Malware Archives - My TechDecisions
https://mytechdecisions.com/tag/malware/
The end user’s first and last stop for making technology decisions

Kaspersky Discovers New 0-Click iOS Exploit
https://mytechdecisions.com/it-infrastructure/kaspersky-discovers-new-0-click-ios-exploit/
Thu, 01 Jun 2023

Cybersecurity firm Kaspersky says it is investigating “previously unknown” malware targeting its own employees’ Apple iOS devices. The malware compromises a device through an iMessage attachment without any user interaction.

According to Kaspersky, the message triggers a vulnerability that leads to code execution, and the code within the exploit downloads several subsequent stages from the command-and-control server that include additional exploits for privilege escalation.

After successful exploitation, a final payload is downloaded from the C&C server, which Kaspersky calls a “fully featured APT platform.” The initial message and the exploit in the attachment are then deleted.

How Kaspersky discovered the exploit

Kaspersky, which is the subject of a U.S. federal government ban and potential enforcement actions over its alleged ties to the Russian government, says its researchers noticed suspicious activity from iOS devices while monitoring traffic on a corporate Wi-Fi network dedicated to mobile devices.

“Since it is impossible to inspect modern iOS devices from the inside, we created offline backups of the devices in question, inspected them using the Mobile Verification Toolkit’s mvt-ios and discovered traces of compromise,” researchers say.

The company says its mobile device backups provided a partial copy of the filesystem, including some user data and service databases. Timestamps of files, folders and the database records helped the company reconstruct the events leading to compromise.

According to Kaspersky, the malicious toolset does not support persistence, likely due to the limitations of the operating system.

Timelines from the infected devices indicate that a device can be re-infected after it is rebooted.

The oldest traces of infection found by the researchers date to 2019, and the attack is ongoing: the most recent iOS version successfully targeted is iOS 15.7, released in September 2022.

While analysis of the final payload is not finished yet, Kaspersky researchers say the code is run with root privileges, implements a set of commands for collecting system and user information, and can run arbitrary code downloaded as plugin modules from the C&C server.

Disabling iMessage would prevent iOS devices from compromise, the company says.

The vulnerabilities used, which the Kaspersky blog does not identify, were apparently zero-days before being patched in February.

Who is behind these attacks?

Neither Kaspersky the company nor its CEO, Eugene Kaspersky, attributed the attacks to any specific group, but Russia’s Federal Security Service (FSB), in a separate statement that did not mention the Kaspersky report, accused the U.S. National Security Agency and Apple of “close cooperation” to spy on Russian diplomats.

In a statement provided to Reuters and other media outlets, Apple denied the claims, saying the company has “never worked with any government to insert a backdoor into any Apple product and never will.”

In a series of tweets, CEO Eugene Kaspersky says successful exploitation can result in the transmission of private information, including microphone recordings, photos from instant messages, geolocation and data about a number of other activities.

The spyware infected “several dozen iPhones” of Kaspersky employees, but the CEO says the threat has been neutralized and the company is now operating normally.

In other tweets, Kaspersky says the campaign is not related to other iOS attacks such as Pegasus, Predator or Reign. In addition, the Russia-based cybersecurity firm was not the main target of the attacks, the CEO says.

The company calls this campaign “Operation Triangulation” and has set up a webpage containing all related information. The company is asking anyone with additional details to contact the company at triangulation[at]kaspersky.com.

How to find out if you’ve been affected by Operation Triangulation

Kaspersky on Friday released a tool designed to automate the process of checking iOS device backups for possible indicators of compromise.
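The two analysis steps the article describes, matching backup file records against indicators and then using timestamps to reconstruct the sequence of (re)infections, can be sketched as follows. This is an added example, not Kaspersky’s tool and not mvt-ios. The backup records, the reboot timestamps and the indicator patterns are all constructed placeholders; the article does not reproduce Kaspersky’s actual IoCs, and it does not say what source Kaspersky used to mark reboots.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Placeholder indicators: invented for this demonstration only, since the
# article does not list Kaspersky's real IoCs.
PLACEHOLDER_IOC_PATTERNS = [
    re.compile(r"^Library/SMS/Attachments/.*/stage\d+\.bin$"),
    re.compile(r"^Library/Caches/com\.example\.hidden/"),
]


@dataclass(frozen=True)
class BackupFile:
    """One record from a backup manifest: domain, relative path, mtime."""
    domain: str
    relative_path: str
    modified: datetime


def utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def match_iocs(files, patterns=PLACEHOLDER_IOC_PATTERNS):
    """Files whose relative path matches any indicator, oldest first."""
    hits = [f for f in files if any(p.search(f.relative_path) for p in patterns)]
    return sorted(hits, key=lambda f: f.modified)


def infection_windows(hits, reboots):
    """Group indicator hits by the reboot interval they fall into.

    Because the toolset does not persist, every interval that contains hits
    is a separate infection; more than one window means re-infection.
    Reboot timestamps are assumed to come from a separate source.
    """
    boundaries = sorted(reboots)
    windows = []
    for f in hits:
        preceding = [b for b in boundaries if b <= f.modified]
        start = preceding[-1] if preceding else None
        if windows and windows[-1]["start"] == start:
            windows[-1]["hits"].append(f)
        else:
            windows.append({"start": start, "hits": [f]})
    return windows


def summarize(files, reboots):
    hits = match_iocs(files)
    windows = infection_windows(hits, reboots)
    return {
        "oldest_trace": hits[0].modified if hits else None,
        "windows": len(windows),
        "reinfected": len(windows) > 1,
    }


# Constructed sample data, not from a real device.
SAMPLE_FILES = [
    BackupFile("HomeDomain", "Library/SMS/sms.db", utc("2022-09-20T10:00:00")),
    BackupFile("MediaDomain", "Library/SMS/Attachments/ab/11/stage1.bin", utc("2022-09-20T10:02:13")),
    BackupFile("HomeDomain", "Library/Caches/com.example.hidden/cfg", utc("2022-09-20T10:02:40")),
    BackupFile("HomeDomain", "Library/Preferences/com.apple.Preferences.plist", utc("2022-10-03T08:00:00")),
    BackupFile("MediaDomain", "Library/SMS/Attachments/cd/22/stage1.bin", utc("2022-10-03T08:15:01")),
]
SAMPLE_REBOOTS = [utc("2022-09-19T23:00:00"), utc("2022-10-02T21:30:00")]

if __name__ == "__main__":
    for w in infection_windows(match_iocs(SAMPLE_FILES), SAMPLE_REBOOTS):
        print(w["start"], [f.relative_path for f in w["hits"]])
    print(summarize(SAMPLE_FILES, SAMPLE_REBOOTS))
```

On the constructed data the hits fall into two reboot intervals, which is the pattern the article describes: no persistence, but the device is hit again after it comes back up.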

This article has been updated on June 2, 2023 to reflect a statement from Apple. 

Proofpoint Unveils New Innovations to Combat Increasingly Common Threats
https://mytechdecisions.com/network-security/proofpoint-unveils-new-innovations-to-combat-increasingly-common-threats/
Mon, 24 Apr 2023

Ahead of the 2023 RSA Conference, Proofpoint, Inc., the Sunnyvale, Calif.-based cybersecurity and compliance company, unveiled a host of innovations across its Aegis Threat Protection, Identity Threat Defense and Sigma Information Protection platforms. The company’s latest solutions are intended to help organizations stop malicious email attacks, detect and prevent identity-based threats and defend sensitive data from theft, loss and insider threats.

According to the company, the new innovations further enhance its threat and information protection platforms, in addition to its newly formed Identity Threat Defense business (formerly known as Illusive), to help organizations augment and safeguard their productivity investments, such as Microsoft 365, with maximum deployment flexibility.

“Proofpoint continues to deliver on innovations that empower organizations to break the attack chain,” said Ryan Kalember, executive vice president, cyber security strategy, Proofpoint in a statement. “By providing our customers a unified path to solve for risk across email, cloud, identity and data, CISOs gain unparalleled visibility into and protection against the tactics that attackers rely on most.”

Proofpoint’s Aegis Threat Protection Platform

Proofpoint Aegis Threat Protection Platform is an AI/ML-powered threat protection platform that disarms attacks such as business email compromise (BEC), phishing, ransomware and supply chain threats. With flexible deployment options using both APIs and inline architecture, Aegis delivers AI-powered, cloud-based protection that complements native Microsoft 365 defenses, says Proofpoint.

By combining the company’s proprietary behavioral analytics and threat intelligence, Proofpoint is delivering new capabilities that provide visibility into account takeover-based attacks from both within an organization’s environment and outside suppliers.

Supplier Threat Protection

Supplier relationships are a growing attack vector: 69% of organizations experienced a supply chain attack within the past year, and CISOs rate it as one of their top concerns, according to Proofpoint research. With Proofpoint’s Supplier Threat Protection, organizations can detect compromised supplier accounts so that security teams can swiftly investigate and remediate.

This new product proactively monitors for and prioritizes known compromised third-party accounts, simplifies investigation with details on why the account is suspected compromised and which employees recently communicated with the account in question, enabling security teams to seamlessly defend against prevalent third-party attacks such as BEC and phishing.

Targeted Attack Prevention Account Takeover (TAP ATO)

Threat actors successfully bypass MFA in 30% of all targeted cloud and email account takeover attacks, according to Proofpoint threat research. Once inside, malicious actors can hide undetected in an organization’s environment, waging sophisticated attacks at will.

Proofpoint TAP ATO, available at the end of Q2 2023, provides visibility across the entire email account takeover attack chain. It accelerates response investigation and remediates accounts, malicious mailbox rule changes, and manipulations of third-party apps and data exfiltration across email and cloud environments.

Identity Threat Defense (formerly known as Illusive)

From ransomware to APTs, 90% of attacks rely on compromised identities, says Proofpoint. The complexity of managing Active Directory (AD) has resulted in the presence of exploitable privileged identity risks in all organizations at a rate of one in six endpoints.

These identity risks include unmanaged local admins with stale passwords, misconfigured users with unnecessary privileges, cached credentials left exposed on endpoints and much more. When an attacker compromises an endpoint with these privileged identity risks, deploying malicious software and stealing data is easy. Privileged identities represent the keys to the kingdom, which attackers exploit to steal the crown jewels. Unfortunately, most organizations are unaware of this risk – until they are attacked.

Leveraging new advanced identity risk analytics and automated detection, Proofpoint has further bolstered its Identity Threat Defense platform – undefeated in more than 150 red team exercises – to provide organizations with comprehensive identity risk protection and remediation:

Spotlight Risk Analytics

The new advanced risk analytics in the Spotlight dashboard allows users to gain an executive view of an organization’s risk trends as well as exposure across various risk categories and risk exposure levels. It also provides recommendations for possible user admin action.

Spotlight Risk Analytics simplifies decision makers’ workload while ensuring organizational leaders can make informed decisions to remediate modern and sophisticated identity risks. With availability expected late Q2 2023, decision makers will also be able to follow risk trends to track their organization’s risk posture improvements over time.

Proofpoint Spotlight Cross Domain & Trust Visibility

For organizations with complex infrastructure, including multinational, multi-business and merging organizations, identity infrastructure is often stitched together without broader visibility.

Spotlight Cross Domain & Trust Visibility provides insight to understand where AD domains across companies have too much bi-directional trust, which can result in identity risk and lateral movement by attackers. Business leaders can gain a centralized view into the broadest organizational structure’s domains and trusts to better prevent identity risk exposure in a holistic fashion.

Sigma Information Protection Platform

Since its introduction in early 2020, Proofpoint’s information protection business has grown a remarkable 107%, making the company the second largest data loss prevention (DLP) vendor globally and by revenue according to Gartner. Driven by the accelerated adoption of work-from-anywhere practices, the Proofpoint Sigma Information Protection platform is now deployed to over 5,000 customers and 46 million users worldwide, analyzing 45 billion events each month, and trusted by nearly half of the Fortune 100.

Proofpoint’s Information Protection platform merges content inspection, threat telemetry and user behavior across channels in a unified, cloud-native interface.

Privacy by Design Data Loss Prevention

As international organizations work to meet new and changing local privacy and data sovereignty requirements, Proofpoint now hosts its Sigma Information Protection platform in regions such as the European Union, Japan, and Australia in addition to the U.S.

Proofpoint is also further investing in privacy-related capabilities so that organizations can mask sensitive data in the console to limit its exposure and create custom data access policies to address privacy and compliance needs.

Additional features are available in beta, with general availability expected in Q3 2023, enabling organizations to anonymize identifying user information so analysts can investigate without bias and with better privacy for the user.

Administrators will also be able to set up metadata for anonymization and approval workflows for de-anonymizing the metadata during investigation.

Atera, ESET Launch Anti-Malware, Threat Detection Integration
https://mytechdecisions.com/it-infrastructure/atera-eset-launch-anti-malware-threat-detection-integration/
Fri, 10 Mar 2023

Cloud-based remote IT management software company Atera is launching a new integration with cybersecurity firm ESET to allow Atera users to deploy anti-malware solutions.

The partnership pairs ESET’s advanced security solutions with Atera’s cloud-based platform to help IT professionals automate and protect vital assets within the Atera platform. The integration results in an anti-malware and threat detection solution that provides real-time intelligence and threat monitoring to protect organizations of all verticals and sizes, the companies say.

According to a press release, the integration will include the option for users to activate, provision and deploy ESET’s products directly from Atera, providing additional ease of use within the platform. Customers will gain access to ESET’s dashboard, which includes license management, detailed reporting and customer site administration capabilities.

IT professionals using Atera can choose from four solution tiers: ESET PROTECT Entry, ESET PROTECT Advanced, ESET PROTECT Complete or ESET PROTECT Enterprise. These are advanced, customizable security packages that include endpoint security, detection and response; file and mail server security; mobile security and more.

Atera recently announced a new integration with OpenAI, which is designed to help users automatically generate scripts to help execute processes that would otherwise weigh down already stretched-thin IT teams.

Atera CEO Gil Pekelman says in a statement that cyberattacks are increasing in sophistication and frequency, so the company wanted to partner with a cybersecurity leader like ESET to offer protection against malware and zero-day threats.

“ESET’s multi-layered approach to threat detection as well as response, including threat intelligence feeds, endpoint detection and response and advanced cloud sandboxing, helps our partners minimize their attack surface and address the growing threat landscape,” Pekelman says. “The resulting integrated offering represents a tremendous opportunity for Atera and its global customer base.”

Ryan Grant, vice president of sales for ESET North America, in a statement says the company has been impressed with Atera’s recent growth.

“Atera’s development team has worked tirelessly to ensure a best-in-class integration that enhances the customer experience for IT professionals by reducing complexity and providing proactive threat detection and response,” Grant says. “We are committed to growing together, serving our customers and expanding the integration over time.”

These 3 Departments Pose the Highest Risk of Being Hacked
https://mytechdecisions.com/network-security/these-3-departments-pose-the-highest-risk-of-being-hacked/
Sat, 18 Feb 2023

Cybersecurity experts from NordLocker, part of Nord Security, reveal that employees from certain departments are much more lucrative targets for cybercriminals than others. With human error being the reason behind a whopping 82% of data breaches, employees are the weakest link when it comes to organizational cybersecurity.

“From receptionists to the C-Suite, every employee should be treated as an important chess piece when it comes to cybersecurity. But cybersec training and tools should be based on equity, not equality, and tailored to each department and role because exposure to outside threats and access to certain types of information varies greatly inside every company,” says Oliver Noble, a cybersecurity expert at NordLocker.

According to Noble, these departments are most at risk of being hacked, and here’s why:

The Marketing Department

With marketers being the company’s outward-facing voice, they are some of the easiest targets for cybercriminals, according to Noble. More often than not, the email addresses and other contact information of marketers are out in public and easily accessible, which makes them a low-hanging fruit for hackers to leverage in their next phishing attack.

People working in marketing are also much more likely to fall for a phishing attack by clicking that malicious link or downloading the suspicious attachment. Because marketing departments are very likely to work with third-party vendors, receiving emails from outside sources is often a part of their routine, making it easier for a phishing email to blend in. And it only takes one slipup for malware to make its way into the network.

The C-Suite

The highest-ranking executives are an obvious choice for cybercriminals. They are usually the ones to have unrestricted access to the most sensitive company files, which if accessed by a person with bad intentions, could spell doom for the company’s future.

However, it is most often not the executives themselves who let malware into the network, because their access points and contact details are protected by additional threat mitigation measures compared to the average employee. The same cannot be said of the people in their closest circle, such as their assistants, who often have similar, if not the same, access credentials to internal documents but lack the security measures their boss enjoys.

The IT Department

The IT department often has wider access to the most critical business data than other branches, including important credentials and encryption keys, which makes its staff exceptionally lucrative targets for cybercriminals. Beyond that, people working in IT are responsible for the entire company’s digital infrastructure, which, if exposed to hackers, could be shut down and held hostage in a matter of minutes.


How to safeguard your business from a cyberattack

According to Noble, people can avoid many data breaches by following these steps to improve cybersecurity:

  1. Encourage cybersecurity training. Investing in your employees’ knowledge is one of the fastest ways to prevent a cyberattack from happening in the first place. Training should be organized regularly and take a holistic approach that covers every single employee.
  2. Adopt zero-trust network access. The mindset of “trust none, verify all” is based on the zero-trust paradigm and is applied through identity authentication to access work equipment and resources, network segmentation and access control management.
  3. Implement and enforce periodic data backup and restoration processes. An encrypted cloud might be the most secure solution.
  4. Enable multi-factor authentication. Known as MFA, it serves as an extra layer of security. It is an authentication method that uses two or more mechanisms to validate the user’s identity – these can be separate apps, security keys, devices, or biometric data.

Hackers Are Pivoting to OneNote Documents for Malware Delivery
https://mytechdecisions.com/network-security/hackers-are-pivoting-to-onenote-documents-for-malware-delivery/
Mon, 06 Feb 2023

Threat actors are increasingly using OneNote documents to deliver malware as Microsoft makes it difficult for them to use other Office documents by blocking macros by default.

Now, hackers are experimenting with other file types, including using virtual hard disk, compiled HTML and OneNote, according to new research from enterprise security software company Proofpoint.

The Sunnyvale, Calif.-based firm says in a new blog that its researchers have noticed an increase in the use of OneNote documents to deliver malware via email to end users. Proofpoint researchers say that in December they observed six campaigns using OneNote attachments to deliver AsyncRAT malware. In January, Proofpoint observed more than 50 OneNote campaigns with different malware payloads, including AsyncRAT, Redline, AgentTesla and DOUBLEBACK.

The use of OneNote to deliver malware, Proofpoint writes, is unusual. However, it comes as Microsoft continues to take steps to prevent its tools from being used for malicious purposes, such as blocking Office macros by default, and attackers are experimenting with different attachment types in response. Proofpoint came to a similar conclusion in July 2022, saying attackers were already experimenting with other file types when Microsoft first announced the move.

“The technique may be effective for now,” Proofpoint researchers wrote in the Feb. 1 blog. “At the time of analysis, multiple OneNote malware samples observed by Proofpoint were not detected by numerous anti-virus vendors on VirusTotal. Proofpoint continues to assess these activity clusters and does not attribute them to a tracked threat actor.”

The company says malware campaigns leveraging OneNote share similar characteristics, such as unique messages to deliver malware and the lack of thread hijacking. Messages typically carry OneNote attachments with themes such as invoices, remittances, shipping and seasonal lures including Christmas bonuses.

One group, TA577, a cybercrime group tracked by Proofpoint since 2020 that delivers payloads such as Qbot, IcedID, SystemBC, SmokeLoader, Ursnif and Cobalt Strike, has been conducting similar campaigns using OneNote since late January.

According to Proofpoint, OneNote documents used maliciously contain embedded files, which are often hidden behind a graphic that looks like a button. When a user double clicks on the embedded file, they are prompted with a warning. If the user clicks “continue,” the file executes.
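The embedded file that sits behind the fake button is stored inside the .one file as a FileDataStoreObject, whose layout is documented in Microsoft’s MS-ONESTORE specification: a 16-byte header GUID, an 8-byte little-endian length, 4 unused bytes, 8 reserved bytes, the raw file bytes, then a 16-byte footer GUID. The following Python, an added example and not Proofpoint’s tooling or anything from the original article, carves those objects out of a document and applies coarse type heuristics so a mail gateway or an analyst can see what would run on “Continue” before anyone double-clicks it. The sample document is constructed in memory from a PNG stub and a harmless HTA-like script stub; it is not a real malware sample.

```python
import struct
import uuid
from dataclasses import dataclass

# GUIDs from MS-ONESTORE; Windows stores GUIDs little-endian on disk.
ONE_FILE_HEADER = uuid.UUID("{7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}").bytes_le
FILE_DATA_HEADER = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
FILE_DATA_FOOTER = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le

# FileDataStoreObject after the header GUID: cbLength(8) unused(4) reserved(8)
META_FMT = "<Q4x8x"
META_LEN = struct.calcsize(META_FMT)  # 20 bytes

SCRIPT_MARKERS = (b"wscript", b"createobject(", b"powershell", b"cmd.exe",
                  b"<script", b"@echo off", b"mshta")


@dataclass
class EmbeddedFile:
    offset: int   # where the header GUID starts in the document
    data: bytes
    kind: str


def classify(data: bytes) -> str:
    """Crude content typing by magic bytes, then by script keywords."""
    if data[:2] == b"MZ":
        return "pe-executable"
    if data[:4] == b"PK\x03\x04":
        return "zip-container"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png-image"
    if data[:4] == b"%PDF":
        return "pdf"
    if any(m in data[:4096].lower() for m in SCRIPT_MARKERS):
        return "script"
    return "unknown"


def looks_like_onenote(blob: bytes) -> bool:
    return blob[:16] == ONE_FILE_HEADER


def carve_embedded_files(blob: bytes) -> list:
    """Scan for FileDataStoreObject headers and return every embedded file
    whose declared length lines up with a footer GUID."""
    found = []
    pos = blob.find(FILE_DATA_HEADER)
    while pos != -1:
        meta_off = pos + len(FILE_DATA_HEADER)
        if meta_off + META_LEN > len(blob):
            break
        (length,) = struct.unpack_from(META_FMT, blob, meta_off)
        start, end = meta_off + META_LEN, meta_off + META_LEN + length
        if blob[end:end + 16] == FILE_DATA_FOOTER:
            data = blob[start:end]
            found.append(EmbeddedFile(pos, data, classify(data)))
            pos = blob.find(FILE_DATA_HEADER, end + 16)
        else:
            # Length does not land on a footer: stray GUID bytes, keep scanning.
            pos = blob.find(FILE_DATA_HEADER, pos + 1)
    return found


def risky(files: list) -> list:
    """Embedded objects that would execute rather than merely display."""
    return [f for f in files if f.kind in {"pe-executable", "script"}]


def _wrap(data: bytes) -> bytes:
    """Build one FileDataStoreObject around data (used for the sample only)."""
    return FILE_DATA_HEADER + struct.pack(META_FMT, len(data)) + data + FILE_DATA_FOOTER


# Constructed sample document: a bait image plus an HTA-like script stub.
PNG_STUB = b"\x89PNG\r\n\x1a\n" + bytes(24)
HTA_STUB = (b'<html><script language="VBScript">\r\n'
            b'Set sh = CreateObject("WScript.Shell")\r\n'
            b'sh.Run "cmd.exe /c echo demo"\r\n'
            b"</script></html>")
SAMPLE_ONE = ONE_FILE_HEADER + bytes(64) + _wrap(PNG_STUB) + bytes(32) + _wrap(HTA_STUB) + bytes(16)

if __name__ == "__main__":
    files = carve_embedded_files(SAMPLE_ONE)
    for f in files:
        print(f"offset={f.offset} size={len(f.data)} kind={f.kind}")
    print("risky objects:", len(risky(files)))
```

The heuristics are deliberately simple; the point is that the payload is recoverable without opening the document in OneNote, so the same carving can run at the gateway on every inbound .one attachment.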

These malicious OneNote attacks have increased significantly between December 2022 and the end of January 2023. While the company only saw OneNote campaigns deliver AsyncRAT in December, researchers saw seven other malware payloads distributed via OneNote attachments last month, with targets located globally, including in North America and Europe.

Multiple threat actors are believed to be using the OneNote attachment tactic in an attempt to bypass threat detections, and more sophisticated actors may begin using OneNote attachments soon, Proofpoint concludes.

TA577’s adoption of OneNote is particularly worrisome, as the group is an initial access broker that facilitates follow-on infections with additional malware, including ransomware, Proofpoint researchers say.

“Based on data in open-source malware repositories, initially observed attachments were not detected as malicious by multiple anti-virus engines, thus it is likely initial campaigns had a high efficacy rate if the email was not blocked,” the company says, noting that its own customers were protected since Proofpoint detected the malicious emails. “It is likely more threat actors will adopt OneNote attachments to deliver malware.”

Malware-Delivering Cloud Apps Nearly Tripled in 2022
https://mytechdecisions.com/network-security/malware-delivering-cloud-apps-nearly-tripled-in-2022/
Wed, 11 Jan 2023

Over 400 distinct cloud applications delivered malware in 2022, nearly tripling the amount seen in the prior year, according to the latest research from Netskope, the Santa Clara, Calif.-based SASE provider. Netskope researchers also found that 30% of all cloud malware downloads in 2022 originated from Microsoft OneDrive.

Because cloud apps are widely used by businesses, they make an ideal home for hosting malware and causing harm to organizations. “Attackers are increasingly abusing business-critical cloud apps to deliver malware by bypassing inadequate security controls,” says Ray Canzanese, threat research director, Netskope Threat Labs. “That is why it is imperative that more organizations inspect all HTTP and HTTPS traffic, including traffic for popular cloud apps, both company and personal instances, for malicious content.”

Compared to 2021, the most significant change in cloud application use was the increase in the percentage of users uploading content to the cloud in 2022. According to Netskope data, over 25% of users worldwide uploaded documents daily to Microsoft OneDrive, while 7% did so for Google Gmail and 5% for Microsoft SharePoint. The drastic increase in active cloud users across a record number of cloud applications led to a sizable increase in cloud malware downloads in 2022 compared with 2021, after the figure had remained close to flat from 2020 to 2021.

Nearly a third of all cloud malware downloads originated from Microsoft OneDrive, with Weebly and GitHub coming in the next closest among cloud apps at 8.6% and 7.6%, respectively.

In 2022, several geographic regions saw significant increases in the overall percentage of cloud vs. web-delivered malware compared to 2021, including:

  • Australia (50% in 2022 compared to 40% in 2021)
  • Europe (42% in 2022 compared to 31% in 2021)
  • Africa (42% in 2022 compared to 35% in 2021)
  • Asia (45% in 2022 compared to 39% in 2021)

In certain industries, cloud-delivered malware also became more predominant globally, especially:

  • Telecom (81% in 2022 compared to 59% in 2021)
  • Manufacturing (36% in 2022 compared to 17% in 2021)
  • Retail (57% in 2022 compared to 47% in 2021)
  • Healthcare (54% in 2022 compared to 39% in 2021)

How to Avoid Cloud-and-Web Delivered Malware

With remote and hybrid work dynamics continuing to pose cybersecurity challenges, Netskope recommends organizations take the following actions to avoid increased risk of security incidents stemming from cloud- and web-delivered malware:

  • Enforce granular policy controls to limit data flow, including flow to and from apps, between company and personal instances, among users, to and from the web, adapting the policies based on device, location, and risk.
  • Deploy multi-layered, inline threat protection for all cloud and web traffic to block inbound malware and outbound malware communications.
  • Enable multi-factor authentication for unmanaged enterprise apps.
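The first two recommendations hinge on one distinction that a plain URL filter cannot make: the same sanctioned app (OneDrive, GitHub) serves both the company’s instance and anyone’s personal instance, and policy has to differ between them while every download is still scanned. The following Python, an added example and not Netskope’s product logic, applies such an instance-aware policy to constructed proxy log lines. It assumes a log that records the destination host, the action (upload or download) and an inline scanner verdict; the corporate tenant name “contoso” and the GitHub Enterprise host are hypothetical. It also computes the cloud-vs-web share of malware that the article reports.

```python
import re
from dataclasses import dataclass

# Hypothetical corporate instances. OneDrive for Business is served from
# <tenant>-my.sharepoint.com, so the tenant in the host identifies the instance.
CORPORATE_INSTANCE_HOSTS = [
    re.compile(r"^contoso(-my)?\.sharepoint\.com$"),   # hypothetical tenant
    re.compile(r"^github\.contoso\.com$"),             # hypothetical GitHub Enterprise host
]

# Host suffix -> sanctioned cloud app; personal and corporate instances share these.
APP_SUFFIXES = {
    "sharepoint.com": "onedrive",
    "onedrive.live.com": "onedrive",
    "1drv.ms": "onedrive",
    "github.com": "github",
    "githubusercontent.com": "github",
    "weebly.com": "weebly",
}


@dataclass
class Request:
    ts: str
    user: str
    host: str
    action: str    # download | upload
    verdict: str   # inline scanner result: clean | malware | unknown


FIELD = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> Request:
    ts, rest = line.split(" ", 1)
    kv = dict(FIELD.findall(rest))
    return Request(ts, kv["user"], kv["host"].lower(), kv["action"], kv.get("verdict", "unknown"))


def app_for(host: str):
    for suffix, app in APP_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return None


def instance_for(host: str) -> str:
    # "personal" here means any non-corporate instance of a sanctioned app.
    return "corporate" if any(p.match(host) for p in CORPORATE_INSTANCE_HOSTS) else "personal"


def decide(req: Request):
    """Return (app, instance, decision). Malware is blocked everywhere;
    personal instances additionally get no uploads and only scanned-clean downloads."""
    app = app_for(req.host)
    instance = instance_for(req.host) if app else "n/a"
    if req.verdict == "malware":
        return app, instance, "block"
    if app is None or instance == "corporate":
        return app, instance, "allow"
    if req.action == "upload":
        return app, instance, "block"          # data leaving to a personal instance
    return app, instance, "allow" if req.verdict == "clean" else "block"


def evaluate(lines):
    return [decide(parse(line)) for line in lines]


def cloud_malware_share(lines) -> float:
    """Fraction of malware verdicts delivered via a cloud app rather than plain web."""
    malware = [r for r in map(parse, lines) if r.verdict == "malware"]
    if not malware:
        return 0.0
    return sum(1 for r in malware if app_for(r.host)) / len(malware)


# Constructed log lines, not real traffic.
SAMPLE_LOG = [
    "2022-11-03T14:02:11Z user=alice@contoso.com host=contoso-my.sharepoint.com action=download verdict=clean",
    "2022-11-03T14:05:40Z user=bob@contoso.com host=onedrive.live.com action=download verdict=malware",
    "2022-11-03T14:07:02Z user=carol@contoso.com host=onedrive.live.com action=upload verdict=clean",
    "2022-11-03T14:09:19Z user=dave@contoso.com host=raw.githubusercontent.com action=download verdict=clean",
    "2022-11-03T14:12:55Z user=erin@contoso.com host=contoso-my.sharepoint.com action=download verdict=malware",
    "2022-11-03T14:15:30Z user=frank@contoso.com host=cdn.example-downloads.net action=download verdict=clean",
    "2022-11-03T14:16:48Z user=grace@contoso.com host=cdn.example-downloads.net action=download verdict=malware",
    "2022-11-03T14:18:03Z user=hank@contoso.com host=onedrive.live.com action=download verdict=unknown",
]

if __name__ == "__main__":
    for line, result in zip(SAMPLE_LOG, evaluate(SAMPLE_LOG)):
        print(result, line.split()[2])
    print(f"cloud-delivered share of malware: {cloud_malware_share(SAMPLE_LOG):.0%}")
```

Note the fifth line: a malware download from the company’s own OneDrive instance is still blocked, which is the point of inspecting company instances rather than trusting them.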

FBI: Beware of Search Engine Ads
https://mytechdecisions.com/network-security/fbi-beware-of-search-engine-ads/
Wed, 21 Dec 2022

The FBI is urging organizations and their end users to be careful when using search engines, because cybercriminals are using search engine advertisement services to impersonate brands and direct users to fake websites designed to steal credentials and deploy ransomware.

According to a public service announcement from the FBI, cybercriminals have been buying advertisements that appear within search results and use a domain similar to that of an actual business or service. The purchased ads appear at the top of search results, and it is difficult to differentiate between actual search results and ads.

The ads link to a webpage that looks identical to the impersonated business's official site, but the fraudulent website instead contains malicious links or fake credential forms designed to deploy malware or steal credentials and other financial information.

“These advertisements have also been used to impersonate websites involved in finances, particularly cryptocurrency exchange platforms,” the FBI says in the advisory. “These malicious sites appear to be real exchange platforms and prompt users to enter login credentials and financial information, giving criminal actors access to steal funds.”

Although search engine advertisements are designed to help businesses promote products or services, they are being exploited by malicious actors, so end users should be cautious, the FBI warns.

End users should check the URL before clicking on an advertisement to make sure it is authentic, the agency says. Users should also navigate to a business's URL directly rather than searching for it, and use ad-blocking extensions when performing internet searches.

For businesses, the FBI recommends using domain protection services that notify the organization when similar domains are registered, to help prevent domain spoofing. Businesses should also educate users about spoofed websites and cybersecurity basics, and provide the resources end users need to do their jobs so they don't search for tools online.

HP: Archive File Format Use Among Hackers on the Rise
https://mytechdecisions.com/it-infrastructure/hp-wolf-security-archive-file-format-use-hackerse/
Mon, 05 Dec 2022 22:32:09 +0000

Office files are no longer the most common file type for delivering malware, as archive file formats such as ZIP and RAR files are the file type of choice for threat actors to deliver malware, according to a new report from HP Wolf Security.

The findings come from a quarterly report from HP’s endpoint security division, which found that 44% of malware was delivered inside archive files, an 11% rise from the previous quarter. In comparison, 32% of malware was delivered through Microsoft Office files such as Word, Excel and PowerPoint.

HP Wolf Security's report identifies several campaigns that combined the use of archive files with new HTML smuggling techniques, in which cybercriminals embed malicious archive files into HTML files to bypass email gateways.

For example, recent QakBot and IcedID campaigns used HTML files to direct users to fake online document viewers masquerading as Adobe. Users were instructed to open a ZIP file and enter a password to unpack the files, which then deployed malware on their PCs, the company says.

The malware within the original HTML file is encoded and encrypted, making detection by email gateways and other email security tools challenging. The attacker relies on social engineering and creates a well-designed website to fool users into initiating the attack by opening the malicious ZIP file, according to HP Wolf Security.
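As an added illustration, not code from HP's report or this article, the following Python check shows the defender's side of the technique described above: it scans an HTML body for long base64 runs that decode to a ZIP, RAR or 7z header and for the JavaScript primitives used to reassemble such a blob client-side, then grades the file. The sample document, the 200-character threshold and the indicator list are constructed for this example.

```python
import base64
import io
import re
import zipfile

# Magic bytes of archive formats commonly carried inside smuggled HTML.
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
}

# Base64 runs long enough to plausibly carry a file; short tokens are ignored.
# The 200-character floor is a constructed tuning value, not a published one.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")

# Client-side reassembly primitives that HTML smuggling relies on.
JS_INDICATORS = (b"atob(", b"Blob(", b"createObjectURL(", b"msSaveOrOpenBlob(")


def find_smuggled_archives(html: bytes) -> list[dict]:
    """Return one record per base64 run that decodes to a known archive header."""
    hits = []
    for m in B64_RUN.finditer(html):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue  # not well-formed base64, skip the run
        for magic, kind in ARCHIVE_MAGIC.items():
            if decoded.startswith(magic):
                hits.append({"offset": m.start(), "format": kind, "size": len(decoded)})
                break
    return hits


def js_indicators(html: bytes) -> list[str]:
    """List the reassembly primitives present in the HTML source."""
    return [i.decode() for i in JS_INDICATORS if i in html]


def assess(html: bytes) -> dict:
    """Combine embedded-archive evidence with reassembly JS to grade the HTML."""
    archives = find_smuggled_archives(html)
    indicators = js_indicators(html)
    if archives and indicators:
        verdict = "likely-smuggling"
    elif archives or indicators:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "archives": archives, "indicators": indicators}


def build_sample_html() -> bytes:
    """Constructed test input: a harmless stored ZIP embedded as base64 plus atob()."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless sample text " * 20)
    blob = base64.b64encode(buf.getvalue())
    return (b"<html><body><p>Your document is ready.</p><script>\n"
            b"var payload = '" + blob + b"';\nvar raw = atob(payload);\n"
            b"</script></body></html>")
```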

Alex Holland, a senior malware analyst on HP Wolf Security's threat research team, says archives are easy to encrypt, which helps conceal malware and avoid detection.

“This makes attacks difficult to detect, especially when combined with HTML smuggling techniques,” Holland says. “What was interesting with the QakBot and IcedID campaigns was the effort put into creating the fake pages – these campaigns were more convincing than what we’ve seen before, making it hard for people to know what files they can and can’t trust.”

The company also identified a complex campaign leveraging a modular infection chain that could enable attackers to change the payload mid-campaign, switching between spyware, ransomware or keyloggers. This could also allow the introduction of new features, such as geo-fencing.

Because the malware is not included directly in an email attachment, this approach could also help attackers evade detection by email security tools.

Dr. Ian Pratt, global head of security for personal systems at HP, says attackers are constantly changing their techniques, making them difficult for detection tools to spot.

“By following the Zero Trust principle of fine-grained isolation, organizations can use micro-virtualization to make sure potentially malicious tasks – like clicking on links or opening malicious attachments – are executed in a disposable virtual machine separated from the underlying systems,” Pratt says. “This process is completely invisible to the user, and traps any malware hidden within, making sure attackers have no access to sensitive data and preventing them from gaining access and moving laterally.”

These are the Top 11 Malware Strains Observed in 2021
https://mytechdecisions.com/network-security/top-11-malware-strains-2021/
Fri, 05 Aug 2022 15:57:44 +0000

A new joint cybersecurity advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) details the 11 most-observed malware strains from the last year, including remote access Trojans, banking Trojans, information stealers and ransomware.

In the advisory, CISA and the ACSC say most of these top malware strains have been in use for several years, with their respective code bases evolving into multiple variations.

Some of the strains are well-known to IT and security professionals, while others are newer strains designed to enable initial access for ransomware.

To mitigate these threats, CISA recommends keeping software up to date to prevent exploitation of vulnerabilities, implementing and enforcing multi-factor authentication, securing and monitoring Remote Desktop Protocol and other risky services, securing backups offline and providing end user training and awareness.

Paul Laudanski, head of threat intelligence at cloud email security provider Tessian, called the list of top malware strains a “stark reminder” of the cyber threats organizations face.

“To keep your machine secure, keep your OS patched and updated at all times, update your applications regularly, use some sort of behavioral detection looking for malicious activity, and be critical of emails you receive even when they look to come from family and friends,” Laudanski says. “Machine learning tools can also be very helpful as well.”

Here’s CISA and ACSC’s list of top malware strains, in full.

Agent Tesla

  • Overview: Agent Tesla is capable of stealing data from mail clients, web browsers, and File Transfer Protocol (FTP) servers. This malware can also capture screenshots, videos, and Windows clipboard data. Agent Tesla is available online for purchase under the guise of being a legitimate tool for managing your personal computer. Its developers continue to add new functionality, including obfuscation capabilities and targeting additional applications for credential stealing.[3][4]
  • Active Since: 2014
  • Malware Type: RAT
  • Delivery Method: Often delivered as a malicious attachment in phishing emails.
  • Resources: See the MITRE ATT&CK page on Agent Tesla.

AZORult

  • Overview: AZORult is used to steal information from compromised systems. It has been sold on underground hacker forums for stealing browser data, user credentials, and cryptocurrency information. AZORult’s developers are constantly updating its capabilities.[5][6]
  • Active Since: 2016
  • Malware Type: Trojan
  • Delivery Method: Phishing, infected websites, exploit kits (automated toolkits exploiting known software vulnerabilities), or via dropper malware that downloads and installs AZORult.
  • Resources: See the MITRE ATT&CK page on AZORult and the Department of Health and Human Services (HHS)’s AZORult brief.

FormBook

  • Overview: FormBook is an information stealer advertised in hacking forums. FormBook is capable of key logging and capturing browser or email client passwords, but its developers continue to update the malware to exploit the latest Common Vulnerabilities and Exposures (CVEs)[7], such as CVE-2021-40444 Microsoft MSHTML Remote Code Execution Vulnerability.[8][9]
  • Active Since: At least 2016
  • Malware Type: Trojan
  • Delivery Method: Usually delivered as an attachment in phishing emails.
  • Resources: See Department of Health and Human Services (HHS)’s Sector Note on Formbook Malware Phishing Campaigns.

Ursnif

  • Overview: Ursnif is a banking Trojan that steals financial information. Also known as Gozi, Ursnif has evolved over the years to include a persistence mechanism, methods to avoid sandboxes and virtual machines, and search capability for disk encryption software to attempt key extraction for unencrypting files.[10][11][12] Based on information from trusted third parties, Ursnif infrastructure is still active as of July 2022.
  • Active Since: 2007
  • Malware Type: Trojan
  • Delivery Method: Usually delivered as a malicious attachment to phishing emails.
  • Resources: See the MITRE ATT&CK page on Ursnif.

LokiBot

  • Overview: LokiBot is a Trojan malware for stealing sensitive information, including user credentials, cryptocurrency wallets, and other credentials. A 2020 LokiBot variant was disguised as a launcher for the Fortnite multiplayer video game.[13][14]
  • Active Since: 2015
  • Malware Type: Trojan
  • Delivery Method: Usually delivered as a malicious email attachment.
  • Resources: See CISA’s LokiBot Malware alert and the MITRE ATT&CK page on LokiBot.

MOUSEISLAND

  • Overview: MOUSEISLAND is usually found within the embedded macros of a Microsoft Word document and can download other payloads. MOUSEISLAND may be the initial phase of a ransomware attack.[15]
  • Active Since: At least 2019
  • Malware Type: Macro downloader
  • Delivery Method: Usually distributed as an email attachment.
  • Resources: See Mandiant’s blog discussing MOUSEISLAND.

NanoCore

  • Overview: NanoCore is used for stealing victims’ information, including passwords and emails. NanoCore could also allow malicious users to activate computers’ webcams to spy on victims. Malware developers continue to develop additional capabilities as plug-ins available for purchase or as a malware kit or shared amongst malicious cyber actors.[16][17][18]
  • Active Since: 2013
  • Malware Type: RAT
  • Delivery Method: Has been delivered in an email as an ISO disk image within malicious ZIP files; also found in malicious PDF documents hosted on cloud storage services.
  • Resources: See the MITRE ATT&CK page on NanoCore and the HHS Sector Note: Remote Access Trojan Nanocore Poses Risk to HPH Sector.

Qakbot

  • Overview: Originally observed as a banking Trojan, Qakbot has evolved in its capabilities to include performing reconnaissance, moving laterally, gathering and exfiltrating data, and delivering payloads. Also known as QBot or Pinkslipbot, Qakbot is modular in nature enabling malicious cyber actors to configure it to their needs. Qakbot can also be used to form botnets.[19][20]
  • Active Since: 2007
  • Malware Type: Trojan
  • Delivery Method: May be delivered via email as malicious attachments, hyperlinks, or embedded images.
  • Resources: See the MITRE ATT&CK page on Qakbot and the Department of Health and Human Services (HHS) Qbot/Qakbot Malware brief.

Remcos

  • Overview: Remcos is marketed as a legitimate software tool for remote management and penetration testing. Remcos, short for Remote Control and Surveillance, was leveraged by malicious cyber actors conducting mass phishing campaigns during the COVID-19 pandemic to steal personal data and credentials. Remcos installs a backdoor onto a target system. Malicious cyber actors then use the Remcos backdoor to issue commands and gain administrator privileges while bypassing antivirus products, maintaining persistence, and running as legitimate processes by injecting itself into Windows processes.[21][22]
  • Active Since: 2016
  • Malware Type: RAT
  • Delivery Method: Usually delivered in phishing emails as a malicious attachment.
  • Resources: See the MITRE ATT&CK page on Remcos.

TrickBot

  • Overview: TrickBot malware is often used to form botnets or to enable initial access for the Conti ransomware or Ryuk banking trojan. TrickBot is developed and operated by a sophisticated group of malicious cyber actors and has evolved into a highly modular, multi-stage malware. In 2020, cyber criminals used TrickBot to target the Healthcare and Public Health (HPH) Sector and then launch ransomware attacks, exfiltrate data, or disrupt healthcare services. Based on information from trusted third parties, TrickBot’s infrastructure is still active in July 2022.[23][24][25][26]
  • Active Since: 2016
  • Malware Type: Trojan
  • Delivery Method: Usually delivered via email as a hyperlink.
  • Resources: See the MITRE ATT&CK page on Trickbot and the Joint CSA on TrickBot Malware.

GootLoader

  • Overview: GootLoader is a malware loader historically associated with the GootKit malware. As its developers updated its capabilities, GootLoader has evolved from a loader downloading a malicious payload into a multi-payload malware platform. As a loader malware, GootLoader is usually the first-stage of a system compromise. By leveraging search engine poisoning, GootLoader’s developers may compromise or create websites that rank highly in search engine results, such as Google search results.[27]
  • Active Since: At least 2020
  • Malware Type: Loader
  • Delivery Method: Malicious files available for download on compromised websites that rank high as search engine results.
  • Resources: See New Jersey’s Cybersecurity & Communications Integration Cell (NJCCIC) page on GootLoader and BlackBerry’s Blog on GootLoader.

Read CISA’s advisory on the top malware strains for more information.

Microsoft Office Flaws Exploited in Nearly 80% of Malware Attacks
https://mytechdecisions.com/compliance/microsoft-office-flaws-exploited-malware-attacks/
Wed, 20 Jul 2022 16:22:05 +0000

Microsoft Office remains the most widely exploited software for malware delivery, according to data from Atlas VPN. The primary reason is that a significant portion of Office users delay essential security updates, keeping the door open for fraudsters to inject malicious code through various loopholes, even ones that are already publicly known.

In Q1 2022, as much as 78.5% of malware targeted Microsoft Office vulnerabilities, according to Atlas VPN.

While Securelist, the online warehouse for malware research from Kaspersky, does not share malware statistics for Q4 2021, it does provide data for Q3 2021, revealing that Microsoft Office was targeted in 60.68% of attacks back then.

Based on the findings, according to Atlas VPN, it is safe to say that hackers are continuing to abuse Microsoft Office each quarter.

Researchers believe browser exploits are becoming increasingly rare because browsers update automatically, which is not the case for Microsoft Office.

Hackers primarily target users that do not follow the basic cybersecurity practices of patching their software as soon as the update is available.

Since Office is used by over one billion people across the world and its security updates can be delayed, it’s no surprise to see it at the top of the list.
