Hackers Exploited MSHTML Flaw to Spy on Government and Defense Targets

Cybersecurity researchers on Tuesday took the wraps off a multi-stage espionage campaign targeting high-ranking government officials overseeing national security policy and individuals in the defense industry in Western Asia.

The attack is unique as it leverages Microsoft OneDrive as a command-and-control (C2) server and is split into as many as six stages to stay as hidden as possible, Trellix — a new company created following the merger of security firms McAfee Enterprise and FireEye — said in a report shared with The Hacker News.

“This type of communication allows the malware to go unnoticed in the victims’ systems since it will only connect to legitimate Microsoft domains and won’t show any suspicious network traffic,” Trellix explained.

First signs of activity associated with the covert operation are said to have commenced as early as June 18, 2021, with two victims reported on September 21 and 29, followed by 17 more in a short span of three days between October 6 and 8.

images from Hacker News

Hackers Infect macOS with New DazzleSpy Backdoor in Watering-Hole Attacks

A previously undocumented cyber-espionage malware aimed at Apple’s macOS operating system leveraged a Safari web browser exploit as part of a watering hole attack targeting politically active, pro-democracy individuals in Hong Kong.

Slovak cybersecurity firm ESET attributed the intrusion to an actor with “strong technical capabilities,” calling out the campaign’s overlaps with a similar digital offensive disclosed by Google Threat Analysis Group (TAG) in November 2021.

The attack chain involved compromising a legitimate website belonging to D100 Radio, a pro-democracy internet radio station in Hong Kong, to inject malicious inline frames (aka iframes) between September 30 and November 4, 2021. Separately, a fraudulent website called “fightforhk[.]com” was also registered for the purpose of luring liberation activists.

In the next phase, the tampered code acted as a conduit to load a Mach-O file by leveraging a remote code execution bug in WebKit that was fixed by Apple in February 2021 (CVE-2021-1789). “The exploit used to gain code execution in the browser is quite complex and had more than 1,000 lines of code once formatted nicely,” ESET researchers said.

The success of the WebKit remote code execution subsequently triggers the execution of the intermediate Mach-O binary that, in turn, exploits a now-patched local privilege escalation vulnerability in the kernel component (CVE-2021-30869) to run the next stage malware as a root user.


TrickBot Malware Using New Techniques to Evade Web Injection Attacks

The cybercrime operators behind the notorious TrickBot malware have once again upped the ante, fine-tuning their techniques by adding multiple layers of defense to slip past antimalware products.

“As part of that escalation, malware injections have been fitted with added protection to keep researchers out and get through security controls,” IBM Trusteer said in a report. “In most cases, these extra protections have been applied to injections used in the process of online banking fraud — TrickBot’s main activity since its inception after the Dyre Trojan’s demise.”

TrickBot, which started out as a banking trojan, has evolved into a multi-purpose crimeware-as-a-service (CaaS) that’s employed by a variety of actors to deliver additional payloads such as ransomware. Over 100 variations of TrickBot have been identified to date, one of which is a “Trickboot” module that can modify the UEFI firmware of a compromised device.

In the fall of 2020, Microsoft along with a handful of U.S. government agencies and private security companies teamed up to tackle the TrickBot botnet, taking down much of its infrastructure across the world in a bid to stymie its operations.

But TrickBot has proven to be impervious to takedown attempts, with the operators quickly adjusting their techniques to propagate multi-stage malware through phishing and malspam attacks, not to mention expanding their distribution channels by partnering with other affiliates like Shathak (aka TA551) to increase scale and drive profits.


Mobile Banking Trojan BRATA Gains New, Dangerous Capabilities

The Android malware tracked as BRATA has been updated with new features that grant it the ability to record keystrokes, track device locations, and even perform a factory reset in an apparent bid to cover up fraudulent wire transfers.

The latest variants, detected late last year, are said to be distributed through a downloader to avoid being detected by security software, Italian cybersecurity firm Cleafy said in a technical write-up. Targets include banks and financial institutions in the U.K., Poland, Italy, and Latin America.

“What makes Android RAT so interesting for attackers is its capability to operate directly on the victim devices instead of using a new device,” Cleafy researchers noted in December 2021. “By doing so, Threat Actors (TAs) can drastically reduce the possibility of being flagged ‘as suspicious’, since the device’s fingerprinting is already known to the bank.”

First seen in the wild at the end of 2018 and short for “Brazilian Remote Access Tool Android,” BRATA initially targeted users in Brazil and then rapidly evolved into a feature-packed banking trojan. Over the years, the malware has received numerous upgrades and changes, while also posing as security scanner apps to elude detection.

BRATA is spread via smishing messages that impersonate a bank and contain a link to a malicious website, where the victim is tricked into downloading an anti-spam app. The scammers then call the target and employ social engineering schemes to persuade the user to install the trojan app and grant it overly intrusive permissions.


ZTNAs Address Requirements VPNs Cannot. Here’s Why.

I recently hopped on the Lookout podcast to talk about virtual private networks (VPNs) and how they’ve been extended beyond their original use case of connecting remote laptops to your corporate network. Even in this new world where people are using personal devices and cloud apps, VPN continues to be the go-to solution for remote access and cloud access. After my conversation with Hank Schless, I was inspired to put some additional thoughts about VPN on paper.

When most organizations were forced to shift to remote work last year, they needed a quick-fix solution that would enable their remote employees to access work resources securely. For many, this solution came in the form of VPNs. However, VPNs were not designed for the bring your own device (BYOD) and cloud app use cases.

While VPNs are able to provide remote access, it may come as a surprise that they fall short when it comes to security. This is because VPNs were built for a time when only a small portion of your workforce wanted to work from home. They also place too much trust in the device and the user. But now, as work from anywhere continues, it is important to rethink how to provide access for your entire organization in a secure manner.

What are the challenges of a remote-first workforce?

When they first debuted twenty years ago, VPNs were the de facto method for connecting remote workers to an organization’s data center as laptops became common. Back then, computers still used modems and services like iPass for connectivity. A VPN ran on top of services like iPass to create a “private network” and keep the transmission secure.

But since then, the technological landscape has changed dramatically. In several ways, VPNs were built to solve yesterday’s problems.

Now, the widespread adoption of cloud applications means the way we store and access work data is completely different. On any given day, I’ll connect to an internal development system, access documents on Google Workspace, send Slack messages to coworkers and use Zoom to attend meetings. I can perform all of these equally easily on my smartphone and my laptop.

Many Lookout customers may have a similar experience that also includes accessing applications on AWS or Azure, such as SAP S/4HANA. As we work remotely, we’ve become accustomed to seamlessly accessing what we need wherever it is and to work from any device of our choosing.

Another significant challenge brought on by this new environment is that organizations do not have the required visibility into their complex IT environments.

Unlike back in the day, where you’d only be using work-issued devices on company-managed networks, employees are accessing work resources using devices, networks and software that your IT team has no control over or may even be unaware of. This has significantly increased the attack surface of your organization.

Why are VPNs inadequate for the modern work environment?

One of the biggest issues with VPNs is that they provide full network access to whoever and whatever is connected. And it’s not just the connected device: everything on that device’s network is also given access. So whether it’s a piece of malware or a compromised account, there’s nothing to stop it from moving laterally across your infrastructure and causing harm.

VPNs also have a bad track record when it comes to user experience. When direct access to the cloud is available everywhere, expecting your employees to first sign into a VPN to go to these cloud applications puts a road bump into their workflows. Think of it like forcing someone to travel from Boston to New York City via Los Angeles — inefficient. If you’ve ever experienced slow page loading times or snail-paced downloads while on a VPN, then it is likely due to your traffic being forced to take an inefficient route.

What’s the alternative?

For the reasons discussed above, VPNs don’t cut it when it comes to giving your remote workers secure access to what they need. Secure access technologies like Zero Trust network access (ZTNA) or cloud access security broker (CASB) pick up where VPNs leave off.

These secure access service edge (SASE) technologies grant granular access to only the applications and data that your workers need while continuously monitoring user and device behavior to dynamically adjust access based on risk. This means that the risk of lateral movement is dramatically reduced, the connectivity between the user and the app is efficient, and the security of the connection goes well beyond encrypting traffic between two points.

ZTNA provides seamless connection to your apps without putting your data at risk

After all these years of connecting your workers to your organization, VPNs deserve praise where it’s due. But the problems they were made to address back then are no longer relevant. Your organization is now facing the challenge of giving your workers the freedom and flexibility to work with applications in the cloud from anywhere while safeguarding your data. Moving away from technology like VPNs to next-generation alternatives like ZTNA is a good start.

Learn how you can augment your VPN deployment and safeguard your organization by checking out the Lookout Secure Access Service Edge solution.

Note — This article is written and contributed by Sundaram Lakshmanan, CTO of SASE Products.
