Demand for Virtual CISO services is soaring. According to Gartner, the use of vCISO services among small and mid-size businesses and non-regulated enterprises was expected to grow by a whopping 1900% in just one year, from only 1% in 2021 to 20% in 2022!

Offering vCISO services can be especially attractive for MSPs and MSSPs. By addressing their customers’ needs for proactive cyber resilience, they can generate a growing amount of recurring revenue from existing and new customers. And all while differentiating themselves from the competition. vCISO services also enable upselling of additional products and services the MSP or MSSP specializes in.

However, not all MSPs and MSSPs fully understand how to provide vCISO services. Some may be unsure about which services are expected from them. Others may not realize they are already providing vCISO services and have the potential to effortlessly broaden their offerings into a complete vCISO suite or package it differently to make it more lucrative.

images from Hacker News

More details have emerged about a botnet called AVRecon, which has been observed making use of compromised small office/home office (SOHO) routers as part of a multi-year campaign active since at least May 2021.

AVRecon was first disclosed by Lumen Black Lotus Labs earlier this month as malware capable of executing additional commands and stealing victim’s bandwidth for what appears to be an illegal proxy service made available for other actors. It has also surpassed QakBot in terms of scale, having infiltrated over 41,000 nodes located across 20 countries worldwide.

“The malware has been used to create residential proxy services to shroud malicious activity such as password spraying, web-traffic proxying, and ad fraud,” the researchers said in the report.

This has been corroborated by new findings from KrebsOnSecurity and Spur.us, which last week revealed that “AVrecon is the malware engine behind a 12-year-old service called SocksEscort, which rents hacked residential and small business devices to cybercriminals looking to hide their true location online.”

images from Hacker News

Threat actors are creating fake websites hosting trojanized software installers to trick unsuspecting users into downloading a downloader malware called Fruity with the goal of installing remote trojans tools like Remcos RAT.

“Among the software in question are various instruments for fine-tuning CPUs, graphic cards, and BIOS; PC hardware-monitoring tools; and some other apps,” cybersecurity vendor Doctor Web said in an analysis.

“Such installers are used as a decoy and contain not only the software potential victims are interested in, but also the trojan itself with all its components.”

The exact initial access vector used in the campaign is unclear but it could potentially range from phishing to drive-by downloads to malicious ads. Users who land on the fake site are prompted to download a ZIP installer package.

The installer, besides activating the standard installation process, stealthily drops the Fruity trojan, a Python-based malware that unpacks an MP3 file (“Idea.mp3”) to load an image file (“Fruit.png”) to activate the multi-stage infection.

images from Hacker News

Multiple security vulnerabilities have been disclosed in the Ninja Forms plugin for WordPress that could be exploited by threat actors to escalate privileges and steal sensitive data.

The flaws, tracked as CVE-2023-37979, CVE-2023-38386, and CVE-2023-38393, impact versions 3.6.25 and below, Patchstack said in a report last week. Ninja Forms is installed on over 800,000 sites.

A brief description of each of the vulnerabilities is below –

• CVE-2023-37979 (CVSS score: 7.1) – A POST-based reflected cross-site scripting (XSS) flaw that could allow any unauthenticated user to achieve privilege escalation on a target WordPress site by tricking privileged users to visit a specially crafted website.
• CVE-2023-38386 and CVE-2023-38393 – Broken access control flaws in the form submissions export feature that could enable a bad actor with Subscriber and Contributor roles to export all Ninja Forms submissions on a WordPress site.

Users of the plugin are recommended to update to version 3.6.26 to mitigate potential threats.

images from Hacker News

A new Android malware strain called CherryBlos has been observed making use of optical character recognition (OCR) techniques to gather sensitive data stored in pictures.

CherryBlos, per Trend Micro, is distributed via bogus posts on social media platforms and comes with capabilities to steal cryptocurrency wallet-related credentials and act as a clipper to substitute wallet addresses when a victim copies a string matching a predefined format is copied to the clipboard.

Once installed, the apps seek users’ permissions to grant it accessibility permissions, which allows it to automatically grant itself additional permissions as required. As a defense evasion measure, users attempting to kill or uninstall the app by entering the Settings app are redirected back to the home screen.

Besides displaying fake overlays on top of legitimate crypto wallet apps to steal credentials and make fraudulent fund transfers to an attacker-controlled address, CherryBlos utilizes OCR to recognize potential mnemonic phrases from images and photos stored on the device, the results of which are periodically uploaded to a remote server.

The success of the campaign banks on the possibility that users tend to take screenshots of the wallet recovery phrases on their devices.

Trend Micro said it also found an app developed by the CherryBlos threat actors on the Google Play Store but without the malware embedded into it. The app, named Synthnet, has since been taken down by Google.

The threat actors also appear to share overlaps with another activity set involving 31 scam money-earning apps, dubbed FakeTrade, hosted on the official app marketplace based on the use of shared network infrastructure and app certificates.

images from Hacker News

Increasing cyber threats and attacks have made protecting organizational data a paramount concern for businesses of all sizes. A group of experts have recognized the pressing need for comprehensive browser security solutions and collaborated to develop “The Definitive Browser Security RFP Template.” This resource helps streamline the process of evaluating and procuring browser security platforms. It provides organizations with a standardized approach to enhance their security posture by protecting the key employee workspace – the browser.

images from Hacker News