Cloudflare Announces Comprehensive Email Security and Data Protection Tools
Cloudflare has announced several new Zero Trust email security solutions, compatible with any email provider, to protect employees from multichannel phishing attacks, prevent sensitive data from being exfiltrated via email, and help businesses speed up and simplify deployments. Now, Cloudflare is providing organizations with simple and robust phishing and malware protection that is deeply integrated with its Zero Trust platform, helping to secure all of an organization’s applications and data.
“You can’t have a complete Zero Trust solution without securing email, given that a huge proportion of all cyber attacks begin with phishing,” said Matthew Prince, co-founder, and CEO of Cloudflare. “In 2022, Cloudflare Area 1 identified and kept almost 2.3 billion unwanted messages out of customer inboxes. Today we’re filling a void in the marketplace that has been underinvested in for the last ten years, with the first set of deeply integrated solutions that bring together Cloudflare Area 1 email security and our Zero Trust platform.”
Email is one of the most ubiquitous and also most exploited tools that businesses use every single day. The FBI’s latest Internet Crime Report shows that business email compromise and email account compromise, a subset of malicious phishing campaigns, is the most costly—with U.S. businesses losing nearly $2.4 billion. On top of that, email is also one of the hardest tools for businesses to secure, often resulting in multiple vendors, complex deployments, and a huge drain of resources for IT teams. Now, with Cloudflare’s Zero Trust SASE platform, customers can quickly and easily deploy comprehensive email security and data protection tools that are deeply integrated with their existing security stack and work with any email provider.
“Cloudflare One provides a comprehensive Zero Trust SASE platform that is built natively into Cloudflare’s global network, spanning more than 275 cities in over 100 countries. This deeply integrated approach ensures a simple deployment in just a few clicks, without the need to change email providers, and lightning-fast performance wherever users are,” the company said. With Cloudflare Area 1’s new solutions, businesses will be able to:
- Automatically isolate suspicious links or attachments in emails: With Link Isolation, If an employee clicks a link in an email it will automatically be opened using Cloudflare’s industry-leading Remote Browser Isolation technology. Isolating any potentially risky links, downloads, or other zero-day attacks from impacting that user’s computer and the wider corporate network.
- Identify and stop exfiltration of data: With the rapid use of cloud-based email services within organizations, the amount of sensitive data that now resides outside a customer’s premises has increased dramatically. By combining Cloudflare’s Data Loss Prevention and Area 1, businesses can create specific policies to scan for and block sensitive or protected content before it gets attached and sent.
- Onboard new Microsoft 365 domains in minutes: Now it is as simple as possible to deploy Cloudflare Area 1 for Microsoft 365 domains via the Microsoft API. This means a single IT administrator can have the entire solution fully deployed, and running in minutes not days like legacy providers.
A Total of 13 Organizations in 9 Countries Fall Victim to “Dark Pink”
Group-IB has today published a new update into the APT (advanced persistent threat) group codenamed Dark Pink, revealing that a total of 13 organizations in 9 countries have now fallen victim to this malicious actor. Dark Pink’s operations were detailed in depth by Group-IB’s Threat Intelligence unit in a January 2023 blog post, and at this time, researchers linked the group to attacks on 7 organizations in the Asia-Pacific region and 1 in Europe. Group-IB experts have since discovered 5 new Dark Pink victims, and the geographic scope of the group’s operations is wider than previously thought, as organizations in Brunei, Thailand, and Belgium were all hit by Dark Pink attacks.
Continued analysis has revealed that this group is still active, as Dark Pink attacked a government ministry in Brunei this past January and a government agency in Indonesia as recently as April 2023. Additionally, Group-IB researchers were able to attribute three other attacks from 2022 to this particular APT group. The initial access vector for Dark Pink attacks continues to be spear-phishing emails, and Group-IB researchers noted in their January 2023 blog that the group utilized an almost-entirely custom toolkit to exfiltrate files and messenger data from infected devices and networks.
Since then, Group-IB experts can reveal that Dark Pink APT has updated many of these custom tools, changing their functionalities in order to allow the group to slip undetected past defense mechanisms of cybersecurity systems. For example, the group’s custom KamiKakaBot module, designed to read and execute commands from the threat actors via Telegram, is still stored on the filesystem of infected devices, but it is now divided into two distinct parts — one that controls the device and the other that steals sensitive data. Dark Pink also continues to use an MSBuild utility to launch KamiKakaBot in the infection chain.
Group-IB’s Threat Intelligence unit has discovered Dark Pink’s new account on GitHub, which was created as soon as the first information about the APT group was published in the public domain this past January. The threat actors can issue commands to infected machines to download files from this GitHub account, and Group-IB researchers found 12 commits to the new account performed between January 9 and April 11, 2023.
Recent attacks have also seen the group exfiltrate stolen data over a HTTP protocol using Webhook service, and they have also leveraged functionalities of an MS Excel add-in to ensure the persistence of TelePowerBot (a simpler version of KamiKakaBot written in PowerShell). In line with Group-IB’s zero-tolerance policy to cybercrime, all confirmed and potential victims of Dark Pink attacks were issued with proactive warnings.
“Dark Pink APT shows no sign of slowing down,” Andrey Polovinkin, Malware Analyst at Group-IB, said. “APT groups are renowned for their responsiveness and ability to adapt their custom tools to continually avoid detection, and Dark Pink is no exception. The profile of the affected targets underscores the significant danger that Dark Pink poses for both public- and private-sector actors. Group-IB will continue to analyze all Dark Pink activity and ensure that confirmed and potential victims are informed.”
Acronis Launches Endpoint Detection and Response
Acronis has announced the general availability of Acronis Advanced Security + Endpoint Detection & Response (EDR) for Acronis Cyber Protect Cloud. With new capabilities such as AI-based attack analysis, Acronis EDR reduces complexity and simplifies workflows for a more streamlined operation, making it easier than ever for MSPs and the businesses they serve to deploy comprehensive security and data protection. With more organizations turning to MSPs for their backup and security needs, and with a greater need for simplicity and efficiency, Acronis EDR aims to expand the adoption of advanced security capabilities, helping organizations of all sizes better protect themselves.
“With the proliferation of endpoints and increasing frequency of cyber threats, EDR has become a mission-critical tool in incident response and the fight for data protection. But solutions that are difficult to deploy and maintain are an obstacle,” said Research Vice President of Security and Trust Michael Suby at IDC. “The best solutions deliver the advanced security of EDR and meet the needs of the IT professionals who use it. That means easy deployments and rapid detection, response, and recovery with AI and automation on board.”
Acronis EDR offers the broadest number of out-of-the-box recovery options that take advantage of the integration with Acronis Cyber Protect’ backup and recovery, endpoint management, and endpoint security capabilities. Designed for Managed Service Providers (MSPs), it allows them to quickly and easily analyze and prioritize security incidents, minimize downtime, and maintain business continuity while keeping their clients safe and protected.
“Other EDR tools can be over-complicated and force MSPs into expensive, time-consuming processes to implement and understand. Acronis EDR delivers a robust EDR solution that is easy to deploy and use while following industry-established standards like the NIST cybersecurity framework and mapping to the MITRE ATT&CK framework,” said Candid Wüest, VP of Research at Acronis. “By rapidly understanding attack analysis and impact, Acronis EDR users can quickly evaluate a potential threat, gain insight into how an attacker gained access, what damage was caused, and how the attack might spread.”
Acronis EDR delivers:
- Optimized Incident Analysis to quickly and easily analyze and prioritize security incidents and potential attacks without relying on costly security expertise or time-consuming processes.
- Integrated Security with Backup & Recovery, for comprehensive protection critical to minimizing downtime and maintaining business continuity in the event of an attack.
- A Complete Cyber Protection Solution in a single agent — simple for MSPs to deploy, manage, and scale — that eliminates the cost, complexity, and security gaps inherent in multiple-point solutions.
“As a cybersecurity expert, I have witnessed firsthand the evolution of EDR and how it has revolutionized the way we approach security,” said Eric O’Neill, former FBI counterintelligence operative. “EDR allows security personnel to efficiently investigate, remediate, and recover from potential incidents while also reducing the attack surface and threat actor dwell time. The latest advances in EDR technology allow for rapid analysis of attack changes, shortened time to respond to incidents, and better business continuity for all organizations.”
Fake ChatGPT Apps Scam Users Out of Thousands of Dollars, Says Sophos
Sophos has announced that it had uncovered multiple apps masquerading as legitimate, ChatGPT-based chatbots to overcharge users and bring in thousands of dollars a month. As detailed in Sophos X-Ops’ latest report, “’FleeceGPT’ Mobile Apps Target AI-Curious to Rake in Cash,” these apps have popped up in both the Google Play and Apple App Store, and, because the free versions have near-zero functionality and constant ads, they coerce unsuspecting users into signing up for a subscription that can cost hundreds of dollars a year.
“Scammers have and always will use the latest trends or technology to line their pockets. ChatGPT is no exception. With interest in AI and chatbots arguably at an all-time high, users are turning to the Apple App and Google Play Stores to download anything that resembles ChatGPT. These types of scam apps—what Sophos has dubbed ‘fleeceware’—often bombard users with ads until they sign up for a subscription. They’re banking on the fact that users won’t pay attention to the cost or simply forget that they have this subscription. They’re specifically designed so that they may not get much use after the free trial ends, so users delete the app without realizing they’re still on the hook for a monthly or weekly payment,” said Sean Gallagher, principal threat researcher, Sophos.
In total, Sophos X-Ops investigated five of these ChatGPT fleeceware apps, all of which claimed to be based on ChatGPT’s algorithm. In some cases, as with the app “Chat GBT,” the developers played off the ChatGPT name to improve their app’s ranking in the Google Play or App Store. While OpenAI offers the basic functionality of ChatGPT to users for free online, these apps were charging anything from $10 a month to $70.00 a year. The iOS version of “Chat GBT,” called Ask AI Assistant, charges $6 a week—or $312 a year—after the three-day free trial; it netted the developers $10,000 in March alone. Another fleeceware-like app, called Genie, which encourages users to sign up for a $7 weekly or $70 annual subscription, brought in $1 million over the past month.
The key characteristics of so-called fleeceware apps, first discovered by Sophos in 2019, are overcharging users for functionality that is already free elsewhere, as well as using social engineering and coercive tactics to convince users to sign up for a recurring subscription payment. Usually, the apps offer a free trial but with so many ads and restrictions, they’re barely useable until a subscription is paid. These apps are often poorly written and implemented, meaning app function is often less than ideal even after users switch to the paid version. They also inflate their ratings in the app stores through fake reviews and persistent requests of users to rate the app before it’s even been used or the free trial ends.
“Fleeceware apps are specifically designed to stay on the edge of what’s allowed by Google and Apple in terms of service, and they don’t flout the security or privacy rules, so they are hardly ever rejected by these stores during the review. While Google and Apple have implemented new guidelines to curb fleeceware since we reported on such apps in 2019, developers are finding ways around these policies, such as severely limiting app usage and functionality unless users pay up. While some of the ChatGPT fleeceware apps included in this report have already been taken down, more continue to pop up—and it’s likely more will appear. The best protection is education. Users need to be aware that these apps exist and always be sure to read the fine print whenever hitting ‘subscribe.’ Users can also report apps to Apple and Google if they think the developers are using unethical means to profit,” said Gallagher.