News
New Malware Targets Smartphones and PCs Through Wi-Fi Routers

In January 2023 Kaspersky researchers reported on a new domain name system (DNS) changer functionality used in the Roaming Mantis campaign. Now cybercriminals can use compromised Wi-Fi routers in cafes, airports hotels, and other public places to potentially infect more Android smartphones with the Wroba.o malware. At the moment, the new technique targets users in South Korea, but it can be soon implemented in other countries as well.
Roaming Mantis (a.k.a Shaoye) is a cybercriminal campaign first observed by Kaspersky in 2018. It uses malicious Android package (APK) files to control infected Android devices and steal device information. It also has a phishing option for iOS devices and crypto-mining capabilities for PCs. The name of the campaign is based on its propagation via smartphones roaming between Wi-Fi networks, potentially carrying and spreading the infection.
New DNS changer functionality to attack more users via public routers
Kaspersky discovered that Roaming Mantis recently introduced a domain name system (DNS) changer functionality in Wroba.o (a.k.a Agent.eq, Moqhao, XLoader) – the malware that was primarily used in the campaign. A DNS changer is a malicious program that directs the device connected to a compromised Wi-Fi router to a server under the control of cybercriminals instead of a legitimate DNS server. On the malicious landing page, the potential victim is prompted to download malware that can control the device or steal credentials.
At the moment, the threat actor behind Roaming Mantis is exclusively targeting routers located in South Korea and manufactured by a very popular South Korean network equipment vendor. To identify them, the new DNS changer functionality gets the router’s IP address and checks the router’s model, compromising targeted ones by overwriting the DNS settings. In December 2022, Kaspersky observed 508 malicious APK downloads in the country.
An investigation of malicious landing pages found that attackers are also targeting other regions using smishing instead of DNS changes. This technique employs text messages to spread malicious links that direct the victim to a malicious site to download malware onto the device or steal user info via a phishing website. According to Kaspersky Security Network (KSN) statistics in September – December 2022, the highest detection rate of Wroba.o malware (Trojan-Dropper.AndroidOS.Wroba.o) was in France (54.4%), Japan (12.1%), and the U.S. (10.1%).
“When an infected smartphone connects to ‘healthy’ routers in various public places like cafes, bars, libraries, hotels, shopping malls, airports, or even homes, Wroba.o malware can compromise these routers and affect other connected devices as well. The new DNS changer functionality can manage all device communications using the compromised Wi-Fi router, such as redirecting to malicious hosts and disabling updates of security products. We believe that this discovery is highly critical for the cybersecurity of Android devices because it is capable of being widely spread in the targeted regions,” said Suguru Ishimaru, Senior Security Researcher at Kaspersky.
In order to protect your internet connection from this infection, Kaspersky researchers recommend the following:
- Refer to your router’s user manual to verify that your DNS settings haven’t been tampered with or contact your ISP for support.
- Change the default login and password for the admin web interface of the router and regularly update your router’s firmware from the official source.
- Never install router firmware from third-party sources. Avoid using third-party repositories for your Android devices.
- Further, always check browser and website addresses to ensure they are legitimate; look for signs such as https when asked to enter data.
- Consider installing a mobile security solution to protect your devices from these and other threats.
Expert Speak
Don’t Brush It Off – Plan Your Incident Response Now

In business, impermanence is the only certainty. An example is how organizations addressed the COVID-19 pandemic. Within a few weeks, many developed a plan to run their businesses remotely.
More than three-quarters of organizations worldwide don’t have an IT incident response plan in place because most believe they have little risk of becoming a cyberattack statistic. Unfortunately, that’s still likely to happen.
According to africanews, in the past year, Kenya has experienced a concerning rise in cyberattacks, with a remarkable 860 million incidents documented in 2022.
As wisely expressed by Benjamin Franklin, “By failing to prepare, you’re preparing to fail.” Let’s explore a strategic incident response plan for your organization.
Create a Backup
Business networks are complex and large, and oftentimes, a network outage results in financial and reputational repercussions, including disgruntled clients. It’s imperative to create a backup of critical data and systems that you can’t run your business without, and store it in a safe location. When the inevitable breach occurs, your business will be able to recover as quickly as possible.
Never Say Never
While a workforce continuity plan might seem unimportant and nonurgent, the pandemic prompted IT departments worldwide to quickly realize the importance of being able to rapidly change the way their organizations conducted business.
Here are a few steps to help you draft a business continuity plan to address the next disruption:
- Form a team with representatives from each department and understand their workflow.
- Identify critical business functions and find a way to prioritize them.
- Assess the risks for every process in your organization and record them.
- Develop a risk mitigation strategy to protect your critical business functions from those risks.
- Document the entire procedure and keep it up to date.
Train Your Employees
A common hurdle with an incident response plan is ensuring that employees take the plan seriously. To deter the mindset that the plan is “less urgent,” educate employees about its importance and the repercussions that can result from cyber threats and cyber incidents. It’s vital to conduct regular training sessions to address hardware failures, software glitches, network outages, and security breaches so that you efficiently mitigate a cybersecurity incident.
What Doesn’t Kill You Makes You Stronger
Understand the points of failure in your previous incidents and find a way to rectify them. Single points of failure should be addressed by establishing a backup, not just in terms of network and systems but also in terms of staff allocation. Relying on a single person, especially when it comes to a critical network, is not a great idea. Delegate a second person to reach out and provide assistance in case of an incident.
While incident response might seem insignificant in the larger scheme of things, when a disaster hits, it could potentially devastate your business. Take some time to prioritize incident management and make it part of your organization’s culture by creating a backup, training your employees, drafting a workplace continuity plan, and learning from your past incidents. Learn more about IT incident management for your business.
Cyber Security
ManageEngine Intros Enhanced SIEM with Dual-Layered System for Better Precision in Threat Detection

ManageEngine, the enterprise IT management division of Zoho Corporation, today unveiled the industry’s first dual-layered threat detection system in its security information and event management (SIEM) solution, Log360. The new feature, available in Log360’s threat detection, investigation and response (TDIR) component, Vigil IQ, empowers security operations centre (SOC) teams in organizations with improved accuracy and enhanced precision in threat detection.
A quality SOC ensures people, processes, and cutting-edge technology function well. However, enterprise security is made difficult by staffing shortages and solution orchestration complexities. Following recent upgrades to the security analytics module of Log360 designed to facilitate SOC optimization through key performance metric monitoring, the company has focused on addressing pressing challenges in security operations.
“In a recent ManageEngine study, a majority of respondents revealed that their SOCs are understaffed. These resource-constrained SOCs grapple with significant obstacles, such as process silos and manual investigation of alerts, which are often non-threats, low-priority issues or false positives. These lead to extended detection and response times for actual threats. To overcome these challenges, we recognize the imperative adoption of AI & ML for contextual event enrichment and rewiring threat detection logic,” said Manikandan Thangaraj, vice president at ManageEngine.
“We pioneered a dual-layered, ML approach to heighten the precision and consistency of threat detection. First, Vigil IQ ensures genuine threats are discerned from false positives. Second, the system facilitates targeted threat identification and response. This advanced system significantly improves the accuracy of identifying threats, streamlining the detection process and allowing SOC analysts to focus their valuable time on investigating real threats.”
Key Features of the Dual-Layered Threat Detection System of Vigil IQ in Log360:
Smart Alerts: Vigil IQ, the TDIR module of Log360, now combines the power of both accuracy and precision in threat detection. With its dynamic learning capability, Vigil IQ adapts to the changing nature of network behaviour to cover more threat instances accurately. It will spot threats that get overlooked due to manual threshold settings, thereby improving the detection system’s reliability.
Proactive Predictive Analytics: Leveraging predictive analytics based on historical data patterns, Vigil IQ predicts potential security threats, facilitating the implementation of proactive measures before incidents occur. This predictive intelligence drastically reduces the mean time to detect (MTTD) threats.
Contextual Intelligence: Vigil IQ enriches alerts with deep contextual information, providing security analysts with comprehensive threat insights. This enrichment of alerts with non-event context accelerates the mean time to respond (MTTR) by delivering pertinent, precise information.
News
Proofpoint Appoints Sumit Dhawan as Chief Executive Officer

Proofpoint has announced that Sumit Dhawan has been appointed chief executive officer, effective immediately. Rémi Thomas, Proofpoint’s chief financial officer, who has been acting as Proofpoint’s interim CEO since October 25th, will continue to serve as the company’s CFO. “The Proofpoint board of directors could not be more excited to partner with Sumit as he joins Proofpoint to usher in a new stage of growth,” said Seth Boro, managing partner at Thoma Bravo. “Sumit brings a wealth of valuable experience and expertise in building category-leading, scaled companies and businesses. We are confident his customer-centric passion and strong legacy of leadership will continue to carry Proofpoint’s mission forward in providing people-centric cybersecurity solutions that address some of the most challenging risks facing organizations today.”
Dhawan is a highly respected and seasoned technology leader with a proven track record of building market-leading security, cloud, and end-user computing businesses. In his most recent role as president of VMware, Dhawan was responsible for driving over $13B of revenue and led the company’s go-to-market functions including worldwide sales, customer success and experience, strategic ecosystem, industry solutions, marketing, and communications. Before that, he was chief executive officer of Instart, a cybersecurity business delivering innovations in web application security services. He has held senior executive and general management roles at both VMware and Citrix and has successfully established category-leading businesses at scale.
“Over the years, Proofpoint has built an exceptional brand and is trusted by some of the world’s leading organizations as their cybersecurity partner of choice,” said Sumit Dhawan. “I’m honoured to join a leader at the forefront of cybersecurity innovation and to shepherd its continuing and unwavering commitment to helping organizations across the globe protect people and defend data.”
Proofpoint recently announced it has entered into a definitive agreement to acquire Tessian, a leader in the use of advanced AI to automatically detect and guard against both accidental data loss and evolving email threats. Tessian’s cloud-native, API-enabled inbound and outbound email protection solution will extend Proofpoint’s award-winning offering to address the most frequent form of data loss including, misdirected email and data exfiltration.
-
Cyber Security1 week ago
Databases Are the Black Boxes for Most Organisations
-
News1 week ago
Proofpoint Appoints Sumit Dhawan as Chief Executive Officer
-
Cyber Security1 week ago
Cybersecurity on a Budget: Affordable Cybersecurity Strategies for Small Businesses
-
Cyber Security1 week ago
ManageEngine Intros Enhanced SIEM with Dual-Layered System for Better Precision in Threat Detection
-
Cloud1 week ago
Google Clarifies the Cause of Missing Google Drive Files
-
Interviews3 days ago
COP28: AI Can Be Leveraged to Deliver Actionable Insights
-
Interviews3 days ago
COP28: Fortinet is Committed to Innovating for a Safer Internet
-
Expert Speak3 days ago
Don’t Brush It Off – Plan Your Incident Response Now