HTML Attachments Remain the Most Dangerous File, Says Barracuda
A new Barracuda Threat Spotlight shows that in March 2023 just under half (45.7%) of all HTML attachments scanned by the company were malicious. This continues a steady rise in the proportion of malicious HTML files since Barracuda’s last report on the threat in May 2022, when the proportion was 21%, less than half of the current value. In comparison, only 0.03% and 0.009% of the highly popular Microsoft Office and PDF file types, respectively, were found to be malicious.
HTML stands for Hypertext Markup Language, and it is used to create and structure content that is displayed online. It is also used in email communication, for example in automated newsletters and marketing materials. In many cases, reports are attached to an email in HTML format (with the file extension .html, .htm, or .xhtml, for example). Attackers leverage HTML attachments for phishing and credential theft and for the delivery of malware.
The data follows analysis by Barracuda researchers of many millions of messages and files scanned by the company’s security technologies. “The security industry has been highlighting cybercriminals weaponizing HTML for years – and evidence suggests it remains a successful and popular attack tool,” said Fleming Shi, Chief Technology Officer, Barracuda.
Barracuda’s analysis further shows that, nearly a year after the company’s last report, not only is the overall volume of malicious HTML attachments increasing but HTML attachments also remain the file type most likely to be used for malicious purposes. “Getting the right security in place is as important now as it has ever been. This means having effective, AI-powered email protection in place that can evaluate the content and context of an email beyond scanning links and attachments. Other important elements include implementing robust multifactor authentication or – ideally – Zero Trust Access controls; having automated tools to respond to and remediate the impact of any attack; and training people to spot and report suspicious messages,” said Shi.
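As an added illustration, not Barracuda's detection logic or any code from the report, the following Python script walks a constructed MIME message, picks out attachments that carry the HTML extensions named above (or an HTML content type), and records which phishing-relevant markers each one contains; the marker list, the sample message and the addresses are assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

HTML_EXTENSIONS = (".html", ".htm", ".xhtml")   # the extensions named in the report
HTML_TYPES = {"text/html", "application/xhtml+xml"}

# Markers that justify a closer look at an HTML attachment; assumed heuristics, not Barracuda's logic.
SUSPICIOUS = {
    "script": re.compile(rb"<script", re.I),
    "form": re.compile(rb"<form\b", re.I),
    "password_field": re.compile(rb"type\s*=\s*['\"]?password", re.I),
    "decoder": re.compile(rb"\b(atob|unescape|document\.write)\s*\(", re.I),
}

def is_html_attachment(part):
    """True when the MIME part is an HTML file by extension or by declared content type."""
    name = (part.get_filename() or "").lower()
    return name.endswith(HTML_EXTENSIONS) or part.get_content_type() in HTML_TYPES

def triage_message(raw):
    """Return one finding per HTML attachment: filename, decoded size and the markers that matched."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        if not is_html_attachment(part):
            continue
        body = part.get_payload(decode=True) or b""
        hits = sorted(name for name, rx in SUSPICIOUS.items() if rx.search(body))
        findings.append({"filename": part.get_filename(), "bytes": len(body), "markers": hits})
    return findings

def build_sample():
    """Constructed message: a PDF plus an 'invoice' .htm that carries a login form and a decoder call."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please open the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application", subtype="pdf", filename="invoice.pdf")
    html = (b"<html><body><form action='https://example.invalid/login' method='post'>"
            b"<input type='password' name='pw'></form>"
            b"<script>document.write(atob('PGI+aGk8L2I+'))</script></body></html>")
    msg.add_attachment(html, maintype="text", subtype="html", filename="invoice.htm")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in triage_message(build_sample()):
        print(finding)
```

The PDF attachment is skipped, so the only finding is the .htm file with all four markers; in a gateway this is where a quarantine or sandbox decision would hang off the marker list.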
A Total of 13 Organizations in 9 Countries Fall Victim to “Dark Pink”
Group-IB has today published a new update on the APT (advanced persistent threat) group codenamed Dark Pink, revealing that a total of 13 organizations in 9 countries have now fallen victim to this malicious actor. Dark Pink’s operations were detailed in depth by Group-IB’s Threat Intelligence unit in a January 2023 blog post, and at that time researchers linked the group to attacks on 7 organizations in the Asia-Pacific region and 1 in Europe. Group-IB experts have since discovered 5 new Dark Pink victims, and the geographic scope of the group’s operations is wider than previously thought, as organizations in Brunei, Thailand, and Belgium were all hit by Dark Pink attacks.
Continued analysis has revealed that this group is still active, as Dark Pink attacked a government ministry in Brunei this past January and a government agency in Indonesia as recently as April 2023. Additionally, Group-IB researchers were able to attribute three other attacks from 2022 to this particular APT group. The initial access vector for Dark Pink attacks continues to be spear-phishing emails, and Group-IB researchers noted in their January 2023 blog that the group utilized an almost-entirely custom toolkit to exfiltrate files and messenger data from infected devices and networks.
Since then, Group-IB experts can reveal that Dark Pink APT has updated many of these custom tools, changing their functionality so as to evade detection by security tooling. For example, the group’s custom KamiKakaBot module, designed to read and execute commands from the threat actors via Telegram, is still stored on the filesystem of infected devices, but it is now divided into two distinct parts: one that controls the device and another that steals sensitive data. Dark Pink also continues to use the MSBuild utility to launch KamiKakaBot in the infection chain.
Group-IB’s Threat Intelligence unit has discovered Dark Pink’s new account on GitHub, which was created as soon as the first information about the APT group was published in the public domain this past January. The threat actors can issue commands to infected machines to download files from this GitHub account, and Group-IB researchers found 12 commits to the new account performed between January 9 and April 11, 2023.
Recent attacks have also seen the group exfiltrate stolen data over HTTP using a webhook service, and they have also leveraged the functionality of an MS Excel add-in to ensure the persistence of TelePowerBot (a simpler version of KamiKakaBot written in PowerShell). In line with Group-IB’s zero-tolerance policy toward cybercrime, all confirmed and potential victims of Dark Pink attacks were issued proactive warnings.
“Dark Pink APT shows no sign of slowing down,” Andrey Polovinkin, Malware Analyst at Group-IB, said. “APT groups are renowned for their responsiveness and ability to adapt their custom tools to continually avoid detection, and Dark Pink is no exception. The profile of the affected targets underscores the significant danger that Dark Pink poses for both public- and private-sector actors. Group-IB will continue to analyze all Dark Pink activity and ensure that confirmed and potential victims are informed.”
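An added detection example, not Group-IB's tooling or anything from its report: over constructed Sysmon-style process-creation records (field names assumed, values made up), it flags MSBuild.exe launches whose parent is a user-facing program rather than a build tool, or whose project file sits under a user-writable path, which is the pattern a living-off-the-land MSBuild launch in a spear-phishing chain like the one described above would leave in endpoint telemetry; the parent allowlists are assumptions to tune per environment.

```python
import re
from pathlib import PureWindowsPath

# Assumed allowlist: parents that legitimately spawn MSBuild.exe on a developer workstation.
BUILD_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "vbcscompiler.exe"}
# Parents that point to a document-driven or interactive launch rather than a build.
USER_FACING_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "explorer.exe",
                       "powershell.exe", "cmd.exe", "wscript.exe"}
USER_WRITABLE = re.compile(r"\\(users|programdata|temp|appdata)\\", re.I)
PROJECT_FILE = re.compile(r"\S+\.(csproj|vbproj|proj|xml|targets)\b", re.I)

def image_name(path):
    """Basename of a Windows image path, lower-cased for comparison."""
    return PureWindowsPath(path).name.lower()

def score_event(ev):
    """Return the reasons an MSBuild.exe process-creation event looks suspicious; [] if it does not."""
    if image_name(ev["Image"]) != "msbuild.exe":
        return []
    reasons = []
    parent = image_name(ev["ParentImage"])
    if parent in USER_FACING_PARENTS:
        reasons.append(f"parent {parent} is not a build tool")
    match = PROJECT_FILE.search(ev.get("CommandLine", ""))
    if match and USER_WRITABLE.search(match.group(0)):
        reasons.append(f"project file under a user-writable path: {match.group(0)}")
    return reasons

def hunt(events):
    """Pair each flagged event's command line with the reasons it was flagged."""
    flagged = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            flagged.append((ev["CommandLine"], reasons))
    return flagged

# Constructed Sysmon-style Event ID 1 records: a normal IDE build, a suspect launch, an unrelated process.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"MSBuild.exe C:\Users\jdoe\AppData\Local\Temp\report.xml"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe"},
]

if __name__ == "__main__":
    for cmdline, reasons in hunt(SAMPLE_EVENTS):
        print(cmdline, "->", "; ".join(reasons))
```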
Acronis Launches Endpoint Detection and Response
Acronis has announced the general availability of Acronis Advanced Security + Endpoint Detection & Response (EDR) for Acronis Cyber Protect Cloud. With new capabilities such as AI-based attack analysis, Acronis EDR reduces complexity and simplifies workflows for a more streamlined operation, making it easier than ever for MSPs and the businesses they serve to deploy comprehensive security and data protection. With more organizations turning to MSPs for their backup and security needs, and with a greater need for simplicity and efficiency, Acronis EDR aims to expand the adoption of advanced security capabilities, helping organizations of all sizes better protect themselves.
“With the proliferation of endpoints and increasing frequency of cyber threats, EDR has become a mission-critical tool in incident response and the fight for data protection. But solutions that are difficult to deploy and maintain are an obstacle,” said Research Vice President of Security and Trust Michael Suby at IDC. “The best solutions deliver the advanced security of EDR and meet the needs of the IT professionals who use it. That means easy deployments and rapid detection, response, and recovery with AI and automation on board.”
Acronis EDR offers the broadest range of out-of-the-box recovery options, taking advantage of its integration with Acronis Cyber Protect’s backup and recovery, endpoint management, and endpoint security capabilities. Designed for Managed Service Providers (MSPs), it allows them to quickly and easily analyze and prioritize security incidents, minimize downtime, and maintain business continuity while keeping their clients safe and protected.
“Other EDR tools can be over-complicated and force MSPs into expensive, time-consuming processes to implement and understand. Acronis EDR delivers a robust EDR solution that is easy to deploy and use while following industry-established standards like the NIST cybersecurity framework and mapping to the MITRE ATT&CK framework,” said Candid Wüest, VP of Research at Acronis. “By rapidly understanding attack analysis and impact, Acronis EDR users can quickly evaluate a potential threat, gain insight into how an attacker gained access, what damage was caused, and how the attack might spread.”
Acronis EDR delivers:
- Optimized Incident Analysis to quickly and easily analyze and prioritize security incidents and potential attacks without relying on costly security expertise or time-consuming processes.
- Integrated Security with Backup & Recovery, for comprehensive protection critical to minimizing downtime and maintaining business continuity in the event of an attack.
- A Complete Cyber Protection Solution in a single agent — simple for MSPs to deploy, manage, and scale — that eliminates the cost, complexity, and security gaps inherent in multiple-point solutions.
“As a cybersecurity expert, I have witnessed firsthand the evolution of EDR and how it has revolutionized the way we approach security,” said Eric O’Neill, former FBI counterintelligence operative. “EDR allows security personnel to efficiently investigate, remediate, and recover from potential incidents while also reducing the attack surface and threat actor dwell time. The latest advances in EDR technology allow for rapid analysis of attack changes, shortened time to respond to incidents, and better business continuity for all organizations.”
Fake ChatGPT Apps Scam Users Out of Thousands of Dollars, Says Sophos
Sophos has announced that it has uncovered multiple apps masquerading as legitimate, ChatGPT-based chatbots to overcharge users and bring in thousands of dollars a month. As detailed in Sophos X-Ops’ latest report, “’FleeceGPT’ Mobile Apps Target AI-Curious to Rake in Cash,” these apps have popped up in both the Google Play and Apple App Store, and, because the free versions have near-zero functionality and constant ads, they coerce unsuspecting users into signing up for a subscription that can cost hundreds of dollars a year.
“Scammers have and always will use the latest trends or technology to line their pockets. ChatGPT is no exception. With interest in AI and chatbots arguably at an all-time high, users are turning to the Apple App and Google Play Stores to download anything that resembles ChatGPT. These types of scam apps—what Sophos has dubbed ‘fleeceware’—often bombard users with ads until they sign up for a subscription. They’re banking on the fact that users won’t pay attention to the cost or simply forget that they have this subscription. They’re specifically designed so that they may not get much use after the free trial ends, so users delete the app without realizing they’re still on the hook for a monthly or weekly payment,” said Sean Gallagher, principal threat researcher, Sophos.
In total, Sophos X-Ops investigated five of these ChatGPT fleeceware apps, all of which claimed to be based on ChatGPT’s algorithm. In some cases, as with the app “Chat GBT,” the developers played off the ChatGPT name to improve their app’s ranking in the Google Play or App Store. While OpenAI offers the basic functionality of ChatGPT to users for free online, these apps were charging anything from $10 a month to $70.00 a year. The iOS version of “Chat GBT,” called Ask AI Assistant, charges $6 a week—or $312 a year—after the three-day free trial; it netted the developers $10,000 in March alone. Another fleeceware-like app, called Genie, which encourages users to sign up for a $7 weekly or $70 annual subscription, brought in $1 million over the past month.
The key characteristics of so-called fleeceware apps, first discovered by Sophos in 2019, are overcharging users for functionality that is already free elsewhere, as well as using social engineering and coercive tactics to convince users to sign up for a recurring subscription payment. Usually, the apps offer a free trial, but with so many ads and restrictions that they are barely usable until a subscription is paid. These apps are often poorly written and implemented, meaning app function is often less than ideal even after users switch to the paid version. They also inflate their ratings in the app stores through fake reviews and by persistently asking users to rate the app before it has even been used or the free trial ends.
“Fleeceware apps are specifically designed to stay on the edge of what’s allowed by Google and Apple in terms of service, and they don’t flout the security or privacy rules, so they are hardly ever rejected by these stores during the review. While Google and Apple have implemented new guidelines to curb fleeceware since we reported on such apps in 2019, developers are finding ways around these policies, such as severely limiting app usage and functionality unless users pay up. While some of the ChatGPT fleeceware apps included in this report have already been taken down, more continue to pop up—and it’s likely more will appear. The best protection is education. Users need to be aware that these apps exist and always be sure to read the fine print whenever hitting ‘subscribe.’ Users can also report apps to Apple and Google if they think the developers are using unethical means to profit,” said Gallagher.