With Remote Workers on the Rise, Mobile Devices Expand the Attack Surface, Exposing Critical Infrastructure and Assets

In 2020, society endured more social, economic, and structural pressures than ever before, and CIOs, CISOs and IT professionals were confronted with waves of challenges as they scrambled to follow work-from-home mandates and do all they could to keep their teams productive in the context of constant chaos.

Large organizations, whether government agencies or commercial enterprises, had to accelerate their digital transformations, including moving more applications to the cloud, and to identify and address new cybersecurity threats while managing distributed workforces – including the IT teams.

The growth of the mobile workforce and use of company-issued devices, or personal “BYOD” smartphones, tablets, and laptops, is not new. The mobile device management industry has continued to expand over the last two decades – but few could have imagined the urgency, scope, and scale of the conversion to a “mobile first” scenario until it happened in real time.

The accelerated pace of change required business leaders to rapidly adapt their workplace culture, to create more agile communications with customers, to increase employees’ access to tools, including access to web-based information and applications, all while ensuring that the skyrocketing dependency on mobile devices did not compromise enterprise security.

According to Gallup, the percentage of Americans working remotely more than doubled in March 2020, driven by work-from-home orders in response to the coronavirus pandemic. Most experts expect at least some of this shift to be permanent. Even those who have returned partially to the traditional workplace continue to rely on mobile devices, applications, and access to enterprise systems to get work done.

Bring-your-own-device (BYOD) is on the rise, delivering increased mobile flexibility and satisfaction for employees, while helping to reduce IT costs, enhance productivity, and improve security and control for enterprises. The market for BYOD solutions is expected to grow at a compound annual growth rate (CAGR) of 15% from 2020 to 2025, reaching over $430 billion in 2025 according to some industry analysts.

Mobility requires a new…


Beware! Hackers Using New Amazon Gift Card Scam to Infect Devices with Banking Malware

With movement restrictions and lockdowns due to the COVID-19 pandemic, millions of people have preferred to shop online during the holiday season. Cybercriminals, however, are taking advantage of that situation with scams and malware targeting online shoppers. Among those, an Amazon gift card scam has attracted the attention of cybersecurity researchers as it could not only cost you money but also make your device vulnerable to hacking.

Discovered by the cybersecurity research firm Cybereason, the scam targets people in Europe and the US. With many people staying home, gift cards have become a popular present for loved ones during Christmas. However, one such “too good to be true” offer is designed to serve the Dridex banking trojan.

“Both cybercriminals and nation-state threat actors alike find and exploit trending circumstances in order to leverage a given situation to infect unsuspecting victims, such as the holiday season, the ongoing COVID-19 pandemic, or both of them combined,” Daniel Frank, a cybersecurity researcher at Cybereason said in a blog post.

Cybercriminals are sending spoofed emails pretending to give out a $100 Amazon gift card

Dridex Malware

The malware is delivered by phishing attacks through a spoofed email that reads, “We are delighted to enclose a $100 Amazon gift card as our way of saying Thank You.” The email also contains an Amazon order date and number. However, the email comes with a malicious Word document or screensaver file attached. After downloading the attachment, the user is redirected to Amazon’s legitimate webpage, “gaining more credibility with the victim.”

Once the user opens the document, it prompts the user to enable a malicious macro. After the macro is enabled, it shows a fake error message, “Word experienced an error trying to open the file”. In reality, a Windows PowerShell script runs in the background to serve the Dridex malware.
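The chain described above (a Word document whose macro silently launches PowerShell) is what endpoint process-creation telemetry catches. The following detection logic is an added example, not part of the original article: it scans constructed, Sysmon-style process-creation records (a simplified `key=value|key=value` layout assumed here, not a real log format) for an Office application spawning a script interpreter, and scores higher when the command line carries window-hiding or policy-bypass switches.

```python
import re

# Constructed sample events in a simplified Sysmon-like layout (not real telemetry).
SAMPLE_EVENTS = [
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\\Users\\Public\\stage.ps1",
    "ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe Get-Process",
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    "|Image=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=cmd.exe /c whoami",
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|Image=C:\\Windows\\splwow64.exe"
    "|CommandLine=splwow64.exe 12288",
]

# Office hosts that should rarely, if ever, spawn an interpreter.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts commonly launched by malicious macros.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Switches that hide the window, skip the profile, or bypass execution policy.
SUSPICIOUS_FLAGS = re.compile(
    r"-(w(indowstyle)?\s+hidden|e(nc|ncodedcommand)?\s|nop\b|noprofile\b|ep\s+bypass|executionpolicy\s+bypass)",
    re.IGNORECASE,
)

def parse_event(line):
    """Split one constructed record into a field dictionary."""
    return dict(part.split("=", 1) for part in line.split("|"))

def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def score_event(event):
    """0 = benign; 1 = Office spawned an interpreter; 2 = plus evasive switches."""
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    if parent not in OFFICE_APPS or child not in INTERPRETERS:
        return 0
    return 2 if SUSPICIOUS_FLAGS.search(event.get("CommandLine", "")) else 1

def find_macro_chains(lines):
    """Return (parent, child, score) for every record worth an analyst's attention."""
    hits = []
    for line in lines:
        event = parse_event(line)
        score = score_event(event)
        if score:
            hits.append((basename(event["ParentImage"]), basename(event["Image"]), score))
    return hits

if __name__ == "__main__":
    for parent, child, score in find_macro_chains(SAMPLE_EVENTS):
        print(f"score={score} {parent} -> {child}")
```

The printer helper (`splwow64.exe`) spawned by Word scores 0, which is the kind of legitimate child that a rule keyed only on "Word spawned something" would flag.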

The phishing email contains a Word file that serves the Dridex malware, which can steal banking credentials

Apart from spoofed emails, hackers are also using a second delivery method involving screensaver files (with .scr extension). Using SCR to infect devices has gained popularity amongst hackers as it…


Managing security on mobile devices through mobile certificate management | 2020-12-16 | Security Magazine


Wormable Gitpaste-12 Botnet Returns to Target Linux Servers, IoT Devices


A new wormable botnet that spreads via GitHub and Pastebin to install cryptocurrency miners and backdoors on target systems has returned with expanded capabilities to compromise web applications, IP cameras, and routers.

Early last month, researchers from Juniper Threat Labs documented a crypto-mining campaign called “Gitpaste-12,” which used GitHub to host malicious code containing as many as 12 known attack modules that are executed via commands downloaded from a Pastebin URL.

The attacks occurred during a 12-day period starting from October 15, 2020, before both the Pastebin URL and repository were shut down on October 30, 2020.

Now, according to Juniper, the second wave of attacks began on November 10 using payloads from a different GitHub repository, which contains, among other files, a Linux crypto-miner (“ls”), a file with a list of passwords for brute-force attempts (“pass”), and a local privilege escalation exploit for x86_64 Linux systems.

The initial infection happens via X10-unix, a binary written in the Go programming language, which proceeds to download the next-stage payloads from GitHub.

“The worm conducts a wide-ranging series of attacks targeting web applications, IP cameras, routers and more, comprising at least 31 known vulnerabilities — seven of which were also seen in the previous Gitpaste-12 sample — as well as attempts to compromise open Android Debug Bridge connections and existing malware backdoors,” Juniper researcher Asher Langton noted in a Monday analysis.

Included in the list of 31 vulnerabilities are remote code flaws in F5 BIG-IP Traffic Management User Interface (CVE-2020-5902), Pi-hole Web (CVE-2020-8816), Tenda AC15 AC1900 (CVE-2020-10987), and vBulletin (CVE-2020-17496), and an SQL injection bug in FUEL CMS (CVE-2020-17463), all of which came to light this year.

It’s worth noting that Ttint, a new variant of the Mirai botnet, was observed in October using two Tenda router zero-day vulnerabilities, including CVE-2020-10987, to spread a Remote Access Trojan (RAT) capable of carrying out denial-of-service attacks, executing malicious commands, and implementing a reverse shell for remote access.

Aside from installing X10-unix and the Monero crypto mining…