The Hamster Kombat game’s success has attracted malicious actors trying to abuse public interest in the game for monetary gain.
ESET researchers discovered Android spyware named Ratel pretending to be Hamster Kombat, distributed via an unofficial Telegram channel.
Android users are also targeted by fake app stores claiming to offer the game but delivering unwanted advertisements instead.
Windows users can encounter GitHub repositories offering farm bots and auto-clickers that actually contain cryptors delivering the Lumma Stealer infostealer.
BRATISLAVA, KOŠICE — July 23, 2024 — In the past few months, the Telegram clicker game Hamster Kombat has taken the world of cryptocurrency game enthusiasts by storm. As was to be expected, the success of Hamster Kombat has also brought out cybercriminals, who have already started to deploy malware targeting the players of the game. ESET Research has uncovered threats going after both Android and Windows users. Exposing the risks of trying to obtain games and related software from unofficial sources, ESET found several threats: remotely controlled Android malware distributed through an unofficial Hamster Kombat Telegram channel, fake app stores that deliver unwanted advertisements, and GitHub repositories that claim to offer automation tools for the game but distribute cryptors delivering the Lumma Stealer infostealer to Windows devices.
“Even though gameplay, which mostly entails repeatedly tapping the screen of one’s mobile device, might be rather simple, players are after something more: the possibility of earning big once Hamster Kombat’s creators unveil the promised new cryptocoin tied to the game. Unfortunately, we discovered that cybercriminals have also started to capitalize on Hamster Kombat’s popularity,” explains ESET researcher Lukáš Štefanko, who discovered and analyzed the Hamster Kombat threats.
Due to its success, the game has already attracted countless copycats that replicate its name and icon and have similar gameplay. Luckily, none of the early examples we found were malicious, although they nevertheless aim to make money from in-app advertisements.
ESET has identified and analyzed two types of threats targeting Android users: a malicious app that contains the Android spyware Ratel and fake websites that impersonate app store interfaces claiming to have Hamster Kombat available for download. ESET researchers found a Telegram channel distributing Android spyware, named Ratel, disguised as Hamster Kombat. This malware is capable of stealing notifications and sending SMS messages. The malware operators use this functionality to pay for subscriptions and services with the victim’s funds, without the victim noticing. Upon startup, the app requests notification access permission and asks to be set as the default SMS application. Once these permissions are granted, the malware gets access to all SMS messages and is able to intercept all displayed notifications.
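The combination described above (notification access plus the default SMS role) is the kind of permission profile a defender can triage for before an app ever reaches a device. The following is an added example, not ESET's tooling: it parses an Android manifest and flags an app that both declares a notification listener service and requests the SMS permissions Android requires of a default SMS handler. Both manifests and the package names com.example.hamster.clone and com.example.tapgame are constructed for the example; the permission and service identifiers are the real Android ones.

```python
"""Flag Android apps that combine notification-listener access with SMS permissions.

Added example (not ESET's tooling). The manifests below are constructed;
the permission and service names are the real Android identifiers.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Permissions an app needs before Android will let it become the default SMS app.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_MMS",
}
# A service guarded by this permission is a notification listener: it sees every
# notification the user sees, including one-time codes delivered that way.
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Constructed manifest: a "game" that quietly wants SMS control and notification access.
SPYWARE_LIKE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hamster.clone">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Hamster Game">
    <activity android:name=".MainActivity"/>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest of an ordinary tap game: network access only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tapgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Tap Game">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


def analyze_manifest(xml_text: str) -> dict:
    """Return the SMS permissions and notification listeners an app declares.

    high_risk is set when both are present: a tap game has no reason to read
    SMS and every notification on the device.
    """
    root = ET.fromstring(xml_text)
    requested = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    listeners = [
        svc.get(NAME_ATTR)
        for svc in root.iter("service")
        if svc.get(PERMISSION_ATTR) == NOTIFICATION_LISTENER
    ]
    sms = sorted(requested & SMS_PERMISSIONS)
    return {
        "package": root.get("package"),
        "sms_permissions": sms,
        "notification_listeners": listeners,
        "high_risk": bool(sms) and bool(listeners),
    }


if __name__ == "__main__":
    for manifest in (SPYWARE_LIKE_MANIFEST, BENIGN_MANIFEST):
        report = analyze_manifest(manifest)
        verdict = "HIGH RISK" if report["high_risk"] else "ok"
        print(f"{report['package']}: {verdict} sms={report['sms_permissions']} "
              f"listeners={report['notification_listeners']}")
```

The check is deliberately a heuristic for triage queues, not a verdict: a genuine messaging app legitimately holds both capabilities, so the finding should be weighed against what the app claims to be.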
Even though Hamster Kombat is a mobile game, ESET also found malware abusing the game’s name to spread on Windows. Cybercriminals try to entice Windows users with auxiliary tools that claim to make maximizing in-game profits easier for players. ESET research revealed GitHub repositories offering Hamster Kombat farm bots and auto-clickers, which are tools that automate clicks in a game. These repositories actually turned out to be concealing the infamous Lumma Stealer. The GitHub repositories we found either had the malware available directly in the release files or contained links to download it from external file-sharing services. ESET identified three different versions of Lumma Stealer lurking within the repositories.
Lumma Stealer is an infostealer offered as malware-as-a-service, available for purchase on the dark web and on Telegram. First observed in 2022, this malware is commonly distributed via pirated software and spam and targets cryptocurrency wallets, user credentials, two-factor authentication browser extensions, and other sensitive information. Note that Lumma Stealer’s capabilities are not covered in this research since the focus is on the cryptors that deliver this infostealer, not on the infostealer itself.
“Hamster Kombat’s popularity makes it ripe for abuse, which means that it is highly likely that the game will attract more malicious actors in the future,” concludes Štefanko.
Example GitHub repository spreading Lumma Stealer via an “offer” for a farm bot
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.
Imagine you’re at your favorite coffee shop, buying a latte with your credit card. In that brief moment of swiping or tapping your card, a complex web of data transfers occurs behind the scenes. Your payment information travels through various networks, all the way to the merchant’s bank, to authorize the transaction. This seamless experience relies heavily on stringent security measures to protect your sensitive cardholder data from potential cyber threats.
For businesses handling payment card data, achieving firewall PCI DSS compliance is essential to maintaining this security. Without it, the integrity of these daily transactions—and the trust customers place in using their payment cards—would be at significant risk.
Firewall PCI DSS compliance involves meeting the security standards set by the Payment Card Industry Data Security Standard (PCI DSS) for firewall configurations. These standards offer guidelines on how cardholder data should be protected from unauthorized access and breaches by controlling and monitoring inbound and outbound traffic between trusted and untrusted networks.
A firewall is a security barrier that enforces access control lists (ACLs) and other protective measures to manage traffic. In the context of PCI DSS, a compliant firewall configuration must restrict unauthorized access to cardholder data while ensuring secure communication channels for legitimate traffic. This involves a combination of hardware and software firewalls, virtual private networks (VPNs), and other network security measures.
Benefits of a PCI DSS-compliant firewall
Implementing a firewall that adheres to PCI requirements offers many advantages, enhancing both security and operational efficiency for your business. By ensuring your firewall configuration is PCI DSS-compliant, you gain the following benefits:
Strengthened network security: A PCI DSS-compliant firewall enforces stringent protective measures, including precise control over inbound and outbound traffic. This enhanced security posture minimizes the risk of unauthorized access and data breaches by restricting access to sensitive data.
Improved customer trust & satisfaction: Demonstrating compliance with PCI DSS builds customer confidence in your ability to safeguard their payment card data. By protecting cardholder data effectively, you foster trust and potentially increase customer loyalty and satisfaction.
Mitigation of financial risks: Non-compliance with PCI DSS can lead to significant financial penalties. A PCI DSS-compliant firewall helps avoid these fines, ranging from $5,000 to $100,000 per month. Additionally, preventing breaches protects your organization from the costs associated with data recovery, legal actions, and loss of business.
Streamlined compliance & audit processes: Meeting PCI DSS requirements simplifies compliance with other regulatory frameworks. It also streamlines audit processes by ensuring that protective measures are in place and regularly tested, reducing the burden of demonstrating compliance during audits.
Competitive market advantage: Achieving firewall compliance can serve as a differentiator in a competitive market. Businesses that prioritize security and compliance can appeal to customers and partners who value data protection, providing a competitive edge.
By leveraging these benefits, your organization not only strengthens its security posture but also positions itself to avoid the significant fines and penalties associated with non-compliance.
Avoiding fines and penalties
Failure to comply with PCI DSS can lead to severe financial and reputational consequences. Financially, non-compliance can result in substantial fines imposed by payment processors or acquiring banks. These fines vary based on the severity and duration of non-compliance.
For example, in 2019, Marriott International faced a fine of over $120 million due to a data breach, underscoring the significant financial risks involved. Beyond fines, non-compliance often leads to increased operational costs due to more frequent and stringent audits, which require additional resources and can disrupt regular business activities.
The reputational damage resulting from non-compliance can be even more detrimental. Customers expect businesses to protect their payment card data, and a breach can severely erode trust. According to a 2024 study by CivicScience, 56% of customers express a complete lack of trust in a company post-breach. Consumers aged 25-44 are more forgiving, while those aged 45-54 are least likely to trust a company again.
High-profile breaches have shown that customer confidence can erode rapidly, resulting in decreased sales and a long-term decline in market value. Based on recent Forbes research, 80% of customers in developed countries will abandon a business if their personal data is compromised in a security breach. Negative word-of-mouth and media coverage further amplify the reputational damage, making it challenging for businesses to rebuild trust and attract new customers.
Moreover, the legal ramifications of a data breach can be significant. Businesses may face lawsuits from affected customers or regulatory bodies, leading to costly legal proceedings and settlements. For instance, Target’s data breach cost the organization an $18 million settlement.
These legal battles not only strain financial resources but also contribute to ongoing negative publicity, compounding the damage to the brand’s reputation. Thus, adhering to PCI DSS requirements is crucial not only for regulatory compliance but also for maintaining financial health and customer trust.
Meeting specific PCI requirements
Businesses must comply with various PCI DSS requirements to achieve compliance. These requirements—including maintaining a secure firewall configuration and regularly updating antivirus software—are designed to protect cardholder information by establishing and maintaining robust protective measures over time. Below is an overview of key PCI DSS requirements for effective firewall setup and network security:
Install and maintain a firewall configuration
Businesses must define and enforce firewall rules that control traffic between trusted and untrusted networks. To protect cardholder information, businesses must install and maintain a PCI DSS-compliant firewall setup.
Pro tip: Configure a business firewall to block all traffic from untrusted networks except for specific IP addresses necessary for business operations.
Do not use vendor-supplied defaults for system passwords and other security parameters
Using default settings is a common vulnerability. Businesses must change default passwords and settings to secure configurations and reduce the risk of unauthorized access.
Pro tip: Change the default admin password on a firewall to a complex, unique password.
Protect stored cardholder data
This requirement emphasizes protecting payment card information stored in databases, files, and other storage systems. Businesses must use encryption and other protective measures to secure stored cardholder data.
Pro tip: Encrypt credit card numbers in a database to prevent unauthorized use of the data.
Encrypt transmission of cardholder data across open, public networks
Businesses must encrypt payment card information when transmitting it over open public networks to protect it from interception by unauthorized parties.
Pro tip: Use SSL/TLS encryption to secure the transmission of credit card information from a customer’s browser to the business’s web server.
Use and regularly update anti-virus software or programs
This requirement involves deploying anti-virus software to protect systems from malware and regularly updating these programs to defend against new threats.
Pro tip: Install anti-virus software on all systems that handle cardholder data and schedule regular updates to ensure protection against the latest malware.
Develop and maintain secure systems and applications
This involves implementing security patches, conducting vulnerability scans, and maintaining secure development practices to protect applications that handle sensitive data.
Pro tip: Regularly update PCI DSS-compliant firewall software to the latest version to protect against known vulnerabilities.
Restrict access to cardholder data by business need to know
Access to payment card information should be limited to individuals whose job responsibilities necessitate it. Implementing access control lists (ACLs) helps ensure that only authorized personnel have access to sensitive information.
Pro tip: Set firewall rules to allow only the relevant departments access to payment card data.
Identify and authenticate access to system components
Businesses must use robust authentication mechanisms, such as strong passwords and multi-factor authentication, to verify the identity of users accessing system components.
Pro tip: Require employees to use a combination of passwords and biometric authentication to access network firewalls.
Restrict physical access to cardholder data
Restricting physical access involves controlling who can physically access systems and storage areas that contain cardholder data. This includes using locks, access cards, and surveillance systems.
Pro tip: Install keycard access controls and surveillance cameras in data centers that store cardholder data.
Track & monitor all access to network resources and cardholder data
Comprehensive logging and monitoring of firewall logs and network activities are essential to track access to cardholder data and identify suspicious activities.
Pro tip: Use a logging system to monitor and analyze all access attempts to cardholder data and generate alerts when unauthorized access occurs.
Regularly test security systems & processes
Regular testing involves conducting security assessments, vulnerability scans, and penetration testing to identify and address potential weaknesses in security systems.
Pro tip: Schedule regular penetration tests to evaluate the effectiveness of firewall rules and network security measures.
Maintain a policy that addresses information security for all personnel
Businesses must develop and maintain a comprehensive information security policy that outlines security responsibilities, processes, and protocols for all personnel.
Pro tip: Create a security policy that includes guidelines for firewall management, incident response, and employee training.
Implementing effective firewall configurations
Achieving PCI DSS compliance involves installing network firewalls and configuring them effectively to protect sensitive cardholder data and mitigate potential threats. This requires a comprehensive approach that includes defining clear security policies, segmenting your network, integrating advanced detection systems, and conducting regular assessments and updates.
Below are the best practices for configuring a PCI DSS-compliant firewall:
1. Define clear security policies
Establish and document security policies that specify what traffic is allowed or denied. Regularly review and update these policies to reflect evolving security needs and threats.
2. Segment your network
Network segmentation involves dividing your network into smaller segments, each with its own security controls. This limits the exposure of cardholder data and helps contain potential breaches.
3. Implement intrusion detection & prevention systems
Integrate intrusion detection and prevention systems (IDPS) with your firewall to detect and respond to suspicious activities. These systems help identify unauthorized access attempts and mitigate potential threats.
4. Conduct regular vulnerability assessments
Performing regular vulnerability scans helps identify weaknesses in your firewall configuration. Address identified vulnerabilities promptly to maintain a strong security posture.
5. Keep firewall firmware & software up to date
Attackers can exploit outdated firmware and software. Regularly update your firewall to the latest versions and apply security patches to protect against known vulnerabilities.
6. Monitor & log firewall activity
Implement logging and monitoring to track firewall activities, including traffic, configuration changes, and access attempts. Use logs to investigate and respond to suspicious activities.
7. Conduct regular firewall audits
Regular audits of your firewall configuration ensure it remains compliant with PCI DSS firewall requirements. Audits should include reviewing firewall rules, testing intrusion detection capabilities, and verifying network segmentation.
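The audit step above, together with the earlier pro tips (deny all traffic from untrusted networks by default, allow only the departments that need cardholder data, log access attempts), is easiest to keep honest when the ruleset review is scripted. What follows is an added example, not NordLayer's code or product: it parses iptables-save style output and reports rules that would fail the expectations listed on this page. The cardholder data environment (CDE) range 10.20.0.0/24, the trusted range 10.10.0.0/24, and both rulesets are constructed for the example; the hardened ruleset is shown beside the weak one so the difference is concrete.

```python
"""Audit an iptables-save style ruleset against PCI DSS firewall expectations.

Added example, not NordLayer's code or product. The CDE and trusted network
ranges and both rulesets are constructed for illustration; adjust them to
your own segmentation before running this on real output.
"""
import ipaddress
import shlex

CDE_NETWORK = ipaddress.ip_network("10.20.0.0/24")         # assumed cardholder data segment
TRUSTED_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]  # assumed internal segment allowed in

# Constructed ruleset with typical weaknesses: FORWARD accepts by default and
# one rule lets the whole trusted segment into the CDE on any port.
WEAK_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d 10.20.0.0/24 -p tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.10.0.0/24 -d 10.20.0.0/24 -p tcp --dport 5432 -j ACCEPT
-A FORWARD -s 10.10.0.0/24 -d 10.20.0.0/24 -j ACCEPT
-A FORWARD -d 10.20.0.0/24 -j LOG --log-prefix "CDE-DENY "
-A FORWARD -d 10.20.0.0/24 -j DROP
COMMIT
"""

# Same ruleset hardened: deny by default, every allow into the CDE pinned to a port.
HARDENED_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d 10.20.0.0/24 -p tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.10.0.0/24 -d 10.20.0.0/24 -p tcp --dport 5432 -j ACCEPT
-A FORWARD -d 10.20.0.0/24 -j LOG --log-prefix "CDE-DENY "
-A FORWARD -d 10.20.0.0/24 -j DROP
COMMIT
"""


def parse_rules(text):
    """Return ({chain: default policy}, [rule dicts]) from iptables-save output."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            rule = {"chain": tokens[1], "src": None, "dst": None,
                    "proto": None, "dport": None, "target": None, "raw": line}
            i = 2
            while i < len(tokens):
                flag = tokens[i]
                arg = tokens[i + 1] if i + 1 < len(tokens) else None
                if flag == "-s":
                    rule["src"] = ipaddress.ip_network(arg)
                elif flag == "-d":
                    rule["dst"] = ipaddress.ip_network(arg)
                elif flag == "-p":
                    rule["proto"] = arg
                elif flag == "--dport":
                    rule["dport"] = arg
                elif flag == "-j":
                    rule["target"] = arg
                else:
                    i += 1  # token we do not model (e.g. -m state): skip only it
                    continue
                i += 2
            rules.append(rule)
    return policies, rules


def audit(text):
    """Return (severity, message) findings for the default policies and CDE rules."""
    policies, rules = parse_rules(text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(("FAIL", f"{chain} default policy is {policies.get(chain)}, not deny-all"))
    cde_logged = False
    for r in rules:
        if r["dst"] is None or not r["dst"].overlaps(CDE_NETWORK):
            continue  # rule does not touch the cardholder data segment
        if r["target"] == "LOG":
            cde_logged = True
        if r["target"] != "ACCEPT":
            continue
        if r["src"] is None:
            findings.append(("REVIEW", "any-source allow into CDE needs documented "
                                       f"business justification: {r['raw']}"))
        elif not any(r["src"].subnet_of(net) for net in TRUSTED_NETWORKS):
            findings.append(("FAIL", f"allow from untrusted {r['src']} into CDE: {r['raw']}"))
        if r["proto"] is None or r["dport"] is None:
            findings.append(("FAIL", f"allow into CDE without protocol/port restriction: {r['raw']}"))
    if not cde_logged:
        findings.append(("FAIL", "no LOG rule for traffic into the CDE; denied attempts are not auditable"))
    return findings


if __name__ == "__main__":
    for label, ruleset in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"== {label} ruleset ==")
        for severity, message in audit(ruleset) or [("PASS", "no findings")]:
            print(f"{severity}: {message}")
```

The any-source rule on tcp/443 is reported for review rather than failed on purpose: a customer-facing web server inside the CDE genuinely needs it, and the PCI expectation is that such an opening exists in the documented policy, not that it never exists.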
How NordLayer can help in achieving PCI DSS compliance
Navigating PCI DSS compliance can be complex, but NordLayer’s cloud firewall solution simplifies the process. Here’s how NordLayer can support your compliance efforts:
Simplified compliance management: NordLayer’s cloud-based firewall offers centralized control and visibility, making it easier to manage firewall configurations and demonstrate compliance with PCI DSS. You can efficiently configure firewall rules, monitor traffic, and generate compliance reports.
Enhanced security features: NordLayer’s solution includes advanced security features such as intrusion detection, virtual private networks (VPNs), and multi-factor authentication. These features help secure your network and protect cardholder data from unauthorized access.
Scalable & flexible deployment: NordLayer’s cloud-based firewall can quickly be scaled according to your business needs. Whether you require protection for a small office or a large enterprise, NordLayer adapts to your security requirements.
Comprehensive support & guidance: NordLayer provides expert support to help you navigate the complexities of PCI DSS compliance. NordLayer’s team can assist with any questions or challenges from setup to ongoing management.
Cost-effective solution: NordLayer’s subscription-based model offers predictable pricing, eliminating the need for significant upfront investments in hardware and maintenance. This makes it a cost-effective alternative to a traditional hardware firewall.
Secure Remote Access: NordLayer’s cloud-based firewall supports Secure Remote Access, allowing employees to connect safely from any location. This is particularly important for maintaining security and compliance in remote work environments.
In conclusion, firewall PCI DSS compliance is crucial for protecting sensitive data and maintaining customer trust. By implementing effective firewall configurations and leveraging solutions like NordLayer’s cloud firewall, businesses can meet PCI requirements, enhance their network security, and avoid non-compliance’s financial and reputational consequences.
For more information on how NordLayer’s cloud-based firewall can help your organization achieve PCI DSS compliance, visit NordLayer’s cloud firewall.
About NordLayer
NordLayer is an adaptive network access security solution for modern businesses – from the world’s most trusted cybersecurity brand, Nord Security.
The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.
In cosmology, there is the concept of the holographic universe: the idea that a three-dimensional volume of space can be entirely described by the exposed information on its two-dimensional surface. In the context of an organization’s security posture, attack surface management is vital; a vulnerability is almost meaningless unless it is exploitable by a bad actor. The trick to determining where the vulnerable rubber meets the exposed road is in identifying what’s actually reachable, taking into account security controls, or other defenses in depth.
While attack surfaces are expanding in multiple ways, becoming more numerous and more specific, two areas of growth that merit attention are operational technology (OT) and the cloud. In the runZero Research Report, we explored how the prevalence of OT and cloud technology combined with their unique associated risks warrants a deeper look at how to navigate challenges across the attack surfaces for these types of environments.
OT & IT convergence will be the end state
OT and industrial control systems (OT/ICS) environments are undergoing massive changes in a new era of convergence with IT devices and networks. In fact, the 2022 report from the U.S. President’s National Security Telecommunications Advisory Committee on IT-OT Convergence concludes that we must “accept that IT/OT convergence will be the end state” of IT and OT. It is evident that the merger of these historically separated networks under the general IT umbrella has created another high-value attack surface for attackers to plunder.
Historically, security was of less concern than safety and reliability for the “grade-separated” networks supporting OT/ICS devices. These networks had different dynamics, using industry-specific network protocols and abiding by maintenance schedules that were less frequent than IT systems. From an attacker’s perspective, OT systems were relatively soft targets with potentially lucrative rewards.
OT equipment has always been designed for long-term reliability and infrequent changes, so many factory floors, water treatment plants, critical infrastructure sites, and other industrial processes use equipment that is relatively slow compared to modern PCs. OT equipment often omits encryption and authentication at the protocol level to meet real-time control requirements.
And until recently, OT was simply not IT’s problem. Improvements to networking and security technologies have changed this, allowing organizations to link their OT and IT networks (sometimes on purpose, and sometimes not). Teams that were previously responsible for securing laptops and servers are now also responsible for OT security. With mandates to improve management and monitoring efficiencies, systems that were once in a walled garden are now, at least in theory, reachable from anywhere in the world.
OT/ICS around the world
Data from the runZero research team confirms that thousands of OT/ICS devices are indeed “reachable from anywhere in the world.” These devices are prime targets for state actors and ransom seekers, as compromising them can result in industrial or utility disruption.
The number of industrial control systems directly exposed to the public Internet is terrifying. While the year-over-year increase of exposed devices has finally slowed, the total number continues to climb. Over 7% of the ICS systems in the runZero Research Report’s sample data were connected directly to the public Internet, illustrating that organizations are increasingly placing critical control systems on the public Internet.
FIGURE 1 – A selection of industrial devices detected by runZero on the public Internet.
OT Scanning: Passive becomes sometimes active
OT devices often run industry-specific software on hardware with limited computing power. These constraints, combined with the long-term nature of OT deployments, result in an environment that does not respond well to unexpected or excessive network traffic.
Stories abound of naive security consultants accidentally shutting down a factory floor with vulnerability scans. As a result, OT engineers have developed a healthy skepticism for any asset inventory process that sends packets on the network and have instead opted for vendor-specific tools and passive network monitoring. Passive monitoring works by siphoning network traffic to an out-of-band processing system that identifies devices and unexpected behavior, without creating any new communication on the network.
While passive discovery is almost entirely safe, it is also limited. By definition, passive discovery can only see the traffic that is sent, and if a device is quiet or does not send any identifying information across the network, the device may be invisible.
Passive deployments are also challenging at scale, since it’s not always possible to obtain a full copy of network traffic at every site, and much of the communication may occur between OT systems and never leave the deepest level of the network.
FIGURE 2 – An Allen-Bradley industrial PLC indicating 100% CPU utilization due to the device receiving a high rate of packets from an active scan NOT conducted by runZero.
Active scanning is faster, more accurate, and less expensive to deploy, but most scanning tools are not appropriate or safe to use in OT environments. Active scanning must be performed with extreme care. Large amounts of traffic, or traffic that is not typically seen by OT devices, can cause communication disruptions and even impact safety systems.
FIGURE 3 – A partial screenshot of an OT device detected by a runZero active scan.
Safe active scans
runZero enables safe scans of fragile systems through a unique approach to active discovery. This approach adheres to three fundamental principles:
Send as little traffic as possible
Only send traffic that the device expects to see
Incrementally discover each asset to avoid methods that may be unsafe for a specific device
runZero supports tuning of traffic rates at the per-host level as well as globally across the entire task. runZero’s active scans can be configured to send as little as one packet per second to any specific endpoint, while still quickly completing scans of a large environment at a reasonable global packet rate.
runZero is careful to send only valid traffic to discovered services and specifically avoids any communication over OT protocols that could disrupt the device. This logic is adaptive, and runZero’s active scans are customized per target through a policy of progressive enhancement.
runZero’s progressive enhancement is built on a series of staged “probes.” These probes query specific protocols and applications and use the returned information to adapt the next phase of the scan for that target. The earliest probes are safest for any class of device and include ARP requests, ICMP echo requests, and some UDP discovery methods. These early probes determine the constraints for later stages of discovery, including enumeration of HTTP services and application-specific requests. The following diagram describes how this logic is applied.
FIGURE 4 – A high-level overview of the “progressive enhancement” probing process.
Lastly, runZero’s active scans also take into account shared resources within the network path. Active scans will treat all broadcast traffic as a single global host and apply the per-host rate limit to these requests. Scans that traverse layer 3 devices also actively reset the state within session-aware middle devices using a patent-pending algorithm. This combination allows runZero’s active scans to safely detect fragile devices and reduce the impact on in-path network devices as well as CPU-constrained systems within the same broadcast domain.
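The three ideas in this section (a per-host packet rate on top of a global rate, broadcast traffic budgeted as one host, and later probe stages gated on what earlier stages learned) can be shown without sending a single packet. The following is an added example, not runZero's code: a simulated scheduler that assigns send times under both rate limits and a staged probe loop that stops short of HTTP and application probes for hosts identified as controllers. The stage list, the device classes and policy table, the signature strings and the three simulated hosts are all assumptions made for the example.

```python
"""Simulated staged ("progressive enhancement") scan with per-host and global
rate limits. Added example, not runZero's code: the probe stages, device
classes, policy table and simulated hosts are assumptions for illustration.
No packets are sent; the point is the scheduling and gating logic.
"""
from collections import defaultdict

# Probe stages in the order they are attempted. The early ones are the low-risk
# probes named in the text (ARP, ICMP echo, UDP discovery); the later ones run
# only on device classes the policy table permits.
STAGES = ["arp", "icmp", "udp-discovery", "http-enum", "app-specific"]

# Assumed policy: anything that looks like a controller gets the safe stages only.
PROBE_POLICY = {
    "unknown": {"arp", "icmp", "udp-discovery"},
    "plc": {"arp", "icmp", "udp-discovery"},
    "generic": set(STAGES),
    "absent": set(),
}

# Constructed network: what each host answers to each probe (None = silent).
SIMULATED_NET = {
    "10.0.0.5": {"arp": "aa:bb:cc:00:00:05", "icmp": "echo-reply",
                 "udp-discovery": "vendor=ExamplePLC model=X1"},
    "10.0.0.7": {"arp": "aa:bb:cc:00:00:07", "icmp": "echo-reply",
                 "udp-discovery": None, "http-enum": "Server: nginx",
                 "app-specific": "banner"},
    "10.0.0.9": {"arp": None},
}
BROADCAST_ADDRS = {"10.0.0.255", "255.255.255.255"}


class ScanScheduler:
    """Assign send times so no host exceeds per_host_pps and the whole scan never
    exceeds global_pps. All broadcast destinations share one per-host budget, so
    the per-host limit also caps what every device in the domain has to absorb."""

    def __init__(self, per_host_pps, global_pps):
        self.host_gap = 1.0 / per_host_pps
        self.global_gap = 1.0 / global_pps
        self.next_host = defaultdict(float)  # earliest allowed send time per host key
        self.next_global = 0.0

    def _key(self, dst):
        return "broadcast" if dst in BROADCAST_ADDRS else dst

    def schedule(self, dst, requested_at=0.0):
        k = self._key(dst)
        t = max(requested_at, self.next_host[k], self.next_global)
        self.next_host[k] = t + self.host_gap
        self.next_global = t + self.global_gap
        return t


def classify(seen):
    """Derive a device class from the responses gathered so far (assumed signatures)."""
    if seen.get("arp") is None:
        return "absent"
    udp = seen.get("udp-discovery")
    if udp and "PLC" in udp:
        return "plc"
    return "generic"


def run_scan(net, per_host_pps=1.0, global_pps=10.0):
    """Walk the stages, re-classifying each host after every answer so that the
    next stage is adapted to what the device has turned out to be."""
    sched = ScanScheduler(per_host_pps, global_pps)
    seen = {h: {} for h in net}
    classes = {h: "unknown" for h in net}
    timeline = []  # (send_time, host, probe)
    for probe in STAGES:
        for host in net:
            if probe not in PROBE_POLICY[classes[host]]:
                continue  # gated: this device class does not receive this probe
            t = sched.schedule(host)
            timeline.append((t, host, probe))
            seen[host][probe] = net[host].get(probe)
            classes[host] = classify(seen[host])
    return {"classes": classes, "timeline": timeline}


if __name__ == "__main__":
    result = run_scan(SIMULATED_NET)
    for t, host, probe in result["timeline"]:
        print(f"t={t:4.1f}s  {host:<10} {probe}")
    print(result["classes"])
```

With the defaults (one packet per second per host, ten per second globally) the controller at 10.0.0.5 receives only the three safe probes, the silent address gets nothing after its unanswered ARP, and the whole run finishes well within the global budget because the per-host spacing, not the global limit, is what dominates on a small network.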
For those environments where active scanning is inappropriate or unavailable, runZero also supports comprehensive passive discovery through a novel traffic sampling mechanism. This sampling procedure applies runZero’s deep asset discovery logic to observed network traffic, which produces similar results to runZero’s active scanner in terms of depth and detail.
The cloud is someone else’s attack surface
The commoditization of computing power, massive advancements in virtualization, and fast network connectivity have led to just about any form of software, hardware, or infrastructure being offered “as a service” to customers. Where companies used to run their own data centers or rent rack units in someone else’s, they can now rent fractions of a real CPU or pay for bare metal hardware on a per-minute basis.
Cloud migrations are often framed as flipping a switch, but the reality is that these efforts can take years and often result in a long-term hybrid approach that increases attack surface complexity. The result is more systems to worry about, more connectivity between systems, and greater exposure overall.
Cloud migrations
A common approach to cloud migrations is to enumerate the on-premises environment and then rebuild that environment virtually within the cloud provider. runZero helps customers with this effort by providing the baseline inventory of the on-premises data center and making it easy to compare this with the new cloud environment. During this process, organizations may end up with more than twice as many assets, since the migration process itself often requires additional infrastructure. runZero has observed this first hand in the last five years by assisting with dozens of cloud migration projects. It is common for these projects to take longer than planned and result in more assets to manage at completion.
The migration process can be tricky, with a gradual approach requiring connectivity between the old and new environments. Shared resources such as databases, identity services, and file servers tend to be the most difficult pieces to migrate; however, they are also the most sensitive components of the environment.
The result is that many cloud environments still have direct connectivity back to the on-premises networks (and vice-versa). A compromised cloud system is often just as, if not more, catastrophic to an organization’s security situation as a compromised on-premises system.
Ultimately, the lengthy migration process can lead to increased asset exposure in the short-term due to implied bidirectional trust between the old and new environments.
Cloud providers assume many of the challenges of data center management; failures at the power, network, storage, and hardware level become the provider’s problem. New challenges arise to take their place, however, including unique risks that require a different set of skills to address adequately.
Cloud-hosted systems are Internet-connected by definition. While it’s possible to run isolated groups of systems in a cloud environment, cloud defaults favor extensive connectivity and unfiltered egress. Although cloud providers offer many security controls, only some of these are enabled by default, and they function differently than on-premises solutions.
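To make the point about defaults concrete, here is an added example that is not part of the runZero report or product. It reviews a list of security groups in the shape of AWS `ec2 describe-security-groups` output for three of the conditions described above: management ports reachable from anywhere, allow-all ingress from private address space (the implied trust of a hybrid link back to the data center), and the allow-all egress rule that AWS attaches to every newly created security group. The group listing, names and IDs are constructed for this example.

```python
from ipaddress import ip_network

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group IDs, names and rules are invented for this example.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     # The egress rule AWS adds to every new security group: all traffic, anywhere.
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb", "GroupName": "db",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "bridge-to-onprem",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

# Ports that should never face the Internet unfiltered (chosen for this example).
MGMT_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm", 5986: "winrm"}
PRIVATE_V4 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def rule_cidrs(rule):
    """All IPv4 and IPv6 CIDR sources/destinations named by one rule."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def rule_ports(rule):
    """Port range of a rule, or None when the rule covers every protocol and port."""
    if rule.get("IpProtocol") == "-1":
        return None
    return range(rule["FromPort"], rule["ToPort"] + 1)


def review_group(group):
    """Return (severity, message) findings for one security group."""
    findings = []
    for rule in group.get("IpPermissions", []):
        ports = rule_ports(rule)
        for cidr in rule_cidrs(rule):
            net = ip_network(cidr)
            if net.prefixlen == 0:                      # 0.0.0.0/0 or ::/0
                if ports is None:
                    findings.append(("high", "all ports open to the Internet"))
                else:
                    for p in ports:
                        if p in MGMT_PORTS:
                            findings.append(("high", f"{MGMT_PORTS[p]} (port {p}) open to the Internet"))
            elif (ports is None and net.version == 4
                  and any(net.subnet_of(private) for private in PRIVATE_V4)):
                findings.append(("medium", f"all traffic allowed from private range {cidr}: "
                                           "implied trust across the hybrid link"))
    for rule in group.get("IpPermissionsEgress", []):
        if rule.get("IpProtocol") == "-1" and "0.0.0.0/0" in rule_cidrs(rule):
            findings.append(("medium", "unfiltered egress to the Internet (the provider default)"))
    return findings


def review_all(groups):
    """Map each GroupId to its findings; groups with an empty list passed the review."""
    return {g["GroupId"]: review_group(g) for g in groups}


if __name__ == "__main__":
    for group_id, findings in review_all(SAMPLE_GROUPS).items():
        print(group_id, findings or "no findings")
```

The same walk over rules works on real output (`aws ec2 describe-security-groups --output json` loaded with `json.load`), and the "private range" check is the one worth tuning per environment: an allow-all rule from the on-premises range is exactly the bidirectional trust that makes a compromised cloud host as damaging as a compromised data center host.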
Cloud-hosted systems are also vulnerable to classes of attacks that are only significant in a shared computing environment. CPU-specific vulnerabilities like Meltdown, Spectre, and Spectre v2 force cloud operators to choose between performance and security. The mitigations in place for these vulnerabilities are often bypassed. For example, the recently-disclosed CVE-2024-2201 allows for Spectre-style data stealing attacks on modern processors, a concern in shared-hosting cloud environments.
Additionally, the ease of spinning up new virtual servers means that cloud-based inventory is now constantly in flux, often with many stale systems left in unknown states. Keeping up with dozens (or even thousands) of cloud accounts and knowing who is responsible for them becomes a problem on its own.
We analyzed systems where runZero detected end-of-life operating systems (OSs), and found that the proportions of systems running unsupported OSs are roughly the same across the cloud and external attack surfaces. This implies that the ease of upgrading cloud systems may not be as great as advertised.
Hybrid is forever
Cloud infrastructure is here to stay, but so is on-premises computing. Any organization with a physical presence – whether retail, fast food, healthcare, or manufacturing – will require on-premises equipment and supporting infrastructure. Cloud services excel at providing highly available central management, but a medical clinic can’t stop treating patients just because its Internet connection is temporarily offline. A hybrid model requires faster connectivity and increasingly powerful equipment to securely link on-premises and cloud environments.
Even in more simplistic environments, cloud migrations leave behind networking devices, physical security systems, printers, and file servers. All of that equipment will most likely be linked to cloud environments, whether through a VPN or over the public Internet.
Closing Thought
As organizations increasingly rely on OT and cloud services, understanding and managing the attack surface has never been more critical. The unique vulnerabilities associated with these environments require proactive strategies: robust attack surface management, accurate and fast exposure management, and a comprehensive asset inventory to safeguard against emerging threats. Ultimately, fostering a culture that keeps pace with the threat landscape and adopts continuous improvement in security practices will be essential in navigating the complexities of OT and cloud environments.
Not a runZero customer? Download a free trial and gain complete asset inventory and attack surface visibility in minutes.
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network – without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.
ESET Research has discovered a sophisticated Chinese browser injector ESET dubbed HotPage.
It is a signed, vulnerable, ad-injecting driver from a mysterious Chinese company.
The threat poses as a security product that blocks advertisements; however, it introduces even more ads.
HotPage can replace the content of the current page, redirect the user, or simply open a new tab to a website full of gaming ads.
The threat leaves the door open for other threats to run code at the highest privilege level available in the Windows operating system.
BRATISLAVA, MONTREAL — July 18, 2024 — ESET Research has discovered a sophisticated Chinese browser injector: a signed, vulnerable, ad-injecting driver from a mysterious Chinese company. This threat, which ESET dubbed HotPage, comes self-contained in an executable file that installs its main driver and injects libraries into Chromium-based browsers. Posing as a security product capable of blocking advertisements, it actually introduces new ads. Additionally, the malware can replace the content of the current page, redirect the user, or simply open a new tab to a website full of other ads. The malware introduces more vulnerabilities and leaves the system open to even more dangerous threats. An attacker with a non-privileged account could leverage the vulnerable driver to obtain SYSTEM privileges or inject libraries into remote processes to cause further damage, all while using a legitimate and signed driver.
At the end of 2023, ESET researchers stumbled upon an installer named “HotPage.exe” that deploys a driver capable of injecting code into remote processes, and two libraries capable of intercepting and tampering with browsers’ network traffic. The installer was detected by most security products as an adware component. What really stood out to ESET researchers was the embedded driver signed by Microsoft. According to its signature, it was developed by a Chinese company named Hubei Dunwang Network Technology Co., Ltd.
“The lack of information about the company was intriguing. The distribution method is still unclear, but according to our research, this software was advertised as an internet café security solution aimed at Chinese-speaking individuals. It purports to improve the web browsing experience by blocking ads and malicious websites, but the reality is quite different — it leverages its browser traffic interception and filtering capabilities to display game-related ads. It also sends some information about the computer to the company’s server, most likely to gather installation statistics,” explains ESET researcher Romain Dumont, who discovered the threat.
According to available information, the business scope of the company includes technology-related activities such as development, services, and consulting – but also advertising activities. The principal shareholder is currently Wuhan Yishun Baishun Culture Media Co., Ltd., a very small company that looks to be specialized in advertising and marketing. Due to the level of privileges needed to install the driver, the malware might have been bundled with other software packages or advertised as a security product.
Using Windows’ notification callbacks, the driver component monitors new browsers or tabs being opened. Under certain conditions, the adware will use various techniques to inject shellcode into browser processes to load its network-tampering libraries. Using Microsoft’s Detours hooking library, the injected code filters HTTP(S) requests and responses. The malware can replace the content of the current page, redirect the user, or simply open a new tab to a website full of gaming ads. On top of its obvious mischievous behavior, this kernel component leaves the door open for other threats to run code at the highest privilege level available in the Windows operating system: the SYSTEM account. Due to improper access restrictions to this kernel component, any process can communicate with it and leverage its code injection capability to target any non-protected processes.
“The HotPage driver reminds us that abusing Extended Verification certificates is still a thing. As a lot of security models are at some point based on trust, threat actors are inclined to play along the line between legitimate and shady. Whether such software is advertised as a security solution or simply bundled with other software, the capabilities granted thanks to this trust expose users to security risks,” adds Romain. ESET reported this driver to Microsoft in March 2024 and followed their coordinated vulnerability disclosure process. ESET technologies detect this threat — which Microsoft removed from the Windows Server Catalog on May 1, 2024 — as Win{32|64}/HotPage.A and Win{32|64}/HotPage.B.
The Chinese company’s certified products listed in the Windows Server Catalog
About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.
One of the methods used to protect information is redaction, where parts of a document are obscured to prevent unauthorized access to sensitive data. However, passkey redaction attacks exploit weaknesses in this process, potentially exposing the very information intended to be hidden. There are many intricacies to passkey redaction attacks. Today, we’ll explore how they work, their implications, and measures to prevent them.
What is Redaction?
Redaction is the process of removing or obscuring information in a document to protect sensitive data. This is commonly seen in legal, governmental, and corporate documents where confidential information needs to be hidden from public view. Redaction is crucial for maintaining privacy and security, ensuring that only authorized individuals can access certain information.
The Mechanics of Passkey Redaction Attacks
Passkey redaction attacks target the weaknesses in the redaction process. These attacks typically involve:
Inferential Analysis: Attackers use context and surrounding information to infer the redacted content. This can be surprisingly effective, especially if the redaction is not thorough or if enough contextual clues are left visible.
Data Recovery Techniques: Advanced techniques, such as analyzing the metadata or the digital footprint left by the redaction process, can sometimes reveal the hidden content. This is particularly true if the redaction was done improperly using inadequate tools.
Social Engineering: Attackers may employ social engineering tactics to gather additional information that can help piece together the redacted content. This can include phishing, pretexting, or other manipulative tactics to trick individuals into revealing information.
Real-World Examples of Passkey Redaction Attacks
There have been numerous high-profile cases highlighting the dangers of inadequate redaction. Such attacks most frequently target:
Legal Documents: In various legal proceedings, poorly redacted documents have been exposed, leading to the release of confidential information. These instances often arise from the use of improper redaction tools or failure to follow secure redaction procedures.
Corporate Data Breaches: Companies sometimes release documents with redacted sensitive information, such as trade secrets or personal data. However, if the redaction is superficial, attackers can recover this data and exploit it for financial gain or competitive advantage.
Techniques Used in Passkey Redaction Attacks
Text Analysis: By analyzing the context and structure of the document, attackers can make educated guesses about the redacted content. For example, if a name is redacted, surrounding sentences might provide enough context to deduce the name.
PDF Layering: Redactions performed incorrectly on PDFs can leave layers of data that can be uncovered with basic PDF editing tools. This usually happens when the software used only covers the text visually instead of removing it from the file.
Optical Character Recognition (OCR): If a document is scanned and then redacted, OCR technology can sometimes recover the underlying text, especially if the redaction process wasn’t thorough.
File Metadata: Metadata in files can contain information about the redacted content. Attackers can exploit this by examining the file properties and hidden data that may not be visible in the document itself.
Preventing Passkey Redaction Attacks
Preventing passkey redaction attacks requires a combination of best practices, robust tools, and vigilant procedures:
Use Professional Redaction Tools: Always use reputable redaction software designed to permanently remove sensitive data. Avoid using basic word processing software that might only visually obscure the text.
Thoroughly Check Redactions: After redacting, verify that the hidden content really is gone: try to copy and paste the redacted region, and open the document in different viewers.
Remove Metadata: Before sharing redacted documents, remove all metadata that might contain sensitive information. This can usually be done within the document properties settings of most document editors.
Conduct Security Audits: Regularly audit your redaction processes and tools to ensure they are effective and up-to-date. This can help identify and mitigate any potential vulnerabilities.
Educate and Train Staff: Ensure that all personnel involved in document redaction are properly trained in secure redaction practices. Regular training and awareness programs can significantly reduce the risk of human error.
Implement Multi-Layer Security: Use multiple layers of security to protect redacted documents, including encryption, access controls, and secure document sharing platforms.
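The checks asked for above (try to recover the text, strip the metadata) and the PDF-layering and file-metadata weaknesses described earlier can be exercised with a small script. The following Python example is added here and is not part of the original post or of any Portnox tool. It builds two small constructed PDFs, one “redacted” by drawing a black box over the text and one with the text actually replaced and the Info dictionary dropped, then inflates each content stream and reports every secret that is still drawable or still present in the document-info metadata. The PDF builder, sample sentence, author name and secret list are all constructed for this example.

```python
import re
import zlib

# --- Constructed sample documents (not real files) ---------------------------

def build_sample_pdf(content: bytes, info: bytes, compress: bool = True) -> bytes:
    """Assemble a minimal single-page PDF for this example.

    It has no xref table (a viewer would have to repair it), but the parts the
    audit inspects, the page content stream and the optional /Info dictionary,
    are laid out the way real files lay them out.
    """
    if compress:
        body = zlib.compress(content)
        stream_dict = b"/Filter /FlateDecode /Length " + str(len(body)).encode()
    else:
        body = content
        stream_dict = b"/Length " + str(len(body)).encode()
    info_obj = b"5 0 obj << " + info + b" >> endobj\n" if info else b""
    info_ref = b" /Info 5 0 R" if info else b""
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
        b"4 0 obj << " + stream_dict + b" >>\nstream\n" + body + b"\nendstream\nendobj\n"
        + info_obj
        + b"trailer << /Root 1 0 R" + info_ref + b" >>\n%%EOF\n"
    )

SECRETS = ["Jane Doe", "12345"]                 # what the redaction was meant to hide (constructed)
BLACK_BOX = b"0 0 0 rg 72 690 320 16 re f"     # a filled black rectangle drawn over the text line
ORIGINAL_TEXT = (b"BT /F1 12 Tf 72 700 Td "
                 b"(Case number 12345: witness Jane Doe, contact Jane Doe at extension 12345) Tj ET")
CLEAN_TEXT = (b"BT /F1 12 Tf 72 700 Td "
              b"(Case number [REDACTED]: witness [REDACTED], contact [REDACTED]) Tj ET")

# "Redacted" by drawing a box over the text: the Tj operand is still in the
# (compressed) content stream and the author is still named in /Info.
BADLY_REDACTED_PDF = build_sample_pdf(ORIGINAL_TEXT + b"\n" + BLACK_BOX,
                                      b"/Author (Jane Doe) /Title (Witness statement)")
# Redacted properly: the text itself was replaced and the Info dictionary dropped.
PROPERLY_REDACTED_PDF = build_sample_pdf(CLEAN_TEXT + b"\n" + BLACK_BOX, b"")

# --- Audit -------------------------------------------------------------------

STREAM_HEADER = re.compile(rb"<<(?P<dict>[^<>]*)>>\s*stream\r?\n")        # flat stream dictionaries only
LITERAL_STRING = re.compile(rb"\((?P<s>(?:\\.|[^()\\])*)\)")
INFO_FIELD = re.compile(rb"/(?P<key>Author|Title|Subject|Keywords|Creator)\s*"
                        rb"\((?P<v>(?:\\.|[^()\\])*)\)")


def content_streams(pdf: bytes):
    """Yield each stream body, inflating FlateDecode streams so hidden text is searchable."""
    for m in STREAM_HEADER.finditer(pdf):
        d = m.group("dict")
        length = int(re.search(rb"/Length\s+(\d+)", d).group(1))
        data = pdf[m.end(): m.end() + length]
        yield zlib.decompress(data) if b"/FlateDecode" in d else data


def find_text_strings(pdf: bytes) -> list:
    """Literal strings in content streams; in practice these are Tj/TJ operands, i.e. drawable text."""
    return [m.group("s").decode("latin-1")
            for stream in content_streams(pdf)
            for m in LITERAL_STRING.finditer(stream)]


def find_metadata(pdf: bytes) -> dict:
    """Document-info fields (Author, Title, ...), which sit uncompressed in the file."""
    return {m.group("key").decode(): m.group("v").decode("latin-1")
            for m in INFO_FIELD.finditer(pdf)}


def audit_redaction(pdf: bytes, secrets: list) -> list:
    """Return (where, text, leaked_secrets) for every place a secret survives."""
    findings = []
    for text in find_text_strings(pdf):
        hit = [s for s in secrets if s in text]
        if hit:
            findings.append(("content stream", text, hit))
    for key, value in find_metadata(pdf).items():
        hit = [s for s in secrets if s in value]
        if hit:
            findings.append(("metadata /" + key, value, hit))
    return findings


if __name__ == "__main__":
    for name, doc in [("box-over-text", BADLY_REDACTED_PDF), ("text-removed", PROPERLY_REDACTED_PDF)]:
        print(name, audit_redaction(doc, SECRETS) or "clean")
```

A plain text search of the badly redacted file would not find the case number, because the content stream is compressed; the text is nonetheless fully recoverable, which is the “layering” problem described above. The script only understands flat stream dictionaries, literal (not hexadecimal) strings and the classic /Info dictionary; real documents also carry XMP metadata, annotations, bookmarks and fonts, so for production use run the same kind of check with a full PDF library rather than regular expressions.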
Passkey redaction attacks represent a significant threat to information security, exploiting weaknesses in the redaction process to uncover sensitive data. By understanding how these attacks work and implementing robust redaction practices, organizations can better protect their confidential information.
Final Thoughts
Redaction is a critical component of information security, but it must be done correctly to be effective. As the examples and techniques discussed in this post illustrate, the stakes are high, and the consequences of inadequate redaction can be severe. By using professional tools, removing metadata, conducting regular audits, and educating staff, organizations can significantly reduce the risk of passkey redaction attacks and protect their sensitive information from prying eyes.
About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.