
What have we learned about mobile security in 2020?

Whether we like it or not, it is now an established fact that mobile phones play a major role in our day-to-day life, and never has this been truer than in 2020. With opportunities for socializing and travel reduced, it has been a year of scrolling, messaging and video calling. While there is a general perception that mobile phones are a safe haven from malware and cyberthreats, ESET’s research this year has shown that to be far from the truth.

Android threats surged in March, as the COVID-19 crisis created an opportunity for threat actors to exploit Android users’ hunger for information about the virus and related topics. ESET researchers witnessed malicious apps distributed in campaigns under coronavirus-themed disguises, such as infection maps, tracking applications and information about financial compensation.

For example, in Q2 2020, ESET researchers identified a new Android crypto-ransomware posing as a Canadian COVID-19 tracing app, just days after the Canadian government announced its intention to back the development of a nationwide tracing app. ESET researchers also analyzed an extremely dangerous Android app in May called DEFENSOR ID, which was capable of wiping out a victim’s bank account or cryptocurrency wallet and taking over their email or social media accounts.

In July, a long-running cyberespionage campaign was discovered that targeted Android users in the Middle East via the malicious Welcome Chat app. The app’s operators spied on their victims and then made the data harvested from them freely available on the internet. Similarly, victims in the Middle East were also targeted with a new version of Android spyware used by the APT-C-23 group, which allowed threat actors to read notifications from messaging apps and record calls and screen activity.

These discoveries demonstrate that threats must be taken seriously, but they do not need to ruin our experience with mobile phones – it is vital that we are just as committed to protecting our phones with cybersecurity software as we are our laptops and desktops. ESET Mobile Security (EMS) is a solution for Android that protects against a multitude of mobile threats, securing users’ data through strong malware protection and providing a safe browsing environment with its anti-phishing feature. EMS also protects users from physical loss and theft, supplying real-time information about the status and whereabouts of the device in question.

In September of this year, version 6.0 of ESET Mobile Security was launched, adding a host of new features including Payment Protection, which safeguards users while they are using applications in which they access sensitive financial information for banking transactions or online shopping. The feature prevents other apps replacing or reading the screen of any applications installed from the Google Play store that fall into the finance category, also allowing users to use the same protection for other installed apps that fall outside of the finance category.

Version 6.0 also brought design changes, improving its intuitiveness and ease of use with features such as the Call Filter feature that allows users to protect against unwanted incoming calls and a redesign of the Anti-Theft feature to allow for simpler onboarding and resetting of passwords.

The year 2020 also saw ESET awarded certificates by MRG Effitas, a world leader in independent IT security efficacy testing, in their Android 360° Assessment Programmes in Q1, Q2 and Q3, receiving a 99%+ score for detection. As both the report and ESET’s research highlight, Android-based threats are constantly on the rise, and it is therefore vital to have software installed that protects against malware, as well as other threats such as phishing.

To find out more about ESET Mobile Security and how it can keep you and your phone safe from mobile threats, head over to ESET’s website.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

ESET discovers Kobalos: tiny yet complex Linux threat attacking supercomputers

BRATISLAVA, MONTREAL – ESET researchers discovered Kobalos, a malware that has been attacking supercomputers – high performance computer (HPC) clusters. ESET has worked with the CERN Computer Security Team and other organizations involved in mitigating attacks on these scientific research networks. Among other targets was a large Asian ISP, a North American endpoint security vendor as well as several privately held servers.

ESET researchers have reverse engineered this small, yet complex malware that is portable to many operating systems including Linux, BSD, Solaris, and possibly AIX and Windows. “We have named this malware Kobalos for its tiny code size and many tricks; in Greek mythology, a kobalos is a small, mischievous creature,” explains Marc-Etienne Léveillé, who investigated Kobalos. “It has to be said that this level of sophistication is only rarely seen in Linux malware,” adds Léveillé.

Kobalos is a backdoor containing broad commands that don’t reveal the intent of the attackers. “In short, Kobalos grants remote access to the file system, provides the ability to spawn terminal sessions, and allows proxying connections to other Kobalos-infected servers,” says Léveillé.

Any server compromised by Kobalos can be turned into a Command & Control (C&C) server by the operators sending a single command. As the C&C server IP addresses and ports are hardcoded into the executable, the operators can then generate new Kobalos samples that use this new C&C server. In addition, in most systems compromised by Kobalos, the client for secure communication (SSH) is compromised to steal credentials.

“Anyone using the SSH client of a compromised machine will have their credentials captured. Those credentials can then be used by the attackers to install Kobalos on the newly discovered server later,”

adds Léveillé. Setting up two-factor authentication for connecting to SSH servers will mitigate the threat, since the use of stolen credentials seems to be one of the ways it is able to propagate to different systems.

For more technical details about Kobalos, read the blogpost “Kobalos – A complex Linux threat to high performance computing infrastructure” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

Industry and region of compromised organizations


ESET uncovers Operation NightScout: Cyberespionage supply-chain attack on gamers in Asia

BRATISLAVA, MONTREAL – A few days ago, ESET researchers discovered a new supply-chain attack compromising the update mechanism of NoxPlayer, an Android emulator for PCs and Macs. Three different malware families were spotted being distributed through tailored malicious updates to selected victims. There was no sign of financial motivation; only cyberespionage capabilities were observed. ESET dubbed the malicious operation NightScout.

BigNox is a company based in Hong Kong that provides various products, primarily an Android emulator for PCs and Macs called NoxPlayer. The company claims that it has more than 150 million users in over 150 countries who speak at least 20 different languages. That said, BigNox’s follower base is predominantly in Asian countries.

“Based on ESET telemetry, we saw the first indicators of compromise in September 2020. Activity continued apace until we uncovered explicitly malicious activity this week, at which point we reported the incident to BigNox,” says ESET researcher Ignacio Sanmillan, who revealed Operation NightScout.

Operation NightScout is a highly targeted operation with ESET researchers able to identify only several victims. Those identified victims are based in Taiwan, Hong Kong and Sri Lanka. “Based on the compromised software in question and the delivered malware exhibiting surveillance capabilities, we believe this may indicate the intent of intelligence collection on targets involved in the gaming community,” elaborates Sanmillan.

Map – Distribution of NightScout victims

In this specific supply-chain attack, the NoxPlayer update mechanism served as the vector of compromise. On launch, if NoxPlayer detects a newer version of the software, it will prompt the user with a message box offering the user the option to install it, thus delivering the malware.

“We have sufficient evidence to state that BigNox’s infrastructure was compromised to host malware and also to suggest that their API infrastructure could have been compromised. In some cases, additional payloads were downloaded by the BigNox updater from attacker-controlled servers,” adds Sanmillan.


A total of three different malicious update variants were observed by ESET researchers. The first malicious update variant does not seem to have been documented before and has enough capabilities to monitor its victims. The second update variant, like the first, was spotted being downloaded from legitimate BigNox infrastructure. The deployed final payload was an instance of Gh0st RAT (with keylogger capabilities), a tool also widely used among threat actors.

The third variant, PoisonIvy RAT, a remote access tool popular with cybercriminals, was only spotted in activity subsequent to the initial malicious updates and was downloaded from attacker-controlled infrastructure.

ESET has spotted similarities between loaders that our researchers have monitored in the past and some of those used in Operation NightScout. The similarities we see relate to instances discovered in a Myanmar presidential office website supply-chain compromise in 2018, and in early 2020 in an intrusion into a Hong Kong university.

“To be on the safe side, in case of intrusion, perform a standard reinstall from clean media. For uninfected NoxPlayer users, do not download any updates until BigNox sends notification that they have mitigated the threat, furthermore, best practice would be to uninstall the software,” advises Sanmillan.

For more technical details about Operation NightScout, read the blogpost “Operation NightScout: Supply-chain attack targets online gaming in Asia” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

[Update – February 3, 2021]
Following the publication of our research, BigNox have contacted us to say that their initial denial of the compromise was a misunderstanding on their part and that they have since taken these steps to improve security for their users:

  •  use only HTTPS to deliver software updates in order to minimize the risks of domain hijacking and Man-in-the-Middle (MitM) attacks
  •  implement file integrity verification using MD5 hashing and file signature checks
  •  adopt additional measures, notably encryption of sensitive data, to avoid exposing users’ personal information

BigNox have also stated that they have pushed the latest files to the update server for NoxPlayer and that, upon startup, NoxPlayer will now run a check of the application files previously installed on the users’ machines.
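The mitigations BigNox lists above (HTTPS-only delivery, integrity and signature checks) are what an update client must enforce before applying a downloaded package. The following is an added example, not BigNox’s or ESET’s code: a minimal verifier that authenticates a signed update manifest, requires HTTPS from an allow-listed publisher host, and only then checks the payload hash. To stay standard-library only it uses HMAC-SHA256 as a stand-in for the publisher’s signature (a real client would carry only an asymmetric public key, e.g. Ed25519) and SHA-256 rather than MD5; the key, hosts and payloads are constructed placeholders.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Assumption: HMAC under a publisher key stands in for an asymmetric signature.
PUBLISHER_KEY = b"constructed-publisher-key"
ALLOWED_HOSTS = {"updates.example-publisher.test"}  # constructed allow-list

# Constructed sample payloads: the genuine update and a trojanised replacement.
GENUINE = b"constructed NoxPlayer-style update payload v1.2.3"
TAMPERED = b"constructed payload with an added implant"


def sign_manifest(manifest: dict, key: bytes = PUBLISHER_KEY) -> str:
    """Canonicalise the manifest and authenticate it under the publisher key."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_update(manifest: dict, signature: str, payload: bytes,
                  key: bytes = PUBLISHER_KEY) -> tuple:
    """Return (ok, reason). Every check must pass before the payload is applied."""
    # 1. Authenticate the manifest first. If the update server is compromised,
    #    the attacker can rewrite the file and its published hash together;
    #    only a signature the attacker cannot produce binds the two.
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, "manifest signature invalid"
    # 2. The package must be served over HTTPS from the publisher's own host,
    #    so a manifest pointing at a third-party server is refused even if signed.
    url = urlparse(manifest["url"])
    if url.scheme != "https":
        return False, "update not served over HTTPS"
    if url.hostname not in ALLOWED_HOSTS:
        return False, "update host not allow-listed"
    # 3. The downloaded bytes must match the hash in the signed manifest.
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return False, "payload hash mismatch"
    return True, "ok"


def make_signed_manifest(payload: bytes, url: str) -> tuple:
    """Publisher side: describe the release and sign the description."""
    manifest = {"version": "1.2.3", "url": url,
                "sha256": hashlib.sha256(payload).hexdigest()}
    return manifest, sign_manifest(manifest)


def run_demo() -> dict:
    """Exercise the verifier against the genuine update and three attack cases."""
    good_url = "https://updates.example-publisher.test/update.bin"
    manifest, sig = make_signed_manifest(GENUINE, good_url)
    results = {"genuine": verify_update(manifest, sig, GENUINE)}
    # Payload swapped on the server, manifest left untouched.
    results["swapped_payload"] = verify_update(manifest, sig, TAMPERED)
    # Attacker rewrites hash and URL as well, but cannot re-sign the manifest.
    forged = dict(manifest, sha256=hashlib.sha256(TAMPERED).hexdigest(),
                  url="https://attacker.example.test/update.bin")
    results["forged_manifest"] = verify_update(forged, sig, TAMPERED)
    # Correctly signed release published over plain HTTP is still refused.
    m_http, s_http = make_signed_manifest(GENUINE, "http://updates.example-publisher.test/u.bin")
    results["plain_http"] = verify_update(m_http, s_http, GENUINE)
    # Signed manifest that points off the publisher's host is refused too.
    m_off, s_off = make_signed_manifest(GENUINE, "https://attacker.example.test/u.bin")
    results["off_host"] = verify_update(m_off, s_off, GENUINE)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:16s} -> {outcome}")
```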

*ESET assumes no responsibility for the accuracy of the information provided by BigNox.


DNSpooq bugs expose millions of devices to DNS cache poisoning

Security flaws in a widely used DNS software package could allow attackers to send users to malicious websites or to remotely hijack their devices

Millions of devices could be vulnerable to Domain Name System (DNS) cache poisoning and remote code execution attacks due to seven security flaws in dnsmasq, DNS forwarding and caching software commonly found in smartphones, desktops, servers, routers and other Internet of Things devices, according to Israel-based security company JSOF, which discovered the security holes.

Collectively dubbed DNSpooq, the vulnerabilities in the open-source utility affect a variety of devices and firmware, including those made by some of the world’s leading tech companies.

“Some of the DNSpooq vulnerabilities allow for DNS cache poisoning and one of the DNSpooq vulnerabilities could permit a potential Remote Code execution that could allow a takeover of many brands of home routers and other networking equipment, with millions of devices affected, and over a million instances directly exposed to the Internet,” warned JSOF. According to Shodan, there are almost 1.2 million dnsmasq servers exposed to the internet, with yet more vulnerable devices confined to internal networks but also at risk.


Researchers identified no fewer than 40 vendors that use dnsmasq in a wide range of products and in various pieces of firmware and software. The list includes big names such as Cisco, Asus, AT&T, Comcast, Siemens, Dell, Linksys, Qualcomm, Motorola, and IBM, to mention but a few. Whether and to what extent devices are affected depends on how they use dnsmasq.

DNSpooq consists of seven vulnerabilities divided into two groups – three that could allow DNS cache poisoning attacks and four buffer overflow vulnerabilities, one of which could lead to remote code execution and device takeover.


An overview of the DNSpooq vulnerabilities (source: JSOF)

“The impact of DNS cache poisoning of the routing equipment DNS forwarding server can potentially lead to different kinds of fraud if users believe they are browsing to one website but are actually routed to another,” the researchers said. They went on to add that each device susceptible to DNS cache poisoning might also be taken over by an attacker.

While on their own the security bugs present a limited risk, once chained and combined they could also be used to conduct Distributed Denial-of-Service (DDoS) attacks as well as wormable attacks that could spread malware between devices and networks.

Researchers disclosed the vulnerabilities in August 2020 and went public with their discovery after the embargo ended this month. While highlighting a number of workarounds in its technical whitepaper to DNSpooq, JSOF advised everybody to apply the best “antidote” – update to dnsmasq version 2.83. In the meantime, multiple vendors have released their respective advisories, mitigations, workarounds and patches, which are now neatly listed on the website of the CERT Coordination Center at Carnegie Mellon University. The Cybersecurity and Infrastructure Security Agency (CISA) also had some advice to share for organizations that use vulnerable products.

In June 2020, JSOF discovered and disclosed 19 security vulnerabilities that were collectively dubbed Ripple20 and were found to affect a popular TCP/IP software library used by millions of connected devices.


ESET commended with AV-Test Top Product awards for best Windows antivirus software

BRATISLAVA – ESET, a global leader in cybersecurity, has been commended with Top Product awards in the latest AV-TEST Product Review and Certification reports in both the business and home consumer categories. ESET Endpoint Security 7.3 and ESET Internet Security 13.2 – ESET security products for Windows in the business and consumer lineups, respectively – achieved Top Product awards with perfect Protection and Usability scores in the August and October 2020 tests.

AV-TEST, a leading independent testing organization, uses one of the largest collections of malware samples in the world to create a real-world environment for highly accurate in-house testing and realistic test scenarios.

The tests evaluated the best Windows antivirus software for both home and business users, with all vendors being assessed across three main categories: Protection, Performance and Usability. In both the consumer and business evaluations, ESET’s solutions scored a perfect 6 in the Protection category, which measures the protection against malware such as viruses, worms and Trojan horses, and a perfect 6 in the Usability category, which measures the impact of the security software on the usability of the computer. Both solutions also scored near-perfect scores of 5.5 in the Performance category, which measures the impact of the product on computer speed in daily usage.

In addition to the excellent results, this past summer ESET received its 100th AV-Test certificate – this milestone marks ten years since ESET achieved its first certificate from AV-Test in June 2010.

Roman Kováč, Chief Research Officer at ESET, commented, “It is extremely encouraging not only to continue to receive commendations for our home and business security solutions, but also to be recognized for ten years of consistent and outstanding results in third-party testing. At ESET, we are extremely proud of our work in making technology safer. This recognition from AV-Test reaffirms that our solutions are proven to work in real-world scenarios. Businesses and home users can be confident that they are in safe hands with ESET. After a year like no other, it has never been more important for your sensitive information and data to be protected with advanced security software both at work and at home.”

Learn more about ESET’s home and business solutions for Windows here.

