Category Archives: Internet Security
What Is Internet Security? – Check Point Software
The Importance Of Internet Security
The COVID-19 pandemic drove a massive shift towards remote work, which changed where and how employees work and use digital resources. With widespread remote work, many employees are working from outside the enterprise network and its built-in cyber defenses, such as the corporate firewall.
As a result, remote workers are at an increased risk of exposure to cyberattacks delivered over the Internet. Internet security solutions are needed to detect and block these threats before they compromise employees' computers and use them to reach corporate data or move laterally into the enterprise network.
The Internet carries numerous types of risks for an organization. Some of the leading threats include:
Internet security solutions should provide comprehensive protection against Internet-borne cyber threats. Crucial capabilities include:
Check Point Harmony Suite offers an integrated cybersecurity architecture providing protection against a range of cyber threats, including Internet threats. Check Point Harmony Browse enables employees to safely browse the Internet from anywhere using security integrated into the browser. Check Point Harmony Connect offers enterprise-level security delivered via a cloud-based secure web gateway (SWG) service.
Need help figuring out which to choose? Learn more about Harmony Browse by signing up for a free demo. You're also welcome to explore the features of Harmony Connect by signing up for a free demo or free trial.
IoT Security Foundation – The Global Home of IoT Cybersecurity
Raising the bar on digital safety and security
We are the Super Blue Team, and we're here to help. The Internet of Things Security Foundation (IoTSF) is a non-profit, global membership organisation striving to make the connected world ever-more secure. We are an international response to the complex challenges posed by cybersecurity in the expansive hyper-connected world of IoT. By collaborating on cyber protection, we can raise the quality bar for secure IoT. Working with our members, we like to think of ourselves as the super blue team of defenders and a natural home for IoT users and technology providers.
In diversity we have strength. We each have a valuable role in keeping the digital world secure. Our stakeholders include IoT hardware and software product vendors, network operators, system specifiers, integrators, distributors, retailers, insurers, local authorities, academic institutions, government agencies, security professionals, researchers and risk managers: anybody with an interest in cyber safety, security and privacy.
Security is a team sport: by working together we can build safer and defend better; together we are stronger. Becoming a member is a solid investment for you and your business, and it shows you care; we invite you to come and join the super blue team.
The economic impact of the Internet of Things will be measured in trillions of dollars, and the number of connected devices in billions. The resultant benefits of a connected society are significant, disruptive and transformative.
Yet along with the many societal, environmental and economic benefits, the rapidly expanding connected world represents a growing attack surface for adversaries of all denominations to exploit. Everyday vulnerabilities in IoT are being exploited for malicious ends, yet the vast majority of them can be prevented simply and cost-effectively.
Enter IoTSF: we're here to help make it safe to connect so the many benefits of IoT can be realized. Through a dedicated program of guidance, reports, events, training, standards, advocacy and much more, we represent a collaborative international response to the wicked challenge of IoT insecurity.
AT&T Tips: 5 Ways to Guard Against Cyberthreats – AT&T Newsroom
Five tips to help protect customers and small businesses from cyberthreats
Let's be honest. Cybersecurity can make your head spin. With words like malware, phishing, spoofing and encryption, learning to protect yourself can feel like a college-level course. But it doesn't have to be that complicated. By following five simple steps, you can start to protect your network, devices and data from an ever-growing list of digital threats.
1. Understand that cyberattacks are real.
When it comes to cybersecurity, many people have an "it won't happen to me" attitude. (That's why they still use the same password for every site, despite expert recommendations to avoid doing so.) However, the reality is that cyberattacks are growing in number year over year.
For example, one of the first hacks was documented in 1963, and today, nearly 60 years later, hackers are attacking phones and computers every 39 seconds.
Small businesses are especially susceptible to these threats. Forty-three percent of all data breaches target small and medium-sized businesses, simply because hackers know many do not have the knowledge or funding to protect themselves.
2. Be proactive.
With cyberthreats on the rise every day, there's no need to sit back and wait for an attack to happen. Monitor your accounts daily so that you are the first to know if suspicious activity is occurring. If you don't have time to sit around and watch your accounts, don't worry. The AT&T ActiveArmor advanced mobile security app offers Identity Monitoring, which alerts you if your personal information is leaked* and provides tips to help resolve the issue.
Small businesses may also benefit from Breach Reports on the ActiveArmor mobile security app. For no additional cost, owners can stay up-to-date with suppliers and other businesses that may have experienced a data breach.
3. Be wary of the unknown.
While phones were once used only for making and receiving calls, today's devices are much more advanced. From mobile banking to surfing the web, streaming videos to storing business documents, our phones have become a centralized location for sensitive information. Hackers know this, so they are increasingly targeting mobile devices. In fact, mobile devices now account for more than 60 percent of digital fraud.
So, what can you do? AT&T already blocks 10 million fraud calls per day, and with the ActiveArmor mobile security app, Spam Risk call blocking is available at no extra cost. You can also choose to block calls from unknown numbers. The app will block the caller or send them straight to voicemail, making it easier for you to avoid phone scams.
4. Be alert, even when you're inside your home.
The Cybersecurity & Infrastructure Security Agency reports that 47 percent of American adults have had their personal information exposed by cyber criminals. So, whether youre running your small business from home or shopping at your favorite online stores, cyberattacks can happen anywhere.
That's why AT&T ActiveArmor internet security blocks around 13 million threats each day, working in the background so customers don't have to. With built-in technologies such as Malicious Site Blocking and Device Monitoring, everything from your smart refrigerator to your alarms and baby monitors is covered.
For added security, you may also find it useful to have AT&T ActiveArmor advanced internet security. This upgraded option includes a Virtual Private Network (VPN) that can further secure your sensitive information, ID Monitoring to alert you of any data leaks, and Advanced Content Controls to manage kids media consumption.
Similarly, when youre on the go, the ActiveArmor mobile security app secures 30,000 at risk Wi-Fi connections per day, ultimately helping to ensure that you can browse, shop, and socialize without fear of interference from the bad guys.
5. Protect your passwords!
We all know it's necessary, but not all of us take steps to do it. Seventy-two percent of people admit to using the same password across multiple logins and only take action when they receive alerts of suspicious activity. Millennials are especially trusting, with 31 percent saying they share their passwords with others.
It seems like such a simple action, but using a strong password that differs from site to site will decrease your chances of being hacked by cybercriminals. If you struggle to keep your passwords in order, don't stress. AT&T ActiveArmor comes with Weak Password Detection and Password Checks to help keep your passwords in order.
You see, cybersecurity might seem complicated, but there are simple steps you can take that make the effort worth it. For more tips and cybersecurity information, check out att.com/cyberaware.
Cybersecurity frameworks and your company – Verdict
Like seatbelts, cybersecurity frameworks work best when you use them. Dozens of cybersecurity frameworks (CSFs) and models have been released over the years with the aim of assisting businesses in lowering the risks associated with cyberattacks.
Ransomware strains are being constantly modified and socially engineered to avoid detection by antivirus software. Some ransomware attacks incorporate worms that allow them to spread across networks, infecting devices beyond the initial source. SaaS applications such as Microsoft 365, Google Workspace and Dropbox are also vulnerable. Worse yet, ransomware attacks have skyrocketed over the past few years. According to Datto's 2020 Global State of the Channel Ransomware Report, 78% of managed service providers surveyed reported attacks against their small and medium-sized business clients over the last two years. Download this whitepaper to learn how Datto can help your organisation protect critical corporate data.
With so many CSFs to pick from, deciding which to adopt is difficult. The short answer is that the choice matters less than actually using one. While no CSF is clearly superior to the others, it helps to identify where they overlap and where they differ in order to make a good choice.
CIS (Center for Internet Security): This is a non-profit organisation whose members work together to develop and identify efficient security methods. Its defence-in-depth strategy employs the 18 CIS Controls, which are prioritised and created to guard against a.
CMMC (Cybersecurity Maturity Model Certification): The US Department of Defense created the CMMC framework as a template for contractors in the Defense Industrial Base. It divides its requirements into three levels: Foundational, Advanced and Expert, and maps them to the controls of NIST SP 800-171 (with SP 800-172 at the Expert level) rather than to the NIST Cybersecurity Framework described below.
COBIT (Control Objectives for Information and Related Technologies): ISACA, an international organisation focused on IT governance, developed the well-known COBIT framework, which is widely used in Europe and is suitable for medium to large enterprises.
Essential Eight: The Australian Cyber Security Centre created this framework, which consists of eight prioritised mitigation strategies designed to help enterprises defend themselves against a range of cyberattacks. It places a strong emphasis on safeguarding internet-connected networks running Microsoft Windows.
ISO/IEC 27001 (from the International Organization for Standardization and the IEC): This is the international standard for information security management systems; organisations that pass an audit receive certification. Its Annex A is extensive: the 2013 edition lists 114 controls in 14 groups and 35 control objectives, and the 2022 edition reorganises them into 93 controls across four themes.
NIST: The National Institute of Standards and Technology published the NIST cybersecurity framework in 2014 with input from private-sector and government experts.
Zero Trust: Strictly speaking, this is not a CSF but a model that continuously verifies every access request. Its basic tenet is "never trust, always verify". The guiding principles of the Zero Trust model are to verify explicitly, to use least-privilege access, and to assume breach, i.e. to design as though the network is already compromised.
Almost continuous supply chain attacks, AI-based spear phishing, and hybrid work practices are behind a global cyber threats scenario that remains dangerous and severe. Attack strategies by bad actors are changing practically every minute, and cybercrime-as-a-service is becoming the norm.
More than 85% of attacks still originate at the human-machine interface, making it the main access point. This is because even with companies employing a wide range of security processes and technologies, social engineering and other emotional manipulation methods are the most effective ways to target employees.
Organisations have to defend against cyberattacks that are rising daily, because they threaten normal company operations. Private-sector businesses across industries have voluntarily implemented some of the many cybersecurity frameworks, singly or in concert, such as the NIST CSF and the MITRE ATT&CK knowledge base of adversary tactics and techniques.
These were created to provide best practices that empower security teams to manage and reduce cybersecurity risk and to contend with a constantly growing attack surface.
Organisations must not rely only on reactive detect-and-respond measures to protect their critical assets against a rapidly changing threat landscape. Instead, they must go beyond cybersecurity frameworks to precisely identify, quantify and manage their key risks.
Compliance with a security framework does not guarantee system security. Firms must also take responsibility for identifying their own specific vulnerabilities and attack paths.
The moment has come to put posture-strengthening measures into action that go beyond merely satisfying regulatory compliance and baseline security standards.
Identify
The Identify function creates the base for the other cybersecurity actions your firm will take. The success of the framework depends on knowing what assets are out there, what risks are associated with them, and how they relate to your business strategy.
Protect
Going deeper into the framework, the PR.DS (Data Security) category under Protect comprises eight subcategories in CSF v1.1 (PR.DS-1 to PR.DS-8), each intended to protect the confidentiality, integrity and availability of information. These include protecting data at rest (PR.DS-1), protecting data in transit (PR.DS-2), and so forth. For example, an organisation might require encryption of data at rest to satisfy PR.DS-1.
Detect
The Detect function requires establishing and running the processes needed to identify the occurrence of a cybersecurity event, so that incidents are discovered quickly.
Respond
The Respond function covers response planning, communications, analysis, mitigation and improvements, so that the cybersecurity programme keeps improving with each incident.
Recover
The Recover function supports a timely return to normal operations to lessen the impact of a cybersecurity incident. Its outcome categories are recovery planning, improvements and communications.
The ability of a business to anticipate, withstand, and recover from a cyberattack is known as cyber resilience. This includes cyber security, business continuity, and incident response, and is based on the ability to successfully identify, protect, detect, respond, and recover fast from any cyber incident.
MSPs are at the heart of an asymmetrical battle, meaning the threat actor has numerous ways to attack that [Datto] partner, and partners are critical because they hold the keys to the kingdom; they're the single point to multiple businesses, so attacking a partner is really a juicy target for a bad actor, says Chris McKie, VP of security solutions product marketing at Datto.
They can attack them [a partner] or their customers by any number of means: email, network, endpoint, cloud. They have the advantage that they just need to find one vulnerability; they need to find one person to click on one link to deliver the malicious payload.
On the flip side, the partner is at an unequalled disadvantage because they have to cover and protect everything. This asymmetrical battle puts threat actors at a huge advantage while putting the MSP at a tremendous disadvantage, says McKie.
To address this we, the [cyber security] industry, have come up with these CSFs. That's the genesis of why there are frameworks in the first place: to help everybody to evaluate their entire security stack from a holistic, comprehensive point of view to address the asymmetrical battle. If you're not using a framework, it's like going into a battle without a plan. You're probably going to lose, and lose badly.
The whole point of a framework, says McKie, is that it gives you that strategy, that roadmap and tools that strengthen not only the MSP's position, but also that of their customers. If you don't have a solid recovery solution in place, BCDR for example, and you suffer a breach by a ransomware attack and your systems go down, you're out of business for some time.
The average breach costs around $8k per hour between the point of attack and the time of remediation. That's serious money lost and, possibly, reputational damage! Something like 60% of small businesses that get hit go out of business, says McKie.
Because of this, you need tools that provide comprehensive, defence-in-depth capabilities to identify, protect, detect, respond and recover against a myriad of threats. You can't protect what you can't see. This makes Datto RMM a must-have weapon in your cybersecurity arsenal.
Datto RMM is a robust platform for remote monitoring and management. To reduce costs and enhance service delivery, managed service providers (MSPs) can use Datto RMM to remotely secure, monitor, and control endpoints.
The only channel RMM to be reviewed so far, Datto RMM is in the top 20% of all businesses that are going through their Building Security in Maturity Model (BSIMM) evaluation.
Datto RMM was developed with a strict emphasis on security. The company makes it simple for its customers to concentrate on service delivery as there is no hardware to maintain and it boasts an uptime of 99.99% availability. It is dedicated to improving client endpoint security for MSPs and platform security.
WhatsApp users alert! This WhatsApp clone is riddled with malware; Do this NOW – HT Tech
Are you using a cloned WhatsApp? Check what it can do to your Android phone. Delete it immediately.
WhatsApp users should pay attention to a fake WhatsApp app that is riddled with malware. A report by security firm ESET has revealed that India is among the countries with the most Android infections, as threat detections continued to rise by 9.5 percent. Most of these detections are attributed to 'GB WhatsApp', a third-party WhatsApp clone.
The report adds that the fake application offers almost all the standard features of the real app, along with some extras. These trojanised builds carry malware that reaches the target device undetected and can even secretly record audio and video. The worst part is that it will not be noticed immediately; it slowly spies on the smartphone's day-to-day activities.
"Behind a large portion of Android/Spy.Agent detections recognized in ESET telemetry is GB WhatsApp, a popular but cloned (and therefore unofficial) third-party version of WhatsApp with additional features. However, the cloned app is not available on Google Play; there are no security checks in place compared with the legitimate WhatsApp, and versions available on various download websites are riddled with malware," the report says.
It further states that WhatsApp is temporarily banning accounts that use such unsupported apps, and that accounts which continue to use them are permanently banned from WhatsApp. Most detections of such apps are in Egypt, Brazil, India and Peru. Separately, the report notes that China (53%) and India (35%) continued to host the highest number of IoT bots geolocated inside their respective countries.
What cyber-victims need to do – newagebd.net
The crime pattern in the digital world is almost the same everywhere. In court, it is often observed that the perpetrators are more or less cyber experts while the victims are relatively cyber-incompetent or unaware. About 30 per cent of cases pending in tribunals are romance scandals, where a woman's private moments are captured with or without her consent and the criminal later publishes those obscene pictures or videos on social media to take revenge, defame her or blackmail her for money. Cases of false information, threats and denigration account for close to 35 per cent, and the remaining 65 per cent of cases are filed over cheating, fraud, hacking, incitement and attacks on religion. According to the CCAF research report, 57 per cent of victims are women and 43 per cent are men. Women are victimised more than men mainly for two reasons: a lack of cyber security awareness among them, and victim blaming. A lack of cyber awareness increases the chance of becoming a victim of cybercrime for both men and women, but criminals take particular advantage of the second factor by blaming women.
Compared to other crimes, the magnitude and impact of cybercrime are dire. One reason is that incidents of cybercrime spread across the globe in an instant: people see the content before it is verified as true or false, the victim's reputation is at stake, and it is not easy to recover. Secondly, identifying a cyber-criminal is not easy; cyber criminals are usually cyber-savvy and may be able to remain anonymous. Thirdly, the perpetrator does not need to be present at the crime scene: a criminal can hack anyone's Facebook account while sitting abroad, which is why cybercrime is a transnational crime without borders. Fourthly, evidence of cybercrime is difficult to collect, and presenting it in court with an expert opinion after examination is even more difficult. Fifthly, the Digital Security Act, 2018 is a special act, and the terms used in it are highly technical and not easy for ordinary people to understand.
Currently, about four thousand cyber cases are pending in different tribunals nationwide. The actual number of cybercrimes is higher than the number of cases reported. Due to public shame of victims, fear, and the complexity of the prosecution process, fewer cases come to the tribunal for trial than the actual number of crimes.
According to the Bangladesh Telecommunication Regulatory Commission, there are about 12.5 crore internet users in Bangladesh. There is no debate that Facebook is the most popular social media site in the country. According to NapoleonCat data, 5.90 crore people now use Facebook, with women accounting for 32 per cent and men for 68 per cent. The number of conscious internet users among this enormous number is insignificant. There are set principles and norms for using social media; some love to ignore them, and some are not well acquainted with them. Some are unknowingly committing cybercrimes and violating laws and rules. A common perception is that victims cannot seek justice if obscene pictures or videos were captured with their consent. This is wrong: as per the law, whoever publishes such photographs or videos with ill motives, whether that person is a man or a woman, commits a cybercrime. Still, nobody should allow personal photos or videos to be taken and shared. Sharing a secret password with anyone to show loyalty and prove trust is entirely unwise. Besides, culprits are misusing technology by editing normal pictures into nude images and even making pornographic videos.
Prevention is better than cure and should be the policy for tackling cybercrime, because the loss incurred cannot be compensated once the offence is committed. The following precautions are vital: (a) strong passwords; simple passwords such as birthdays, cell phone numbers and names are not suitable; (b) two-factor authentication, so that one gets an alert notification when unauthorised access is attempted; (c) no sharing of passwords with anyone, not even close family members, because the relationship could end at any time; (d) no sharing of private photos or videos with anyone in an emotional moment, as a weak moment may bring extreme suffering in life; photos or videos captured are stored in the cloud, where a wrongdoer may gain access and blackmail the victim if the mobile is stolen, hacked, damaged or sent for repair; (e) not opening unsolicited messages, emails or online links, as these might be traps; (f) up-to-date internet security software on the laptop, computer or mobile for better protection; (g) checking and monitoring the friends list on social media, choosing friends carefully, and being vigilant to protect and respect one's privacy.
However, once the crime is committed, the first task is to collect and preserve screenshots, links and pictures of the crime as evidence, and to report the incident to the cyber unit of the police. The helpline service is also very active. One can file a general diary or first information report at the police station if necessary. Another door open for litigation is the cyber tribunal. The required forensic evidence may not be found once the criminal deletes or edits the post or sets it to 'only me'. Facebook and Google respect users' privacy and do not give complete information to the police. It is crucial to recover and seize the device used in the crime to prove the case. The faster the perpetrator is identified and apprehended, the greater the chance of proper justice.
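A practical caveat on collecting evidence: a screenshot that has been resaved, edited or renamed is easy to challenge, so record a cryptographic hash of every item at the moment of collection, together with the time and the collector, and keep that manifest separately from the files. The following is an added example, not part of the article, using a few constructed files in a temporary directory; it builds a SHA-256 manifest and later re-checks the files against it.

```python
from __future__ import annotations

import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large videos need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(paths: list[str], collector: str, note: str = "") -> dict:
    """Record path, size and hash of each evidence item plus who collected it and when."""
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "note": note,
        "items": [
            {"path": os.path.abspath(p), "size": os.path.getsize(p), "sha256": sha256_file(p)}
            for p in paths
        ],
    }


def manifest_digest(manifest: dict) -> str:
    """Hash of the canonical JSON form; print or send this fingerprint to a
    third party so the manifest itself can later be shown to be unchanged."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def verify_manifest(manifest: dict) -> dict[str, list[str]]:
    """Re-hash every item and report which are intact, modified or missing."""
    result: dict[str, list[str]] = {"ok": [], "modified": [], "missing": []}
    for item in manifest["items"]:
        path = item["path"]
        if not os.path.isfile(path):
            result["missing"].append(path)
        elif sha256_file(path) != item["sha256"]:
            result["modified"].append(path)
        else:
            result["ok"].append(path)
    return result


def demo() -> dict:
    """Constructed scenario: two 'screenshots' are collected, then one is edited
    and one deleted; verification pinpoints exactly which items changed."""
    with tempfile.TemporaryDirectory() as workdir:
        shot1 = os.path.join(workdir, "post_2022-10-07.png")
        shot2 = os.path.join(workdir, "chat_2022-10-07.png")
        with open(shot1, "wb") as fh:
            fh.write(b"\x89PNG\r\n\x1a\n constructed screenshot 1")
        with open(shot2, "wb") as fh:
            fh.write(b"\x89PNG\r\n\x1a\n constructed screenshot 2")

        manifest = build_manifest([shot1, shot2], collector="complainant",
                                  note="Facebook post and chat, captured before reporting")
        fingerprint = manifest_digest(manifest)
        before = verify_manifest(manifest)

        with open(shot1, "ab") as fh:  # "touching up" the image changes its hash
            fh.write(b" edited")
        os.remove(shot2)
        after = verify_manifest(manifest)

        return {
            "fingerprint": fingerprint,
            "before": {k: len(v) for k, v in before.items()},
            "after": {k: [os.path.basename(p) for p in v] for k, v in after.items()},
            "fingerprint_unchanged": manifest_digest(manifest) == fingerprint,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Write the manifest to a separate medium (or email its fingerprint to yourself or a lawyer) immediately after collection; the value of the hashes lies in the timestamp being earlier than any dispute about the files.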
Along with technological development, cybercrime will also continue to grow. So let us be aware and vigilant and prevent cybercrime.
Md Ziaur Rahman studies at Queensland University of Technology, Australia.
Talking Point: Secrets of The Dark Web – ABC News
Data breaches of our information are becoming more commonplace these days. Billions of records are stolen worldwide annually. It usually ends up on the Dark Web, so just what is it? Why isn't it controlled and supervised by communication authorities?
Although the Dark Web is associated with illegal activities, it is also used by the intelligence community, whistleblowers, members of the media and ordinary citizens whose communication may be monitored or restricted by the government.
Talking Point with Rod Quinn looked at what is considered the internet's lurid underbelly, the Dark Web with guest, Dr Jeffery Foster, Associate Professor in Cyber Security Studies at Macquarie University's Department of Security Studies and Criminology.
Broadcast: Fri 7 Oct 2022 at 3:00pm
Save big ahead of Prime Day on this mobile VPN and cybersecurity tool – Popular Science
We may earn revenue from the products available on this page and participate in affiliate programs.
We've collectively become increasingly reliant on our ability to connect with others virtually, and many of us store sensitive data in places that also require connectivity. But as threats to online privacy intensify, it can be tough to figure out which protective measures are most appropriate.
For a limited time, the Deeper Connect Pico, a proven and powerful cybersecurity hardware device, is available at only $199.99 (reg. $248) when you use coupon code during our Deal Days Sale. This sale presents an alternative to Prime Day, delivering our best deals on a variety of popular products, including this one, but it will come to an end Oct. 12.
Internet security is threatened on a constant basis, making it vital to take extra precautions toward protecting the privacy and functionality of your online life. Individual hackers and collective hacking groups seek quick money and blackmail power by exploiting sensitive data, but this product presents a simple way to shut them off from access.
Carrying an Amazon rating of four stars out of five, Deeper Connect Pico provides a decentralized VPN and seven-layer firewall protection in a package that weighs only 0.11 pounds. It comes with a Wi-Fi adapter, a USB-C power source and two Ethernet cables.
Deeper Connect Picos fully decentralized VPN experience features multi-routing and smart routing that allows unrestricted access to content from across the globe, regardless of regional blackouts and without sacrificing functional internet speed.
Plus, block all ads and implement parental controls with just one touch. Experience the internet the way it was meant to be explored, without restrictions, and do so easily with the simple plug-and-play setup of Deeper Connect Pico. There are no annual fees or subscriptions required.
Operate your devices with confidence and security, whether at home or on the move, with major savings on Deeper Connect Pico, available now for only $199.99 (no coupon needed) through Oct. 12.
Prices subject to change.
Read the original:
Save big ahead of Prime Day on this mobile VPN and cybersecurity tool - Popular Science
The rise of deepfakes in job interviews: Why we should be concerned – Euronews
By Susan Armstrong
If you're fearful of a future where a potential employer can't tell the difference between a real applicant and a computer-generated forgery, aka a deepfake, and offers the job to them instead of you, you have reason to be a little alarmed.
The FBI's Internet Crime Complaint Centre (IC3) released a Public Service Announcement (PSA) warning employers and job seekers about the rising risk of deepfakes during the recruitment process.
Sure, watching startlingly accurate deepfake videos of actors like Tom Cruise can be fun, albeit a little unnerving at times. They're so popular there's now a TikTok account dedicated entirely to them.
There's also the brilliantly executed Spider-Man: No Way Home trailer that replaces Tom Holland's face with the original Tobey Maguire.
And Korean television channel MBN showed how easily deepfakes could become part of everyday mainstream media by presenting viewers with a deepfake of its own news anchor, Kim Joo-Ha.
But the phenomenon is growing rapidly online and has the potential to become very harmful.
Earlier this year, Meta said it removed a deepfake video that claimed to show Ukrainian president Volodymyr Zelenskyy demanding Ukrainian forces to lay down their arms amid Russia's invasion.
Just as concerning is the harm that individuals could face from being targeted by deepfakes.
The use of the technology to harass or harm private individuals who do not command public attention and cannot command resources necessary to refute falsehoods should be concerning, the US Department of Homeland Security warned in a report about deepfake technology.
Now that cybercriminals are infiltrating organisations with deepfakes, this poses very damaging threats.
According to the FBI, they're applying for working-from-home positions that include information technology and computer programming, database, and software-related job functions. Notably, some reported positions include access to customer PII, financial data, corporate IT databases and/or proprietary information.
When you consider that more than 34 per cent of businesses around the globe are affected by insider threats yearly, the idea that these can now include deepfakes takes the problem to a whole new level, particularly when they can be hard to detect.
A study from Carnegie Mellon University says that artificial intelligence meant to detect video that has been altered can range anywhere from 30 per cent to 97 per cent in accuracy, while a report from Sensity, a threat-intelligence company based in Amsterdam, found that 86 per cent of the time, anti-deepfake technologies accepted deepfake videos as real.
It's clear that when it comes to detection, there's still a very long way to go.
So, how can companies protect themselves from the rise of deepfakes during the recruitment process?
While there is no long-term solution at present, asking candidates to display some form of official identification, recording video interviews and requiring new employees to visit company premises at least once immediately after hiring will mitigate the risks of hiring a deepfake actor.
Companies can also combat deepfakes by accelerating their digital postures, and educating employees involved in hiring processes on best practices.
The FBI, in its announcement, also offered a tip for spotting voice deepfake technology.
"In these interviews, the actions and lip movement of the person seen interviewed on-camera do not completely coordinate with the audio of the person speaking. At times, actions such as coughing, sneezing, or other auditory actions are not aligned with what is presented visually," the agency wrote.
Any company that has identified deepfake attempts should report it here.
But if you're in the market for a job, beat out the competition (real or otherwise) and apply for your dream role.
For inspiration, here are three great roles to check out, with plenty more to discover on Euronews.jobs.
TechNET IT is looking for an experienced Sales Manager to join its team of global leaders in cyber security solutions as it continues to pioneer cyber security innovation.
In the role, you'll become a product specialist in threat prevention, while presenting, defining and implementing threat prevention strategies to end users and partners.
The ideal candidate will have experience working in a security or software company, plus strong selling skills, with a background in selling endpoint security solutions a bonus. If this sounds like you, click here.
Are you an experienced Credit Analyst with a curious and analytical mindset and do you want to give your career a boost?
American Express is recognised for proven excellence in employee conditions and developing talent at all levels of the organisation.
In this role, you'll be performing analysis, remediation, and refresh activities to complete customer files, acting as the first line of defence to detect unusual and suspicious behaviour for the business, and raising Internal Suspicious Activity Reports (ISAR) with evidence, reporting to the compliance department for further investigation.
You'll need to be fluent in Dutch, English and French and live and perform your duties in the Netherlands. Know Your Customer (KYC) and Customer Due Diligence (CDD) experience is an advantage. Interested? Click here.
At Booking.com, data drives its decisions, technology is at its core and innovation is everywhere.
It is currently looking for a Senior Site Reliability Engineer to design, develop and implement systems software that improves the stability, scalability, availability and latency of the Booking.com products.
You'll need eight-plus years' experience with building, operating and maintaining complex and scalable systems, solid experience in at least one programming language (Java, Python, Go, Ruby or Perl) and a solid foundation in Linux administration and troubleshooting.
In return, you'll get the opportunity to contribute to a high-scale, complex, world-renowned product and see the real-time impact of your work on millions of travellers worldwide. Sounds good? Click here.
If you're interested in a new role this year, check out Euronews.jobs, set up alerts and bookmark the link for regular check-ins.
Visit link:
The rise of deepfakes in job interviews: Why we should be concerned - Euronews
How Water Labbu Exploits Electron-Based Applications – Trend Micro
We discovered that the Cobalt Strike instance added a persistence registry key to load an exploit file from an online code repository controlled by Water Labbu. The repository hosted multiple exploit files for CVE-2021-21220 (a Chromium vulnerability affecting versions before 89.0.4389.128) that execute a Cobalt Strike stager. It also contained files designed to target Meiqia (), a Chinese desktop-based live chat app for online customer support that is used on websites. MeiQia () was developed using ElectronJS, a framework that embeds the Chromium core, and is therefore exposed to Chromium's vulnerabilities.
We observed that many cryptocurrency scam websites that were compromised in this campaign also embedded Meiqia to provide an option for easy communication with potential victims. This association suggests that Water Labbu likely sends the exploit via the live chat box. To support this claim, we found an exploit HTML file sample containing a screenshot that looks like a withdrawal confirmation for cryptocurrency funds. If scammers open the exploit page in an old, vulnerable version of the Meiqia management client application, it's possible that they might get infected by Water Labbu.
The infection is initiated when the initial scammer (in essence, the victim) opens a weaponized webpage (likely sent to them via live chat). A recent research paper on Electron security demonstrated a successful exploitation of an Electron-based application using CVE-2021-21220. In this scenario, it leveraged cross-site scripting (XSS) techniques to force the exploit to be rendered in a window without sandboxing.
We found weaponized HTML pages created by Water Labbu that leverage the same Chromium vulnerability to attack the MeiQia application. The initial scammers used an old version of MeiQia, which might be vulnerable to exploits. Review of the code shows that old versions of MeiQia open external links inside their ElectronJS application and render the web page without sandboxing. The latest version of MeiQia is not vulnerable because it runs on a newer version of the Chromium core and opens external links not inside the ElectronJS app but via the default system web browser.
The weaponized HTML pages contain JavaScript that uses the User-Agent to identify whether the victim's environment is vulnerable. The script detects strings such as electron and x64 to discover Electron-based applications and x64 architecture. It also detects the strings 0.0.8 Chrome/83, s/0.0.7, or s/0.0.6 to identify whether it is running inside a vulnerable version of Chromium or the MeiQia application. If the User-Agent does not match, it will either redirect victims to the official MeiQia website or create a new iframe to load screenshots from banking or cryptocurrency transactions. It's likely that these are the lures Water Labbu used to communicate with the targeted cryptocurrency scam websites.
When the weaponized HTML pages detect a vulnerable target, they proceed with loading additional stages of the attack.
The last stage involves the creation and loading of a new script called tongji.js, which in Chinese means (to deliver a punishing attack). These files are hosted inside Water Labbu's code repository. The tongji.js script is JavaScript containing CVE-2021-21220 exploit code, with a shellcode that is a Cobalt Strike stager. The Metasploit module for this vulnerability is publicly available. Water Labbu reuses the available code and wraps it in one or more layers of obfuscation (sojson.v4, jsjiami.com.v5) before executing the custom shellcode.
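The User-Agent check described above is also the cheapest inventory signal a defender has: an Electron application announces both its Electron version and the Chromium build it embeds in every request. The following Python is an added example, not code from the article or from Trend Micro, that parses that token out of web-server access-log lines and flags Electron clients whose embedded Chromium predates the CVE-2021-21220 fix (89.0.4389.128, the build stated in the article). The log lines, addresses, application name and Electron versions are constructed for the example; `find_vulnerable_electron_clients` is a name chosen here.

```python
import re
from typing import Optional, Tuple

# Chromium build in which CVE-2021-21220 was fixed, as stated in the article
# (affected: versions before 89.0.4389.128).
FIXED_CHROMIUM = (89, 0, 4389, 128)

_CHROME_RE = re.compile(r"\bChrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")
_ELECTRON_RE = re.compile(r"\bElectron/(\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_chromium_version(user_agent: str) -> Optional[Tuple[int, ...]]:
    """Extract the four-part Chromium build from a User-Agent, or None if absent."""
    m = _CHROME_RE.search(user_agent)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def assess_user_agent(user_agent: str) -> dict:
    """Classify one User-Agent as a defender inventorying Electron clients would:
    is it Electron, which Chromium build does it embed, does that build predate the fix?"""
    chromium = parse_chromium_version(user_agent)
    electron = _ELECTRON_RE.search(user_agent)
    predates_fix = chromium is not None and chromium < FIXED_CHROMIUM
    return {
        "is_electron": electron is not None,
        "electron_version": electron.group(1) if electron else None,
        "chromium_version": ".".join(map(str, chromium)) if chromium else None,
        "is_x64": re.search(r"\b(x64|Win64|x86_64)\b", user_agent) is not None,
        # Any client on an old build is exposed; an Electron app is the worse case
        # because its Chromium only changes when the app itself is rebuilt.
        "chromium_predates_fix": predates_fix,
        "vulnerable_electron": predates_fix and electron is not None,
    }


def find_vulnerable_electron_clients(access_log: str) -> list:
    """Scan access-log lines (User-Agent is the last double-quoted field) and
    return (client_ip, chromium_version) for Electron clients on a pre-fix build."""
    hits = []
    for line in access_log.splitlines():
        quoted = re.findall(r'"([^"]*)"', line)
        if not line.strip() or not quoted:
            continue
        verdict = assess_user_agent(quoted[-1])
        if verdict["vulnerable_electron"]:
            hits.append((line.split()[0], verdict["chromium_version"]))
    return hits


# Constructed sample log (not real traffic): client addresses, the application
# token "sample-chat-client" and the Electron versions are made up for this example.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [01/Oct/2022:10:00:00 +0000] "GET /chat HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) sample-chat-client/0.0.8 Chrome/83.0.4103.122 Electron/9.4.4 Safari/537.36"
10.0.0.6 - - [01/Oct/2022:10:00:01 +0000] "GET /chat HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) sample-chat-client/1.2.0 Chrome/98.0.4758.109 Electron/17.1.2 Safari/537.36"
10.0.0.7 - - [01/Oct/2022:10:00:02 +0000] "GET /chat HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36"
10.0.0.8 - - [01/Oct/2022:10:00:03 +0000] "GET /chat HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) sample-chat-client/0.0.9 Chrome/89.0.4389.128 Electron/12.0.2 Safari/537.36"
"""

if __name__ == "__main__":
    for ip, version in find_vulnerable_electron_clients(SAMPLE_ACCESS_LOG):
        print(f"{ip}: Electron client embedding Chromium {version}, predates the CVE-2021-21220 fix")
```

Only the first constructed line is reported: the third line is a plain browser on 89.0.4389.114 (old, but not an Electron client and therefore reported separately by `chromium_predates_fix`), and the fourth is exactly the fixed build. Note that a User-Agent is client-supplied, so this is an inventory aid for your own application fleet, not proof of patch state.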
The embedded shellcode can either be a Cobalt Strike stager or a complex batch command capable of stealing credentials, and downloading and running other scripts and files.
Regardless if the embedded shellcode is the stager or the custom batch script, we noticed that the set of malicious operations that were being performed were largely the same:
1) Download and install Cobalt Strike
2) Steal cookies and other important files
3) Download and patch the MeiQia app
4) Download additional spying software
5) Provide information about the infection progress by communicating with the report-collecting server, among others
The Cobalt Strike stager is usually encrypted (XOR, AES), encoded (Base64, hexadecimal), and embedded into a Golang shellcode runner to make payload detection more difficult. The malware operator was likely inspired by this blog post.
It attempts to steal *.txt files on the Desktop, in Telegram Desktop, and MeiQia cookies in AppData\Roaming\com.meiqia.windows\cookies. These files are included in a specially crafted .html file and submitted to the information-collecting server with the help of headless Chrome (without visible UI) or Internet Explorer (if submission with Chrome fails). The specially crafted .html file contains one form, one text input with the computer name, and one text area with the stolen content. After the timeout expires, the script automatically submits the content to a typosquatting domain.
If Cobalt Strike has not been installed yet, it is downloaded and executed. The Golang shellcode runner is used as a form of obfuscation.
To learn more about the success or failure of the infection progress, parameters such as COMPUTERNAME and USERNAME are exfiltrated to the report-collecting server. In case of failure, the server may receive the following requests:
If the MeiQia app is not found, the error report with parameter a is sent. If the app is found and is unpatched, the error report with parameter b is sent. If the discretionary access control list (DACL) modification with icacls fails, the error report with parameter z is sent.
Meanwhile, another script checks if the process 360tray belonging to the 360 Total Security solution is running:
In some cases, we also noticed DNS and HTTP monitoring platforms such as ceye.io being used to collect information about the infection progress:
If necessary, this batch script will download a vulnerable version of Chrome (89.0.4389.114) and/or an already-patched MeiQia application from a repository found on a popular version control site. These files are downloaded and extracted to the infected system.
The script modifies the Run registry key for persistence, with the persistent command being chrome.exe --headless --no-sandbox --user-data-dir=
This script adds a certificate to the Trusted Root store via the certutil utility:
The script installs a certificate with the filename "mitmproxy-ca-cert.pem" into the Trusted Root store. Although we don't have the certificate file, it's likely that it was generated by the mitmproxy tool, judging by its file name.
It then modifies the AutoConfigURL setting in HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings. This setting lets a user specify which domains have their traffic forwarded through a proxy. With a malicious certificate installed in the trusted root store, an attacker is able to decrypt HTTPS-encrypted traffic and steal entered credentials.
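The three host-side steps just described (a Run-key value launching headless Chrome, a certutil import into the Root store, and an AutoConfigURL write) are each individually detectable from ordinary endpoint telemetry. The following Python is an added example, not code from the article or from Trend Micro, that encodes those observations as rules and runs them over constructed process-creation and registry-write events; the icacls rule reflects the DACL modification the article mentions. Event layout, hostnames, file paths, the proxy URL and the rule names are assumptions made for the example.

```python
import re
from typing import Dict, List

# Telemetry event shapes assumed for this example (constructed, not a real sensor schema):
#   {"type": "process",  "host": ..., "image": ..., "cmdline": ...}
#   {"type": "registry", "host": ..., "key": ..., "value": ..., "data": ...}
Event = Dict[str, str]


def _cmd(e: Event) -> str:
    return e.get("cmdline", "").lower()


def _key(e: Event) -> str:
    return e.get("key", "").lower().replace("hkey_current_user", "hkcu")


def _data(e: Event) -> str:
    return e.get("data", "").lower()


# rule name -> (severity, description, predicate)
RULES = {
    "run_key_headless_chrome": (
        "high",
        "Run-key persistence launching chrome.exe headless (the article's persistence command)",
        lambda e: e.get("type") == "registry"
        and _key(e).endswith(r"\currentversion\run")
        and "chrome.exe" in _data(e)
        and "--headless" in _data(e),
    ),
    "certutil_root_store_import": (
        "high",
        "certutil importing a certificate into the Root store (enables HTTPS interception)",
        lambda e: e.get("type") == "process"
        and "certutil" in e.get("image", "").lower()
        and re.search(r'-addstore\s+(-f\s+)?"?root"?', _cmd(e)) is not None,
    ),
    "autoconfigurl_set": (
        "high",
        "AutoConfigURL written under Internet Settings (proxy auto-config redirection)",
        lambda e: e.get("type") == "registry"
        and _key(e).endswith(r"\internet settings")
        and e.get("value", "").lower() == "autoconfigurl",
    ),
    "icacls_grant": (
        "low",
        "icacls granting permissions (legitimate in admin scripts, suspicious beside the rules above)",
        lambda e: e.get("type") == "process"
        and "icacls" in e.get("image", "").lower()
        and "/grant" in _cmd(e),
    ),
}


def detect(events: List[Event]) -> List[dict]:
    """Run every rule over every event; return one alert per (event, rule) match."""
    alerts = []
    for e in events:
        for name, (severity, description, predicate) in RULES.items():
            if predicate(e):
                evidence = e.get("cmdline") or f'{e.get("key")}\\{e.get("value")} = {e.get("data")}'
                alerts.append({"host": e.get("host"), "rule": name,
                               "severity": severity, "why": description, "evidence": evidence})
    return alerts


# Constructed sample telemetry (hostnames, paths and URL are placeholders).
SAMPLE_EVENTS: List[Event] = [
    {"type": "registry", "host": "ws-01", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r"chrome.exe --headless --no-sandbox --user-data-dir=C:\Users\Public\profile"},
    {"type": "process", "host": "ws-01", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -addstore Root C:\Users\Public\mitmproxy-ca-cert.pem"},
    {"type": "registry", "host": "ws-01", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings",
     "value": "AutoConfigURL", "data": "http://proxy.example.invalid/pac.js"},
    {"type": "process", "host": "ws-01", "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r"icacls C:\Users\Public\app /grant Everyone:F /T"},
    # benign noise that must not fire
    {"type": "registry", "host": "ws-02", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "process", "host": "ws-02", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -hashfile C:\Users\alice\setup.msi SHA256"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'[{a["severity"]}] {a["host"]} {a["rule"]}: {a["evidence"]}')
```

Four alerts fire on the constructed data and the two benign events stay quiet. The value of grouping these rules is correlation: any one of them has legitimate uses, but a Root-store import followed by an AutoConfigURL write on the same host is the interception setup the article describes.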
The additional scripts perform the following:
a) Hiding windows with the title windows update.
b) Downloading and running osmonitor, a tool for spying on victims and monitoring their behavior.
c) Patching the MeiQia app, either by downloading an already-patched app0.2.asar archive and replacing it, or by running a patcher script.
d) Restarting the MeiQia app to start the patched version.
e) Stealing *.txt and *.xl* files from Recent Files and *.lnk, *.txt, *.xl* files from the Desktop, and adding a list of processes and a list of active network connections before packing these into a zip archive and uploading it to an OS information-collecting server.
The process of patching MeiQia involves changing files in the app.asar archive. In our scenario, the .\modules\create-window.js file from the app.asar archive was modified. The modifications included:
a) Disabling auto updates
b) Setting fixed window sizes
c) Replacing the default URL (https://app.meiqia.com) with a malicious one
d) Embedding additional JavaScript files to be executed within the MeiQia application context
When victims open a new MeiQia window, the script injected into the internal function new-window will check the title of the web page. If the title doesn't contain the string (MeiQia), it will redirect victims to the official MeiQia website and execute additional JavaScript files within the page.
During our research, we discovered that many of the links used for loading additional scripts were no longer active. However, one of the links loading a script called apo.js ( = mother-in-law) from their code repository was still available.
If the title contains the Chinese string (dēng lù = login), the script will try to grab the value of the DOM elements with the IDs email and password and send the grabbed data to the remote server app[.]meiqiacontents[.]com. If the title contains the Chinese word (Mei), it will collect the website's cookies and send them to the same remote server.
When victims open a new window without specifying any URL to load, the new window will load the default URL of the application (APP_URL), which has also been replaced with a malicious URL hosted on the delivery server mmmm[.]whg7[.]cc. The delivery server will only respond when the User-Agent contains the string Electron, to ensure that the request was sent from an Electron application.
The request to the malicious URL receives a response that redirects to the MeiQia app's original default URL. At the same time, it creates a small new window to load another URL that performs several redirections before finally attempting to exploit CVE-2021-21220 to launch a Cobalt Strike stager.
Water Labbu registered the typosquatting domain name meiqla.com (compared to the legitimate meiqia.com). Although the website looks visually identical to the legitimate one, there is one noteworthy malicious feature.
Figure 14 shows how the function lc() reads the user-entered email and password and exfiltrates them to an information-recording PHP script before redirecting victims to the legitimate meiqia.com website.
Water Labbu is a dangerous new threat actor with a complex routine and infrastructure that isn't afraid to leverage the schemes of other scammers for its own ends, exploiting live chat applications on preexisting scam websites that were developed using the ElectronJS framework.
A key part of the threat actor's routine is the exploitation of a known Chromium vulnerability to target scammers who use an unpatched version of the MeiQia app. Given that users are dealing not only with the original scammer but with Water Labbu as well, we advise both individuals and organizations to update their applications and systems to the latest secure versions to prevent vulnerable software from being exploited and used in malicious ways.
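Both exfiltration domains in this section are lookalikes of the legitimate meiqia.com: one differs by a single character (meiqla.com), the other embeds the brand in a longer label (meiqiacontents.com). The following Python is an added example, not code from the article or from Trend Micro, that screens defanged indicators or hostnames from DNS or proxy logs against a brand label using edit distance and brand embedding, so that such domains surface for review before a credential form is ever submitted to them. The registrable-domain extraction is deliberately naive (last two labels, no public-suffix list), the allow-list and thresholds are assumptions, and `lookalike_reason` is a name chosen here.

```python
from typing import Dict, Optional

BRAND_LABEL = "meiqia"            # legitimate second-level label, from the article
LEGIT_DOMAINS = {"meiqia.com"}    # known-good registrable domains (assumed allow-list)


def refang(indicator: str) -> str:
    """Normalise a defanged indicator or URL ('app[.]x[.]com', 'https://h/path') to a hostname."""
    s = indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")
    if "://" in s:
        s = s.split("://", 1)[1]
    return s.split("/", 1)[0]


def registrable(hostname: str) -> str:
    """Last two labels. Assumption: no public-suffix handling (co.uk-style TLDs
    would need the Public Suffix List)."""
    labels = hostname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) by the usual dynamic-programming row sweep."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(indicator: str, brand: str = BRAND_LABEL, max_distance: int = 2) -> Optional[str]:
    """Return why a hostname looks like an impersonation of `brand`, or None if it does not."""
    reg = registrable(refang(indicator))
    if reg in LEGIT_DOMAINS:
        return None                       # legitimate domain or one of its subdomains
    label = reg.split(".")[0]
    if label == brand:
        return f"brand label on an unexpected TLD: {reg}"
    distance = levenshtein(label, brand)
    if distance <= max_distance:
        return f"typosquat of {brand} (edit distance {distance}): {reg}"
    if brand in label:
        return f"brand embedded in label: {reg}"
    return None


def triage(indicators) -> Dict[str, str]:
    """Map each flagged indicator to its reason; unflagged ones are omitted."""
    out = {}
    for ind in indicators:
        reason = lookalike_reason(ind)
        if reason:
            out[ind] = reason
    return out


# Indicators from the article plus constructed benign entries for contrast.
SAMPLE_INDICATORS = [
    "meiqla.com",
    "app[.]meiqiacontents[.]com",
    "https://app.meiqia.com/login",
    "mmmm[.]whg7[.]cc",
    "meiqia.net",                          # constructed: brand on another TLD
]

if __name__ == "__main__":
    for ind, why in triage(SAMPLE_INDICATORS).items():
        print(f"{ind}: {why}")
```

Three of the five sample indicators are flagged; the legitimate subdomain and the unrelated delivery host are not. The delivery server mmmm[.]whg7[.]cc shows the limit of the technique: infrastructure that makes no attempt to resemble the brand has to be caught by the behavioural rules, not by name.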
Read the first part of our Water Labbu series to learn more about how the threat actor compromises Dapps for their own purposes.
The indicators of compromise for this blog entry can be found here.
Read more here:
How Water Labbu Exploits Electron-Based Applications - Trend Micro