{"id":2270,"date":"2025-03-10T21:38:37","date_gmt":"2025-03-10T21:38:37","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2270"},"modified":"2025-03-10T21:38:37","modified_gmt":"2025-03-10T21:38:37","slug":"almost-1-million-business-and-home-pcs-compromised-after-users-visited-illegal-streaming-sites-microsoft","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2270","title":{"rendered":"Almost 1 million business and home PCs compromised after users visited illegal streaming sites: Microsoft"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Careless online surfing by employees continues to be the bane of CISOs trying to keep malware off their IT networks. The latest example of its consequences comes from Microsoft, which reports that in early December it detected a large-scale data theft campaign that leveraged GitHub, Discord, and Dropbox to distribute malware to nearly 1 million devices.<\/p>\n<p>The likely initial cause: People clicking on malicious ads posted on streaming websites hosting pirated videos.<\/p>\n<p>And while it might seem that ordinary users would be the victims, Microsoft reports that the campaign also impacted a wide range of organizations and industries, including both consumer and enterprise devices.<\/p>\n<p>The report not only shows that platforms like GitHub, Discord, and Dropbox have to tighten their security, say experts, but also that, as part of <a href=\"https:\/\/www.csoonline.com\/article\/1246117\/8-reasons-your-cybersecurity-training-program-sucks-and-how-to-fix-it.html\">security awareness training<\/a>, CISOs have to regularly remind employees of the risks, both when they are at work and at home, of going to websites that promise goodies.<\/p>\n<p>\u201cMalware spread by <a 
href=\"https:\/\/www.csoonline.com\/article\/567045\/what-is-malvertising-and-how-you-can-protect-against-it.html\">malicious advertising<\/a>, and GitHub being involved, is nothing new,\u201d said Roger Grimes, data-driven defense evangelist for awareness training provider KnowBe4. \u201cToday, it\u2019s almost business as usual. Any cybersecurity training should include education about how internet search engines and advertising can lead you to bad places. People have to know this reality. It has always been this way, but it\u2019s worse than ever.\u201d<\/p>\n<p>He noted that, even when a potential victim is led to a bad site, the user has to take some action, and often ignore multiple security warnings, to run the malware.<\/p>\n<p>\u201cThe malware doesn\u2019t just launch onto the person\u2019s device and start doing bad things, unless they are unpatched,\u201d he said. \u201cUsually, the user has to manually and actively allow the malware content to run (versus just displaying a web page). So, users must be made aware that malicious advertising exists, and that if they don\u2019t manually allow the content to run, usually they will be safe from it.\u201d<\/p>\n<p>For CISOs, the report shows how important it is to run an ad blocker as well as other defenses, said Johannes Ullrich, dean of research at the SANS Institute, and it\u2019s not just in case employees ignore company policy to stay away from unapproved websites. \u201cSadly,\u201d he said in an email, \u201cmalicious ads are still showing up on legitimate sites, too.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Campaigns have multiple stages<\/h2>\n<p>In this campaign, the majority of the malware distribution went through GitHub, and Microsoft, which owns GitHub, blunted the campaign by taking down the infected repositories there. 
But GitHub is not the only site to be abused in this way; Ullrich said it\u2019s a \u201cdifficult\u201d problem for all file-hosting sites.<\/p>\n<p>\u201cThe initial payload was a simple \u2018dropper\u2019. \u2018Droppers\u2019 are very simple software that downloads, decodes, and executes code,\u201d he noted. \u201cThey are not inherently malicious and are difficult to identify before they are used for malicious purposes. Maybe we hear more about GitHub compared to other file hosting sites because Microsoft is more proactive and public about shutting these repositories down.\u201d<\/p>\n<p>Security researchers have been reporting on threat actors\u2019 use of GitHub in particular for spreading malware, in part because it\u2019s a location trusted by application developers for grabbing open source code.<\/p>\n<p>In one of the most recent reports, <a href=\"https:\/\/www.kaspersky.com\/blog\/malicious-code-in-github\/53085\/\">last month Kaspersky said it found<\/a> a campaign by unknown threat actors to create over 200 GitHub repositories (\u201crepos\u201d) containing fake projects offering malicious code, including Telegram bots, tools for hacking the game Valorant, Instagram automation utilities, and Bitcoin wallet managers.<\/p>\n<p>That campaign has been going on for at least two years, Kaspersky said.<\/p>\n<p>And just over a year ago, <a href=\"https:\/\/apiiro.com\/blog\/malicious-code-campaign-github-repo-confusion-attack\/\">researchers at Apiiro reported finding<\/a> over 100,000 GitHub code repositories that impersonated legitimate repos, either through typo-squatting (giving a repository a name similar to a legitimate one) or by simply cloning an existing repo.<\/p>\n<p>These examples show another element of security awareness training: making sure developers understand the need to check the legitimacy of a repo before downloading code destined for a corporate application.<\/p>\n<p><a 
href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/03\/06\/malvertising-campaign-leads-to-info-stealers-hosted-on-github\/\">The recent Microsoft malvertising report<\/a> said infected illegal streaming websites embedded malvertising redirectors within movie frames to generate pay-per-view or pay-per-click revenue for the threat actor or actors. But part of the scheme involved victims being redirected several times to malicious GitHub repositories for the installation of first-stage payloads.<\/p>\n<p>As of mid-January 2025, the first-stage payloads discovered were digitally signed with a newly created certificate, Microsoft said. A total of twelve different certificates were identified, all of which have been revoked.<\/p>\n<p>Second-stage files were then used to discover what was on victim PCs and to exfiltrate system information. The malware may have included <a href=\"https:\/\/www.eset.com\/blog\/business\/lumma-stealer-a-fast-growing-infostealer-threat-1\/\">Lumma Stealer<\/a> and <a href=\"https:\/\/perception-point.io\/blog\/doenerium-malware\/\">Doenerium<\/a>. Various third-stage payloads were deployed, depending on the second-stage payload, for downloading additional files and stealing data.<\/p>\n<p>Depending on the initial payload, NetSupport, a remote monitoring and management (RMM) program, was also often deployed alongside the infostealer. Besides the information stealers, PowerShell, JavaScript, VBScript, and AutoIT scripts were run on the host. 
The threat actors incorporated use of living-off-the-land binaries and scripts (LOLBAS) such as <em>PowerShell.exe<\/em>, <em>MSBuild.exe<\/em> and <em>RegAsm.exe<\/em> to connect to command and control (C2) servers and to exfiltrate user data and browser credentials.<\/p>\n<p>Microsoft\u2019s defensive recommendations include strengthening endpoint detection, particularly to block malicious artifacts, and requiring the use of multifactor authentication for logins.<\/p>\n<h2 class=\"wp-block-heading\">Security awareness training is critical<\/h2>\n<p>To be effective, any security awareness and training program needs to recognize, and be tailored to, the way people really work with security in an organization, as part of creating a positive security culture, says the UK\u2019s National Cyber Security Centre.<\/p>\n<p>There are free resources to help organizations build a cybersecurity and privacy learning program. For example, the <a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-50r1.pdf\">US National Institute of Standards and Technology\u2019s (NIST) latest guidance<\/a> on the subject is an 87-page outline that notes that a plan needs measurements of success, such as employees\u2019 ability to recognize and report potential cybersecurity events and changes in employee behavior, and feedback throughout the year.<\/p>\n<p>\u201cCybersecurity and privacy awareness learning activities should be conducted on an ongoing basis throughout the year,\u201d it says in part, \u201cto ensure that employees are aware of their roles within the organization and the appropriate steps they must take to protect information, assets, and individuals\u2019 privacy.\u201d<\/p>\n<p>Examples of awareness activities that are appropriate for all users include:<\/p>\n<p>messages on logon screens, organizational screen savers, and email signature blocks;<\/p>\n<p>employee newsletters with cybersecurity and privacy 
articles;<\/p>\n<p>posters (physical or digital) with cybersecurity and privacy tips;<\/p>\n<p>a Cybersecurity Awareness Month (October) or Data Privacy Awareness Week (January) activity fair;<\/p>\n<p>cybersecurity and privacy reminders and tips on employee materials (e.g., pens, notepads, etc.);<\/p>\n<p>periodic or as-needed email messages that provide timely tips or are sent in response to a cybersecurity or privacy event or issue.\u00a0<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Careless online surfing by employees continues to be the bane of CISOs trying to keep malware off their IT networks. The latest example of its consequences comes from Microsoft, which reports that in early December it detected a large-scale data theft campaign that leveraged GitHub, Discord, and Dropbox to distribute malware to nearly 1 million [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2257,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2270","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2270"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2270"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2270\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2257"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?re
st_route=%2Fwp%2Fv2%2Fmedia&parent=2270"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2270"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2270"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}