Infosec in brief Scammers have been using Google’s own ad system to fool people into downloading a borked copy of the Chocolate Factory’s Authenticator software.
A team at security shop Malwarebytes spotted the adverts, which appear to come from a Google-approved domain – and from a verified user – earlier this week. They even list the domain for the download as google.com, as you can see below, even though the download actually comes from GitHub.
After clicking on the advert, users are redirected a number of times before landing on chromeweb-authenticators.com, hosting the fake app for download. Hosting the code on GitHub gives it an extra air of authenticity. While attribution is impossible, some of the code on the site is written in Russian.
“Some unknown individual was able to impersonate Google and successfully push malware disguised as a branded Google product as well,” reported Jérôme Segura, principal threat researcher at Malwarebytes.
“We should note that Google Authenticator is a well-known and trusted multifactor authentication tool, so there is some irony in potential victims getting compromised while trying to improve their security posture. We recommend avoiding clicking on ads to download any kind of software.”
AI-written emails now account for 40 percent of BEC cases
A study of messages used in the multi-billion-dollar business email compromise (BEC) fraud industry found that 40 percent are written by AI, according to threat hunters.
In its latest report, covering Q2 of this year, VIPRE Security scanned BEC messages using AI text detection software such as GPTZero, ZeroGPT, and Quillbot to spot the machine-written missives. Notably, the AI-generated messages were more accurate in spelling and grammar than those written by humans, we’re told.
Score one for the machines it seems.
CISA appoints first AI officer
In a further sign that the US is taking the potential threats from machine learning seriously, CISA has appointed its first chief artificial intelligence officer, Lisa Einstein.
This is an internal hire. Einstein has been with CISA, focusing on artificial intelligence, for the last two years – working on how to protect against machine-augmented attacks while also using the technology to scan for and address threats across both government and the private sector.
“If we succeed, the critical systems that Americans rely on every day will become safer, more reliable, and more capable,” she commented. “But we will only reap their benefits and avoid harms from their misapplication or abuse if we all work together to prioritize safety, security, and trustworthiness in the development and deployment of AI tools.”
Vulnerabilities topping the charts this week
After its recent corporate reshuffling, there were more woes for US software house ServiceNow.
CISA issued an alert that it was adding two bugs in ServiceNow’s Washington DC and Vancouver releases, with some earlier platforms also vulnerable, to its Known Exploited Vulnerabilities Catalog. The addition means federal agencies have until August 19 to have them patched.
The two vulnerabilities – CVE-2024-4879 and CVE-2024-5217 – have CVSS scores of 9.3 and 9.2 respectively; both are input validation issues in the Now platform that allow an unauthenticated user to run code remotely. ServiceNow has had patches out since June, but the CISA alert demonstrates that if you haven’t applied them yet, now is the time.
Also included in the catalog alert was a CVSS 9.8 vulnerability in older versions of Acronis Cyber Infrastructure – CVE-2023-45249. The platform has a default password issue that allows full remote code execution and, although patched in October 2023, is seeing enough criminal traffic to make a patch mandatory in government.
China attacks Taiwan(ese computing institute)
The APT41 group, believed to be a state-sponsored Chinese intrusion gang, has been going after Taiwanese targets using the ShadowPad trojan and Cobalt Strike penetration testing software, plus new tools written in basic Chinese, according to Cisco-affiliated Talos Intelligence.
“The victim in this attack was a research institute in Taiwan, affiliated with the government, that specializes in computing and associated technologies,” the Talos team wrote. “The nature of research and development work carried out by the entity makes it a valuable target for threat actors dedicated to obtaining proprietary and sensitive technologies.”
The campaign, spotted by the Cisco Talos team, has been going on for over a year and was uncovered after the team discovered “abnormal PowerShell commands” being sent to the institute. Early surveillance by the institute’s security staff led to the attacker going offline briefly and then trying again with new PowerShell commands and a unique malware tool targeting Microsoft COM for Windows exploiting CVE-2018-0824 – a remote code execution vulnerability.
Toronto cops cuff suspected SIM swappers
Canadian Mounties famously always get their man, but Toronto cops have also had a good week – arresting ten people who, it’s alleged, used SIM swapping to reap over $1 million in stolen funds.
The operation – dubbed Project Disrupt – also seized 400 pieces of fake ID, which were used to persuade staff at telcos and mobile phone shops to give the suspects access to other people’s accounts. Once control of a phone number had been transferred, the suspects are accused of hijacking bank accounts and credit cards.
The ten face charges of fraud, intercepting private communications, and possession of property obtained by crime. Two other suspects are considered on the run. ®