Researchers at Bitdefender have reported weaknesses in Google Workspace and Google Cloud Platform (centred on the Google Credential Provider for Windows, GCPW) which, once a single local machine has been compromised, could allow threat actors to extend their activities into a “chain reaction” network-wide breach, potentially leading to ransomware attacks or data exfiltration.
The researchers say that, for example, starting from a single compromised machine, threat actors could: “move to other cloned machines with GCPW installed, gain access to the cloud platform with custom permissions, or decrypt locally stored passwords to continue their attack beyond the Google ecosystem.”
Bitdefender says it “responsibly disclosed” its findings to Google, but that Google has confirmed it has “no plans” to address them because they fall outside Google’s threat model.
The advice to businesses is to strengthen detection and response capabilities (e.g. by investing in threat detection tooling that can identify and respond swiftly to unusual or unauthorised access attempts) and to have an incident response plan that covers local device compromise, since that is the starting point for the chain.
Research from Sharp shows that unsecured printers have been the cause of cyber-attacks at one in five European SMBs and at half of public sector organisations.
Despite the office printer being an under-the-radar weak spot for cyber-attacks such as phishing, malware, and computer viruses, fewer than a quarter of UK SMBs report educating their employees about either scanner or printer security.
Sharp reports that the most common printer weaknesses behind these attacks are the use of default passwords, unsecured network connections, and outdated firmware.
The advice to SMBs is to keep software for scanners and printers updated, regularly back up data, and to encourage a consistent security policy across teams working from multiple locations.
Threat detection company SlashNext has reported that in the 12 months since ChatGPT became publicly available, the number of malicious phishing emails has jumped 1,265 per cent, with credential phishing (a common first step in data breaches) seeing a 967 per cent increase.
SlashNext’s State of Phishing 2023 report notes that cybercriminals may have been leveraging LLM chatbots like ChatGPT to help write more convincing phishing emails and to launch highly targeted phishing attacks. Generative AI chatbots may also have lowered the barrier to entry for bad actors wanting to launch such campaigns, i.e. by giving less skilled cyber criminals the means to run more complex phishing attacks.
Businesses can safeguard against phishing attacks by taking measures such as educating employees to recognise fraudulent communications, enforcing strong password policies, using MFA, keeping software up-to-date and installing anti-phishing tools, and by having an effective incident response plan to mitigate damage from breaches.
It’s been reported that, following an apparent hack of online travel agency Booking.com’s email system, customers have been receiving phishing emails asking for their bank card details to avoid cancellation of their hotel booking.
The emails, which are reported to come from a standard booking.com email address, appear to target customers who have checked in or are due to check in, and although they vary slightly in content, they give customers a limited time (4 to 12 hours) to provide their card details in response to the fraudulent payment request.
It’s been reported that Booking.com denies having its own email hacked and attributes the breach to partner hotels’ email systems being compromised following phishing attacks against the hotels. The advice for those who have received the emails and are suspicious is to contact Booking.com’s customer service team, contact the hotel directly, or, if payment has already been made, to contact their bank.
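The lure described above has a recognisable shape: a short deadline measured in hours, a request for card or payment details, and a link that does not belong to the sender’s domain. The following is an added example (not code from Booking.com or from any of the reports cited here) of a simple mail-filter heuristic that scores a message on those three signals. The sample messages are constructed for the example, and the “registered domain” helper is a deliberately crude assumption (last two labels) rather than a public-suffix lookup.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Email:
    sender: str
    subject: str
    body: str


# Constructed samples modelled on the lure described above; these are not real messages.
SAMPLES = [
    Email("noreply@booking.com", "Action required: confirm your payment method",
          "Dear guest, your reservation at the hotel could not be verified. "
          "To avoid cancellation, please confirm your card details within 6 hours "
          "at https://booking-guest-verify.example/confirm"),
    Email("reservations@grandhotel.example", "Your stay next week",
          "Hi, looking forward to welcoming you on Monday. Check-in is from 3pm. "
          "Details: https://grandhotel.example/arrival"),
    Email("noreply@booking.com", "Booking confirmation",
          "Your booking is confirmed. Manage it at https://www.booking.com/mybooking"),
]

# Signal 1: a deadline expressed in hours ("within 6 hours").
DEADLINE_RE = re.compile(r"within\s+(\d{1,2})\s*hours?", re.I)
# Signal 2: a request for card / payment details.
CARD_RE = re.compile(
    r"\b(card\s+details|card\s+number|cvv|bank\s+card|payment\s+(?:details|method))\b", re.I)
# Any http(s) URL in the text.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def registered_domain(host: str) -> str:
    # Assumption: last two labels approximate the registrable domain.
    # Good enough for the constructed samples; use a public-suffix list in practice.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def score(email: Email) -> list[str]:
    """Return the list of phishing indicators found in the message."""
    reasons = []
    text = email.subject + " " + email.body

    m = DEADLINE_RE.search(text)
    if m and int(m.group(1)) <= 12:  # the reported lures used 4 to 12 hour deadlines
        reasons.append(f"deadline of {m.group(1)} hours")

    if CARD_RE.search(text):
        reasons.append("asks for card/payment details")

    # Signal 3: link host does not match the sender's domain.
    sender_dom = registered_domain(email.sender.split("@")[-1])
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if registered_domain(host) != sender_dom:
            reasons.append(f"link host {host} does not match sender domain {sender_dom}")
    return reasons


def is_suspicious(email: Email) -> bool:
    """Flag a message when at least two independent indicators are present."""
    return len(score(email)) >= 2


if __name__ == "__main__":
    for e in SAMPLES:
        print(e.subject, "->", is_suspicious(e), score(e))
```

Note the limitation this campaign illustrates: because the messages were sent from compromised partner-hotel accounts, the sender address itself looks legitimate, so only the deadline, the card request and the off-domain link carry signal. A filter like this narrows the problem; the out-of-band check the advice recommends (calling the hotel or Booking.com directly) is what actually settles it.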
As featured in a recent Wall Street Journal report, iPhone thieves are exploiting a security setting called the ‘recovery key’ to permanently lock owners out of their own iPhones and gain access to their financial apps.
The method, however, hinges first on ‘shoulder surfing’, i.e. looking over the iPhone user’s shoulder to capture the passcode, or finding a way to make the device’s owner share it. Once the passcode has been obtained, the thief uses it to change the Apple ID password, turn off “Find My iPhone” and set a new 28-character recovery key (a feature intended as a security measure), thereby locking the owner out of both the device and the Apple ID account.
The advice to iPhone owners is to use Face ID or Touch ID when unlocking the phone in public, set up an alphanumeric passcode that would be very difficult for thieves to figure out, consider using the iPhone’s Screen Time setting to set up a secondary password, and to regularly back up your iPhone via iCloud or iTunes.
Cyber threat intelligence company Cyble has highlighted in its recent threat report how ransomware activity has doubled compared with Q3 of the year, how it has been adapted to bypass common defence strategies, and how there has been increased weaponisation of vulnerabilities to deliver the ransomware.
Cyble identifies notable trends such as exploitation of zero-days, targeting of networking devices, a focus on the healthcare sector, the targeting of high-income organisations holding sensitive data, and the growing popularity of ransomware variants written in Rust and Go. Cyble also notes that the US is still the most targeted country and that major players like LockBit remain a threat.
The advice to businesses is to amplify employee training, establish strong incident response and data recovery plans, adopt security protocols like Zero-Trust Architecture and MFA, collaborate and utilise threat intelligence platforms, proactively manage vulnerabilities, and ensure secure supply chains and vendor risk management.
Researchers at Rapid7 have reported “possible mass exploitation” of vulnerabilities in Progress Software’s WS_FTP Server (a product for uploading files to, and downloading files from, a server).
Rapid7 reported that, from September 30, it has observed “multiple instances of WS_FTP exploitation in the wild”.
With secure file transfer technologies continuing to be popular targets for attackers, the advice is to update/upgrade to a patched version of WS_FTP Server such as 8.8.2.
Also, those using the Ad Hoc Transfer module in WS_FTP Server who cannot update to a fixed version are advised to consider disabling or removing the module, since it is the component the advisory singles out.
A severe browser security flaw, tracked as CVE-2023-4863 and subsequently also as CVE-2023-5129 (the latter since withdrawn as a duplicate of the first), has led to emergency updates for Google Chrome, Microsoft Edge, Mozilla’s Firefox, and Apple’s Safari.
The vulnerability is in libwebp, Google’s library for its WebP image format (designed to give better compression than e.g. JPEG or PNG), and it leaves any program that decodes WebP with the library, browsers included, open to attack via a crafted image.
The advice is to check that you have the most up-to-date browser version. For example, in Chrome, click on the three dots (top right), then Help > About Google Chrome to reveal the version number and trigger any pending update.
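Because the bug lives in the image decoder rather than in any one browser, responders often want to know which files on a mail server or in a CDN cache are WebP at all, and which of those use the lossless (VP8L) bitstream, the code path where CVE-2023-4863 was found. The following is an added triage example, written for this page and not taken from libwebp or any browser, that parses the RIFF/WebP container and the VP8L header with the standard library only. The two sample files are constructed inline (header bytes are real, the pixel payload is filler), and the parser deliberately decodes nothing beyond the headers.

```python
import struct

# ---- Constructed sample files (not real images; payload bytes are filler) ----

def _vp8l_header(width: int, height: int, alpha: bool = True, version: int = 0) -> bytes:
    # VP8L header: 1-byte signature 0x2f, then a 32-bit little-endian word holding
    # width-1 (14 bits), height-1 (14 bits), alpha_is_used (1 bit), version (3 bits).
    bits = (width - 1) | ((height - 1) << 14) | (int(alpha) << 28) | (version << 29)
    return b"\x2f" + struct.pack("<I", bits)


def _chunk(fourcc: bytes, payload: bytes) -> bytes:
    data = fourcc + struct.pack("<I", len(payload)) + payload
    if len(payload) % 2:
        data += b"\x00"  # RIFF chunks are padded to an even length
    return data


def _webp(chunks: list[bytes]) -> bytes:
    body = b"WEBP" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


SAMPLE_LOSSLESS = _webp([_chunk(b"VP8L", _vp8l_header(16, 8) + b"\x00" * 7)])
SAMPLE_LOSSY = _webp([_chunk(b"VP8 ", b"\x00" * 10)])
SAMPLE_NOT_WEBP = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8


# ---- Parser ----

def parse_webp(data: bytes) -> dict:
    """Walk the RIFF container and report chunk types; decode only the VP8L header."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a RIFF/WebP container")
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if riff_size + 8 != len(data):
        raise ValueError(f"RIFF size {riff_size} does not match file length {len(data)}")

    chunks = []
    pos = 12
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        payload = data[pos + 8:pos + 8 + size]
        if len(payload) != size:
            raise ValueError(f"truncated chunk {fourcc!r}")
        chunks.append((fourcc, payload))
        pos += 8 + size + (size & 1)  # skip padding byte for odd sizes

    info = {"chunks": [c for c, _ in chunks], "lossless": False,
            "width": None, "height": None, "alpha": None, "vp8l_version": None}
    for fourcc, payload in chunks:
        if fourcc == b"VP8L":
            if len(payload) < 5 or payload[0] != 0x2F:
                raise ValueError("malformed VP8L header")
            bits = struct.unpack_from("<I", payload, 1)[0]
            info.update(lossless=True,
                        width=(bits & 0x3FFF) + 1,
                        height=((bits >> 14) & 0x3FFF) + 1,
                        alpha=bool((bits >> 28) & 1),
                        vp8l_version=(bits >> 29) & 7)
        # VP8 (lossy), VP8X, ALPH, ANMF, ICCP, EXIF, XMP are listed but not decoded here.
    return info


def is_lossless_webp(data: bytes) -> bool:
    """True only for a well-formed WebP that carries a VP8L (lossless) bitstream."""
    try:
        return parse_webp(data)["lossless"]
    except ValueError:
        return False


if __name__ == "__main__":
    for name, blob in [("lossless", SAMPLE_LOSSLESS), ("lossy", SAMPLE_LOSSY)]:
        print(name, parse_webp(blob))
    print("png is lossless webp?", is_lossless_webp(SAMPLE_NOT_WEBP))
```

The parser checks the RIFF length and each chunk length before indexing, and rejects anything that does not add up, which is the behaviour you want from a triage tool that will be pointed at attacker-supplied files. It is an inventory aid only: the fix is still updating to a browser (or any other application) that ships a patched libwebp.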
It’s been reported that, according to a dark web victim blog run by the cybercrime gang ‘Donut’, Nottingham-based IT service provider Agilitas may have been the target of a ransomware attack.
Donut is reported to be claiming that it is in possession of source code and SQL databases belonging to Agilitas and is threatening to start posting the information on the dark web to force the company to meet its ransom demands.
This highlights how no business (even an IT service provider or security specialist) is immune to being targeted by cyber criminals. The advice to all businesses is to remain vigilant, continuously review and update their security controls, and educate their employees about the dangers of phishing and other cyber threats.
Microsoft has warned of a new phishing campaign from the “financially motivated” Storm-0324 threat actor which uses an open-source tool to send phishing lures through Microsoft Teams chats.
The goal is gaining access to corporate networks and enabling follow-on attacks such as ransomware, i.e. handing off access to compromised networks to other threat actors. The campaign leverages the open-source TeamsPhisher tool to attach files to Teams messages sent to external tenants.
Microsoft says it has rolled out improvements to better defend against the threat and has suspended the identified accounts. Microsoft also publishes a list of recommendations for hardening networks against Storm-0324 attacks on its website.