google - X-Industry - Red Sky Alliance (feed updated 2024-03-29T15:38:53Z) https://redskyalliance.org/xindustry/feed/tag/google
Risky Business in Google | https://redskyalliance.org/xindustry/risky-business-in-google | published 2024-01-26T12:50:00.000Z | Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)
<div><p><a href="{{#staticFileLink}}12366120476,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12366120476,RESIZE_400x{{/staticFileLink}}" width="250" alt="12366120476?profile=RESIZE_400x" /></a>Google continues to struggle with cybercriminals running malicious ads on its search platform to trick people into downloading booby-trapped copies of popular free software applications. The malicious ads, which appear above organic search results and often precede links to legitimate sources of the same software, can make searching for software on Google a dicey affair.</p>
<p>Google says keeping users safe is a top priority, and that the company has a team of thousands working around the clock to create and enforce their abuse policies. And by most accounts, the threat from bad ads leading to backdoored software has subsided significantly compared to a year ago.<a href="#_ftn1">[1]</a> But cybercrooks are constantly figuring out ingenious ways to fly beneath Google’s anti-abuse radar, and new examples of bad ads leading to malware are still too common.</p>
<p>For example, a Google search earlier this week for the free graphic design program FreeCAD produced the following result, which shows a “Sponsored” ad at the top of the search results advertising the software as available from freecad-us[.]org. Although this website claims to be the official FreeCAD website, that honor belongs to the result directly below it, the legitimate freecad.org.</p>
<p><a href="{{#staticFileLink}}12366121075,RESIZE_584x{{/staticFileLink}}"><img class="align-right" src="{{#staticFileLink}}12366121075,RESIZE_584x{{/staticFileLink}}" width="500" alt="12366121075?profile=RESIZE_584x" /></a>How do we know freecad-us[.]org is malicious? A review at DomainTools.com shows this domain is the newest (registered 19 January 2024) of more than 200 domains at the Internet address 93.190.143[.]252 that are confusingly similar to popular software titles, including dashlane-project[.]com, filezillasoft[.]com, keepermanager[.]com, and libreofficeproject[.]com.</p>
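The domains above share one construction: a real software brand glued to a generic filler token (“-us”, “soft”, “manager”, “project”), registered recently and parked on a single host. The following script, added here as an illustration and not code from the article or from DomainTools, turns that observation into a triage rule for a list of newly seen domains. The brand and filler lists are assumptions drawn from the domains quoted in the text, and every registration date other than freecad-us.org’s is constructed sample data.

```python
import re
from datetime import date

# Brands the article says are being spoofed (constructed list; extend it with
# the software titles your own users actually download).
BRANDS = {"freecad", "dashlane", "filezilla", "keeper", "libreoffice", "openai", "autocad"}

# Filler tokens that the quoted domains glue onto a brand name. This list is an
# assumption drawn from the domains in the article, not a published indicator set.
FILLER = {"us", "project", "soft", "manager", "download", "official", "app", "pro"}

# Constructed observations in the shape a WHOIS / DomainTools lookup would give:
# (domain, registration date). Dates other than freecad-us.org's are invented.
OBSERVED = [
    ("freecad-us.org", date(2024, 1, 19)),
    ("dashlane-project.com", date(2023, 3, 2)),
    ("filezillasoft.com", date(2023, 2, 10)),
    ("keepermanager.com", date(2023, 5, 5)),
    ("libreofficeproject.com", date(2023, 4, 1)),
    ("freecad.org", date(2002, 1, 1)),    # the legitimate site, for contrast
    ("example.com", date(1995, 8, 14)),   # unrelated domain
]


def second_level_label(domain):
    """'freecad-us.org' -> 'freecad-us'. Simplification: assumes a one-label TLD."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(domain, registered, today=date(2024, 1, 26)):
    """Decide whether a domain is a brand-plus-filler lookalike.

    A domain is flagged when its second-level label embeds a known brand and
    every leftover token (split on '-'/'_', or the glued remainder such as
    'soft' in 'filezillasoft') is filler. The exact brand label is never flagged.
    """
    sld = second_level_label(domain)
    result = {"domain": domain, "brand": None, "extra": [],
              "age_days": (today - registered).days, "lookalike": False}
    for brand in sorted(BRANDS, key=len, reverse=True):   # longest brand first
        if brand in sld:
            result["brand"] = brand
            remainder = sld.replace(brand, "", 1)
            result["extra"] = [t for t in re.split(r"[-_]", remainder) if t]
            break
    if result["brand"] is None or sld == result["brand"] or not result["extra"]:
        return result
    result["lookalike"] = all(t in FILLER for t in result["extra"])
    return result


def triage(observed, today=date(2024, 1, 26)):
    """Return flagged (domain, age_days) pairs, newest registration first,
    because a freshly registered lookalike is the one most likely to be the
    landing page of a currently running ad."""
    classified = [classify(d, r, today) for d, r in observed]
    flagged = [c for c in classified if c["lookalike"]]
    flagged.sort(key=lambda c: c["age_days"])
    return [(c["domain"], c["age_days"]) for c in flagged]


if __name__ == "__main__":
    for domain, age in triage(OBSERVED):
        print(f"{domain:28} registered {age} days ago")
```

The rule deliberately ignores the domains that contain a brand plus something unexpected (a lookalike with a new filler word is still worth a look, but it should go to a human, not to an automatic block list), and it never flags the bare brand label, so the legitimate freecad.org passes.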
<p>Some of the domains at this Netherlands host appear to be little more than software review websites that steal content from established information sources in the IT world, including Gartner, PCWorld, Slashdot and TechRadar.</p>
<p>Other domains at 93.190.143[.]252 do serve actual software downloads, but none of them are likely to be malicious if one visits the sites through direct navigation. If one visits openai-project[.]org and downloads a copy of the popular Windows desktop management application Rainmeter, for example, the file that is downloaded has the same exact file signature as the real Rainmeter installer available from rainmeter.com.</p>
<p>But this is only a ruse, says the principal threat researcher at the security firm Sentinel One. He has been tracking these malicious domains for more than a year, and he said the seemingly benign software download sites periodically turn evil, swapping out legitimate copies of popular software titles for backdoored versions that allow cybercriminals to remotely commandeer the systems. “They’re using automation to pull in fake content, and they’re rotating in and out of hosting malware,” the researcher said, noting that the malicious downloads may only be offered to visitors who come from specific geographic locations, such as the United States. “In the malicious ad campaigns we’ve seen tied to this group, they would wait until the domains gain legitimacy on the search engines, and then flip the page for a day or so and then flip back.”</p>
<p>In February 2023, the researcher co-authored a report on this same network, which Sentinel One has dubbed MalVirt (a play on “malvertising”). The report concluded that the surge in malicious ads spoofing various software products was directly responsible for a surge in malware infections from infostealer trojans such as IcedID, Redline Stealer, Formbook and AuroraStealer.</p>
<p>The spike in malicious software-themed ads came not long after Microsoft started blocking Office macros by default in documents downloaded from the Internet. The volume of the current malicious ad campaigns from this group appears to be relatively low compared to a year ago. “It appears to be the same campaign continuing,” he said. “Last January, every Google search for ‘Autocad’ led to something bad. Now, it’s like they’re paying Google to get one out of every dozen of searches. My guess it’s still continuing because of the up-and-down [of the] domains hosting malware and then looking legitimate.”</p>
<p>Several of the websites at this Netherlands host (93.190.143[.]252) are currently blocked by Google’s Safe Browsing technology and labeled with a conspicuous red warning saying the website will try to foist malware on visitors who ignore the warning and continue. But it remains a mystery why Google has not similarly blocked the 240+ other domains at this same host, or else removed them from its search index entirely, especially considering that nothing else is hosted at that Netherlands IP address and that all of these domains have remained there for the past year.</p>
<p>In response to questions from KrebsOnSecurity, Google said maintaining a safe ads ecosystem and keeping malware off of its platforms is a priority across Google. “Bad actors often employ sophisticated measures to conceal their identities and evade our policies and enforcement, sometimes showing Google one thing and users something else,” Google said in a written statement. “We’ve reviewed the ads in question, removed those that violated our policies, and suspended the associated accounts. We’ll continue to monitor and apply our protections.”</p>
<p>Google says it removed 5.2 billion ads in 2022, and restricted more than 4.3 billion ads and suspended over 6.7 million advertiser accounts. The company’s latest ad safety report says Google in 2022 blocked or removed 1.36 billion advertisements for violating its abuse policies.</p>
<p>Some of the domains referenced in this story were included in Sentinel One’s February 2023 report, but dozens more have been added since, such as those spoofing the official download sites for Corel Draw, Github Desktop, Roboform and Teamviewer.</p>
<p>An October 2023 report on the FreeCAD user forum came from a user who downloaded a copy of the software from freecadsoft[.]com after seeing the site promoted at the top of a Google search result for “freecad.” Almost a month later, another FreeCAD user reported getting stung by the same scam. “This got me,” FreeCAD forum user “Matterform” wrote on 19 November 2023. “Please leave a report with Google so it can flag it. They paid Google for sponsored posts.”</p>
<p>Sentinel One’s report didn’t delve into the “who” behind this ongoing MalVirt campaign, and there are precious few clues that point to attribution. All of the domains in question were registered through webnic.cc, and several of them display a placeholder page saying the site is ready for content. Viewing the HTML source of these placeholder pages shows many of the hidden comments in the code are in Cyrillic.</p>
<p>Trying to track the crooks using Google’s Ad Transparency tools didn’t lead far. The ad transparency record for the malicious ad featuring freecad-us[.]org (in the screenshot above) shows that the advertising account used to pay for the ad has only run one previous ad through Google search: It advertised a wedding photography website in New Zealand.</p>
<p>The apparent owner of that photography website did not respond to requests for comment, but it’s likely his Google advertising account was hacked and used to run these malicious ads.</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, a demo or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com</p>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></p>
<p>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></p>
<p>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></p>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://krebsonsecurity.com/2024/01/using-google-search-to-find-software-can-be-risky/#more-66169">https://krebsonsecurity.com/2024/01/using-google-search-to-find-software-can-be-risky/#more-66169</a></p></div>
New Malvertising Campaign | https://redskyalliance.org/xindustry/new-malvertising-campaign | published 2023-11-16T17:15:00.000Z | Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)
<div><p><a href="{{#staticFileLink}}12292775877,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12292775877,RESIZE_400x{{/staticFileLink}}" width="250" alt="12292775877?profile=RESIZE_400x" /></a>A new malvertising campaign has been found to employ fake sites that masquerade as a legitimate Windows news portal to propagate a malicious installer for a popular system profiling tool called CPU-Z. This incident is part of a larger malvertising campaign that targets other utilities such as Notepad++, Citrix, and VNC Viewer, as seen in its infrastructure (domain names) and in the cloaking templates used to avoid detection.</p>
<p>While malvertising campaigns are known to set up replica sites advertising widely used software, the latest activity marks a deviation in that the website mimics WindowsReport[.]com. The goal is to trick unsuspecting users searching for CPU-Z on search engines like Google by serving malicious ads that, when clicked, redirect them to the fake portal (workspace-app[.]online). At the same time, users who are not the intended victims of the campaign are served an innocuous blog with different articles, a technique known as cloaking.<a href="#_ftn1">[1]</a></p>
<p>The signed MSI installer hosted on the rogue website contains a malicious PowerShell script, a loader known as FakeBat (aka EugenLoader), which serves as a conduit to deploy RedLine Stealer on the compromised host. The threat actor may have chosen to create a decoy site resembling Windows Report because software utilities are often downloaded from such portals instead of from their official web pages.</p>
<p>This is far from the first time deceptive Google ads for popular software have turned out to be a malware distribution vector. Recently, cybersecurity investigators disclosed details of an updated Nitrogen campaign that paves the way for a BlackCat ransomware attack. Other campaigns show that the drive-by download method of directing users to dubious websites has been leveraged to propagate various malware families such as NetWire RAT, DarkGate, and DanaBot in recent months.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/blackcat-tools-impacket-remcom-1">https://redskyalliance.org/xindustry/blackcat-tools-impacket-remcom-1</a></p>
<p>The development comes as threat actors continue to increasingly rely on adversary-in-the-middle (AiTM) phishing kits such as NakedPages, Strox, and DadSec to bypass multi-factor authentication and hijack targeted accounts. In addition, researchers called attention to a new method dubbed the Wiki-Slack attack, a user-direction attack that aims to drive victims to an attacker-controlled website by defacing the end of the first paragraph of a Wikipedia article and sharing it on Slack. Specifically, it exploits a quirk in Slack that "mishandle[s] the whitespace between the first and second paragraph" to auto-generate a link when the Wikipedia URL is rendered as a preview in the enterprise messaging platform.</p>
<p>It is worth pointing out that a key prerequisite to pulling off this attack is that the first word of the second paragraph in the Wikipedia article must be a top-level domain (e.g., in, at, com, or net) and that the two paragraphs should appear within the first 100 words of the article.</p>
<p>With these restrictions, a threat actor could weaponize this behavior so that the preview Slack generates for the shared page points to a malicious link that, when clicked, takes the victim to a booby-trapped site. An actor without ethical guardrails could augment the attack surface of the Wiki-Slack attack by editing Wikipedia pages of interest to deface them.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://thehackernews.com/2023/11/new-malvertising-campaign-uses-fake.html">https://thehackernews.com/2023/11/new-malvertising-campaign-uses-fake.html</a></p></div>
APT38 Nabbed Hacking Security Researchers | https://redskyalliance.org/xindustry/apt38-nabbed-hacking-security-researchers | published 2023-09-16T13:10:00.000Z | Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)
<div><p><a href="{{#staticFileLink}}12224754080,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12224754080,RESIZE_400x{{/staticFileLink}}" width="250" alt="12224754080?profile=RESIZE_400x" /></a>Google’s threat hunting unit has again intercepted an active North Korean APT actor sliding into the DMs of security researchers and using zero-days and rigged software tools to take control of their computers. Google’s Threat Analysis Group (TAG) recently reported the government-backed hacking team’s social media accounts and warned that at least one actively exploited zero-day is in use and currently unpatched.<a href="#_ftn1">[1]</a></p>
<p>See: <a href="https://redskyalliance.org/xindustry/no-good-deed-goes-unpunished">https://redskyalliance.org/xindustry/no-good-deed-goes-unpunished</a></p>
<p>Using platforms like <strong>X</strong> (the successor to Twitter) as their initial point of contact, the North Korean threat actor cunningly forged relationships with targeted researchers through prolonged interactions and discussions. “In one case, they carried on a months-long conversation, attempting to collaborate with a security researcher on topics of mutual interest. After initial contact via X, they moved to an encrypted messaging app such as Signal, WhatsApp or Wire. Once a relationship was developed with a targeted researcher, the threat actors sent a malicious file that contained at least one 0-day in a popular software package,” a Google spokesman explained.</p>
<p>Google investigators did not identify the vulnerable software package. They said the zero-day exploit was used to plant shellcode that conducts a series of anti-virtual-machine checks and then sends the collected information, along with a screenshot, back to an attacker-controlled command-and-control domain. “The shellcode used in this exploit is constructed in a similar manner to shellcode observed in previous North Korean exploits,” the researchers noted, adding that the security defect has been reported to the affected vendor and is in the process of being patched.</p>
<p>North Korean hackers have been involved in a broad scheme to steal money from banks and conduct cyberattacks targeting the entertainment industry. The hackers have used increasingly sophisticated techniques to gain access to digital networks involved in cyberfinance and to steal information useful for North Korea's nuclear and ballistic missile programs. The FBI has blamed North Korean hackers for stealing over $600 million in cryptocurrency from a video gaming company. The North Korean hackers are known as the Lazarus Group, and little is known about them.<a href="#_ftn2">[2]</a></p>
<p>See: <a href="https://redskyalliance.org/xindustry/lazarus-group-is-back-with-more-malware">https://redskyalliance.org/xindustry/lazarus-group-is-back-with-more-malware</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.securityweek.com/rigged-software-and-zero-days-north-korean-apt-caught-hacking-security-researchers/">https://www.securityweek.com/rigged-software-and-zero-days-north-korean-apt-caught-hacking-security-researchers/</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-108a">https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-108a</a></p></div>
New Phishing Lure: using Google Looker | https://redskyalliance.org/xindustry/new-phishing-lure-using-google-looker | published 2023-09-14T16:50:00.000Z | Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)
<div><p><a href="{{#staticFileLink}}12223227086,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12223227086,RESIZE_400x{{/staticFileLink}}" width="250" alt="12223227086?profile=RESIZE_400x" /></a>Cybersecurity investigators are warning of a new type of phishing attack that abuses Google Looker Studio to bypass protections. Google Looker Studio<a href="#_ftn1">[1]</a> is a legitimate online tool for creating customizable reports, including charts and graphs that can be easily shared with others. Looker Studio, formerly Google Data Studio, is an online tool for converting data into customizable informative reports and dashboards; Google introduced it on 15 March 2016 as part of the enterprise Google Analytics 360 suite.<a href="#_ftn2">[2]</a></p>
<p>As part of the observed attacks, threat actors are using Google Looker Studio to create fake crypto pages that are then delivered to the intended victims in emails sent from the legitimate tool itself. The message contains a link to the fake report, claiming to provide the victim with information on investment strategies that would lead to significant returns.</p>
<p>The recipient is lured into clicking on the provided link, which redirects to a legitimate Google Looker page, hosting a Google slideshow claiming to provide instructions on how the recipient could receive more cryptocurrency. The victim is then taken to a login page where they are shown a warning that they need to log into their account immediately, or risk losing access to it. This page, however, is designed to steal the provided credentials.</p>
<p>The recent analysis shows that the attack passes the email authentication checks meant to prevent spoofing. The sender’s IP address is listed as authorized (SPF) for a google.com subdomain. The message also passes DKIM, which detects tampering with message contents in transit, and DMARC, because these verifications are automatically evaluated for the domain google.com; and even if those checks were to fail, the result is that no action is taken.</p>
<p>This is a long way of saying that hackers are leveraging Google’s authority. An email security service will look at all these factors and have a good deal of confidence that it is not a phishing email, and that it comes from Google. And it does! Because the attack is nested so deep, all the standard checks will pass with flying colors.</p>
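The passage above is the crux of the campaign: every authentication check genuinely passes, because the message really is sent by Google. The script below, added here as an illustration and not code from the article or from the researchers cited, shows why with a minimal DMARC relaxed-alignment evaluator, and then shows the only thing a mail gateway has left once authentication says “genuine”: the content. The message, its addresses, the report id and the phrase lists are all constructed assumptions shaped after the description above, not observed values.

```python
import re

# --- constructed message, modelled on the campaign described above --------
# Sender, Return-Path and DKIM domains are google.com (as the article states);
# the concrete subdomain, body text and report id are placeholders.
MESSAGE = {
    "from_domain": "google.com",                      # RFC5322.From domain
    "spf": ("pass", "notifications.google.com"),      # (result, RFC5321.MailFrom domain)
    "dkim": ("pass", "google.com"),                   # (result, d= tag of the signature)
    "body": (
        "A report has been shared with you: 'Crypto investment strategies'.\n"
        "Log in immediately or you risk losing access to your account.\n"
        "https://lookerstudio.google.com/reporting/EXAMPLE-REPORT-ID\n"
    ),
}

# Phrases typical of the lure the article describes. Constructed heuristic lists.
PRESSURE_PHRASES = ["log in immediately", "risk losing access", "losing access to"]
INVESTMENT_PHRASES = ["crypto", "investment strateg", "returns"]


def org_domain(fqdn):
    """Organizational domain used for DMARC 'relaxed' alignment.
    Simplification: the last two labels. Real evaluators consult the Public Suffix List."""
    labels = fqdn.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def dmarc_evaluate(from_domain, spf, dkim):
    """Relaxed DMARC alignment: pass if SPF passed and the MailFrom domain shares an
    organizational domain with From:, or DKIM passed with an aligned d= domain.
    This is exactly why a google.com subdomain authorized by SPF aligns with From: google.com."""
    spf_result, mailfrom = spf
    dkim_result, d_tag = dkim
    spf_aligned = spf_result == "pass" and org_domain(mailfrom) == org_domain(from_domain)
    dkim_aligned = dkim_result == "pass" and org_domain(d_tag) == org_domain(from_domain)
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


def content_signals(body):
    """Signals that only the content can give once authentication says 'genuine'."""
    text = body.lower()
    flags = []
    if any(p in text for p in PRESSURE_PHRASES):
        flags.append("urgency")
    if any(p in text for p in INVESTMENT_PHRASES):
        flags.append("investment-lure")
    hosts = re.findall(r"https?://([^/\s<>\"']+)", body)
    if hosts:
        # The link host is Google's own, so URL reputation will not help either.
        flags.append("links:" + ",".join(sorted(set(hosts))))
    return flags


def triage(message):
    """Combine the authentication verdict with content signals into one decision."""
    auth = dmarc_evaluate(message["from_domain"], message["spf"], message["dkim"])
    flags = content_signals(message["body"])
    if auth["dmarc"] != "pass":
        verdict = "authentication-failed"
    elif {"urgency", "investment-lure"} <= set(flags):
        verdict = "authenticated-but-suspicious"   # route to a human or quarantine
    else:
        verdict = "pass"
    return {"auth": auth, "flags": flags, "verdict": verdict}


if __name__ == "__main__":
    print(triage(MESSAGE))
```

The practical takeaway is the verdict name: a DMARC pass is a statement about who sent the message, never about what the shared document asks the reader to do, so a rule for notification senders from shared-document services has to weigh the content separately rather than short-circuit on the authentication result.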
<p>The researchers note that, while these protections will likely fail in this attack, the recipients’ vigilance might save the day. The campaign has been ongoing for several weeks. Google was informed of these attacks on 22 August 2023.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://lookerstudio.google.com/u/0/navigation/reporting%C2%A0">https://lookerstudio.google.com/u/0/navigation/reporting </a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.securityweek.com/new-phishing-campaign-launched-via-google-looker-studio/">https://www.securityweek.com/new-phishing-campaign-launched-via-google-looker-studio/</a></p></div>
OSS &amp; Cybersecurity Issues | https://redskyalliance.org/xindustry/oss-cybersecurity-issues | published 2023-08-25T16:00:00.000Z | Jim McKee (https://redskyalliance.org/members/JimMcKee)
<div><p><a href="{{#staticFileLink}}12201646682,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12201646682,RESIZE_400x{{/staticFileLink}}" width="250" alt="12201646682?profile=RESIZE_400x" /></a>The Internet runs on open-source software (OSS). It is probably fair to say that open source is everywhere. The Linux kernel, one of the building blocks of open source, is embedded in everything from most supercomputers, cloud computing, billions of phones, and most operating systems. “Open Source” software, as its name suggests, is available to anyone, and it poses a particular challenge in tracking what is happening at all times. This, in turn, leads to the potential for unique and serious cybersecurity vulnerabilities.<a href="#_ftn1">[1]</a></p>
<p>While proprietary code (not freely available on the internet) is not inherently more secure than open-source code (which is freely available), open source poses some familiar cybersecurity challenges. As the name suggests, it is open, allowing hackers or other bad actors to infiltrate. Some reports suggest 70%-90% of any “software stack” consists of third-party code. The SolarWinds breach is an example of how, once bad actors implant malware in what appears to be legitimate software and updates are distributed, that software can result in the mass dissemination of malware.</p>
<p>Vulnerabilities range widely, but two include failing to manage library dependencies (by keeping dependencies up to date, developers can take advantage of bug fixes, security patches, new features, and reduce security vulnerabilities) and bad-faith actors (people that intentionally break into systems, or contributors intentionally changing the software to be exploitable).</p>
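The first of the two vulnerability classes above, unmanaged library dependencies, is the one a development team can check mechanically: compare every pinned dependency against an advisory feed, and treat an unpinned dependency as a finding in its own right because it cannot be audited reliably. The script below is an added illustration of that check, not code from the article or from any real audit tool; the lockfile, the package names and the advisory identifiers are all constructed placeholders and do not refer to real software or real vulnerabilities. Real feeds such as OSV use the same introduced/fixed range shape, which is why the range check is written that way.

```python
import re

# Constructed pinned-dependency lockfile with fictitious package names.
LOCKFILE = """\
# generated lockfile (constructed example)
parsekit==2.3.1
netclient==1.8.0
yamlish==0.9.7
renderlib>=3.0      # not pinned: cannot be audited reliably
"""

# Constructed advisory feed. IDs and packages are placeholders, not real
# vulnerability records. 'fixed': None means no fixed release exists yet.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "parsekit", "introduced": "2.0.0", "fixed": "2.3.2"},
    {"id": "EXAMPLE-ADV-0002", "package": "netclient", "introduced": "1.0.0", "fixed": "1.7.5"},
    {"id": "EXAMPLE-ADV-0003", "package": "yamlish", "introduced": "0.0.0", "fixed": None},
]

# name, comparison operator, version (pip-style requirement lines)
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|>|<)\s*([0-9][0-9A-Za-z.\-]*)")


def parse_version(v):
    """'1.26.5' -> (1, 26, 5, 0); zero-padded so '5.4' < '5.4.1'. Numeric parts only."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def parse_lockfile(text):
    """Return {'pinned': {name: version}, 'unpinned': [name, ...]}."""
    pinned, unpinned = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            continue
        name, op, ver = m.group(1).lower(), m.group(2), m.group(3)
        if op == "==":
            pinned[name] = ver
        else:
            unpinned.append(name)
    return {"pinned": pinned, "unpinned": unpinned}


def affected(version, advisory):
    """True when introduced <= version < fixed (or no fix exists yet)."""
    v = parse_version(version)
    lo = parse_version(advisory["introduced"])
    hi = parse_version(advisory["fixed"]) if advisory["fixed"] else None
    return lo <= v and (hi is None or v < hi)


def audit(lock_text, advisories):
    """Match pinned versions against advisory ranges and report unpinned packages."""
    lock = parse_lockfile(lock_text)
    findings = []
    for adv in advisories:
        ver = lock["pinned"].get(adv["package"])
        if ver is not None and affected(ver, adv):
            action = f"upgrade to {adv['fixed']}" if adv["fixed"] else "no fix released; remove or mitigate"
            findings.append({"package": adv["package"], "version": ver,
                             "advisory": adv["id"], "action": action})
    for name in lock["unpinned"]:
        findings.append({"package": name, "version": None, "advisory": None,
                         "action": "pin an exact version so it can be audited"})
    return findings


if __name__ == "__main__":
    for f in audit(LOCKFILE, ADVISORIES):
        print(f"{f['package']:10} {f['version'] or '-':8} {f['advisory'] or '-':18} {f['action']}")
```

Running this in CI on every lockfile change is the cheap half of “keeping dependencies up to date”; the expensive half, deciding whether the fixed release changes behaviour your code relies on, still needs a human and a test suite.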
<p>The military, the US Cybersecurity and Infrastructure Security Agency (CISA), Google, and DARPA are concerned about this. According to a report in a 2022 issue of MIT Technology Review, “Much of modern civilization now depends on an ever-expanding corpus of open source code because it saves money, attracts talent, and makes a lot of work easier.”</p>
<p>While the open-source movement has opened an ecosystem we depend on, experts say we do not fully understand it. The MIT Technology Review report says, “There are countless software projects, millions of lines of code, numerous mailing lists and forums, and an ocean of contributors whose identities and motivations are often obscure, making it hard to hold them accountable.”</p>
<p>None of this seems to have slowed the rush to open source. A recent report from the Linux Foundation and The Laboratory for Innovation Science at Harvard estimated that OSS comprises 80-90% of any given software package; this number is likely to continue to grow. Red Hat’s “The State of Enterprise Open Source” report found that “79% of respondents expect that over the next two years, their organization will increase the use of enterprise open source software for emerging technologies.” In the past two decades, companies have used open-source code with increasing frequency, and companies are increasingly contributing to open-source projects that they use, even collaborating with competitors.</p>
<p>Clear guidelines exist for best practices related to any secure software, open or otherwise, including code reviews, scanning for vulnerabilities, visibility into the system, knowing the attack surface, having zero-trust architecture, and red teaming. These are just some ways code, packages, and systems can be evaluated for security. Ultimately, security requires an in-depth knowledge of the system and how the various parts interact.</p>
<p>The key advantage of open-source software is that the source code is available for inspection by anyone. According to Netsec.news, “anyone can check the code to see if best practices have been followed and if the coding is sloppy. Importantly, it is possible to see exactly what the software does with open source. Suppose the source code cannot be checked [such as proprietary software]. In that case, there is no alternative other than to trust that developers have been diligent, and the company has not incorporated code that performs hidden functions from the user.” Having a large and active community of users is a vulnerability, but it also means that with the volume of people looking for security gaps, potential issues are quickly identified.</p>
<p>Knarik Petrosyan, writing for Security Boulevard, reports that businesses use third-party open-source software because it is more cost-effective and flexible than paid-for development solutions. Most organizations use some form of community-borne software, even without knowing it. It can increase the speed of development and decrease the costs. Petrosyan says, “Created voluntarily, OSS has code available for public inspection, modification, and enhancement. It’s used for various processes and tools, often to augment in-house proprietary code.” Corporations, from the smallest to the largest, have used OSS.</p>
<p>A 2021 MIT Technology Review article posed an important question: “If the internet runs on free, open-source software, who is paid to fix it?” Volunteer-run projects like Log4J keep the internet running. The result is unsustainable burnout and a national security risk when they go wrong. The Log4J project is an open-source tool used widely to record activity inside various types of software. It helps run applications from iCloud to Twitter.</p>
<p>Although Log4J has been a crucial piece of internet infrastructure, its vulnerability is extremely easy to exploit. The situation was made more complicated because the project was founded as a volunteer effort.</p>
<p>Early attacks came from kids who passed malicious code on Minecraft servers. Hackers, including some linked to China and Iran, seek to exploit the vulnerability in any machine they can find that is running the flawed code. Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), has said this is “one of the most serious flaws” she’s ever seen. Developer Filippo Valsorda at Google echoed these concerns, stating, “Open-source runs the internet and, by extension, the economy…it is extremely common even for core infrastructure projects to have a small team of maintainers or even a single maintainer that is not paid to work on that project.”</p>
<p>As reported in the July 2022 MIT Technology Review, DARPA, the US military’s research arm, is working to understand the collision of code and community that makes open-source projects work. The idea behind the project is to find out more about how the system functions and predict potential risks better. To this end, DARPA’s “SocialCyber” program is an 18-month-long, multimillion-dollar project combining sociology with recent technological advances in artificial intelligence to map, understand, and protect these massive open-source communities and the code they create. According to the Review, “It’s different from most previous research because it combines automated analysis of both the code and the social dimensions of open-source software.”</p>
<p>In that same July 2022 MIT Technology Review report, Sergey Bratus, the DARPA program manager behind the project, said, “The open-source ecosystem is one of the grandest enterprises in human history.” Open-source software is inextricably linked to critical infrastructure, and Bratus said that open source underpins “The systems that run our industry, power grids, shipping, transportation.”</p>
<p>This is a special concern for the military because our adversaries could write critical code, and the stakes of possible security breaches are incredibly high.</p>
<p>To try and get a handle on this problem, DARPA, through the SocialCyber Program, has contracted with multiple teams of what it calls “performers,” including small, boutique cybersecurity research shops with deep technical chops. One such performer is New York–based Margin Research, which has assembled a team of well-respected researchers. “There is a desperate need to treat open-source communities and projects with a higher level of care and respect,” said Sophia d’Antoine, the firm’s founder.</p>
<p>Margin's work maps out who is working on which specific parts of open-source projects. For example, Huawei is currently the biggest contributor to the Linux kernel. Another contributor works for Positive Technologies, a Russian cybersecurity firm that, like China’s Huawei, has been sanctioned by the US government. In many cases, open-source software that we all depend on is run by one or two volunteers. This makes much existing infrastructure very fragile: it depends on open source, and the software at its base could be run by someone who quits one day. That happened in 2018, when a developer behind a popular open-source project called UA-Parser-JS quit, unwilling to work for free anymore. The software was later hijacked by malicious actors who inserted critical vulnerabilities into it.</p>
<p>Users have created this illusion of trust around open-source software and its code. As the military, governments, and others are now just realizing, we assume it (open source) will always be there because it’s always been there. D'Antoine from Margin Research said, “The government is only just realizing that our critical infrastructure is running code that could be being written by sanctioned entities. Right now.”</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com</p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.cybersecurityintelligence.com/blog/whats-the-problem-with-open-source-software-and-cybersecurity-7098.html">https://www.cybersecurityintelligence.com/blog/whats-the-problem-with-open-source-software-and-cybersecurity-7098.html</a></p></div>Chrome Woeshttps://redskyalliance.org/xindustry/chrome-woes2023-07-21T12:00:00.000Z2023-07-21T12:00:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><strong><a href="{{#staticFileLink}}12157544284,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12157544284,RESIZE_400x{{/staticFileLink}}" alt="12157544284?profile=RESIZE_400x" width="200" /></a>Chrome Woes</strong></p>
<p>Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the internet. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.<a href="#_ftn1">[1]</a></p>
<p>There are currently no reports of these vulnerabilities being exploited in the wild.</p>
<p>Systems Affected:</p>
<ul>
<li>Google Chrome versions prior to 115.0.5790.98/99 for Windows.</li>
<li>Google Chrome versions prior to 115.0.5790.98 for Mac and Linux.</li>
</ul>
<p>Details of these vulnerabilities are as follows:</p>
<p>Tactic: Initial Access (TA0001):<br /> Technique: Drive-By Compromise (T1189):</p>
<ul>
<li>Use after free in WebRTC (CVE-2023-3727, CVE-2023-3728)</li>
<li>Use after free in Tab Groups (CVE-2023-3730)</li>
<li>Out of bounds memory access in Mojo (CVE-2023-3732)</li>
<li>Inappropriate implementation in WebApp Installs (CVE-2023-3733)</li>
<li>Inappropriate implementation in Picture In Picture (CVE-2023-3734)</li>
<li>Inappropriate implementation in Web API Permission Prompts (CVE-2023-3735)</li>
<li>Inappropriate implementation in Custom Tabs (CVE-2023-3736)</li>
<li>Inappropriate implementation in Notifications (CVE-2023-3737)</li>
<li>Inappropriate implementation in Autofill (CVE-2023-3738)</li>
<li>Insufficient validation of untrusted input in Themes (CVE-2023-3740)</li>
</ul>
<p>Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.</p>
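<p>The affected-version list above is easy to get wrong in an asset-inventory script, because Chrome version strings do not sort correctly as text ("115.0.5790.100" sorts before "115.0.5790.98"). The following Python is an added example, not code from this article or from the CIS advisory it summarizes: it parses reported Chrome versions as integer tuples and compares them against the fixed builds quoted in the advisory. The hostnames and inventory rows are constructed sample data, and the platform keys are an assumption of the example.</p>

```python
"""Flag Chrome installs older than the fixed builds named in the advisory.

Added example: not the article's or the CIS advisory's own code.
Fixed builds quoted from the advisory text:
  Windows:     115.0.5790.98 (a parallel .99 build was also shipped)
  Mac / Linux: 115.0.5790.98
Chrome versions are MAJOR.MINOR.BUILD.PATCH; comparing integer tuples
avoids the string-sort trap where ".100" looks older than ".98".
"""
import re
from typing import Dict, List, Tuple

# Minimum patched version per platform (values from the advisory; the
# platform key names are the example's own convention).
FIXED_VERSIONS: Dict[str, str] = {
    "windows": "115.0.5790.98",
    "mac": "115.0.5790.98",
    "linux": "115.0.5790.98",
}

_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_chrome_version(version: str) -> Tuple[int, ...]:
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of four ints.

    Raises ValueError for anything that is not four dotted integers, so a
    garbled or truncated inventory record is reported instead of being
    silently treated as patched.
    """
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_chrome_vulnerable(version: str, platform: str) -> bool:
    """True when `version` is older than the advisory's fixed build for `platform`."""
    key = platform.strip().lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_chrome_version(version) < parse_chrome_version(FIXED_VERSIONS[key])


# Constructed sample inventory rows (hostname, platform, reported version);
# these are not real hosts.
SAMPLE_INVENTORY = [
    ("ws-001", "Windows", "114.0.5735.199"),
    ("ws-002", "Windows", "115.0.5790.98"),
    ("ws-003", "Windows", "115.0.5790.99"),
    ("mac-001", "Mac", "115.0.5790.97"),
    ("lx-001", "Linux", "116.0.5845.96"),
    ("ws-004", "Windows", "115.0.5790"),  # truncated record
]


def triage_inventory(rows) -> Tuple[List[str], List[str]]:
    """Return (hosts that need the update, hosts whose version could not be parsed)."""
    needs_update: List[str] = []
    unparseable: List[str] = []
    for host, platform, version in rows:
        try:
            if is_chrome_vulnerable(version, platform):
                needs_update.append(host)
        except ValueError:
            unparseable.append(host)
    return needs_update, unparseable


if __name__ == "__main__":
    stale, broken = triage_inventory(SAMPLE_INVENTORY)
    print("needs update:", stale)   # ['ws-001', 'mac-001']
    print("unparseable:", broken)   # ['ws-004']
```

<p>Unparseable records are returned separately rather than dropped, since a host whose version cannot be read is exactly the host that should be examined by hand before it is assumed to be patched.</p>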
<p>Researchers recommend the following actions be taken:</p>
<ul>
<li>Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing. (M1051: Update Software)</li>
<li>Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.</li>
<li>Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.</li>
<li>Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.</li>
<li>Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.</li>
<li>Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)</li>
<li>Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.</li>
<li>Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.</li>
<li>Restrict execution of code to a virtual environment on or in transit to an endpoint system. (M1048: Application Isolation and Sandboxing)</li>
<li>Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)</li>
<li>Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.</li>
<li>Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)</li>
<li>Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.</li>
<li>Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.</li>
<li>Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.</li>
<li>Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources. Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources. (M1017: User Training)</li>
<li>Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.</li>
<li>Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.</li>
</ul>
<p>Reference CVEs:</p>
<ul>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3727">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3727</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3728">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3728</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3730">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3730</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3732">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3732</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3733">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3733</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3734">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3734</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3735">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3735</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3736">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3736</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3737">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3737</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3738">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3738</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3740">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3740</a></li>
</ul>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-google-chrome-could-allow-for-arbitrary-code-execution_2023-082">https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-google-chrome-could-allow-for-arbitrary-code-execution_2023-082</a></p></div>G-Android OS Could Allow for Remote Code Executionhttps://redskyalliance.org/xindustry/g-android-os-could-allow-for-remote-code-execution2023-07-07T18:40:00.000Z2023-07-07T18:40:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}12131314470,RESIZE_192X{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12131314470,RESIZE_192X{{/staticFileLink}}" alt="12131314470?profile=RESIZE_192X" width="185" /></a>Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Successful exploitation of the most severe of these vulnerabilities could allow for privilege escalation. Depending on the privileges associated with the exploited component, an attacker could then install programs; view, change, or delete data; or create new accounts with full rights.</p>
<p>There are reports of vulnerabilities CVE-2023-26083, CVE-2021-29256, and CVE-2023-2136 being exploited in the wild.<a href="#_ftn1">[1]</a></p>
<p>Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution in the context of the affected component. Following the MITRE ATT&CK framework, exploitation of these vulnerabilities can be classified as follows:</p>
<p>Tactic: Execution (TA0002)</p>
<p>Systems Affected: Android OS patch levels prior to 2023-07-05</p>
<ul>
<li>Government: Large and medium government entities - HIGH; small government entities - MEDIUM</li>
<li>Businesses: Large and medium business entities - HIGH; small business entities - MEDIUM</li>
<li>Home Users: LOW</li>
</ul>
<ul>
<li>Multiple vulnerabilities in System that could allow for remote code execution. (CVE-2023-21250, CVE-2023-2136)</li>
<li>A vulnerability in Framework that could allow for remote code execution. (CVE-2023-21127)</li>
<li>Multiple vulnerabilities in Framework that could allow for escalation of privilege. (CVE-2023-20918, CVE-2023-20942, CVE-2023-21145, CVE-2023-21245, CVE-2023-21251, CVE-2023-21254, CVE-2023-21257, CVE-2023-21262)</li>
<li>A vulnerability in Framework that could allow for denial of service. (CVE-2023-21087)</li>
<li>Multiple vulnerabilities in Framework that could allow for information disclosure. (CVE-2023-21238, CVE-2023-21239, CVE-2023-21249)</li>
<li>Multiple vulnerabilities in System that could allow for escalation of privilege. (CVE-2023-21241, CVE-2023-21246, CVE-2023-21247, CVE-2023-21248, CVE-2023-21256)</li>
<li>A vulnerability in System that could allow for information disclosure. (CVE-2023-21261)</li>
<li>Multiple vulnerabilities in System that could allow for denial of service. (CVE-2023-20910, CVE-2023-21240, CVE-2023-21243)</li>
<li>Multiple vulnerabilities in Kernel that could allow for escalation of privilege. (CVE-2022-42703, CVE-2023-21255, CVE-2023-25012)</li>
<li>Multiple vulnerabilities in Arm components. (CVE-2021-29256, CVE-2022-28350, CVE-2023-28147, CVE-2023-26083)</li>
<li>A vulnerability in Imagination Technologies components. (CVE-2021-0948)</li>
<li>Multiple vulnerabilities in MediaTek components. (CVE-2023-20754, CVE-2023-20755)</li>
<li>Multiple vulnerabilities in Qualcomm components. (CVE-2023-21672, CVE-2023-22386, CVE-2023-22387, CVE-2023-24851, CVE-2023-24854, CVE-2023-28541, CVE-2023-28542)</li>
<li>Multiple vulnerabilities in Qualcomm closed-source components. (CVE-2023-21629, CVE-2023-21631, CVE-2023-22667)</li>
</ul>
<p>Successful exploitation of the most severe of these vulnerabilities could allow for privilege escalation. Depending on the privileges associated with the exploited component, an attacker could then install programs; view, change, or delete data; or create new accounts with full rights.</p>
<p>Authorities recommend the following actions be taken:</p>
<ul>
<li>Apply appropriate patches provided by Google to vulnerable systems, immediately after appropriate testing. (M1051: Update Software)</li>
<li>Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.</li>
<li>Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.</li>
<li>Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.</li>
<li>Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources. Inform and educate users regarding threats posed by hypertext links contained in emails or attachments, especially from untrusted sources. (User Training)</li>
<li>Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (Exploit Protection)</li>
<li>Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Apple® System Integrity Protection (SIP) and Gatekeeper™.</li>
</ul>
<p><strong>CVEs</strong></p>
<ul>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0948">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0948</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29256">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29256</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28350">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28350</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42703">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42703</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20910">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20910</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20754">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20754</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20755">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20755</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20918">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20918</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20942">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20942</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21087">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21087</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21145">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21145</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2136">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2136</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21238">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21238</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21239">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21239</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21240">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21240</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21241">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21241</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21243">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21243</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21245">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21245</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21246">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21246</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21247">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21247</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21248">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21248</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21249">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21249</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21250">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21250</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21251">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21251</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21254">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21254</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21255">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21255</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21256">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21256</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21257">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21257</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21261">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21261</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21262">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21262</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21629">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21629</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21631">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21631</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21672">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21672</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22386">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22386</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22387">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22387</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22667">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22667</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24851">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24851</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24854">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24854</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25012">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25012</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26083">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26083</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28147">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28147</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28541">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28541</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28542">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28542</a></li>
</ul>
<p><strong>Google</strong></p>
<p><a href="https://source.android.com/docs/security/bulletin/2023-07-01#arm-components">https://source.android.com/docs/security/bulletin/2023-07-01#arm-components</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-google-android-os-could-allow-for-remote-code-execution_2023-072">https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-google-android-os-could-allow-for-remote-code-execution_2023-072</a></p></div>Bandit Stealer to 'Go'https://redskyalliance.org/xindustry/bandit-stealer-to-go2023-05-31T12:10:00.000Z2023-05-31T12:10:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}11171683269,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}11171683269,RESIZE_400x{{/staticFileLink}}" alt="11171683269?profile=RESIZE_400x" width="250" /></a>Cyber security researchers identified a new information-stealing malware that targets browsers and cryptocurrency wallets. Although the malware, called Bandit Stealer, has only targeted Windows systems so far, it has the potential to expand to other platforms such as Linux. What makes Bandit Stealer particularly dangerous is that it’s difficult for victims to detect, researchers at Trend Micro wrote in a report published last week.</p>
<p>For example, Bandit Stealer can bypass Windows Defender, a security tool developed by Microsoft to protect users from various types of threats, including viruses, malware and spyware. Bandit Stealer's developers are continuously updating the malware's features, according to advertisements circulating in the malware community. One such advertisement said: “Get ready, because a major update is coming next week that will blow other stealers out of the water.”<a href="#_ftn1">[1]</a></p>
<p>Trend Micro researchers have not identified any active hacking group associated with the malware, and have not determined how the group may use the stolen information.</p>
<p>However, the group and its customers can potentially use the malware for activities like identity theft, data breaches, credential stuffing attacks and account takeovers, according to Trend Micro.</p>
<p>Malware capabilities: Bandit Stealer was written in the Go programming language, which was developed by Google and is widely used. Go allows the malware to run on multiple operating systems and better avoid detection, Trend Micro said. Although Bandit Stealer advertises itself as “the most advanced info-stealer on the market,” it has many similarities with other stealers, including Creal Stealer, Luna Grabber, Kyoku Cookie token stealer and Pegasus Stealer, according to Trend Micro.</p>
<p>It targets a wide range of Internet browsers and can steal various types of victims’ data, including usernames, current IPs, hard drive information, detailed information about the victim's computer and the country code associated with an IP address. It can also compromise the security of a victim’s Telegram messaging app, which is popular among cryptocurrency enthusiasts. Once Bandit Stealer gains unauthorized access to Telegram, it can impersonate the compromised user and potentially deceive others; the attackers can also access private messages and data associated with the compromised Telegram account.</p>
<p>Bandit Stealer is persistent, as it is executed every time the infected computer starts up or restarts, meaning that even after a system shutdown, the malware can still operate and steal data from the victim's system. According to Trend Micro, victims can unwittingly download Bandit Stealer while visiting malicious websites or through phishing emails.</p>
<p>The malware opens a Word document on a victim’s computer and deceives the user into opening a seemingly harmless file. One of the documents obtained by Trend Micro was a memo expressing concerns about the victim’s job performance.</p>
<p>Bandit Stealer can also pretend to be a fake installer for a program called Heartsender, which is typically used for automated email sending in advertising and marketing.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/bandit-stealer-malware-trend-micro-crypto-wallets/">https://therecord.media/bandit-stealer-malware-trend-micro-crypto-wallets/</a></p></div>Danger - Google Appshttps://redskyalliance.org/xindustry/danger-google-apps2023-04-20T17:25:00.000Z2023-04-20T17:25:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}11030292475,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}11030292475,RESIZE_400x{{/staticFileLink}}" alt="11030292475?profile=RESIZE_400x" width="222" /></a>Millions of consumers are now being urged to check their devices quickly after security experts found a new threat targeting Android phones. The team at McAfee Mobile Security discovered the most recent attack, which can infect well-known applications with a malicious software library and start carrying out tasks without the smartphone owners' authorization.<a href="#_ftn1">[1]</a></p>
<p>Once a contaminated app is installed, criminals can use it to read the phone's Wi-Fi history, the Bluetooth devices paired with it, the apps in use, and even nearby GPS positions. In practice, that means an attacker may know the owner's exact location.</p>
<p>How dangerous is it? Worse yet, because the library can commit ad fraud by clicking bogus advertisements in the background, Android users may be earning money for the attackers without realizing it. This kind of background activity frequently overloads the phone and is known to slow devices down. McAfee confirmed, "the research team has found over 60 applications containing this third-party malicious library, with over 100 million downloads."</p>
<p>The research team has already reported the problem to Google, which instructed the affected app developers to fix their apps or face removal from its app store.</p>
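<p>The article does not name the library or give a signature, so the practical check on a device is a permission-profile one: which installed apps hold, at the same time, the permissions needed to do everything described above (location, Wi-Fi/Bluetooth state, enumeration of installed apps, and network access to ship the data out). The script below is an added example, not McAfee's research code or anything from the original article. It parses the shape of <code>adb shell dumpsys package &lt;pkg&gt;</code> output; the sample input and the package names are constructed, and the permission-to-capability mapping is the editor's assumption.</p>

```python
"""Triage installed Android apps for the data-collection profile described above.

Added example; it is not McAfee's research code and the article does not name the
library, so this is a permission-profile check rather than a signature. Input is the
text of `adb shell dumpsys package <pkg>` for each package; the SAMPLE below is
constructed to resemble that output and is not real device data.
"""
import re
from typing import Dict, List, Set

# Permissions that, taken together, let a library do what the article describes:
# read Wi-Fi state / paired Bluetooth devices, enumerate installed apps, obtain
# GPS position, and talk to the network to ship it out. (Assumed mapping.)
LOCATION = {"android.permission.ACCESS_FINE_LOCATION",
            "android.permission.ACCESS_COARSE_LOCATION"}
NEARBY = {"android.permission.ACCESS_WIFI_STATE",
          "android.permission.BLUETOOTH",
          "android.permission.BLUETOOTH_CONNECT"}
APP_ENUM = {"android.permission.QUERY_ALL_PACKAGES"}
NETWORK = {"android.permission.INTERNET"}

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]", re.M)
GRANTED_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=true", re.M)


def parse_dumpsys(text: str) -> Dict[str, Set[str]]:
    """Return {package: granted permissions} from concatenated dumpsys output.

    Only lines carrying granted=true count; a requested-but-denied runtime
    permission (granted=false) gives the app no capability.
    """
    chunks = PKG_RE.split(text)  # [preamble, pkg1, body1, pkg2, body2, ...]
    inventory: Dict[str, Set[str]] = {}
    for i in range(1, len(chunks) - 1, 2):
        inventory[chunks[i]] = set(GRANTED_RE.findall(chunks[i + 1]))
    return inventory


def profile_matches(perms: Set[str]) -> List[str]:
    """Name the capability groups an app's granted permissions cover."""
    hits = []
    if perms & LOCATION:
        hits.append("location")
    if perms & NEARBY:
        hits.append("wifi/bluetooth")
    if perms & APP_ENUM:
        hits.append("installed-apps")
    if perms & NETWORK:
        hits.append("network")
    return hits


def flag_suspicious(inventory: Dict[str, Set[str]]) -> List[str]:
    """Packages covering all four groups, i.e. able to both collect and exfiltrate."""
    return sorted(pkg for pkg, perms in inventory.items()
                  if len(profile_matches(perms)) == 4)


# Constructed sample in the shape of `adb shell dumpsys package` (not real data).
SAMPLE = """\
Package [com.example.flashlight] (a1b2c3):
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.ACCESS_WIFI_STATE: granted=true
      android.permission.QUERY_ALL_PACKAGES: granted=true
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.BLUETOOTH_CONNECT: granted=true, flags=[ USER_SET ]
Package [com.example.notes] (d4e5f6):
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    inventory = parse_dumpsys(SAMPLE)
    for pkg in flag_suspicious(inventory):
        print(f"{pkg}: {', '.join(profile_matches(inventory[pkg]))}")
```

<p>A full-profile match is a triage signal, not proof: a smart-home companion app legitimately needs the same set. The value is in the ordering: a flashlight or note-taking app that holds all four groups goes to the top of the list for a closer look at the third-party SDKs it bundles.</p>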
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a></p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: https://www.redskyalliance.org/</li>
<li>Website: https://www.wapacklabs.com/</li>
<li>LinkedIn: https://www.linkedin.com/company/64265941</li>
</ul>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.msn.com/en-in/money/technology/google-has-banned-36-popular-android-apps-and-millions-are-being-pushed-to-do-so-right-away/ar-AA1a2du3">https://www.msn.com/en-in/money/technology/google-has-banned-36-popular-android-apps-and-millions-are-being-pushed-to-do-so-right-away/ar-AA1a2du3</a></p></div>Google Chrome Issueshttps://redskyalliance.org/xindustry/google-chrome-issues2023-04-04T20:10:00.000Z2023-04-04T20:10:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}11004795484,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}11004795484,RESIZE_400x{{/staticFileLink}}" alt="11004795484?profile=RESIZE_400x" width="250" /></a>Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the internet. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.<a href="#_ftn1">[1]</a></p>
<p>Threat Intel: There are currently no reports of these vulnerabilities being exploited in the wild.</p>
<p>Systems Affected:</p>
<ul>
<li>Google Chrome versions prior to 111.0.5563.110/.111 for Windows</li>
<li>Google Chrome versions prior to 111.0.5563.110 for Mac and Linux</li>
</ul>
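<p>The "Systems Affected" list is the part of this advisory a fleet owner actually has to act on, and the usual mistake is comparing Chrome build strings lexically. Below is an added example, not part of the CIS advisory or of any Google tooling, that turns the thresholds above into a check over an endpoint inventory. The fixed builds come from the list above (Windows lists two builds, .110 and .111, carrying the same fix, so anything below .110 is unpatched on every platform); the host inventory is constructed.</p>

```python
"""Flag hosts running a Chrome build older than the fixed builds in the advisory.

Added example, not part of the CIS advisory or of any Google tooling. Fixed builds
are taken from the "Systems Affected" list above: 111.0.5563.110 for Mac and
Linux, and 111.0.5563.110/.111 for Windows (two builds carrying the same fix, so
anything below .110 is unpatched on every platform). The INVENTORY is constructed.
"""
from typing import Dict, List, Tuple

FIXED_BUILD: Dict[str, str] = {
    "windows": "111.0.5563.110",
    "mac": "111.0.5563.110",
    "linux": "111.0.5563.110",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '111.0.5563.110' into (111, 0, 5563, 110).

    Comparing as integer tuples matters: as strings, '111.0.5563.9' sorts after
    '111.0.5563.110' and would be misreported as patched.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, platform: str) -> bool:
    """True when the build predates the fixed build for that platform."""
    fixed = FIXED_BUILD[platform.lower()]
    return parse_version(version) < parse_version(fixed)


def triage(inventory: List[Dict[str, str]]) -> List[str]:
    """Hostnames still on an affected build, sorted for a ticket or report."""
    return sorted(h["host"] for h in inventory
                  if is_vulnerable(h["chrome"], h["platform"]))


# Constructed inventory, as an endpoint agent might report it (not real hosts).
INVENTORY = [
    {"host": "ws-001", "platform": "windows", "chrome": "111.0.5563.65"},
    {"host": "ws-002", "platform": "windows", "chrome": "111.0.5563.111"},
    {"host": "mac-007", "platform": "mac", "chrome": "110.0.5481.177"},
    {"host": "lnx-042", "platform": "linux", "chrome": "111.0.5563.110"},
    {"host": "lnx-043", "platform": "linux", "chrome": "111.0.5563.9"},
]

if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: update required")
```

<p>The build string comes from <code>google-chrome --version</code> on Linux or from <code>chrome://version</code> in the browser itself. Treat the threshold table as data rather than a constant: every later stable-channel advisory raises the floor, and a check pinned to 111.0.5563.110 says nothing about the CVEs fixed after it.</p>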
<p>Risks:</p>
<p>Government: Large and medium government entities HIGH; Small government MEDIUM</p>
<p>Businesses: Large and medium business entities HIGH; Small business entities MEDIUM; Home Users: LOW</p>
<p>Technical Summary: Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:</p>
<p>Tactic: Initial Access (TA0001):</p>
<p>Technique: Drive-By Compromise (T1189):</p>
<ul>
<li>Use after free in Passwords (CVE-2023-1528)</li>
<li>Out of bounds memory access in WebHID (CVE-2023-1529)</li>
<li>Use after free in PDF (CVE-2023-1530)</li>
<li>Use after free in ANGLE (CVE-2023-1531)</li>
<li>Out of bounds read in GPU Video (CVE-2023-1532)</li>
<li>Use after free in WebProtect (CVE-2023-1533)</li>
<li>Out of bounds read in ANGLE (CVE-2023-1534)</li>
</ul>
<p>Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.</p>
<p>Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing. (M1051: Update Software)</p>
<ul>
<li>Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.</li>
<li>Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.</li>
<li>Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.</li>
<li>Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.</li>
</ul>
<p>Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)</p>
<ul>
<li>Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.</li>
<li>Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.</li>
</ul>
<p>Restrict execution of code to a virtual environment on or in transit to an endpoint system. (M1048: Application Isolation and Sandboxing)</p>
<p>Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)</p>
<ul>
<li>Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.</li>
</ul>
<p>Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)</p>
<ul>
<li>Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.</li>
<li>Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.</li>
<li>Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.</li>
</ul>
<p>Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources. Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. (M1017: User Training)</p>
<ul>
<li>Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.</li>
<li>Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.</li>
</ul>
<p>REFERENCES: CVEs</p>
<ul>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1528">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1528</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1529">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1529</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1530">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1530</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1531">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1531</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1532">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1532</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1533">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1533</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1534">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1534</a></li>
</ul>
<p>REFERENCES: Google</p>
<ul>
<li><a href="https://chromereleases.googleblog.com/2023/03/stable-channel-update-for-desktop_21.html">https://chromereleases.googleblog.com/2023/03/stable-channel-update-for-desktop_21.html</a></li>
</ul>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-google-chrome-could-allow-for-arbitrary-code-execution_2023-033">https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-google-chrome-could-allow-for-arbitrary-code-execution_2023-033</a></p></div>What's Bard ?https://redskyalliance.org/xindustry/what-s-bard2023-03-24T11:55:00.000Z2023-03-24T11:55:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}11001080665,RESIZE_1200x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}11001080665,RESIZE_400x{{/staticFileLink}}" alt="11001080665?profile=RESIZE_400x" width="250" /></a>Google has launched Bard, yes Bard, the search giant’s answer to OpenAI’s ChatGPT and Microsoft’s Bing Chat. Unlike Bing Chat, Bard does not look up search results; all the information it returns is generated by the model itself. But it is still designed to help users brainstorm and answer queries. Google wants Bard to become an integral part of the Google Search experience.</p>
<p>In a recent live demo, Google demonstrated that Bard came up with ideas for a child’s bunny-themed birthday party and gave lots of tips for looking after houseplants. “We really see it as this creative collaborator,” says a senior product director at Google.<a href="#_ftn1">[1]</a></p>
<p>Google has a lot riding on this launch. Microsoft partnered with OpenAI to make an aggressive play for Google’s top spot in search. Meanwhile, Google blundered straight out of the gate when it first tried to respond. In a teaser clip for Bard that the company put out in February, the chatbot was shown making a factual error. Google’s value fell by $100 billion overnight. Oops.</p>
<p>Google will not share many details about how Bard works: large language models, the technology behind this wave of chatbots, have become valuable IP. But it will say that Bard is built on top of a new version of LaMDA, Google’s flagship large language model. Google says it will update Bard as the underlying tech improves. Like ChatGPT and GPT-4, Bard is fine-tuned using reinforcement learning from human feedback, a technique that trains a large language model to give more useful and less toxic responses.</p>
<p>Google has been working on Bard for a few months behind closed doors but says that it’s still an experiment. The company is now making the chatbot available for free to people in the US and the UK who sign up to a waitlist. These early users will help test and improve the technology. “We’ll get user feedback, and we will ramp it up over time based on that feedback,” says Google’s vice president of research. “We are mindful of all the things that can go wrong with large language models.”</p>
<p>But the chief ethics scientist at AI startup Hugging Face, a former co-lead of Google’s AI ethics team, is skeptical of this framing. Google has been working on LaMDA for years, she says, and she thinks pitching Bard as an experiment “is a PR trick that larger companies use to reach millions of customers while also removing themselves from accountability if anything goes wrong.”</p>
<p>Google wants users to think of Bard as a sidekick to Google Search, not a replacement. A button that sits below Bard’s chat widget says “Google It.” The idea is to nudge users to head to Google Search to check Bard’s answers or find out more. “It’s one of the things that help us offset limitations of the technology,” Google explained. “We really want to encourage people to actually explore other places, sort of confirm things if they’re not sure.”</p>
<p>This acknowledgement of Bard’s flaws has shaped the chatbot’s design in other ways, too. Users can interact with Bard only a handful of times in any given session. This is because the longer large language models engage in a single conversation, the more likely they are to go off the rails. Many of the weirder responses from Bing Chat that people have shared online emerged at the end of drawn-out exchanges, for example. Google will not confirm what the conversation limit will be for launch, but it will be set quite low for the initial release and adjusted depending on user feedback.</p>
<p>Google is also playing it safe in terms of content. Users will not be able to ask for sexually explicit, illegal, or harmful material (as judged by Google) or personal information. In the recent demo, Bard would not give tips on how to make a Molotov cocktail. That is standard for this generation of chatbot. But it also would not provide any medical information, such as how to spot signs of cancer. “Bard is not a doctor. It’s not going to give medical advice,” says Google.</p>
<p>Perhaps the biggest difference between Bard and ChatGPT is that Bard produces three versions of every response, which Google calls “drafts.” Users can click between them and pick the response they prefer or mix and match between them. The aim is to remind people that Bard cannot generate perfect answers. “There’s the sense of authoritativeness when you only see one example,” says Google. “And we know there are limitations around factuality.”</p>
<p>In the recent demo conducted in London, a Google rep asked Bard to write an invitation to his child’s birthday party. Bard did this, filling in the street address for Gym World in San Rafael, California. “It’s a place I drive by a ton but I honestly can’t tell you the name of the street,” he said. “So that’s where Google Search comes in.” He then clicked “Google It” to make sure the address was correct. (It was.)</p>
<p>Google noted it does not want to replace Search for now. “We spent decades perfecting that experience,” the rep said. But this may be more a sign of Bard’s current limitations than a long-term strategy. In its announcement, Google states: “We’ll also be thoughtfully integrating LLMs into Search in a deeper way; more to come.”</p>
<p>That may come sooner rather than later, as Google finds itself in an arms race with OpenAI, Microsoft, and other competitors. “They are going to keep rushing into this, regardless of the readiness of the tech,” says a researcher who studies search technologies at the University of Washington (UW). “As we see ChatGPT getting integrated into Bing and other Microsoft products, Google is definitely compelled to do the same.”</p>
<p>A year ago, the UW researcher co-authored a paper with a linguist who also studies large language models at the University of Washington, in which they called out the problems with using large language models as search engines. At the time, the idea still seemed hypothetical, and they both worried they might have been overreaching. But this experimental technology has been integrated into consumer-facing products with unprecedented speed. “We didn’t anticipate these things happening so quickly,” the researcher says. “But they have no choice. They have to defend their territory.”</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.technologyreview.com/2023/03/21/1070111/google-bard-chatgpt-openai-microsoft-bing-search/">https://www.technologyreview.com/2023/03/21/1070111/google-bard-chatgpt-openai-microsoft-bing-search/</a></p></div>Google & Twitter in Courthttps://redskyalliance.org/xindustry/google-twitter-in-court2023-02-21T16:01:12.000Z2023-02-21T16:01:12.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}10970905059,RESIZE_1200x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10970905059,RESIZE_400x{{/staticFileLink}}" alt="10970905059?profile=RESIZE_400x" width="250" /></a>In 2015, ISIS conducted a series of coordinated attacks around Paris that killed 130 people and wounded nearly 500 more. Two years later, 39 people were killed in an ISIS attack on an Istanbul nightclub during the early hours of New Year’s Day. This week, the US Supreme Court will hear oral arguments in a pair of cases arising from those attacks. The justices’ decisions in Gonzalez v. Google and Twitter v. Taamneh could reshape legal liability for some of the nation’s largest technology companies.</p>
<p>Gonzalez v. Google - The question at the center of Gonzalez, which will be argued this week, is the scope of Section 230 of the Communications Decency Act of 1996, which generally shields tech companies from liability for content published by others. The justices will consider whether that landmark statute protects internet platforms when their algorithms target users and recommend someone else’s content.<a href="#_ftn1">[1]</a></p>
<p>The question comes to the court in a lawsuit filed by the family of Nohemi Gonzalez, a 23-year-old American woman who was killed in the 2015 ISIS attack on a Parisian bistro, La Belle Équipe. They brought their lawsuit under the Antiterrorism Act, arguing that Google (which owns YouTube) aided ISIS’s recruitment by allowing ISIS to post videos on YouTube that incited violence and sought to recruit potential ISIS members, and by recommending ISIS videos to users through its algorithms.</p>
<p>A divided panel of the US Court of Appeals for the 9th Circuit ruled that Section 230 protects such recommendations, at least if the provider’s algorithm treated content on its website similarly. The majority acknowledged that Section 230 “shelters more activity than Congress envisioned it would.” However, the majority concluded, Congress, rather than the courts, should clarify how broadly Section 230 applies. The Gonzalez family then went to the Supreme Court, which agreed last year to weigh in.</p>
<p>The Gonzalez family insists that recommendations are not always shielded from liability under Section 230. Whether they are protected, the family says, hinges on whether the defendant can meet all of the criteria outlined in Section 230, which bars providers of “an interactive computer service” from being “treated as the publisher … of any information provided by” a third party. For example, the family argues, Section 230 does not protect a defendant from liability for recommendations that contain material that the defendant itself created or provided, such as URLs for the user to download or “notifications of new postings the defendant hopes the user will find interesting,” because in that scenario, the information would not be provided by someone else. </p>
<p>A website like YouTube is also not shielded from liability, the family continues, when it provides unsolicited recommendations that it thinks will appeal to users. In that scenario, the family asserts, the defendant is not providing access to a computer server (because the user is not making a request) and therefore is not acting as a “provider … of an interactive computer service.”</p>
<p>Because Section 230 does not always provide tech companies with immunity for their recommendations, the family concludes, the 9th Circuit should not have thrown out the family’s claim. But, the family stresses, even if Google is not entitled to immunity under Section 230, that is only the beginning of the inquiry: The family must then show that Google can be held liable under federal antiterror laws for its recommendations.</p>
<p>The current administration agrees with the Gonzalez family that the court of appeals was wrong to dismiss its claim based on YouTube’s recommendations of ISIS content, but its reasoning focuses only on how YouTube’s algorithms operate and on their effect. YouTube’s suggested videos, the administration notes, appear on the side of each user’s YouTube page and will “automatically load and play when a selected video ends.” In so doing, the administration explains, YouTube “implicitly tells the user that she ‘will be interested in’” the content of that video – which is a separate message from the message in the video itself. Therefore, the administration concludes, although the family may ultimately “face obstacles” in proving their claims under the ATA, Google and YouTube are not entitled to immunity under Section 230 because the family is seeking “to hold YouTube liable for its own conduct and its own communications, above and beyond its failure to block ISIS videos or remove them from the site.”</p>
<p>In their brief on the merits, Google and YouTube condemn terrorism and emphasize that they have taken, “increasingly effective actions to remove terrorist and other potentially harmful conduct.” But Section 230 bars the family’s claims against them for YouTube’s recommendation of ISIS-related videos, they maintain, because the provision provides immunity from claims that treat the defendant as a publisher. And just as a newspaper acts as a publisher when it puts together an opinion page filled with essays and columns written by other people, the companies write, YouTube acts as a publisher when its algorithms “sort and list related videos that may interest viewers so that they do not confront a morass of billions of unsorted videos.”</p>
<p>Google and YouTube urge the justices not to “undercut a central building block of the modern Internet.” If Section 230 does not protect YouTube’s efforts to organize the videos that others post on its site, they caution, neither Gonzalez nor the Biden administration have a “coherent theory that would save search recommendations and other basic software tools that organize an otherwise unnavigable flood of websites, videos, comments, messages, product listings, files, and other information.”</p>
<p>Google and YouTube offer the justices an off-ramp, noting that the Gonzalez family’s claims in this case are “materially identical” to the claims in Twitter v. Taamneh, which will be also argued this week. If the court were to rule that the Taamneh family’s claim cannot go forward under the ATA, the tech companies tell the justices, then the Gonzalez family’s claims also cannot go forward, so there would be no need for the justices to decide whether Google and YouTube are shielded from liability under Section 230.</p>
<p>Twitter v. Taamneh - In the Twitter case, the justices agreed to decide whether Twitter (along with Facebook and Google, which were also defendants in the lower courts) can be held liable, regardless of Section 230, for aiding and abetting international terrorism based on ISIS’s use of the companies’ platforms.</p>
<p>The lawsuit was filed by the family of Nawras Alassaf, a Jordanian citizen who was among the 39 people killed in the January 2017 ISIS attack at the Reina nightclub in Istanbul. The Taamneh family filed a lawsuit in federal court in California under the Antiterrorism Act, which allows US nationals to sue anyone who “aids and abets, by knowingly providing substantial assistance,” international terrorism. The family contended that Twitter and the other tech companies knew that their platforms played an important role in ISIS’s terrorism efforts but, despite extensive press coverage and government pressure, did not act aggressively to keep ISIS content off those platforms.</p>
<p>The 9th Circuit allowed the Taamneh family’s aiding-and-abetting claim to go forward. It acknowledged that the tech companies’ policies bar users from posting content that promotes terrorism, and that the tech companies regularly removed posts with ISIS-related content. And although it stressed that “[n]ot every transaction with a designated terrorist organization will sufficiently state a claim for aiding-and-abetting liability under the ATA,” it concluded that the Taamneh family had done so in this case. Twitter went to the US Supreme Court, which agreed last year to weigh in.</p>
<p>In the Supreme Court, Twitter urges the justices to overturn the 9th Circuit’s ruling. The company argues that a defendant can only be held liable under the ATA, as amended by the Justice Against Sponsors of Terrorism Act, when it has provided substantial assistance for a specific act of international terrorism – such as the attack on the Reina nightclub. But the plaintiffs have not even alleged that the terrorists responsible for the Reina attack ever used Twitter.</p>
<p>Twitter’s actions also fell short of the kind of “knowing” assistance required for liability under the ATA, the company says. It is not enough that Twitter knew that terrorists used its platforms, even though Twitter’s policies barred them from doing so. Instead, Twitter argues, it can only be held liable if it knew about “specific accounts that substantially assisted the Reina attack” and knew “that not blocking those accounts would substantially assist such an attack.” But, it stressed, the plaintiffs concede that Twitter “rarely knew about specific terrorist accounts or posts,” and they do not allege that Twitter “knew about yet failed to block any account or post that was used to plan or commit the Reina attack or any other terrorist attack.”</p>
<p>The Biden administration agrees that the 9th Circuit’s decision should not stand, but it takes a slightly different (and broader) view of liability than Twitter. In its view, a defendant could in some circumstances be held liable under the ATA even when it did not specifically know about the terrorist attack that led to a victim’s injury, or if it did not provide support for that act. But, the government adds, plaintiffs must allege more than that the defendants have simply provided “generalized support to a terrorist organization through the provision of widely available services” – and the Taamneh family has not done so in this case.</p>
<p>The Taamneh family counters that the ATA was intended to provide plaintiffs with “the broadest possible basis” to sue companies and organizations that aid terrorist organizations. And the text of the ATA, the family says, makes clear that it does not require a connection between the assistance that the defendant provides and a specific terrorist attack: It is enough that the defendant provided assistance to the broader terrorist organization. “Twitter’s proposed interpretation of” the ATA, the family writes, “would implausibly segregate a particular terrorist act from the overall campaign of terror of which it was an integral part, requiring courts to ignore the often long chain of events which enabled a foreign terrorist organization to mount such an attack.”</p>
<p>Both sides warn of dire consequences if the other side prevails. Twitter suggests that the family’s theory could create a “novel and boundless conception of aiding-and-abetting liability” that could expose aid organizations and NGOs to liability if they provide assistance that eventually reaches and assists ISIS’s general operations, even if there is no connection to a specific terrorist attack.</p>
<p>Facebook and Google echo Twitter’s concerns. They tell the justices that a ruling for the family could mean that social-media companies could be sued under the ATA “for virtually any terrorist attack ISIS ever commits, at anytime and anywhere in the world, simply because their efforts to prevent ISIS members or supporters from exploiting their services were not, in a jury’s estimation, sufficiently ‘aggressive.’” That liability, they continue, could extend to a wide range of other companies whose products or services could be used by terrorists.</p>
<p>But the Taamneh family says that Twitter’s construction of the law would be so narrow that it would be almost useless: It would only apply, for example, “to a fellow terrorist who handed a killer a firearm” and “could not as a practical matter be applied to the types of outside assistance that most matters to terrorist organizations, such as contributions, banking services, and social media recommendations.” Twitter’s theory, the family posits, would also “require a type of knowledge which almost no one but a terrorist would usually possess.”</p>
<p>Even as the justices grapple with the weighty questions in the Google and Twitter cases, they are also aware that another pair of cases involving social-media companies is lurking on the horizon. In January, the justices asked the Biden administration for its views on the challenges to controversial laws, enacted in Florida and Texas, that seek to regulate the content-moderation policies of social-media companies like Facebook and Twitter. Both laws were passed in response to beliefs that social-media companies were censoring their users, particularly those expressing conservative beliefs. If, as expected, the Florida and Texas cases eventually return to the Supreme Court, the court’s rulings could create a conundrum for tech companies: A decision that curtails Section 230 could require tech companies to remove content to avoid expanded legal liability, while the Texas and Florida laws could restrict the companies’ ability to do so.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> Original opinion article from Amy Howe: <a href="https://amylhowe.com/2023/02/19/justices-will-consider-whether-tech-giants-can-be-sued-for-allegedly-aiding-isis-terrorism/">https://amylhowe.com/2023/02/19/justices-will-consider-whether-tech-giants-can-be-sued-for-allegedly-aiding-isis-terrorism/</a> </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: https://www.redskyalliance.org/</li>
<li>Website: https://www.wapacklabs.com/</li>
<li>LinkedIn: https://www.linkedin.com/company/64265941</li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.scotusblog.com/2023/02/justices-will-consider-whether-tech-giants-can-be-sued-for-allegedly-aiding-isis-terrorism/">https://www.scotusblog.com/2023/02/justices-will-consider-whether-tech-giants-can-be-sued-for-allegedly-aiding-isis-terrorism/</a></p></div>Google Chrome Woes - Arbitrary Code Executionhttps://redskyalliance.org/xindustry/google-chrome-woes-arbitrary-code-execution2022-12-06T14:11:50.000Z2022-12-06T14:11:50.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}10902441091,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10902441091,RESIZE_400x{{/staticFileLink}}" width="210" alt="10902441091?profile=RESIZE_400x" /></a>A vulnerability has been discovered in Google Chrome which could allow for arbitrary code execution.<a href="#_ftn1">[1]</a> Successful exploitation of this vulnerability could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.</p>
<p><strong>Threat Intelligence</strong>: Google is aware that an exploit for CVE-2022-4262<a href="#_ftn2">[2]</a> exists in the wild.</p>
<p>System Affected:</p>
<ul>
<li>Google Chrome versions prior to 108.0.5359.94 for Mac and Linux</li>
<li>Google Chrome versions prior to 108.0.5359.94/.95 for Windows</li>
</ul>
<p><strong>Risk</strong>:</p>
<p>Government:</p>
<p>- Large and medium government entities: Medium</p>
<p>- Small government entities: Medium</p>
<p>Businesses:</p>
<p>- Large and medium business entities: Medium</p>
<p>- Small business entities: Medium</p>
<p>Home Users: Low</p>
<p><strong>Technical Summary</strong>: A Type Confusion in V8 has been discovered in Google Chrome which could allow for arbitrary code execution. An attacker must trick an unsuspecting victim into following a malicious URI to exploit this issue. This is typically achieved through social engineering techniques.</p>
<p><strong>Recommendations</strong>: Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing. Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Restrict execution of code to a virtual environment on or in transit to an endpoint system.</p>
<p>Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from untrusted sources. Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.</p>
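<p>A fleet-wide version check for this advisory, added here as an example (it is not part of the CIS or Google advisory): it parses Chrome version strings as reported by the browser or an inventory export and compares them against the first fixed build, 108.0.5359.94 (the Windows .95 build is also fixed, so .94 is the threshold on every platform). The hostnames and versions in <code>SAMPLE_INVENTORY</code> are constructed, and <code>local_chrome_version</code> only tries a few common binary names.</p>

```python
"""Fleet check for CVE-2022-4262 (added example, not part of the advisory).
Compares Chrome version strings against the first fixed Stable build named in
the advisory: 108.0.5359.94 on Mac/Linux, 108.0.5359.94/.95 on Windows, so
.94 is the threshold on every platform. SAMPLE_INVENTORY is constructed."""
import re
import subprocess

# First fixed build per platform, taken from the advisory text.
FIXED_BUILD = {
    "linux":   (108, 0, 5359, 94),
    "mac":     (108, 0, 5359, 94),
    "windows": (108, 0, 5359, 94),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract the first four-part Chrome build from free text, e.g. the output
    of `google-chrome --version` ("Google Chrome 108.0.5359.71")."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(g) for g in match.groups())


def is_vulnerable(version_text, platform):
    """True when the installed build predates the fix for that platform.
    Fields are compared as integers, so 108.0.5359.100 > 108.0.5359.94."""
    plat = platform.lower()
    if plat not in FIXED_BUILD:
        raise ValueError(f"unknown platform {platform!r}")
    return parse_version(version_text) < FIXED_BUILD[plat]


def triage(inventory):
    """inventory: iterable of (hostname, platform, version_text).
    Returns the hostnames still on a vulnerable build, in input order."""
    return [host for host, plat, ver in inventory if is_vulnerable(ver, plat)]


def local_chrome_version():
    """Best-effort read of the local Chrome build on Linux/macOS by running the
    binary with --version; returns None when no binary is found. Windows hosts
    are better served by an inventory export, which triage() consumes."""
    candidates = (
        "google-chrome", "google-chrome-stable", "chromium", "chromium-browser",
        "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
    )
    for exe in candidates:
        try:
            out = subprocess.run([exe, "--version"], capture_output=True,
                                 text=True, timeout=10, check=True).stdout
            return parse_version(out)
        except (OSError, subprocess.SubprocessError, ValueError):
            continue
    return None


# Constructed inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("ws-001",  "windows", "Google Chrome 108.0.5359.71"),   # pre-fix
    ("ws-002",  "windows", "108.0.5359.95"),                 # fixed Windows build
    ("mac-010", "mac",     "Google Chrome 107.0.5304.121"),  # pre-fix
    ("lnx-020", "linux",   "Google Chrome 108.0.5359.94"),   # exactly the fixed build
    ("lnx-021", "linux",   "Chromium 109.0.5414.74"),        # newer than the fix
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: update Chrome to 108.0.5359.94 or later")
```

<p>Version tuples compare element-wise, so 108.0.5359.71 sorts below 108.0.5359.94 and 109.x sorts above it; a plain string comparison would misorder 108.0.5359.100, which is why each field is parsed to an integer first.</p>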
<p>Reference - Google:</p>
<p><a href="https://chromereleases.googleblog.com/2022/12/stable-channel-update-for-desktop.html">https://chromereleases.googleblog.com/2022/12/stable-channel-update-for-desktop.html</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.cisecurity.org/advisory/a-vulnerability-in-google-chrome-could-allow-for-arbitrary-code-execution_2022-137">https://www.cisecurity.org/advisory/a-vulnerability-in-google-chrome-could-allow-for-arbitrary-code-execution_2022-137</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-4262">https://nvd.nist.gov/vuln/detail/CVE-2022-4262</a></p></div>EvilProxy Now Available for Purchasehttps://redskyalliance.org/xindustry/evilproxy-now-available-for-purchase2022-09-07T15:17:22.000Z2022-09-07T15:17:22.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}10805878881,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10805878881,RESIZE_400x{{/staticFileLink}}" width="250" alt="10805878881?profile=RESIZE_400x" /></a>A new Phishing-as-a-Service (PhaaS) offering named EvilProxy (also known as Moloch) has been seen for sale on dark web forums, according to researchers. The Moloch name should not be confused with the unrelated Moloch ransomware, a file-encrypting strain from the comparatively small Makop family (far less prevalent than families such as Djvu or Dharma); EvilProxy is a phishing toolkit, not ransomware.</p>
<p>EvilProxy operators use a reverse proxy and cookie injection to bypass two-factor authentication (2FA) by proxying the victim's session, according to a recent report.<a href="#_ftn1">[1]</a> The phishing page is not a static copy of the login form: the attacker's server sits between the victim and the real service, relays every request and response in both directions, and records the session cookie the service issues once the victim has completed the password and MFA steps. That cookie is then injected into the attacker's own browser. The "reverse" in reverse proxy matters here: a forward proxy is one a client is explicitly configured to send traffic through (the HTTP CONNECT method and proxy-aware Host handling described in RFC 7230), whereas a reverse proxy is transparent to the victim, who simply sees a login page on a look-alike domain.</p>
<p>The analysis warns that such methods have previously been seen in targeted campaigns by advanced persistent threats (APTs) and cyber-espionage groups. Their productization in EvilProxy highlights the growth in attacks against online services and MFA authorization mechanisms. Based on an ongoing investigation of attacks against multiple employees of Fortune 500 companies, researchers said they obtained substantial knowledge about EvilProxy, including its structure, modules, functions, and network infrastructure. According to the investigators, early occurrences of EvilProxy were first identified in attacks against Google and Microsoft customers who had MFA enabled on their accounts, whether via SMS or an application token.<a href="#_ftn2">[2]</a></p>
<p>To establish a timeline of EvilProxy's operations, investigators said the toolkit was first spotted in early May 2022, when the threat actors (TAs) behind it released a demonstration video describing how it could be used to deliver advanced phishing links. These could be used to compromise consumer accounts belonging to Apple, Facebook, Google, Instagram, Microsoft, and Twitter, among others. EvilProxy also supports phishing attacks against the Python Package Index (PyPI).</p>
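<p>The relay described above, modelled as an added example (constructed names, no network traffic, and not EvilProxy's own code): an <code>AitMProxy</code> sits between a victim and a toy <code>IdP</code>, forwards the password and one-time code, and keeps the session cookie the IdP sets. The same proxy fails against a WebAuthn/FIDO2 assertion because the browser embeds the origin it is actually on (<code>PHISH_ORIGIN</code>) in the signed client data and the IdP accepts only its own origin; the authenticator signature that prevents the proxy from rewriting that field is omitted, with the origin comparison standing in for it.</p>

```python
"""Model of the reverse-proxy ("adversary-in-the-middle") flow EvilProxy is
described as using, and of why a WebAuthn/FIDO2 factor does not relay while
an SMS or app code does. Added example with constructed names and data: no
network I/O, no real identity provider, and the WebAuthn signature check is
replaced by the origin comparison it protects."""
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://login.example"        # legitimate IdP origin (assumed name)
PHISH_ORIGIN = "https://login-example.test"  # attacker's reverse-proxy host (constructed)


class IdP:
    """Toy identity provider: password + one-time code, or WebAuthn-style assertion."""

    def __init__(self):
        self.users = {"alice": {"password": "hunter2", "otp_seed": b"constructed-seed"}}
        self.sessions = {}  # session cookie -> user

    def current_otp(self, user):
        # Stand-in for a TOTP/SMS code: a value the victim reads and retypes.
        seed = self.users[user]["otp_seed"]
        return hmac.new(seed, b"period-1", hashlib.sha256).hexdigest()[:6]

    def login_with_otp(self, user, password, otp):
        u = self.users.get(user)
        if u is None or u["password"] != password or otp != self.current_otp(user):
            return None
        return self._issue_session(user)

    def login_with_webauthn(self, user, client_data_json):
        # The authenticator signs clientDataJSON, which carries the origin the
        # browser was really on. The relying party must reject any other origin.
        client_data = json.loads(client_data_json)
        if user not in self.users or client_data.get("origin") != REAL_ORIGIN:
            return None
        return self._issue_session(user)

    def _issue_session(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def whoami(self, cookie):
        return self.sessions.get(cookie)


class AitMProxy:
    """Phishing host that reverse-proxies the IdP: it forwards whatever the
    victim submits, returns the IdP's responses, and keeps every Set-Cookie."""

    def __init__(self, idp):
        self.idp = idp
        self.captured_cookies = []

    def _relay(self, cookie):
        if cookie is not None:
            self.captured_cookies.append(cookie)  # later "injected" into the attacker's browser
        return cookie

    def forward_otp_login(self, user, password, otp):
        return self._relay(self.idp.login_with_otp(user, password, otp))

    def forward_webauthn_login(self, user, client_data_json):
        # The proxy can forward the bytes but cannot rewrite the origin: the
        # authenticator's signature (omitted here) covers clientDataJSON.
        return self._relay(self.idp.login_with_webauthn(user, client_data_json))


def run_scenario(method):
    """Victim signs in on PHISH_ORIGIN using `method` ("otp" or "webauthn").
    Returns the user the attacker's captured cookie resolves to, or None."""
    idp = IdP()
    proxy = AitMProxy(idp)
    if method == "otp":
        code = idp.current_otp("alice")  # victim reads the code from phone/app
        proxy.forward_otp_login("alice", "hunter2", code)
    elif method == "webauthn":
        # The browser fills in the origin it is on, which is the phishing host.
        client_data = json.dumps({"type": "webauthn.get", "origin": PHISH_ORIGIN,
                                  "challenge": secrets.token_urlsafe(16)})
        proxy.forward_webauthn_login("alice", client_data)
    else:
        raise ValueError(method)
    if not proxy.captured_cookies:
        return None
    return idp.whoami(proxy.captured_cookies[-1])  # attacker replays the cookie


if __name__ == "__main__":
    print("otp:     ", run_scenario("otp"))
    print("webauthn:", run_scenario("webauthn"))
```

<p><code>run_scenario("otp")</code> returns <code>"alice"</code>: the attacker holds a valid session even though MFA was completed, because the code was relayed unchanged. <code>run_scenario("webauthn")</code> returns <code>None</code>. That origin binding is why phishing-resistant MFA (FIDO2 security keys, passkeys) is the control that addresses this class of toolkit, while SMS and app codes are not.</p>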
<p>See: <a href="https://redskyalliance.org/xindustry/what-s-a-pypi">https://redskyalliance.org/xindustry/what-s-a-pypi</a></p>
<p>Several PyPI software repository project contributors were subject to a phishing attack last week that tricked them into divulging their account login credentials. That attack, linked to the JuiceStealer payload, has now been connected to the EvilProxy actors; the security experts said the TA would have added this function shortly before the attack. Besides PyPI, EvilProxy also supports GitHub and npmjs, enabling supply chain attacks via advanced phishing campaigns.</p>
<p>The analysis also suggests it is highly likely these threat actors target software developers and IT engineers to gain access to their repositories, with the end goal of compromising "downstream" targets. These tactics capitalize on end users who assume they are downloading software packages from trustworthy sources and do not expect them to be compromised.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://thehackernews.com/2022/09/new-evilproxy-phishing-service-allowing.html">https://thehackernews.com/2022/09/new-evilproxy-phishing-service-allowing.html</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.oodaloop.com/briefs/2022/09/06/evilproxy-phishing-toolkit-spotted-on-dark-web-forums/">https://www.oodaloop.com/briefs/2022/09/06/evilproxy-phishing-toolkit-spotted-on-dark-web-forums/</a></p></div>Cloud Armor to the Rescuehttps://redskyalliance.org/xindustry/cloud-armor-to-the-rescue2022-08-22T11:41:46.000Z2022-08-22T11:41:46.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}10780776857,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10780776857,RESIZE_400x{{/staticFileLink}}" width="225" alt="10780776857?profile=RESIZE_400x" /></a>Google Cloud has claimed to have blocked the largest Layer 7 (HTTPS) DDoS attack to date after a Cloud Armor customer was targeted by a series of attacks that peaked at 46 million requests per second (rps). Google explained the attack, which occurred on 1 June 2022, was at least 76% larger than the previously reported HTTPS DDoS record and showed characteristics that link it to the Mēris attack family.</p>
<p>Google said its Cloud Armor Adaptive Protection was able to detect and analyze the traffic early in the customer’s attack lifecycle, blocking the attack while ensuring the customer’s service stayed online. The attack comes in the midst of increasing DDoS activity targeting organizations as attackers employ ever more infrastructure and diversity in campaigns.</p>
<p>HTTPS DDoS attack peaked at 46 million requests per second - In a blog post, Google wrote that at around 9:45 a.m. PT on 1 June 2022, an attack of more than 10,000 rps began targeting a customer’s HTTPS load balancer. “Eight minutes later, the attack grew to 100,000 requests per second,” Google added. Cloud Armor assessed the traffic and generated an alert containing the attack signature, together with a recommended rule to block on that signature, Google stated.<a href="#_ftn1">[1]</a></p>
<p>The customer’s network security team immediately deployed the recommended rule into its security policy, and it started blocking the attack traffic. “They chose the ‘throttle’ action over a ‘deny’ action to reduce the chance of impact on legitimate traffic while severely limiting the attack capability by dropping most of the attack volume at Google’s network edge,” Google wrote. “In the two minutes that followed, the attack began to ramp up, growing from 100,000 rps to a peak of 46 million rps. Since Cloud Armor was already blocking the attack traffic, the target workload continued to operate normally.” The attack then began decreasing in size, ultimately ending 69 minutes later at 10:54 a.m. “Presumably the attacker likely determined they were not having the desired impact while incurring significant expenses to execute the attack,” Google stated. “The attack illustrates two trends: that DDoS attack sizes are continuing to grow exponentially and that attack methods are continuing to evolve, leveraging new kinds of vulnerable services from which to launch attacks,” said the senior product manager at Google Cloud.</p>
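<p>The throttle decision the customer chose, as an added example (not Google's or Cloud Armor's code): a per-key sliding-window limiter that allows a client's requests up to a threshold per interval and answers the excess with a 429, leaving other clients alone. The request stream is constructed (documentation address ranges, three attack sources at 200 rps and one legitimate client at 5 rps), and the threshold and interval are made-up values for illustration.</p>

```python
"""Per-key throttle of the kind described above (added example; not Google's
or Cloud Armor's code). Requests from one key are allowed up to `threshold`
per `interval_sec` on a sliding window; the excess is answered with 429 while
every other client is untouched. The request stream is constructed."""
from collections import defaultdict, deque


class PerKeyThrottle:
    def __init__(self, threshold, interval_sec):
        self.threshold = threshold
        self.interval = interval_sec
        self.windows = defaultdict(deque)  # key -> arrival times inside the window

    def decide(self, key, now):
        """Return "allow" or "deny-429" for one request from `key` at time `now`."""
        window = self.windows[key]
        while window and now - window[0] >= self.interval:
            window.popleft()               # drop arrivals that aged out
        window.append(now)                 # denied requests still count
        return "allow" if len(window) <= self.threshold else "deny-429"


def simulate(requests, threshold=100, interval_sec=10, key_fn=lambda r: r[1]):
    """requests: iterable of (timestamp_sec, source_ip), time-ordered.
    key_fn picks the throttling key (source IP by default; a request signature
    such as a shared header value is the alternative). Returns per-key tallies."""
    throttle = PerKeyThrottle(threshold, interval_sec)
    tally = defaultdict(lambda: {"allow": 0, "deny-429": 0})
    for req in requests:
        key = key_fn(req)
        tally[key][throttle.decide(key, req[0])] += 1
    return dict(tally)


def constructed_stream():
    """Constructed traffic: three attack sources at 200 rps and one legitimate
    client at 5 rps, all over the same 5 seconds (documentation address ranges)."""
    reqs = []
    for ip in ("203.0.113.10", "203.0.113.11", "198.51.100.7"):
        reqs.extend((i / 200.0, ip) for i in range(1000))   # 5 s at 200 rps
    reqs.extend((i / 5.0, "192.0.2.44") for i in range(25))  # 5 s at 5 rps
    reqs.sort(key=lambda r: r[0])
    return reqs


if __name__ == "__main__":
    for ip, counts in simulate(constructed_stream()).items():
        print(ip, counts)
```

<p>Keying on source IP is the simplest choice, but an attack spread across 5,256 sources, as here, keeps each source well under a per-IP threshold. That is why the alert carried an attack signature (request attributes shared across sources) and the rule matched on that signature before applying the throttle; <code>key_fn</code> is where that signature would be plugged in. The trade-off the text describes holds either way: throttle lets conforming traffic from a matched client through, where a deny would drop legitimate requests that happen to match.</p>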
<p>New attack dwarfs previous HTTPS DDoS campaigns - The 46 million rps attack dwarfs the largest HTTPS DDoS attack previously recorded. In June 2022, Cloudflare detected and mitigated a 26 million rps attack that originated from a small but powerful botnet of 5,067 devices. In 2021, the same firm thwarted a then-record attack that peaked at 17.2 million rps, and in April 2022 it stopped a slightly smaller one of 15 million rps.</p>
<p>Noteworthy characteristics of the largest HTTPS DDoS attack are links to the Mēris botnet. Along with a significantly high traffic volume, Google cited several other noteworthy characteristics in the attack. It identified 5,256 source IPs from 132 countries contributing to the attack, with the top four countries contributing approximately 31% of the total traffic. Cloud Armor explained these countries were Brazil, India, Russia and Indonesia. Additionally, the attack leveraged encrypted requests, which would have taken added computing resources to generate, Google stated. “Although terminating the encryption was necessary to inspect the traffic and effectively mitigate the attack, the use of HTTP pipelining required Google to complete relatively few TLS handshakes,” the company added. Google approximated that 22% (1,169) of the source IPs corresponded to Tor exit nodes, although the request volume coming from those nodes represented just 3% of the attack traffic. “While we believe Tor participation in the attack was incidental due to the nature of the vulnerable services, even at 3% of the peak (greater than 1.3 million rps) our analysis shows that Tor exit-nodes can send a significant amount of unwelcome traffic to web applications and services,” Google wrote.</p>
<p>The most interesting is that Google stated the geographic distribution and types of unsecured services leveraged match the Mēris family of attacks, known for record-breaking DDoS campaigns that abuse unsecured proxies to obfuscate the true origin of attacks.</p>
<p>DDoS attacks on the rise, present rich mix of volume and duration – In general, DDoS activity is increasing, impacting organizations across sectors and geographies. Radware’s 2022 H1 Global Threat Analysis Report found that, in the first six months of 2022, the number of malicious DDoS events mitigated per customer grew by 203% compared to the first six months of 2021, and by 239% compared to the last six months of 2021. “DDoS attack trends tend to be somewhat cyclical in their format, though there is an underlying trend over time of increasing volume, whether in bits per second (bps), packets per second (pps), or requests per second (rps),” said a senior principal analyst at Omdia. This upward trend is partly explained by attackers’ ability to harness ever more infrastructure, i.e., greater numbers of bots from which to launch attacks, and by the availability of DDoS as a service, which offers infrastructure that can be rented to mount an attack for however long the attacker desires, he adds. “That said, volumetric attacks are only one variety of exploit, and while their overall size continues to increase with new record volumes announced almost yearly, it is not the case that the percentage of DDoS attacks that are volumetric is going up linearly,” the analyst continues. Some years the percentage of volumetric attacks goes down, even as maximum volumes continue to rise, because attackers may be trying out new variants of attack methodology, he says. “It’s also worth keeping an eye on the average duration of a DDoS attack, as it can often be that a monstrously large volume is unleashed for only a couple of minutes, just to show what the attackers are capable of, then followed up with a ransom demand.” Other types of attack, including application-layer (Layer 7) attacks, are often low and slow because the attackers want to avoid detection and discover what defenses the target has in place and how long it takes to activate them, he says. “Ultimately, DDoS attacks present a rich mix of volume and duration, making it more difficult to defend against them as you are never entirely sure which types will be coming at your infrastructure.”</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.csoonline.com/article/3670748/google-cloud-blocks-largest-https-ddos-attack-ever.html">https://www.csoonline.com/article/3670748/google-cloud-blocks-largest-https-ddos-attack-ever.html</a></p></div>Big Brother ?https://redskyalliance.org/xindustry/big-brother2022-07-28T18:37:02.000Z2022-07-28T18:37:02.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}10702174675,RESIZE_1200x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10702174675,RESIZE_400x{{/staticFileLink}}" width="250" alt="10702174675?profile=RESIZE_400x" /></a>Google Search and Drive are erroneously flagging links to Association for Computing Machinery (ACM) research papers and websites as ‘malware.’ The issue was first reported by a German researcher, Golla, a PhD researcher at a Max Planck Society institute. Founded in 1947 and headquartered in New York City, US, as a non-profit, ACM is the world's largest scientific and educational computing society. As of 2019, ACM's membership comprised nearly 100,000 students and professionals involved in the field of computing.<a href="{{#staticFileLink}}10704461667,RESIZE_400x{{/staticFileLink}}"><img class="align-right" src="{{#staticFileLink}}10704461667,RESIZE_400x{{/staticFileLink}}" width="200" alt="10704461667?profile=RESIZE_400x" /></a></p>
<p>Golla was frustrated to find one of his Google Docs files restricted by Google. The file contained links to ACM research papers and, according to a screenshot he shared, allegedly "violates" Google's Terms of Service.</p>
<p>And it is not just Google Drive. Google Search is acting quirky too, Golla points out. Researchers confirmed that Google Search results for the ACM website, ACM Digital Library research papers, and contact pages are also treating links to ACM domains as malicious.</p>
<p><a href="{{#staticFileLink}}10703562257,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10703562257,RESIZE_400x{{/staticFileLink}}" width="300" alt="10703562257?profile=RESIZE_400x" /></a>Figure 1. (left) Google search results flag ACM sites as malicious (BleepingComputer) <a href="{{#staticFileLink}}10704214258,RESIZE_930x{{/staticFileLink}}"><img class="align-right" src="{{#staticFileLink}}10704214258,RESIZE_400x{{/staticFileLink}}" width="200" alt="10704214258?profile=RESIZE_400x" /></a></p>
<p>This issue is essentially blocking any and all traffic to ACM domains from Google Search results. ACM visitors will instead have to manually copy-paste the intended link in their web browser's address bar:<a href="{{#staticFileLink}}10703889700,RESIZE_710x{{/staticFileLink}}"><img class="align-right" src="{{#staticFileLink}}10703889700,RESIZE_400x{{/staticFileLink}}" width="300" alt="10703889700?profile=RESIZE_400x" /></a></p>
<p> </p>
<p> </p>
<p>Figure 2 (right). Google search results to ACM site blocked by an interstitial (BleepingComputer)</p>
<p>These warnings are typically shown by Google to visitors who may inadvertently be navigating to compromised sites or domains hosting adware, MageCart scripts, or other types of malware. Thus far, there is no indication that ACM's domains are compromised or serving malware. BleepingComputer has reached out to ACM to ensure that is indeed the case. "For detailed information about the problems that we found, visit Google's Safe Browsing diagnostic page for this site," advises Google's warning message. But analysts observed the "diagnostic page" indicated that ACM's website was safe:</p>
<p><a href="{{#staticFileLink}}10702756290,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10702756290,RESIZE_400x{{/staticFileLink}}" width="250" alt="10702756290?profile=RESIZE_400x" /></a>Figure 3. (left) Google's Safe Browsing diagnostic page states ACM is safe (BleepingComputer)</p>
<p>Third time's a charm! Although the blocking of ACM links across Google Search and Drive seems unpredictable, this is not the first time Google Drive has inaccurately flagged materials as violating its Terms of Service when they do not.</p>
<p>In January of this year, Google Drive was seen restricting nearly empty files for 'copyright infringement.' These files contained no data other than some numbers or a single digit, such as '1'. Google Drive documents that contain phishing links, even for personal research purposes have, on occasion, also been automatically marked to be in violation of terms and had their sharing features restricted.</p>
<p>Analysts from BleepingComputer reached out to Google prior to publishing its report to understand what is causing the issue with ACM domains. While Google did not immediately disclose the cause of the problem, by last week, ACM purportedly made changes to its website resolving the issue: "With ACM taking down the portion of their site that triggered our malware distribution warnings, this has now been resolved," a Google spokesperson reported. BleepingComputer has still not heard back from ACM. All very strange.</p>
</div>Weekly Cyber Intel Report - All Sector 07 01 2022https://redskyalliance.org/xindustry/weekly-cyber-intel-report-all-sector-07-01-20222022-07-01T15:33:27.000Z2022-07-01T15:33:27.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><h2><a href="{{#staticFileLink}}10614408283,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10614408283,RESIZE_400x{{/staticFileLink}}" width="250" alt="10614408283?profile=RESIZE_400x" /></a>Activity Summary - Week Ending on 1 July 2022:</h2>
<ul>
<li>Red Sky Alliance identified 40,622 connections from new IP’s checking in with our Sinkholes</li>
<li>MS hit 45 x – 2<sup>nd</sup> week</li>
<li>Analysts identified 1,801 new IP addresses participating in various Botnets</li>
<li>DeadLocker</li>
<li>Symbiote</li>
<li>Killnet</li>
<li>СПИСОК_посилань_на_інтерактивні_карти[.]docx</li>
<li>Apple, Google and the US FTC</li>
<li>Guns and California Data Hacks</li>
</ul>
<p>Link to full report: <a href="{{#staticFileLink}}10614408486,original{{/staticFileLink}}">IR-22-182-001_weekly182.pdf</a></p></div>Power Point Presentations Can Pack a Punchhttps://redskyalliance.org/xindustry/power-point-presentations-can-pack-a-punch2022-02-08T19:05:41.000Z2022-02-08T19:05:41.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}10081632867,original{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10081632867,RESIZE_400x{{/staticFileLink}}" width="250" alt="10081632867?profile=RESIZE_400x" /></a>Cyber threat actors are now using socially engineered emails with .ppam file attachments that hide malware that can rewrite Windows registry settings on targeted machines to take over an end user’s computer, researchers have found. It is one of a number of stealthy ways threat actors recently have been targeting desktop users through trusted applications they use daily, using emails that are designed to evade security detections and appear legitimate.</p>
<p>New research from Avanan (<a href="https://avanan.com">https://avanan.com</a>) has uncovered how a “little-known add-on” format in PowerPoint, the .ppam file, is being used to hide malware. Jeremy Fuchs, cybersecurity researcher and analyst at Avanan, wrote in a report published this month that the file type carries bonus commands and custom macros, among other functions.</p>
<p>Beginning in January 2022, researchers observed attackers delivering socially-engineered emails that include .ppam file attachments with malicious intent. One email observed in the campaign, for example, purported to be sending the recipient a purchase order. The attached .ppam file – named PO04012022 to appear legitimate – included a malicious executable, Fuchs said.</p>
<p><em>Malicious email posing as a standard purchase order. Source: Avanan</em></p>
<p>The payload executed a number of functions on the end user’s machine that were not authorized by the user, including installing new programs that create and open new processes, changing file attributes, and dynamically calling imported functions. “By combining the potential urgency of a purchase order email, along with a dangerous file, this attack packs a one-two punch that can devastate an end-user and a company,” Fuchs wrote.</p>
<p>The campaign allows attackers to bypass a computer’s existing security (in this case, the protection provided by Google) with a file type that is rarely used and thus will not trip an email scanner, he said. “Plus, it shows the potential dangers of this file, as it can be used to wrap any sort of malicious file, including ransomware,” Fuchs reported.</p>
<p>During October 2021, investigators reported that attackers were using .ppam files to wrap ransomware, he said, citing a report on the Ppam ransomware published in October by the cybersecurity portal PCrisk. The latest scam is one of several new email-based campaigns uncovered by researchers recently that target desktop users working in commonly used word-processing and collaboration apps such as Microsoft Office, Google Docs, and Adobe Creative Cloud. Attackers typically use email to deliver malicious files or links that steal user information.</p>
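<p>Attachment triage for this file type, as an added example (not Avanan's code): a .ppam add-in is an OOXML zip package, so its <code>[Content_Types].xml</code> and part list reveal a VBA project without opening PowerPoint. The detector flags a declared or undeclared <code>vbaProject.bin</code>, macro-enabled main content types, macro-capable extensions, and files that carry an Office extension but are not a zip at all. The sample files are built in memory with placeholder bytes and contain no macro code.</p>

```python
"""Attachment triage for OOXML add-ins such as .ppam (added example, not
Avanan's code). A .ppam is a zip package, so [Content_Types].xml and the part
list expose a VBA project without opening PowerPoint. Sample files are built
in memory with placeholder bytes and contain no macro code."""
import io
import os
import xml.etree.ElementTree as ET
import zipfile

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_MARKER = ".macroEnabled."   # present in every macro-enabled OOXML main type
MACRO_EXTS = {".ppam", ".pptm", ".potm", ".ppsm", ".docm", ".dotm", ".xlsm", ".xlam"}

PPAM_MAIN = "application/vnd.ms-powerpoint.addin.macroEnabled.main+xml"
PPTX_MAIN = "application/vnd.openxmlformats-officedocument.presentationml.presentation.main+xml"


def inspect_attachment(data, filename):
    """Return a list of findings for one attachment; an empty list means no
    macro-related indicator was found."""
    findings = []
    ext = os.path.splitext(filename)[1].lower()
    try:
        package = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{filename}: not an OOXML zip (possible disguised binary)"]
    names = set(package.namelist())
    if "[Content_Types].xml" not in names:
        return [f"{filename}: zip without [Content_Types].xml (not OOXML)"]
    root = ET.fromstring(package.read("[Content_Types].xml"))
    declared_vba = set()
    for override in root.iter(CT_NS + "Override"):
        ctype = override.get("ContentType", "")
        part = override.get("PartName", "")
        if ctype == VBA_CONTENT_TYPE:
            declared_vba.add(part.lstrip("/"))
            findings.append(f"VBA project part declared: {part}")
        elif MACRO_MARKER in ctype:
            findings.append(f"macro-enabled main part: {ctype}")
    for default in root.iter(CT_NS + "Default"):
        if default.get("ContentType", "") == VBA_CONTENT_TYPE:
            findings.append(f"VBA content type mapped to .{default.get('Extension')}")
    for name in names:
        # A VBA binary that the manifest does not declare is still a VBA binary.
        if name.lower().endswith("vbaproject.bin") and name not in declared_vba:
            findings.append(f"undeclared VBA binary: {name}")
    if ext in MACRO_EXTS:
        findings.append(f"macro-capable extension {ext}")
    return findings


def build_sample(main_content_type, with_vba):
    """Construct a minimal OOXML package in memory for exercising the detector."""
    buf = io.BytesIO()
    overrides = [f'<Override PartName="/ppt/presentation.xml" ContentType="{main_content_type}"/>']
    with zipfile.ZipFile(buf, "w") as package:
        if with_vba:
            overrides.append(f'<Override PartName="/ppt/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
            package.writestr("ppt/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")  # not real VBA
        package.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="xml" ContentType="application/xml"/>'
            + "".join(overrides) + "</Types>")
        package.writestr("ppt/presentation.xml", "<presentation/>")
    return buf.getvalue()


if __name__ == "__main__":
    for fname, data in (("PO04012022.ppam", build_sample(PPAM_MAIN, True)),
                        ("deck.pptx", build_sample(PPTX_MAIN, False))):
        print(fname, inspect_attachment(data, fname) or ["clean"])
```

<p>The content-type strings follow the OOXML packaging conventions (<code>application/vnd.ms-office.vbaProject</code> for the VBA part, <code>.macroEnabled.</code> in the main part type of every macro-capable format), and <code>MACRO_EXTS</code> is the practical deny list a mail gateway would apply. A .ppam renamed to .pptx is still caught because the check reads the package, not the file name, which is the gap a scanner keyed on "common" extensions leaves open.</p>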
<p>In November 2021, reports showed that scammers were using a legitimate Google Drive collaboration feature to trick users into clicking on malicious links in emails or push notifications that invited people to share a Google document. The links directed users to websites that stole their credentials.</p>
<p>A wave of phishing attacks during December 2021 targeted mainly Outlook users, leveraging the “Comments” feature of Google Docs to send malicious links that also lifted credentials from victims. During the month of January 2022, the Avanan team reported on another scam that researchers had already observed in December 2021 which threat actors were found creating accounts within the Adobe Cloud suite and sending images and PDFs that appear legitimate but instead deliver malware to Office 365 and Gmail users.</p>
<p>To avoid allowing email scams to slip past corporate users, Fuchs recommended some typical precautions to security administrators that should be implemented consistently. One is to install email protection that downloads all files into a sandbox and inspects them for malicious content. Another is to take extra security steps – such as dynamically analyzing emails for indicators of compromise (IoCs) – to ensure the safety of messages coming into the corporate network, he said. “This email failed an SPF check and there was an insignificant historical reputation with the sender,” Fuchs wrote of the phishing message observed by Avanan researchers. SPF, Sender Policy Framework, is an email authentication technique used to prevent spammers and other bad actors from sending messages spoofed to come from another domain name.</p>
<p>Cyber security personnel should encourage all end-users in their networks to contact their IT department if they see an unfamiliar file come over via email.</p>
</div>Weekly Cyber Intel Report - All Sector 01 14 2022https://redskyalliance.org/xindustry/weekly-cyber-intel-report-all-sector-01-14-20222022-01-14T14:41:53.000Z2022-01-14T14:41:53.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><h2><a href="{{#staticFileLink}}10012032279,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10012032279,RESIZE_400x{{/staticFileLink}}" width="250" alt="10012032279?profile=RESIZE_400x" /></a>Activity Summary - Week Ending on 14 January 2022:</h2>
<ul>
<li>Red Sky Alliance identified 24,345 connections from new IP’s checking in with our Sinkholes</li>
<li>Microsoft IP’s in UK and N. Ireland hit</li>
<li>Analysts identified 1,435 new IP addresses participating in various Botnets</li>
<li>Rook Ransomware</li>
<li>More Log4j</li>
<li>Ukraine Cyber Bust</li>
<li>UK NHS</li>
<li>Who’s Winning?</li>
<li>Google Docs</li>
<li>The Electric Grid’s Hot Wires</li>
<li>BLM suing LAPD</li>
</ul>
<p>Link to full report: <a href="{{#staticFileLink}}10012027486,original{{/staticFileLink}}">IR-22-014-001_weekly014.pdf</a></p></div>INTELLIGENCE REPORT: ALL SECTOR CYBER THREATShttps://redskyalliance.org/xindustry/intelligence-report-all-sector-cyber-threats2021-06-11T11:24:49.000Z2021-06-11T11:24:49.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><h2><a href="{{#staticFileLink}}9077533290,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}9077533290,RESIZE_400x{{/staticFileLink}}" width="250" alt="9077533290?profile=RESIZE_400x" /></a>Activity Summary - Week Ending 11 June 2021:</h2>
<ul>
<li>Red Sky Alliance identified 33,092 connections from new unique IP Addresses</li>
<li>Analysts identified 1,485 new IP addresses participating in various Botnets</li>
<li>Variations of dnSpy are still being used as a Lure</li>
<li>Agent Tesla</li>
<li>NOBELIUM</li>
<li>Phishing Campaigns Targeting NGOs</li>
<li>Bing v. Google and Videos</li>
<li>Chinese general buys land in TX, why?</li>
<li>Cloud service company Fastly shut down</li>
<li>SkinnyBoy</li>
<li>Quanta Computer – Taiwan</li>
<li>Amazon Prime accused of Spying??</li>
</ul>
<p>Link to full report: <a href="{{#staticFileLink}}9077534477,original{{/staticFileLink}}">IR-21-162-001_weekly_162_FINAL.pdf</a></p></div>INTELLIGENCE REPORT: MANUFACTURING SECTORhttps://redskyalliance.org/xindustry/intelligence-report-manufacturing-sector2021-04-02T12:47:34.000Z2021-04-02T12:47:34.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><h2><a href="{{#staticFileLink}}8748776293,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8748776293,RESIZE_400x{{/staticFileLink}}" width="250" alt="8748776293?profile=RESIZE_400x" /></a>Activity Summary - Week Ending 2 April 2021:</h2>
<ul>
<li>Red Sky Alliance identified 34,034 connections from new unique IP addresses</li>
<li>Analysts identified 3,876 new IP addresses participating in various Botnets</li>
<li>20 new unique email accounts compromised with Keyloggers were observed this week</li>
<li>Soccer player Berat Can Sonmez’s name is being used to lure victims</li>
<li>EggShell Malware</li>
<li>New US-IRS Phishing Campaign</li>
<li>WordPress Vulnerabilities</li>
<li>ClearURL and Google</li>
<li>Honeywell and Molson Coors Attacked</li>
<li>Manufacturing IT & OT</li>
<li>Cyber-attacks up 207% in New Delhi</li>
<li>Amazon and Unions</li>
</ul>
<p>Link to full report: <a href="{{#staticFileLink}}8748774882,original{{/staticFileLink}}">IR-21-092-001_Manufactweekly_092_FINAL.pdf</a></p></div>I’m not a Robot, but I know you are Phishing Mehttps://redskyalliance.org/xindustry/i-m-not-a-robot-but-i-know-you-are-phishing-me2021-03-19T12:39:24.000Z2021-03-19T12:39:24.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}8684060481,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8684060481,RESIZE_400x{{/staticFileLink}}" width="250" alt="8684060481?profile=RESIZE_400x" /></a>In addition to the aggravation of having to find the “car” in a series of pictures, a phishing attack targeting Microsoft users leverages a bogus Google reCAPTCHA system. Microsoft users are being targeted with thousands of phishing emails, in an ongoing attack aiming to steal their Office 365 credentials. The attackers add an air of legitimacy to the campaign by leveraging a fake Google reCAPTCHA system and top-level domain landing pages that include the logos of victims’ companies.</p>
<p>According to researchers, at least 2,500 such emails have been unsuccessfully sent to senior-level employees in the banking and IT sector over the past three months. The emails first take recipients to a fake Google reCAPTCHA page. Google reCAPTCHA is a service that helps protect websites from spam and abuse by using a ‘Turing test’ to tell humans and bots apart (for instance, by asking a user to click on a fire hydrant in a series of images). The Turing test, originally called the imitation game when it was proposed in 1950, is a test of a machine's ability to exhibit intelligent behavior equivalent to, or indistinguishable from, that of a human. Turing proposed that a human evaluator would judge natural-language conversations between a human and a machine designed to generate human-like responses. The evaluator would be aware that one of the two partners in the conversation is a machine, and all participants would be separated from one another.</p>
<p>Once victims “pass” the reCAPTCHA test, they are then redirected to a phishing landing page, which asks for their Office 365 credentials. “The attack is notable for its targeted aim at senior business leaders with titles such as Vice President and Managing Director who are likely to have a higher degree of access to sensitive company data,” said researchers with Zscaler’s ThreatLabZ. “The aim of these campaigns is to steal these victims’ login credentials to allow threat actors access to valuable company assets.”</p>
<p>The phishing emails pretend to be automated emails from victims’ unified communications tools, which say that they have a voicemail attachment. For instance, one email tells users that “(503) ***-6719 has left you a message 35 second(s) long on Jan 20” along with a lone attachment that’s titled “vmail-219.HTM.” Another tells email recipients to “REVIEW SECURE DOCUMENT.”</p>
<p>When victims click on the attachment, they encounter the fake Google reCAPTCHA screen, which contains a typical reCAPTCHA box with an “I’m not a robot” checkbox; clicking it triggers the ‘Turing test’. After completing the fake reCAPTCHA, victims are directed to what appears to be a Microsoft login screen. The login pages also carry the logos of the companies the victims work for, such as one with the logo of software company ScienceLogic and another with that of office rental company BizSpace. This reveals that the attackers have done their homework and are customizing their phishing landing pages to fit each victim’s profile, making the attack appear more legitimate. Victims are asked to input their credentials; once they do so, a message tells them that the validation was “successful” and that they are being redirected. “After giving the login credentials, the phishing campaign will show a fake message that says ‘Validation successful,’” said researchers. “Users are then shown a recording of a voicemail message that they can play, allowing threat actors to avoid suspicion.”</p>
<p>Researchers found a variety of phishing pages associated with the campaign, hosted on generic top-level domains such as .xyz, .club and .online. These top-level domains are commonly used by cybercriminals in spam and phishing attacks because they can be purchased for less than $1 each, a low price for adding a level of believability to phishing campaigns.</p>
<p>Adversaries have been leveraging bogus reCAPTCHA systems in their attacks for years. For instance, in 2019, a malware campaign targeted a Polish bank and its users with emails containing a link to a malicious PHP file, which eventually downloaded the BankBot malware onto victims’ systems. The attackers used a fake Google reCAPTCHA system to seem more realistic. Another phishing attack in February 2021 purported to be sent from a voicemail service and contained a link to play the voice message “Play Audi Date.wav,” eventually redirecting victims to a malicious site with a reCAPTCHA message.</p>
<p>The above examples show that reCAPTCHA continues to be used in phishing attacks, as the tactic successfully adds legitimacy to the attack: “Similar phishing campaigns utilizing fake Google reCAPTCHAs have been observed for several years, but this specific campaign targeting executives across specific industry verticals started in December 2020,” noted researchers.</p>
<p>Microsoft Office 365 users have faced several sophisticated phishing attacks and scams over the past few months. In October 2020, researchers warned of a phishing campaign that pretends to be an automated message from Microsoft Teams; the attack aimed to steal Office 365 recipients’ login credentials. In the same month, an Office 365 credential-phishing attack targeted the hospitality industry, using visual CAPTCHAs to avoid detection and appear legitimate. Phishing attackers have also adopted new tactics such as Google Translate or custom fonts to make their scams seem more legitimate.</p>
<p>Red Sky Alliance has been analyzing and documenting these types of cyber threats for 9 years and maintains a resource library of malware and cyber actor reports, available at no charge at <a href="https://redskyalliance.org">https://redskyalliance.org</a>. Many past tactics are dusted off and reused in current malicious campaigns.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225 or feedback@wapacklabs.com.</p>
<p><strong>Weekly Cyber Intelligence Briefings</strong>:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941%C2%A0">https://www.linkedin.com/company/64265941 </a></li>
</ul>
<p><strong>Weekly Cyber Intelligence Briefings</strong>: </p>
<p><a href="https://attendee.gotowebinar.com/register/8782169210544615949">https://attendee.gotowebinar.com/register/8782169210544615949</a></p>
<p>source: <a href="https://threatpost.com/google-recaptcha-phishing-office-365/164566/">https://threatpost.com/google-recaptcha-phishing-office-365/164566/</a></p></div>