May 17 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that's got that Friday feeling!
It's Friday, folks, which can only mean one thing… It's time for our weekly segment!
It goes by many names. Patch of the Week, Tweak of the Week. Okay, that's it.
Congrats, the cybercriminals are no match… for your patch!
Google has rolled out crucial fixes for nine security issues in Chrome, including a zero-day vulnerability actively exploited in the wild! CVE-2024-4947, a type confusion bug in the V8 JavaScript and WebAssembly engine reported by Kaspersky researchers, could let attackers execute arbitrary code. This marks the third zero-day patch this week, after CVE-2024-4671 and CVE-2024-4761. To stay safe, update to Chrome version 125.0.6422.60/.61 for Windows and macOS, and 125.0.6422.60 for Linux. Users of Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi should also update ASAP!
Microsoft Issues Vital Security Patches: Update Now!
Microsoft has rolled out fixes for 61 security flaws in its May 2024 Patch Tuesday update, including two zero-days actively exploited in the wild. Of these, one is Critical, 59 are Important, and one is Moderate. Additionally, 30 vulnerabilities in the Chromium-based Edge browser were addressed, including two zero-days (CVE-2024-4671 and CVE-2024-4761). The zero-days fixed are:
CVE-2024-30040 (CVSS 8.8): MSHTML Platform Security Feature Bypass
CVE-2024-30051 (CVSS 7.8): Desktop Window Manager (DWM) Core Library Elevation of Privilege
Exploitation of these flaws could allow attackers to execute arbitrary code and gain SYSTEM privileges. Attackers can exploit CVE-2024-30040 by tricking users into opening a malicious document, while CVE-2024-30051 allows threat actors to elevate privileges to SYSTEM. Microsoft urges users to update immediately to mitigate these threats. Federal agencies must apply the latest fixes by June 4, 2024. This update also addresses critical remote code execution bugs in the Windows Mobile Broadband Driver and Windows Routing and Remote Access Service (RRAS), among others. Stay secure by prioritising updates and reviewing your security posture.
Now, on to today's hottest cybersecurity news stories:
Android users rejoice! New advanced features protect from scams
FBI shuts down BreachForums platform for second time in a year
Hackers exploit Microsoft's Quick Assist feature for ransomware
Enhanced Play Integrity API
Google is rolling out a suite of new features in Android 15 aimed at preventing malicious apps from capturing sensitive data. The updated Play Integrity API allows third-party developers to secure their apps against malware.
Key Updates
Developers can check for other apps that might be capturing the screen, creating overlays, or controlling the device. This is crucial for hiding sensitive information and protecting users from scams. The Play Integrity API can also verify that Google Play Protect is active and that the device is free of known malware before the app performs sensitive actions.
Expanded Restricted Settings
With Android 15, restricted settings are getting stronger. Now, when apps are sideloaded from web browsers, messaging apps, or file managers, user approval is required before the app can be granted restricted permissions.
Proactive Fraud Detection
Developers can opt-in to receive recent device activity to detect if a device is making too many integrity checks, which could indicate an attack. This feature targets Android banking trojans known to abuse accessibility services for overlay attacks and disabling security mechanisms.
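How an app backend might act on the verdict described under Key Updates and Proactive Fraud Detection, as an added example (not Google's code or the newsletter's): the verdict field names are assumed to match Google's documented Play Integrity verdict format, and the sample verdicts are constructed.

```python
"""Server-side gate on a decoded Play Integrity verdict before a sensitive action.

Added example, not Google's code or the newsletter's. Field names follow Google's
documented verdict JSON (environmentDetails.appAccessRiskVerdict.appsDetected,
environmentDetails.playProtectVerdict, deviceIntegrity.recentDeviceActivity);
treat them as assumptions and confirm against the current docs.
"""
import json

# Apps Play does not recognise that can currently see or drive the screen: block.
BLOCK_APPS = {"UNKNOWN_CAPTURING", "UNKNOWN_OVERLAYS", "UNKNOWN_CONTROLLING"}
# Play-recognised apps doing the same (e.g. accessibility tools): allow, but record.
WARN_APPS = {"KNOWN_CAPTURING", "KNOWN_OVERLAYS", "KNOWN_CONTROLLING"}
# Play Protect verdicts treated here as "device not known clean": block.
RISKY_PROTECT = {"POSSIBLE_RISK", "MEDIUM_RISK", "HIGH_RISK"}
# Activity level treated here as "too many integrity checks from one device" (assumed).
NOISY_ACTIVITY = {"LEVEL_4"}


def assess(verdict_json: str) -> dict:
    """Return {"allow": bool, "reasons": [...], "warnings": [...]} for one verdict."""
    v = json.loads(verdict_json)
    env = v.get("environmentDetails", {})
    apps = set(env.get("appAccessRiskVerdict", {}).get("appsDetected", []))
    protect = env.get("playProtectVerdict", "UNEVALUATED")
    activity = (v.get("deviceIntegrity", {}).get("recentDeviceActivity", {})
                 .get("deviceActivityLevel", "UNEVALUATED"))
    reasons, warnings = [], []
    if apps & BLOCK_APPS:
        reasons.append("unknown app can capture/overlay/control: "
                       + ", ".join(sorted(apps & BLOCK_APPS)))
    if protect in RISKY_PROTECT:
        reasons.append("Play Protect verdict " + protect)
    elif protect != "NO_ISSUES":
        # NO_DATA / UNEVALUATED: no clean bill of health; a caller may step up auth.
        warnings.append("no Play Protect clean verdict (" + protect + ")")
    if activity in NOISY_ACTIVITY:
        reasons.append("abnormal integrity-check volume: " + activity)
    warnings += sorted(apps & WARN_APPS)
    return {"allow": not reasons, "reasons": reasons, "warnings": warnings}


# Constructed sample verdicts (not real tokens): one clean device, one with an
# unrecognised overlay app on screen, as a banking trojan would present.
CLEAN = json.dumps({"environmentDetails": {"appAccessRiskVerdict": {"appsDetected": ["KNOWN_INSTALLED"]},
                                           "playProtectVerdict": "NO_ISSUES"},
                    "deviceIntegrity": {"recentDeviceActivity": {"deviceActivityLevel": "LEVEL_1"}}})
OVERLAY = json.dumps({"environmentDetails": {"appAccessRiskVerdict": {"appsDetected": ["UNKNOWN_INSTALLED", "UNKNOWN_OVERLAYS"]},
                                             "playProtectVerdict": "NO_ISSUES"}})
```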
Continuous Improvement
Google is piloting enhanced fraud protection in regions where malicious sideloaded apps are prevalent, like Singapore and Thailand. This protection blocks instals from sources that use permissions commonly abused for financial fraud.
Cellular Security Enhancements
Google is also enhancing cellular security by alerting users if their network connection is unencrypted or if a fake cellular base station is recording their location.
Tightened Screen Sharing Controls
Android 15 will automatically hide notification content during screen sharing to prevent the display of one-time passwords (OTPs) sent via SMS, closing a common attack vector for fraud and spyware.
Live Threat Detection
Google Play Protect's on-device AI capabilities are getting an upgrade with live threat detection. This feature uses the Private Compute Core (PCC) infrastructure to flag anomalous patterns on the device and analyse behavioural signals related to the use of sensitive permissions.
Real-Time Scanning
The new live threat detection builds on recently added real-time scanning capabilities to combat novel malicious apps and spot emerging threats, ensuring users are better protected against the latest cyber threats.
Staying Ahead of Threats
"We're continuously working on improving and evolving our protections to stay ahead of bad actors," said Dave Kleidermacher, vice president of engineering for Android security and privacy. "With these new features, we aim to provide users with the highest level of security and privacy."
Google is collaborating with original equipment manufacturers (OEMs) to roll out these features to users over the next couple of years, ensuring comprehensive protection across the Android ecosystem.
Have you heard of Prompts Daily newsletter? I recently came across it and absolutely love it.
AI news, insights, tools and workflows. If you want to keep up with the business of AI, you need to be subscribed to the newsletter (it's free).
Read by executives from industry-leading companies like Google, Hubspot, Meta, and more.
Want to receive daily intel on the latest in business/AI?
In just ONE click, you can quickly sign up to the free Prompts Daily newsletter.
Law Enforcement Strikes
Law enforcement agencies have seized control of the notorious BreachForums platform, an online marketplace for stolen data, for the second time in a year.
Seizure Notice
The BreachForums website ("breachforums[.]st") now displays a seizure banner from the U.S. Federal Bureau of Investigation (FBI).
Global Effort
This operation was a collaborative effort involving authorities from Australia, Iceland, New Zealand, Switzerland, the U.K., the U.S., and Ukraine.
Telegram Takeover
The FBI has also taken control of the Telegram channel operated by Baphomet, the administrator who took over after Conor Brian Fitzpatrick (aka pompompurin) was arrested in March last year.
Official Message
A message on the seized Telegram channel reads: "This Telegram chat is under the control of the FBI. The BreachForums website has been taken down by the FBI and DOJ with assistance from international partners."
Investigation Ongoing
Authorities are reviewing the site's backend data and encourage reporting cyber criminal activity via specified FBI contact points.
Administrator Status
It's unclear if Baphomet and co-administrator ShinyHunters have been arrested, but the seizure banner shows their profile pictures behind bars.
Forum History
BreachForums emerged in March 2022 after the takedown of RaidForums. Despite being shut down in 2023, it resurfaced under Baphomet and ShinyHunters.
Contraband Marketplace
From June 2023 to May 2024, BreachForums operated as a marketplace for cybercriminals to buy, sell, and trade illegal goods, including stolen data and hacking tools.
Microsoft's Threat Intelligence team has identified a threat actor, Storm-1811, using Quick Assist in social engineering attacks to deploy ransomware.
Impersonation Tactics
Storm-1811, a financially motivated group known for Black Basta ransomware, uses voice phishing to trick victims into installing remote management tools like Quick Assist, followed by delivering QakBot, Cobalt Strike, and Black Basta ransomware.
Quick Assist Misuse
Quick Assist, a legitimate Microsoft application for remote troubleshooting, is being exploited. Attackers impersonate trusted contacts, such as Microsoft tech support, to gain access to devices.
Attack Method
The attackers use email bombing (link listing) to flood victims' inboxes, then call them posing as IT support to offer help. Victims are persuaded to use Quick Assist, allowing attackers to run commands and download malicious payloads.
Chain of Attack
Phishing Call: Impersonation and persuasion to use Quick Assist.
Access Gained: Running commands to download malware.
Ransomware Deployment: Using PsExec for spreading Black Basta ransomware.
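The three-stage chain above, turned into a correlation check a SOC could run over process-creation telemetry, as an added example (not Microsoft's code or the newsletter's): the event schema, the 30-minute window between stages, and the sample events are constructed assumptions.

```python
"""Correlate host process events against the Quick Assist -> download -> PsExec chain.

Added example, not Microsoft's code or the newsletter's. The event schema
(host, ts in seconds, image, cmdline) and the sample events are constructed;
map your own telemetry (e.g. process-creation events) onto these fields.
"""
from collections import defaultdict

WINDOW_SECS = 30 * 60  # assumed: each stage within 30 minutes of the previous one
REMOTE_ASSIST = {"quickassist.exe"}
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe", "powershell.exe"}
LATERAL = {"psexec.exe", "psexesvc.exe"}


def detect_chain(events):
    """Return {host: (t_assist, t_download, t_psexec)} for hosts where Quick Assist
    ran, then a downloader fetched a URL, then PsExec ran, in that order and within
    WINDOW_SECS of the previous stage. Heuristic: each stage alone is often benign."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    hits = {}
    for host, evs in by_host.items():
        t_assist = t_dl = None
        for ev in evs:
            img = ev["image"].rsplit("\\", 1)[-1].lower()  # basename of the image path
            if img in REMOTE_ASSIST:
                t_assist = ev["ts"]
            elif (img in DOWNLOADERS and "http" in ev["cmdline"].lower()
                  and t_assist is not None and ev["ts"] - t_assist <= WINDOW_SECS):
                t_dl = ev["ts"]
            elif (img in LATERAL and t_dl is not None
                  and ev["ts"] - t_dl <= WINDOW_SECS and host not in hits):
                hits[host] = (t_assist, t_dl, ev["ts"])
    return hits


# Constructed sample telemetry: ws-01 shows the full chain, ws-02 only a download
# with no Quick Assist session, ws-03 PsExec after Quick Assist but no download.
SAMPLE_EVENTS = [
    {"host": "ws-01", "ts": 1000, "image": "C:\\Windows\\System32\\quickassist.exe", "cmdline": "quickassist.exe"},
    {"host": "ws-01", "ts": 1300, "image": "C:\\Windows\\System32\\curl.exe", "cmdline": "curl.exe http://example.test/a.zip -o a.zip"},
    {"host": "ws-01", "ts": 1900, "image": "C:\\Tools\\PsExec.exe", "cmdline": "PsExec.exe \\\\ws-05 cmd"},
    {"host": "ws-02", "ts": 100, "image": "C:\\Windows\\System32\\curl.exe", "cmdline": "curl.exe http://example.test/x"},
    {"host": "ws-02", "ts": 500, "image": "C:\\Tools\\PsExec.exe", "cmdline": "PsExec.exe \\\\ws-06 cmd"},
    {"host": "ws-03", "ts": 0, "image": "C:\\Windows\\System32\\quickassist.exe", "cmdline": "quickassist.exe"},
    {"host": "ws-03", "ts": 120, "image": "C:\\Tools\\PsExec.exe", "cmdline": "PsExec.exe \\\\ws-07 cmd"},
]
```

Running `detect_chain(SAMPLE_EVENTS)` flags only ws-01; the ordering and window requirements keep the lone download on ws-02 and the lone PsExec on ws-03 out of the result.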
Ongoing Response
Microsoft is investigating the misuse of Quick Assist and plans to add warnings to alert users about potential tech support scams.
Targeted Industries
The campaign, starting mid-April 2024, has targeted sectors like manufacturing, construction, food and beverage, and transportation, indicating a broad attack scope.
Top Tips
Block/Uninstall: Remove Quick Assist and similar tools if unused.
Employee Training: Educate staff to identify tech support scams.
Focus on Prevention: Emphasise security measures before ransomware deployment to mitigate threats.
Expert Insights
"Ransomware remains a lucrative tactic for attackers due to its low entry barrier and high impact," said Robert Knapp of Rapid7. Organisations should enhance security measures and focus on early attack stages to reduce risks.
Collaborative Effort
Microsoft describes Black Basta as a "closed ransomware offering" relying on a few threat actors who partner for access and malware development. Since April 2022, Black Basta has been deployed following access from QakBot and other distributors, highlighting the importance of early-stage defence.
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday.
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders.
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future.
Let us know what you think.
So long and thanks for reading all the phish!