Mar 15 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that thinks cybercriminals should be labelled an extremist group and denied all government funding in the UK #MichaelGove
It's Friday, folks, which can only mean one thing... It's time for our weekly segment!
It goes by many names. Patch of the Week, Tweak of the week. Okay, that's it.
Congrats, the cybercriminals are no match... for your patch!
Check out this freshly hatched patch
March Madness from Microsoft
Microsoft's March Security Update: 61 Flaws Fixed!
Microsoft's latest security update tackles 61 security flaws across its software, including two critical issues in Windows Hyper-V that could lead to denial-of-service (DoS) and remote code execution.
Out of these flaws, two are Critical, 58 are Important, and one is Low severity. While none are publicly known or actively attacked, six are marked with an "Exploitation More Likely" label. This update also includes fixes for 17 security flaws in the Chromium-based Edge browser.
Notable vulnerabilities addressed involve Azure Kubernetes Service, Windows Composite Image File System, and Authenticator. A privilege escalation bug in the Print Spooler component and a remote code execution flaw in Exchange Server are also patched.
The highest-rated vulnerability, CVE-2024-21334, concerns remote code execution in the Open Management Infrastructure. Despite fewer CVEs patched compared to previous years, cybersecurity experts advise remaining vigilant.
Now, on to today's hottest cybersecurity stories:
Google's Gemini is vulnerable to LLM threats along with race baiting
PixPirates of the pancreas! Brazilian bankers watch out! Trojan
BEWARE: 4 ways hackers use social engineering to bypass MFA
HiddenLayer identified security vulnerabilities in Google's Gemini Large Language Model (LLM), impacting consumers using Gemini Advanced with Google Workspace and companies utilising the LLM API.
These vulnerabilities could lead to the leakage of system prompts, generation of harmful content, and execution of indirect injection attacks.
Identified Vulnerabilities
Leakage of System Prompts: Attackers can exploit synonym attacks to bypass security defences and content restrictions, prompting the LLM to output foundational instructions or system messages, potentially compromising sensitive information.
Generation of Misinformation: Crafty jailbreaking techniques can manipulate the LLM to generate misinformation, including misinformation about elections or producing content that may be illegal or dangerous.
Information Leakage in System Prompts: By passing repeated uncommon tokens as input, attackers can trick the LLM into leaking information contained in the system prompt.
Impact and Risks
These vulnerabilities could facilitate the dissemination of false information, compromise user privacy, and enable attackers to gain unauthorised control over interactions with the LLM.
While not novel, these vulnerabilities underscore the importance of rigorous testing and continuous improvement in LLM security measures.
Mitigation Measures
Google is actively conducting red-teaming exercises and enhancing model defences against adversarial behaviours, including prompt injection and jailbreaking.
Safeguards are in place to prevent harmful or misleading responses, with ongoing improvements to ensure robust security.
As a precautionary measure, Google is restricting responses to election-based queries and enforcing policies against prompts related to candidates, political parties, election results, voting information, and notable office holders.
Broader Implications
These findings highlight the need for comprehensive security testing across LLMs to mitigate prompt attacks, data extraction, model manipulation, and adversarial threats.
Collaboration among industry stakeholders and ongoing research efforts are crucial to address evolving cybersecurity challenges in language models.
The PixPirate Android banking trojan, notorious for exploiting Android's accessibility services to carry out fraudulent transactions, has adopted a new evasion technique.
The malware now hides its icon from the home screen, ensuring that victims remain unaware of its malicious activities during the reconnaissance and attack phases.
Attack Flow
PixPirate is typically distributed via SMS and WhatsApp, leveraging a downloader app to deploy the main payload.
The downloader not only instals the malicious app but also actively executes it, establishing communication between the two components for fraudulent operations.
Evasion Technique
The latest version of PixPirate's droppee lacks the activity necessary for launching the app from the home screen.
Instead, the downloader initiates the execution of the PixPirate APK by binding to a service exported by the droppee, ensuring persistence even if the downloader is removed.
Receivers registered by the droppee are triggered by system events, allowing it to run and conceal its presence independently of the downloader.
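A defender can triage installed packages for the trait combination described above: no launcher activity, an exported service, and receivers for system events. The sketch below is an added example, not code from PixPirate research or any vendor tool; it assumes the manifest has already been decoded to plain XML, and the `SYSTEM_EVENTS` set and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Assumed examples of system broadcasts; the page does not name the events used.
SYSTEM_EVENTS = {"android.intent.action.BOOT_COMPLETED",
                 "android.intent.action.USER_PRESENT"}

def names(parent, tag):
    # android:name values of every <tag> element under parent
    return {e.get(NS + "name") for e in parent.iter(tag)}

def audit_manifest(xml_text):
    """Flag apps with no launcher icon but background entry points."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    launcher, services, receivers = False, [], []
    if app is not None:
        for act in app.findall("activity") + app.findall("activity-alias"):
            for flt in act.findall("intent-filter"):
                if ("android.intent.action.MAIN" in names(flt, "action") and
                        "android.intent.category.LAUNCHER" in names(flt, "category")):
                    launcher = True
        for svc in app.findall("service"):
            exported = svc.get(NS + "exported")
            # Before Android 12, a service with an intent-filter is exported by default.
            if exported == "true" or (exported is None and
                                      svc.find("intent-filter") is not None):
                services.append(svc.get(NS + "name"))
        for rcv in app.findall("receiver"):
            if names(rcv, "action") & SYSTEM_EVENTS:
                receivers.append(rcv.get(NS + "name"))
    return {"package": root.get("package"), "launcher": launcher,
            "exported_services": services, "event_receivers": receivers,
            "suspicious": not launcher and bool(services) and bool(receivers)}

# Constructed sample manifests (not taken from any real app).
def manifest(pkg, body):
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{pkg}"><application>{body}</application></manifest>')

BACKGROUND = ('<service android:name=".Start" android:exported="true"/>'
              '<receiver android:name=".OnEvent"><intent-filter>'
              '<action android:name="android.intent.action.BOOT_COMPLETED"/>'
              '</intent-filter></receiver>')
LAUNCHER = ('<activity android:name=".Main"><intent-filter>'
            '<action android:name="android.intent.action.MAIN"/>'
            '<category android:name="android.intent.category.LAUNCHER"/>'
            '</intent-filter></activity>')
HIDDEN = manifest("com.example.hidden", BACKGROUND)
NORMAL = manifest("com.example.normal", LAUNCHER + BACKGROUND)
```

A hit is a triage signal rather than a verdict, since legitimate background-only packages (input methods, system plug-ins) share this shape.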
Broader Implications
PixPirate's evasion technique highlights the evolving sophistication of malware, posing challenges for detection and mitigation.
Latin American banks are also facing threats from malware like Fakext, which employs rogue Microsoft Edge extensions for financial fraud.
Mitigation Measures
Users should exercise caution when downloading apps from unofficial sources and be vigilant for suspicious behaviour on their devices.
Employing mobile security solutions and keeping devices updated can help mitigate the risk of malware infections.
Security Response
Google Play Protect automatically safeguards Android users against known versions of PixPirate and other malicious apps, providing an additional layer of defence against threats.
Multi-Factor Authentication (MFA) is a crucial defence against breaches, but it's not foolproof. Hackers can employ social engineering tactics to circumvent MFA and gain unauthorised access to accounts. Let's delve into four common strategies hackers use:
Adversary-in-the-middle (AITM) Attacks
Hackers create counterfeit websites to deceive users into divulging login credentials, including MFA codes.
Using '2FA pass-on,' attackers promptly enter stolen credentials on the legitimate site to trigger a genuine MFA request, granting them access.
Notorious threat groups like Storm-1167 use this tactic to harvest credentials, mimicking MFA steps to gain complete access.
MFA Prompt Bombing
After compromising passwords, attackers exploit push notification MFA prompts, hoping users will accept them without suspicion.
In a notable case, the 0ktapus group tricked an Uber contractor into accepting a fraudulent MFA push notification after a password compromise.
Service Desk Attacks
Hackers manipulate helpdesks, claiming password forgetfulness, and gain access through phone calls.
Exploiting recovery settings and backup procedures, attackers may bypass MFA by coercing service desks.
Notable incidents include the MGM Resorts attack by the Scattered Spider group.
SIM Swapping
Cybercriminals exploit MFA reliance on cell phones by tricking service providers into transferring services to a SIM card under their control.
This allows them to intercept MFA prompts and gain unauthorised access to accounts.
Threat groups like LAPSUS$ employ extensive social engineering campaigns, including SIM swapping, to bypass MFA.
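On the detection side, the MFA prompt bombing pattern above shows up in authentication logs as a burst of ignored or denied pushes, and the dangerous case is an approval that follows such a burst. The following is an added example, not from the original newsletter; the log format (`timestamp user result source_ip`), the thresholds, and the sample lines are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MIN_PROMPTS = 5                 # assumed burst threshold

def parse(line):
    ts, user, result, ip = line.split()
    return datetime.fromisoformat(ts), user, result, ip

def detect_prompt_bombing(lines):
    """Return (user, kind, timestamp) alerts for push-MFA fatigue patterns."""
    unapproved = defaultdict(deque)  # user -> times of denied/timed-out pushes
    alerts = []
    for ts, user, result, _ip in sorted(map(parse, lines)):
        q = unapproved[user]
        while q and ts - q[0] > WINDOW:   # drop prompts older than the window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) == MIN_PROMPTS:     # alert once when the burst forms
                alerts.append((user, "burst", ts.isoformat()))
        elif result == "approved":
            if len(q) >= MIN_PROMPTS:     # approval right after a burst
                alerts.append((user, "approved_after_burst", ts.isoformat()))
            q.clear()
    return alerts

# Constructed sample log lines (documentation IP ranges, fictional users).
LOG = [
    "2024-03-15T02:10:00 alice timeout 203.0.113.7",
    "2024-03-15T02:10:40 alice denied 203.0.113.7",
    "2024-03-15T02:11:15 alice timeout 203.0.113.7",
    "2024-03-15T02:12:00 alice denied 203.0.113.7",
    "2024-03-15T02:12:30 alice timeout 203.0.113.7",
    "2024-03-15T02:13:05 alice approved 203.0.113.7",
    "2024-03-15T09:00:00 bob denied 198.51.100.4",
    "2024-03-15T09:00:30 bob approved 198.51.100.4",
]
```

An `approved_after_burst` alert is the one to act on immediately, for example by revoking the resulting session and resetting the password, since it implies the password was already compromised.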
Password Security Still Matters
Despite MFA implementation, compromised passwords remain a significant risk.
Even strong passwords can't protect against breaches or password reuse.
Tools like Specops Password Policy enforce robust password policies and scan for compromised passwords, ensuring MFA serves as an additional security layer.
Conclusion
Organisations must recognize MFA's limitations and bolster password security measures.
Combining MFA with stringent password policies provides a comprehensive defence against social engineering tactics and unauthorised access.
That's all for this week, cyber squad. Stay safe out there
So long and thanks for reading all the phish!