
Threatening Emails Rattle Bengal Schools: Police Pursue Latvia Lead



In a statement issued on Tuesday, the Kolkata Police said that more than 20 schools across the city had received bomb threats, which were later confirmed to be hoaxes. The sender claimed that bombs had been planted in classrooms across several schools in the city and would explode during the morning hours after they were placed.

After receiving the hoax bomb threat mail on Monday, Kolkata Police posted an online message on Tuesday to reassure parents that it was a hoax and that police would be on hand to ensure their children's safety. Police have reportedly traced the originating IP address to the Netherlands; the threat mail had been sent to some 200 schools in the city, its suburbs, and Siliguri.

On the night of Sunday to Monday (April 8, 2024), a user calling themselves "doll" sent the email at 12.28 am on Monday from an address beginning 'happyhotdog101', threatening to have bombs placed in schools. The user claimed this would be carried out with the help of the U.S. Government. A screenshot of the email has been shared by over 90 schools and has appeared on more than a dozen websites.

The full message has not been officially released, but the screenshot's viral spread has amplified the threat's impact. The sender is understood to have claimed that bombs would be detonated when students arrived at school that morning.

There had been no official announcement on the case from either the Kolkata Police or the West Bengal Police until late that evening, and it is possible that none of the schools in either city will publicise the threat. The email reads: "This is a message for everyone. There are bombs planted inside of the classrooms. The bombs are set to go off tomorrow morning when there are kids inside of the schools. Our mission is to leave as many people as possible in a pool of blood. This attack was caused by 2 terrorists named Ching and Doll."

According to the Latvian police, the email was generated from an account with an email service provider that was conceived in 2018 and began operating in 2022.

Around 68 educational institutions in Bengaluru received a threat email last January from an address created with the same email service provider. Bengaluru police initially speculated that the email came from the Czech Republic or Slovakia, but have since dropped that line of inquiry.

During that investigation, it was found that the encrypted email service provider was the same one later used in the Kolkata school case, though the connection was traced to Cyprus rather than India. According to the Bengaluru Police, the sender reportedly used a Switzerland-based Virtual Private Network, a service known for its privacy focus and end-to-end encryption, to send the email.

In June 2022, a directive issued under the Narendra Modi government came into force requiring all VPN operators to store subscriber data, such as names, email addresses, contact numbers, and IP addresses, for five years and to hand it over to the government on request, as part of tightened cybersecurity rules. Rather than comply, several major VPN providers removed their servers from India.

It is not yet known whether the email service provider has been contacted by either the Kolkata Police or the West Bengal Police to help review Monday's threat emails. With the emails reaching over 90 schools across Bengal, the authorities alerted law enforcement and the cyber crime cell responded quickly; its immediate objective is to identify the sender through analysis of the email's originating IP address. A senior police official said the emails were a deliberate ploy to stoke tensions in the run-up to the elections, underscoring the malicious intent behind them.

To calm public concern, the city police stated on social media that the threats were hoaxes intended to sow panic and unrest. A formal case has been registered against the individual responsible for sending the email, and a thorough investigation is under way.

This incident is but the latest in a string of similar occurrences, with the Delhi Police, just last March, apprehending a 29-year-old Bangladeshi national residing in Kolkata for orchestrating a hoax bomb threat targeting a SpiceJet flight en route from Delhi to Kolkata. Delving into the motives behind the elaborate ruse, law enforcement disclosed that the perpetrator, upon interrogation, confessed to concocting the threat in a bid to derail the flight and thus prevent the imminent arrival of his brother-in-law in Kolkata. This calculated manoeuvre, as elucidated by police officials, stemmed from the individual's desire to conceal a web of deceit, as he had falsely claimed to be pursuing a PhD in the United States—a fabrication that facilitated his marriage to his spouse.

SurveyLama Data Breach Exposes Millions of Users' Information




A major data breach has impacted the online survey platform SurveyLama, putting the sensitive data of over four million individuals at risk. The breach, which occurred in February of this year, was confirmed by the company to Troy Hunt, the creator of the well-known website Have I Been Pwned?, which tracks email addresses exposed in data breaches.

What Happened:

Unknown attackers gained unauthorised access to SurveyLama's database, compromising users' names, dates of birth, email addresses, IP addresses, passwords, phone numbers, and postal addresses. This breach leaves users vulnerable to identity theft and phishing scams.

Implications for Users:

SurveyLama rewards its users for completing surveys, making them natural targets for phishing emails that promise payouts. Passwords were stored as hashes rather than in plaintext (salted SHA-1, bcrypt, and argon2), but these schemes are not equally strong. SHA-1 is a fast general-purpose hash, so a salted SHA-1 password can be guessed offline at billions of attempts per second on commodity GPUs; its known collision weaknesses are beside the point, the problem is speed. Bcrypt and argon2 are deliberately slow, and argon2 is memory-hard, which makes each guess far more expensive. Users whose passwords were SHA-1 hashed, and anyone who reused their SurveyLama password elsewhere, should change it immediately.
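To show why the hashing scheme matters, here is an added example (not SurveyLama's code) in Python using only the standard library. It stores a password under the legacy salted-SHA-1 scheme and under scrypt (a slow, memory-hard KDF standing in for bcrypt/argon2, which need third-party packages), runs an offline dictionary attack against both, and upgrades a legacy record to scrypt on the next successful login, which is how a site migrates without forcing a mass reset. The wordlist, salt and record format are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed wordlist standing in for the dictionaries crackers run offline
# against leaked hashes.
WORDLIST = ["123456", "password", "qwerty", "survey2024", "letmein"]

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)   # about 16 MiB of memory per hash


def sha1_record(password: str, salt: bytes) -> str:
    """Legacy scheme: salted SHA-1. Fast to compute, so cheap to guess against."""
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def scrypt_record(password: str, salt: Optional[bytes] = None) -> str:
    """Slow, memory-hard KDF from the standard library, standing in for bcrypt/argon2."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify(record: str, password: str) -> bool:
    """Recompute the stored hash for a candidate password and compare in constant time."""
    scheme, salt_hex, digest_hex = record.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == "sha1":
        candidate = hashlib.sha1(salt + password.encode()).hexdigest()
    elif scheme == "scrypt":
        candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS).hex()
    else:
        raise ValueError(f"unknown hash scheme: {scheme}")
    return hmac.compare_digest(candidate, digest_hex)


def verify_and_upgrade(record: str, password: str) -> Tuple[bool, str]:
    """Login-time migration: a correct password against a legacy SHA-1 record
    yields a fresh scrypt record that the application should store in its place."""
    if not verify(record, password):
        return False, record
    if record.startswith("sha1$"):
        return True, scrypt_record(password)
    return True, record


def dictionary_attack(record: str, wordlist) -> Tuple[Optional[str], int]:
    """The attacker's side: try every candidate and return (recovered password, guesses made).
    The salt defeats precomputed tables, not guessing; only a slow KDF raises the cost per guess."""
    for guesses, guess in enumerate(wordlist, 1):
        if verify(record, guess):
            return guess, guesses
    return None, len(wordlist)
```

A weak password falls to the same wordlist under either scheme, and after the same number of guesses; what scrypt changes is the cost of each guess, which is why migrating legacy records matters even when users do not reset.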

Protective Measures:

SurveyLama has reportedly notified affected users via email about the breach. However, users should remain cautious of any suspicious emails, particularly those promising rewards in exchange for quick action. Although the stolen information has not yet been publicly posted or sold on the dark web, proactive steps should be taken to secure accounts.

Expert Insight:

Troy Hunt, upon receiving information about the breach, independently verified the data's authenticity. SurveyLama confirmed the security incident and assured users that passwords were stored as hashes rather than in plaintext. Nonetheless, users are encouraged to reset their passwords not only on SurveyLama but also on any other platform where the same or similar credentials were used.

While SurveyLama has taken steps to address the breach and notify affected users, the potential risks remain significant. The possibility of the stolen data being exploited privately or leaked to cybercriminals underscores the importance of immediate action by users to safeguard their personal information.

All in all, the SurveyLama data breach serves as a reminder of the ever-present threats to online security and the importance of vigilance in protecting personal data. Users must stay informed, remain cautious of suspicious activities, and take proactive measures to enhance their online security posture.


Russian Hackers Breach Microsoft's Security: What You Need to Know



In recent developments, reports have surfaced of a significant cyberattack on Microsoft, allegedly orchestrated by Russian state-backed hackers. The breach, attributed to the group tracked as Midnight Blizzard (also known as Nobelium), has raised serious concerns among cybersecurity experts and the public alike.

The attack targeted Microsoft's source code repositories, exposing sensitive company information and communications with partners across various sectors, including government, defence, and business. While Microsoft assures that no customer-facing systems were compromised, the breach has far-reaching implications for national and international security.

Cybersecurity experts warn that the stolen source code could help attackers find zero-day vulnerabilities, previously unknown security flaws that can be exploited before a fix exists. Access to source code does not by itself hand an attacker a "master key" to deployed systems, but it lets them hunt for exploitable bugs far more efficiently than black-box testing would, posing a significant threat to organisations and users worldwide.

The severity of the breach has prompted strong reactions from industry professionals. Ariel Parnes, COO of Mitiga, describes the incident as "severe," emphasising the critical importance of source code security in the digital age. Shawn Waldman, CEO of Secure Cyber Defense, condemns the attack as a "worst-case scenario," highlighting the broader implications for national security.

The compromised data includes emails of senior leadership, confidential communications with partners, and cryptographic secrets such as passwords and authentication keys. Larry Whiteside Jr., a cybersecurity expert, warns of potential compliance complications for Microsoft users and partners, as regulators scrutinise the breach's impact on data protection laws.

As the fallout from the breach unfolds, there are growing concerns about the emergence of zero-day vulnerabilities and the need for proactive defence measures. Experts stress the importance of threat hunting and incident response planning to mitigate the risks posed by sophisticated cyber threats.

The incident underscores the ongoing battle in the global cyber warfare landscape, where even tech giants like Microsoft are not immune to attacks. With cybercriminals increasingly targeting supply chains, the need for enhanced security measures has never been more urgent.

The breach of Microsoft's systems is a wake-up call for individuals and organisations alike: no one, however large, is immune, and security programmes must account for adversaries who target the supply chain. Staying vigilant and proactive lets organisations reduce the risk to their digital assets, but as the field keeps changing, stakeholders must also work together to protect critical infrastructure and data.


Quishing Emerges as a Leading Cybersecurity Challenge



Researchers predict that cybercriminals will increasingly use email-based quishing attacks as a means of stealing data from users. Several quishing campaigns are known to have been large, long-running, and dynamic, judging by their attack cadence and the variations in the lures and domains featured in their messages.

The recently released Global State of Mobile Phishing Report offers sobering insight into the prevalence of mobile phishing. It found that more than 50% of the personal devices used by a company's employees were exposed to at least one mobile phishing attack every quarter, an astounding figure.

Technology keeps evolving to make users' personal and professional lives more convenient, and one advance that has made life easier for consumers is the Quick Response (QR) code: a two-dimensional barcode that a phone camera reads easily and that can carry a website URL, contact details, or a payment request.

Alongside these conveniences, QR codes have opened a new avenue for cybercriminals to steal information. Phishing that delivers its malicious link as a QR code is known as quishing; it has been on the rise for years and poses a significant threat to individuals and organisations alike.

Although "quishing" sounds harmless, it is a serious practice that has to be taken seriously. In its simplest form, the attacker generates a QR code that points to a malicious site, embeds the image in a phishing email, and sends it to the target.

The embedded QR code is used to lure recipients into visiting malicious websites or downloading malware onto their devices. These attacks rely on social engineering, exploiting the trust that people place in email.

The Global State of Mobile Phishing Report also notes that over half of a company's employees' devices are exposed to phishing every few weeks, and that at least a third of those users are not even aware it is happening.

Additionally, there was a seven-fold increase in QR code phishing reports in Q2 of 2022. These attacks target many industries, including insurance, legal, financial services, and healthcare. Those industries are heavily regulated because of the sensitive and valuable data they hold, and their employees are easy to reach by email, which makes them attractive targets.

QR codes now appear everywhere: in restaurants, on public transport, in commercials, on signs, walls, bathrooms, billboards and posters; companies even ship products with a QR code so that consumers can open the manual on their phones.

Quishing emails currently follow a simple pattern: the target receives an email containing a QR code and a call to action, usually a demand to verify their account within a specific time frame or have it locked or closed. The user reads the email on a desktop computer, scans the code with their phone, and it is the phone, not the desktop, that ends up on the malicious page.

Traditional email filtering struggles to detect QR code attacks because there are no embedded links or malicious attachments to scan, and filters are not designed to decode a QR code and follow it to its destination to look for malicious content. The attack also shifts the threat to a second device, typically a personal phone that is less likely to be protected by corporate security software.

Such attacks can be detected with artificial intelligence and image recognition. A suspicious QR code is rarely the only sign of a malicious email, so AI-based detection also weighs other signals, such as the sender's name, the message content, and the size and placement of images, to judge whether a message is malicious. Barracuda Impersonation Protection, for instance, employs several such techniques to detect and prevent QR code scams.
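As an added illustration (not Barracuda's code, nor code from the original post) of the kind of multi-signal check just described, the following Python uses only the standard library: it assembles three constructed messages, parses each the way a gateway would, and flags the combination of an inline image, no clickable link, and urgency wording. The sender addresses and image bytes are placeholders; a real deployment would additionally decode the QR image and run the decoded URL through the same URL filtering that ordinary links receive.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed stand-in for a QR-code image. This check never decodes it; a real
# gateway would hand the bytes to a QR decoder and filter the decoded URL.
IMAGE_STUB = b"\x89PNG\r\n\x1a\n" + bytes(32)

URGENCY = re.compile(
    r"\b(verify|validate|suspended|locked|expires?|immediately|action required|within \d+ hours?)\b", re.I)
HREF = re.compile(r"<a\b[^>]*\bhref\s*=", re.I)
CID_IMG = re.compile(r"<img\b[^>]*\bsrc\s*=\s*[\"']cid:", re.I)
TAG = re.compile(r"<[^>]+>")


def build_sample(subject: str, html: str, inline_image: bool) -> bytes:
    """Assemble a multipart/alternative message with an optional inline (cid:) image,
    the shape a mail client produces. Constructed test data, not a captured email."""
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <helpdesk@example.invalid>"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(TAG.sub(" ", html))
    msg.add_alternative(html, subtype="html")
    if inline_image:
        msg.get_payload()[1].add_related(IMAGE_STUB, "image", "png", cid="<qr1@example.invalid>")
    return msg.as_bytes()


def score_message(raw: bytes) -> dict:
    """Gateway-side check: an image carrying the call to action, no clickable link,
    and urgency wording together form the quishing shape."""
    msg = message_from_bytes(raw, policy=policy.default)
    html, images = "", 0
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_content()
        elif part.get_content_maintype() == "image":
            images += 1
    body_text = TAG.sub(" ", html)
    signals = {
        "inline_image": images > 0,
        "image_via_cid": bool(CID_IMG.search(html)),
        "no_hyperlinks": HREF.search(html) is None,
        "urgency": bool(URGENCY.search(f"{msg['Subject'] or ''} {body_text}")),
        "short_body": len(body_text.split()) < 60,
    }
    suspicious = signals["inline_image"] and signals["no_hyperlinks"] and signals["urgency"]
    return {"signals": signals, "score": sum(signals.values()),
            "verdict": "suspicious" if suspicious else "clean"}


# Three constructed samples: the quishing lure, a newsletter with an inline logo and
# real links, and a plain password-reset mail with a link and no image.
QUISHING_SAMPLE = build_sample(
    "Action required: verify your account within 24 hours",
    '<p>Your password expires today. Scan the code below to verify your account or it will be locked.</p>'
    '<img src="cid:qr1@example.invalid">',
    inline_image=True)
NEWSLETTER_SAMPLE = build_sample(
    "October newsletter",
    '<img src="cid:qr1@example.invalid"><p>This month we opened a new office and welcomed twelve colleagues.</p>'
    '<a href="https://example.invalid/news">Read more</a>',
    inline_image=True)
RESET_SAMPLE = build_sample(
    "Password reset requested",
    '<p>Click to reset your password; the link expires in 1 hour.</p><a href="https://example.invalid/reset">Reset</a>',
    inline_image=False)
```

The verdict deliberately requires all three signals: a newsletter with an inline logo keeps its links, and a genuine reset mail has urgency but no image, so neither trips the rule; the remaining signals only feed the score for triage.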

Many quishing attacks currently target individual consumers, but enterprises and their employees are also at risk. Researchers from HP and Abnormal Security found that email-based QR phishing campaigns can be used to steal credentials or spread malicious software to business accounts.

Fraudulent QR Code Signs


Recipients should watch for signs that a QR code is fraudulent. These include:

  • Errors on the destination website, such as spelling mistakes, poor-quality images, and shoddy design.
  • A destination URL that begins with HTTP rather than HTTPS.
  • A shortened URL that hides the true destination site.

Guarding Against DMARC Evasion: The Google Looker Studio Vulnerability



As a free online tool, Google Looker Studio allows users to create reports that can be customized with charts, graphs, and other data points. Once users have prepared their report, they can share it with anyone they desire. 

Based on the observations of Check Point researchers, threat actors are using Google Looker Studio to build fake cryptocurrency pages, which are then delivered to victims via emails sent from the legitimate tool itself.

Google Looker Studio is a web-based tool that turns documents such as slideshows and spreadsheets into information, for example by charting and graphing the data into usable visuals.

Researchers at Check Point have uncovered a business email compromise (BEC) campaign that has been running for several weeks. The campaign uses the tool to build crypto-themed pages in a socially engineered attack that mimics genuine cryptocurrency offerings.

Attackers send emails that appear to come directly from Google, containing links to reports purporting to be useful for cryptocurrency investors, and encourage the recipient to click through and sign in to their account to obtain further information.

The link leads to a fake report that purports to provide everything the victim needs on investment strategies yielding significant returns. It takes the recipient to a legitimate Google Looker Studio page displaying a Google Slides presentation with instructions on how to receive more cryptocurrency from the sender.

From there the victim is taken to a login page carrying a warning that unless they log in immediately they may lose access to their account. The page is designed to steal the credentials users supply. Cybercriminals commonly embed such URLs in their phishing emails because Looker Studio's reputation as a legitimate Google service means the links pass email security checks.

Styled with Google's branding, the phishing emails appear to originate from Google itself. They inform the recipient that they have won approximately 0.75 Bitcoin ($19,200) for joining the company's cryptocurrency insights and trading strategies programme.

Recipients are urged to follow the embedded link to collect their earnings; the email is otherwise well written. Check Point's analysis found that, because the sending IP address is authorised for a google.com subdomain, the message passes the email authentication checks that are meant to prevent spoofing.

The attackers thus use Google's authority to get past email security scans. They do not defeat Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), or Domain-based Message Authentication, Reporting, and Conformance (DMARC); the mail is genuinely sent by Google's infrastructure, so all three checks pass exactly as designed.

With these tactics the phishing emails go undetected because they are legitimately associated with the domain google.com. DKIM uses cryptographic signatures to verify the integrity and origin of an email.

DMARC lets a domain owner publish a policy specifying what a receiver should do when a message fails authentication, that is, when neither a passing SPF check nor a passing DKIM signature is for a domain that aligns with the domain in the message's From header.
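To make the authentication point concrete, here is an added example (not Check Point's code, nor code from the original post) that parses a receiver's Authentication-Results header and recomputes the DMARC verdict by applying SPF and DKIM alignment against the From domain. The headers, sender addresses, DKIM selectors and policy records are constructed placeholders, and a production evaluator would fetch the policy from the _dmarc.<domain> TXT record and use the Public Suffix List for organisational domains. It shows three things: a message genuinely relayed by Google's infrastructure passes for google.com, a spoof of the same From address fails and is rejected under p=reject, and a lookalike domain with its own SPF and DKIM passes as well, because DMARC only ever vouches for the domain in the From header, never for the content.

```python
import re
from email.utils import parseaddr

COMMENT = re.compile(r"\([^)]*\)")


def parse_auth_results(header: str) -> dict:
    """Parse an Authentication-Results header (RFC 8601) into {method: {"result": ..., prop: value}}."""
    clauses = [c.strip() for c in COMMENT.sub("", header).split(";")]
    results = {}
    for clause in clauses[1:]:                    # clauses[0] is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:   # e.g. the bare "none" clause
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = {"result": result.lower(), **props}
    return results


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels (a production check
    uses the Public Suffix List so that e.g. example.co.uk is handled correctly)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(identifier_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ("s") needs an exact match, relaxed ("r") the same org domain."""
    if not identifier_domain:
        return False
    if mode == "s":
        return identifier_domain.lower() == from_domain.lower()
    return org_domain(identifier_domain) == org_domain(from_domain)


def parse_dmarc(txt: str) -> dict:
    tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    return {"p": tags.get("p", "none"), "adkim": tags.get("adkim", "r"), "aspf": tags.get("aspf", "r")}


def evaluate(from_header: str, auth_results: str, dmarc_txt: str) -> dict:
    """Recompute DMARC from the receiver's SPF/DKIM results instead of trusting its dmarc= verdict."""
    from_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    ar, pol = parse_auth_results(auth_results), parse_dmarc(dmarc_txt)
    spf, dkim = ar.get("spf", {}), ar.get("dkim", {})
    spf_aligned = spf.get("result") == "pass" and aligned(
        spf.get("smtp.mailfrom", "").rpartition("@")[2], from_domain, pol["aspf"])
    dkim_aligned = dkim.get("result") == "pass" and aligned(dkim.get("header.d", ""), from_domain, pol["adkim"])
    dmarc_pass = spf_aligned or dkim_aligned
    return {"from_domain": from_domain, "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc_pass": dmarc_pass, "disposition": "deliver" if dmarc_pass else pol["p"]}


# Constructed headers and records (placeholders, not captured traffic).
DMARC_GOOGLE = "v=DMARC1; p=reject; adkim=r; aspf=r"
FROM_LOOKER = "Google Looker Studio <studio-noreply@google.com>"
AR_LOOKER = ("mx.example.invalid; spf=pass (sender IP authorised for a google.com subdomain) "
             "smtp.mailfrom=studio-noreply@google.com; dkim=pass header.d=google.com header.s=sel1; "
             "dmarc=pass header.from=google.com")
FROM_SPOOF = "Google Security <security@google.com>"
AR_SPOOF = "mx.example.invalid; spf=fail smtp.mailfrom=bounce@attacker.invalid; dkim=none"
FROM_LOOKALIKE = "Looker Studio <alerts@google-lookerstudio.invalid>"
AR_LOOKALIKE = ("mx.example.invalid; spf=pass smtp.mailfrom=alerts@google-lookerstudio.invalid; "
                "dkim=pass header.d=google-lookerstudio.invalid header.s=k1")
```

The practical consequence for detection is that a DMARC pass tells you only that the From domain's owner sanctioned the sending path; for mail from a service such as Looker Studio the verdict is correct and useless, and the filtering has to move to the linked content.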

A BEC attack has been a popular phishing method for many years due to its simplicity and effectiveness. Threat actors continuously adjust their strategies and incorporate new technologies into their attacks to make them more convincing. 

Check Point researchers recommend adopting AI-driven security technologies capable of analysing a range of phishing indicators, so as to take a proactive stance against sophisticated BEC attacks. Business Email Compromise is a form of cybercrime in which threat actors impersonate employees or business partners to steal money or sensitive data, or to gain unauthorised access to corporate networks.

The Sender Policy Framework (SPF) is an email authentication protocol that lets a domain publish which mail servers are authorised to send on its behalf. Despite defenders' efforts, attackers continue to sharpen their skills and adopt new technology to craft more convincing and creative lures that persuade users to follow along and give up their credentials.

Google Looker Studio is one such technology. Check Point's researchers advise businesses to adopt the increasingly common AI-powered security technologies that analyse and identify the many phishing indicators attackers use to conceal malicious intent, in order to protect themselves against complex BEC attacks.

The campaign used a legitimate Google app and domain to disguise its malicious intent. Check Point researcher Jeremy Fuchs advised organisations to implement a comprehensive security solution, including document- and file-scanning capabilities as well as URL protection that thoroughly scans and emulates web pages for a higher level of protection.

Email Security: Secure Email Gateways


When you send an email, you expect it to reach the intended recipient intact. A small group of people, cybercriminals, work against that expectation: they constantly try to hijack email and trick people into opening malicious attachments or clicking links that install malware on their devices.

So what are the best ways to protect yourself, your family, your friends, and your employees from these risks? One is to deploy a secure email gateway.

A secure email gateway (SEG) is used by businesses, organisations, and governments to protect their internal email servers from attacks that arrive by email. A SEG checks inbound and outbound mail for malicious content, and lets administrators track the messages sent and received and decide how they should be handled according to configured policy.

To protect email communications, a secure email gateway is placed between the organisation's mail server and the public internet; every message entering or leaving the server is scanned by the SEG.

Essentially, a SEG is designed to stop unwanted email from ever reaching your mail server, where it could do damage. In this way SEGs protect confidential information from cybercriminals, support data privacy, and can encrypt sensitive outbound email so that its contents are not exposed in transit.

Several types of emails could be harmful, including 

  • Spam
  • Malware
  • Viruses
  • Business Email Compromise (BEC)
  • Fraudulent content
  • Ransomware
  • Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attacks
  • Trojans
  • Phishing attacks
Further, SEGs are expected to thoroughly scan outbound email and internal communications between employees, to prevent sensitive business information from leaking into the public domain. If malicious content is detected, the email is not allowed to leave the server.

What Are the Functions of a Secure Email Gateway? 

SEGs scan and filter incoming and outgoing email on behalf of an email server. They apply a set of rules to assess how likely each message is to be spam or otherwise harmful, so that both inbound and outbound mail is checked for content that could spread between your devices and your network.

During scanning, the SEG checks the sending domain, the message content, and any attachments for malicious content. Messages that come through clean are routed on to the mail server and from there to the user's mailbox.

What are the features of secure email gateways? 

SEGs have their unique functions and features, but here are some of the most common security features that SEGs offer. 

Filtering spam mail 

Spam filtering uses algorithms to identify mail from known spam domains and quarantine or block it.

Spam filters also learn the patterns typical of spam content, such as keywords and malicious links, and use them to catch new spam. If a spam email does get past the gateway into your mailbox, this feature lets users report it and block the sender.

Protection against malware and viruses 

A SEG also protects against malware and viruses that could spread through email across your network. It uses antivirus engines to scan messages and block or quarantine any that carry viruses or malware, shielding the company from both infection and liability. As cybercrime keeps evolving, keeping those antivirus engines and signatures up to date is imperative.

Archiving of e-mails 

SEGs can also manage email archiving. You can use them to store and manage your organisation's email so as to meet its data management and legal compliance requirements.

Security Email Gateways Can Help You Keep Your Emails Safe 

Cyber threats arrive as phishing, spam, denial-of-service attacks, and highly sophisticated fraud. Individuals, businesses, and government entities, along with their employees, should therefore use SEGs to secure their email accounts against malicious actors who seek to steal data or cause harm by other means.

Attackers Abuse Facebook Ad Manager in Credential-Harvesting Campaign


Attackers are capitalising on the power of the Facebook brand by sending emails that appear to be from Facebook Ads Manager. The plan is to trick victims into providing their credentials and credit card information on a Facebook lead generation form. 

According to a report published on Tuesday by Avanan's security research team, attackers are sending phishing messages that pose as urgent warnings from Meta's "Facebook AdManager" team. The messages claim that the victim is not following the company's ad policies and that the ad account will be terminated unless the target appeals the fictional violation.

The "appeal form" link takes visitors to a credential-harvesting site that collects passwords and credit card information using a real Facebook lead-generation form.

An intriguing aspect of the campaign is that, rather than using a harvesting site hosted on a suspect IP somewhere, the attackers exploit the Facebook ads system itself to create malicious lead-generation forms. This kills two birds with one stone. First, it defeats many of the automated malicious-link checks used by email platforms; the Avanan team calls this use of legitimate sites the Static Expressway.

Jeremy Fuchs, cybersecurity researcher for Avanan explained in the report, "Hackers are leveraging sites that appear on static Allow Lists. That means that email security services have broadly decided that these sites are trustworthy, and thus anything related to them comes through to the inbox."

Second, using Facebook Ads forms lends the lure a high degree of realism for advertisers who are already familiar with the Ads Manager platform and the lead-generation forms it produces.

"For the end user, seeing that their Facebook ad account has been suspended is cause for concern," Fuchs said. "Since it’s a legitimate Facebook link, the user would feel confident continuing on."

While the sites used in this credential harvesting campaign appeared to be legitimate, Fuchs discovered a red flag in the phishing messages: These are typically sent from Outlook accounts such as pageguidelinesfacebook@outlook.com.

Furthermore, the physical address in the email footer is incorrect. Users who miss these details could easily be duped. According to research published earlier this year, brand impersonations, or brandjacking, like these rose by 274% last year as attackers continue to lend their scams credibility by appearing to come from trustworthy sources. Facebook is a popular platform for phishers to imitate.

According to a Vade report released this spring, Facebook was the most impersonated brand last year, edging out perennial favourite Microsoft for the top spot. Email attacks increased by 48% in the first half of 2022, as per Abnormal Security research, with more than one in ten attacks impersonating well-known brands. So far in 2022, 256 individual brands have been impersonated, with LinkedIn and Microsoft appearing to be the favourites.

Hackers Repeatedly Targeting Financial Services in French-Speaking African Countries


Over the last two years, a persistent cyber-attack campaign targeting major financial institutions in French-speaking African countries has surfaced. Check Point Research (CPR) discovered the campaign and named it 'DangerousSavanna'. Its infection chains begin with spear-phishing emails.

The threat actors allegedly sent malicious attachment emails in French to employees in Ivory Coast, Morocco, Cameroon, Senegal, and Togo, using a variety of file types to entice victims, including PDF, Word, ZIP, and ISO files. DangerousSavanna hackers also used lookalike domains to impersonate other African financial institutions such as Tunisian Foreign Bank and Nedbank.

Sergey Shykevich, threat intelligence group manager at CPR explained, "Our suspicion is that this is a financially motivated cybercriminal, but we don't have conclusive evidence yet. Whoever it is, this threat actor, or group of actors, is highly targeted and persistent in infecting specific victims, and right now, we are aware of at least three major financial corporations that operate in these countries that have been affected."

Furthermore, the cybersecurity expert stated that Check Point's assessment indicates that this actor will continue to try to break into its targeted companies until vulnerabilities are discovered or employees make a mistake.

"Usually, when a hacker targets financial institutions directly, their main goal is to secure access to core banking systems such as payment card issuing systems, SWIFT transfers and ATM control systems," Shykevich added.

In general, the Check Point executive stated, cyber-criminals associate the fragile economies of some African countries with a lack of cybersecurity investment.

"But the finance and banking sector is actually one of the most impacted industries worldwide, experiencing 1144 weekly cyber-attacks on average," Shykevich explained.

CPR provided companies with advice on preventing spear phishing attacks in an advisory detailing some of DangerousSavanna's recent attacks. These methods include keeping systems up to date, implementing multi-factor authentication (MFA), confirming suspicious email activity before interacting, educating employees, and testing their cybersecurity knowledge on a regular basis.

The DangerousSavanna warning comes just weeks after cybersecurity firm Vade revealed that banks around the world received the majority of phishing attacks in the first half of 2022.

Researchers Discover Kimsuky Infra Targeting South Korean Politicians and Diplomats

 

Kimsuky, a North Korean nation-state group, has been linked to a new wave of nefarious activities targeting political and diplomatic entities in its southern counterpart in early 2022. 

The cluster was codenamed GoldDragon by Russian cybersecurity firm Kaspersky, with infection chains resulting in the deployment of Windows malware designed to harvest file lists, user keystrokes, and stored web browser login credentials. South Korean university professors, think tank researchers, and government officials are among the potential victims. 

Kimsuky, also known as Black Banshee, Thallium, and Velvet Chollima, is a prolific North Korean advanced persistent threat (APT) group that targets entities globally, but with a primary focus on South Korea, to gather intelligence on various topics of interest to the regime.

The group, which has been active since 2012, has a history of using social engineering tactics, spear-phishing, and watering hole attacks to obtain sensitive information from victims.

Late last month, cybersecurity firm Volexity linked the actor to an intelligence-gathering mission aimed at siphoning email content from Gmail and AOL using Sharpext, a malicious Chrome browser extension.

The latest campaign employs a similar tactic, with the attack sequence initiated by spear-phishing messages containing macro-embedded Microsoft Word documents purportedly containing content related to geopolitical issues in the region. Alternative initial access routes are also said to use HTML Application (HTA) and Compiled HTML Help (CHM) files as decoys in order to compromise the system.

Whatever method is used, the initial access is followed by a remote server dropping a Visual Basic Script that is orchestrated to fingerprint the machine and retrieve additional payloads, including an executable capable of exfiltrating sensitive information.

The attack is unique in that it sends the victim's email address to the command-and-control (C2) server if the recipient clicks on a link in the email to download additional documents. If the request does not include the expected email address, a harmless document is returned.

To complicate matters even further, the first-stage C2 server forwards the victim's IP address to another VBS server, which compares it to an incoming request generated after the target opens the bait document. The two C2 servers' "victim verification methodology" ensures that the VBScript is distributed only when the IP address checks are successful, indicating a highly targeted approach.

"The Kimsuky group continuously evolves its malware infection schemes and adopts novel techniques to hinder analysis. The main difficulty in tracking this group is that it's tough to acquire a full-infection chain," Kaspersky researcher Seongsu Park concluded.

SharpTongue: A Malware from North Korea that Monitors Emails

About SharpTongue

Threat actor SharpTongue, which is linked to North Korea, was found using a malicious extension on Chromium-based browsers to keep surveillance on victims' Gmail and AOL email accounts. Experts from cybersecurity firm Volexity track the hackers as SharpTongue, but its activities overlap with those of the Kimsuky APT group. 

SharpTongue's toolset was covered in a report published by Huntress in 2021, but since September 2021 Volexity has been observing the use of a previously unreported malware strain. Volexity has looked over various cybersecurity cases which involve SharpTongue, and in most of the incidents the hackers use a malicious Microsoft Edge or Google Chrome extension known as "SHARPEXT." 

How does SharpTongue operate?

Unlike other extensions used by the Kimsuky APT group, SHARPEXT doesn't steal passwords or usernames; instead, it accesses the target's webmail account while they're browsing it. The present version of the extension supports three browsers and is capable of stealing the contents of e-mails from AOL webmail and Gmail accounts. 

The report analysis says that SHARPEXT is a malicious browser extension deployed by SharpTongue following the successful compromise of a target system. In the first versions of SHARPEXT investigated by Volexity, the malware only supported Google Chrome. 

The current variant 3.0 supports three browsers:

  • Edge
  • Chrome
  • Whale (It is used in South Korea)

The attack process

The attack chain begins with the hackers manually extracting the files required to install the extension from the compromised workstation. After a breach of the victim's Windows system, the hackers change the web browser's Preferences and Secure Preferences files. 

After that, the hackers manually deploy SHARPEXT via a VBS script and enable the DevTools panel in the active tab to keep surveillance on the email contents and steal file attachments from the target's mail account. This is done via a PowerShell script; the hackers also conceal the warning messages that appear when developer-mode extensions are running. 
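As an added detection example (not Volexity's code or the blog's), the following Python scans a Chromium-family browser's Preferences JSON for side-loaded extensions and the developer-mode flag, the settings the SHARPEXT procedure above tampers with. The key names, the `location` value for unpacked extensions and the sample file are assumptions based on Chromium's preference layout, not details from the article.

```python
"""Flag unpacked / non-Web-Store extensions and developer mode in a
Chromium Preferences file. Added example; layout below is an assumption
about Chromium's preference format, not something taken from the article."""
import json
from typing import Any

# Assumption: Chromium's ManifestLocation value for "load unpacked" extensions.
UNPACKED_LOCATION = 4


def load_prefs(path: str) -> dict[str, Any]:
    """Read a Preferences or Secure Preferences file (plain JSON)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def developer_mode_enabled(prefs: dict[str, Any]) -> bool:
    """Assumption: developer mode is stored at extensions.ui.developer_mode."""
    return bool(prefs.get("extensions", {}).get("ui", {}).get("developer_mode"))


def find_suspicious_extensions(prefs: dict[str, Any]) -> list[dict[str, str]]:
    """One finding per extension that was loaded unpacked or not from the store.

    Assumption: installed extensions live under extensions.settings.<id> with
    "location", "from_webstore" and "path" members."""
    findings = []
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        unpacked = entry.get("location") == UNPACKED_LOCATION
        if unpacked or not entry.get("from_webstore", False):
            findings.append({
                "id": ext_id,
                "path": str(entry.get("path", "")),
                "reason": "unpacked" if unpacked else "not-from-webstore",
            })
    return findings


# Constructed sample resembling a Preferences file; ids and paths are invented.
SAMPLE_PREFS: dict[str, Any] = {
    "extensions": {
        "ui": {"developer_mode": True},
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "location": 1, "from_webstore": True, "path": r"aaaaaaaa\1.0_0"},
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "location": UNPACKED_LOCATION, "from_webstore": False,
                "path": r"C:\Users\victim\AppData\Local\ext"},
        },
    }
}

if __name__ == "__main__":
    print("developer mode:", developer_mode_enabled(SAMPLE_PREFS))
    for finding in find_suspicious_extensions(SAMPLE_PREFS):
        print(finding)
```

In a real triage, point `load_prefs` at the profile's Preferences and Secure Preferences files and review every hit whose path lies outside the browser's own extension directory.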

The Security Affairs report states, "experts pointed out that this is the first time the threat actor used malicious browser extensions as part of the post-exploitation phase. Stealing email data from a user's already-logged-in session makes this attack stealthy and hard to be detected by the email provider. The researchers shared the YARA rules to detect these attacks and Indicators of Compromise (IOCs) for this threat."


New Spear Phishing Campaign Targets Russian Dissidents

 

In Russia, a new spear-phishing campaign targeting dissenters with alternative views to those presented by the state and national media over the war in Ukraine is underway. The campaign distributes emails to government personnel and public servants, alerting them about software and online platforms that are illegal in the country. 

The emails contain a malicious attachment or link that delivers a Cobalt Strike beacon to the recipient's computer, allowing remote operators to spy on the victim. The campaign was discovered and reported on by Malwarebytes Labs threat analysts, who were able to sample some of the bait emails. 

Various phishing methods

To persuade recipients to open the attachment, the phishing emails pretend to be from a Russian state organisation, ministry, or federal service. The main two spoofed organizations are the "Russian Federation Ministry of Information Technologies and Communications" and the "Russian Federation Ministry of Digital Development, Communications, and Mass Communications." 

To attack their targets with Cobalt Strike, the threat actors use three different file types: RTF (rich text format) files, archive attachments of malicious documents, and download links inserted in the email body. Since it involves the exploitation of CVE-2021-40444, a remote code execution flaw in the rendering engine used by Microsoft Office documents, the case of RTFs is the most interesting. 

All of the phishing emails are written in Russian, as expected, and they appear to have been created by native speakers rather than machine translated, implying that the campaign is being spearheaded by a Russian-speaking individual. Malwarebytes discovered simultaneous attempts to spread a deeply obfuscated PowerShell-based remote access trojan (RAT) with next-stage payload fetching capabilities in addition to Cobalt Strike. 

The campaign's targets are mostly employed by the Russian government and public sector, including the following organisations: 
  • Official Internet portal of the authorities of the Chuvash Republic
  • Russian Ministry of Internal Affairs
  • Ministry of Education and Science of the Republic of Altai
  • Ministry of Education of the Stavropol Territory
  • Minister of Education and Science of the Republic of North Ossetia-Alania
  • Government of Astrakhan region
  • Ministry of Education of the Irkutsk region
  • Portal of state and municipal services of the Moscow region
  • Ministry of Science and Higher Education of the Russian Federation
Judging by the organisations listed above, the phishing actors target persons in crucial positions who could cause problems for the central government by stirring anti-war movements.