How to set up computer security for your parents

If you want to tighten up your parents’ home cybersecurity as much as possible, you’ve come to the right place. After all, you’re no doubt the family IT person, and first point of contact if trouble arises. 

Consider a Chromebook. If your parents are shopping for a new computer for everyday, non-demanding use, such as browsing, social media, and email, you can steer the choice. For someone who isn’t into heavy gaming, a Chromebook is a good option: it is cheaper, it does all of those things (browser-based games included), and ChromeOS updates itself automatically and verifies its own system image at boot, which leaves far less room for scam software to take hold.

Turn on auto-update. Installing software on a system usually comes with the task of having to keep it up-to-date. Therefore, any software program, operating system or browser that has an option to auto-update should be set to do this. We know this isn’t always recommended in a work environment, but for the computer illiterate person in their own home, it’s perfect. One less thing to worry about.

Configure their security software. Choose security software that lets you reduce notifications to only the warnings that matter, so that your parents don’t get confused. Notifications from programs can have strange effects on the less computer-savvy, for several reasons:

  • They don’t understand to which program the messages belong, which takes away the context for them
  • The text in the notifications is designed to be short, which means they’re not always maximized for clarity
  • Technical terms used in the notification may be unfamiliar

When there are too many notifications, people can get fatigued. Most will simply want the pop-ups to disappear, no matter what they have to click on to accomplish this. So, any software that can be set to only issue a warning when something is really amiss deserves a big plus.

Disable Remote Desktop. If you’re dealing with a Windows computer, disable Remote Desktop. Remote Desktop is sometimes used by scammers in technical support scams, and if nobody needs to log in to the machine remotely you may as well turn it off. You can do this in Settings. Here’s how to do it in Windows 10:

  • Launch the Settings app. (shortcut Win + I)
  • Under the System section, scroll down and click on the Remote Desktop option.
  • Then, click on the toggle next to the Remote Desktop option to turn it off.

screenshot of remote desktop settings

  • Windows will prompt you to confirm your decision.
  • Click on the Disable button and exit the settings app.

Use an easy-to-maintain blocklist or firewall. This can keep a lot of harm at bay. Alternatively, use security software that includes a web protection module, like Malwarebytes Premium.

Configure the router accordingly. Make sure to configure the home router and access points with unique usernames and passwords and do not use the default ones that come with the equipment. Many botnets will attempt to take over such devices by trying default credentials.

There are some other basic settings that can enhance the security of the home router without hindering the users:

  • Turn off remote management if enabled.
  • Use WPA2 or WPA3 (if available) encryption on Wireless routers.

Hang up, close the tab, and call your bank. A Dutch bank ran a very effective campaign that advised customers to “Hang up, close the tab, and call your bank.” This is very easy to remember and very effective at the same time. Tell your parents to remember that phrase when they see “urgent” warnings online or get cold calls from Microsoft, their bank, or any other entity that seeks access to personal or financial information. It’s good to teach your parents they shouldn’t trust that friendly voice with a concerned tone, if they can’t verify their identity. The same is true for text and chat messages. Even if the sender claims to be you on your new phone.



Update now! Apple fixes several serious vulnerabilities

Apple has released security updates for several products to address a number of serious vulnerabilities, including some actively exploited zero-days. Updates are available for these products:

  • Safari 16.6: macOS Big Sur and macOS Monterey
  • iOS 16.6 and iPadOS 16.6: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
  • iOS 15.7.8 and iPadOS 15.7.8: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
  • macOS Ventura 13.5: macOS Ventura
  • macOS Monterey 12.6.8: macOS Monterey
  • macOS Big Sur 11.7.9: macOS Big Sur
  • tvOS 16.6: Apple TV 4K (all models) and Apple TV HD
  • watchOS 9.6: Apple Watch Series 4 and later

The updates may already have reached you in your regular update routines, but it doesn’t hurt to check if your device is at the latest update level. If a Safari update is available for your device, you can get it by updating or upgrading macOS, iOS, or iPadOS.

How to update your iPhone or iPad.

How to update macOS on Mac.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. Some of the notable CVEs patched in these updates are:

CVE-2023-38606: A vulnerability in the kernel that may allow an app to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1. The exploitation took place as part of a zero-click exploit chain used to install spyware. Such chains are called zero-click because they require no user interaction at all to compromise a device; the victim doesn’t have to open a link or an attachment.

CVE-2023-32409: a WebKit vulnerability. A remote attacker may be able to break out of the Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited. A patch for this vulnerability was issued in May for iOS 16 and iPadOS 16, and is now also available for iOS 15.7.8 and iPadOS 15.7.8.

WebKit is the engine that powers the Safari web browser on Macs as well as all browsers on iOS and iPadOS (all web browsers on iOS and iPadOS are obliged to use it). It also renders web content inside Mail, the App Store, and many other apps on macOS and iOS, which is why a WebKit bug is rarely “just a Safari problem”.

CVE-2023-37450: Another WebKit vulnerability, where processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited, and had already shipped a fix for it earlier this month as a Rapid Security Response (RSR); the full updates now include it.

CVE-2023-32416: a vulnerability in the Find My app which could allow another app to read sensitive location information. This issue was addressed with improved restrictions.
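As an added example (not part of the original article), the following Python script checks a device inventory against the minimum versions listed above, and treats a Rapid Security Response suffix such as “16.5.1 (c)” as not equivalent to the full update, since the RSR only covered the WebKit bug. The version table is taken from the list above; the inventory rows are constructed sample data.

```python
"""Added example (not from the Malwarebytes article): check an Apple device
inventory against the minimum versions that carry the July 2023 fixes.

The minimum versions come from the update list in the article; the inventory
rows are constructed sample data, of the kind an MDM export would give you.
"""
import re

# Minimum fixed version per (platform, major branch). Branches not listed here
# (e.g. iOS 14, macOS 10.15) received no update and are treated as unpatched.
MINIMUM_FIXED = {
    ("iOS", 16): (16, 6),
    ("iPadOS", 16): (16, 6),
    ("iOS", 15): (15, 7, 8),
    ("iPadOS", 15): (15, 7, 8),
    ("macOS", 13): (13, 5),
    ("macOS", 12): (12, 6, 8),
    ("macOS", 11): (11, 7, 9),
    ("tvOS", 16): (16, 6),
    ("watchOS", 9): (9, 6),
}

# "16.5.1 (c)": dotted numbers, optionally followed by an RSR letter in brackets.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:\(([a-z])\))?\s*$")


def parse_version(text):
    """'16.5.1 (c)' -> ((16, 5, 1), 'c'). The letter is a Rapid Security Response."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Apple version string: {text!r}")
    nums = tuple(int(part) for part in m.group(1).split("."))
    return nums, m.group(2)


def _pad(parts, width):
    return parts + (0,) * (width - len(parts))


def is_patched(platform, version_text):
    """True if the installed version is at or above the minimum fixed version
    for its branch. An RSR letter does not substitute for the full update."""
    installed, _rsr = parse_version(version_text)
    minimum = MINIMUM_FIXED.get((platform, installed[0]))
    if minimum is None:
        return False  # no fix exists for this branch: treat as unpatched
    width = max(len(installed), len(minimum))
    return _pad(installed, width) >= _pad(minimum, width)


def unpatched_devices(inventory):
    """Return the names of devices that still need the update."""
    return [name for name, platform, ver in inventory if not is_patched(platform, ver)]


# Constructed sample inventory: (device name, platform, reported version).
SAMPLE_INVENTORY = [
    ("alice-iphone", "iOS", "16.6"),
    ("bob-iphone", "iOS", "16.5.1 (c)"),   # has the RSR, still lacks 16.6
    ("carol-ipad", "iPadOS", "15.7.8"),
    ("dave-ipad", "iPadOS", "15.7.7"),
    ("erin-mbp", "macOS", "13.4.1"),
    ("frank-imac", "macOS", "12.6.8"),
    ("grace-mba", "macOS", "10.15.7"),     # branch no longer receives updates
]

if __name__ == "__main__":
    for name in unpatched_devices(SAMPLE_INVENTORY):
        print("needs update:", name)
```

On a Mac the installed version comes from `sw_vers -productVersion`; on managed iOS devices it is the OS version field of the MDM inventory.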



Tampa General Hospital half thwarts ransomware attack, but still loses patient data

The Tampa General Hospital (TGH) has promised to reach out to individuals whose information has been stolen by a ransomware group.

In a cybersecurity notice, TGH said it noticed unusual activity on its computer systems on May 31, 2023.

“Fortunately, TGH’s monitoring systems and experienced technology professionals effectively prevented encryption, which would have significantly interrupted the hospital’s ability to provide care for patients.”

While that is good news from a healthcare perspective, the ransomware operators did obtain something of value. An investigation found that an unauthorized third party accessed TGH’s network and obtained files from its systems between May 12 and May 30, 2023.

Further investigation showed that some patient information was included. The information varied from person to person, but may have included names, addresses, phone numbers, dates of birth, Social Security numbers (SSNs), health insurance information, medical record numbers, patient account numbers, dates of service and/or limited treatment information used by TGH for its business operations.

According to TGH, the criminals did not access the hospital’s electronic medical record system.

TGH says it is mailing letters to individuals whose information may have been compromised, and will provide complimentary credit monitoring and identity theft protection services to those whose Social Security numbers were accessed.

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of 2FA, such as codes sent by SMS or generated by an app, can be phished just as easily as a password, because the victim can be talked into typing the code into a fake site. 2FA that relies on a FIDO2 device is bound to the genuine site’s origin, so a phishing page can’t replay it.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

Snatch ransomware

On July 18, 2023, Snatch ransomware group claimed responsibility for the data theft on its leak site.

screenshot of the Snatch leak site

At Malwarebytes, we’ve been tracking the Snatch group since 2019. The group is suspected to operate from Russia. Back in 2019, the group stood out because it deployed a somewhat new technique for ransomware which forced the affected machine to reboot into safe mode without networking. Safe mode starts Windows in a basic state, using a limited set of files and drivers. It’s intended for troubleshooting, but since many monitoring and security tools will not run in safe mode, it allowed for an undisturbed and quicker encryption process, and choosing the “without networking” variant also cut administrators off from the system. The Snatch ransomware added itself as a service that was permitted to run in safe mode. The group no longer appears to use that method.

Their most common attack vectors include brute-force attacks against vulnerable, exposed services such as RDP, VNC (Virtual Network Computing), and TeamViewer. Programmed in Go, the ransomware component is separate from the data stealer. We have not seen the multi-platform capabilities of Go put to use, and only Windows machines are affected.
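As an added example (not part of the original article), here is detection logic for the safe-mode trick described above, run over constructed process-creation records. On Windows, a host boots into safe mode without networking when its boot configuration carries “safeboot minimal”, and only services registered under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal (or \Network) start in that mode; the rules below match those two generic mechanisms and correlate them per host. The exact commands Snatch used are not given on the page, so the patterns are an assumption about how the technique is implemented, not a copy of the group’s tooling.

```python
"""Added example (not from the article): flag command lines that set a Windows
host up to reboot into Safe Mode and keep a service running there.

Windows boots into Safe Mode without networking when the BCD store carries
'safeboot minimal', and only services listed under
HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal (or \\Network) start
in that mode. The log lines below are constructed; the exact commands Snatch
ran are not given on the page, so the rules cover the generic mechanism.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records (the fields you would take from
# Sysmon event 1 or Security event 4688).
SAMPLE_LOG = [
    '2023-05-30T01:12:03Z host=FS01 user=CORP\\svc_backup cmd="reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\UpdaterSvc /ve /d Service /f"',
    '2023-05-30T01:12:09Z host=FS01 user=CORP\\svc_backup cmd="bcdedit /set {current} safeboot minimal"',
    '2023-05-30T01:12:15Z host=FS01 user=CORP\\svc_backup cmd="shutdown /r /t 0 /f"',
    '2023-05-30T01:30:00Z host=WS17 user=CORP\\jdoe cmd="bcdedit /enum"',
    # An admin troubleshooting a driver: safe mode requested, but no service registered.
    '2023-05-30T02:05:41Z host=WS22 user=CORP\\helpdesk cmd="bcdedit /set {current} safeboot network"',
]

LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>.*)"$')

RULES = [
    # Next boot goes to Safe Mode (minimal = no networking, network = with networking).
    ("safeboot_set", re.compile(r"\bbcdedit(?:\.exe)?\b.*/set\b.*\bsafeboot\s+(?:minimal|network)\b", re.I)),
    # A service or driver is being registered to start inside Safe Mode.
    ("safeboot_service", re.compile(r"\\SafeBoot\\(?:Minimal|Network)\\", re.I)),
    # Forced reboot, normally the last step of the sequence.
    ("reboot", re.compile(r"\bshutdown(?:\.exe)?\b.*(?:/r|-r)\b", re.I)),
]


def tag_line(line):
    """Parse one record and attach the rule tags matching its command line; None if nothing matches."""
    m = LINE_RE.match(line)
    if not m:
        return None
    tags = [tag for tag, pattern in RULES if pattern.search(m["cmd"])]
    if not tags:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"], "user": m["user"], "cmd": m["cmd"], "tags": tags}


def find_safeboot_chains(lines, window=timedelta(minutes=15)):
    """Return (host, first_ts, [commands]) for each host where a safeboot_set and a
    safeboot_service event fall within `window` of each other. A lone safeboot_set
    is routine admin activity; the pair is what characterises the ransomware trick."""
    per_host = defaultdict(list)
    for line in lines:
        event = tag_line(line)
        if event:
            per_host[event["host"]].append(event)
    alerts = []
    for host, events in per_host.items():
        events.sort(key=lambda e: e["ts"])
        for event in events:
            if "safeboot_set" not in event["tags"]:
                continue
            nearby = [e for e in events if abs(e["ts"] - event["ts"]) <= window]
            if any("safeboot_service" in e["tags"] for e in nearby):
                alerts.append((host, nearby[0]["ts"], [e["cmd"] for e in nearby]))
                break
    return alerts


if __name__ == "__main__":
    for host, ts, cmds in find_safeboot_chains(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {host}: safe-mode persistence chain")
        for cmd in cmds:
            print("   ", cmd)
```

The correlation window matters more than the individual patterns: `bcdedit /set ... safeboot` on its own is something help desks legitimately do, but a service registration under the SafeBoot key followed by a forced reboot within minutes is worth an alert, and if the host then stops reporting (safe mode without networking), that silence is the confirmation.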

Malwarebytes detects the Snatch ransomware as Ransom.Snatch.

screenshot of Malwarebytes detecting Ransom.Snatch

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


A week in security (July 17 – 23)

Last week on Malwarebytes Labs:

Stay safe!



Estée Lauder targeted by Cl0p and BlackCat ransomware groups

Estée Lauder is currently at the heart of a compromise storm, having revealed a major security incident via a Securities and Exchange Commission (SEC) filing on Tuesday.

Although no detailed explanation of what has taken place is given, there is confirmation that an attack allowed access to some systems and involved potential data exfiltration. Meanwhile, two ransomware groups are taking credit for compromises unrelated to one another. Is one of the compromises the attack mentioned in the filing? It’s worth mentioning here that Estée Lauder does not name either ransomware group. With this in mind, the relevant section from the filing reads as follows:

The Estée Lauder Companies Inc. (NYSE: EL) has identified a cybersecurity incident, which involves an unauthorized third party that has gained access to some of the Company’s systems.  After becoming aware of the incident, the Company proactively took down some of its systems and promptly began an investigation with the assistance of leading third-party cybersecurity experts. The Company is also coordinating with law enforcement.  Based on the current status of the investigation, the Company believes the unauthorized party obtained some data from its systems, and the Company is working to understand the nature and scope of that data.

The Company is implementing measures to secure its business operations and will continue taking additional steps as appropriate. During this ongoing incident, the Company is focused on remediation, including efforts to restore impacted systems and services. The incident has caused, and is expected to continue to cause, disruption to parts of the Company’s business operations.

Bleeping Computer notes that the ALPHV/BlackCat and Cl0p groups are claiming responsibility for the two unrelated ransomware compromises specifically. Worse, both ransomware groups have what they claim to be Estée Lauder data up for grabs on their leak portals.

If you’re unfamiliar with such sites, they’re places where ransomware groups store stolen data. The compromised organisation is then threatened with the data being made public, traded, or sold off to the highest bidder unless a ransom is paid. This is a common tactic in so-called “double extortion” ransomware, where the encrypting of devices is merely the first step to extracting money.

The Cl0p group claims to have somewhere in the region of 131GB of data to hand. Meanwhile BlackCat is complaining of the lack of communication from Estée Lauder, sending multiple emails but receiving no replies. It also claims to still have network access despite various attempts to secure the network.

Supposedly, the information taken could “impact customers, employees, and suppliers”. There are no further details on the contents at this time. Regular readers will know that these attacks typically target confidential information, company secrets, personal data, payroll, and identity scans. The attackers could be bluffing, or it really could be as bad as they claim. We’ll have to wait and see.

The Cl0p compromise is said to have made use of a MOVEit Transfer vulnerability to gain access to the target systems. Both Cl0p and BlackCat tend to feature heavily in our ransomware review posts. In our June post, Cl0p was the most active group around with BlackCat falling suspiciously quiet. Perhaps it was focusing on heavy-hitter attacks such as this the whole time.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


CISA: You’ve got two weeks to patch Citrix NetScaler vulnerability CVE-2023-3519

The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical unauthenticated remote code execution (RCE) vulnerability in Citrix NetScaler ADC and Citrix NetScaler Gateway to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by August 9, 2023 to protect their networks against active threats. We urge everyone else to take it seriously too.

The recommended actions are to apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. Given the active exploitation, we would advise to do this as soon as possible.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The actively exploited CVE patched in this update is CVE-2023-3519, a Citrix NetScaler ADC and NetScaler Gateway code injection vulnerability with a CVSS score of 9.8 out of 10. The vulnerability can lead to unauthenticated RCE. It affects appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication, authorization and accounting (AAA) virtual server.

Little information has been made available about the campaign that is exploiting this vulnerability. What we do know is that the criminals use web shells—a script that can be used by an attacker to run remote commands and maintain persistent access on an already compromised system. CISA has released a cybersecurity advisory about the tactics, techniques, and procedures (TTPs) of the currently active campaign.

Reportedly, there are around 38,000 Citrix Gateway appliances exposed to the public Internet and exploits against Citrix ADC have been discussed, including the sale of a Remote Code Execution (RCE) exploit, on a cybercrime forum.

Citrix acknowledges the urgency by stating:

“Exploits of CVE-2023-3519 on unmitigated appliances have been observed. Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.”

The security bulletin by Citrix about this vulnerability includes two more vulnerabilities. The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities:

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-55.297
  • NetScaler ADC 12.1-NDcPP before 12.1-55.297

Citrix notes that NetScaler ADC and NetScaler Gateway version 12.1 have reached the end-of-life stage and customers should upgrade to a newer variant of the product.

Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.
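As an added example (not from the article or from Citrix), the following Python script turns the affected-version list above into a check you can run over an appliance inventory. It accepts both the “13.1-49.13” form used in the bulletin and the “NS13.1: Build 49.13.nc” form that `show ns version` prints on the appliance. The variant (standard, FIPS or NDcPP) is passed in separately, on the assumption that you take it from the licence or hardware record, because the version line alone does not identify it.

```python
"""Added example (not from the article or from Citrix): decide whether a
NetScaler ADC / Gateway build is older than the fixed builds in the bulletin
quoted above.

Accepts both the '13.1-49.13' form used in the bulletin and the
'NS13.1: Build 49.13.nc' form that `show ns version` prints. The variant
(standard, FIPS or NDcPP) is passed in separately (assumption: taken from the
licence/hardware record), since the version line alone does not identify it.
"""
import re

# (branch, variant) -> first fixed build, from the affected-version list above.
FIXED_BUILDS = {
    ("13.1", "standard"): (49, 13),
    ("13.0", "standard"): (91, 13),
    ("13.1", "FIPS"): (37, 159),
    ("12.1", "FIPS"): (55, 297),
    ("12.1", "NDcPP"): (55, 297),
}
# Standard 12.1 is end-of-life: there is no fixed build, upgrade instead.
END_OF_LIFE = {("12.1", "standard")}

_VER_RE = re.compile(r"(?:NS)?(?P<branch>\d{2}\.\d)(?:-|:\s*Build\s*)(?P<build>\d+\.\d+)", re.I)


def parse_ns_version(text):
    """'NetScaler NS13.1: Build 48.47.nc' -> ('13.1', (48, 47))."""
    m = _VER_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {text!r}")
    major, minor = m["build"].split(".")
    return m["branch"], (int(major), int(minor))


def assess(version_text, variant="standard"):
    """'patched', 'vulnerable', 'end-of-life' or 'not-in-bulletin'."""
    branch, build = parse_ns_version(version_text)
    if (branch, variant) in END_OF_LIFE:
        return "end-of-life"
    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is None:
        return "not-in-bulletin"   # branch/variant the bulletin does not list
    return "patched" if build >= fixed else "vulnerable"


def triage(appliances):
    """appliances: iterable of (name, version_text, variant). Returns those needing work."""
    needs_work = []
    for name, version_text, variant in appliances:
        verdict = assess(version_text, variant)
        if verdict != "patched":
            needs_work.append((name, verdict))
    return needs_work


# Constructed sample inventory.
SAMPLE_APPLIANCES = [
    ("gw-dc1", "NetScaler NS13.1: Build 48.47.nc, Date: May 24 2023", "standard"),
    ("gw-dc2", "NS13.1: Build 49.13.nc", "standard"),
    ("adc-legacy", "12.1-65.39", "standard"),
    ("adc-fips", "12.1-55.296", "FIPS"),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_APPLIANCES):
        print(f"{name}: {verdict}")
```

Two caveats when reading the output: the build number says whether the fix is installed, not whether the appliance was exploitable (that additionally requires a Gateway or AAA virtual server configuration), and a build that is now patched says nothing about whether a web shell was dropped before the patch landed, which is what the CISA advisory’s checks are for.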

Malwarebytes blocks the IP addresses that are known indicators of compromise (IoCs) for the active campaign exploiting this vulnerability:

  • 216.41.162.172
  • 216.51.171.17

For administrators that would like to see whether their instance has been compromised and what they should do about it, I found this checklist.



Amazon in-van delivery driver footage makes its way online

Footage from technology used to monitor Amazon delivery drivers is leaking onto the internet. AI-enabled equipment which keeps an eye on the drivers’ speed, location, and other activities is part of the growing trend of workplace surveillance. In theory where drivers are concerned it could flag a lack of seat belt, or running red lights.

In practice the drivers aren’t too keen and insist that the companies using this tech can trust them without having a camera in their face all day long. There are other privacy issues to consider too.

When you receive a delivery nowadays, it’s not unusual for drivers to take a photo at the doorstep. You may or may not be present when these images are taken, but you’ll often see them on the web-based “parcel delivered” status page. If you’re lucky, your pyjamas are safely out of shot.

You may have wondered about the privacy issues related to these photographs. On the one hand, they’re attached to a URL online somewhere and they sometimes have your house number in shot. On the other hand, there’s a good chance nobody cares, those parcel delivered links tend to be temporary, and you’re not posing and waving alongside your delivery.

Why does this matter? Well, filmed footage takes in a lot more than a static, split-second shot of your doorstep. If a camera is rolling when a delivery person reaches your home, you could end up in the video footage or even just via the recorded audio should it exist. Ever had a casual chat with your driver? It could be in one of these recordings somewhere.

The cameras used are able to record both road and driver, with Vice reporting that drivers must consent to their biometric data being collected so their actions can be recorded “properly”. Despite this, there are examples of the cameras incorrectly penalising drivers.

Meanwhile the current clips are leaking to sites like Reddit, and nobody is sure who is doing it for the most part. Drivers claim they don’t have access to the footage: only Amazon, the technology maker, and the delivery service partner (DSP) which is the firm making the actual delivery.

On the Subreddit in question, drivers confirm that there is no live feed, but “dispatchers” on the other end can check-in, and drivers can request a pull up of specific footage as seems to be the case in this example. Whether the footage should be requested and dropped online is a different question. With drivers already worried about potential privacy issues of clips making their way to the internet, it’s probably not helpful if some drivers are contributing to the steady flow.

This isn’t the first time footage has appeared online, even if it seems to be more common now. Back in February of this year, one driver shared details of the AI system tracking her movements in a TikTok video which went viral. In that instance, she described the van’s four cameras (one forward facing, two on the side, and one facing her) and how they work together to “ding” her with a violation should she do something against the rules. She also references a driver receiving a “distracted driver violation” for itching his beard, which the system took for him using a phone while driving. Drivers can contest these supposed violations, but it all gives the impression of a system somewhat at war with itself.

Amazon’s stance on this technology is clear: It’s a valuable and necessary tool to ensure drivers are doing the right thing and not causing problems for other drivers. From Amazon’s comments to Business Insider:

“The safety technology in delivery vans help keep drivers and the communities where we deliver safe, and claims that these cameras are intended for anything else are incorrect. Since we started using them, we’ve seen a 35% reduction in collision rates across the network along with a reduction in distracted driving, speeding, tailgating, sign and signal violations, and drivers not wearing their seatbelts.”

As for people receiving the packages, this is more of a problem for drivers than the recipients for the most part. However, it would be a shame if this ends up encouraging a lack of interaction with the folks bringing you your packages on a daily basis. 



Accidental VirusTotal upload is a valuable reminder to double check what you share

A document accidentally uploaded to Google’s VirusTotal service has resulted in the potential exposure of defence and intelligence agency names and email addresses. The service, used to scan files for signs of potential malicious activity, is used by security professionals and folks just interested in the files making their way to their systems.

The list makes up roughly 5,600 of the site’s customers, and identifies multiple security-centric entities. The Record cites individuals affiliated with the NSA, FBI, Pentagon, and other US military service branches. Meanwhile, the UK tally includes “a dozen Ministry of Defence personnel”, and emails tied to CERT-UK/National Cyber Security Centre, a part of the UK’s Government Communications Headquarters (GCHQ).

Sadly the emails listed are not entirely anonymous. There are full names tied to emails from the Ministry of Defence, Pensions Regulator, and the Cabinet Office, among others.

The file was removed by VirusTotal within an hour of it being uploaded. Commentary from some of the impacted organisations suggests this isn’t that big of a deal. The UK’s Ministry of Defence told The Record that they consider the data to be non-sensitive, and also low risk. This is of course good news, and much better than everyone running around yelling that the sky is falling.

While there is some element of risk here, it’s important not to get carried away. Someone genuinely determined to pull up a name or email address can usually do it by checking relevant websites or simply asking around. After all, what use is an email address if you can’t email people?

As for VirusTotal itself, submitted files can be shared and analysed via the security organisations tied to the scanning service. The results are often findable online via search engine, or hunting for specific file characteristics while on the VirusTotal website. You may also sometimes see VirusTotal pages linked directly from security blogs such as our own. Accidents of this nature tend to come about because folks making use of the service don’t quite realise the way data is used once submitted.

In March of last year, semi-automated uploads to VirusTotal were flagged by the German Bundesamt für Sicherheit in der Informationstechnik (BSI), the Federal Office for Information Security. In some cases, the documents being uploaded were confidential and should not have made their way to the VirusTotal service.

As we said at the time, files uploaded are not only shared with the 70 or so security vendors making up the bulk of the visible scanning service. They’re also potentially accessible to those making use of the premium features. If you make a mistake when uploading, it could be a costly one. In fact, a mistake uploading can be costly anywhere.

I’d be surprised if there’s anyone reading this who hasn’t, at some point, hit publish when they shouldn’t have, mailed a file that should have stayed where it is, or posted a message publicly when it was supposed to be private. It happens!

There is almost never a need to rush a process, and plenty of need to double check whatever you happen to have in the “about to send” box. Some organisations will restrict what can (and cannot) be uploaded. In most cases though, the onus will be on the uploader to get it right the first time.

We have some tips with regard to VirusTotal below:

Receivers:

  • If you are in the least bit uncertain about the safety of an attachment, contact the sender and ask them about it.
  • Don’t use VirusTotal if you want to check whether an attachment is malicious. The result is not conclusive and you may breach confidentiality.
  • Never click on links in emails or email attachments.
  • Never click “Enable Editing” or “Enable Content” in a document unless the sender has personally assured you it is safe.

Senders:

  • Only use attachments that could be perceived as dangerous when it’s absolutely necessary.
  • Inform recipients about the fact that you are sending them an attachment and for what reason.
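As an added example (not the article’s own advice or code), here is how a recipient can still make use of VirusTotal without sharing anything: look the file up by its SHA-256 hash, and refuse to go any further if the content looks like an internal document. Only the hash-lookup endpoint of the VirusTotal v3 API (GET /api/v3/files/<sha256>, authenticated with the x-apikey header) is used, so the file contents never leave the machine; the sensitivity markers and internal mail domains are assumptions to adapt to your own organisation, and the upload path is deliberately left unimplemented.

```python
"""Added example (not from the article): check a suspicious file against
VirusTotal without uploading it, and refuse to upload anything that looks
like an internal document.

Only the hash-lookup endpoint of the VirusTotal v3 API is used
(GET /api/v3/files/<sha256>, authenticated with the x-apikey header); nothing
here submits file contents. The markers and internal domains are assumptions
to adapt to your own organisation.
"""
import hashlib
import json
import re
import urllib.error
import urllib.request

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"

SENSITIVE_MARKERS = [b"CONFIDENTIAL", b"OFFICIAL-SENSITIVE", b"INTERNAL USE ONLY"]  # assumed markers
INTERNAL_DOMAINS = ["example.gov.uk", "corp.example.com"]                          # assumed internal mail domains
_EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sensitivity_reasons(data, markers=SENSITIVE_MARKERS, internal_domains=INTERNAL_DOMAINS):
    """Reasons the content should not leave the organisation; empty list if nothing was found.
    Runs on raw bytes, so compressed or encrypted formats (docx, pdf streams) need
    extracting first: treat an empty result as 'nothing obvious', not 'safe'."""
    reasons = []
    for marker in markers:
        if marker in data:
            reasons.append(f"contains marker {marker.decode()!r}")
    domains = {m.group(1).decode().lower() for m in _EMAIL_RE.finditer(data)}
    hits = sorted(d for d in domains
                  if any(d == i or d.endswith("." + i) for i in internal_domains))
    if hits:
        reasons.append("contains internal addresses at " + ", ".join(hits))
    return reasons


def build_hash_lookup(sha256_hex, api_key):
    """Request for a lookup by hash; it never carries the file itself."""
    return urllib.request.Request(VT_FILES_URL + sha256_hex,
                                  headers={"x-apikey": api_key}, method="GET")


def summarise_report(report_json):
    """Reduce a /files/<hash> response to (malicious, suspicious, total) engine counts."""
    stats = report_json["data"]["attributes"]["last_analysis_stats"]
    return stats.get("malicious", 0), stats.get("suspicious", 0), sum(stats.values())


def check_file(path, api_key):
    """Hash-only verdict for a file on disk. Returns a short human-readable string."""
    with open(path, "rb") as fh:
        data = fh.read()
    reasons = sensitivity_reasons(data)
    if reasons:
        return "do not upload: " + "; ".join(reasons)
    request = build_hash_lookup(sha256_of_bytes(data), api_key)
    try:
        with urllib.request.urlopen(request, timeout=15) as resp:
            malicious, suspicious, total = summarise_report(json.load(resp))
        return f"known to VirusTotal: {malicious} malicious, {suspicious} suspicious of {total} engines"
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return "unknown to VirusTotal (no upload performed); ask the sender about it"
        raise
```

A 404 from the hash lookup is the interesting case: it means nobody has submitted that exact file, which for an unsolicited attachment is a reason to phone the sender, not a reason to upload it.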


Google fixes “Bad.Build” Cloud Build flaw, researchers say it’s not enough

Researchers at Orca Security have found a design flaw in the Google Cloud Build service. An attacker would have been able to escalate privileges and gain unauthorized access to code repositories in Google’s Artifact Registry.

The researchers dubbed the vulnerability Bad.Build and say it could have far reaching consequences comparable to supply chain attacks like those caused by exploitation of flaws in 3CX, MOVEit, and SolarWinds.

The vulnerability was fixed in June and according to Google no further user action is required. But the security researchers claim that Google’s fix only limits the discovered Privilege Escalation (PE) vector and organizations are still vulnerable to the larger supply chain risk.

Since the researchers go on to explain how the Bad.Build design flaw can be exploited, users of Google Cloud Build are advised to take action. We’ll tell you what to do below (under Mitigation).

First, let’s have a look at the problem.

In traditional software development, programmers code an application in one computing environment only to find bugs or errors when deployed in another environment. To account for this, developers bundle their application together with all its related configuration files, libraries, and dependencies required to run in containers hosted in the cloud. This method is called containerization.

Google Cloud Build is a managed continuous integration and delivery (CI/CD) service provided by Google Cloud that makes it easy to build container images and push them to the cloud. Cloud Build also provides pre-built images that you can reference in a Cloud Build config file to execute your tasks.

The Artifact Registry provides an overview of the packages you use while continuously monitoring and updating the state of those artifacts. This provides insight and control over the packages, images, and other dependencies used in your software development and delivery process.

The flaw uncovered by the researchers enables the impersonation of the default Cloud Build service account. By exploiting the flaw, an attacker can manipulate images in Google’s Artifact Registry and inject malicious code. If these images are intended to be used by customers of the supplying organization, the risk crosses from the supplying organization’s environment to their customers’ environments, constituting a supply chain attack.

When notified about the problem, Google revoked the logging.privateLogEntries.list IAM permission from the default Cloud Build service account, in line with the security principle of least privilege. When you enable the Cloud Build API in a project, Cloud Build automatically creates this default service account to execute builds on your behalf. It previously held that permission, which let any build list private log entries by default. The revoked permission, however, has nothing to do with Artifact Registry, and the service account’s Artifact Registry permissions were left in place.

As a result, an attacker who can run a build as that service account can still use its artifactregistry permissions to download and exfiltrate an image that is in use inside Google Kubernetes Engine (GKE), inject malicious code into the image, and push it back to Artifact Registry, from where it is deployed to GKE once again. Once the malicious image is running, the attacker can execute code in the Docker container as root.

Mitigation

If the researchers made one thing clear, it is that organizations must pay close attention to the permissions and behavior of the default Google Cloud Build service account. Some important elements to keep in mind:

  • Principle of least privilege. Limit permissions to what’s needed and keep track of given permissions.
  • Implement cloud detection and response. If something goes wrong, it’s important to learn about it as early as possible.
  • Prioritize risks, but don’t lose sight of the fact that two or more seemingly harmless vulnerabilities can be chained into a serious attack.

Google disputed Orca Security’s assessment, explaining that the access given to service accounts is the “nature of automated systems that run independently,” but both agreed that it’s important to check permissions and adjust them as you see fit, depending on your threat model.
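The check that both Google and the researchers recommend, auditing what the default Cloud Build service account is allowed to do and making sure your builds don’t run as it, can be scripted. The following is an added example written for this article; it is not code from Orca Security or Google. It reads a project IAM policy in the JSON form that `gcloud projects get-iam-policy PROJECT_ID --format=json` emits, flags bindings that give the default account (`<PROJECT_NUMBER>@cloudbuild.gserviceaccount.com`) roles that carry Artifact Registry write access or broader, and inspects a Cloud Build config (JSON form of cloudbuild.yaml) for a missing or default `serviceAccount`. The list of risky roles, the sample policy, the project number, and the account and repository names are assumptions constructed for the example; tune the role list to your own environment.

```python
"""Audit a Google Cloud project for an over-privileged default Cloud Build service account.

Input: the JSON from `gcloud projects get-iam-policy PROJECT_ID --format=json`
and, optionally, a Cloud Build config in JSON form (cloudbuild.json).
Added example for this article; not Google's or Orca Security's code.
"""
import re

# Cloud Build creates this account when the Cloud Build API is enabled in a project.
DEFAULT_SA_EMAIL = re.compile(r"^\d+@cloudbuild\.gserviceaccount\.com$")

# Roles on the default build account that hand a compromised build the reach the
# Bad.Build research describes. roles/cloudbuild.builds.builder is the role Google
# grants by default and includes Artifact Registry write permissions; the others are
# broad grants that are common in practice. Assumption: extend this set for your project.
RISKY_ROLES = {
    "roles/cloudbuild.builds.builder",
    "roles/artifactregistry.writer",
    "roles/artifactregistry.repoAdmin",
    "roles/artifactregistry.admin",
    "roles/editor",
    "roles/owner",
}


def is_default_cloud_build_sa(member: str) -> bool:
    """True for IAM members of the form serviceAccount:<PROJECT_NUMBER>@cloudbuild.gserviceaccount.com."""
    kind, _, email = member.partition(":")
    return kind == "serviceAccount" and DEFAULT_SA_EMAIL.match(email) is not None


def audit_policy(policy: dict) -> list[dict]:
    """Return one finding per (default Cloud Build SA, risky role) binding in a project IAM policy."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in RISKY_ROLES:
            continue
        for member in binding.get("members", []):
            if is_default_cloud_build_sa(member):
                findings.append({"member": member, "role": role,
                                 "condition": binding.get("condition")})
    return findings


def check_build_config(config: dict) -> list[str]:
    """Flag a Cloud Build config whose builds would run as the default service account."""
    problems = []
    sa = config.get("serviceAccount")  # format: projects/PROJECT_ID/serviceAccounts/EMAIL
    if not sa:
        problems.append("no serviceAccount set: builds run as the default Cloud Build service account")
    elif is_default_cloud_build_sa("serviceAccount:" + sa.rsplit("/", 1)[-1]):
        problems.append(f"serviceAccount {sa!r} is the default Cloud Build service account")
    return problems


# Constructed sample data, not a real project; the project number and names are made up.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/cloudbuild.builds.builder",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/artifactregistry.writer",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com",
                     "serviceAccount:ci-builder@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["user:alice@example.com"]},
    ]
}

# A build config pinned to a dedicated, narrowly scoped account (hypothetical names).
# A user-specified account needs its log destination set explicitly, hence options.logging.
SAMPLE_BUILD_OK = {
    "steps": [{"name": "gcr.io/cloud-builders/docker",
               "args": ["build", "-t", "us-docker.pkg.dev/example-project/app/web:$SHORT_SHA", "."]}],
    "serviceAccount": "projects/example-project/serviceAccounts/ci-builder@example-project.iam.gserviceaccount.com",
    "options": {"logging": "CLOUD_LOGGING_ONLY"},
}
# The same steps with no serviceAccount: Cloud Build falls back to the default account.
SAMPLE_BUILD_DEFAULT = {"steps": SAMPLE_BUILD_OK["steps"]}


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(f"default Cloud Build SA {finding['member']} holds {finding['role']}")
    for label, cfg in (("pinned", SAMPLE_BUILD_OK), ("default", SAMPLE_BUILD_DEFAULT)):
        print(label, check_build_config(cfg) or ["uses a dedicated service account"])
```

Running the script on the constructed policy reports the two risky bindings held by the default account and flags the config that omits `serviceAccount`. The remediation is the one the article’s mitigation list implies: move builds onto a dedicated service account that holds only the roles each pipeline needs, then remove the broad roles from the default account and re-run the audit to confirm nothing was missed.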



Plane sailing for ticket scammers: How to keep your flight plans safe

You may be getting ready to jump on a plane and head off for a few days or weeks of rest and relaxation. So the last thing you need before flying is a technology related horror show. Sadly, scammers are aware of families getting ready to hit the skies, and have tailored their threats accordingly. Several trip-related scams are doing the rounds right now, and we’re going to highlight some of the more prevalent ones.

Fake customer support on social media is one current major area of concern. This is often aimed at banking customers looking for assistance. The risk of this has increased since Twitter started charging for blue checkmarks, as many legitimate accounts now sport no visible means of authentication. 

With popular airline easyJet cancelling 1,700 flights between July and September due to air traffic control delays, fraudsters have been busy creating fake support accounts. For people stuck in an airport and hearing the flight is off, or getting ready to make the trip, their first reaction may be to hop onto social media for breaking advice and information.

Bogus airline accounts are directing potential victims to fake airline websites and other portals in an effort to steal credentials (and most likely any payment data they can scoop up along the way). There are currently somewhere in the realm of 100+ Twitter accounts using the easyJet branding. Of those, at least two have a gold verified check mark, which is used exclusively for approved business accounts. Here’s the main easyJet account, for example.

The rest are a combination of “temporarily restricted” accounts, accounts set to private (and so not visible to non-followers), private individuals, video game themed(!), and more. Many of the accounts claim to be customer support and ask Twitter users to send them their mobile number for assistance. If you’re not talking to the verified account, or directed somewhere by that account, you may end up running into trouble.

Meanwhile, scammers elsewhere are targeting folks looking to dodge some of the Arizona heat. Phony travel agents lie in wait with fake websites and non-existent plane tickets. These sites appear in search engine results or random emails promising fantastic prices. Once you’ve paid and turned up on the day of the flight, or even just tried to check in online the day before, you’re in for a nasty surprise.

The fraudster has merely reserved a seat, as opposed to booking the desired ticket. Meanwhile, they were off using your payment details to try and buy who knows what. A fraught call to your bank or credit card’s customer service department now beckons.

If you’re looking for good deals, airlines and travel agents will be able to direct you to legitimate ticket sources. If you stumble upon a site you’ve not heard of, look up reviews and keep an eye out for any reference to wrongdoing. One word of caution: you may have to check the legitimacy of the reviews, too.

A final warning: be careful what you post online. We’ve previously talked about how posting a photograph of your home environment can reveal important information: an envelope with your address on it, a box with your full name, even being geolocated because of traceable landmarks outside your window. The same warning applies to your airplane tickets. If you’re getting into the holiday swing of things, keep all the small bits and pieces of data related to your trip out of shot. Using the information on your boarding pass, or even your passport, people up to no good can get a good handle on who you are and what you’re doing.

If you’re revealing your name, frequent flyer number, and passport information online then you’re a possible meal ticket for scammers. This isn’t even necessarily a case of stealing your banking data. They can potentially social engineer their way into accessing your account under the guise of you having “forgotten” your login details. Maybe they’ll sell your frequent flyer account on, or do something else to cause you a headache. They may even just wait a few months and then send a targeted phish. The sky really is the limit with scams, so keep your personal info private.

