Archive for Google

Google Issues A Warning About A Threat Actor Going After Salesforce Data

Posted in Commentary with tags on June 4, 2025 by itnerd

Threat actor “UNC6040” is impersonating IT support personnel at organizations via vishing (voice phishing) attacks to trick employees into granting them access to sensitive credentials, ultimately facilitating the theft of an organization’s Salesforce data.

Google has put out a warning about this which you can read here: https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion

James McQuiggan, security awareness advocate at KnowBe4, commented:

“You wouldn’t blindly open your front door to a stranger, so we must consider whether you should pick up the phone and trust the voice on the other end. Ask yourself: Were you expecting this call?

“Think about it. If someone knocked at your door and you weren’t expecting anyone, would you swing it open? Probably not. Most of us would peek through the window, check the camera, or at least ask, “Who is it?” The phone shouldn’t be any different. If you weren’t expecting a call from your IT support team, cloud service provider, or a software vendor, don’t assume the call is real. Cybercriminals are banking on that assumption. They’re hoping you’ll pick up the phone and follow instructions without pausing to think. If you do pick up, always verify. Sometimes, we do answer the door. The same goes for the phone. But once the conversation starts, stay skeptical. If the caller says they’re from a tech company and need access to your system, pause. Ask for their name, case number, and callback number. Then, hang up. Go to the company’s official support page or contact your tech team using another communication method. Contact them directly. See if there’s a case with your name on it. Assuredly, there isn’t.

Remember: legitimate tech companies don’t call you to fix an issue with your computer or application. That’s not how it works.

“There’s often a moment of hesitation. You don’t want to seem rude. You think, “What if this is real?” But being polite shouldn’t cost you your security when it comes to your data and username or password. Hanging up isn’t rude. It’s responsible.

Treat unexpected phone calls like you treat an unexpected knock at your door. Stop. Look. Verify. And if something feels off, it probably is. Stay cautious. Stay curious. And remember, security starts with a simple question: “Do I know who’s calling?””

Any organization that uses Salesforce should heed Google’s warnings and take action to educate their users so that they are not victims of this campaign. And I think it’s safe to say that we’ll be seeing more of this type of campaign going forward as threat actors wouldn’t do this if it were not effective.

Google Uncovers New LOSTKEYS Malware Linked to Russia-Based Hacker

Posted in Commentary with tags on May 7, 2025 by itnerd

Google has uncovered a new piece of malware called LOSTKEYS, attributed to the Russian government-backed threat group Cold River (also known as UNC4057, Star Blizzard, and Callisto). The group is capable of stealing files from a hard-coded list of extensions and directories, along with sending system information and running processes to the attacker. LOSTKEYS marks a new development in the toolset of Cold River, a group primarily known for credential phishing against high-profile targets like NATO governments, non-governmental organizations (NGOs), and former intelligence and diplomatic officers.

More info can be found here: https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-documents-western-targets-ngos

Erich Kron, security awareness advocate at cybersecurity firm KnowBe4, commented:

“There can be no doubt that intelligence gathering and cyber warfare is taking place at the nation-state level and will probably do so for the foreseeable future. This is simply the digital version of a spy sneaking in a micro camera and taking pictures of sensitive information and then providing it to whomever they work for. While these attacks are targeting mostly non-governmental organizations (NGOs), many of them do have ties to government agencies and could have information useful to that government’s adversaries.

“Because it seems they prefer tactics such as social engineering through email phishing, organizations should ensure that they have a well implemented human risk management (HRM) program in place that includes training and education to help employees fend off social engineering attacks.”

The human element is always the weakest point. Thus, improving it would go a long way toward heading off attacks.

UPDATE: Another comment has come in from Darren Siegel, Lead Sales Engineer at Outpost24:

“This is yet another example showing that credential theft is an ongoing area of risk, as even the strongest passwords can be captured by this kind of malware attack. While obviously the ideal outcome here would be to prevent such attacks from occurring in the first place, it underscores the need for organizations to implement continuous monitoring for compromised credentials, ideally using tools that are informed by threat intelligence that can quickly identify and respond to new breaches.”

Fraudsters Abuse Google Forms via Phishing to Steal Logins

Posted in Commentary with tags on April 23, 2025 by itnerd

According to researchers, fraudsters are abusing Google Forms via phishing campaigns that steal email logins. You can read more here: https://www.welivesecurity.com/en/scams/how-fraudsters-abuse-google-forms-spread-scams/

Here’s the TL;DR:

Malicious actors are always looking for ways to add legitimacy to scams and evade email security filters. Google Forms offers a great opportunity to do both. It is favored by cybercriminals because it is:

  • Free, meaning threat actors can launch campaigns at scale with a potentially lucrative return on their investment
  • Trusted by users, which increases the chances of victims believing that the Google Form they’re being sent or redirected to is legitimate
  • A legitimate service, meaning that malicious Google Forms and links to malicious forms are often waved through by traditional email security tools
  • Easy to use, which is good for users but also handy for cybercriminals – meaning they can launch convincing phishing campaigns with very little effort or prior knowledge of the tool

Cybercriminals also take advantage of the fact that Google Forms communications are encrypted with TLS, which may make it harder for security tools to peer in and check for any malicious activity. Similarly, the solution often uses dynamic URLs, which may make it challenging for some email security filters to spot malicious forms.

Roger Grimes, data-driven defense evangelist at KnowBe4, commented:

“All public services, like Google Forms, need to be better at defeating phishing attempts that use their product. I think most people can easily come up with a dozen signs that they can easily see in a message that indicates a scam. These services need to be doing more to fight cybercriminals using their products to conduct scams. Because they don’t, it causes trust issues and lessens the value of those products. Each of these services will tell you that they are already spending a bazillion dollars and lots of resources to fight scammers, but they simply aren’t doing enough. They are letting the revenue they are making by being bad at spotting cybercriminals get in the way of them better detecting and spotting scammers. It’s a business decision. One that isn’t being made correctly by many service providers and it’s unfortunate.”

This isn’t the first time that I’ve seen Google Forms used for nefarious purposes. And to Google’s credit, when I’ve reported a dodgy form, they’ve been quick to take it down. But it often pops up again in hours or days. I am not sure how Google addresses this, but they do need to address it.

Google OAuth Abused by Phishers to Spoof Google in DKIM Replay Attack

Posted in Commentary with tags on April 21, 2025 by itnerd

In a novel attack, hackers are sending fake emails that appear to come from Google’s systems – no-reply@google.com – bypassing all verifications and the DomainKeys Identified Mail (DKIM) authentication method and pointing to a fraudulent page that collects logins.

You can get more details about this here: https://threadreaderapp.com/thread/1912439023982834120.html

Roger Grimes, data-driven defense evangelist at KnowBe4, commented:

“DMARC, DKIM, and SPF all focus on the DNS domain involved. The “email address” portion can change and the DMARC, DKIM, and SPF check will be just fine. So, if I can get an email sent from a common, global domain like google.com or hotmail.com, I can get nearly any email address name I like (e.g., the realbillgates@gmail.com) and it’s going to pass the checks.

DMARC, DKIM, and SPF should be understood this way: I claim to be from this and this domain (e.g., google.com) and if I pass the checks, I really am from that claimed domain. The user still has to look at the entire email address (friendly name and domain name) and figure out if it is or isn’t legitimate for the domain being claimed. On top of that, malicious scammers deploy DMARC, DKIM, and SPF at higher rates than non-scammers. Scammers early on decided that they needed all the domains they used to have DMARC, DKIM, and SPF enabled so their scammy email didn’t end up in the Junk Mail, Spam folder, or be rejected and never make it to the end-user. To that end, DMARC, DKIM, and SPF have been a total success. And at the same time it is a victim of its own success, with scammers using it even more than legitimate senders.”

I have certainly seen this with the attack that makes refund scam emails look like they are coming from Microsoft. Thus I am not shocked that this is happening on the Google side of the fence. And I fully expect to see more of this sort of thing going forward.
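To make the point in Grimes’ comment concrete, here is an added example (not code from the original post, KnowBe4, or Google) of how a receiver evaluates DMARC identifier alignment: only the domain right of the “@” in the From header is compared with the DKIM d= and SPF MAIL FROM domains, so the display name and mailbox name are never part of the verdict. The headers are constructed, and the organisational-domain lookup is a two-label heuristic standing in for the Public Suffix List (an assumption).

```python
import re
from email.utils import parseaddr

# Constructed sample headers (not from the original post), modelled on the
# scenario described: the message authenticates for google.com, so everything
# left of the "@" and the display name are outside what DKIM/SPF/DMARC check.
SAMPLE_FROM = '"Google Account Security" <no-reply@google.com>'
SAMPLE_AUTH = ("mx.example.net; dkim=pass header.d=google.com; "
               "spf=pass smtp.mailfrom=mail.google.com; "
               "dmarc=pass header.from=google.com")


def org_domain(domain: str) -> str:
    """Approximate the organisational domain as the last two labels.
    Assumption: a real implementation consults the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(header: str) -> dict:
    """Pull the DKIM and SPF results DMARC cares about out of an
    Authentication-Results header."""
    result = {}
    m = re.search(r"\bdkim=(\w+)(?:.*?header\.d=([\w.-]+))?", header)
    if m:
        result["dkim"], result["dkim_domain"] = m.group(1), m.group(2)
    m = re.search(r"\bspf=(\w+)(?:.*?smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+))?", header)
    if m:
        result["spf"], result["spf_domain"] = m.group(1), m.group(2)
    return result


def dmarc_aligned(from_header: str, auth_results: str, strict: bool = False) -> dict:
    """Evaluate DMARC identifier alignment the way a receiver does: compare the
    RFC5322.From domain with the DKIM d= domain and the SPF MAIL FROM domain.
    Relaxed mode accepts a matching organisational domain, strict mode an
    exact match. The local part and display name play no role."""
    display_name, address = parseaddr(from_header)
    local_part, _, from_domain = address.rpartition("@")
    from_domain = from_domain.lower()
    auth = parse_auth_results(auth_results)

    def aligned(other):
        if not other:
            return False
        other = other.lower()
        return other == from_domain if strict else org_domain(other) == org_domain(from_domain)

    dkim_ok = auth.get("dkim") == "pass" and aligned(auth.get("dkim_domain"))
    spf_ok = auth.get("spf") == "pass" and aligned(auth.get("spf_domain"))
    return {
        "from_domain": from_domain,
        "display_name": display_name,
        "local_part": local_part,
        "dkim_aligned": dkim_ok,
        "spf_aligned": spf_ok,
        "dmarc_pass": dkim_ok or spf_ok,
    }


def local_part_does_not_matter(auth_results: str, local_parts) -> bool:
    """Swapping the mailbox name leaves the DMARC verdict untouched, because
    only the domain is evaluated. Returns True when every variant passes."""
    verdicts = {dmarc_aligned(f"<{lp}@google.com>", auth_results)["dmarc_pass"]
                for lp in local_parts}
    return verdicts == {True}


if __name__ == "__main__":
    print(dmarc_aligned(SAMPLE_FROM, SAMPLE_AUTH))
    print(local_part_does_not_matter(SAMPLE_AUTH, ["no-reply", "security-alert", "billing"]))
```

The takeaway for a defender is that a dmarc=pass result vouches for the domain only; policy on the display name and on where the links in the body lead has to be applied separately.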

Google Warns of Two Critical Android Vulnerabilities

Posted in Commentary with tags on March 4, 2025 by itnerd

Google has published a security bulletin warning of two critical and actively exploited Android vulnerabilities, CVE-2024-43093 and CVE-2024-50302, being used in attacks targeting devices running Android 12 through 15. CVE-2024-50302 appears to be the zero-day exposed by Amnesty International in a 2/28 report about an attack against a Serbian political activist.

Javvad Malik, lead security awareness advocate at KnowBe4, commented:

“Google’s disclosure of CVE-2024-43093 and CVE-2024-50302 serves as a stark reminder of the perils lurking in our pockets. These vulnerabilities, affecting over a billion Android devices, highlight the importance of deploying patches in a timely manner.

The involvement of Serbian authorities and Cellebrite’s UFED tools in exploiting these vulnerabilities adds a layer of complexity in that it blurs the lines between state-sponsored surveillance and cybercrime.

The real challenge lies in the fragmented nature of the Android ecosystem. With dozens of manufacturers and carriers, patching becomes a logistical nightmare, leaving countless devices vulnerable long after fixes are available. Unfortunately, many cheaper Android devices running older versions of the operating system can’t be updated at all.

This incident underscores the urgent need for a more cohesive approach to security updates in the Android world. Google, OEMs, and carriers must pull together to ensure patches reach users swiftly, regardless of device or location.”

This is something that I have been saying for years. Android needs a more cohesive approach, as the way things are right now isn’t workable from a security standpoint. In short, they need to be more like Apple, where if a security issue exists, a fix is pushed out and mitigated on the majority of devices in short order. Hopefully Google decides to eventually move in that direction.

AMD Silicon Flaw Found By Security Researchers At Google

Posted in Commentary with tags on February 4, 2025 by itnerd

Google security researchers have recently discovered CVE-2024-56161, a microprocessor vulnerability that could lead to the loss of Secure Encrypted Virtualization (SEV) protection, and allow an attacker to load malicious code. You can read the research here:

https://github.com/google/security-research/security/advisories/GHSA-4xq7-4mgh-gp6w

Google Security Team has identified a security vulnerability in some AMD Zen-based CPUs. This vulnerability allows an adversary with local administrator privileges (ring 0 from outside a VM) to load malicious microcode patches. We have demonstrated the ability to craft arbitrary malicious microcode patches on Zen 1 through Zen 4 CPUs. The vulnerability is that the CPU uses an insecure hash function in the signature validation for microcode updates. This vulnerability could be used by an adversary to compromise confidential computing workloads protected by the newest version of AMD Secure Encrypted Virtualization, SEV-SNP or to compromise Dynamic Root of Trust Measurement.

And:

Google notified AMD of this vulnerability on September 25, 2024. AMD subsequently provided an embargoed fix to its customers on December 17, 2024. To coordinate with AMD, we made a one-off exception to our standard vulnerability disclosure policy and delayed public disclosure until today, February 3, 2025. This joint disclosure occurs 46 days after AMD shared the fix with its customers and 131 days after Google’s initial report. Due to the deep supply chain, sequence and coordination required to fix this issue, we will not be sharing full details at this time in order to give users time to re-establish trust on their confidential-compute workloads. We will share additional details and tools on March 5, 2025.

Andrew Obadiaru, CISO, Cobalt had this comment:

“The discovery of this vulnerability, along with the subsequent collaboration between AMD and Google, underscores the importance of responsible vulnerability disclosure. By proactively identifying and addressing the issue before it could be widely exploited.

This vulnerability, tracked as CVE-2024-56161, highlights ongoing hardware security challenges. While CPU vulnerabilities are not new, they remain difficult to detect due to the complexity of modern processors. Additionally, many organizations, including major manufacturers, often prioritize performance over security when it comes to patching CPUs, as such updates can lead to performance trade-offs. Could this vulnerability be a result of that trade-off?

Organizations must ensure that users promptly apply patches through firmware updates, operating system patches, etc. More importantly, hardware manufacturers should prioritize security at the design stage rather than treating it as an afterthought once vulnerabilities are discovered.”

Gunter Ollmann, CTO, Cobalt adds this:

“For decades, flawed or absent update security validation has been a common threat. Failure to sign patches, updates, firmware, microcode, etc., and failure to verify the signature and identify tampering have seen countless otherwise secure devices and software fall victim to targeted attack.

Silicon-level device security is both one of the hardest to master and the most vital. The root of trust starts and ends with the secrets within the silicon layer.

If security fails at the silicon level, then all the layers above (firmware, drivers, software, data storage) are undermined and compromised.”

It’s good that this is being fixed, as AMD is seeing a rise in its fortunes in the processor space. Thus it is highly likely that it will be targeted by threat actors looking for weaknesses in its silicon that they can exploit to do their evil deeds.

Google Is Basically In Deep Trouble As The Justice Department Wants To Break Them Up

Posted in Commentary with tags on November 21, 2024 by itnerd

Big tech has been the target of the Justice Department in the US for a while now, and Google has been at the top of their list to go after. In a 23-page document filed on Wednesday, U.S. regulators asked a federal judge to break up Google after a court found the tech giant guilty of maintaining an abusive monopoly through its dominant search engine. As punishment, the DOJ calls for a sale of Google’s Chrome browser and restrictions to prevent Android from favoring its own search engine. In short, that means that Google would have to:

  • Sell the Chrome browser
  • Sell the Android OS if asked. But the Justice Department will start with restricting what the OS will do in terms of allowing Google to make money by routing consumers to their own services. YouTube for example.
  • Share search results with rivals for free
  • Stop doing exclusive deals to be the preferred search engine on devices. Apple products for example.

While Google will have the chance to present its own view of the universe shortly, you have to imagine that they must be freaked out by this as this would fundamentally change their business model. On top of that, you know that this will be in court for years before there’s any resolution. Finally, if you’re Apple, this is what’s headed in your direction as the Justice Department is coming after them as well. So you know that they’ll be circling the wagons in preparation for what is surely headed their way.

Uncovering the Evolving Functionality of FakeCall Malware 

Posted in Commentary with tags on November 1, 2024 by itnerd

According to a report from mobile security platform Zimperium, threat actors are using a modified version of Android malware, dubbed “FakeCall,” taking control of phone dialers and intercepting calls made to banks.

“FakeCall is an extremely sophisticated Vishing attack that leverages malware to take almost complete control of the mobile device, including the interception of incoming and outgoing calls. Victims are tricked into calling fraudulent phone numbers controlled by the attacker and mimicking the normal user experience on the device.”

First reported by Kaspersky in 2022, the attack mimicked banking apps and let users make calls through them. Attackers would overlay the bank’s actual number on victims’ screens and then impersonate bank employees when the victim called the number, thereby obtaining users’ personal banking information.

Ted Miracco, CEO, Approov had this to say:

“Google’s isolated approach to Android security has proven insufficient, as exemplified by recurring threats like ‘FakeCall.’ Dismantling Google’s monopolistic Play Store and fostering competitive app stores with open standards for security—including attestation and a transparent rating system—would empower consumers with clearer insight into app risks and access to safer, rigorously vetted applications.”

The fact that this was first discovered in 2022 and is still around today shows that there needs to be a new approach to keep this sort of malware from being a problem. Hopefully Google, which is in all sorts of trouble when it comes to the Play Store, can come to the table with something that addresses this once and for all.

Introducing AI Overviews in Canada 

Posted in Commentary with tags on October 28, 2024 by itnerd

AI Overviews in Search are coming to Canada! Google is beginning the full rollout of AI Overviews in Canada — helping you search the web in a whole new way, no matter what questions are on your mind. This innovative AI-powered feature simplifies how users connect with web information. 

Key Benefits:

  • Connect to the best of the web: Helping people discover content from publishers, businesses and creators remains central to Google’s approach. Google has introduced more prominent ways to show links to relevant websites within AI Overviews, with a right-hand link display on desktop and a similar experience on mobile, accessible by tapping the site icons in the upper right.
  • Traffic increases: Earlier this month, Google launched in-line links that appear directly within the text of AI Overviews. In testing, both the right-hand link display and in-line links drove an increase in traffic to supporting websites compared to the previous designs, and the link display has made it easier for people to visit sites that interest them.
  • Expand your queries: AI Overviews are just one of the ways Google is building AI into Search, and dramatically expanding the kinds of questions you can ask on Google – which creates even more ways for people to explore content online. 

Please find the full blog post here. 

Google Could Be Forced To Allow Third Parties To Access The Play Store

Posted in Commentary with tags on October 8, 2024 by itnerd

Google has been ordered by U.S. District Judge James Donato to make it easier for mobile app store developers to sell to users of phones and tablets that use the company’s Android software, giving “Fortnite” developer Epic Games the win in its antitrust suit. Google reportedly plans to appeal the ruling.

Google is ordered to allow third parties to access the company’s Play Store catalog of apps to build competing offerings, and is prohibited from paying incentives either to app developers to release an app first or exclusively on its Play Store, or to device manufacturers to pre-load the Google Play Store or not pre-load a competing app store.

The injunction is scheduled to take effect in November, but a Google spokesperson said the company is asking that the court “pause implementing the remedies to maintain a consistent and safe experience for users and developers as the legal process moves forward.”

Epic will launch its own app store through the Play Store next year, Epic CEO Tim Sweeney said.

Ted Miracco, CEO of Approov, a mobile app market and security expert, offers this comment:

“This ruling is a significant step toward reshaping the mobile app economy globally. While the immediate impact is US focused and centered on app developers avoiding high fees on Android, the long-term implications could be transformative. We may see a shift toward either a direct-to-consumer model or the rise of alternative app stores, not only on Android but potentially across both Android and iOS globally. These changes may fundamentally alter the balance of power between app developers and platform owners. They can also foster greater competition, innovation, security and consumer choice in the mobile ecosystem.

“In addition to this ruling, there is mounting pressure on the mobile app duopoly of Google and Apple from multiple fronts. The European Union’s Digital Markets Act (DMA), the UK’s Digital Markets, Competition and Consumers Bill (DMCC), and U.S. antitrust efforts—both through private litigation and the Department of Justice—are collectively (!) working to dismantle the stranglehold these companies have on app distribution. These efforts represent a serious threat to the vast profits generated by the App Store and Play Store.

“The dominance of these platforms not only inflates costs for consumers but also stifles innovation and undermines security and privacy by concentrating control in the hands of a few. Breaking up these dual monopolies could lead to a more open and competitive ecosystem that better serves developers and consumers alike.”

This is still subject to appeal, so Mr. Sweeney shouldn’t pop the champagne yet. But if this goes through, this would be a seismic shift in terms of the app economy.