Cybersecurity is a rapidly evolving domain that requires you to be updated with information on the latest innovations to stay on top. To help in the process of making email security and organizational cyber well-being possible, here are the top cybersecurity headlines from this week:
Google Looker Studio Becomes the New Path to Evade Email Security
In a recent attack, malicious actors exploited Google’s Looker Studio data visualization tool to send phishing lure pages to hundreds of businesses. These pages are designed to evade email security defenses and steal data and money.
Google Looker Studio is a web-based tool that converts slideshows, spreadsheets, etc., into visualized data like charts and graphs. The latest Business Email Compromise (BEC) scam uses Google Looker Studio to build cryptocurrency-themed pages to send to businesses as if from Google. These emails contain purported reports on strategies for cryptocurrency investing and require users to sign into their Google accounts for more details.
If users click on the sign-in link, they are redirected to a spoofed Google Looker page, which hosts a Google Slideshow informing them about the process of claiming more Bitcoin. It also creates a sense of urgency, leading users to a login page that steals their credentials. This attack scheme works because it can dodge malicious email scanning technology.
The messages fool the Sender Policy Framework (SPF) using the authorized sender IP address data-studio.bounces.google.com. They can also evade any flags arising in the DKIM authentication tool or DMARC inspection as they come from the legitimate domain google.com they claim.
The incident makes one wonder whether traditional security measures can detect sophisticated email attack vectors like the one under discussion. Thus, the best thing to do is to install a robust file-scanning and URL protection system at an organizational level to detect and prevent BEC attacks.
Storm-0324 and Sangria Tempest Collaborate for Teams Phishing Email Scam
The threat actor group Storm-0324 has been using Microsoft Teams Email to send phishing emails to organizations since July 2023. This email-based initial infection strategy unfolds in multi-layered exploitation, wherein Storm-0324 gains unauthorized access to a network and hands it over to other threat actors. Storm-0324 works with the ransomware-as-a-service (RaaS) actor Sangria Tempest to distribute the JSSLoader malware.
Storm-0324 uses highly effective infection chains involving invoice and payment lures. This collaboration between adversaries, wherein Storm-0324 distributes payloads from other adversaries, necessitates organizations to employ advanced email security measures such as multi-layered scanning.
Reportedly, Storm-0324 and Sangria Tempest have been collaborating since 2019. Storm-0324 gains access to victim systems, distributes JSSLoader and then hands it over to Sangria to steal information and encrypt the systems.
In a typical attack, Storm-0324 sends a phishing email with a payment or invoice link to a victim. Clicking on this leads users to a SharePoint site with a ZIP archive. This archive has a file embedded with JS code, and opening the file infects the system with the JSSLoader variant DLL. To protect against such email vulnerabilities, Microsoft has upgraded its Accept/Block feature in one-on-one chats within Teams.
Mozilla Patches a Critical Zero-Day Vulnerability in its Firefox Web Browser
Mozilla recently found a zero-day vulnerability in its Firefox web browser and Thunderbird email client. Tagged CVE-2023-4863, the flaw allows remote attackers to perform an out-of-bounds memory write through a spoofed HTML page. So far, a CVSS score has not yet been assigned to the vulnerability, but it is reported to be critical.
Mozilla talked about the zero-day flaw in its advisory dated September 12, 2023, and said it was also being exploited in the wild in other products. These include Google’s Chrome browser as well. However, Chrome was patched against this vulnerability a day before the advisory was released. Firefox 117.0.1, Firefox ESR 102.15.1, Firefox ESR 115.2.1, Thunderbird 115.2.2, and Thunderbird 102.15.1 have also been patched similarly.
Zero-day attacks like this exploit browser vulnerabilities and target all major browsers like Firefox, Chrome, Safari, and Edge. A browser compromise leads to infiltration of any cloud-based service accessible to that browser. Thus, users must ensure that their web browsers are updated with the latest patches.
Several Vulnerabilities Detected in Proton Mail’s Web Client
Cybersecurity experts recently found critical code vulnerabilities in the renowned privacy-focused webmail service, Proton Mail. These vulnerabilities pose a severe threat to the privacy and confidentiality of user data. The vulnerabilities exist in Proton Mail’s web client, where messages get decrypted for users.
A significant loophole in the service’s encryption system comes to light via these vulnerabilities: though its email security works fine for messages in transit and at rest, the vulnerabilities can be exploited to steal decrypted messages and impersonate users.
An attacker can trick Proton Mail users into interacting with their malicious messages and clicking on links embedded in these emails. The research team at SonarSource notified Proton Mail of these email security loopholes in June 2022, and the organization took immediate corrective measures. Owing to Proton Mail’s proactive security steps, no known exploits of the vulnerabilities have been recorded.