Google Top Choice for Cybercriminals for Brand-Impersonation Spear-Phishing Campaigns

Google | May 28, 2020

  • Phishing campaigns are now regarded as among the most prevalent cybersecurity threats as COVID-19 strands people at home, but after months of isolation, official data has confirmed it.

  • A new report from Barracuda released today shows 100,000 attacks impersonating reputable brands, including Google and Microsoft, have targeted remote workers.

  • More generally, 4% of all spear-phishing attacks in the period between January and April were made up by Google-brand impersonations, with that number expected to climb.


It’s no secret that phishing campaigns are now regarded as among the most prevalent cybersecurity threats as COVID-19 strands people at home, but after months of isolation, official data has confirmed it. A new report from Barracuda released today shows 100,000 attacks impersonating reputable brands, including Google and Microsoft, have targeted remote workers between January 1 and April 30 2020. 65% of this figure impersonated Google, mostly via file-sharing and storage websites – including storage.googleapis.com (25%) docs.google.com (23%), storage.cloud.google.com (13%), and drive.google.com (4%). More generally, 4% of all spear-phishing attacks in the period between January and April were made up by Google-brand impersonations, with that number expected to climb.


Brand-impersonation spear-phishing attacks have always been a popular and successful method of harvesting a user’s login credentials, and with more people than ever working from home, it’s no surprise that cyber criminals are taking the opportunity to flood people’s inboxes with these scams,” says Barracuda Networks UK systems engineer manager Steve Peake. “The sophistication of these attacks has accelerated in recent times: now, hackers can even create an online phishing form or page using the guise of legitimate services, such as forms.office.com, to trick unsuspecting users." Barracuda reported that Microsoft brands were targeted in 13% of attacks: onedrive.live.com (6%), sway.office.com (4%), and forms.office.com (3%).



Learn more: GOOGLE AND KPMG SECURITY EXPERTS SHARE THEIR INSIGHTS ON COVID-19 RELATED CYBER SCAMS .
 

“Brand-impersonation spear-phishing attacks have always been a popular and successful method of harvesting a user’s login credentials, and with more people than ever working from home, it’s no surprise that cyber criminals are taking the opportunity to flood people’s inboxes with these scams,”

~ Steve Peake Barracuda Networks UK systems


This comes as Microsoft warned its userbase this week of a new widespread COVID-19 themed phishing campaign that installs the NetSupport Manager remote administration tool to completely take over a user's system and execute commands on it remotely. Microsoft’s Security Intelligence team claimed the campaign involved the usage of malicious Excel attachments to infect user's devices with a remote access trojan (RAT), with the initial attack beginning with an email impersonating the Johns Hopkins Center, a major source of credible COVID-19 news. Spear-phishing campaigns like this, which trick victims into sharing login credentials, have enjoyed massive success during the pandemic.

“The sophistication of these attacks has accelerated in recent times: now, hackers can even create an online phishing form or page using the guise of legitimate services, such as forms.office.com, to trick unsuspecting users."


Fortunately, there are ways to protect oneself against these cyber, such as implementing multi-factor authentication steps on all log-in pages so that hackers will require more than just a password to gain access to your data,”says Peake. “Other, more sophisticated methods of cyber protection include using email security software, such as API based inbox defence, which uses artificial intelligence to detect and block attacks.” Attackers use many tricks, including by leveraging enterprise brand assets, such as company names and logos, to develop phishing websites that appear authentic and lure internet users to enter valuable information such as user names and passwords. Phishing Protection helps prevent users from accessing phishing sites by identifying various signals associated with malicious content, including the use of your brand assets, classifying malicious content that uses your brand and reporting the unsafe URLs to Google Safe Browsing.


This is through a combination of factors, including heightened fears over a globally penetrating issue and the worldwide trend of remote working, which increases risk landscapes generally. Google's Threat Analysis Group (TAG) works to counter targeted and government-backed hacking against Google and our users. This is an area we have invested in deeply for over a decade. Our daily work involves detecting and defeating threats, and warning targeted users and customers about the world’s most sophisticated adversaries, spanning the full range of Google products including Gmail, Drive and YouTube .In the past, we’ve posted on issues like phishing campaigns vulnerabilities and disinformation. Going forward, we’ll share more technical details and data about the threats we detect and how we counter them to advance the broader digital security discussion.


Learn more: NEW CYBER THREAT INDEX SHOWS INDUSTRIES ARE UNDER ATTACK IN UNCERTAIN TIMES .
 

Spotlight

When an incident occurs, the natural reaction is to think about the short-term impact. Most companies focus on assessing the damage; developing a response; and securing funds to pay for fines, legal fees, consulting third parties, and consumer identity protection services. The real challenge is to mitigate risk to the organization from the long-term effects, such as class-action lawsuits, damage to brand reputation, erosion of consumer trust, and lost business opportunities. This paper takes an in-depth look at the true costs — both short and long term — of a data breach, and provides steps and tips that executive teams and security leaders can use to determine and reduce the true cost of a data breach.


Other News
DATA SECURITY,PLATFORM SECURITY,SOFTWARE SECURITY

One of Europe’s Largest Logistics Companies Selects IronNet to Increase its Network Visibility and Proactively Hunt for Cyber Threats

IronNet, Inc. | August 26, 2022

IronNet, Inc. , an innovative leader Transforming Cybersecurity Through Collective DefenseSM, announced today that a major European logistics company, offering courier, package delivery and express mail service, will deploy the IronNet Collective DefenseSM platform to help defend against increased cyber threats facing the sector. The logistics company is remaining anonymous to help protect its operational security. It serves millions of customers across Europe, provides pick-up and drop-off points for package and parcel services as well as door-to-door courier and fulfillment services for e-merchants. “Cyber attacks along the supply chain can bring the global consumer economy to a halt. We must protect ourselves and our customers from these attacks so we sought out a cybersecurity solution that could identify advanced threats invisible in our current stack,” said the logistics company’s Chief Information Security Officer. “By deploying the IronNet Collective Defense platform, we will benefit from relevant, real-time attack intelligence and extensive threat hunting capabilities. It will provide enhanced visibility into our network and allow us to work with others in the industry to strengthen our cybersecurity and protect our customers from attacks.” “Since the start of the pandemic, the global supply chain has been strained with increased demands on logistics and transportation companies. Now, with the growing conflict between Russia and Ukraine, we cannot risk this sector being hit with cyber attacks to cause even more damage. “By partnering with one of Europe’s largest logistics companies, IronNet is helping this team hunt for threats to stop attacks on their network before they happen and enable the secure, efficient flow of commerce across the continent.” General (Ret.) Keith Alexander, co-CEO and Founder of IronNet Amazon Web Services (AWS) serves as the backbone of the IronNet Collective Defense platform, and it will enable the logistics company to deploy the solution quickly across hundreds of enterprises and maintain a dynamic radar view of threats on enterprise networks comprehensively and at network speed. The logistics company will also use IronNet’s leading AI-based Network Detection and Response (NDR) solution as part of the Collective Defense platform to better detect and defend against cyber attacks. The security platform will enable the logistics company to leverage NDR capabilities, powered by behavioral analytics, to detect unknown threats on its network and, in turn, anonymously in real-time exchange visibility with others in the Collective Defense community. The IronNet Collective Defense platform is the only solution that can identify anomalous behaviors and deliver actionable attack intelligence to all the other participants in the IronNet community. It serves as an early warning system for all participating companies and organizations, strengthening network security through correlated alerts, automated triage, and extended hunt support. About IronNet, Inc. Founded in 2014 by GEN (Ret.) Keith Alexander, IronNet, Inc. (NYSE: IRNT) is a global cybersecurity leader that is transforming how organizations secure their networks by delivering the first-ever Collective Defense platform operating at scale. Employing a number of former NSA cybersecurity operators with offensive and defensive cyber experience, IronNet integrates deep tradecraft knowledge into its industry-leading products to solve the most challenging cyber problems facing the world today.

Read More

DATA SECURITY,SOFTWARE SECURITY,WEB SECURITY TOOLS

Legit Security Discovers and Helps Remediate Software Supply Chain Vulnerabilities in Google Firebase & Apache Open-Source Projects

Legit Security | September 16, 2022

Legit Security, a cyber security company with an enterprise platform to secure an organization’s software supply chain, today announced that it discovered software supply chain attack vulnerabilities in popular open-source projects from Google and Apache. The discovered vulnerability affects GitHub, an extremely popular Source Code Management (SCM) system at the heart of many organization’s software supply chains and used by software developers globally. The Legit Security research team found a new type of CI/CD vulnerability called “GitHub Environment Injection” that allows attackers to take control of the vulnerable project's GitHub Actions CI/CD pipeline. Any GitHub user could exploit this vulnerability to modify the project’s source code, steal secrets, move laterally and attack inside the organization, and ultimately initiate a SolarWinds-like supply chain attack. The vulnerability was found in the Google Firebase project and in a very popular integration framework project from Apache. Both Google and Apache acknowledged and fixed the vulnerabilities after an initial disclosure by Legit Security. Legit Security has published a technical disclosure blog on their website including guidance for organizations to remediate this vulnerability. Legit Security’s Research Team discovered that a specially crafted payload written to a GitHub environment variable called “GITHUB_ENV” could allow an attacker to execute code on the target pipeline and thereby modify the source code or compromise the repository itself. This attack can be initiated by any GitHub user and is very easy to implement just by creating a “pull request” or a proposed change to the source code. The mere act of submitting the pull request will trigger the vulnerable build action and carry out a successful compromise and the attacker does not need to be subjected a code review approval from the source code maintainer for it to take effect. The Legit Security team disclosed these issues to Google and Apache project maintainers, along with remediation guidelines, and verified that these vulnerabilities weren’t exploited by a malicious actor. Both projects have been fixed and are now safe. However, these are not the only projects susceptible to this kind of attack. Since using the GITHUB_ENV file is currently considered the “safe” way to change environment variables in GitHub Actions, many repositories are using workflows that write untrusted data into this file, leaving them exposed to supply chain attacks. “This type of vulnerability joins many other software supply chain vulnerabilities and attacks targeting popular open-source projects, including GitHub, which is the largest and the de facto host of most open-source projects. “We, as a security community, must build the tools and processes to address these threats and allow organizations to trust software and use it safely. Here at Legit Security our mission is to secure every organization’s software supply chain and we are active conducting security research and collaborating on initiatives to achieve this goal." Liav Caspi, CTO and co-founder of Legit Security According to Gartner®, nearly half of organizations worldwide will experience an attack on their software supply chains by 2025, a three-fold increase from 2021. There has been a huge rise in attempts to compromise open-source projects and CI/CD build services, including GitHub Actions, to enable wide ranging attacks through software supply chains. For in-depth analysis of the GitHub Environment Injection vulnerability, along with broader information and guidance on how to protect your organization from software supply chain attacks, please visit the Legit Security website and blog. About Legit Security Legit Security protects software supply chains from attack by automatically discovering and securing the pipelines, infrastructure, code and people so that businesses can stay safe while releasing software fast. Legit provides an easy to implement SaaS platform that supports both cloud and on-premises resources and combines automated discovery and analysis capabilities with hundreds of security policies developed by industry experts with real-world SDLC security experience. This integrated platform keeps your software factory secure and provides continuous assurance that your applications are released without vulnerabilities.

Read More

SOFTWARE SECURITY

Red Canary and Palo Alto Networks expand collaboration to provide detection and response across security landscape

Red Canary | July 08, 2022

Red Canary, the Managed Detection and Response (MDR) trailblazer, has expanded its collaboration with industry leader Palo Alto Networks to help deliver on a bold vision: unifying threat investigation across a wide range of Palo Alto Networks products. To help achieve this goal Red Canary is now a part of the Palo Alto Networks Cortex® MSSP partner program. Today, Red Canary MDR supports Palo Alto Networks firewalls by integrating with PAN-OS version 9 and higher. This integration allows security alerts and event data generated by firewall appliances to feed into the Red Canary MDR platform for further investigation and remediation. Red Canary is working with Palo Alto Networks as an MDR partner for the Cortex XDR product, which includes built-in endpoint protection. While many MDR offerings simply ingest alerts generated by endpoint security tools, Red Canary is working toward being able to ingest raw telemetry as well as alerts from the Cortex XDR endpoint agent. Red Canary anticipates this will allow it to reduce false positives by up to 99% and significantly increase the detection of confirmed threats compared to what endpoint security tools can identify on their own. "The detailed endpoint telemetry generated by Cortex XDR enables leading scores in actual hands-on tests, such as MITRE's recent ATT&CK® evaluation," said Rick Caccia, SVP of Marketing for Palo Alto Networks. "Red Canary's ability to manage and analyze large volumes of endpoint, network, and other types of telemetry will make them an ideal partner for solving customers' most pressing security challenges. Together, we can help protect organizations from ransomware, phishing, and other modern threats." To complete our vision of unifying threat investigation across the Palo Alto Networks product line, Red Canary is also developing integrations for Prisma® Cloud, Threat Prevention, and the WildFire Analysis Environment. Red Canary's MDR everywhere strategy allows events from Palo Alto Networks products to be combined with multi-vendor events in a unified timeline. To learn more, visit https://redcanary.com/cyber-threat-investigation/. "Red Canary is meeting customer demand for security across the modern IT environment by integrating alert data from network, identity, and SaaS applications – all in a unified timeline. Our collaboration with Palo Alto Networks layers best-in-class managed detection and response across an industry-leading portfolio of cybersecurity solutions. The result is more choice and better security for our customers." Chris Rothe, CTO, Red Canary About Red Canary Red Canary stops cyber threats no one else does so organizations can fearlessly pursue their missions. The company's managed detection and response (MDR) solution works across enterprise endpoints, cloud workloads, network, identities, and SaaS apps. Red Canary operates as a security ally for customers and partners by providing unlimited 24×7 support, deep threat expertise and hands-on remediation to prevent threats from turning into business-defining incidents.

Read More

DATA SECURITY,PLATFORM SECURITY

SCYTHE New Version 4.0 Enhances Collaboration Across Multiple Security Team Roles

SCYTHE | September 09, 2022

SCYTHE, a leader in adversarial emulation, announced the release of version 4.0 of the company’s flagship cybersecurity platform, offering new features and functionality that will extend capabilities for greater collaboration between blue, red, and purple teams. SCYTHE runs real-world adversary emulations that help security teams reduce detection and response rates, validate controls, and optimize resources by enabling teams to prioritize vulnerabilities, and focus on the highest risk issues to the business. Its scalable platform automates adversary emulations and expands your team’s threat intelligence skills so that you can multiply your cybersecurity team’s velocity and reduce cybersecurity risk. SCYTHE has the largest, public library of threats in the breach attack simulation industry and has more capabilities than all other competitors combined as shown by Tidal Cyber’s Community Edition of their SaaS threat-informed defense platform. With a redesigned UI, SCYTHE 4.0 makes threats easier to manage by bringing campaign details to the surface, allows for greater communication between team members, and makes it simpler to take action via Jira integrations—all available as an on-prem or SaaS offering. Through automation, communication, and integrations, SCYTHE 4.0 is designed to help security teams collaborate, as a purple team, on adversary emulation. “The new SCYTHE 4.0 platform sets a new standard for adversary emulation automation for offensive, defensive, and hybrid purple teams to help customers strengthen defenses, share actionable data between teams to better resolve real-world cybersecurity concerns quickly, and improve collaboration,” said Stephanie Simpson, VP, Product. “Version 4.0 is based on feedback from our customers and prospects about what they need to optimize their teams’ breach and attack simulation (BAS) capabilities.” In addition to this, SCYTHE’s Cyber Threat Intelligence (CTI) Team just released offerings that are complementary to the SCYTHE platform capabilities and services that can serve as an extension of your security team. This includes emergency action emulation plans, custom plans, cloud-focused plans, and emulation plans covering more diverse tactics, techniques and procedures. What’s New With 4.0? SCYTHE version 4.0 was designed to enhance collaboration within security teams and improve the user experience. These updates include: Collaboration features — SCYTHE enables greater collaboration between blue, red, and purple teams to create and leverage existing adversary emulation plans. The updated, user-friendly dashboard clearly displays outcomes and severity of campaign results. Users can have different access levels to create and personalize realistic attacks or re-run existing attacks. In-platform messaging now allows for better and faster communication between users. Workflow automation — Users can take a more collaborative team approach and seamlessly share actionable insights through a Jira integration. SaaS and on-prem — Previously an exclusively on-prem solution, SCYTHE 4.0 now has a SaaS offering available to provide flexibility to customers in any type of environment. SCYTHE 4.0 will be available for customers in Q4. About SCYTHE SCYTHE is like hiring the hacker you always wanted, but could never afford. SCYTHE transforms your organization’s capabilities and defines a new technology category: Attack, Detect, and Respond to integrate cybersecurity risk management across people, process, and technology. The SCYTHE 4.0 platform enables collaboration between red, blue, and purple teams to build and emulate real-world adversarial campaigns. Customers can easily and quickly validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions.

Read More

Spotlight

When an incident occurs, the natural reaction is to think about the short-term impact. Most companies focus on assessing the damage; developing a response; and securing funds to pay for fines, legal fees, consulting third parties, and consumer identity protection services. The real challenge is to mitigate risk to the organization from the long-term effects, such as class-action lawsuits, damage to brand reputation, erosion of consumer trust, and lost business opportunities. This paper takes an in-depth look at the true costs — both short and long term — of a data breach, and provides steps and tips that executive teams and security leaders can use to determine and reduce the true cost of a data breach.

Resources