In today’s cybersecurity news…
Google responds to “most sophisticated” voice phishing attack
Last week, Hack Club founder Zach Latta published details about “the most sophisticated phishing attack I’ve ever seen.” This saw attackers posing as the Google Workspace team in a call to Latta, claiming to investigate a suspicious login attempt overseas. The call came from a genuine number associated with Google Assistant with a caller ID of “Google.” Still suspicious, Latta asked for an authenticated email to confirm identity and received one from workspace-noreply@google.com. The attackers appeared to get access to a Workspace g.co subdomain, which was used to create an account for Latta to send the password reset. Latta said this attack method gets around two fundamental best practices for identity verification. Google said it found no widespread use of this tactic but hardened its defenses “against abusers leveraging g.co references at sign-up” going forward.
Security consortium creates Opengrep
The static application security testing tool Semgrep launched in 2017, becoming popular partly because users could write custom rules that could be shared with the broader community. However, in December 2024, the company changed its licensing to restrict the use of community-contributed rules in its free core engine service. Now a consortium of ten security firms, including Endor Labs, Jit, Mobb, Orca Security, and Amplify Security, launched a fork of Semgrep creatively named Opengrep. The consortium says it will provide dedicated development, testing, and deployment teams for the new project and regular reviews of community-contributed code. The plan is to eventually move Opengrep to a foundation on a non-profit model for long-term viability.
DeepSeek suspends new user registrations
The AI startup DeepSeek has been making headlines the last few days on claims that it built an open-source LLM using a fraction of the hardware resources of its competitors. This attention led to its app topping the US iOS App Store, but it also seems to have attracted malicious activity. DeepSeek updated its status page to say that it temporarily limited registrations “[d]ue to large-scale malicious attacks,” although it offered no other specifics. The company said the attacks did not impact existing users.
Brazil bans compensation for biometric data scheme
Tools for Humanity is the company behind the digital identity project World, formerly known as Worldcoin. World relaunched in Brazil in November, sparking an investigation from the country’s National Data Protection Authority. That agency has now ruled that World cannot offer financial compensation, including cryptocurrency, in exchange for biometric data, saying this “may interfere with the free expression of the will of individuals.” In response to that decision, Tools for Humanity said these iris scans qualify as “Proof of Personhood” and that the company doesn’t store any personal data, including biometrics. The company said it’s confident it can work with the regulator to ensure it can still offer World services in Brazil.
Huge thanks to our sponsor, Conveyor

It’s not answering questions – most of you have automation software for that.
It’s all of the manual back and forth that becomes a slog like communicating between teams, tracking people down to get their review, updating sources and updating systems.
Conveyor just launched an AI agent, Sue, to do all of these things and more for you.
Learn about Sue at www.conveyor.com.
Teams to rollout phishing alerts
Microsoft reminded Microsoft 365 admins that it will launch new brand impersonation protection features in Teams Chat as of mid-February, enabled by default. The feature displays alerts for suspected phishing attacks in organizations with external Teams access enabled. Users must preview messages flagged as high-risk and choose whether to accept or block them. These alerts will also be available in Teams logs for admin review. Microsoft still recommends that Teams admins who don’t need regular communication with external tenants disable External Access or add specific domains to an allow list.
Ukraine denies involvement in cyberattack
Late last week, Slovak Prime Minister Robert Fico alleged that Ukraine was involved in a “massive cyberattack” on General Health Insurance Company, the largest insurance provider in Slovakia. Fico said the attack’s goal was espionage but was ultimately unsuccessful. Ukraine’s foreign ministry flatly rejected “any hints” that it participated in the attack. Local media reported this as a phishing attack. This comes against a background of shifting relations between the two countries, with Ukraine recently suspending the transit of Russian gas through Slovakia and Fico meeting with Russian President Vladimir Putin.
TalkTalk confirms breach
The UK telco confirmed it suffered a data breach involving a third-party platform. This comes after a threat actor known as “b0nd” attempted to sell data on 18.8 million TalkTalk customers on a hacking forum, allegedly including names, phone numbers, and IP addresses. TalkTalk has roughly 2.4 million customers, and the number cited in the sale post was described as “wholly inaccurate and very significantly overstated.” Screenshots from the forum post indicate the data came from CSG’s Ascendon platform, but TalkTalk did not confirm this.
Salting disrupts brand detection systems
Cisco Talos released a report showing the tactics threat actors use to get around email security measures. One observed method conceals malware in email attachments by embedding irrelevant comments in base64 strings to defeat typical attachment scanning. The report recommends advanced filtering that analyzes HTML structure to look for suspicious CSS properties or inline styles. The report also highlighted how attackers can hide email content with irrelevant or invisible text, for example disguising English emails as French by embedding hidden French words.
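As an added illustration of the HTML-structure check the report recommends (this is example code written for this roundup, not Talos's tooling), the following walks an email body, treats any element whose inline style or `hidden` attribute makes its text invisible as "hidden," and reports how much of the message the recipient would never see. The sample message is constructed: an English lure salted with hidden French words, the pattern described above.

```python
"""Detect hidden text in an HTML email body.

Added example (not Talos's tooling): walks inline styles and the HTML
`hidden` attribute and separates text a recipient can see from text that
is present only for the filter to read. The sample message is constructed.
"""
from html.parser import HTMLParser
import re

# Inline-style patterns that make an element's text invisible to the reader.
# The lookahead keeps "font-size:0.9em" and "opacity:0.5" from matching.
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0(?:px|pt|em|rem|%)?(?![\w.])"
    r"|opacity\s*:\s*0(?:\.0+)?(?![\w.])",
    re.IGNORECASE,
)

# Elements that never get an end tag, so they must not be pushed on the stack.
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col", "source", "wbr"}


class HiddenTextFinder(HTMLParser):
    """Track whether each open element (or any of its ancestors) is hidden."""

    def __init__(self):
        super().__init__()
        self._stack = []      # one bool per open element: hidden or not
        self.hidden = []      # text found inside hidden elements
        self.visible = []     # text the recipient would actually see

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        a = dict(attrs)
        style = a.get("style") or ""
        own = bool(HIDDEN_STYLE_RE.search(style)) or "hidden" in a
        inherited = self._stack[-1] if self._stack else False
        self._stack.append(own or inherited)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._stack:
            self._stack.pop()

    def handle_data(self, data):
        text = " ".join(data.split())   # collapse whitespace and newlines
        if not text:
            return
        bucket = self.hidden if (self._stack and self._stack[-1]) else self.visible
        bucket.append(text)


def analyze_email_html(html: str) -> dict:
    """Return hidden and visible fragments plus the share of hidden characters."""
    finder = HiddenTextFinder()
    finder.feed(html)
    finder.close()
    hidden_chars = sum(len(t) for t in finder.hidden)
    total_chars = hidden_chars + sum(len(t) for t in finder.visible)
    ratio = hidden_chars / total_chars if total_chars else 0.0
    return {
        "hidden": finder.hidden,
        "visible": finder.visible,
        "hidden_ratio": ratio,
        "suspicious": bool(finder.hidden),
    }


# Constructed sample: an English lure with French words the reader never sees.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer,</p>
<p>Your <span style="font-size:0px">bonjour</span> account
<span style="display:none">merci beaucoup</span> has been suspended.
<span style="opacity:0.0">s'il vous plaît</span>
Please <a href="https://example.invalid/verify">verify your details</a> now.</p>
<div hidden>à bientôt</div>
<p style="font-size:0.9em">Regards, The Security Team</p>
</body></html>"""


if __name__ == "__main__":
    report = analyze_email_html(SAMPLE_EMAIL)
    print("visible:", " ".join(report["visible"]))
    print("hidden :", report["hidden"])
    print(f"hidden share: {report['hidden_ratio']:.0%} -> suspicious={report['suspicious']}")
```

A real gateway would also resolve `<style>` blocks and external stylesheets and look at colour-on-colour tricks; inline styles and the `hidden` attribute are the cheapest signal and the one the report singles out. A non-zero hidden share on a message whose visible text is all one language and hidden text another is a strong indicator in its own right.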
Clone2Leak hits Git
GMO Flatt Security researcher RyotaK published details about three related attacks that allow an attacker to get Git to leak stored credentials. One flaw in the Git Credential Manager misinterpreted carriage return characters, allowing a malicious URL to send credentials to a third-party server. A flaw in Git LFS allows bypassing security checks when using newline characters in a config file. A flaw in GitHub CLI allowed for overly permissive sharing of authentication tokens to a different host. No signs of active exploitation were found, and the three vulnerabilities have been patched.
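The common thread in the three findings is a client or helper interpreting line endings or host scope more loosely than Git itself. As an added example (written for this roundup; not the code of Git, Git Credential Manager, Git LFS or the GitHub CLI), here is a strict reader for Git's documented credential-helper protocol, in which Git passes `key=value` lines terminated by a blank line. It refuses any request containing a carriage return or other control character instead of guessing where a line ends, and it releases a stored token only on an exact match against a trusted-host list. The sample requests are constructed; the `should_release` policy and its trusted-host set are this example's assumptions.

```python
"""Strict parser for the git credential-helper protocol.

Added example, not the code of Git, GCM, Git LFS or the GitHub CLI. Git
hands a helper `key=value` lines ending in LF, terminated by a blank line.
This reader rejects control characters outright and releases a credential
only for an exact trusted-host match. Sample requests are constructed.
"""
import re

# Attribute names git uses: host, path, username, password, wwwauth[] ...
KEY_RE = re.compile(r"^[A-Za-z0-9_]+(?:\[\])?$")


class CredentialProtocolError(ValueError):
    """Raised when a request does not follow the protocol exactly."""


def parse_credential_request(raw: str) -> dict:
    # git ends lines with LF only. A CR anywhere means some layer could split
    # the request differently from git, so refuse the whole thing rather than
    # normalize it.
    if "\r" in raw:
        raise CredentialProtocolError("carriage return in request")
    fields = {}
    for line in raw.split("\n"):
        if line == "":
            break                              # blank line ends the request
        key, sep, value = line.partition("=")
        if not sep or not KEY_RE.match(key):
            raise CredentialProtocolError(f"malformed line: {line!r}")
        if value == "" or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
            raise CredentialProtocolError(f"empty value or control character in {key!r}")
        fields[key] = value
    # This strict reader requires protocol and host explicitly; it does not
    # accept git's url= shorthand (an assumption of this example).
    if "host" not in fields or "protocol" not in fields:
        raise CredentialProtocolError("protocol and host are required")
    return fields


def should_release(fields: dict, trusted_hosts: set) -> bool:
    """Release a stored token only over HTTPS and only for an exact,
    case-insensitive host match. No suffix or prefix matching, so
    'github.com.example' never inherits github.com's credentials."""
    trusted = {h.lower() for h in trusted_hosts}
    return fields["protocol"] == "https" and fields["host"].lower() in trusted


if __name__ == "__main__":
    # Constructed requests: one well-formed, one with a stray CR.
    good = "protocol=https\nhost=github.com\nusername=alice\n\n"
    print(parse_credential_request(good), should_release(parse_credential_request(good), {"github.com"}))
    try:
        parse_credential_request("protocol=https\r\nhost=github.com\n\n")
    except CredentialProtocolError as e:
        print("rejected:", e)
```

The point of the exact-match policy is the third finding above: a token stored for one host must not be handed to a different one, however similar the names look. For defenders, the practical check is simply to confirm that Git, Git LFS, Git Credential Manager and the GitHub CLI are on patched versions; the parser shows what "patched" has to mean at the protocol layer.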