Cybersecurity News: Australia targets foreign tech, banks sunset OTP, Veeam vulnerability exploited

Australia targets government tech under foreign control

Australia’s Department of Home Affairs issued new instructions to all government agencies, ordering them to review their tech stacks for Foreign Ownership, Control or Influence risks. The agencies have until June 2025 to report these risks. A separate order requires developing a security risk management plan for any internet-facing services or systems that can be “directly accessed by untrusted or unknown entities.” A third order mandates government agencies using threat intelligence platforms to connect to a centralized sharing platform run by the Australian Signals Directorate. 

(The Record)

Singapore banks replace OTP with digital tokens

As part of a joint statement from the Monetary Authority of Singapore and The Association of Banks in Singapore, three banks, DBS, OCBC, and UOB, plan to phase out one-time passwords, or OTPs, for customers who already log in with digital tokens on their mobile devices. Customers who authenticate with physical tokens can continue to use OTPs but will be “strongly encouraged” to switch to digital tokens. The banks expect the move to help combat phishing scams that intercept OTPs. 

(ZDNet)

New group targets Veeam vulnerability

Researchers at Group-IB found that a ransomware group tracked as EstateRansomware began exploiting a known flaw in Veeam Backup & Replication in early April 2024; Veeam had patched the flaw in March 2023. The group gained initial access through Fortinet VPN appliances using dormant accounts, then pivoted to a failover server. Once there, EstateRansomware created a rogue user account and established a command shell, and it disabled Windows Defender before dropping its ransomware payload. The Russian FIN7 cybercrime group exploited the same flaw last year. 

(The Hacker News)
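The sequence above (a new local account appearing on a server, followed minutes later by Defender being switched off) is a cheap thing to hunt for in your own telemetry. The following is an added example, not code from Group-IB's report or from Veeam: it correlates two real Windows event IDs (Security 4720, "A user account was created", and Microsoft-Windows-Windows Defender/Operational 5001, "Real-time protection is disabled") on the same host inside a short window. The sample events, host names, user names and the 30-minute window are constructed assumptions.

```python
"""Added example: hunt for 'new account, then Defender disabled' on one host.
Not from Group-IB or Veeam. Event IDs are real Windows IDs; the sample events,
host/user names and the 30-minute window are constructed assumptions."""
from datetime import datetime, timedelta

ACCOUNT_CREATED = 4720   # Security log: "A user account was created"
RTP_DISABLED = 5001      # Windows Defender/Operational: real-time protection disabled

# Constructed sample events, flattened as (timestamp, channel, event_id, fields),
# the shape you would get from a flattened event export or a SIEM query result.
SAMPLE_EVENTS = [
    ("2024-04-03T02:11:05", "Security", 4720,
     {"Computer": "BACKUP-FO1", "TargetUserName": "svc_bkp2",
      "SubjectUserName": "Administrator"}),
    ("2024-04-03T02:14:40", "Microsoft-Windows-Windows Defender/Operational", 5001,
     {"Computer": "BACKUP-FO1"}),
    # Benign noise: a helpdesk account creation and an unrelated Defender
    # event on a workstation more than eight hours apart.
    ("2024-04-02T09:00:00", "Security", 4720,
     {"Computer": "WS-117", "TargetUserName": "jdoe",
      "SubjectUserName": "helpdesk"}),
    ("2024-04-02T17:30:00", "Microsoft-Windows-Windows Defender/Operational", 5001,
     {"Computer": "WS-117"}),
]


def correlate_account_then_defender_off(events, window=timedelta(minutes=30)):
    """Return one alert dict per (host, new_user) where Defender real-time
    protection was disabled within `window` AFTER a local account was created
    on the same host. Events may arrive in any order."""
    creations = [
        (datetime.fromisoformat(ts), f["Computer"], f["TargetUserName"],
         f.get("SubjectUserName"))
        for ts, channel, eid, f in events
        if channel == "Security" and eid == ACCOUNT_CREATED
    ]
    alerts = []
    for ts, channel, eid, f in events:
        if eid != RTP_DISABLED or "Windows Defender" not in channel:
            continue
        disabled_at = datetime.fromisoformat(ts)
        for created_at, host, new_user, creator in creations:
            delta = disabled_at - created_at
            # Only count the disable if it happened after the creation, on the
            # same host, and inside the window; earlier disables are ignored.
            if host == f["Computer"] and timedelta(0) <= delta <= window:
                alerts.append({
                    "host": host,
                    "new_user": new_user,
                    "created_by": creator,
                    "minutes_to_defender_off": int(delta.total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate_account_then_defender_off(SAMPLE_EVENTS):
        print(alert)
```

With the constructed events, only the failover server fires (account `svc_bkp2` created, Defender off three minutes later); the workstation pair is too far apart. Widening the window trades precision for recall, so tune it against your own baseline of legitimate account provisioning.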

CISA warns about OS command injections

The FBI joined CISA in an advisory strongly urging software vendors not to ship products with OS command injection vulnerabilities. The advisory follows a run of attacks in which such flaws were exploited in products from Cisco, Palo Alto Networks, and Ivanti; the weakness class also took the fifth spot in MITRE’s most recent CWE Top 25. CISA pointed to well-known mitigations that belong in the design and development process, saying that trusting user input without validation or sanitization puts customers at risk.

(Bleeping Computer)
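To make the advisory’s point concrete, here is an added example (not from CISA’s advisory or from any of the vendors named): a host-lookup helper written the vulnerable way, the same helper with the shell taken out of the loop, and a hardened version that also allowlists the input before it reaches the command. `echo` stands in for a real network tool so the example runs anywhere; the host-name pattern, function names and sample inputs are assumptions.

```python
"""Added example: OS command injection, vulnerable vs hardened (Python).
Not CISA's or any vendor's code. `echo` stands in for a tool like nslookup;
the allowlist pattern and sample inputs are assumptions."""
import re
import subprocess

# Constructed inputs: a benign host name and one carrying an injection payload.
BENIGN = "example.com"
PAYLOAD = "example.com; echo INJECTED"

# Assumed allowlist for a host name: starts and ends with a letter or digit,
# with only letters, digits, dots and hyphens in between. No spaces, no ';',
# and no leading '-' (which would also block argument injection).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def vulnerable_lookup(host: str) -> str:
    """VULNERABLE: the untrusted value is pasted into a string that /bin/sh
    parses. A ';' in `host` ends the intended command and starts another."""
    result = subprocess.run("echo resolving " + host, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def argv_only_lookup(host: str) -> str:
    """BETTER: no shell. The value is passed as a single argv element, so shell
    metacharacters are just bytes in an argument, never parsed as syntax.
    Still no validation, so a hostile value reaches the tool verbatim."""
    result = subprocess.run(["echo", "resolving", host], shell=False,
                            capture_output=True, text=True)
    return result.stdout


def hardened_lookup(host: str) -> str:
    """HARDENED: allowlist-validate first (reject, do not try to sanitise),
    then invoke without a shell. Either layer alone stops this payload; both
    together also keep malformed or option-like values away from the tool."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host name: {host!r}")
    result = subprocess.run(["echo", "resolving", host], shell=False,
                            capture_output=True, text=True)
    return result.stdout


def was_injected(output: str) -> bool:
    """True if the injected command actually ran, i.e. its marker appears as
    a line of its own rather than as part of the echoed argument."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print("vulnerable :", was_injected(vulnerable_lookup(PAYLOAD)))   # True
    print("argv only  :", was_injected(argv_only_lookup(PAYLOAD)))   # False
    try:
        hardened_lookup(PAYLOAD)
    except ValueError as exc:
        print("hardened   :", exc)
```

The takeaway for a code review: any `shell=True` (or `system()`, `popen()`, backticks in other languages) whose command string contains user-controlled data is the bug; escaping the string is a fragile fix, while passing an argv list and validating against an allowlist of what the field is supposed to contain is the durable one.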

Huge thanks to our sponsor, Entro

What are you doing to secure your company’s non-human identities? Vaults and scanners are helpful, but they don’t give the context for where your secrets are, how they’re being used, or when it’s time to remove or rotate them. The Entro platform provides automated lifecycle management and seamless integration, ensuring comprehensive security & compliance through a unified and easy-to-use interface. Visit https://entro.security/ to learn more.

The Fin7 resurgence

Speaking of FIN7, security journalist Brian Krebs highlighted new research on the group’s resurgence. This comes after the US Attorney in Washington declared the group “no more” in May 2023, following a series of convictions of high-profile members. However, researchers at Silent Push released a report documenting FIN7’s rebuilt infrastructure, which now uses over 4,000 hosts to spoof high-profile brands for spearphishing attacks and to run typosquatting attacks against popular free software. The group uses some hosting from Stark Industries Solutions, a provider that came online just before Russia invaded Ukraine and shows links to various Russia-based groups. 

(Krebs on Security)

Poco RAT bites the mining sector

Researchers at Cofense published details on this novel malware, which is named after its use of the POCO C++ libraries. The campaign appears aimed mostly at a single unnamed Latin American mining company, which received 67% of Poco RAT email volume; the operators subsequently targeted manufacturing and utility organizations. The emails link to legitimate file-hosting services, with lures built around invoices and other financial documents. The malware is written in Delphi and, once it has established persistence, communicates only with C2 servers at Latin American IP addresses. There is no word yet on which group is operating the campaign.  

(Dark Reading)

Scammers using deepfakes on Meta platforms

Researchers at Bitdefender Labs looked at fake ad campaigns operating on Facebook, Messenger, and Instagram from March to May this year. They found over 1,000 deepfake videos promoting 40 fake medical supplements, using deepfake audio of celebrities and faked endorsements from politicians, doctors, and other experts. These fake supplements also proved somewhat popular, with one product page attracting over 350,000 followers. The ads entice users to pay for the supplements with discounts and limited-time offers. AI tools likely let the operators scale quickly and adapt to different audiences, generating fake reviews, news coverage, and product sites on demand. 

(The Record)

Google expands security services

It’s always a good idea to keep abreast of changes to Google security services. Google introduced its Advanced Protection Program back in 2017, designed to provide extra security for targeted users like journalists and politicians. Since launch, enrollment has required two physical security keys, with users providing a password plus one of those keys to log in. Google now allows enrolling with a single passkey backed by phone-based biometrics. 

The company also announced that its “dark web reports” will become available to all Google accounts later this month; Google previously limited these reports to Google One subscribers. As a result, the reports will no longer appear in the Google One app and will move instead to general account settings. 

(The Verge, 9to5Google)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.