Cyber thieves swipe worker information at Cincinnati-based Procter and Gamble
From
The article is about Procter & Gamble (P&G) having a cyber incident that stemmed from using a file transfer tool called GoAnywhere, which allowed the attackers to obtain employee information. The attackers exploited a bug in the tool and then launched a ransomware attack. The attackers were part of a Russian group and they sell ransomware as a service. Bad guys buy this software to use it to gain money (i.e. ransomware). P&G stated there is no evidence they stole any customer data. The employee data that was obtained didn’t include SSNs, credit card details, or bank account info.
API Security Flaw Found in Booking.com Allowed Full Account Takeover
Several security flaws have been found in the implementation of the Open Authorization (OAuth) social-login feature used by the online travel agency Booking.com. The vulnerabilities discovered by Salt Security could potentially affect users logging into the site via their Facebook accounts. “The OAuth misconfigurations could have allowed for both large-scale account takeover (ATO) on customers’ accounts and server compromise,” wrote Salt Security security researcher Aviad Carmel. The security expert said that while OAuth provides a more effortless user experience in interacting with websites, its complex technical back-end can create security issues with potential exploitation.
https://www.infosecurity-magazine.com/news/api-security-flaw-found-bookingcom/
Application Security Requires More Investment in Developer Education
A recent study suggests a significant surge in attacks against applications, such as cross-site scripting, brute-force attacks, and SQL injections, which is raising significant concerns. As many as 70% of organizations are missing critical security steps in their software development life cycle (SDLC) and vulnerabilities are rising exponentially. To solve this dilemma, enterprises need to shift their focus from finding, patching, and fixing vulnerabilities to proactively ensuring they don’t deliver insecure code in the first place. This requires human foresight, and as a result, greater investment in education for all those responsible for developing software.
Based on feedback from 1,300 CISOs about the state of application security and DevSecOps in their organizations, 75% of CISOs are worried too many application vulnerabilities leak into production, despite a multi-layered security approach.
https://www.darkreading.com/application-security/application-security-requires-more-investment-in-developer-education
https://www.dynatrace.com/monitoring/platform/application-security/
Malicious ChatGPT Extensions
The second malicious ChatGPT extension for Chrome has been discovered, giving malicious actors access to users’ Facebook accounts through stolen cookies. The extension, discovered by Guardio Labs, was downloaded more than 9,000 times before Google removed it from the Chrome store on March 22, 2023. It has been advertised through sponsored Google search results, aiming at users who were searching for details about OpenAI’s latest Chat GPT4 algorithm.
Individuals who clicked on sponsored results for the popular generative AI app were directed to a counterfeit “ChatGPT for Google” webpage, then led to the malicious extension’s page on Chrome’s official store. Once installed, the malware exploits the Chrome Extension API to pilfer session cookies for Facebook accounts, giving threat actors full access to a victim’s Facebook account.
From March 3 to March 9, a minimum of 2,000 individuals per day acquired that malicious “Quick access to ChatGPT” Chrome extension from the Google Play app store. If the extension was able to access a Facebook Business account, it immediately collected all relevant data related to that account, such as ongoing promotions, available credit, currency, minimum billing threshold, and any linked credit facility. Malicious extensions also monitor the browsing activity of the user and insert illegitimate IDs into e-commerce websites, resulting in fabricated affiliate payments.
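A defender-side triage check in the spirit of the post above, added here as an example (it is not code from the article or from Guardio Labs): it parses a Chrome extension manifest and flags the combination that session-cookie theft requires, the `cookies` permission together with host access to a watched site. Both manifests are constructed samples and `WATCHED_HOSTS` is an assumed list.

```python
import json

# Constructed sample manifest (not any real extension's file): it shows the
# capability set a cookie-stealing extension needs: the cookies API, host
# access to the target site, and a background worker that runs unattended.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Quick access to ChatGPT",
    "permissions": ["cookies", "tabs", "storage"],
    "host_permissions": ["*://*.facebook.com/*", "https://chat.openai.com/*"],
    "background": {"service_worker": "bg.js"},
})

# Constructed benign manifest for comparison: no cookies API, no host access.
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Word counter",
    "permissions": ["storage"],
})

# Assumed list of sites whose session cookies are high value; extend as needed.
WATCHED_HOSTS = ("facebook.com", "instagram.com", "google.com")


def host_matches_watched(pattern: str) -> bool:
    """True if a host match pattern covers a watched site.
    '<all_urls>' and '*://*/*' cover every site, so they always match."""
    if pattern in ("<all_urls>", "*://*/*"):
        return True
    host = pattern.split("://", 1)[-1].split("/", 1)[0].lstrip("*.")
    return any(host == w or host.endswith("." + w) for w in WATCHED_HOSTS)


def triage_manifest(manifest_text: str) -> dict:
    """Flag the permission combination that enables session-cookie theft."""
    m = json.loads(manifest_text)
    perms = set(m.get("permissions", []))
    hosts = list(m.get("host_permissions", []))
    if m.get("manifest_version", 2) < 3:
        # Manifest V2 lists host patterns inside "permissions" instead.
        hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    findings = []
    if "cookies" in perms:
        findings.append("requests chrome.cookies (can read any cookie in scope)")
    watched = [h for h in hosts if host_matches_watched(h)]
    if watched:
        findings.append("host access covers watched sites: " + ", ".join(watched))
    if "background" in m:
        findings.append("background worker (runs without a visible page)")
    return {
        "name": m.get("name", "?"),
        "findings": findings,
        # The cookies API only works for hosts the extension also has access to,
        # so both conditions together are what cookie theft requires.
        "cookie_theft_capable": "cookies" in perms and bool(watched),
    }


if __name__ == "__main__":
    for text in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(text))
```

Run it over the `manifest.json` of each installed extension to get a quick list of which ones could read cookies for the sites you care about.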
GitHub Updates Security Protocol For Operations Over SSH:
The company stated that the modification was made in order to safeguard customers’ Git operations over SSH, especially from potential threat actors seeking to pose as GitHub or spy on their activities. At the same time, they made it clear that the action was unrelated to a security breach involving GitHub systems or user data.
https://www.infosecurity-magazine.com/news/github-updates-security-protocol/
https://www.cisa.gov/sites/default/files/2023-03/untitled_goose_tool_fact_sheet_final_508cv2.pdf
This week CISA.gov released the Untitled Goose Tool, an oddly named tool that helps with incident response and threat hunting. It is able to review log data and configurations to assist in identifying and responding to security incidents. It is especially useful for very large cloud applications such as Microsoft’s O365 suite.
Fake ChatGPT Chrome Browser Extension Caught Hijacking Facebook Accounts
The article I have chosen to highlight this week speaks to the incredibly popular ChatGPT AI. Specifically, a Chrome browser extension named “ChatGPT for Google” has targeted Facebook accounts by harvesting session cookies. Per the article, the “ChatGPT For Google” extension, a trojanized version of a legitimate open source browser add-on, attracted over 9,000 installations since March 14, 2023, prior to its removal. It was originally uploaded to the Chrome Web Store on February 14, 2023.
https://thehackernews.com/2023/03/fake-chatgpt-chrome-browser-extension.html
https://thehackernews.com/2023/03/uk-national-crime-agency-sets-up-fake.html
The UK’s National Crime Agency has set up a fake crypto trading platform in the hope of catching the people who are involved in money laundering. The platform is made to look and feel real in order to lure people engaged in illegal activities. This has led the Crime Agency to arrest multiple people, and the number of people arrested will keep going up. The use of cryptocurrency has become an issue, and this is one way to combat this growing trend.
Per the writer, while storing data in the cloud, the major challenges in application security are storage protection, authentication/authorization, and data integrity. He recommends best practices such as using groups to organize users with similar job functions and assigning the appropriate roles to each group, creating identity and access management (IAM) roles that grant access only to the specific tasks and resources needed for each role, as well as identifying the specific tasks and resources users need to access to perform their jobs effectively.
I find the article interesting because by complying with these simple and cost-effective best practices, businesses can safeguard against cyber-attacks.
https://www.infosecurity-magazine.com/next-gen-infosec/secure-cloud-application-security/
A hacking group stole $11 million from 12 African countries. The threat actor, which mainly targeted Francophone Africa, was codenamed OPERA1ER and relied solely on known off-the-shelf tools. It managed to launch over 30 successful attacks against banks, financial services providers, and telecommunication companies between 2018 and 2022, stealing $11 million in the process. OPERA1ER used open-source programs, malware freely available on the dark web, and popular red teaming frameworks, such as Metasploit and Cobalt Strike.
https://qz.com/12-african-countries-lost-11-million-to-hackers-1849751086
WooCommerce is a popular WordPress plugin that adds e-commerce functionality so that website owners can have their own stores. A design flaw in the WooCommerce Payments plugin for WordPress has a serious security vulnerability that could allow an attacker to gain unauthorized access to the affected store and completely take over the site. The vulnerability affects versions 4.8.2 through 5.6.2. WordPress has issued a patch and automatic updates for sites that use the affected software version. No evidence of the vulnerability being actively exploited has been found, but users will need to update to the latest version, check for newly added admin users, and change all admin passwords and API keys. It is worth noting that to successfully exploit this vulnerability, an attacker would need access to a user account with the Shop Manager role. So the attacker would have to be an insider or otherwise obtain Shop Manager credentials, for example through an XSS exploit or phishing.
https://www.csoonline.com/article/3691637/critical-flaw-in-woocommerce-can-be-used-to-compromise-wordpress-websites.html
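One way to do the post-patch check the post describes (look for newly added admin users), added here as an example rather than code from the article or the WooCommerce project: it runs the WordPress admin-role query against an in-memory SQLite copy of `wp_users`/`wp_usermeta` built from constructed rows. The cut-off date and the `owner` allowlist are placeholders; the same SQL works on the live MySQL database with the site's real table prefix.

```python
import sqlite3

# Constructed sample rows (not from any real site). WordPress keeps the role
# in wp_usermeta under 'wp_capabilities' as a PHP-serialized array, so an
# administrator row contains the quoted string "administrator".
SAMPLE_USERS = [
    (1, "owner", "2021-05-01 10:00:00", "owner@example.test"),
    (2, "shopmgr", "2022-02-10 09:30:00", "mgr@example.test"),
    (3, "wpadm1n", "2023-03-23 02:14:07", "x@mail.invalid"),  # constructed oddity
]
SAMPLE_META = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:12:"shop_manager";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]

# Base query: every account whose capabilities include the administrator role.
# On a real site replace the "wp_" prefix with the one configured for the site.
ADMIN_QUERY = """
    SELECT u.ID, u.user_login, u.user_registered, u.user_email
    FROM wp_users u
    JOIN wp_usermeta m ON m.user_id = u.ID
    WHERE m.meta_key = 'wp_capabilities'
      AND m.meta_value LIKE '%"administrator"%'
"""


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the two WordPress tables the audit touches."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,"
                " user_registered TEXT, user_email TEXT)")
    con.execute("CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT,"
                " meta_value TEXT)")
    con.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    con.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", SAMPLE_META)
    return con


def admins_registered_since(con, since: str) -> list:
    """Logins of administrator accounts created on or after `since`
    (YYYY-MM-DD HH:MM:SS), oldest first."""
    sql = ADMIN_QUERY + " AND u.user_registered >= ? ORDER BY u.user_registered"
    return [row[1] for row in con.execute(sql, (since,))]


def unexpected_admins(con, allowlist) -> list:
    """Logins of administrator accounts not on the owner-maintained allowlist,
    whatever their age (catches accounts with a back-dated registration)."""
    return [row[1] for row in con.execute(ADMIN_QUERY) if row[1] not in allowlist]


if __name__ == "__main__":
    db = build_db()
    # Placeholder cut-off: use the date the vulnerable plugin version was installed.
    print("new admins:", admins_registered_since(db, "2023-03-01 00:00:00"))
    print("unknown admins:", unexpected_admins(db, {"owner"}))
```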
New MacStealer Targets Catalina, Newer MacOS Versions
A new piece of information-stealing malware (infostealer) has been observed for Catalina and newer macOS running on Intel M1 and M2 CPUs. This malware can extract information from documents, browser cookies (Firefox, Google Chrome, and Brave), and login information. To guard against this threat, security researchers advise users to keep their Mac systems up to date and only allow files to be installed from trusted sources that are allowed in the “Allow apps downloaded from App Store/App Store and identify Developer” setting.
https://www.infosecurity-magazine.com/news/macstealer-targets-macos-versions/
Malicious ChatGPT Chrome Extension Hijacks Facebook Accounts
https://www.infosecurity-magazine.com/news/malicious-chatgpt-chrome-hijacks/
Researchers discovered a malicious Chrome extension called “ChatGPT” that hijacks user sessions and can potentially be used to steal sensitive information. The extension claims to use OpenAI’s ChatGPT language model to provide personalized responses to chat messages, but in reality, it installs a hidden remote access trojan (RAT) that can take control of a victim’s browser and execute arbitrary code. The researchers believe that the extension was created by a group of threat actors known as “Indo-European Cyber Army” and that it was being used in targeted attacks against specific individuals. The extension has since been removed from the Chrome Web Store, but users who installed it are still at risk and should uninstall it immediately. The discovery highlights the ongoing threat of malicious browser extensions and the importance of being cautious when installing third-party software.
Deep Dive Into 6 Key Steps to Accelerate Your Incident Response
Organizations rely on incident response to ensure they are immediately aware of security incidents, allowing for quick action to minimize damage. They also aim to avoid follow-on attacks or future related incidents.
The SANS Institute provides research and education on information security. In the upcoming webinar, we’ll outline, in detail, six components of a SANS incident response plan, including elements such as preparation, identification, containment, and eradication.
https://thehackernews.com/2023/03/deep-dive-into-6-key-steps-to.html