
27.08.24 Threat Report

Google Alerts Users to Serious Chrome Security Flaw (CVE-2024-7965)

Google has alerted users to a high-severity security flaw in its Chrome browser, tracked as CVE-2024-7965. The vulnerability sits in V8, the engine that runs JavaScript and WebAssembly inside every web page Chrome loads. A crafted HTML page can trigger heap corruption in V8, which is the usual first step towards running attacker code on the victim's machine (in practice, chained with a sandbox escape to break out of the renderer process).

The flaw was discovered on July 30, 2024, by a security researcher known as TheDog, who was awarded $11,000 for reporting it. Google quickly released a patch in Chrome version 128.0.6613.84, and users are strongly advised to update their browsers to this version or later to protect against potential attacks.

Google describes the root cause as an "inappropriate implementation" in V8 that can lead to heap corruption, a class of memory-safety bug that is routinely turned into remote code execution. Google has confirmed that an exploit for this flaw exists in the wild, but it has not disclosed who is using it or against whom.

This is the ninth Chrome zero-day Google has fixed in 2024, a tally that includes the bugs demonstrated at the Pwn2Own 2024 competition. Earlier examples are CVE-2024-0519, CVE-2024-2886 and CVE-2024-7971, several of which also affected V8.

Given the active exploitation of this vulnerability, users are urged to update their Chrome browsers on Windows, macOS, and Linux systems to the latest version immediately. Keeping software up to date is one of the most effective ways to protect against security threats.


Serious RCE Vulnerability in Windows TCP/IP Stack (CVE-2024-38063) Exposes Systems to Remote Attacks

A critical vulnerability identified as CVE-2024-38063 has been found in the Windows TCP/IP stack (tcpip.sys). The flaw lies in the handling of IPv6 packets and can lead to a heap-based buffer overflow, allowing a remote attacker to execute arbitrary code on an affected system with kernel-level privileges. Because it is triggered by specially crafted packets sent over the network, with no authentication and no user interaction, a successful attack gives the attacker full control of the machine. Microsoft patched the issue in its August 2024 updates; although a working exploit is non-trivial to build, unpatched systems with IPv6 reachable from an attacker remain at severe risk.

The vulnerability can only be exploited where IPv6 is enabled on the target, and a successful attack means complete system compromise. Security teams should apply the August 2024 updates, treat disabling IPv6 on hosts that do not need it as a stopgap rather than a substitute for patching, and monitor for unusual IPv6 traffic (in particular unexpected fragmented packets) at the network edge.

For technical details and proof of concept, visit the GitHub repository.

Scammers Use AI Deepfake Videos of Keir Starmer and Prince William

Scammers are using deepfake videos of Sir Keir Starmer and Prince William to promote fraudulent cryptocurrency schemes on platforms like Facebook and Instagram. These AI-generated videos, which falsely depict the UK Prime Minister and the Prince of Wales endorsing a scam trading platform, have targeted nearly 900,000 people.

The deepfake videos are part of a larger scam that uses artificial intelligence (AI) to create realistic, yet fake, endorsements from public figures. Over 250 advertisements featuring these AI-generated versions of Sir Keir Starmer and Prince William have been identified, all promoting a fraudulent cryptocurrency trading platform called “Immediate Edge.”

The scam ads suggest that the trading platform has been endorsed by these high-profile individuals. The ads, which have reached 891,834 users on Facebook and Instagram, were discovered by Fenimore Harper, a media research firm, using Meta’s open-source AI tool, Llama 3.1.

When users click on the links in the fake ads, they are taken to a landing page that asks for their name, phone number, and email address. Scammers then contact these victims, persuading them to deposit money into a fake online trading platform. The scammers typically show a fake portfolio that appears to be making profits, convincing the victims to invest even more money.

One of the fake ads features Sir Keir Starmer saying, “Your life is about to change. I am Keir Starmer, Prime Minister of the United Kingdom and leader of the Labour Party. I have been waiting for you. Today is your lucky day. I don't know how you found this page, but you won't regret it.” The ad falsely claims that 45 people have been chosen to earn "life-changing money" through this project, with promises of earning £1,000 daily without needing any special skills.

Another fraudulent ad features an AI-generated Prince William stating, “I am pleased to announce that I, Prince William, and the entire royal family fully support Prime Minister Keir Starmer’s initiative and his new platform.”

According to Meta's advertising platform, up to £21,053 was spent on these fraudulent ads, which made up 43% of all Meta advertisements featuring Sir Keir Starmer, as found by Fenimore Harper’s research. The research also revealed that Google mistakenly promoted the disinformation, showing a misleading result that described Immediate Edge as legitimate when users searched for information about the scam.

More needs to be done to combat online disinformation. The ability to impersonate well-known figures through AI has made it easier to spread false information quickly, posing significant risks to individuals, public figures, businesses, and democracy itself.

Greater transparency in online advertising, including who is paying for an ad and whom it is shown to, would help slow the spread of this kind of false information.

Fake Slack Ads Distributing Harmful Software

Thinking of getting Slack? Be careful: cybercriminals are using deceptive Google search ads that pose as legitimate ads for Slack, the popular communication tool, to spread malicious software. The attack is both sneaky and technically sophisticated, and shows how much effort threat actors now put into evading detection.

Over the past year, there have been nearly 500 cases of malvertising—where fake ads are used to spread malware—related to Google search ads. These incidents often have similar characteristics, suggesting that the attackers are working together in coordinated campaigns. Some attackers take great care to bypass security systems, while others are willing to risk losing their accounts and resources to achieve their goals. The attack targeting Slack stands out for its cleverness and complexity.

For several days, a suspicious ad for Slack appeared at the top of Google search results. At first, it looked like a normal ad that directed users to Slack's official website. However, on closer inspection, it was clear that the advertiser was promoting products aimed at the Asian market, making the Slack ad seem out of place.

This oddity raised alarms and highlighted the importance of being able to spot unusual patterns when trying to detect compromised ad accounts.

Initially, clicking on the Slack ad took users to a pricing page on Slack’s official website. This tactic, known as “slow cooking,” is commonly used by attackers. By allowing the ad to behave normally at first, they avoid detection for a longer period.

Eventually, the ad's behaviour changed: it began sending users through a click tracker, a legitimate ad-platform feature that attackers abuse to redirect visitors to sites of their choosing. The ad's final URL became slack-windows-download[.]com, a domain registered only a week earlier. The page looked harmless at first, but further investigation showed it was a fake Slack site offering a download link designed to trick victims.

This tactic, called "cloaking," involves showing different content to different users, which makes it difficult to detect harmful activity without special tools and a good understanding of how attackers operate.

Clicking the download button on the fake Slack page triggered a file download from another domain, suggesting that the attackers might also be targeting Zoom users. Analysis in a controlled environment showed that the file made a remote connection to a server previously linked to SecTopRAT, a type of malware that can steal information and give attackers remote access to the victim’s system. This kind of malware has been used in other fake ad campaigns, including ones that pretended to be from NordVPN.

In response, cybersecurity company Malwarebytes has improved its detection capabilities and reported the fake ad to Google. Additionally, Cloudflare has marked the fake domains as phishing sites.

Despite these efforts, attackers continue to use both free and paid platforms to avoid being detected, showing patience and careful planning in their attacks.

As cyber threats become more advanced, it is important for individuals and organisations to stay alert and informed. Users should be cautious when clicking on ads and always check that websites are legitimate before downloading anything.

By staying informed and taking proactive security steps, we can better protect ourselves from the ever-changing landscape of cyber threats.

Major Cyber Attack on AWS Cloud Targets 230 Million Systems

Researchers from Unit 42 have uncovered a large-scale extortion campaign against organisations running on Amazon Web Services (AWS). The campaign scanned more than 230 million unique endpoints in search of exposed credentials.

The attackers did not break AWS itself; they took advantage of misconfigured web applications that left environment variable files (.env) readable over the internet. These files, often overlooked in security reviews, hold secrets such as API keys, database passwords and cloud access keys for the services an application talks to. With a leaked AWS access key in hand, the attackers could authenticate to the victim's AWS account and move further into its environment.
</thinking_mode>

The attackers used automated tools to scan over 10,000 domains for exposed .env files. These files held crucial information that allowed the attackers to conduct a thorough examination of the compromised environments. Using AWS API calls such as GetCallerIdentity, ListUsers, and ListBuckets, they gathered information about the environment they had breached.

Next, the attackers increased their control by creating new IAM roles with full administrative privileges, showing a deep understanding of AWS IAM (Identity and Access Management) components. They then deployed malicious Lambda functions designed to search for more .env files across multiple AWS regions, with a particular focus on Mailgun credentials, which could be used for large-scale phishing attacks.

The scale of the campaign was enormous: more than 230 million unique endpoints were scanned and over 110,000 domains were found exposing .env files. Data harvested from compromised accounts was copied to S3 buckets under the attackers' control.

This attack highlights the need for strong IAM policies, constant monitoring of cloud activities, and secure configuration practices to prevent unauthorised access and protect sensitive data in cloud environments.

Much of the attackers' activity was hard to see. They used S3 Browser, a desktop client, and because object-level (data event) logging was not enabled on the affected buckets, the individual GetObject and DeleteObject calls were never written to CloudTrail. The exfiltration was nonetheless visible as an unusual spike in GetObject and DeleteObject request counts in the accounts' Cost and Usage Reports. Enabling S3 data events in CloudTrail for sensitive buckets would have recorded those calls directly.

After stealing and deleting the data, the attackers left ransom notes in the emptied S3 buckets, demanding payment to avoid data leaks and possibly restore the deleted information. In some cases, these ransom notes were sent directly to company shareholders via email.

The campaign also compromised social media login credentials and exposed various details about the organisations' infrastructure.

Organisations should take steps to improve their security measures, such as disabling unused AWS regions, maintaining robust logs with a 90-day retention period, and using Amazon GuardDuty. Additionally, companies should adopt the principle of least privilege, prefer temporary credentials, and develop custom alerting systems based on their specific AWS usage patterns.

A multi-layered defence strategy, including continuous monitoring and regular security audits, is essential to mitigate the risks posed by such advanced attack campaigns.

AWS clarified that its services and infrastructure were not compromised by this attack. The issues arose due to the attackers exploiting misconfigured web applications that allowed public access to .env files, some of which contained AWS credentials. AWS advises that environment variable files should never be publicly accessible and should not contain AWS credentials. Instead, AWS offers various secure methods for web applications to access temporary AWS credentials.

Protecting Digital Health Solutions

Contact Periculo for expert cyber security solutions tailored to the digital health industry.
