21.10.24 Threat Report

Fake Google Meet Pages Deliver Infostealers

Cybercriminals are using fake Google Meet web pages in an ongoing campaign known as "ClickFix" to distribute malicious software, specifically targeting both Windows and macOS systems.

According to a report from French cybersecurity firm Sekoia, the attackers deceive users by displaying fake error messages in their web browsers, tricking them into copying and executing harmful PowerShell commands. This results in malware infections on their devices.

The ClickFix campaign, also known as ClearFake or OneDrive Pastejacking, has been active in recent months. It employs various tricks to redirect users to fraudulent pages that mimic popular services like Facebook, Google Chrome, PDFSimpli, reCAPTCHA, and now Google Meet and possibly Zoom. These fake pages prompt users to run encoded PowerShell commands to fix alleged browser issues, leading to the installation of malware.

Sekoia has linked these Google Meet phishing activities to two criminal groups, Slavic Nation Empire and Scamquerteo, which are part of larger cybercrime organisations known as Markopolo and CryptoLove. Both groups use the same fake Google Meet page template, suggesting they share resources and infrastructure, potentially provided by a third-party cybercrime service.

The malicious domains used in this campaign include:


For Windows users, the attack installs StealC and Rhadamanthys stealers, while macOS users are targeted with a booby-trapped disk image file ("Launcher_v1.94.dmg") that installs another stealer called Atomic.

This campaign is particularly dangerous because it sidesteps security tools that watch for automatic downloads. Instead of downloading and running malware itself, it relies on users manually pasting and executing the malicious code on their own systems.
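Because the victim pastes the command themselves, the defender's signal is not a download but a process-creation event: PowerShell spawned by the Windows shell with an encoded command line. The following triage script is an added illustration, not part of the original report; the Sysmon-style event records and the encoded payload are constructed for the example, and the field names and thresholds are assumptions.

```python
import base64
import re

# ClickFix lures have the victim paste a command into the Run dialog or a console, so
# PowerShell shows up as a child of explorer.exe carrying an -EncodedCommand payload.
ENCODED = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")
HIDDEN = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")

def encode_ps(script):
    """Encode a script the way powershell.exe -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

def decode_ps(blob):
    """Recover the plaintext script from an -EncodedCommand argument, or None if malformed."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(event):
    """Return a finding when an event matches the ClickFix execution pattern, else None."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    if image not in ("powershell.exe", "pwsh.exe"):
        return None
    match = ENCODED.search(event["CommandLine"])
    if not match:
        return None
    reasons = ["encoded command line"]
    if parent == "explorer.exe":
        reasons.append("spawned by explorer.exe (Run dialog / pasted command)")
    if HIDDEN.search(event["CommandLine"]):
        reasons.append("hidden window requested")
    severity = "high" if len(reasons) >= 2 else "medium"
    return {"user": event["User"], "severity": severity, "reasons": reasons,
            "decoded": decode_ps(match.group(1))}

def scan(events):
    # Run triage over a batch of process-creation events and keep only the findings.
    return [f for f in (triage(e) for e in events) if f]

# Constructed sample: one pasted ClickFix-style command and one routine scheduled script.
SAMPLE_EVENTS = [
    {"User": "CORP\\alice", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc " + encode_ps("Write-Host 'constructed sample'")},
    {"User": "NT AUTHORITY\\SYSTEM", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
]
```

The decoded script in each finding is what an analyst would read first; a real deployment would feed actual Sysmon or EDR process-creation events into `scan` instead of the constructed list.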

In addition, a rise in open-source infostealers, such as ThunderKitty, Skuld, Kematian, Divulge, DedSec (Doenerium), Duck, Vilsa, and Yunit, has made malware attacks more accessible to cybercriminals. These tools lower the entry barrier for attackers, posing a growing risk to businesses and individuals alike, according to cybersecurity firm Hudson Rock.


Microsoft Reveals macOS Vulnerability that Bypasses Privacy Controls in Safari Browser

Microsoft has revealed details about a vulnerability in macOS that allowed attackers to bypass Safari’s privacy controls and access sensitive user data. This flaw, tracked as CVE-2024-44133 and nicknamed "HM Surf," has since been patched by Apple in macOS Sequoia 15.

The vulnerability exploited Apple's Transparency, Consent, and Control (TCC) framework, which is designed to prevent unauthorised access to personal data. Attackers could manipulate the TCC protections for Safari, modifying configuration files to gain access to users' browsing data, camera, microphone, and location—without the user's consent.

Jonathan Bar Or from Microsoft’s Threat Intelligence team explained that this issue was specific to Safari, and Microsoft is now working with other browser vendors to enhance security for local configuration files.

HM Surf is part of a series of vulnerabilities in macOS identified by Microsoft, including flaws like Shrootless and Achilles, that could bypass security measures. TCC normally requires user consent before apps access personal information, but Safari’s permissions allow it to bypass TCC through specific entitlements, such as "com.apple.private.tcc.allow." Although Safari uses these entitlements for legitimate functions, they also pose security risks if exploited.

The exploit worked by modifying files in Safari’s configuration, stored in the user's home directory, and tricking Safari into using these altered files. This allowed attackers to capture video, audio, or location data without user approval. While third-party browsers are not affected, Microsoft noted that an adware campaign known as AdLoad may have exploited this vulnerability.

Microsoft emphasised the importance of updating macOS to protect against these threats, especially as suspicious activity tied to AdLoad has been observed. Though it's unclear if AdLoad directly used the HM Surf vulnerability, its similarities highlight the need for robust security defences against such attacks.


US contractor pays $300K to settle accusation they didn't look after Medicare users' data

A U.S. government contractor, ASRC Federal Data Solutions (AFDS), has agreed to pay $306,722 to settle allegations of cybersecurity failures that led to a breach of Medicare beneficiaries' personal information. The breach, which occurred between March 2021 and October 2022, involved the improper storage of sensitive data by a subcontractor.

The issue arose when AFDS transitioned to electronic handling of Medicare support services for the Centers for Medicare and Medicaid Services (CMS) during the COVID-19 pandemic. A subcontractor engaged by AFDS used servers that did not fully comply with the Department of Health and Human Services' (HHS) cybersecurity requirements. Although disk-level encryption was in place, it only protected the data against someone without valid credentials; anyone who logged in with valid credentials could read the files in the clear.

The breach occurred when the subcontractor took unencrypted screenshots of CMS systems that contained personally identifiable information (PII). These files were later accessed by an unauthorised third party using valid credentials in October 2022.

The U.S. government filed the allegations under the False Claims Act, stating that AFDS improperly billed CMS for managing these unencrypted screenshots, violating HHS cybersecurity protocols.

Despite settling, AFDS did not admit liability. The contractor also agreed to waive reimbursement for expenses incurred in addressing the breach, including $877,578 spent on notifying victims and providing credit monitoring services.

AFDS was credited for its prompt response, alerting CMS within an hour of learning about the breach, initiating a third-party security review, and providing additional security training to staff. This cooperation, along with its remediation efforts, was acknowledged in the settlement.

The Justice Department emphasised that contractors handling sensitive personal information must comply with cybersecurity requirements to protect against data breaches. The settlement underscores the government’s commitment to using all available tools to safeguard healthcare data and address fraud and abuse within taxpayer-funded programs.


Healthcare Services Group discloses 'cybersecurity incident'

Healthcare Services Group (HSG), a provider of housekeeping, laundry, and dining services to U.S. healthcare facilities, has disclosed a "cybersecurity incident" in a recent filing with the Securities and Exchange Commission (SEC). The incident, reported on October 9, involved unauthorised activity within some of HSG’s systems.

In the SEC Form 8-K filing, HSG stated that it immediately initiated its Cybersecurity Incident Response Process and enlisted the help of third-party cybersecurity experts to investigate the breach. Law enforcement authorities have also been notified, and the company is continuing to monitor the situation as part of its ongoing response.

At this stage, HSG has not disclosed specific details regarding the cause, scope, or potential impact of the incident, as the investigation is still in progress. However, the company has indicated that it does not expect the breach to have a significant financial or operational impact on its business.

This incident adds to a growing list of cyberattacks targeting U.S. healthcare-related organisations. For example, Gryphon Healthcare, a provider of revenue cycle and billing management services, also suffered a significant breach recently, with cybercriminals stealing sensitive personal and medical data affecting 400,000 individuals. Similar to HSG, Gryphon’s breach has already triggered legal actions, with law firms seeking to organise a class-action lawsuit.

Earlier this year, Change Healthcare experienced a major breach by the ALPHV/BlackCat ransomware group, leading to multiple class-action lawsuits.

HSG, which operates across 48 states and serves around 5,000 healthcare facilities, is one of the many companies in the healthcare sector grappling with the rising threat of cyberattacks.
