Google Admin Security, SharePoint File Theft, Health Department Cyberattacks - Cybersecurity News [April 08, 2024]

by Duocircle


To stay ahead of threat actors and protect valuable assets, you must keep up with the latest cybersecurity news. Join us, and we’ll take you through this week’s discoveries with the new dual admin approval feature in Google Workspace, the new vulnerabilities in Microsoft SharePoint, how threat actors are targeting healthcare IT desks to steal finances, fake Facebook ads and pages spreading malware via hijacked AI tool pages, and the RUBYCARP botnet that has been operating for a decade. Stay Tuned!


Google Workspace Introduces Dual Administrator Approval for High-Risk Alterations

Google announced that it’s rolling out a new feature that requires multiple admins to approve a high-risk setting instead of just one.

The new feature, “Multi Party Approvals, ” is designed with an approval request system to add an extra layer of security without unnecessary burden.

The feature will make sure that all actions are appropriate. Moreover, once an admin initiates a change, the other admins just have to approve it, and it will be executed automatically without any additional action. The requests for approvals will be sent via email, and you can approve or view them in the Admin console for 72 hours before they expire. You will be able to set these multi-party approvals for the following high-risk settings:

  • Account Recovery
  • Advanced Protection
  • Login Challenges
  • Passwordless
  • Google Session Control
  • 2-Step Verification

The new feature will control hackers, as they won’t be able to perform malicious activities even if they have hijacked a super admin account. It will also prevent harmful actions by genuine admin operators that could lower Google Workspace’s security


SharePoint Vulnerabilities Allow Thieves to Stealthily Extract Files

Varonis researchers have shared two techniques that threat actors could use to bypass audit logs when downloading SharePoint files. 

MS SharePoint is used by countless enterprises globally and integrates MS Office with 365 for data management and data storage. Varonis shared a look into these techniques. The first one uses the “Open in App” feature that users typically use to open documents in Microsoft Word instead of the web browser. If you use it, it does not generate any download log in the audit logs and creates an “Access” event instead.


data theft


The second one is spoofing of the User-Agent string of file access requests via a PowerShell script to make downloads appear as data syncing events. The issues were rated as moderate when they were first disclosed at the end of 2023, which means they won’t get immediate fixes. 

It’s best to learn how exactly these flaws work, but there’s little that customers can do at their end. Microsoft has shared that it’s best for vendors to use “FileAccessed, FileDownloaded, plus two potential sync-related signals, FileSyncDownloadedFull and FileSyncDownloadedPartial audit events to monitor for file access.”


US Health Department Alerts Hospitals to Cyberattacks Aimed at IT Support Desks

The US HHS (Health and Human Services) department issued a warning this week for the Healthcare sector regarding threat actors who are targeting IT help desks

Threat actors have been using social engineering tactics to target said help desks. They use a local area code to call up enterprises and pose as employees of the financial department via stolen ID cards and SSNs (Social Security Numbers).

Once they gain trust, they share how their smartphone is broken and ask the worker to enroll a new device, which the threat actor can misuse to redirect transactions in BEC (Business Email Compromise) attacks. The threat actors target login credentials to payer websites, gain access to employee emails and then send instructions to update the payment method (a threat actor-controlled US bank account). 

The tactics observed in these social engineering attacks look like the work of the Scattered Spider gang, which is known for phishing, SIM swapping, and MFA bombing


MFA fatigue attacks

Stages of an MFA bombing attack

Image sourced from


Counterfeit Facebook AI Page Distributes Malware to Over a Million Users

In other news, hackers have developed a liking to Facebook and are posting advertisements on the social media platform to promote fake AI services like MidJourney, OpenAI’s SORA and ChatGPT-5, and DALL-E for spreading malware

The threat actors start these malware campaigns via hijacked FB accounts and impersonate AI services. They use these accounts to spread info-stealers via fake posts that offer a sneak peek of new features of AI platforms. The malware collects browser information, credentials, cookies, crypto wallet info, credit card info, and autocomplete data from the victim’s system, which is sent back to the threat actors.

Since the craze of AI is so high these days, the reach of these campaigns is staggering. A malicious FB page impersonating Midjourney got nearly 1.2 million followers and posted regularly for almost a year before it was identified and taken down. 

The threat actors don’t use the pages for only tricking people into downloading malware. In many cases, the threat actors also entice people via opportunities to create NFT art and sell them. 


RUBYCARP Cybercriminals Connected to Decade-Old Cryptomining Network

A new Romanian botnet came into light that is exploiting vulnerabilities in brute force attacks against corporate networks

Known as RUBYCARP, the botnet is managed on private IRC channels and has over 600 compromised servers. Researchers at Sysdig shared a new report highlighting how the botnet has 39 different variants and has been active for at least a decade.

Sysdig has been detecting RUBYCARP for many months and noticed how the threat actors behind it began using brute-force attacks against SSH servers and are targeting WordPress sites.

First, the shellbot payload is installed on one of the compromised servers, which connects to the IRC-based C2 (Command and Control) server. The payload and its IP (Internet Protocol) address are also blocked to keep security analysts from launching unauthorized probes if the configuration cannot establish a connection properly.


phishing emails


Once on the system, threat actors can use it to launch DDoS (Distributed Denial of Service) attacks, phishing or financial frauds and scams, and even mine crypto. The threat actors also steal financial information by deploying phishing templates and sending phishing emails to both individual targets and organizations. 

RUBYCARP is not the most significant botnet in the wild but it’s managed to operate undetected for over 10 years so the threat actors behind it are surely professionals. Diligent endeavors in implementing phishing protection measures and conducting phishing awareness training programs can shield businesses from such attacks.

Pin It on Pinterest

Share This