Chrome Warns Users, KnowBe4 Hires Hacker, Greece’s Registry Attacked – Cybersecurity News [July 22, 2024]
This week’s cybersecurity updates include Google Chrome’s new malicious file alerts, the story of KnowBe4 unknowingly hiring a North Korean hacker, the 400 cyberattacks on Greece’s Land Registry, US sanctions on Russian hackers who targeted critical infrastructure, and threat actors taking advantage of fake CrowdStrike updates. Stay tuned!
Google Chrome Alerts Users About Potentially Dangerous Password-Protected Files
The Chrome browser will now warn you when you download password-protected files that look risky and will alert you to potentially malicious downloads.
Google’s Chrome browser aims to help users understand the dangers of files downloaded from the Internet and now provides more detailed warnings through a new two-tier, AI-powered download warning system. This system evaluates the risk of each file and marks it as either suspicious or dangerous.
The two tiers are distinguished by icon, color, and wording, so users can make an informed choice about what to do with the file after receiving the alert. If Enhanced Protection mode is enabled, the browser will also send suspicious files to Google’s servers for a deep scan, but for password-protected files you’ll have to enter the password if you want them scanned.
Google has made it clear that all files and their passwords will be deleted from its servers after scanning and that any information collected will be used only to improve download protection.
KnowBe4 Accidentally Hires a North Korean Hacker, Leading to a Data Theft Incident
This week, the American cybersecurity company KnowBe4 hired a Principal Software Engineer who turned out to be a North Korean state actor attempting to install info-stealers on company devices.
KnowBe4 detected and stopped the threat actor before any data breach could occur, but the incident highlights that threat actors are impersonating IT security staff in an attempt to compromise organizations from within.
The organization performed background checks, verified references, and conducted multiple video interviews before hiring the threat actor. It later found that he had been using a US person’s identity to evade the checks and had used AI tools to match that person’s face during the video calls.
The organization’s EDR product reported a malware loading attempt from the threat actor’s workstation: an info-stealer was being installed to exfiltrate browser data.
The attacker also made several attempts to manipulate session history files and to run malicious executables downloaded via a Raspberry Pi. KnowBe4 recommends scanning remote devices and vetting and screening resumes more carefully to avoid such incidents in your organization.
Greece’s Land Registry Agency Hit by a Series of 400 Cyberattacks
Greece’s Land Registry agency disclosed that it suffered a data breach after a wave of 400 cyberattacks against its IT infrastructure over the past week.
The agency said the threat actors compromised employee terminals and exfiltrated 1.2 GB of data, only 0.0006% of the agency’s entire data set. The stolen data contains no personal information about citizens, only administrative documents whose exposure will not affect operations.
The threat actors also tried to create a malicious user profile to infiltrate the database, but failed. The agency has been working with the Cybersecurity Directorate of the General Staff of National Defense and has found no sign of ransomware on the breached devices. As a precaution, it has reset all employee passwords and made 2FA mandatory.
The agency is operating normally, and all transactions remained uninterrupted and secure throughout the attacks.
US Imposes Sanctions on Russian Hackers Who Compromised Water Facilities
The US government has imposed sanctions on two Russian threat actors who targeted the country’s critical infrastructure.
The US Treasury issued a press release detailing the action. The sanctioned individuals, Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, are members of CARR (Cyber Army of Russia Reborn), a Russian-aligned hacktivist group active since 2022. CARR uses DDoS (Distributed Denial of Service) attacks against Ukraine and the countries supporting it, and also targets industrial control systems at critical infrastructure sites such as water and energy facilities.
In January this year, CARR compromised the SCADA system of a US energy company and manipulated water storage facilities in Texas, even posting video proof of the intrusion. The group did not cause significant damage but still posed a risk high enough to warrant legal action.
With the sanctions in place, all of the individuals’ US-based property and interests in property are blocked. Any financial institutions found engaging with the threat actors will face fines and sanctions as well.
Fake CrowdStrike Updates Trick Organizations Into Installing Malware and Data Wipers
Threat actors have been exploiting CrowdStrike’s faulty update to install data wipers and remote access tools on organizational devices.
CrowdStrike has been assisting customers since its update crashed millions of Windows hosts worldwide, and has advised them to verify any communication before taking remedial steps, because threat actors are taking advantage of the incident.
The NCSC (UK National Cyber Security Centre) also issued a warning noting a spike in phishing emails exploiting the situation. Threat actors launched a malware campaign targeting customers of BBVA bank with a fake CrowdStrike update that instead installs the Remcos RAT on victim devices. The update is promoted through a phishing site designed to look like the BBVA intranet portal, which asks employees to install the update file to avoid errors when accessing the corporate network.
A similar malware campaign delivers HijackLoader, which in turn downloads the Remcos RAT. Pro-Iranian hacktivists known as Handala have also been distributing data wipers through phishing emails impersonating CrowdStrike. These emails carry a PDF with instructions and a malicious link that downloads a ZIP archive from a file host. The archive contains an executable named “CrowdStrike.exe,” a data wiper that destroys all data stored on the device.
The rise in phishing attacks exploiting CrowdStrike’s update issues underscores the critical need for vigilant phishing protection. Organizations must rigorously verify all communications and updates through official channels to safeguard against malicious threats. Failure to do so could result in severe data loss and system compromise.