Google Cloud Run Exploited by Hackers to Distribute Banking Trojans
- Written by Shipra Sanganeria Cybersecurity & Tech Writer
- Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor
In a large malware distribution campaign, threat actors have been abusing Google's Cloud Run service to deliver banking trojans including Astaroth, Mekotio, and Ousaban.
Google's Cloud Run service lets developers build and deploy web applications and websites without managing or scaling the underlying infrastructure.
Security researchers at Cisco Talos observed a surge in this campaign beginning in September 2023, when emails sent from Brazil used malicious Microsoft Installer (MSI) files to deliver the trojans.
The researchers believe Google Cloud Run gained prominence as a distribution tool among threat actors because it is inexpensive and its traffic can slip past various security controls.
The infection chain starts with legitimate-looking phishing emails, generally themed as invoices, financial documents, or messages from local government or tax agencies.
Since the campaign is mainly LATAM-focused, the majority of emails are in Spanish. In one instance, the researchers found an email impersonating the Administración Federal de Ingresos Públicos (AFIP), Argentina's federal tax agency.
However, the campaign is believed to be targeting victims in Europe and North America as well, as a few instances were found where the phishing emails were written in Italian.
The malicious links in the emails redirect victims to a threat-actor-hosted web service on Google Cloud Run, or download a malicious MSI installer directly.
The Talos researchers further noted cases where a single Google Cloud Storage bucket was used to distribute multiple malware families. This suggests either collaboration between the operators of the different families, or a single threat actor controlling all of them.
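As an added example (not code from the Talos report or this article), the following Python hunting script applies the two observations above to web-proxy or mail-gateway logs: it flags URLs whose host is a Cloud Run service (`*.run.app`) or a Cloud Storage endpoint (`storage.googleapis.com`), flags `.msi` downloads, and reports any bucket that serves more than one distinct MSI, which is the shared-bucket pattern described. The log lines, the key=value log format, and the allowlist of in-house Cloud Run hosts are constructed assumptions for this example.

```python
"""Hunt for Cloud Run / Cloud Storage abuse and MSI delivery in proxy-style logs."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log lines in a simple key=value format (not real campaign data).
SAMPLE_LOGS = [
    "2023-09-14T10:02:11Z src=10.1.4.22 url=https://factura-afip-7xk3.a.run.app/descargar",
    "2023-09-14T10:02:13Z src=10.1.4.22 url=https://storage.googleapis.com/bkt-demo/instalador.msi",
    "2023-09-14T10:05:40Z src=10.1.4.31 url=https://storage.googleapis.com/bkt-demo/atualizacao.msi",
    "2023-09-14T10:06:02Z src=10.1.4.31 url=https://www.example.com/index.html",
    "2023-09-14T10:07:55Z src=10.1.4.40 url=https://cdn.example.org/setup.msi",
]

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+url=(?P<url>\S+)")

# Hypothetical allowlist: Cloud Run services the organisation itself runs.
# Cloud Run is widely used legitimately, so bare *.run.app hits are a hunting
# signal to review, not a verdict.
ALLOWED_RUN_APP_HOSTS = {"intranet-portal-abc123.a.run.app"}


def parse_log_line(line):
    """Return the timestamp, source IP and URL from one log line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_url(url):
    """Return a set of tags describing why a URL is interesting."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    path = p.path.lower()
    tags = set()
    if host.endswith(".run.app") and host not in ALLOWED_RUN_APP_HOSTS:
        tags.add("cloud_run_host")
    if host == "storage.googleapis.com" or host.endswith(".storage.googleapis.com"):
        tags.add("gcs_host")
    if path.endswith(".msi"):
        tags.add("msi_download")
    return tags


def gcs_bucket_and_object(url):
    """Split a Cloud Storage URL into (bucket, object) for both URL styles:
    storage.googleapis.com/<bucket>/<object> and <bucket>.storage.googleapis.com/<object>."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    parts = p.path.lstrip("/").split("/", 1)
    if host == "storage.googleapis.com" and len(parts) == 2:
        return parts[0], parts[1]
    if host.endswith(".storage.googleapis.com"):
        return host[: -len(".storage.googleapis.com")], parts[0]
    return None


def analyze(lines):
    """Return flagged requests and any bucket serving more than one MSI payload."""
    alerts = []
    bucket_objects = defaultdict(set)
    for line in lines:
        rec = parse_log_line(line)
        if not rec:
            continue
        tags = classify_url(rec["url"])
        if tags:
            alerts.append((rec["src"], rec["url"], sorted(tags)))
        if "gcs_host" in tags and "msi_download" in tags:
            bo = gcs_bucket_and_object(rec["url"])
            if bo:
                bucket_objects[bo[0]].add(bo[1])
    shared = {b: sorted(objs) for b, objs in bucket_objects.items() if len(objs) > 1}
    return {"alerts": alerts, "shared_buckets": shared}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOGS)
    for src, url, tags in result["alerts"]:
        print(f"{src} -> {url}  [{', '.join(tags)}]")
    for bucket, objs in result["shared_buckets"].items():
        print(f"bucket {bucket} served multiple MSIs: {objs}")
```

On the constructed input, the script flags four of the five requests and reports `bkt-demo` as a bucket serving two different MSI payloads. In practice, pair the `.run.app` signal with an allowlist of the services your own teams deploy, and treat an MSI fetched from a consumer-addressable cloud endpoint as a higher-confidence indicator than either signal alone.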
The Google Cloud Run campaign mainly involves three malware families: Astaroth/Guildma, Mekotio, and Ousaban. "Each is designed to infiltrate systems stealthily, establish persistence, and exfiltrate sensitive financial data that can be used for taking over banking accounts," Talos revealed.
Of the three, Astaroth is considered the most dangerous, as it targets more than 300 institutions across 15 Latin American countries. It was also observed collecting a variety of credentials related to cryptocurrency and bitcoin accounts.
New NCSC Guidance Aimed at Securing PBX Systems From Cyber Threats
- Written by Shipra Sanganeria Cybersecurity & Tech Writer
- Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor
The UK's National Cyber Security Centre (NCSC) has issued guidance on protecting Private Branch Exchange (PBX) systems against cyber threats. The increasing integration of traditional PBX systems with the internet has exposed them to cyberattacks.
A PBX is a private telephone network used to route and manage an organization's incoming and outgoing calls; modern PBX systems are typically IP-based and internet-connected. They provide business-friendly services such as call forwarding, call diverting, voicemail, and conference calling.
According to the advisory, PBX systems that are not configured correctly can expose an organization to various types of fraud and cyberattacks.
One way a PBX can be abused is "dial-through fraud", where cybercriminals route calls through the compromised system to premium-rate overseas numbers, or set up scam lines that charge a premium rate. A compromised PBX can also be used to carry out denial-of-service (DoS) attacks against any enterprise, NCSC says.
To help organizations fortify their cyber defenses, the NCSC released new risk mitigation measures in a recently published advisory.
Regardless of whether the PBX is managed in-house or cloud-based, organizations can improve its security: train staff to use strong passwords, and protect administrative accounts with multi-factor authentication (MFA).
PBX owners are also advised to review their contracts with PBX providers thoroughly, to mitigate the financial risks arising from cyber threats.
"For example, you may decide that you need to limit the types of calls staff make, or restrict the ability to forward calls to an off-premise number. If you're using a managed service, then attacks as a result of misconfiguration are the responsibility of the provider, something to keep in mind if you're pressured into taking out insurance to defend against attacks that should be covered by your managed service provider," the advisory outlined.
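As an added example (not code from the NCSC advisory or this article), the Python checker below looks for the dial-through fraud pattern described above in call detail records (CDRs): international calls placed outside business hours, calls to premium-rate numbers, and any extension that racks up several such calls in one batch. The CDR format, the UK 09 premium-rate prefix, the home country code, the business-hours window and the burst threshold are assumptions of this example; a real deployment would take the policy from the call restrictions the organisation actually decided on.

```python
"""Flag dial-through fraud indicators in constructed PBX call detail records."""
from collections import Counter
from datetime import datetime

# Assumed policy for this example (a UK organisation).
HOME_COUNTRY_CODE = "+44"
PREMIUM_PREFIXES = ("09",)      # UK premium-rate ranges begin with 09
BUSINESS_HOURS = range(8, 18)   # 08:00 to 17:59, Monday to Friday
BURST_THRESHOLD = 3             # flagged calls from one extension before it is reported

# Constructed CDR sample, one call per line: timestamp,extension,dialled number.
# 2024-02-12 is a Monday, so the 11:xx calls fall inside business hours.
SAMPLE_CDR = [
    "2024-02-12T02:14:05,2031,+2349091234567",
    "2024-02-12T02:21:44,2031,+2349091234567",
    "2024-02-12T02:30:12,2031,+3819011223344",
    "2024-02-12T11:05:00,2045,+442079460000",
    "2024-02-12T11:40:30,2045,02079460123",
    "2024-02-12T03:02:10,2050,09061234567",
]


def normalise_number(number):
    """Return (is_international, number_in_national_form).

    Accepts '+CC...', '00CC...' and plain national dialling; home-country
    numbers dialled with the country code are folded back to national form."""
    n = number.replace(" ", "")
    if n.startswith("00"):
        n = "+" + n[2:]
    if n.startswith("+"):
        if n.startswith(HOME_COUNTRY_CODE):
            return False, "0" + n[len(HOME_COUNTRY_CODE):]
        return True, n
    return False, n


def parse_cdr(line):
    """Parse one CDR line of the constructed format into a dict."""
    ts, ext, number = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "ext": ext, "number": number}


def is_off_hours(ts):
    """True at weekends or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def assess_call(rec):
    """Return the list of reasons a single call looks like toll fraud (empty if none)."""
    reasons = []
    intl, national = normalise_number(rec["number"])
    if intl and is_off_hours(rec["ts"]):
        reasons.append("off_hours_international")
    if not intl and national.startswith(PREMIUM_PREFIXES):
        reasons.append("premium_rate")
    return reasons


def analyze_cdr(lines):
    """Return flagged calls and the extensions that exceed the burst threshold."""
    flagged = []
    per_ext = Counter()
    for line in lines:
        rec = parse_cdr(line)
        reasons = assess_call(rec)
        if reasons:
            flagged.append((rec["ext"], rec["number"], reasons))
            per_ext[rec["ext"]] += 1
    bursts = sorted(ext for ext, count in per_ext.items() if count >= BURST_THRESHOLD)
    return {"flagged": flagged, "burst_extensions": bursts}


if __name__ == "__main__":
    result = analyze_cdr(SAMPLE_CDR)
    for ext, number, reasons in result["flagged"]:
        print(f"ext {ext} -> {number}: {', '.join(reasons)}")
    print("burst extensions:", result["burst_extensions"])
```

On the constructed records, the three overnight international calls from extension 2031 are flagged individually and then reported as a burst, the 09 number dialled from extension 2050 is flagged as premium-rate, and the two daytime London calls from extension 2045 pass. The same prefix and hours tables are what you would feed into the PBX's own outbound call restrictions; running the check over CDRs as well catches the case where an attacker who has obtained administrative access has loosened those restrictions.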
Finally, NCSC advises that in the event of a suspected PBX compromise, enterprises should immediately contact their PBX provider and their financial institutions. They should also report the incident to the relevant authorities, such as Action Fraud in the UK or local law enforcement.