CyberSecurity news
FlagThis - #gmail
|
@www.helpnetsecurity.com
//
Russian hackers have found a way to bypass Gmail's multi-factor authentication (MFA) to conduct targeted attacks against academics and critics engaging with Russia discussions. According to Google Threat Intelligence Group (GTIG), the hackers are using stolen app passwords obtained through sophisticated and personalized social engineering attacks. These attacks involve posing as U.S. Department of State officials to build rapport with targets, eventually convincing them to create and share app-specific passwords.
App passwords are 16-digit codes that Google generates to allow certain apps or devices to access a Google Account, bypassing the usual second verification step of MFA. While useful for older or less secure apps that can't handle MFA, app passwords lack the extra layer of security, making them vulnerable to theft or phishing. In one instance, the attackers, tracked as UNC6293 and believed to be state-sponsored, contacted a target under the guise of a State Department representative, inviting them to a consultation in a private online conversation, further lending credibility by CCing four @state.gov accounts. This campaign, which took place between April and early June, involved meticulously crafted phishing messages that didn't rush the target into immediate action. Instead, the hackers focused on building trust through personalized emails and invitations to private conversations, using spoofed '@state.gov' addresses in the CC field to build credibility. Keir Giles, a prominent British researcher on Russia, was one such target. Google's researchers uncovered the slow-paced nature attackers used to build rapports with their victims, often sending them personalized emails and inviting them to private conversations or meetings.
Share:
References :
Classification:
securebulletin.com@Secure Bulletin
//
Attackers are increasingly turning to trusted services like Gmail and Google APIs to create stealthy command-and-control (C2) channels. This tactic allows them to mask malicious activities within legitimate network traffic, making detection and mitigation significantly harder. By leveraging platforms like Gmail and Google Drive, threat actors can embed their communications within encrypted channels provided by reputable services, bypassing many traditional security measures. These communications are encrypted by Gmail’s TLS, further complicating detection efforts.
A recent investigation by Socket's Threat Research Team uncovered a campaign using malicious Python packages to establish covert tunnels via Gmail’s SMTP protocol, enabling attackers to exfiltrate data and execute remote commands undetected. Seven malicious PyPI packages, operating under the "Coffin Codes" theme, were found abusing Gmail's SMTP servers and WebSockets for data exfiltration and remote command execution. These packages, once installed, establish an encrypted connection to Gmail’s SMTP server using hardcoded credentials, sending signals and critical information to attacker-controlled email addresses. The identified packages include Coffin-Codes-Pro, Coffin-Codes-NET2, Coffin-Codes-NET, Coffin-Codes-2022, Coffin2022, Coffin-Grave, and cfc-bsb. While the packages have been removed from PyPI, one of them was downloaded over 18,000 times before removal. The most advanced variants of the packages also establish outbound WebSocket connections, enabling attackers to issue commands, transfer files, and potentially gain deeper access into the victim's network. This highlights the ongoing risks posed by supply chain attacks and the exploitation of trusted cloud services.
Share:
References :
Classification: |