Flaw exposed Google Drive Platform to malicious apps.

Welcome to Gone Phishing, your daily cybersecurity newsletter that sounds the alarm on cybercrime like an emergency SMS message from the UK government
Today's hottest cyber security stories:
Patch of the Day! "GhostToken" flaw exposed Google Drive Platform to malicious apps
Fake Fortnite phishing forms, folks!
CISA adds 3 flaws to KEV catalogue… OMG WTF LMFAO

ARE YOU TOKEN THE P*SS? #GHOSTTOKEN
Okay, crisis averted thanks to the quick thinking and swift acting souls at Israeli cybersecurity startup Astrix Security, our heroes of the day!
So, what happened? A fatal flaw dubbed GhostToken by Astrix Security could have enabled threat actors to conceal an unremovable, malicious application inside a victim's Google account. Scary stuff!
This was another zero-day flaw, this time in Google Cloud Platform (GCP), which has thankfully now been patched.
We know what you're thinking; what the hell is a "zero-day flaw"? Sounds confusing but it's actually quite straightforward.
A zero-day flaw is an undiscovered vulnerability in an app or operating system: a gap in security for which there is no defence or patch because the software maker (in this case Google) does not know it exists; they've had "zero days" to prepare an effective response.
As you can imagine, zero-day flaws can prove to be a disaster for software makers if they are not adequately prepared upon being notified of a flaw. In this case, the patch came quick; we don't suppose Google is short of resources!
FYI, zero-day flaws are not to be confused with zero trust security, which is something else entirely.
Zero Trust is a security framework requiring all users, whether in or outside the organisation's network, to be authenticated, authorised, and continuously validated. Isn't learning fun? Geez, patronising much? Sorry, moving on…
What do the experts say?
"The vulnerability [...] allows attackers to gain permanent and unremovable access to a victim's Google account by converting an already authorised third-party application into a malicious trojan app, leaving the victim's personal data exposed forever," Astrix said in a report.
Hang on, did you say "permanent and unremovable"? Yikes! Don't hesitate; download the update!


I FORT SOMETHING SMELT PHISHY…
Several top tier universities in the United States, including Stanford, MIT, Berkeley, UMass Amherst, Northeastern, and Caltech, among others, have had their Wiki and documentation pages compromised.
Researchers have noted that these universities are hosting the popular game Fortnite and "gift card" spam. The University of Michigan was also targeted in this malicious campaign, as confirmed by BleepingComputer.
We thought Fortnite was just for teens, tweens, and in betweens, but apparently even America's sharpest minds can't resist a run on the fiendishly popular online shoot 'em up which boasts an active user base of a little over 233 million!
Moreover, this week, Twitter user g0njxa identified more than a dozen subdomains of these prominent universities that seem to be running either TWiki or MediaWiki, which is the same CMS platform that powers Wikipedia and several other Wikimedia sites.
Wiki, da. Wiki, da. MALWARE IS MASSIVE

CISA AND DESIST, "PAPERCUT BUG"
Okay, folks, time to decipher these acronyms! So, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalogue, based on evidence of active exploitation.
You'll have to bear with us because this one gets a tad technical… It is for this reason that we're going to humbly step aside and let the experts do most of the talking.
"In a cluster deployment, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure," MinIO maintainers said in an advisory published on March 21, 2023.
The three vulnerabilities are as follows:
CVE-2023-28432 (CVSS score - 7.5) - MinIO Information Disclosure Vulnerability
CVE-2023-27350 (CVSS score - 9.8) - PaperCut MF/NG Improper Access Control Vulnerability
CVE-2023-2136 (CVSS score - TBD) - Google Chrome Skia Integer Overflow Vulnerability
Careful, they're only ChatGPTeeing off!
"While the new feature released by OpenAI is a valuable tool for developers who want to access live data from various providers in their ChatGPT integration, security should remain a core design principle," GreyNoise said.
"That's NOT all, folks!"
Also added to the KEV catalogue is a critical remote code execution bug affecting PaperCut print management software that allows remote attackers to bypass authentication and run arbitrary code.
Last but not least, we have a Google (Geez, Google!) Chrome vulnerability affecting the Skia 2D graphics library that could enable a threat actor to perform a sandbox escape via a crafted HTML page.
Federal Civilian Executive Branch (FCEB) agencies in the U.S. are recommended to remediate identified vulnerabilities by May 12, 2023, to secure their networks against active threats.
That's it for today, ladies and gents. And Google, please do better. We're not angry; we're disappointed
So long and thanks for reading all the phish!