Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Google Cloud. Show all posts
Quantum- safe Encryption
Cloud cloud service providers Cyber Security Digital Signatures Google Google Cloud PQC Quantum threats Quantum- safe Encryption

Google Cloud Introduces Quantum-Safe Digital Signatures

 

As quantum computing advances, Google Cloud is taking a significant step toward securing its platform against future threats. The company has announced the introduction of quantum-safe digital signatures in its Cloud Key Management Service (KMS), currently available in preview. 

This move is part of a broader initiative to prepare for the potential risks that quantum computers pose to modern encryption systems. While fully capable quantum computers are not expected to be widely available for at least a decade, they could one day break most of today’s encryption methods in a matter of hours. This looming possibility has led to concerns over a harvest-now-decrypt-later strategy employed by cybercriminals. 

In this method, attackers steal encrypted data today, intending to decrypt it once quantum computing becomes powerful enough. To counter this risk, researchers are developing post-quantum cryptography (PQC)—encryption techniques specifically designed to withstand quantum attacks. One major security risk posed by quantum computing is the potential forgery and manipulation of digital signatures. 

Digital signatures authenticate documents and communications, ensuring they have not been tampered with. If compromised, they could allow attackers to impersonate legitimate users, forge transactions, or spread malware under trusted identities. Google Cloud recognizes the importance of addressing these concerns early and has introduced quantum-resistant digital signatures to build a more secure infrastructure. 

This initiative also aims to set an industry precedent for other cloud service providers. As part of its commitment to transparency and security, Google Cloud has announced that its quantum-related cryptographic implementations will be included in its open-source cryptographic libraries, BoringCrypto and Tink. This allows security researchers and developers to review, audit, and contribute to these implementations, ensuring their robustness against potential threats. 

The new quantum-safe digital signatures in Cloud KMS specifically implement ML-DSA-65 and SLH-DSA-SHA2-128S, two PQC algorithms that adhere to NIST (National Institute of Standards and Technology) standards. Google Cloud has also confirmed plans to integrate additional PQC algorithms into its Hardware Security Modules (HSMs), which are specialized devices designed to provide extra layers of cryptographic security.  

By rolling out these quantum-resistant digital signatures, Google Cloud is giving customers the opportunity to test PQC algorithms in Cloud KMS and provide feedback on their performance and integration. This allows businesses to prepare for a post-quantum future, ensuring their data remains secure even as computing power evolves. 

Google Cloud sees this initiative as a crucial first step toward a fully quantum-resistant cloud ecosystem, demonstrating its dedication to staying ahead of emerging cybersecurity challenges.
Read more »
Privacy
API AT&T Credentials Google Cloud Privacy

Weak Cloud Credentials Behind Most Cyber Attacks: Google Cloud Report

 



A recent Google Cloud report has found a very troubling trend: nearly half of all cloud-related attacks in late 2024 were caused by weak or missing account credentials. This is seriously endangering businesses and giving attackers easy access to sensitive systems.


What the Report Found

The Threat Horizons Report, which was produced by Google's security experts, looked into cyberattacks on cloud accounts. The study found that the primary method of access was poor credential management, such as weak passwords or lack of multi-factor authentication (MFA). These weak spots comprised nearly 50% of all incidents Google Cloud analyzed.

Another factor was screwed up cloud services, which constituted more than a third of all attacks. The report further noted a frightening trend of attacks on the application programming interfaces (APIs) and even user interfaces, which were around 20% of the incidents. There is a need to point out several areas where cloud security seems to be left wanting.


How Weak Credentials Cause Big Problems

Weak credentials do not just unlock the doors for the attackers; it lets them bring widespread destruction. For instance, in April 2024, over 160 Snowflake accounts were breached due to the poor practices regarding passwords. Some of the high-profile companies impacted included AT&T, Advance Auto Parts, and Pure Storage and involved some massive data leakages.

Attackers are also finding accounts with lots of permissions — overprivileged service accounts. These simply make it even easier for hackers to step further into a network, bringing harm to often multiple systems within an organization's network. Google concluded that more than 60 percent of all later attacker actions, once inside, involve attempts to step laterally within systems.

The report warns that a single stolen password can trigger a chain reaction. Hackers can use it to take control of apps, access critical data, and even bypass security systems like MFA. This allows them to establish trust and carry out more sophisticated attacks, such as tricking employees with fake messages.


How Businesses Can Stay Safe

To prevent such attacks, organizations should focus on proper security practices. Google Cloud suggests using multi-factor authentication, limiting excessive permissions, and fixing misconfigurations in cloud systems. These steps will limit the damage caused by stolen credentials and prevent attackers from digging deeper.

This report is a reminder that weak passwords and poor security habits are not just small mistakes; they can lead to serious consequences for businesses everywhere.


Read more »
Technology
Cloud Security Cryptojacking Cybersecurity Threats Google Cloud MFA Raccoon Stealer Ransomware Technology

TRIPLESTRENGTH Targets Cloud for Cryptojacking, On-Premises Systems for Ransomware Attacks

 

Google unveiled a financially driven threat actor, TRIPLESTRENGTH, targeting cloud environments for cryptojacking and on-premise ransomware operations.

"This actor engaged in a variety of threat activity, including cryptocurrency mining operations on hijacked cloud resources and ransomware activity," Google Cloud noted in its 11th Threat Horizons Report.

TRIPLESTRENGTH employs a three-pronged attack strategy: unauthorized cryptocurrency mining, ransomware deployment, and offering cloud platform access—spanning services like Google Cloud, AWS, Azure, Linode, OVHCloud, and Digital Ocean—to other attackers. The group's primary entry methods involve stolen credentials and cookies, often sourced from Raccoon Stealer logs. Compromised environments are used to create compute resources for mining cryptocurrency using tools like the unMiner application and the unMineable mining pool, optimized for both CPU and GPU algorithms.

Interestingly, TRIPLESTRENGTH has concentrated its ransomware efforts on on-premises systems, deploying lockers such as Phobos, RCRU64, and LokiLocker.

"In Telegram channels focused on hacking, actors linked to TRIPLESTRENGTH have posted advertisements for RCRU64 ransomware-as-a-service and also solicited partners to collaborate in ransomware and blackmail operations," Google Cloud disclosed.

One notable incident in May 2024 involved initial access through Remote Desktop Protocol (RDP), followed by lateral movement and antivirus evasion to execute ransomware across several systems. TRIPLESTRENGTH also regularly advertises access to compromised servers on Telegram, targeting hosting providers and cloud platforms.

To counteract such threats, Google has introduced multi-factor authentication (MFA) and improved logging for detecting sensitive billing actions.

"A single stolen credential can initiate a chain reaction, granting attackers access to applications and data, both on-premises and in the cloud," Google warned. 

"This access can be further exploited to compromise infrastructure through remote access services, manipulate MFA, and establish a trusted presence for subsequent social engineering attacks."
Read more »
Technology
Cloud Cloud Data Google Google Cloud Location data Technology

User Tracking: Google to Store User Data for 180 Days

User Tracking: Google Announces to Store User Data for 180 Days

Google has made a major change in its user tracking, a big leap in privacy concerns for users. Google will stop the nosy cloud storage of data it gets from tracking user location in real time. 

The privacy change

Called Google Maps Timeline, from December, Google will save user location data for a maximum of 180 days. After the duration ends, the data will be erased from Google Cloud servers. 

The new policy means Google can only save a user’s movements and whereabouts for 6 months, the user has an option to store the data on a personal device, but the cloud data will be permanently deleted from Google servers.

The new privacy change is welcomed, smartphones can balance privacy and convenience in terms of data storage, but nothing is more important than location data

Users can change settings that suit them best, but the majority go with default settings. The problem here arises when Google uses user data for suggesting insights (based on anonymous location data), or improving Google services like ads products.

Why important 

The Google Maps Timeline feature addresses questions about data privacy and security. The good things include:

Better privacy: By restricting the storage timeline of location data on the cloud, Google can reduce data misuse. Limiting the storage duration means less historical data is exposed to threat actors if there's a breach.

More control to users: When users have the option to retain location data on their devices, it gives them ownership over their personal data. Users can choose whether to delete their location history or keep the data.

Accountability from Google: The move is a positive sign toward building transparency and trust, showing a commitment to user privacy. 

How will it impact users?

Services: Google features that use location history data for tailored suggestions might be impacted, and users may observe changes in correct location-based suggestions and targeted ads. 

The problem in data recovery: For users who like to store their data for a longer duration, the new move can be a problem. Users will have to self-back up data if they want to keep it for more than 180 days. 

Read more »
Multi-factor authentication
Cyber Security CyberThreat Data Safety Google Cloud Google security MFA Multi-factor authentication

Google Cloud to Enforce Multi-Factor Authentication for Enhanced Security in 2025

 


As part of its commitment to protecting users' privacy, Google has announced that by the end of 2025, all Google Cloud accounts will have to implement multi-factor authentication (MFA), also called two-step verification. Considering the sensitive nature of cloud deployments and the fact that phishing and stolen credentials remain among the top attack vectors observed by Mandiant Threat Intelligence, it seems likely that Google Cloud users should now be required to perform [2 steps of verification], as Mayank Upadhyay, Google Cloud's VP of Engineering and Distinguished Engineer, told the audience. 

By the end of 2025, Google's cloud division is planning to introduce an optional multi-factor authentication (MFA) feature for all users, as part of its efforts to improve account security as a part of its mission to improve security across the company. As part of a recent announcement by the tech giant, it was announced that it will begin the transition with a phased rollout, to help users adapt more smoothly to the changes. 

The technology industry and cyber security industry have long recommended multifactor authentication as a highly secure authentication method. With an additional step of verification, multi-factor authentication (MFA) dramatically reduces the risk of unauthorized logins, data breaches, and account takeovers, regardless of whether the user's password is compromised. As hackers continue to ramp up their sophisticated attacks on cloud infrastructure and sensitive data, Google is pushing for mandatory MFA as part of a growing trend in cybersecurity. 

According to recent announcements, Google is planning on requiring multi-factor authentication (MFA) for all Cloud accounts by the end of 2025, to protect cloud accounts. MFA is supposed to strengthen security while maintaining a smooth and convenient user experience online, which is exactly what Google claims. It has been reported that 70% of Google users have started using this feature and that security consultants are urging those users who are still on the fence to switch over to MFA at once. Users as well as admins who have access to Google Cloud will be affected by the implementation of the new process. 

Generally speaking, this change will not impact Google accounts of general consumer users. In a recent announcement sent made by Mayank Upadhyay, Google Cloud's VP of Engineering and Distinguished Engineer an official announcement the company stated that they plan to have mandatory MFA implemented throughout 2025 in a phased approach, with assistance being provided to help plan the deployment process. In response to Google's announcement, the company now states that it is taking a phased approach to the mandatory 2FA requirement that will apply to Google Cloud users; here's what that means in practice. 

There will be three phases to the implementation, and the first phase begins immediately with Google encouraging users to adopt 2FA if they have not yet had the chance to install 2FA protection on their account, but currently sign in with a password. Google estimates that 70% of online users have done this. As part of the first phase of the program, which is scheduled to begin in November 2024, the aim will be to encourage the adoption of MFA. The Google Cloud console will be regularly updated with helpful reminders and information. Resources will be available to help raise awareness, plan rollout and documentation of the MFA process, as well as to conduct testing and enable MFA for users with ease. The first phase of the project is scheduled to begin in November 2024 and will play a key role in facilitating the adoption of MFA. 

There will be several notes and reminders in the Google Cloud Console, including information you'll find helpful in raising awareness, planning rollouts, conducting tests, and ensuring that MFA is enabled smoothly for users, to help raise awareness. There will be a second phase that begins early next year and, at the start of the year, Google will start requiring MFA for users who sign in to Google Cloud with a password, whether they are new or existing. Nevertheless, Google has not yet expressed a concrete date for when it is planning to deploy the 2FA technology as part of phase two, which is scheduled for "early 2025". 

It is important to note, however, that all new Google Cloud users, whether or not they already have a password, will be required to implement two-factor authentication to sign in. As of now, this is a mandatory requirement, with no ifs, no buts. As soon as the Google Cloud Console, Firebase Console and iCloud are updated with the 2FA notification, Upadhyay will warn users that to continue using those tools, they need to enrol with the 2FA service. The final phase of Google Cloud's 2FA requirement will be rolled out by the end of 2025, it has been told and will be required for all users currently using federated authentication when logging into Google Cloud by that time. 

It was confirmed in the announcement that there will be flexible options for meeting this requirement. In other words, it appears to be an option for users to enable 2FA with their primary identity provider before accessing Google Cloud itself, or to add a layer of security through Google's system, using their Google account to enable 2FA through their cloud service. A senior director of technical field operations at Obsidian Security told me that the threat landscape has rapidly become more sophisticated as a result of this increased MFA prevalence. The breach data shows that 89% of compromised accounts have MFA enabled, according to Chris Fuller, senior director of technical field operations.

Several phishing-as-a-service toolkits, including the Mamba toolkit that you can buy for $250 a month, as well as non-human identity compromises, suggest that identity compromises will continue regardless of the technology used to carry out." Google's phased rollout is designed to ease users into the new requirement, which could have been met with resistance due to perceived friction in the user experience, especially when the requirement is implemented suddenly," Patrick Tiquet, Vice President of Security and Compliance at Keeper Security, said. Tiquet further emphasized that organizations leveraging Google Cloud will need to strategically prepare for MFA implementation across their workforce. 

This preparation includes comprehensive employee training on the critical role of multi-factor authentication in safeguarding organizational data and systems. Effective MFA adoption may be supported by tools such as password managers, which can streamline the process by securely storing and automatically filling MFA codes. Proper planning and training will be essential for organizations to successfully integrate MFA and enhance security measures across their teams.
Read more »
Google Cloud
AI Models AI technology Cyber Security Data integrity data poisoning data security Generative AI Google Cloud

Securing Generative AI: Tackling Unique Risks and Challenges

 

Generative AI has introduced a new wave of technological innovation, but it also brings a set of unique challenges and risks. According to Phil Venables, Chief Information Security Officer of Google Cloud, addressing these risks requires expanding traditional cybersecurity measures. Generative AI models are prone to issues such as hallucinations—where the model produces inaccurate or nonsensical content—and the leaking of sensitive information through model outputs. These risks necessitate the development of tailored security strategies to ensure safe and reliable AI use. 

One of the primary concerns with generative AI is data integrity. Models rely heavily on vast datasets for training, and any compromise in this data can lead to significant security vulnerabilities. Venables emphasizes the importance of maintaining the provenance of training data and implementing controls to protect its integrity. Without proper safeguards, models can be manipulated through data poisoning, which can result in the production of biased or harmful outputs. Another significant risk involves prompt manipulation, where adversaries exploit vulnerabilities in the AI model to produce unintended outcomes. 

This can include injecting malicious prompts or using adversarial tactics to bypass the model’s controls. Venables highlights the necessity of robust input filtering mechanisms to prevent such manipulations. Organizations should deploy comprehensive logging and monitoring systems to detect and respond to suspicious activities in real time. In addition to securing inputs, controlling the outputs of AI models is equally critical. Venables recommends the implementation of “circuit breakers”—mechanisms that monitor and regulate model outputs to prevent harmful or unintended actions. This ensures that even if an input is manipulated, the resulting output is still within acceptable parameters. Infrastructure security also plays a vital role in safeguarding generative AI systems. 

Venables advises enterprises to adopt end-to-end security practices that cover the entire lifecycle of AI deployment, from model training to production. This includes sandboxing AI applications, enforcing the least privilege principle, and maintaining strict access controls on models, data, and infrastructure. Ultimately, securing generative AI requires a holistic approach that combines innovative security measures with traditional cybersecurity practices. 

By focusing on data integrity, robust monitoring, and comprehensive infrastructure controls, organizations can mitigate the unique risks posed by generative AI. This proactive approach ensures that AI systems are not only effective but also safe and trustworthy, enabling enterprises to fully leverage the potential of this groundbreaking technology while minimizing associated risks.
Read more »
Vulnerabilities and Exploits
Google Cloud Mandiant Investigation Patching Sensitive data Vulnerabilities and Exploits

Think You’re Safe? Cyberattackers Are Exploiting Flaws in Record Time

 


There has been unprecedented exploitation by attackers of vulnerabilities in the software, Mandiant announced. According to the newly released report of the Mandiant cybersecurity firm, after an analysis of 138 exploits published in 2023, on average, in five days an attacker already exploits a vulnerability. Because of this speed, very soon it has become paramount for organisations to make their system updates quickly. The study, published by Google Cloud bloggers, shows that this trend has greatly reduced the time taken for attackers to exploit both unknown vulnerabilities, known as zero-day, and known ones, called N-day.

Speed in the Exploitation Going Up

As indicated by Mandiant research, the time-to-exploit, which is a statistic indicating the average number of days taken by attackers to exploit a discovered vulnerability, has been reducing rapidly. During 2018, it took nearly 63 days for hackers to exploit vulnerabilities. However, in the case of 2023, hackers took merely five days for exploitation. This shows that the attackers are getting more efficient in exploiting those security vulnerabilities before the application developers could patch them satisfactorily.

Zero-Day and N-Day Vulnerabilities

The report makes a distinction between the zero-day vulnerabilities, being the undisclosed and unpatched flaws that attackers would exploit immediately, and N-day vulnerabilities, which are already known flaws that attackers aim at after patches have already been released. In the year 2023, types of vulnerabilities targeted by the attackers changed, with rates of zero-day exploitation, which rose to a ratio of 30:70 compared with N-day attacks. This trend shows that attackers now prefer zero-day exploits, which may be because they allow immediate access to systems and sensitive data before the vulnerability is known to the world.

Timing and Frequency of Exploitation

This again proves that N-day vulnerabilities are at their most vulnerable state during the first few weeks when the patch is released. Of the observed N-day vulnerabilities, 56% happened within the first month after a patch was released. Besides, 5% were attacked within just one day of the patch release while 29% attacked in the first week after release. This fast pace is something that makes the patches really important to apply to organizations as soon as possible after they are available.

Widening Scope for Attack Targets

For the past ten years, attackers have enormously widened their scope of attacks by targeting a growing list of vendors. According to the report, on this front, the count increased from 25 in the year 2018 to 56 in 2023. The widening of such a nature increases the trouble for teams, who have now encountered a significantly expanded attack surface along with the ever-increasing possibility of attacks at a number of systems and software applications.


Case Studies Exposing Different Exploits

Mandiant has published case studies on how attackers exploit vulnerabilities. For example, CVE-2023-28121 is a vulnerability in the WooCommerce Payments plugin for WordPress, which was published in March 2023. Although it had been previously secure, it became highly exploited after the technical details of how to exploit the flaw were published online. Attacks started a day after the release of a weaponized tool, peaking to 1.3 million attacks in one day. This fast growth shows how easy certain vulnerabilities can be in high demand by attackers when tools to exploit are generally available.


The case of the CVE-2023-27997 vulnerability that occurred with respect to the Secure Sockets Layer in Fortinet's FortiOS was another type that had a different timeline when it came to the attack. Even though media alert was very much all over when the vulnerability was first brought to the limelight, it took them about two or three months before executing the attack. This may probably be because of the difficulty with which the exploit needs to be carried out since there will be the use of intricate techniques to achieve it. On the other hand, the exploit for the WooCommerce plugin was quite easier where it only required the presence of an HTTP header.

Complexity of Patching Systems

While patching in due time is very essential, this is not that easy especially when updating such patches across massive systems. The CEO at Quarkslab says that Fred Raynal stated that patching two or three devices is feasible; however, patching thousands of them requires much coordination and lots of resources. Secondly, the complexity of patching in devices like a mobile phone is immense due to multiple layers which are required for updates to finally reach a user.

Some critical systems, like energy platforms or healthcare devices, have patching issues more difficult than others. System reliability and uninterrupted operation in such systems may be placed above the security updates. According to Raynal, companies in some instances even ban patching because of the risks of operational disruptions, leaving some of the devices with known vulnerabilities unpatched.

The Urgency of Timely Patching

Says Mandiant, it is such an attack timeline that organisations face the threat of attackers exploiting vulnerabilities faster than ever before. This is the report's finding while stating that it requires more than timely patching to stay ahead of attackers to secure the increasingly complex and multi-layered systems that make up more and more of the world's digital infrastructure.


Read more »
UNC
CrowdStrike Cyber Security cybercriminals Financial Threat Google Cloud Google Mandiant Mandiant Threat Intelligence UNC

Protecting Your Business from Snowflake Platform Exploitation by UNC5537

 

A recent report from Mandiant, a subsidiary of Google Cloud, has uncovered a significant cyber threat involving the exploitation of the Snowflake platform. A financially motivated threat actor, identified as UNC5537, targeted around 165 organizations' Snowflake customer instances, aiming to steal and exfiltrate data for extortion and sale. Snowflake, a widely-used cloud data platform, enables the storage and analysis of vast amounts of data. The threat actor gained access to this data by using compromised credentials, which were obtained either through infostealer malware or purchased from other cybercriminals. 

UNC5537 is known for advertising stolen data on cybercrime forums and attempting to extort victims. The sold data can be used for various malicious purposes, including cyber espionage, competitive intelligence, and financial fraud. The joint statement from Snowflake, Mandiant, and cybersecurity firm CrowdStrike clarifies that there is no evidence of a vulnerability, misconfiguration, or breach within Snowflake’s platform itself. 

Additionally, there is no indication that current or former Snowflake employees' credentials were compromised. Instead, the attackers acquired credentials from infostealer malware campaigns that infected systems not owned by Snowflake. This allowed them to access and exfiltrate data from the affected Snowflake customer accounts. Mandiant's research revealed that UNC5537 primarily used credentials stolen by various infostealer malware families, such as Vidar, Risepro, Redline, Racoon Stealer, Lumma, and Metastealer. Many of these credentials dated back to November 2020 but remained usable. The majority of credentials exploited by UNC5537 were exposed through previous infostealer malware incidents. 

The initial compromise often occurred on contractor systems used for personal activities like gaming and downloading pirated software, which are common vectors for spreading infostealers. Once obtained, the threat actor used these credentials to access Snowflake accounts and extract valuable customer data. UNC5537 also purchased credentials from cybercriminal marketplaces, often through Initial Access Brokers who specialize in selling stolen corporate access. The underground market for infostealer-obtained credentials is robust, with large lists of stolen credentials available for free or for purchase on the dark web and other platforms. 

According to Mandiant, 10% of overall intrusions in 2023 began with stolen credentials, making it the fourth most common initial intrusion vector. To protect your business from similar threats, it is crucial to implement robust cybersecurity measures. This includes regular monitoring and updating of all systems to protect against infostealer malware, enforcing strong password policies, and ensuring that all software is kept up to date with the latest security patches. Employee training on cybersecurity best practices, especially regarding the dangers of downloading pirated software and engaging in risky online behavior, is also essential. 

Moreover, consider using multi-factor authentication (MFA) to add an extra layer of security to your accounts. Regularly audit your systems for any unusual activity or unauthorized access attempts. Engage with reputable cybersecurity firms to conduct thorough security assessments and implement advanced threat detection solutions. By staying vigilant and proactive, businesses can better protect themselves from the threats posed by cybercriminals like UNC5537 and ensure the security and integrity of their data.
Read more »
Subscribe to: Posts (Atom)