Latest news with #GoogleThreatIntelligence


News18
30-05-2025
- News18
Google Calendar Has A Dangerous Malware Threat: What Is It And How It Attacks
Google malware threats are getting wilder, but the Calendar app being the ruse to attack businesses is a new method on the checklist. Hacker groups are now eyeing your Google Calendar to bypass device security and steal information. They have devised a dangerous malware called TOUGHPROGRESS that primarily targets government websites and holds them to ransom in exchange for giving back access.

This is not the first sighting of the malware: the Google Threat Intelligence team says the first incident involving the APT41 hacking group was reported back in October 2024. Now, the same group is exploiting the Calendar app to breach system defences and attack its victims.

The details from the cyber security group at Google suggest the malware is directed at targeted systems using the conventional phishing email method. The group sends a pointed email with the objective of getting the victim to open the affected website, where a malicious ZIP file containing a PDF and fake images triggers the malware into action. Once the TOUGHPROGRESS malware bypasses all the checks, it tries to access the victim's Calendar app, not only to steal data but to take control over the system by sending commands. The fake Calendar app also creates events with data embedded in them.

This isn't the first Google product to be targeted by the hacker group. The APT41 group used Google Drive to inflict similar attacks on government entities, using Google Sheets and more.

Not In Danger

Google has strong advice for people to avoid falling prey to these attacks:

Expect more details from Google once the severity and impact of the malware campaign is addressed and rectified.


The Irish Sun
26-05-2025
- The Irish Sun
Fears North Korean spies are posing as IT workers to infiltrate Western companies & earn cash for Kim's warped regime
BRITS could be helping North Korean spies pose as IT workers to infiltrate Western companies, an intelligence report has warned. They get the jobs using stolen or fake identities to earn cash for Kim Jong-un's regime.

Once inside, the North Korean fraudsters exploit the companies, stealing funds and information. The scams have had a devastating impact on companies across the country and left them wondering just how North Korea pulled them off. Now, an intelligence report has revealed that Brits could have been helping all along.

According to the report from Google Threat Intelligence, the North Korean spies use "local facilitators" to help them get jobs and verify their identities. These middlemen use remote desktop software that allows workers from North Korea to log in to a company's internal servers, making it look like they are working from inside the country. Google researchers found that one laptop issued by a US company was being hosted in London, sparking fears that Brits may be part of the shady network.

Principal i3 Insider Investigator at DTEX Systems, Michael Barnhart, told The Sun: "The London-based facilitator previously acted as the primary 'farmer' and enterprise representative in the operation, having established a front company in collaboration with another facilitator who was the main North Korean IT worker." Barnhart said that all evidence of the operation has now been removed.

This follows a wider trend across the US where American citizens have been accused of helping the fake IT workers remain undetected. Matthew Knoot, 38, was arrested for allegedly helping North Korean workers in Nashville, Tennessee last year. Knoot allegedly helped the workers use stolen identities to pose as US citizens and hosted company laptops at his home. From there he ran a "laptop farm", allowing the North Korean actors to log in to the computers from China. Knoot is also believed to have helped launder money from the remote IT jobs to accounts tied to North Korean and Chinese actors. United States Attorney Henry Leventis said at the time that Knoot helped funnel hundreds of thousands of dollars to the North Korean government through the scheme.

HOW DO THE SCAMS WORK?

The North Korean spies reportedly use stolen or fake identities to set up accounts on remote job sites, including LinkedIn, Upwork and Freelancer, to apply for work. And to make sure they're not detected they use "aliases, false or fraudulent personae and proxies," according to HM Treasury's Office of Financial Sanctions Implementation. Once they make it to the interview stage, they often use AI-generated deepfakes to look and sound like the person they are claiming to be. These AI deepfakes are becoming increasingly easy to purchase, with a full identity complete with an ID document and proof of address available from as little as $200 on the dark web.

Head of National Security Intelligence at Chainalysis Andrew Fierman told The Sun: "All you need are a few photos and a very small clip of voice of the person you're attempting to be and you can effectively be that person."

After being recruited, the North Korean workers use their stolen credentials to breeze through the onboarding process. And they often ask their employers to send their work laptops to front addresses, run by "local facilitators", which allows them to remain undetected.

Once fully onboarded, the fraudsters work hard to establish themselves within the company, gaining its trust before they pounce. Companies often allow high-performing workers to refer future employees, allowing them to slowly amass an army of cyber warriors. They then set about hatching plans to "exploit and steal funds from the organisations".

Fierman explained that there are a number of cunning tactics that the North Korean workers use. Fierman said: "It's all about getting someone within an organisation to give you an access point unknowingly." He added: "For example, if it's bonus season and North Korea knows it's bonus season at your organisation, they might send out an email saying here's the details of your upcoming bonus. Somebody is going to get excited and click the link and then they've given North Korea access to the entire infrastructure of their organisation."

These sly tactics allow the North Korean workers to access sensitive information as well as money. They reportedly use this information as a bargaining chip if needed, dishing out threats of sharing it with competitors.

UK sanctions on North Korea

DPRK targets are on OFSI's consolidated list of financial sanctions and are subject to an asset freeze. This regime also includes sectoral financial sanctions, which contain both restrictions and requirements. These include those placed on:
- The sale or purchase of bonds
- DPRK credit and financial institutions (including branches, subsidiaries and representative offices)
- UK credit and financial institutions from dealing with DPRK credit and financial institutions (including branches, subsidiaries and representative offices)
- Representative offices belonging to designated persons
- Business arrangements with designated persons
- Financial support for trade
- Investment and commercial activities
- Bank accounts for DPRK diplomats and diplomatic missions
- Leasing or, otherwise making available, real property

Source: HM Treasury's Office of Financial Sanctions Implementation (OFSI)

KIM'S CASH-STARVED REGIME

North Korea has been hit by many sanctions over the years, forcing Kim Jong-un to think outside the box. The tyrant has long relied on cyber activity to fund his cash-starved regime, and the fake IT worker scams are the latest in a string of shady tactics. Fierman told The Sun: "None of these North Korean workers are operating of their own will or fruition, they're doing it on behalf of the North Korean government." And it's thought that the money is going straight into the country's weapons programmes. A UN investigation in 2022 confirmed these suspicions and said that cyber attacks were an "important revenue source" for Pyongyang's nuclear and ballistic missile programme.

The recent worker scams come after a shocking crypto heist saw hackers gain control of an Ethereum wallet and drain all of its contents, in what has been dubbed the largest heist in crypto's history.


Techday NZ
20-05-2025
- Business
- Techday NZ
Cohesity expands Google Cloud partnership for cyber resilience
Cohesity has announced an expanded partnership with Google Cloud aimed at improving cyber resilience and data insight capabilities for organisations. The partnership will introduce multiple new capabilities designed to help organisations better prepare for, respond to, and recover from cyber threats, as well as harness more value from their business data.

According to industry data cited by Cohesity, enterprises incur an average cost of USD $540,000 per hour in downtime, highlighting a significant need for comprehensive cyber resilience solutions. Through this enhanced collaboration, organisations will be able to leverage advanced artificial intelligence-driven tools and integrated threat intelligence to accelerate the detection of and recovery from cyber incidents. New developments will focus on reducing business risk and operational disruptions that often accompany such events.

Paul Henaghan, Managing Director of Cohesity Australia and New Zealand, stated: "Australian businesses are facing mounting pressure to strengthen their cyber resilience strategies in an increasingly complex threat landscape. Through our expanded partnership with Google Cloud, organisations can now harness advanced AI-driven capabilities and integrated threat intelligence to detect and recover from cyber-attacks faster than ever. This collaboration delivers the security and speed needed to protect critical data while enabling organisations to gain greater data insights."

Among the upcoming features, Cohesity is launching the integration of Google Threat Intelligence within the Cohesity Data Cloud. This integration aims to provide customers with faster detection of threats within their backup data, using intelligence from a network of over 450 threat actors and insights based on more than 1,100 incident investigations annually. The goal is to enhance threat detection and incident response, boost containment, and minimise the impact of potential breaches.
The expanded partnership will also see increased cooperation between Cohesity's Cyber Events Response Team (CERT) and Google's Mandiant Incident Response teams. By combining resources, the two organisations aim to offer comprehensive incident response services, facilitating the containment, investigation, and mitigation of cyber attacks from both primary and backup infrastructures and helping to minimise business downtime.

Another feature being introduced is the establishment of a Cloud Isolated Recovery Environment (CIRE) in Google Cloud, collaboratively set up and validated by Cohesity customers and Mandiant. This measure is intended to allow rapid and trusted restoration of data and business operations following a cyber incident, aiming to help organisations maintain customer trust and reduce the broader impact of such events.

There will also be integration between Cohesity Data Cloud and Google's Security Operations, consolidating Cohesity's data protection features with Google's security management capabilities to promote improved data resilience and an enhanced security posture for joint customers.

As organisations continue to amass large volumes of data, the need to efficiently manage, analyse, and extract value from this data grows more pronounced. Cohesity is addressing this through the integration of its Data Cloud platform with Google Agentspace, introducing Cohesity Gaia as an artificial intelligence agent. This functionality will allow enterprises to securely search and analyse data across multiple hosting environments, utilising Google Cloud's Gemini models for advanced insights. The integration is designed to enhance compliance, data security, and the discoverability of trusted data assets. Additionally, Cohesity Gaia will incorporate Google Gemini models to further its AI-powered enterprise search assistant, enabling more advanced data analysis, discovery, and management capabilities for users.
Stephen Orban, Vice President of Migrations, ISVs, & Marketplace at Google Cloud, commented: "In today's rapidly evolving threat landscape, organisations need comprehensive solutions that not only protect their data, but also help them derive value from it. Our collaboration with Cohesity will enable customers to strengthen their cyber resilience posture while accelerating their digital transformation journeys."

Vikram Kanodia, Vice President of Technology and Cloud Alliances at Cohesity, also addressed the significance of the agreement: "Cyber threats like ransomware continue to plague global organisations, putting their businesses at risk and limiting their ability to focus on new, value-driving activities and services. Cohesity is committed to offering the most comprehensive solution to keep our customers' businesses resilient, protect their critical data, help them quickly recover from incidents, while enabling them to find new insights into their data. Working closely with Google Cloud, we're strengthening that commitment, giving our joint customers the tools to not only protect their business data but transform it into a strategic asset."

Integrations with Google Cloud for cyber resilience and data insights are projected to be available by the summer of 2025, while the incident response partnership with Mandiant and integration with Google Security Operations are already available to customers.


Web Release
16-05-2025
- Business
- Web Release
Tenable Appoints Eric Doerr as Chief Product Officer
Tenable®, the exposure management company, today announced the appointment of Eric Doerr as Chief Product Officer (CPO). Doerr brings nearly three decades of experience building and scaling security products at some of the world's most respected technology companies, including Microsoft and, most recently, Google Cloud.

At Tenable, Doerr will lead the company's global product organization, overseeing strategy, innovation and execution across its growing cybersecurity portfolio. His appointment comes at a pivotal moment, as Tenable prepares to launch a significantly expanded version of its Tenable One platform—designed to deliver the most comprehensive exposure management capabilities in the industry. It also coincides with Tenable's demonstrated momentum in cloud security.

'Tenable has a clear and compelling vision for the future of cybersecurity—one that unifies visibility, prioritization and remediation across the modern attack surface,' said Steve Vintz, co-CEO, Tenable. 'Eric's deep expertise in cloud-native security, threat intelligence, and large-scale product innovation makes him the ideal leader to advance our exposure management vision and accelerate our impact across the enterprise.'

Doerr most recently served as Vice President of Security Products at Google Cloud, where he led a broad portfolio including Google SecOps (formerly Chronicle) and Google Threat Intelligence, as well as the Mandiant integration. Prior to Google, he spent more than 20 years at Microsoft in senior leadership roles across the security and identity space, including General Manager of Microsoft Account and Corporate Vice President of Cloud Security and the Microsoft Security Response Center (MSRC).

'Tenable is transforming how organizations think about and reduce cyber risk,' said Doerr. 'Its forward-thinking approach to exposure management and its rapid innovation in cloud security make this an incredibly exciting time to join. I'm thrilled to be part of a team that's building the future of cybersecurity.'

Shai Morag, Tenable's current CPO, will remain at the company during the transition period. The company thanks Mr. Morag for his leadership and many contributions to Tenable's product strategy and growth.


Techday NZ
30-04-2025
- Business
- Techday NZ
Google Cloud unveils agentic AI to boost security operations efficiency
Google Cloud has outlined its plans to integrate agentic AI into its security operations in an effort to automate routine tasks and improve efficiency for security teams. The use of agentic AI within security is intended to move beyond existing assistive AI by allowing intelligent agents to independently identify, reason through, and dynamically execute tasks, while keeping human analysts informed and involved in the process.

Building on customer experiences with Gemini in Security Operations, Google Cloud aims to develop a security operations centre (SOC) where these intelligent agents collaborate with human analysts. Hector Peña, Senior Information Security Director at Apex Fintech Solutions, commented on the current benefits, stating: "No longer do we have our analysts having to write regular expressions that could take anywhere from 30 minutes to an hour. Gemini can do it within a matter of seconds."

Google Cloud has recently developed new AI agents as part of its Gemini in Security suite. The alert triage agent in Google Security Operations is designed to perform dynamic investigations and deliver verdicts on alerts. This agent is expected to be available in preview to selected customers in the second quarter of 2025. It analyses the context of each alert, gathers supporting information, and provides an audit log detailing the evidence, reasoning, and decisions behind its verdicts. This tool aims to reduce repetitive work for Tier 1 and Tier 2 security analysts who manage high volumes of daily alerts.

In Google Threat Intelligence, the malware analysis agent is designed to undertake the reverse engineering of potentially malicious files. Also expected to be available for preview to selected customers in Q2 2025, this agent examines suspicious code, creates and executes deobfuscation scripts, and presents a summary along with a determining verdict regarding the file's safety.

The agentic SOC concept involves connecting multiple specialised agents that collaborate with analysts to automate a variety of security workflows. Google Cloud believes this could yield significant efficiency gains, enabling security professionals to dedicate more attention to complex threats and strategic priorities. Google Cloud provided examples of critical SOC functions that could be automated or orchestrated through agentic AI. These include data management, alert triage, investigation, response actions, threat research, threat hunting, malware analysis, exposure management, and detection engineering.

To support the deployment of reliable AI agents, Google Cloud leverages its broad security data and expertise, advanced AI research, and integrated technology stack. The company stated that these resources allow for the development of agents capable of human-like planning and reasoning, producing consistent and high-quality outcomes across security tasks. Google also pointed to the modularity of this approach, with new agents constructed through the combination of existing security capabilities.

Interoperability is also a focus for Google Cloud, with the introduction of the Agent2Agent (A2A) protocol to enable communication among agents developed by different developers, and the model context protocol (MCP) for standardised interaction between AI and security applications. Google Cloud is open-sourcing MCP servers for Google Unified Security, allowing customers to build custom workflows that combine Google Cloud and other security solutions. The company emphasises its commitment to an open ecosystem in which agents from various vendors and products can work together.

Grant Steiner, Principal Cyber-Intelligence Analyst, Enablement Operations, Emerson, said: "We see an immediate opportunity to use MCP with Gemini to connect with our array of custom and commercial tools. It can help us make ad-hoc execution of data gathering, data enrichment, and communication easier for our analysts as they use the Google Security Operations platform."

Google Cloud also introduced SecOps Labs, an initiative offering customers early access to AI pilots in Google Security Operations, and providing a mechanism for the community to give feedback. The initial set of pilots includes autonomous conversion of threat reports into detection rules, the generation of automation playbooks based on historical incident analysis, and updates to data parsers using natural language commands. SecOps Labs is intended as a space for teams to trial and refine AI capabilities, and help shape future Google Security Operations technologies by offering feedback based on real-world experiences.