APT28, also known as FancyBear, is at the heart of another targeted campaign. This time, it’s sniffing around users of Google services. Some 14,000 people have been notified about a spear phish attempt looking to compromise accounts and access their files.
When did this happen?
Sometime late September, according to the folks at Google. They didn’t go into detail about which industries were key targets, but this campaign “compromised 86% of the batch of warnings we sent for this month”.
Did Google catch all the malicious missives?
Shane Huntley, Director of Google’s Threat Analysis Group, mentioned that they blocked all the emails sent. That seems pretty conclusive. He goes into more details in this thread:
TAG sent an above-average batch of government-backed security warnings yesterday. Some info for people who got the warning and a reminder what it means: https://t.co/ozlRL4SwhG — Shane Huntley (@ShaneHuntley) October 7, 2021
and also in this one:
What we see over and over again is that much of the initial targeting of government backed threats is blockable with good security basics like security keys, patching and awareness, so that's why we warn. — Shane Huntley (@ShaneHuntley) October 7, 2021
As he puts it, these warnings are primarily there to tell you to batten down the hatches before the next attack, whenever that might be.
Google has more information on this type of warning over on its security blog. If you ever see the below message, it’s definitely time to take action:
Government backed attackers may be trying to steal your password.
There’s a chance this is a false alarm, but we believe we detected government-backed attackers trying to steal your password. This happens to less than 0.1% of all Gmail users. We can’t reveal what tipped us off because the attackers will take note and change their tactics, but if they are successful at some point they could access your data or take other actions using your account.
Google recommends those affected join its Advanced Protection Program, which it says is its strongest protection for users at risk of targeted attacks.
What is the Advanced Protection Program?
Google’s Advanced Protection Program is another layer of security on top of regular Google protection, for those who need it. Physical security keys are a big feature of this program. The Chrome browser will also scan any and all files which attempt to download on a device. It also refuses files from untrusted/unknown sources on Android, and makes it more difficult for rogue files to gain permissions from the device.
What else is Google doing in this realm?
Well, Google is very much about auto-enrolment for things like 2FA these days. Take-up on 2FA is quite low across many services on the web, and something like this can only help boost everyone’s security a bit more.
There’s also Google’s Security Checkup feature. At a glance, this will tell you about logged in devices, recent security activity, whether or not you have 2FA enabled, and your Gmail settings including which addresses you may have blocked. Many of the tabs reveal more and more information as you go. The 2-step column will tell you about phones using sign-in prompts, which Authenticator app you’re using and when it was added, phone numbers, and backup codes.
Don’t forget, you can also see a list of IP addresses that have used your Gmail account: on the desktop, look in the bottom right-hand corner (“last account activity”). This shows the type of access (web? mobile?), the location/IP address, and the date/time of each session.
These are all useful things to help ward off compromise, and also perhaps figure out where something might have gone wrong.
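A small way to make that "last account activity" review less of an eyeball exercise, added here as an illustration rather than anything from Google or the original post: the script below takes constructed sample rows in the shape of the three fields the view exposes (access type, IP address, date/time), compares them against ranges and client types the account owner recognises (assumed values you would fill in yourself), and flags the rows worth a second look. The row format, the trusted networks and the expected access types are all assumptions for the example.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample rows, loosely modelled on the three fields the Gmail
# "last account activity" view exposes (access type, IP, date/time).
# Hypothetical values only, using documentation-range addresses.
SAMPLE_EVENTS = [
    {"access_type": "Browser", "ip": "203.0.113.10", "time": "2021-10-07 17:15"},
    {"access_type": "Browser", "ip": "203.0.113.10", "time": "2021-10-07 08:02"},
    {"access_type": "Mobile",  "ip": "203.0.113.11", "time": "2021-10-07 08:30"},
    {"access_type": "IMAP",    "ip": "198.51.100.7", "time": "2021-10-07 08:41"},
]

# Assumed: ranges the account owner recognises (home/office) and the access
# types they actually use. Both are inputs the user supplies, not Google data.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]
EXPECTED_ACCESS_TYPES = {"Browser", "Mobile"}


def parse_time(stamp):
    """Parse the constructed 'YYYY-MM-DD HH:MM' timestamp used in the sample rows."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M")


def is_trusted(ip, networks):
    """True if the address falls inside any of the owner's recognised ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in networks)


def flag_events(events, networks=TRUSTED_NETWORKS, expected_types=EXPECTED_ACCESS_TYPES):
    """Return [(event, [reason, ...])] for rows worth a closer look, oldest first.

    A row is flagged when its IP is outside every trusted range or when its
    access type is one the owner does not use (e.g. IMAP when only the web
    and mobile clients are in use). Rows with nothing to report are dropped.
    """
    flagged = []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        reasons = []
        if not is_trusted(ev["ip"], networks):
            reasons.append(f"{ev['ip']} is outside trusted networks")
        if ev["access_type"] not in expected_types:
            reasons.append(f"access type {ev['access_type']!r} not expected")
        if reasons:
            flagged.append((ev, reasons))
    return flagged


def unrecognised_ips(events, networks=TRUSTED_NETWORKS):
    """Distinct untrusted IPs: the short list to cross-check against your own devices."""
    return sorted({ev["ip"] for ev in events if not is_trusted(ev["ip"], networks)})


if __name__ == "__main__":
    for ev, reasons in flag_events(SAMPLE_EVENTS):
        print(ev["time"], ev["access_type"], ev["ip"], "->", "; ".join(reasons))
```

With the sample above only the IMAP session from 198.51.100.7 is reported, for both reasons: it comes from outside the recognised range and uses a client type the owner never set up. Either finding on its own is a cue to sign out of other sessions and change the password; a legitimate but forgotten device simply gets added to the trusted list.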
Should I be worried?
As the figure above suggests, for most people the risk from something like FancyBear is as good as negligible. If you work in a high-risk occupation, or deal with sensitive data you feel governments may be interested in, then yes, you could potentially be a target, though even then the odds are slim. If you’re a journalist, an activist, work in human rights, are a lawyer, or work in some form of national security role, then you may want to sign up to the Advanced Protection Program.
Everyone else should realistically be more concerned about common-or-garden malware, scams, phishes, and so on. The good news is that the basic security practices which help ward off those attacks will also go some way towards warding off the big stuff. There’s no downside to adopting them: it’s win-win.
Do yourself a favour, and start digging through the multitude of security features Google has available. You’ll be surprised how easy it is to set most of it up, and you’ll be strengthening the security of your data at the same time.
The post Google warns some users that FancyBear’s been prowling around appeared first on Malwarebytes Labs.