Google Ads exploited for network breaches

BleepingComputer reports that widespread malvertising campaigns abusing Google Ads, run by the initial access broker DEV-0569, are underway and are being used for malware distribution, password theft, and network breaches. DEV-0569 has been placing malicious ads that impersonate widely used software to deploy the RedLine Stealer information stealer, which exfiltrates browser cookies, saved passwords, and cryptocurrency wallets, before delivering the Gozi/Ursnif malware downloader, according to CronUp researcher German Fernandez, who noted that Gozi would then be used to deploy Cobalt Strike. Nearly 64,000 individuals have been victimized by the attack. Meanwhile, infrastructure previously used by the TA505 threat group, which is linked to Cl0p ransomware, has been used in a similar Google Ads campaign whose operators spoof websites for Microsoft Teams, AnyDesk, Adobe, LibreOffice, TeamViewer, Slack, and the IRS W-9 form to deliver malware. Google has previously pointed to its "robust policies" against ads that masquerade as other brands, and said of another similar malware campaign: "We reviewed the ads in question and have removed them."