Top five Cyber Threat Intel stories of the week: 01/23 to 01/27/2023

James Beal
Hunter Strategy
Published Jan 27, 2023

Top 5 general threat intelligence stories of the week. This is from TLP white/open-source websites, so please feel free to share with anyone inside or outside the company you think would benefit and enjoy reading about these events. Please reach out if you have any questions on any of these events. Thank you!

General Worldwide activity:

1st: ChatGPT usage in InfoSec:

How Dangerous Are ChatGPT And Natural Language Technology For Cybersecurity?

Five Days in Class with ChatGPT

Overview:

How Dangerous: The sheer power and capability of ChatGPT have fueled the public’s imagination about just what could be possible with AI. Already, there’s a great deal of speculation about how it will impact a huge number of human job roles, from customer service to computer programming. Here, though, I want to take a quick look at what it might mean for the field of cybersecurity. Is it likely to lead to an increase in the already fast-growing number of cyberattacks targeting businesses and individuals? Or does it put more power in the hands of those whose job it is to counter these attacks?

Five Days: This past week we had an intense educational experience here at the Alperovitch Institute: 5 hours of Malware Analysis and Reverse Engineering with Juan Andres Guerrero-Saade, every day, all week, including Saturday (Monday was a holiday). The class was a first in several ways: we had never taught malware analysis at SAIS Hopkins. It was our first professional skills class in this format. But the most stunning novelty was the use of ChatGPT in the classroom.

Breakdown: ChatGPT, and the interest and hype cycle around AI toolsets generally, is just beginning. It is a remarkable aid for content creation, research and general knowledge work, but any tool built to function like a human in so many ways can also be abused by bad actors. These two articles document both sides: one is a concrete, real-world example of the tool raising the capability of every student in a demanding technical training class, the other a look at the dangers of the same tool. Together they give a good overview of the good and the bad, what worked and what did not, and both serve as a solid introduction to the topic.

2nd: Industry Reactions to Hive Ransomware Takedown: Feedback Friday

Overview: Authorities in the United States and Europe have announced the results of a major law enforcement operation targeting the Hive ransomware. Agencies from around the world worked together to take down Hive’s leak website and servers. In addition, agents hacked into Hive systems in July 2022, allowing them to identify targets and obtain decryption keys that allowed victims to recover encrypted files without paying a ransom. Authorities continue to investigate Hive in an effort to identify the cybercriminals involved in the operation, including developers, administrators and affiliates. The US announced that it’s offering rewards of up to $10 million for information on these and other hackers. Several industry professionals have commented on various aspects of the Hive takedown, many noting that while Hive may have fallen, the threat actors behind the operation will likely continue their malicious activities.

Breakdown: Takedowns of large attacker infrastructure are always a cause for celebration. If you have not followed the general coverage, the article links to several other detailed pieces on exactly what happened and why, which give you a good base to start from. It is also both fun and informative to read others' reactions and opinions on an operation like this, to see how people across the industry feel about these giant wins for the defensive side of the house.

3rd: British Cyber Agency Warns of Russian and Iranian Hackers Targeting Key Industries

Overview: The U.K. National Cyber Security Centre (NCSC) on Thursday warned of spear-phishing attacks mounted by Russian and Iranian state-sponsored actors for information-gathering operations. “The attacks are not aimed at the general public but targets in specified sectors, including academia, defense, government organizations, NGOs, think tanks, as well as politicians, journalists and activists,” the NCSC said. The agency attributed the intrusions to SEABORGIUM (aka Callisto, COLDRIVER, and TA446) and APT42 (aka ITG18, TA453, and Yellow Garuda). The similarities in the modus operandi aside, there is no evidence the two groups are collaborating with each other. The activity is typical of spear-phishing campaigns, where the threat actors send messages tailored to the targets, while also taking enough time to research their interests and identify their social and professional circles.

Breakdown: The NCSC, like the NSA and other government security organizations, constantly tracks worldwide hacking activity and shares discoveries as it finds new activity. With the ongoing Russia/Ukraine conflict we have seen a massive uptick in attacks confined to those two countries, but we have also been expecting more globally focused attacks as the conflict fails to reach any kind of resolution. Here we see Russian and Iranian actors reaching into specific sectors (academia, defense, government, NGOs, think tanks, and the politicians, journalists and activists around them) where they expect to find the intelligence they lack on other countries' plans.

4th: Bitwarden password vaults targeted in Google ads phishing attack

Overview: Bitwarden and other password managers are being targeted in Google ads phishing campaigns to steal users’ password vault credentials. As the enterprise and consumers move to use unique passwords at every site, it has become essential to use password managers to keep track of all the passwords. However, unless you use a local password manager, like KeePass, most password managers are cloud-based, allowing users to access their passwords through websites and mobile apps. These passwords are stored in the cloud in “password vaults” that keep the data in an encrypted format, usually encrypted using users’ master passwords. Recent security breaches at LastPass and credential stuffing attacks at Norton have illustrated that a master password is a weak point for a password vault. For this reason, threat actors have been spotted creating phishing pages that target your password vault’s login credentials, potentially authentication cookies, as once they gain access to these, they have full access to your vault.

Breakdown: This combines several methods of attack we have seen over the past couple of months: now password managers are being targeted with Google Ads phishing campaigns. In recent weeks we have seen Google ads used to serve malware disguised as open-source and other popular software packages, alongside other ad-driven phishing. Now the attacks go directly after master passwords and full password vaults, which give access to every resource saved in the vault, and for most people that means investment accounts, bank accounts, company and private email, and so on.
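The practical defensive check for this kind of campaign is whether the landing page behind an ad actually belongs to the password manager's own domain, or merely contains its name. The script below is an added example for this roundup, not code from the BleepingComputer article, from Bitwarden or from any other vendor: it triages a list of ad landing URLs against a small allowlist of vault domains and flags lookalikes by three heuristics (brand name inside a non-allowlisted host, a second-level label within two edits of a brand, and the `user@host` trick that puts a trusted-looking name before the real host). The allowlist, the heuristics and the sample URLs are all constructed for illustration; the public-suffix handling is deliberately simplified and noted as an assumption in the code.

```python
"""Triage ad landing URLs that may impersonate a password-manager vault login.

Added example for this roundup; it is not code from the article, from
Bitwarden or from any other vendor. The allowlist, the lookalike heuristics
and the sample URLs below are constructed for illustration.
"""
from urllib.parse import urlparse

# Constructed allowlist of registrable domains that really serve vault logins.
LEGIT_VAULT_DOMAINS = {"bitwarden.com", "bitwarden.eu", "1password.com", "lastpass.com"}
BRANDS = ("bitwarden", "1password", "lastpass")


def split_host(url: str):
    """Return (hostname, has_userinfo) for a full URL or a bare host.

    Ad display URLs are often shown without a scheme, so a bare host is
    accepted. urlparse().hostname strips userinfo and port, which is what
    defeats the 'vault.bitwarden.com@evil.example' trick: the real host is
    evil.example and the trusted-looking part is only a username.
    """
    if "://" not in url:
        url = "//" + url
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower().rstrip(".")
    return host, parsed.username is not None


def registrable_domain(host: str) -> str:
    """Last two labels of the host.

    Simplification (assumption): no public-suffix list is consulted, so a
    host under a multi-part suffix such as example.co.uk reduces to 'co.uk'.
    """
    return ".".join(host.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str):
    """Return (verdict, reason); verdict is 'legit', 'lookalike', 'unrelated' or 'invalid'."""
    host, has_userinfo = split_host(url)
    if not host:
        return "invalid", "no hostname"
    reg = registrable_domain(host)
    if reg in LEGIT_VAULT_DOMAINS:
        return "legit", reg
    if has_userinfo:
        return "lookalike", "userinfo before '@' hides the real host %s" % host
    for brand in BRANDS:
        if brand in host:
            return "lookalike", "brand '%s' inside non-allowlisted host %s" % (brand, host)
    sld = reg.split(".")[0]
    for brand in BRANDS:
        if levenshtein(sld, brand) <= 2:
            return "lookalike", "'%s' is within 2 edits of '%s'" % (sld, brand)
    return "unrelated", reg


# Constructed sample of ad landing URLs; none of these are real campaign indicators.
SAMPLE_AD_URLS = [
    "https://vault.bitwarden.com/#/login",              # genuine vault login
    "appbitwarden.com",                                 # bare display URL, brand glued on
    "https://bitwarden-login.example/vault",            # brand inside an unrelated host
    "https://1passw0rd.com/signin",                     # one-character typosquat
    "https://vault.bitwarden.com@evil.example/login",   # userinfo trick
    "https://bitwarden.com.evil.example/",              # brand as a subdomain of evil.example
    "https://news.example.org/article",                 # unrelated
]


def triage(urls):
    """Map each URL to its verdict; handy for a quick sweep of an ad list."""
    return {u: classify(u)[0] for u in urls}


if __name__ == "__main__":
    for u in SAMPLE_AD_URLS:
        verdict, why = classify(u)
        print(f"{verdict:10} {u}  ({why})")
```

The ordering matters: the allowlist is consulted on the registrable domain first, so `bitwarden.com.evil.example` is never treated as legitimate, and the userinfo check runs before the brand heuristics so the `@` trick is reported for what it is rather than as a generic brand match.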

5th: Threat Actors Turn to Sliver as Open-Source Alternative to Popular C2 Frameworks

Overview: The legitimate command-and-control (C2) framework known as Sliver is gaining more traction from threat actors as it emerges as an open-source alternative to Cobalt Strike and Metasploit. The findings come from Cybereason, which detailed its inner workings in an exhaustive analysis last week. Sliver, developed by cybersecurity company BishopFox, is a Golang-based cross-platform post-exploitation framework that’s designed to be used by security professionals in their red team operations.

Breakdown: C2 frameworks and pentesting toolsets, commercial and open source alike, are always going to be a target for APT groups and anyone else interested in mass attacks. We have seen Cobalt Strike abused for years, and, as with the recent news of Brute Ratel code potentially circulating and being used in attacks, we now have another framework with a target on it for abuse. The article has a concise technical breakdown of the features that make it ripe for use in attacks, and links to a detailed report with the full technical details of the toolset.

Contact Us

contact@hunterstrategy.net

Our Website


James Beal
Hunter Strategy

Cyber Threat Intelligence Engineer - Focused on simplifying the evolving threat landscape and creating tangible alerts to help TRIAGE events.