Top five Cyber Threat Intel stories of the week: 07/10 to 07/14/2023

James Beal
Hunter Strategy
Published Jul 14, 2023 · 5 min read

Top 5 general threat intelligence stories of the week. This is from TLP:WHITE/open-source websites, so please feel free to share and enjoy reading about these events. Please reach out if you have any questions! Thank you!

General Worldwide activity:

1st: Russian state hackers lure Western diplomats with BMW car ads

Overview: The Russian state-sponsored hacking group ‘APT29’ (aka Nobelium, Cloaked Ursa) has been using unconventional lures like car listings to entice diplomats in Ukraine to click on malicious links that deliver malware. APT29 is linked to the Russian government’s Foreign Intelligence Service (SVR) and has been responsible for numerous cyberespionage campaigns targeting high-interest individuals across the globe. In the past two years, Russian hackers focused on NATO, EU, and Ukrainian targets, using phishing emails and documents with foreign policy topics, along with phony websites to infect their targets with stealthy backdoors. A report published today by Palo Alto Network’s Unit 42 team explains that APT29 has evolved its phishing tactics, using lures that are more personal to the phishing email recipient.

Breakdown: Another perfect example of advanced persistent threat groups using tailored lures to get clicks that lead to malware/ransomware-style attacks. When people are aware of and watching for these threats, the attack escalation paths these groups follow require extra work: the attackers must put in more effort to personalize and customize their phishing techniques and tactics for each individual campaign.

2nd: White House unveils ‘roadmap’ for national cyber strategy goals

Overview: The Office of the National Cyber Director unveiled the implementation plan for its sweeping national cybersecurity strategy Thursday, setting deadlines for 18 different government agencies to put in motion changes designed to make cybersecurity regulation more robust and streamlined while increasing corporate responsibility for protecting critical infrastructure from cyberattacks. The 57-page implementation plan should be considered a “roadmap” for how to achieve the objectives outlined in the precedent-setting strategy, acting National Cyber Director Kemba Walden told reporters ahead of the document’s release. The Biden administration described the plan as most focused on two primary objectives: ensuring that the “biggest, most capable, and best-positioned entities” in the public and private sectors take on more responsibility for lowering cyber risk, and boosting incentives to fuel investment in cybersecurity in the long term.

Breakdown: We have been preparing to see this plan released for several months now, and it is great to see it finally out there and available for public consumption. This is something I think everyone involved in information security should be aware of and have reviewed, to understand the strategy going forward at the national government level. As noted in the article, they are going to treat this as a roadmap for getting more direct involvement from both the public and private sectors in making everyone safer overall.

3rd: Beautiful Bauhinia: “HKLeaks” — The Use of Covert and Overt Online Harassment Tactics to Repress 2019 Hong Kong Protests

Overview: In August 2019, at the height of the Anti-Extradition Bill protests that rocked Hong Kong, a series of websites branded “HKLEAKS” began surfacing on the web. Claiming to be run by anonymous citizens, they systematically exposed (“doxxed”) the personal identifiable information of protesters, journalists, and other individuals perceived as affiliated with the protest movement. A number of analyses [1, 2, 3, and more] over the subsequent months and years, as well as individual observers, surfaced several peculiar features of this operation, from the dodgy Russian-based hosting of its web domains, to the synergy with Chinese state media, to the suspicious sourcing of the data used for the doxxing.

Breakdown: This falls slightly outside the range of general information security, but research from Citizen Lab is always top tier and makes for a very entertaining way to learn about this kind of activity. Doxxing, online harassment and disinformation campaigns are well-used tools in the hands of governments worldwide and align with many areas of information security and system protections to keep people safer from this kind of abuse.

4th: WormGPT Cybercrime Tool Heralds an Era of AI Malware vs. AI Defenses

Overview: Cybercriminals are leveraging generative AI technology to aid their activities and launch business email compromise (BEC) attacks, including use of a tool known as WormGPT, a black-hat alternative to GPT models specifically designed for malicious activities. According to a report from SlashNext, WormGPT was trained on various data sources, with a focus on malware-related data; it generates human-like text based on the input it receives and is able to create highly convincing fake emails. Screenshots from a cybercrime forum illustrate exchanges between malicious actors on how to deploy ChatGPT to aid successful BEC attacks, indicating that hackers with limited fluency in the target language can use gen AI to fabricate a convincing email. The research team also conducted an evaluation of the potential risks associated with WormGPT, with a specific focus on BEC attacks, instructing the tool to generate an email aimed at pressuring an unsuspecting account manager into making payment for a fraudulent invoice.

Breakdown: Everyone expected that cybercrime and APT groups would not be far behind in creating malicious versions of popular large language model AI tools such as ChatGPT to assist in the creation of threat campaigns. This is an excellent overview of how that has been done and of the ways these toolsets will be abused by attacker groups in new campaigns.

5th: The Spies Who Loved You: Infected USB Drives to Steal Secrets

Overview: In the first half of 2023, Mandiant Managed Defense has observed a threefold increase in the number of attacks using infected USB drives to steal secrets. Mandiant tracked all of the cases and found that the majority of the incidents could be attributed to several active USB-based operation campaigns affecting both the public and private sectors globally. Previously, we covered one of the campaigns that leverages USB flash drives as an initial infection vector and concentrates on the Philippines.

Breakdown: In 2023, the idea that just dropping USB drives in a parking lot is a successful way to attack an organization almost seems like an apocryphal story shared in infosec circles, one that many do not believe to be true. Anyone interested in and aware of the history of cybercrime knows this is absolutely true, and knows how effective human curiosity really is when random things like that happen. Anyone who thought it was an old joke will be surprised to see, as called out in the article, two newer attack campaigns that have successfully used USB devices as an attack method and have had worldwide impact.
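Since the article's point is that USB drives are back as an initial infection vector, here is the kind of tangible alert a defender can build from endpoint logs. This is an added example written for this post, not code from Mandiant or from the article; it assumes Windows Security events 6416 (a new external device was recognized) and 4688 (a new process has been created) have been flattened into one key=value line each, and the sample lines, host names, user names and field names are constructed for the example. It flags any process launched from a non-system drive, and raises the confidence when a USB mass-storage device was recognized on the same host within the preceding ten minutes.

```python
"""Correlate USB device recognition with process launches from removable media.

Assumptions (not from the article): Windows Security event 6416 (new external
device recognized) and 4688 (process creation), each flattened to a constructed
"<ISO timestamp> Key=Value Key="quoted value" ..." line. The system drive is C:.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample telemetry for the example; not real log data.
SAMPLE_LOG = """\
2023-07-12T09:14:02 EventID=6416 Host=WS-017 User=jdoe ClassName=USB DeviceDescription="USB Mass Storage Device"
2023-07-12T09:14:40 EventID=4688 Host=WS-017 User=jdoe NewProcessName="E:\\Photos\\Photos.exe" ParentProcessName="C:\\Windows\\explorer.exe"
2023-07-12T11:02:11 EventID=6416 Host=WS-022 User=asmith ClassName=HIDClass DeviceDescription="USB Input Device"
2023-07-12T11:30:05 EventID=4688 Host=WS-022 User=asmith NewProcessName="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" ParentProcessName="C:\\Windows\\explorer.exe"
2023-07-12T14:20:00 EventID=4688 Host=WS-031 User=bmoore NewProcessName="F:\\setup.exe" ParentProcessName="C:\\Windows\\explorer.exe"
"""

# Key=Value pairs; values may be double-quoted (group 3) or bare (group 4).
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# Any drive letter other than C: is treated as removable/non-system (assumption).
REMOVABLE_PATH_RE = re.compile(r'^[D-Zd-z]:\\')
WINDOW = timedelta(minutes=10)


@dataclass
class Event:
    ts: datetime
    fields: dict


def parse_line(line: str) -> Event:
    """Split off the leading ISO timestamp and parse the remaining key=value fields."""
    ts_str, rest = line.split(" ", 1)
    fields = {}
    for m in FIELD_RE.finditer(rest):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return Event(datetime.fromisoformat(ts_str), fields)


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def correlate(events: list, window: timedelta = WINDOW) -> list:
    """Return one alert per process launched from a non-system drive.

    Confidence is "high" when a USB mass-storage device was recognized on the
    same host within `window` before the launch, otherwise "low".
    """
    last_usb = {}  # host -> timestamp of most recent USB mass-storage recognition
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        f = ev.fields
        host = f.get("Host")
        if f.get("EventID") == "6416" and f.get("ClassName") == "USB":
            last_usb[host] = ev.ts
        elif f.get("EventID") == "4688":
            proc = f.get("NewProcessName", "")
            if not REMOVABLE_PATH_RE.match(proc):
                continue
            seen = last_usb.get(host)
            recent = seen is not None and ev.ts - seen <= window
            alerts.append({
                "host": host,
                "user": f.get("User"),
                "process": proc,
                "confidence": "high" if recent else "low",
                "seconds_since_usb": (ev.ts - seen).total_seconds() if recent else None,
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print(alert)
```

Two caveats for anyone turning this into a real alert: event 6416 only appears when the "Audit PNP Activity" subcategory is enabled, and 4688 needs process creation auditing turned on, so check that both are actually being collected before trusting the "high" tier; and the "low" tier still matters, because a drive that was plugged in before logging started (or on a host whose 6416 events never reach the SIEM) will only ever show up as an unexplained launch from a removable path.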

Contact Us

contact@hunterstrategy.net


James Beal
Hunter Strategy

Cyber Threat Intelligence Engineer - Focused on simplifying the evolving threat landscape and creating tangible alerts to help TRIAGE events.