Tag Archive for: weaponized

China Arrests 4 Who Weaponized ChatGPT for Ransomware Attacks


The individuals confessed to creating variations of ransomware, enhancing the software through the utilization of OpenAI’s ChatGPT, carrying out vulnerability scans, infiltrating networks to secure access, deploying ransomware, and engaging in extortion.

Chinese media has reported the country’s first major step towards countering the use of ChatGPT as four Chinese individuals have been arrested for developing ransomware using ChatGPT. This is the country’s first instance involving the popular yet officially banned chatbot.

The arrests should not come as a surprise, as cybercriminals have been eager to exploit the AI chatbot for malicious purposes. Those who could not abuse it directly have built their own malicious chatbot clones, infamously known as WormGPT and FraudGPT.

According to the South China Morning Post (SCMP), the cyber attackers came under the authorities’ radar after an unidentified company in Hangzhou reported a cybercrime. The hackers demanded 20,000 Tether to restore access to the company’s systems.

In late November 2023, the police arrested two suspects in Beijing and two in Inner Mongolia. The suspects admitted to writing ransomware versions, optimizing the program using the popular chatbot, conducting vulnerability scans, infiltrating networks to gain access and implanting ransomware, and performing extortion.

The use of ChatGPT, a chatbot developed by OpenAI, is prohibited in China as part of Beijing’s initiatives to limit access to foreign generative artificial intelligence products. In response, China has introduced its own version of ChatGPT named Ernie Bot. However, the report does not provide clear information on whether utilizing ChatGPT is subject to legal charges in China.

According to SCMP’s report, three of the detainees were previously implicated in other criminal activities, including spreading misinformation and selling stolen CCTV footage through deep fake technology.

Despite OpenAI blocking internet protocol addresses in China, Hong Kong, and sanctioned regions such as North Korea and Iran, certain users find ways to bypass these restrictions by using VPNs and obtaining phone numbers from supported…


Konni Group Uses Weaponized Word Documents to Deliver RAT Malware


In the ever-evolving cybersecurity domain, the resurgence of NetSupport RAT, a Remote Access Trojan (RAT), has raised concerns among security professionals. 

This sophisticated malware, initially developed as a legitimate remote administration tool, has been repurposed by malicious actors to infiltrate systems and establish remote control.

NetSupport Manager, the software upon which NetSupport RAT is based, originated as a genuine remote technical support tool three decades ago. 

It provided capabilities for file transfers, support chat, inventory management, and remote access. 

While its initial purpose was legitimate, threat actors have exploited its functionalities for malicious purposes.


In collaboration with the Threat Analysis Unit, the Carbon Black Managed Detection & Response (MDR) team has witnessed a significant increase in NetSupport RAT infections in recent weeks. 

This surge primarily affects Education, Government, and Business Services organizations.

Delivery Mechanisms and Actor Landscape

The distribution of NetSupport RAT involves a variety of tactics, including fraudulent updates, drive-by downloads, exploitation of malware loaders like GhostPulse, and phishing campaigns. 

Unlike some malware exclusively utilized by specific threat actors, NetSupport RAT has been employed by a range of malicious entities, from novice hackers to sophisticated adversaries.

Recent NetSupport RAT attacks typically involve tricking victims into downloading fake browser updates from compromised websites. 

The initial infection process may vary depending on the specific threat actor’s methodology.

One observed infection scenario involves a victim downloading a fake browser update from a compromised website. 

This update hosts a PHP script that displays a seemingly authentic update prompt. 

Upon…


Google Chrome Zero-Day Weaponized to Spy on Journalists


A zero-day vulnerability in Google Chrome was used by the established spyware group Candiru to compromise users in the Middle East — specifically journalists in Lebanon.

Avast researchers said attackers compromised a website used by news agency employees in Lebanon and injected code into it. That code identified specific, targeted users and routed them to an exploit server. From there, the attackers collected a set of about 50 data points, including language, device type, time zone, and much more, to verify that they had the intended target.

At the very end of the exploit chain, the attackers drop DevilsTongue spyware, the team noted.

“Based on the malware and TTPs used to carry out the attack, we can confidently attribute it to a secretive spyware vendor of many names, most commonly known as Candiru,” the Avast researchers explained.

The original vulnerability (CVE-2022-2294), discovered by the same Avast team, was the result of a memory corruption flaw in WebRTC. Google issued a patch on July 4.

“The vulnerabilities discovered here are definitely serious, particularly because of how far-reaching they are in terms of the number of products affected — most modern desktop browsers, mobile browsers, and any other products using the affected components of WebRTC,” James Sebree, senior staff research engineer with Tenable, said via email. “If successfully exploited, an attacker could potentially execute their own malicious code on a given victim’s computer and install malware, spy on the victim, steal information, or perform any other number of nefarious deeds.”

But, Sebree added, the original heap overflow flaw is complicated to exploit and won’t likely result in widespread, generalized attacks.

“It’s likely that any attacks utilizing this vulnerability are highly targeted,” Sebree explained. “While it’s unlikely that we will see generalized attacks exploiting this vulnerability, the chances are not zero, and organizations must patch accordingly.”

Candiru (aka Sourgum, Grindavik, Saito Tech, and Taveta) allegedly sells the DevilsTongue surveillance malware to governments around the world. The Israeli company was founded by engineers who left NSO Group, maker of the infamous Pegasus…


The FBI Disrupted Russian GRU Botnet Malware Through a Court Order Before It Could Be Weaponized


The Federal Bureau of Investigation (FBI) said it shut down a Russian GRU botnet malware through a court-authorized operation before it could be weaponized.

The botnet targeted Firebox firewall hardware from WatchGuard Technologies, which is used by many small and midsized businesses.

The DOJ said the operation involved copying and removing “malware from vulnerable internet-connected firewall devices that Sandworm used for command and control (C2) of the underlying botnet.”

U.S. Attorney General Merrick Garland also disclosed that US authorities worked with WatchGuard to analyze the malware, remove it before it could be used, and create detection and remediation techniques.

Russian GRU botnet malware linked to Sandworm APT

The FBI said the botnet used Cyclops Blink malware associated with the Sandworm (also known as Voodoo Bear) team. The group is associated with the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

“This GRU team, Sandworm, had implanted a specific type of malware known as Cyclops Blink on thousands of WatchGuard Technologies’ Firebox devices—these are security appliances, mainly firewalls, that are typically deployed in home office environments and in small to mid-size businesses,” FBI Director Christopher Wray, said in a press statement.

The Sandworm hacking group is responsible for large-scale cyber attacks including the worldwide NotPetya campaign, Ukraine’s power grid shutdown in 2015, the French presidential campaign hack, the 2018 Winter Olympics Destroyer attack, and attacks on the Organization for the Prohibition of Chemical Weapons (OPCW).

The Cyclops Blink malware emerged in 2019 as a replacement for the VPNFilter malware that the Justice Department brought down through another court-authorized action in 2018.

On Feb 3, 2022, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued an advisory on Cyclops Blink malware targeting WatchGuard and Asus networking devices.

Similarly, researchers from Trend Micro warned in March 2022 that the Cyclops Blink malware targeted devices in non-critical infrastructure organizations to…
