Russia-linked Gamaredon starts stealing data 30 to 50 minutes after initial compromise
Ukraine’s Computer Emergency Response Team has discovered new abilities within the Russia-linked APT group Gamaredon (also known as Shuckworm, Actinium, Armageddon, Primitive Bear, UAC-0010, and Trident Ursa). The group is apparently able to steal data from networks in less than an hour after initial compromise. Gamaredon often uses spear-phishing along with social engineering emails and messages sent via Telegram, WhatsApp, and Signal, using accounts that have been previously compromised.
New AI tool – WormGPT allows for sophisticated cyber attacks
This tool has been advertised on forums as a new way to create convincing fake emails that are personalized to the recipient, according to research from SlashNext. Despite anti-abuse protocols put in place by OpenAI and by Google’s Bard, a report from CheckPoint last week described how “Bard’s anti-abuse restrictors in the realm of cybersecurity are significantly lower compared to those of ChatGPT,” making it the current tool of choice for such activities. SlashNext security researcher Daniel Kelley added, in his company’s report, that threat actors are promoting “jailbreaks” for ChatGPT, engineering specialized prompts and inputs that are designed to manipulate the tool into generating output that could involve disclosing sensitive information, producing inappropriate content, and executing harmful code.
Microsoft still unsure how hackers stole Azure AD signing key
Following up on last week’s email breach story, an inactive Microsoft account (MSA) consumer signing key was allegedly used by Chinese hackers to breach the Exchange Online and Azure AD accounts of two dozen organizations, including government agencies. “The threat actors used the stolen Azure AD enterprise signing key to forge new auth tokens by exploiting a GetAccessTokenForResource API flaw, providing them access to the targets’ enterprise mail.” As for how the key was obtained, “the method by which the actor acquired the key is a matter of ongoing investigation,” Microsoft admitted in a new advisory published Friday.
White House plan for implementing cybersecurity strategy faces roadblocks
The Biden administration’s implementation plan for the White House’s national cybersecurity strategy was revealed Thursday, but was overshadowed somewhat by the email breach as well as by a court halting a regulation mandating that U.S. water systems improve their cybersecurity posture. That water systems suit in particular may create a roadblock for other potential moves by the administration to use existing authorities to create cybersecurity mandates for other critical infrastructure sectors.
Thanks to this week’s episode sponsor, OpenVPN

Source code of the BlackLotus UEFI Bootkit leaked on GitHub, experts are divided
Back in March, researchers from ESET discovered a new stealthy Unified Extensible Firmware Interface (UEFI) bootkit, named BlackLotus, that is able to bypass Secure Boot on Windows 11. Its source code has now been leaked on GitHub, meaning threat actors can use it to create their own variants, which may include new exploits. According to some experts, this represents a significant risk mainly because it can be combined with new exploits to create new attack opportunities, while others, such as Alex Matrosov, CEO of the firmware security company Binarly, believe that the leaked source code doesn’t represent a significant threat because it isn’t complete.
Genesis Market sold to anonymous buyer despite FBI disruption
Following up on a story we brought you last week regarding the Genesis market, which was put up for sale three months after having its assets seized by the FBI: well, it’s sold. According to forum posts from GenesisStore, the group behind Genesis Market claimed on Thursday that it had been sold to an unidentified buyer. GenesisStore had previously been associated with the platform’s administrators. “A buyer has been found and a deposit has been made. The store will be handed over to a new owner next month,” stated the post in Russian, adding: “Accounts on the forums will not be transferred, the new owner will create new accounts if necessary.”
Hackers steal over $55 million in Mexican financial fraud
Researchers from Israel-based cybersecurity company Perception Point estimated that since early 2021, threat actors have defrauded more than 4,000 victims in Mexico out of over $55 million. Named “Manipulated Caiman,” because the attack used “Loader Manipulado” in its script, it starts as a phishing scam in which the victim receives an email with a faked tax receipt attached. This leads to a malware download. The attack was geofenced to Mexico only, meaning that a potential victim with an IP address outside of Mexico is redirected to a legitimate website and the attack is terminated. This method can make the attack extremely difficult for even the most advanced threat detection solutions to identify and catch. It also helped the attacker use the victims’ own computers to distribute the attack.
Colorado State University says MOVEit-related data breach impacts students, staff
The university has confirmed that the Clop ransomware operation stole sensitive PII of current and former students and employees. The attack has been attributed to the recent MOVEit Transfer data-theft attacks. Although the breach is still being assessed, CSU stated that PII dating back to 2021 of prospective, current, and former CSU students and current and former employees may have been impacted. They added that the leak is not the result of a direct breach of any CSU systems but instead a compromise of the University’s service vendors, TIAA, National Student Clearinghouse, Corebridge Financial, Genworth Financial, Sunlife, and The Hartford, all of whom used the MOVEit Transfer secure file transfer platform.