Cybersecurity News: Water utility threats, GPT-4 hacking, SIM swap solicitation

Sandworm-linked group tied to attack on water utilities

In 2024, the threat group Cyber Army of Russia claimed credit for attacks on several water utility systems in the US, France, and Poland. A new report from Mandiant claims this group is linked to the threat group Sandworm, a suspected part of Russia’s GRU military intelligence agency. It’s unclear whether Cyber Army of Russia operates as just another persona of Sandworm or as an independent entity. Analysts note that Sandworm had never previously hit US networks with disruptive cyberattacks. This also comes at a time when Sandworm itself is changing tactics, moving from opportunistic disruptions to more coordinated attacks in support of Russia’s war with Ukraine.

(Wired, Mandiant)

GPT-4 reads security advisories

Researchers at the University of Illinois Urbana-Champaign published a paper showing that OpenAI’s GPT-4 LLM can exploit vulnerabilities in real-world systems when given the corresponding CVE advisory. The researchers used 15 one-day vulnerabilities, half categorized as “high” or “critical”, spanning website vulnerabilities, container vulnerabilities, and vulnerable Python packages. GPT-4 exploited 13 of them. None of the other LLMs tested successfully exploited a single one. Without the CVE description, GPT-4 exploited only one vulnerability. The researchers estimate the cost of the runs at $8.80 per exploit.

(The Register)

Cell carrier workers solicited for SIM swaps

Bleeping Computer reports that employees at both T-Mobile and Verizon have received cold-call text messages on work and personal phones, offering up to $300 to perform a SIM swap. Various reports of the campaign on Reddit show texts claiming that the sender got the phone number from an employee directory. T-Mobile acknowledged these reports, but said it did not suffer another data breach. The FBI received over 2,000 SIM-swap complaints in 2023, resulting in over $72 million in losses.

(Bleeping Computer)

State of DDoS report

Cloudflare released its Q1 DDoS threat report. It found a 50% year-over-year increase in mitigated DDoS attacks, up to 4.5 million in the quarter. Geopolitics played into this, as DDoS attacks on Sweden spiked 466% after it entered NATO; Cloudflare observed a similar pattern with Finland last year. HTTP-based DDoS attacks increased 93% on the year, while DNS-based attacks increased 80%, making up 54% of all network-layer DDoS attacks. Cloudflare saw almost weekly attacks that peaked at over 1 terabit per second in volume, with the largest attack of 2024 so far, from a Mirai botnet variant, surpassing 2 terabits per second.

(Cloudflare)

Huge thanks to our sponsor, Conveyor

Conveyor is the market-leading AI-powered platform that automates the entire customer security review process — from sharing your security posture and SOC 2 in a single portal to using that same information to automate answering security questionnaires with 90% accuracy.

Use Conveyor to fly through any customer security review in minutes.

It might sound like every other software claim out there, but there’s a reason our customers have dubbed Conveyor their ‘favorite security tool of the year’.

Test it out in a free proof of concept at www.conveyor.com

ASML still dependent on China

Given the multi-year chipmaking technology export bans imposed by the US against China, it’s somewhat surprising to see that the Dutch chipmaking equipment giant ASML still counts the country as its biggest market. In its most recent earnings, China accounted for 49% of system sales, up from just 8% a year ago, even as the proportion of sales to the US and Taiwan fell on the year. US export bans cut off its sales of cutting-edge chipmaking equipment, but allow sales of more mature technology.

(Bloomberg)

2015 malware still at work in Ukraine

Researchers at Cisco Talos discovered that a piece of malware known as OfflRouter caused documents from government and police sources in Ukraine to be uploaded to VirusTotal. The malware shows its age by spreading only via sneakernet on removable media and targeting files with a .doc extension. Ukrainian National Police files were also exfiltrated through OfflRouter in 2018, indicating that the virus survived on media for over five years in the same environment. It’s unclear what group uses the malware.

(CyberScoop)

Botnets flock to old TP-Link flaw

In a blog post, researchers at FortiGuard Labs Threat Research found that several botnets continue to exploit a year-old flaw in the TP-Link Archer AX21 Wi-Fi router. TP-Link patched the flaw on April 27, 2023, but because router firmware often goes unpatched, it’s still being exploited. This unauthenticated command-injection vulnerability in the ‘locale’ API is reachable through the router’s web portal. Researchers found Mirai variants, Moobot, Miori, and AGoent botnets abusing the exposed routers.

(Dark Reading)

Election disinformation efforts “kicked into gear”

A new report from Microsoft’s Threat Analysis Center detailed that over the last 45 days, Russian election disinformation campaigns ramped up activity in the US, much later than in the last several election cycles. Microsoft believes many prolific influence actors now work out of the Russian Presidential Administration, rather than the intelligence agencies used in previous campaigns. These efforts attempt to “undermine US support for Ukraine,” promote domestic discord, and turn public opinion against other NATO members. So far Microsoft hasn’t seen widespread deception from high-quality deepfake videos. It partnered with Democracy Forward and the AI For Good Lab to identify generative AI usage for misinformation this election cycle.

(The Record)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.