Daily Brief

2025-02-28 10:39:06 thehackernews CYBERCRIME Microsoft Exposes Cybercriminals Abusing Azure AI Services
Microsoft has revealed the identities of four individuals involved in the Azure Abuse Enterprise scheme, known as LLMjacking, targeting AI services. The criminals exploited exposed customer credentials to access and alter Microsoft's Azure OpenAI Service for producing harmful content. The operation, termed Storm-2139 by Microsoft, involves creating tools for abusing AI to generate illicit content, such as non-consensual intimate images. Microsoft's Digital Crimes Unit is actively pursuing legal action and has already obtained a court order to seize a central website used by the cybercriminals. The group, Storm-2139, includes creators of malicious tools, providers who modify and sell these tools, and end-users who produce synthetic content violating Microsoft’s policies. Microsoft has also identified additional actors involved in the United States, located in Illinois and Florida, whose names have been withheld due to ongoing investigations. The exposure of these individuals is part of Microsoft's broader effort to combat misuse of AI technology and enforce its software use policies.
2025-02-28 10:28:51 thehackernews DATA BREACH Over 12,000 Live Secrets Found in Public LLM Training Set
Nearly 12,000 live secrets, including API keys and passwords, were discovered in a dataset used to train large language models (LLMs). The dataset, sourced from Common Crawl, comprised 400TB of web content drawn from 47.5 million hosts. The live secrets found varied widely, including AWS root keys and Slack webhooks, evidencing a severe security oversight. Training LLMs on such data not only propagates insecure coding practices but may also expose credentials that were hard-coded in past code samples. This follows recent findings by Lasso Security that data cached and indexed by Bing leaves private GitHub repositories accessible even after they are no longer public. Such exposures pose significant risks because they allow the extraction of private tokens and secrets affecting many large organizations. The study also highlighted a broader impact of training AI models on insecure code: the models may act unpredictably and even advise malicious actions.
2025-02-28 09:43:46 thehackernews CYBERCRIME Sticky Werewolf Deploys Lumma Stealer in Russia and Belarus Attacks
Sticky Werewolf, tracked by Kaspersky as Angry Likho, targets organizations in Russia and Belarus with the Lumma Stealer malware. The group uses a previously undocumented implant for malware delivery and is suspected of being associated with pro-Ukrainian cyber-espionage activity. Infection primarily begins with spear-phishing emails carrying booby-trapped attachments. The implant, built with the Nullsoft Scriptable Install System, functions as a self-extracting archive to evade detection and deploy the malware. Lumma Stealer collects sensitive data, including usernames, passwords, banking details, and information from cryptocurrency wallets and browsing activity. Angry Likho's operational tactics include maintaining a small, efficient infrastructure and focusing on high-value targets, such as government entities and their contractors. The group combines darknet-sourced tools with custom phishing strategies for effective malware distribution.
2025-02-28 08:39:28 bleepingcomputer NATION STATE ACTIVITY Investigation into Chinese Hackers Breaching Belgian Intelligence
Belgium's federal prosecutor is investigating whether Chinese hackers infiltrated the State Security Service (VSSE) email server between 2021 and May 2023. The hackers accessed approximately 10% of all emails exchanged through a server used for communication with various government bodies. The compromised system also carried internal HR communications, potentially exposing sensitive personal data of VSSE staff and applicants. Post-breach measures included ceasing the use of Barracuda as a cybersecurity provider and advising affected personnel to renew their identification documents to prevent identity fraud. No stolen data has been detected on the dark web so far, and the judicial investigation into the breach began in November 2023. Chinese state-backed hackers had previously been accused of targeting other Belgian ministries. The breach leveraged a zero-day vulnerability in Barracuda's Email Security Gateway, attributed to the Chinese-supported hacker group UNC4841.
2025-02-28 04:04:34 theregister CYBERCRIME Microsoft Sues Azure Abuse Enterprise for Credential Theft and Misuse
Microsoft filed a civil lawsuit against the "Azure Abuse Enterprise" group for stealing Azure cloud credentials and misusing its AI services to create harmful deepfake content. The lawsuit was initiated in Virginia in December 2024; it now includes the names of four out of ten defendants identified as part of the cybercrime group referred to as Storm-2139. Suspects used leaked API keys from Microsoft customers to access and resell Azure’s OpenAI service, facilitating the production of sexually explicit deepfakes of celebrities. Microsoft obtained a court order to seize web domains associated with the group, aiming to gather evidence, disrupt their operations, and track monetization efforts. The four named individuals are from Iran, the UK, Hong Kong, and Vietnam, with further suspects in the US, UK, Austria, Turkey, and Russia remaining unidentified to not compromise ongoing investigations. Microsoft's investigation benefitted from monitoring platforms like 4chan, where suspects and others discussed the operation and inadvertently leaked information. The company is preparing criminal referrals to both U.S. and international law enforcement agencies and is seeking damages and injunctions against the misuse of its services.
2025-02-27 22:56:45 bleepingcomputer MALWARE Vo1d Malware Botnet Infects Over 1.6 Million Android TVs Globally
A new variant of the Vo1d malware botnet has infected approximately 1.6 million Android TV devices in 226 countries. Xlab researchers have monitored the botnet, which saw its highest activity with 800,000 active bots as of the latest report. The botnet employs advanced techniques for encryption and stealth, with a robust DGA-powered command and control infrastructure. Significant infection spikes in Brazil, South Africa, and Indonesia indicate the global reach and impact of this malware campaign. Vo1d malware not only uses compromised devices as proxy servers for illegal activities but also for ad fraud via automated interactions. The botnet's operators possibly "rent out" their infrastructure, causing rapid shifts in botnet size as devices are moved across networks. Researchers recommend a comprehensive security approach for Android TV users, including regular updates and cautious app installations. The vast command and control infrastructure with over 21,000 domains complicates efforts to disrupt the botnet's operations.
2025-02-27 22:48:47 theregister CYBERCRIME U.S. Soldier Arrested for Hacking Telecoms, Extortion Attempts
U.S. Army soldier Cameron John Wagenius has been charged with unlawfully accessing and disclosing AT&T customer data, including call logs of high-profile figures. Wagenius admitted in a federal court to his involvement and indicated a willingness to plead guilty. Accusations include attempts to sell stolen information to foreign intelligence and extortion of telecom companies by threatening to leak their data. Investigations link Wagenius to broader criminal activities involving over 150 compromised Snowflake cloud accounts and collaborations with other cybercriminals. Search history on Wagenius' devices suggests plans to defect to countries without extradition treaties with the U.S. Additional evidence found included thousands of stolen ID documents and considerable amounts of cryptocurrency, hinting at potential plans to flee. Two associates of Wagenius, involved in similar cybercrimes, have been arrested abroad and are awaiting extradition.
2025-02-27 21:50:35 theregister NATION STATE ACTIVITY North Korea Accused of $1.5 Billion Ethereum Heist from Bybit
The FBI has officially linked North Korea's Lazarus Group to the theft of $1.5 billion in Ethereum from the crypto-exchange Bybit. The heist occurred earlier this month, and the North Korean cybercrime unit dubbed TraderTraitor is purportedly responsible. To aid recovery of the stolen funds, the FBI released wallet addresses associated with the hackers, hoping to block further illicit transactions. The stolen assets have been partially converted to Bitcoin and other cryptocurrencies, and attempts are underway to launder them through thousands of blockchain addresses. Bybit has initiated a bounty program, offering a 10% reward for assistance in tracing and halting the movement of the stolen funds. So far more than $40 million in tokens have been frozen, but a significant amount remains under North Korea's control. Chainflip, another crypto-exchange, has blocked about $1 million worth of stolen funds from being transferred and cautions other exchanges to be vigilant.
2025-02-27 20:59:06 bleepingcomputer NATION STATE ACTIVITY French Legislation Threatens Privacy with Encryption Backdoors
France has proposed laws requiring backdoors in encrypted services and restrictions on VPNs, raising significant privacy concerns. The "Narcotrafic" law amendment demands that providers make decrypted communications available to law enforcement within 72 hours or face severe fines. The amendment has passed the French Senate and is moving to the National Assembly, with privacy advocates urging its rejection. Critics argue that creating backdoors undermines the security of all users, not just criminals, leaving systems open to malicious actors. Tuta stresses that the proposal conflicts with the EU's GDPR and Germany's IT security laws, questioning its legality. Meanwhile, the VPN Trust Initiative (VTI) is protesting a separate amendment that would require VPN services to block access to pirate sites, likening it to censorship practices in restrictive countries. These developments are part of a broader global trend in which governments are intensifying efforts to monitor and control internet communications.
2025-02-27 18:04:25 bleepingcomputer DATA BREACH Over 49,000 Access Management Systems Exposed Online
Researchers at Modat found 49,000 misconfigured Access Management Systems (AMS) exposed online internationally, posing significant security threats. The exposed AMS instances allowed unauthorized changes such as editing employee records, adding fake employees, and modifying building entry permissions. Major lapses included sensitive data stored unencrypted, which could be used for spear-phishing or social engineering attacks. Geographically, the largest number of exposed AMS were in Italy (16,678), followed by Mexico (5,940) and Vietnam (5,035). The researchers have contacted affected system owners and vendors to inform them of the exposures and recommend security measures. Recommended measures include taking the systems offline for maintenance, using VPNs for remote access, changing default admin credentials, implementing multi-factor authentication, and ensuring all biometric and personal data is encrypted. The response from those notified is still unclear, indicating potential ongoing risk if corrective actions are not implemented swiftly.
2025-02-27 17:09:03 bleepingcomputer NATION STATE ACTIVITY Investigation Underway for Chinese Hackers' Breach of Belgian Intelligence
The Belgian federal prosecutor's office is probing a potential breach by Chinese state-backed hackers into the Belgian State Security Service's email system. Hackers accessed about 10% of all emails from a server used by VSSE personnel to communicate with various governmental bodies from 2021 to May 2023. The compromised server also handled internal HR communications, possibly exposing sensitive personal data of current and former VSSE staff. Following the discovery, VSSE ceased using Barracuda as its cybersecurity provider and has taken measures to mitigate identity theft risks among affected personnel. Despite concerns, there has been no evidence found of any stolen data from the breach being sold or used for extortion on the dark web. The attack aligns with past activities linked to Chinese state-sponsored groups known for targeting government entities. Barracuda identified zero-day vulnerabilities in its Email Security Gateways, which were reportedly exploited in these and other separate incidents against U.S. federal networks.
2025-02-27 15:58:46 bleepingcomputer CYBERCRIME Arrest of Prolific Hacker Suspected of Extorting 90 Global Firms
A suspected cybercriminal associated with the "DESORDEN Group" has been arrested in Bangkok for compromising 90 organizations worldwide. The hacker, known by aliases including ALTDOS and GHOSTR, has leaked over 13TB of personal data since 2020. The operation involved the Royal Thai Police, the Singapore Police Force, and cybersecurity experts from Group-IB. The victims were primarily in Asia-Pacific, but companies in Europe and North America were also affected. The hacker employed tactics such as SQL injection and remote desktop protocol exploitation to extract data and hold it for ransom, occasionally encrypting the data and contacting victims' customers to increase extortion pressure. Luxury items and electronic evidence were seized during the raid, and the suspect has confessed to the crimes. Facing charges for unauthorized access, extortion, and illegal residence, the suspect purportedly acted alone.
2025-02-27 15:37:47 thehackernews MALWARE Silver Fox APT Targets Taiwanese Firms with Winos 4.0 Malware
A new malware campaign targeting Taiwanese companies has been identified, delivering Winos 4.0 through phishing emails. The emails impersonate Taiwan's National Taxation Bureau and trick recipients into downloading a ZIP file containing malicious DLLs. Once executed, the malware can log keystrokes, capture screenshots, alter clipboard contents, and monitor USB connections. Fortinet also detected a second attack chain involving an online module that captures screenshots specifically from WeChat and online banking applications. Silver Fox APT, also linked to the ValleyRAT trojan, derives both malware families from Gh0st RAT, indicating continuous evolution and varied deployment tactics. Recent observations also show Silver Fox using trojanized DICOM viewers for broader malicious activity, including keylogging and cryptocurrency mining. The malware's installer performs geographic targeting checks, launching its payload primarily on systems with Chinese or Vietnamese language settings. Enhanced functions allow it to execute risky commands when prompts from specific Chinese security software appear, highlighting a sophisticated understanding of the targeted systems.
2025-02-27 13:59:57 thehackernews MALWARE Space Pirates Deploy New Malware in Russian IT Sector Attacks
Space Pirates, a known threat actor, has launched a campaign against Russian IT organizations using the new LuckyStrike Agent malware. The activity, named Erudite Mogwai by Solar—the cybersecurity division of Rostelecom—was first detected in November 2024. In addition to LuckyStrike Agent, the attackers utilized Deed RAT (also known as ShadowPad Light) and a modified proxy utility called Stowaway, which is linked to China-based groups. Since 2017, Erudite Mogwai has targeted government agencies, IT departments, and high-tech industry enterprises, notably in aerospace and electric power, for espionage and data theft. The LuckyStrike Agent malware is a .NET backdoor using Microsoft OneDrive for command and control operations, facilitating stealthy infiltration and data exfiltration. The attackers initially compromised a government sector's publicly accessible web service in March 2023, then used the compromised systems to gradually penetrate deeper into the network over 19 months. Stowaway was altered by the group to reduce its original functionalities, adapting it for specific proxy use, and integrating additional cryptographic and transport layer capabilities, indicative of advanced technical modification to avoid detection.
2025-02-27 13:11:18 thehackernews MALWARE New TgToxic Trojan Variant Targets Greater Geographic Range
Cybersecurity experts have identified an evolved version of the TgToxic banking trojan featuring sophisticated anti-analysis characteristics. The malware, updated in response to published security research, now targets mobile users in an expanded list of countries including Italy, Portugal, and Hong Kong. TgToxic is distributed through dropper APK files, presumably via SMS or phishing websites, which complicates traceability. Notable enhancements include advanced emulator detection and dynamic command-and-control URL generation via community forums, improving its evasion capabilities. The use of a domain generation algorithm (DGA) allows the malware to generate new C2 domains dynamically, maintaining operational resilience and longevity. Intel 471's analysis highlights the malware's focus on evading detection through techniques such as hardware and system evaluation to identify emulated environments. Security analysts express concern over TgToxic's advanced payload encryption, obfuscation, and user interface hijacking, underscored by its potential for widespread financial theft from digital wallets and banking apps.