Daily Brief
| Time | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-02-15 15:58:42 | bleepingcomputer | NATION STATE ACTIVITY | OpenAI Bans State-Sponsored Hackers from Exploiting ChatGPT | OpenAI has deactivated accounts of state-backed threat groups from Iran, North Korea, China, and Russia that were abusing ChatGPT.<br>The action followed collaboration with Microsoft's Threat Intelligence team, which helped identify the malicious use of OpenAI's services.<br>The groups used ChatGPT for reconnaissance, social engineering, and developing tactics to evade detection.<br>While use of AI tools for phishing and social engineering has increased, there was no direct evidence of these tools being used to write malware or build sophisticated attack tooling.<br>The UK's NCSC forecast in January that by 2025 AI tools would become instrumental for APT groups creating advanced malware.<br>OpenAI is using specialized monitoring technology and information sharing with partners to detect and prevent misuse by sophisticated actors.<br>OpenAI stresses learning from these incidents to improve security measures and prepare for potential future large-scale malicious activity. |
| 2024-02-15 15:32:20 | theregister | MALWARE | Zoom Rolls Out Fixes for Critical Security Vulnerabilities | Zoom has disclosed a series of security vulnerabilities, including a critical privilege escalation flaw with a CVSS score of 9.6.<br>The critical vulnerability (CVE-2024-24691) could allow unauthenticated users to gain escalated privileges through network access.<br>Affected products include various Windows-based Zoom applications, with the company urging updates to the latest versions.<br>The security issues were identified by Zoom's Offensive Security division; no in-the-wild exploitation has been reported.<br>Additional vulnerabilities addressed include denial of service (DoS) risks, information disclosure flaws, and other medium-severity concerns.<br>One high-severity vulnerability (CVE-2024-24697) could allow local privilege escalation for authenticated attackers on some 32-bit Windows clients.<br>All Zoom desktop apps, mobile apps, and various clients are affected by at least one of the disclosed vulnerabilities, so the advisories should be reviewed for version-specific details. |
| 2024-02-15 15:32:19 | bleepingcomputer | CYBERCRIME | Thousands of Ivanti Gateways Exposed to Critical Security Vulnerabilities | Over 13,000 Ivanti gateway servers remain unpatched for critical security vulnerabilities that were disclosed over a month ago.<br>These vulnerabilities range from high to critical severity, impacting Ivanti Connect Secure and Policy Secure endpoints.<br>The security flaws include an XXE vulnerability in the SAML component, command execution, and injection issues, with some already exploited by nation-state actors.<br>More than 3,900 Ivanti endpoints are vulnerable to an unauthorized access flaw (CVE-2024-22024), predominantly affecting servers in the United States.<br>As of February 15, 2024, security updates for four of the critical vulnerabilities (CVE-2024-21893, CVE-2024-21888, CVE-2023-46805, and CVE-2024-21887) have not been applied to over 13,000 servers.<br>The global patching rate for the most recent vulnerability (CVE-2024-22024) is just 21.1%, leaving 19,132 servers at risk.<br>Due to the short disclosure period for these flaws, administrators may face challenges in applying the necessary patches promptly, potentially leaving systems exposed for extended periods. |
| 2024-02-15 15:11:39 | thehackernews | NATION STATE ACTIVITY | Russian Turla Hackers Deploy New Backdoor in Polish NGO Espionage | A Russian-linked threat group, Turla, has launched a campaign targeting Polish NGOs using a new backdoor variant called TinyTurla-NG.<br>The malware campaign against Polish NGOs lasted for over three months, starting from December 2023.<br>TinyTurla-NG operates as a "last-chance" backdoor, used when the group's other means of unauthorized access have been detected or removed.<br>Turla's activities have recently focused on the defense sector in Ukraine and Eastern Europe, using other tools such as the DeliveryCheck backdoor and the Kazuar implant.<br>The campaign's beginnings trace back to November 2023, as indicated by the malware's compilation dates.<br>The backdoor is distributed via compromised WordPress websites, executes commands, downloads and uploads files, and can deliver scripts to exfiltrate sensitive data.<br>Nation-state actors, Turla among them, have also shown interest in generative AI tools to support espionage and cyber operations. |
| 2024-02-15 15:06:13 | bleepingcomputer | MISCELLANEOUS | Why Automated Scanners Need Human Expertise for Full Security | Automated vulnerability scanners are essential but can miss critical application security flaws that depend on complex logic and context-specific understanding.<br>Logic flaws and the ability to bypass business rules in applications are often overlooked by automated scanners because they cannot comprehend complex business logic.<br>Vulnerability scanners may not cover all areas of an application, potentially underestimating the risk of vulnerabilities in less visible features.<br>False positives and generic risk assessments by automated scanners do not provide the nuanced vulnerability evaluations needed for precise threat mitigation.<br>Advanced attack techniques, such as zero-day exploits and obfuscated payloads, are often not detectable by automated scanners, highlighting the need for human analytical skills.<br>Manual penetration testing adds significant value by understanding the specific context of an application and executing attack simulations that mimic real-world threats.<br>Combining automated scanning with manual penetration testing creates a more robust security posture, addressing vulnerabilities that automated tools alone might not catch.<br>Outpost24's Pen Testing-as-a-Service (PTaaS) aims to provide continuous monitoring and expert manual testing to ensure a comprehensive level of application security. |
| 2024-02-15 15:00:46 | bleepingcomputer | CYBERCRIME | Turla Hackers Implement TinyTurla-NG Backdoor in NGO Cyberespionage | Turla, a Russian hacker group linked to the FSB, has used new malware, TinyTurla-NG, to backdoor NGOs and steal data.<br>Exploiting vulnerable WordPress sites, Turla placed C2 infrastructure to control the malware and gather stolen information.<br>Cisco Talos revealed TinyTurla-NG during an investigation at a Polish NGO supporting Ukraine, indicating espionage activity.<br>TinyTurla-NG serves as a persistent backdoor, providing ongoing access to compromised systems and executing commands via infected WordPress websites.<br>The malware focuses on exfiltrating passwords for key management software using TurlaPower-NG PowerShell scripts.<br>Researchers identified several variants of TinyTurla-NG, with attacks dating back to as early as November last year.<br>Despite some coding differences from previous TinyTurla versions, the new backdoor shares similar traits and aims.<br>Indicators of compromise associated with TinyTurla-NG have been published by Cisco Talos to aid detection and defense. |
| 2024-02-15 14:50:20 | bleepingcomputer | CYBERCRIME | Turla Hackers Launch Sophisticated Malware Targeting NGOs | Russian hacker group Turla used a new malware variant, TinyTurla-NG, to target non-governmental organizations (NGOs) and maintain network access.<br>Compromised WordPress websites were used for command and control (C2), hosting malicious scripts, and data exfiltration.<br>Cisco Talos uncovered the threat whilst aiding a Polish NGO that supports Ukraine, revealing that the attack dates back to at least December.<br>TinyTurla-NG serves as a 'secret backdoor', ensuring persistent access to systems even when other entry points are detected and closed.<br>TurlaPower-NG PowerShell scripts exploit this access to steal master passwords and sensitive information, skipping files like .MP4 videos during data harvesting.<br>At least three variants of the backdoor exist, with the campaign potentially initiated in November, and indicators of compromise have been published by Cisco Talos. |
| 2024-02-15 14:24:24 | thehackernews | CYBERCRIME | Ivanti Pulse Secure Appliances Plagued by Obsolete Software and Vulnerabilities | An Ivanti Pulse Secure appliance was found running CentOS 6.4, an extremely outdated Linux release unsupported since November 2020.<br>Security flaws in Ivanti Connect Secure, Policy Secure, and ZTA gateways are being actively exploited by threat actors to deliver malware.<br>Eclypsium's reverse engineering, aided by a PoC exploit, uncovered numerous vulnerabilities across outdated packages and libraries.<br>The Perl and Linux kernel versions in use have not been updated in over 23 and 11 years, respectively, raising significant security concerns.<br>Analysis revealed over 1,200 script issues, 5,218 vulnerabilities in Python files, and 133 outdated certificates.<br>Ivanti's Integrity Checker Tool (ICT) was found to skip critical directories, potentially allowing attackers to evade detection.<br>A demonstrated theoretical attack shows the risk posed by zero-day flaws combined with the lack of comprehensive integrity checks.<br>The report calls for better checks and balances for validating product integrity, with emphasis on an open system that gives visibility into vendor processes. |
| 2024-02-15 14:03:34 | theregister | CYBERCRIME | Cybercriminals Exploit Biometrics to Raid Banking Accounts in Asia | A Chinese-speaking cybercrime group, GoldFactory, is deploying malware targeting both Android and iOS users to steal Face ID scans and break into banking accounts.<br>The group has developed Trojan apps called GoldPickaxe and GoldPickaxe.iOS, which trick users into providing biometric data that is used to bypass bank app security checks in Thailand and Vietnam.<br>The iOS attacks use sophisticated social engineering, enrolling victims in an MDM program via TestFlight and LINE messaging app impersonations, to get past the tighter security controls of Apple devices.<br>By combining stolen Face ID scans with deepfake technology and intercepted SMS messages, attackers are able to perform unauthorized banking transactions remotely.<br>The threat actors are highly versatile, using tactics like impersonation, phishing, and ID theft and adapting their tools to each target environment.<br>GoldFactory's malware evolution highlights an urgent need for proactive cybersecurity measures, emphasizing user education and modern detection systems to counter new Trojan variants. |
| 2024-02-15 13:32:43 | bleepingcomputer | MALWARE | New Qbot Malware Variant Masquerades as Adobe Installer | Developers of Qakbot malware are testing new variants, evidenced by recent email campaigns using fake Adobe installers.<br>The infamous QBot, linked to significant financial damages and system infections, evaded a takedown and continues to operate.<br>Post-takedown campaigns indicate the malware's spam infrastructure remains intact, with new variants emerging since December.<br>Sophos X-Ops identified up to 10 new Qbot builds employing advanced obfuscation and evasion techniques.<br>Unlike older versions, the new samples do not inject code into benign processes but use .MSI and .CAB files for distribution.<br>The Qbot malware now actively searches for endpoint protection and virtual environments to avoid detection.<br>Researchers underscore the importance of monitoring QBot's resurgence to keep security measures updated and the community informed. |
| 2024-02-15 11:35:28 | thehackernews | NATION STATE ACTIVITY | Exposing SaaS Vulnerabilities to Nation-State Cyber Threats | Wing Security's analysis of 493 companies using SaaS applications in Q4 2023 highlights increased susceptibility to cyber threats.<br>Nation-state actors, such as the North Korean group UNC4899 and the Russian Midnight Blizzard APT, have been targeting SaaS applications used by high-profile organizations.<br>SaaS applications are now integral to modern organizations and can bypass traditional IT security approvals, posing new supply chain security risks.<br>Unauthorized or unnoticed SaaS use, MFA-bypassing practices, forgotten access tokens, and the unchecked integration of AI capabilities create significant security gaps.<br>The proliferation of AI across SaaS platforms has led to inadvertent sharing of sensitive data due to overlooked changes in terms of service, increasing the risk of data misuse.<br>Wing Security recommends strategies for mitigating SaaS-related threats, emphasizing the need for continuous monitoring and control of SaaS security settings.<br>The report encourages companies to adopt advanced SaaS security measures and provides actionable tips for safely navigating the evolving SaaS landscape. |
| 2024-02-15 09:37:59 | thehackernews | MALWARE | Chinese Hackers Employ Sophisticated Malware with Deepfake Tech | GoldFactory, a Chinese-speaking cybercrime group, has developed sophisticated banking trojans targeting the Asia-Pacific region.<br>Their malware suite includes GoldPickaxe for iOS and Android, GoldDigger, and GoldDiggerPlus, with the latter two designed for Android.<br>Malware distribution involves smishing, phishing, and the use of counterfeit websites, with GoldPickaxe iOS leveraging Apple's TestFlight and MDM profiles.<br>GoldPickaxe bypasses facial recognition security by prompting victims to record a video, later used to create deepfake videos for fraudulent transactions.<br>The malware features capabilities for stealing identities, intercepting SMS, and proxying traffic, with Android variants posing as over 20 applications to steal credentials.<br>GoldDigger targets over 50 Vietnamese finance apps, logging keystrokes and on-screen content, and its variant includes an additional trojan, GoldKefu.<br>GoldKefu masquerades as a messaging app and integrates with the Agora SDK to facilitate fake customer service interactions, convincing users of false fund transfers.<br>Cybersecurity experts advise caution against clicking suspicious links, installing apps from untrusted sources, and granting app permissions without review, especially accessibility services. |
| 2024-02-15 08:31:36 | theregister | CYBERCRIME | Cybercriminals Employ Ad Tech to Optimize Malware Delivery | Cybercriminals are using advertising technology to track and improve the effectiveness of their malware distribution while evading conventional detection methods.<br>HP Wolf Security's Q4 2024 Threat Insights Report indicates that malware operators are applying ad tech to improve social engineering tactics and user-targeting precision.<br>Ad networks let attackers gather analytics on click-through rates and abuse CAPTCHA checks to block automated malware scanning, potentially leading to misclassification of malicious files.<br>The analysis of malware trends in Q4 2023 showed an increase in malware delivery through PDF files, rising from 4 percent in earlier quarters to 11 percent.<br>The WikiLoader and DarkGate campaigns are highlighted as examples where attackers use fake PDFs, such as a parcel delivery notice or OneDrive error message, to deploy malware like Ursnif and enable backdoor access.<br>Attackers are increasingly using cloud services to host malware, exploiting the inherent trust users place in these platforms, as with the Remcos remote access trojan using Discord and TextBin.<br>HP Wolf Security recommends adhering to zero trust principles to mitigate the risk from sophisticated cyber threats, including isolating risky activities like opening email attachments and browser downloads. |
| 2024-02-15 08:00:57 | bleepingcomputer | MALWARE | 'Gold Pickaxe' Malware Targets Mobile Users with Identity Theft Tactics | A new mobile trojan called 'Gold Pickaxe' is being used to steal facial recognition data and ID information from Android and iOS users.<br>The malware is distributed via social engineering through phishing or smishing messages on the LINE app, urging users to install fake government apps.<br>Group-IB, a cybersecurity firm, has observed 'Gold Pickaxe' primarily targeting individuals in the Asia-Pacific region, with a focus on Thailand and Vietnam.<br>For iOS, attackers have used a TestFlight URL and later switched to malicious Mobile Device Management profiles to bypass security.<br>Gold Pickaxe performs functions such as intercepting SMS, manipulating network traffic, and requesting ID scans to commit fraud.<br>The Android version of the trojan can carry out a larger range of malicious activities due to fewer security restrictions on the platform.<br>The collected facial data is suspected to be used for unauthorized bank access, but the malware does not compromise the biometric data encrypted in the devices' secure enclaves. |
| 2024-02-15 07:30:18 | theregister | NATION STATE ACTIVITY | European Court Rules Against Government-Imposed Encryption Backdoors | The European Court of Human Rights (ECHR) ruled that mandatory encryption backdoors and extensive data retention violate human rights.<br>The decision comes from a case involving Russia's demand in 2017 that Telegram assist in decrypting user communications.<br>The Russian laws were deemed disproportionate and unnecessary in a democratic society, as they risk weakening encryption for all service users.<br>The ruling affects European countries contemplating similar laws that could weaken encryption, such as the proposed Chat Control legislation.<br>Chat Control, an EU data surveillance initiative, aims to scan digital communications for illegal content, which contradicts the ECHR ruling.<br>European Parliament member Patrick Breyer praised the decision, stating that it proves such surveillance tactics are illegal and incompatible with EU law.<br>The judgment puts pressure on EU governments to reconsider their stance on proposals that undermine secure encryption or enable mass surveillance. |