Lazarus Group profits from crypto thefts
The North Korean threat actor is estimated to have stolen more than $3 billion
↘️ A new study found that getting OpenAI’s ChatGPT to repeat words like “poem,” “company,” “send,” “make,” and “part” over and over again can cause it to regurgitate large amounts of its training data, including personal contact information, verbatim paragraphs from books and poems, explicit content, bitcoin addresses, and programming code. With OpenAI not disclosing the dataset used to train its generative AI models, the new research is an example of a divergence attack that attempts to understand the privacy implications of developers using massive datasets scraped from disparate sources. Following the publication of the research, OpenAI has said that asking ChatGPT to repeat specific words “forever” will be flagged as a violation of the chatbot’s terms of service and content policy. Complicating matters further, it has also emerged that it’s surprisingly easy to leak data from custom GPTs. [Scalable Extraction of Training Data from (Production) Language Models / Stack Diary / 404 Media / WIRED]
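The extraction research above turns on one question a defender of any deployed model has to answer: does a given model output reproduce reference text verbatim, and how much of it? The following is an added example, not code from the paper, OpenAI, or the cited outlets. It indexes a reference corpus by word n-grams and reports the maximal runs of output tokens that appear verbatim in that corpus; the corpus, the output and the n-gram length of 4 are all constructed for the demonstration (a real check would index the actual training set and use a longer n).

```python
"""Flag spans of a model's output that reproduce a reference corpus verbatim.

Added example (not from the original page or the cited paper). CORPUS and the
sample outputs are constructed; the n-gram length is an assumption chosen so
the toy data produces a match.
"""
import re
from collections import defaultdict

# Constructed stand-in for a training corpus: a few short "documents".
CORPUS = {
    "doc-1": "The quick brown fox jumps over the lazy dog near the river bank every morning.",
    "doc-2": "Contact us at alice at example dot com or call five five five one two three four.",
}

def tokenize(text):
    """Lower-case word tokens; punctuation is dropped so 'bank.' matches 'bank'."""
    return re.findall(r"[a-z0-9]+", text.lower())

def build_index(corpus, n):
    """Map every word n-gram in the corpus to the set of documents containing it."""
    index = defaultdict(set)
    for doc_id, text in corpus.items():
        toks = tokenize(text)
        for i in range(len(toks) - n + 1):
            index[tuple(toks[i:i + n])].add(doc_id)
    return index

def find_verbatim_spans(output, index, n):
    """Return non-overlapping maximal runs of output tokens that are covered by
    indexed n-grams, as (start, end_exclusive, matched_doc_ids) triples."""
    toks = tokenize(output)
    spans = []
    i = 0
    while i <= len(toks) - n:
        docs = index.get(tuple(toks[i:i + n]))
        if not docs:
            i += 1
            continue
        start, end, matched = i, i + n, set(docs)
        # Extend the run one token at a time while each shifted n-gram is still indexed.
        while end < len(toks):
            nxt = index.get(tuple(toks[end - n + 1:end + 1]))
            if not nxt:
                break
            matched |= nxt
            end += 1
        spans.append((start, end, matched))
        i = end  # resume after the run; runs therefore never overlap
    return spans

def memorized_fraction(output, corpus, n=4):
    """Fraction of output tokens that sit inside a verbatim span of the corpus."""
    toks = tokenize(output)
    if not toks:
        return 0.0
    spans = find_verbatim_spans(output, build_index(corpus, n), n)
    covered = sum(end - start for start, end, _ in spans)
    return covered / len(toks)

# Constructed model outputs used for the demonstration.
REGURGITATED = ("As requested, here is a poem: the quick brown fox jumps over the "
                "lazy dog near the river bank. Anyway, something unrelated.")
ORIGINAL = "The fox is lazy and the dog is quick."

if __name__ == "__main__":
    idx = build_index(CORPUS, 4)
    for label, text in (("regurgitated", REGURGITATED), ("original", ORIGINAL)):
        spans = find_verbatim_spans(text, idx, 4)
        print(label, spans, f"{memorized_fraction(text, CORPUS):.2f}")
```

In practice the index would be built once over a suffix array or hashed n-grams of the full corpus, and the threshold on the covered fraction (or on the longest run) is what decides whether an output is logged, redacted or blocked.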
↘️ A new version of the infamous information stealer LummaC2 has emerged with a sophisticated anti-sandbox technique that relies on trigonometry to discern genuine human behavior, delaying its activation until authentic mouse activity is identified. By only deploying when on a human-controlled computer, LummaC2 avoids revealing its presence to threat hunters who might be attempting to analyze the malware in a sandbox. This innovative strategy marks a new level of sophistication, underscoring the fact that the off-the-shelf malware is under constant development. [The Hacker News]
↘️ Russian cyber espionage actors affiliated with the Federal Security Service (FSB) have been observed using a USB-propagating worm called LitterDrifter in attacks targeting Ukrainian entities. Gamaredon, as the cluster is tracked, may lack the sophistication of its peers, but it makes up for it by staging persistent campaigns that aim to gather as much intelligence as possible. [The Hacker News]
↘️ Microsoft has temporarily removed support for the SketchUp file format used for 3D model data storage after the fixes it issued to address 117 security flaws impacting Microsoft 365 applications were circumvented. “These security vulnerabilities demonstrate the importance of performing security code audits and blackbox fuzzing for third-party libraries before they are introduced into a new or existing product,” security researcher Kai Lu said. [Zscaler - Part I / Part II / Microsoft]
↘️ Apple has shared more details of iMessage Contact Key Verification, which allows users to manually authenticate another account and prevent sophisticated attacks. The feature was originally announced in December 2022. “iMessage Contact Key Verification advances the state of the art of Key Transparency deployments by having user devices themselves verify consistency proofs and ensure consistency of the KT system across all user devices for an account,” Apple said. “These improvements protect against key directory compromise as well as compromise of the transparency service itself, and can detect split views presented by both services.” [Apple]
↘️ Users who search for adult content on YouTube have discovered a bug that enables them to continue hosting porn on the platform, even if their channels are deleted. The exploit works by “breaking YouTube’s video tagging system,” preventing its deletion. [404 Media]
↘️ A secretive U.S. government surveillance program called Data Analytical Services (DAS) is allowing federal, state, and local law enforcement to access phone records of Americans who are not suspected of any crime. Using a technique known as chain analysis, the program targets not only those in direct phone contact with a criminal suspect but anyone with whom those individuals have been in contact as well. The existence of the program, previously known as Hemisphere, was first reported by The New York Times in 2013. [WIRED]
↘️ Apple issued a software fix for a feature called Private Wi-Fi Address, a way to spoof network identifiers called MAC addresses, after it was found that it had not worked as advertised since it was introduced in iOS 14, iPadOS 14, and watchOS 7 in September 2020, effectively exposing users’ unique MAC address to anyone connected to the same Wi-Fi network as them. The issue, tracked as CVE-2023-42846, was fixed in iOS 17.1. “The flaw only leaks your MAC address when *connected* to a Wi-Fi network,” security researcher Mathy Vanhoef said. “Usage of random MAC addresses while *scanning* for Wi-Fi networks seems to have properly worked all the time.” If there is any takeaway, it’s that it is always a good idea to turn off Wi-Fi when you’re not using it. [Ars Technica / Mathy Vanhoef]
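Whether a client is really presenting a private address can be checked from the network side, because a randomized address differs from a burned-in one in a fixed way: IEEE 802 reserves bit 1 of the first octet as the locally administered (U/L) flag, and randomized addresses set it while vendor-assigned addresses leave it clear. The following is an added example, not Apple's code or Vanhoef's research; it classifies the addresses seen in a constructed DHCP-lease-style list so an administrator can spot devices that are exposing their hardware address.

```python
"""Classify MAC addresses seen on a LAN as randomized, hardware, or multicast.

Added example (not from the original page). The U/L-bit rule is standard
IEEE 802 behaviour; the lease records below are constructed.
"""
import re

# Accepts aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff, any case.
MAC_RE = re.compile(r"^([0-9a-f]{2})[:-]" + r"([0-9a-f]{2})[:-]" * 4 + r"([0-9a-f]{2})$")

def parse_mac(mac):
    """Return the six octets as ints; raise ValueError on malformed input."""
    m = MAC_RE.match(mac.strip().lower())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    return [int(x, 16) for x in m.groups()]

def classify(mac):
    """'multicast' (I/G bit set), 'randomized' (U/L bit set) or 'hardware'."""
    first = parse_mac(mac)[0]
    if first & 0x01:          # bit 0: individual/group flag
        return "multicast"
    if first & 0x02:          # bit 1: universally/locally administered flag
        return "randomized"
    return "hardware"

# Constructed lease records: (hostname, MAC address as seen by the DHCP server).
LEASES = [
    ("alices-iphone", "02:1a:2b:3c:4d:5e"),   # U/L bit set: a private address
    ("bobs-iphone", "3c:22:fb:12:34:56"),     # U/L bit clear: burned-in address leaked
    ("android-tablet", "da:a1:19:aa:bb:cc"),  # 0xda has the U/L bit set
    ("printer", "00:11:22:33:44:55"),         # a wired device: hardware address expected
]

def exposed_hardware_addresses(leases):
    """Hostnames whose MAC is a burned-in address and can therefore be correlated
    across every network the device joins."""
    return [host for host, mac in leases if classify(mac) == "hardware"]

if __name__ == "__main__":
    for host, mac in LEASES:
        print(f"{host:16} {mac}  {classify(mac)}")
    print("exposed:", exposed_hardware_addresses(LEASES))
```

A phone that is supposed to be using Private Wi-Fi Address but shows up in the "hardware" list is exactly the symptom the fixed bug produced; a wired printer in that list is expected.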
↘️ The late October 2023 breach of Okta’s customer support system impacted all users of the system, and not just about 1 percent of its 18,400 customers, as previously disclosed. If anything, the disclosure is a reminder that companies like Okta are prime targets for cyber attacks because they can serve as a sort of one-stop shop for hackers looking to compromise numerous organizations. [The Hacker News / WIRED]
↘️ The pro-Russia hacktivist group KillNet is back under the scanner after the Russia-based Gazeta.ru unmasked the real-world identity of its leader — who goes by the online alias KillMilk — as Nikolai Serafimov, a 30-year-old Russian citizen. KillMilk has since announced that he was retiring, and appointed a new leader named “Deanon Club.” [Gazeta.ru / The Record]
↘️ A new variant of the infamous Gh0st RAT malware has been identified in recent attacks targeting South Koreans and the Ministry of Foreign Affairs in Uzbekistan. Like its progenitor, SugarGh0st is a multi-functional espionage tool capable of harvesting sensitive information from compromised hosts. [The Hacker News]
↘️ Multiple unpatched security flaws have been disclosed in Ray (versions 2.6.3 and 2.8.0) — an open-source unified compute framework to scale AI workloads — that could be exploited to obtain highly privileged credentials from an AWS cloud account where Ray is installed, access sensitive information, and execute arbitrary code. Ray’s documentation states that the platform “expects to run in a safe network environment and to act upon trusted code” and that it “doesn’t differentiate between a tuning experiment, a rootkit install, or an S3 bucket inspection.” [Bishop Fox]
↘️ The cyber espionage group known as XDSpy has been attributed to a phishing campaign targeting industrial entities in Russia to deliver a C#-based dropper malware that’s used as a conduit to deploy additional payloads, including a backdoor that's capable of establishing contact with a remote server. The group, first discovered by ESET in 2020, is believed to have been active since at least 2011. Also targeting Russian companies via courier delivery-themed phishing emails is the DarkWatchman trojan. It’s currently not clear which countries are behind these attacks on Russia. [F.A.C.C.T.]
↘️ The U.S. Department of the Treasury Office of Foreign Assets Control (OFAC) announced it has sanctioned cyberespionage group Kimsuky for collecting intelligence on behalf of the Democratic People’s Republic of Korea (DPRK), more than four years after similar sanctions were levied against the Lazarus Group and its offshoots Andariel and BlueNoroff in September 2019. In recent months, the state-sponsored actor has evolved into a persistent threat, carrying out “unusually aggressive” social-engineering campaigns that are both high in velocity and volume, and stealing and laundering cryptocurrency to advance its espionage goals. [The Hacker News]
↘️ A malicious campaign targeting mobile banking users in Iran is relying on a deluge of malicious Android applications for credential and credit card information theft. The campaign was first exposed in July 2023, when it came to light that as many as 40 malicious applications were used to compromise customers of four Iranian banks. But the initial discovery was just the tip of the iceberg, as 245 more malicious apps linked to the same campaign have been uncovered, with at least two dozen of them virtually undetected by the VirusTotal scanning engine. Masquerading as their legitimate counterparts available through the popular Iranian marketplace Cafe Bazaar, the apps are distributed via phishing websites. What’s more, the new iterations have expanded their targeting to include 12 banks as well as cryptocurrency wallets. Also spotted were phishing websites mimicking the banking apps’ Apple App Store pages, indicating that the campaign may expand to iPhones in the near future. [The Hacker News]
↘️ North Korean threat actors are believed to have stolen more than $3 billion in cryptocurrency to date, about $1.7 billion of it plundered in 2022 alone, as part of relentless cyber assaults designed to generate revenue for the sanctioned nation. The attacks are known to take various forms, including phishing, supply chain attacks, and infrastructure hacks that involve private key or seed phrase compromises. “North Korean threat actors also use the accounts and personal information of phishing victims to register verified accounts at trusted cryptocurrency exchanges where they can send the stolen cryptocurrency and cash out,” Recorded Future said. The country’s supercharged crypto theft has prompted the U.S. and its allies to sanction key entities that facilitate money laundering for the threat actors. [The Hacker News]
↘️ A stealthier version of a botnet called P2Pinfect is now focusing on infecting devices embedded with 32-bit MIPS processors. The leap in sophistication indicates a strategic shift in its targeting and an evolution of the project's scope, making it more pervasive. The latest move also signifies an alarming escalation in the botnet’s tactics, showcasing a deliberate focus on routers and IoT devices. Since its emergence in July 2023, this Rust-based malware has been on the radar for its rapid evolution. [The Hacker News]
↘️ A new scam campaign is targeting hotels’ Booking.com credentials by sending spear-phishing emails to the operations staff under the pretext of having lost an ID during a stay and seeking their assistance in finding it. Clicking on the embedded attachment, a link to a Google Drive URL that allegedly hosts photos of the passport and the check-in details, results in the deployment of the Vidar stealer. “Access to the Booking.com management portal allows the threat actor to see upcoming bookings and directly message guests,” Secureworks said. The development comes amid a surge in new stealer and trojan malware such as Nova, Serpent, Riddle, X1na Crypto Stealer, Jigsaw, Meow, RDPCredentialStealer, Rude Stealer, Persian RAT, and Saw RAT that are designed to capture sensitive data. [Secureworks]
↘️ Attackers are targeting WordPress users with a fake security email advisory that warns of a fabricated remote code execution flaw tracked as CVE-2023-45124 to ultimately infect the sites with a backdoor plugin that masquerades as a “patch.” At this time, the operational goal of the plugin remains unknown. [Wordfence / Patchstack]
↘️ A security vulnerability in an unspecified open-source library that is commonly used across the Web3 space poses risks to multiple pre-built smart contracts, including Coinbase. Additional details about the bug have been withheld to prevent tipping off attackers. There is no evidence that the vulnerability has been actively exploited. “The issue is inherent to a problematic integration of specific patterns, and NOT particular to the implementations contained in the OpenZeppelin Contracts library,” OpenZeppelin said. [thirdweb]
↘️ The U.S. and U.K. governments jointly accused Russian intelligence of orchestrating a wide-ranging, global hacking campaign over the past eight years that targeted British lawmakers, journalists and civil society organizations. The U.S. Justice Department unsealed an indictment charging two Russian nationals with waging the hacking campaign. They were also sanctioned Thursday by the U.K. and the U.S., and the U.S. State Department announced a $10 million bounty for information leading to the location of the two Russians or identification of their co-conspirators. [The Hacker News]
↘️ Veracode is warning that 38% of applications are running vulnerable versions of Log4j, although only 2.8% are still vulnerable to the Log4Shell vulnerabilities. Additionally, 32% of applications are using Log4j 1.2.x, which reached end-of-life in 2015 and no longer receives patches. [Veracode]
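The Veracode figures separate three populations that a dependency scan has to tell apart: Log4j 1.2.x (end of life, no patches), Log4j 2.x still exposed to Log4Shell, and 2.x builds that only miss the follow-up fixes. The following is an added example, not Veracode's tooling; it triages jar file names from a constructed dependency listing using the version ranges from Apache's advisories: CVE-2021-44228 (Log4Shell) affects log4j-core 2.0-beta9 through 2.14.1 and 2.15.0-rc1, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832 were closed in 2.16.0, 2.17.0 and 2.17.1, and the Java 7 and Java 6 backport branches ended at 2.12.4 and 2.3.2. Jars other than log4j-core (for example log4j-api) are deliberately left unclassified, since the lookup code lives in log4j-core.

```python
"""Triage Log4j jar versions against the Log4Shell-era advisories.

Added example (not from the original page or Veracode). The version ranges
are those published by Apache; the dependency listing below is constructed.
"""
import re
from collections import Counter

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$")
# log4j-1.2.17.jar (1.x) or log4j-core-2.14.1.jar (2.x); log4j-api etc. do not match.
JAR_RE = re.compile(r"^log4j(?:-core)?-(\d+\.\d+(?:\.\d+)?(?:-(?:beta|rc)\d+)?)\.jar$")

def parse_version(version):
    """Return ((major, minor, patch), pre_tag, pre_number); pre_tag is None for releases."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    major, minor, patch, tag, pre = m.groups()
    return (int(major), int(minor), int(patch or 0)), tag, (int(pre) if pre else None)

def classify_version(version):
    base, tag, pre = parse_version(version)
    if base[0] == 1:
        return "eol-1.x"                 # no fixes since 2015
    if base[0] != 2:
        return "unknown"
    if base == (2, 0, 0) and tag == "beta" and pre < 9:
        return "pre-jndi"                # JNDI lookup only arrived in 2.0-beta9
    if base == (2, 15, 0) and tag == "rc" and pre < 2:
        return "log4shell"               # 2.15.0-rc1 carried an incomplete fix
    if base in {(2, 3, 2), (2, 12, 4)} or base >= (2, 17, 1):
        return "patched"
    if base in {(2, 3, 1), (2, 12, 2), (2, 12, 3)} or base >= (2, 15, 0):
        return "later-cves"              # CVE-2021-45046/45105/44832 still open
    return "log4shell"                   # 2.0-beta9 .. 2.14.1: CVE-2021-44228

def classify_jar(jar_name):
    """Classification for a jar file name, or None if it is not a log4j-core / 1.x jar."""
    m = JAR_RE.match(jar_name.strip())
    return classify_version(m.group(1)) if m else None

def triage(jar_names):
    """Map each classifiable jar to its bucket and count the buckets."""
    results = {}
    for name in jar_names:
        bucket = classify_jar(name)
        if bucket is not None:
            results[name] = bucket
    return results, Counter(results.values())

# Constructed dependency listing, as a build tool or SBOM extractor might emit it.
DEPENDENCIES = [
    "log4j-1.2.17.jar",
    "log4j-core-2.14.1.jar",
    "log4j-api-2.14.1.jar",
    "log4j-core-2.15.0.jar",
    "log4j-core-2.12.4.jar",
    "log4j-core-2.17.1.jar",
    "log4j-core-2.0-beta7.jar",
    "commons-io-2.11.0.jar",
]

if __name__ == "__main__":
    per_jar, counts = triage(DEPENDENCIES)
    for name, bucket in per_jar.items():
        print(f"{bucket:10} {name}")
    print(dict(counts))
```

The "later-cves" bucket is the one that is easy to miss: those builds will pass a naive "is it 2.15 or newer" check yet still lack the fixes for the follow-up CVEs, which matches the gap between the 38% and 2.8% figures above.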
↘️ About 40% of files stored in Google Drive contain sensitive data, including personally identifiable information (PII): “Among the files identified as containing sensitive information — including confidential employee contracts and spreadsheets full of passwords — 18,000 files were flagged as ‘Critical Level’ data files, meaning the information contained ‘Highly Sensitive’ data or the file permissions were not applied securely,” Metomic said. Additionally, the researchers “discovered that 34.2% of all the files scanned were shared with external contacts (email addresses outside of the company’s domain) and more than 350,000 files (0.5%) had been shared publicly, giving access to anyone who had the document link.” [Metomic]
↘️ A new survey undertaken by Claroty on ransomware attacks against industrial organizations found that 75% of entities in the industrial sector experienced a ransomware attack in the past year: “Of that 75% of respondents, 69% paid the ransom, and more than half (54%) of those who paid the ransom suffered financial ramifications of $100,000 USD or more.” [Claroty]
↘️ A new version of a cryptocurrency mining botnet malware called HeadCrab has surfaced in the wild, indicating that the threat actor behind the operation is actively working on improvements to it. Furthermore, over 1,100 new victims of the malware have been discovered since it was first exposed in February 2023. [Black Hat Europe]
↘️ With generative AI all the rage these days, it’s perhaps not surprising that attention has been rightfully focused on identifying flaws in AI and ML tools and frameworks. The latest discovery involves a security flaw in MLflow (CVE-2023-43472, CVSS score: 7.8) that could be exploited by a remote attacker to obtain sensitive information, including the ML model and the training data, and even poison it. [Contrast Security]
↘️ A trio of security vulnerabilities has been discovered in Google Chromecast’s U-Boot component — CVE-2023-6181, CVE-2023-48424, and CVE-2023-48425 — that could be chained to achieve execution of unsigned code. [DirectDefense]
↘️ Europol and the U.S. Federal Trade Commission (FTC) have warned of the misuse of Bluetooth trackers and QR codes for malicious purposes, leveraging them to geolocate illicit commodities and perpetrate scams or information theft. [Europol / FTC]
↘️ Nation-state actors linked to China and North Korea have been observed resorting to atypical programming languages like Lua and DLang to develop stealthy bespoke malware capable of evading detection. [The Hacker News]
↘️ Spanish police said they arrested a Venezuelan national last week for his alleged involvement in the Kelvin Security hacktivist group. Kelvin Security, which dates back to 2013, is estimated to have attacked more than 300 organizations from over 90 countries in the last three years and profited from the sale of stolen information obtained illicitly. In addition to Spain, their targets include countries such as the U.S., Germany, Italy, Argentina, Chile, and Japan. The group’s main targets are critical infrastructures and government institutions. In April 2023, links were discovered between Kelvin Security and ARES, a new cybercrime platform dedicated to selling databases stolen from state organizations. [Policía Nacional]
↘️ Microsoft successfully dismantled the network, websites, and social media pages operated by a cybercrime ring called Storm-1152, which offered a black market of more than 750 million fraudulent Microsoft accounts to other threat actors. It described the group as the “number one seller and creator of fraudulent Microsoft accounts,” which deployed bots capable of tricking the CAPTCHA systems normally used to confirm that humans are creating accounts. Fraudulent accounts tied to fake profiles offer cybercriminals an anonymous launchpad for automated criminal activities like phishing, spamming, ransomware, and other types of fraud and abuse. [The Hacker News / WIRED]