Theft of AI tech becomes a concern
U.S. claims China is stealing AI tech to boost its espionage efforts
↘️ The U.S. government is raising concerns about Chinese hackers stealing AI technologies to “turbocharge” its cyber espionage efforts. The development comes as The New York Times reported that “the United States has sharply stepped up its spying on Chinese companies and their technological advances,” as China increasingly looks towards AI to track American spies and others. “The M.S.S. [i.e., the Ministry of State Security of China] has intensified its intelligence collection on American companies developing technology with both military and civilian uses, while the C.I.A., in a change from even a few years ago, is pouring resources into collecting data on Chinese companies developing A.I., quantum computing and other such tools,” the Times reported, citing American officials and a review of internal Chinese corporate documents and public M.S.S. documents [Wall Street Journal / The New York Times]
↘️ While Meta rolled out support for end-to-end encryption (E2EE) in Messenger for personal calls and one-to-one personal messages by default last month, the company internally grappled with concerns from its child-safety experts that the efforts could shield child predators. Meta said it has since worked to address those risks, saying the company has “spent years developing robust safety measures on Facebook and Instagram to prevent and combat abuse or unlawful activity.” The company also has an internal tool called Macsa, short for “Malicious Child Safety Actor,” that “flags accounts with suspicious interactions such as adult users repeatedly blocked by young users, or ones with posts removed for containing child exploitation content.” [Wall Street Journal]
↘️ A decryptor for the Black Basta ransomware called Black Basta Buster has been made available after uncovering a cryptographic weakness that made it possible to recover files. The flaw has been fixed in newer versions. In related news, Mikhail Vasiliev, a 33-year-old Canadian-Russian dual national who is currently awaiting extradition to the U.S. for his alleged role as a LockBit ransomware administrator, has been charged in Ontario with three counts of extortion, three counts of unauthorized use of a computer, and failure to comply with a release order. [SR Labs / Bleeping Computer / The Record]
↘️ The emergence of generative AI chatbots has opened doors to a new kind of attack called prompt injection, aka adversarial prompt engineering, in which a bad actor tricks a machine learning model into performing unintended actions, including leaking sensitive data from training data. Taking it a step further, security researchers have demonstrated that it’s now possible to devise a malicious GPT app (OpenAI has pushed the launch of the GPT store to sometime this year) that can ask the user for sensitive information, which can then be exfiltrated to an actor-controlled server by rendering a hidden image with the data appended to it, which, in turn, is possible due to ChatGPT’s ability to render markdown images from any website. The disclosure comes as PromptArmor revealed a similar vulnerability in Writer.com that could allow attackers to steal a user’s private documents by manipulating the language model used for content generation over a chat session. [Embrace The Red / PromptArmor]
↘️ The Stuxnet malware targeting Iran cost at least $1 billion to develop, with a Dutch spy named Erik van Sabben enlisted by the U.S. CIA and the Israeli intelligence agency, the Mossad, to release the virus into the Iranian nuclear infrastructure. The malware, which has since mutated to spawn new variants (e.g., Havex, Industroyer, and Triton) and spread to other industries, targeted the programmable logic controllers (PLCs) used to automate machine processes. The attack was discovered in 2010. It has since emerged that van Sabben may have planted an early variant of the virus (Stuxnet 0.5) on a water pump that he had installed in the nuclear complex in Natanz. Van Sabben passed away in the U.A.E. two weeks after the Stuxnet attack as a result of a motorcycle accident. [De Volkskrant / Yahoo]
↘️ Researchers are calling attention to the rapid increase of attacks against network infrastructure by ransomware gangs since 2020, with VPNs, firewalls, load balancers, switches, and routers targeted more than ever before by nation-state and ransomware actors alike. “Network devices have become a favorite initial access vector for ransomware operators because they exist in highly privileged parts of an organization and lack security tooling like EDR, while providing ample opportunity for lateral movement within the internal network and the ability to covertly route command and control traffic,” Eclypsium said. [Eclypsium]
↘️ Cybercriminals collectively leaked about 50 million records containing sensitive personal information on the dark web coinciding with the Christmas holiday season late last month. The leaks, which carried the tag “Free Leaksmas,” were shared as a form of mutual gratitude and in a bid to attract new buyers by offering discounts. [Resecurity]
↘️ Threat actors are leveraging employee’s annual responsibilities like open enrollment, 401k updates, salary adjustments, and even employee satisfaction surveys as lures to siphon credentials via booby-trapped QR codes (a technique called quishing) that lead to phishing landing pages. [Cofense]
↘️ Sebastien Raoult (aka Sezyo Kaizen), a member of the ShinyHunters group, to three years in prison in the U.S. and ordered a restitution of $5,000,000. Raoult, a 22-year-old French national, previously pleaded guilty to fraud and aggravated identity theft in September 2023 for luring victims with specially crafted phishing pages that mimicked the login portals of their targets’ employers, tricking them into entering their account credentials and other sensitive data. The stolen information was then sold on various dark web marketplaces and cybercrime forums, netting them illicit profits of more than $6 million. He was arrested in Morocco in 2022 and was extradited to the U.S. in January 2023. [U.S. Department of Justice / DataBreaches.net]
↘️ A pro-Ukraine hacktivist group named Blackjack has claimed responsibility for a cyber attack against Russian provider of internet services M9com as a direct response to the attack against mobile operator Kyivstar last month. The threat actor is likely related to the Security Service of Ukraine. In a related development, another pro-Ukrainian group called Nebula was observed opportunistically attacked an Iranian software company known as Raykasoft, a deviation from its typical targeting of Russian and Belarusian entities. [Ukrinform / The Record / Reuters / Dark Reading]
↘️ Malicious actors are continuing to target the hospitality industry by convincingly impersonating Booking.com in email messages to execute malicious payloads and steal hotels’ Booking.com credentials. [Perception Point]
↘️ Conor Brian Fitzpatrick (aka pompompurin), the owner of the now-defunct BreachForums website, was arrested again on January 2, 2024, for violating pretrial release conditions, including using an unmonitored computer and a VPN. In September 2023, he had pleaded guilty to charges related to his operation of the cybercrime forum as well as having possessed child pornography images. He was released a day after his arrest in March on a $300,000 bond signed by his parents. He is scheduled to be sentenced later this month. [The Register / GovInfoSecurity / The Record]
↘️ Purveyors of child sexual abuse material (CSAM) are increasingly using privacy tools like “mixers” and “privacy coins” like Monero that obfuscate their money trails across blockchains despite a decline in revenue from CSAM sole since 2021. The study further found that “in 2023, the lifespan of the average active CSAM vendor is 884 days, up from 560 days in 2022,” even as only 43 new vendors emerged in 2023, compared to 112 in 2022, suggesting increased resilience through the use of “instant exchanger” services that often collect little or no identifying information on traders and allow them to swap bitcoin for cryptocurrencies like Monero and Zcash. [Chainalysis / WIRED]
↘️ The maintainers of GrapheneOS, an Android-based, open source, privacy and security-focused mobile operating system, have identified firmware vulnerabilities that impact Google Pixel and Samsung Galaxy phones, which are being exploited by forensic companies to steal data and spy on users when the device is not at rest (i.e., either turned off or has not been unlocked after booting up). To get devices back at rest automatically and reduce the attack surface, an auto-reboot feature has been implemented in operating system, alongside bringing down the default auto-reboot timer from 72 hours since last unlock to 18 hours since last unlock. “It exists for getting the device back at rest when it hasn’t been successfully unlocked for a certain amount of time,” GrapheneOS said. “This puts a limit on how long attackers have to try to exploit the device while the user is still logged in, since it’s going to reboot automatically if it’s not successfully unlocked soon.” [GrapheneOS]
↘️ Digital money has supercharged Southeast Asian organized crime as a method for money laundering and as a way of reaping illegal revenue, with Tether (aka USDT) playing a heavy role and acting as the center of regional fraud, including sextortion and social engineered romance scams called pig butchering. “USDT on the TRON blockchain has become a preferred choice for regional cyber fraud operations and money launderers alike due to its stability and the ease, anonymity, and low fees of its transactions,” the United Nations said. Tether, however, said the analysis “ignores the traceability of Tether tokens and the proven record Tether has of collaborating with law enforcement.” [United Nations Office on Drugs and Crime / Tether / Vox]
↘️ The U.K. Government Communications Headquarters (GCHQ) announced the release of previously unseen images and documents related to Colossus, one of the first digital computers. The release marks the 80th anniversary of the code-breaking machines that significantly aided the Allied forces during World War II. “The Colossus computer was created during the Second World War to decipher critical strategic messages between the most senior German Generals in occupied Europe, but its existence was only revealed in the early 2000s after six decades of secrecy,” GCHQ said. [GCHQ / Ars Technica]
↘️ The Russia-backed advanced persistent threat (APT) known as COLDRIVER is wading into the territory of custom malware, rolling out a proprietary backdoor called SPICA, marking the latest reinvention for the Kremlin-affiliated group, which consistently changes up its tactics to throw defenders off its scent. It also demonstrates a shift from mainly credential-theft operations to the deployment of malware to maintain persistence on target machines and gather information over a longer period of time. [The Hacker News]
↘️ 2023 witnessed a significant drop in value received by illicit cryptocurrency addresses to a total of $24.2 billion, down from $39.6 billion in 2022. While crypto scamming and hacking revenue both fell, ransomware and darknet markets saw their revenues rise in 2023, in contrast with overall trends. Another shift is that stablecoins now account for the majority of all illicit transaction volume. “Perhaps the most obvious trend that emerges when looking at illicit transaction volume is the prominence of sanctions-related transactions,” Chainalysis said. “Sanctioned entities and jurisdictions together accounted for a combined $14.9 billion worth of transaction volume in 2023.” [Chainalysis]
↘️ A credential stuffing list named Naz.API containing more than 70 million unique email addresses was found available for sale on a popular hacking forum last year. What makes it different from the typical password dump is that one-third of the email addresses have never been seen before in data breaches owing to the fact that they have been harvested from information stealer logs. [Troy Hunt / Ars Technica]
↘️ A WhatsApp user’s device setup information (including linked devices) can be exposed to any other user, even if they are blocked or not in the contacts list. “Monitoring this information over time allows potential attackers to gather actionable intelligence about their victim’s devices setup and changes to it (device replaced/added/removed),” Tal Be’ery said. All that’s required to access this information is to know a victim’s phone number and add them to the contacts without having to send a message. However, in Meta’s view this is not an implementation bug but the way the protocol is designed to work. “With multi device users can send and receive their personal messages across devices privately with end-to-end encryption — and that’s the direction we’ll continue to take,” WhatsApp said. [Tal Be’ery / TechCrunch]
↘️ Since March 2022, pro-Russian threat actor NoName057(16) has launched over 1,500 DDoS attacks against NATO-aligned nations, to counter anti-Russia hostility. [NETSCOUT / CSO Online]
↘️ A now-defunct crypto wallet drainer named Inferno Drainer impersonated over 100 brands to entice victims into connecting their crypto-wallets to attacker-controlled infrastructure, stealing at least $80 million in assets from more than 137,000 victims. The attacks are part of a broader airdrop scam in which the threat actors “exploit the way transaction information is processed and presented, using proxy contracts and unverified contract codes to obscure their actions.” [The Hacker News / Check Point]
↘️ A malicious actor may be able to eavesdrop on smart device users by leveraging the built-in ambient light sensor. The study, conducted by researchers from MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL), proposed a computational imaging algorithm to recover an image from the data gathered via the sensor, which could be leveraged to infer how users interact with their phones, such as scrolling, swiping, or sliding, even during video playback. [MIT CSAIL / IEEE Spectrum]
↘️ Chinese authorities, quoting an assessment from the Beijing Wangshendongjian Forensic Appraisal Institute, said the techniques Apple uses to anonymize AirDrop users’ identities can be trivially circumvented because identifiable information is only hashed and a technique called a “rainbow table” allows access to the relevant information in plain text. This weakness has been used help law enforcement officials in the country to identify the sender of “unauthorized” AirDrop materials. “While this new capability may not (yet) be in widespread deployment, it represents a new tool that could strongly suppress the use of AirDrop in China and Hong Kong,” security researcher and professor Matthew Green said. Apple has been aware of the weakness as early as 2019 and that it could be used to identify and track AirDrop users. It’s worth noting that the attack method was previously disclosed by academics from the Technical University of Darmstadt way back in April 2021. [CNN / Matthew Green / Ars Technica / The Hacker News]