Welcome to another week of Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Ed Bailey (SOC Intern).
Top stories – 28 July 2023
- Over 400,000 corporate credentials stolen by info-stealing malware
- New AI tool ‘FraudGPT’ emerges, tailored for sophisticated attacks
- Storm-0558 breach: Chinese APT actors’ access to US government emails goes beyond initial estimates
- Critical RCE vulnerabilities expose Atlassian Confluence and Bamboo to system takeover
- Decoy Dog malware: A sophisticated upgrade with far-reaching impact
Over 400,000 corporate credentials stolen by info-stealing malware
- Analysis of 20 million information-stealing malware logs highlights significant infiltration into business environments.
- Prominent families like Redline, Raccoon, Titan, Aurora, and Vidar offer subscription-based models for cybercriminals to conduct malware campaigns and steal data.
- Corporate environments are impacted by employees' personal device use, leading to theft of business credentials and authentication cookies and emphasising the importance of security controls and employee training.
The analysis of nearly 20 million information-stealing malware logs sold on the dark web and Telegram channels revealed significant infiltration into business environments. Information stealers target data stored in applications like web browsers, email clients, cryptocurrency wallets, and more, packaging stolen information into ‘logs’ for cybercriminal use.
The most prominent information-stealing families, including Redline, Raccoon, Titan, Aurora, and Vidar, are offered on a subscription-based model to cybercriminals, allowing them to conduct malware campaigns and steal data from infected devices.
Notably, these information-stealing malware infections have a massive impact on corporate environments due to employees using personal devices for work or accessing personal content on work computers. This practice results in the theft of business credentials and authentication cookies, with approximately 375,000 logs containing access to business applications such as Salesforce, Hubspot, Quickbooks, AWS, GCP, Okta, and DocuSign.
Flare, a cybersecurity firm, discovered over 200,000 stealer logs containing OpenAI credentials, posing a risk of leaking proprietary information, internal business strategies, and source code.
The logs containing corporate access were mainly found on Russian-speaking marketplaces and VIP Telegram channels, suggesting possible intentional targeting of corporate entities. Corporate credentials are highly valued in the cybercrime underground and are sold on private Telegram channels or forums for significant profit.
To minimise the risk of info-stealer malware infections, businesses are advised to enforce the use of password managers, multi-factor authentication, and strict controls on personal device use. Additionally, employees should receive training to identify and avoid common infection channels such as malicious Google Ads, YouTube videos, and Facebook posts.
New AI tool ‘FraudGPT’ emerges, tailored for sophisticated attacks
- FraudGPT, a new cybercrime AI tool, emerges on the dark web and Telegram channels for offensive purposes, offering various capabilities for a monthly subscription.
- The tool can be used to craft spear-phishing emails, generate undetectable malware, and identify leaks and vulnerabilities, posing significant risks for data theft and unauthorised transactions.
- The use of AI tools by threat actors highlights the need for robust defence strategies and security telemetry to identify and stop potential attacks before they escalate into major security incidents.
A new cybercrime AI tool named FraudGPT has surfaced on the dark web and Telegram channels, following the release of WormGPT. Offered for a monthly subscription of $200 (or $1,000 for six months and $1,700 for a year), FraudGPT is designed exclusively for offensive purposes, including crafting spear-phishing emails, creating cracking tools, and carding.
Netenrich security researcher Rakesh Krishnan revealed that the tool can be used for writing malicious code, generating undetectable malware, finding leaks and vulnerabilities. The specific large language model (LLM) used to develop FraudGPT remains unknown. The actor behind the tool, known as CanadianKingpin, claims it provides exclusive tools and features with limitless possibilities.
Threat actors are increasingly leveraging AI tools like ChatGPT from OpenAI to create new adversarial variants for various cybercriminal activities without restrictions. This development poses a significant risk, as it enables novice actors to launch convincing phishing and business email compromise (BEC) attacks on a large scale, leading to data theft and unauthorised wire payments.
Krishnan highlights that although organisations can develop AI tools with ethical safeguards, cybercriminals can easily reimplement the technology without these restrictions. To counter these fast-moving threats, implementing a defence-in-depth strategy and utilising security telemetry for fast analytics have become crucial in identifying and stopping potential attacks before they escalate into ransomware or data breaches.
Storm-0558 breach: Chinese APT actors’ access to US government emails goes beyond initial estimates
- The Storm-0558 breach gave Chinese APT actors access to emails in 25 US government agencies using a stolen Microsoft account (MSA) key.
- Wiz’s research reveals the attackers could forge access tokens for various Azure AD applications, including SharePoint, Teams, OneDrive, and more.
- Organisations lack authentication logging, making detection challenging, but Microsoft’s free advanced logging commitment may help. Mitigation includes updating Azure SDKs and refreshing certificates.
The Storm-0558 breach, which gave Chinese advanced persistent threat (APT) actors access to emails in at least 25 US government agencies, may have a more extensive and severe impact than initially thought. The attackers used a stolen Microsoft account (MSA) signing key to forge authentication tokens and pose as authorised Azure Active Directory (AD) users, gaining access to Microsoft 365 enterprise email accounts and potentially sensitive information.
Further research by Wiz has revealed that the stolen MSA key could have allowed the attackers to forge access tokens for a far wider set of Azure AD applications than email alone, including SharePoint, Teams and OneDrive, any application that supports “login with Microsoft”, and multi-tenant applications that accept personal Microsoft accounts. Services used with personal Microsoft accounts, such as Skype and Xbox, were also found to be exposed.
Although Microsoft has revoked the stolen key and released indicators of compromise (IoCs) for the email attack, the full scope of the breach’s impact remains uncertain. Many organisations lack authentication logging, making it difficult to detect the use of forged tokens against applications. This lack of visibility stems from advanced logging having previously been available only as a paid premium service. Microsoft’s commitment to making advanced logging free may help, but implementation will take time.
The stakes are high, as compromised Azure AD keys can lead to serious consequences, similar to the SolarWinds breach. Wiz warns that despite key revocation, some Azure AD customers may still be at risk, as the attackers could have established persistence or set up backdoors using their access. Applications relying on cached keys or older certificates may also remain susceptible to token forgery.
Organisations are advised to update their Azure SDKs and refresh trusted certificates to mitigate the risk. The incident’s impact is expected to have long-lasting implications for cloud trust, especially concerning the identity layer, which forms the basis of cloud operations.
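The recommendation to refresh trusted certificates comes down to one rule for anything that validates tokens: never trust a key ID from a stale cache, never accept a revoked key, and never accept tokens from an issuer the application was not meant to serve. The following is an added example, not Microsoft’s or Wiz’s code; the issuer URLs, key IDs and audience are hypothetical placeholders, not real Microsoft endpoints or Storm-0558 indicators. It covers the trust decision that must precede signature verification (which key, from which issuer, may verify this token); the RS256 signature check itself is left to a JWT library.

```python
import base64
import json
from typing import Callable, Dict, Set, Tuple

# Constructed stand-ins for the signing-key sets (JWKS) an identity provider
# publishes per issuer. The issuer URLs and key IDs below are hypothetical
# placeholders, not real Microsoft endpoints, key IDs or Storm-0558 indicators.
ENTERPRISE_ISSUER = "https://idp.example/enterprise-tenant/v2.0"
CONSUMER_ISSUER = "https://idp.example/consumer/v2.0"

PUBLISHED_KEYS: Dict[str, Set[str]] = {
    ENTERPRISE_ISSUER: {"ent-key-2023-07", "ent-key-2023-08"},
    CONSUMER_ISSUER: {"msa-key-2023-07"},
}

# Key IDs the provider has revoked. A token carrying one of these must fail
# even if a stale local key cache still lists the key.
REVOKED_KIDS: Set[str] = {"msa-key-2016-legacy"}


def fetch_published_keys(issuer: str) -> Set[str]:
    """Stand-in for fetching the issuer's current JWKS over HTTPS."""
    return set(PUBLISHED_KEYS.get(issuer, set()))


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_token(header: dict, claims: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature (constructed test data)."""
    return ".".join([_b64url_encode(header), _b64url_encode(claims), "sig"])


def parse_unverified(token: str) -> Tuple[dict, dict]:
    """Decode header and claims WITHOUT trusting them; nothing is verified yet."""
    header_b64, payload_b64, _signature = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)))


def check_token_trust(token: str, allowed_issuers: Set[str], expected_aud: str,
                      key_cache: Dict[str, Set[str]],
                      refresh: Callable[[str], Set[str]] = fetch_published_keys
                      ) -> Tuple[bool, str]:
    """Decide which issuer and signing key a token may be verified against.

    These checks run before signature verification: they select the key the
    RS256 signature must be checked with and refuse a stale cached key set or
    a revoked key. The signature check itself is left to a JWT library.
    """
    header, claims = parse_unverified(token)
    if header.get("alg") != "RS256":
        return False, f"unexpected alg: {header.get('alg')}"
    iss = claims.get("iss")
    # An enterprise-only application must reject consumer-account issuers, even
    # when the same key material could sign tokens for both.
    if iss not in allowed_issuers:
        return False, f"issuer not allowed: {iss}"
    if claims.get("aud") != expected_aud:
        return False, "audience mismatch"
    kid = header.get("kid")
    if kid in REVOKED_KIDS:
        return False, f"revoked key: {kid}"
    if kid not in key_cache.get(iss, set()):
        # Unknown kid: refresh from the provider before deciding. Never fall
        # back to the stale cache, and never accept a key no longer published.
        key_cache[iss] = refresh(iss) - REVOKED_KIDS
        if kid not in key_cache[iss]:
            return False, f"unknown key: {kid}"
    return True, f"verify RS256 signature with key {kid}"


if __name__ == "__main__":
    # A stale cache that still lists a key the provider has since revoked.
    cache = {ENTERPRISE_ISSUER: {"ent-key-2023-07", "msa-key-2016-legacy"}}
    forged = make_token({"alg": "RS256", "kid": "msa-key-2016-legacy"},
                        {"iss": ENTERPRISE_ISSUER, "aud": "api://mail"})
    print(check_token_trust(forged, {ENTERPRISE_ISSUER}, "api://mail", cache))
```

Two of the checks map directly onto the Wiz findings: the issuer allowlist stops a token minted for a personal-account issuer from being accepted by an enterprise-only application, and the refresh-on-unknown-kid plus revocation list is what “refresh trusted certificates” means in practice, so a key the provider has withdrawn cannot keep working out of a local cache.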
Critical RCE vulnerabilities expose Atlassian Confluence and Bamboo to system takeover
- Atlassian discloses RCE vulnerabilities in Confluence and Bamboo, posing a risk to cloud infrastructure and software supply chains.
- CVE-2023-22505 and CVE-2023-22508 affect Confluence, while CVE-2023-22506 affects Bamboo Data Center; all three give an authenticated attacker system-level access without any user interaction.
- Fixes are available in Confluence 8.3.2 and 8.4.0 and in Bamboo 9.2.3 and 9.3.1; CISA urges prompt patching to safeguard Atlassian instances.
Software company Atlassian has disclosed three remote code execution (RCE) security vulnerabilities in Atlassian Confluence Data Center & Server and Bamboo, which pose a significant risk to cloud infrastructure and software supply chains. Confluence, a widely used corporate wiki for collaboration, has more than 60,000 customers, including LinkedIn, NASA, and the New York Times. Bamboo is a continuous integration and continuous delivery server for software development.
CVE-2023-22505 (CVSS 8.5) and CVE-2023-22508 (CVSS 8.0) affect Confluence, while CVE-2023-22506 (CVSS 7.5) affects Bamboo Data Center. Successful exploitation grants an attacker system-level access without any user interaction. Although the attacker needs an authenticated account, the flaws allow arbitrary code execution and compromise the confidentiality, integrity and availability of the affected instance.
Atlassian has fixed the Confluence issues in versions 8.3.2 and 8.4.0. Bamboo users should update to version 9.2.3 or 9.3.1.
Given Atlassian’s presence in corporate networks, the US Cybersecurity and Infrastructure Security Agency (CISA) emphasises the importance of promptly applying the patches to safeguard Atlassian instances.
Decoy Dog malware: A sophisticated upgrade with far-reaching impact
- Decoy Dog, a new malware based on Pupy RAT, exhibits powerful capabilities, including moving victims to another controller for prolonged communication and hidden presence.
- The malware can execute arbitrary Java code on the client and uses DNS for command-and-control (C2), so compromised endpoints and the controller exchange instructions entirely over DNS queries and responses.
- Believed to be operated by nation-state actors, Decoy Dog remains an ongoing threat, and its controllers use geofencing to respond only to clients in specific locations. Because the C2 channel is DNS, DNS-layer visibility and controls are the best defence against it.
Decoy Dog, a new malware discovered by Infoblox, has been identified as a significant upgrade over the Pupy RAT, a remote access trojan it is based on. Decoy Dog possesses powerful, previously unknown capabilities, including the ability to move victims to another controller, allowing the malware to maintain communication with compromised machines and stay hidden for extended periods. Some victims have been actively communicating with Decoy Dog servers for over a year.
The malware’s additional features include executing arbitrary Java code on the client and connecting to emergency controllers using a mechanism similar to a traditional DNS domain generation algorithm (DGA). Because the command-and-control (C2) channel runs entirely over DNS, the controller can issue instructions to, and receive data from, a compromised endpoint using nothing more than DNS queries and responses.
The origins of Decoy Dog remain unclear, but it is believed to be operated by a small number of nation-state actors who adapt their attack infrastructure in response to public disclosures: they have taken down DNS nameservers and registered replacement domains to retain remote persistence and access to existing victims.
Decoy Dog’s deployment dates to late-March or early-April 2022, with several clusters detected under the control of different controllers. The threat actors have demonstrated agility by incorporating a geofencing technique to limit responses to client IP addresses in specific locations, particularly Russia and Eastern Europe.
Infoblox warns that Decoy Dog is an ongoing and serious threat, and notes that it still has no insight into how victim systems were initially compromised. Because the malware’s C2 depends on DNS, DNS-layer monitoring and controls are the best defence against it. The modifications made to Pupy RAT’s C2 raise questions about the motives behind this choice and underline the need to remain vigilant and adaptive in defending against evolving threats.
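To make the DNS point concrete, here is an added example of the kind of detection a resolver log enables. It is not Infoblox’s code, and it uses constructed log lines with placeholder domains and addresses rather than any Decoy Dog indicators. It scores each (client, registrable domain) pair on the traits DNS tunnelling and DNS-based C2 share: many distinct, long, high-entropy leftmost labels under one domain from a single client. The thresholds and the two-label approximation of a registrable domain are assumptions to tune per environment.

```python
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed DNS resolver log, one query per line:
#   <timestamp> <client_ip> <query_name> <qtype>
# Domains, hosts and addresses are placeholders invented for this example,
# not indicators of Decoy Dog or any other real campaign.
SAMPLE_LOG = """\
2023-07-25T10:00:01Z 10.0.0.12 www.example-news.com A
2023-07-25T10:00:05Z 10.0.0.12 cdn.example-news.com A
2023-07-25T10:00:10Z 10.0.0.12 www.example-news.com A
2023-07-25T10:00:12Z 10.0.0.12 img.example-news.com A
2023-07-25T10:00:20Z 10.0.0.12 r1.edge-cache.example A
2023-07-25T10:00:21Z 10.0.0.12 r2.edge-cache.example A
2023-07-25T10:00:22Z 10.0.0.12 r3.edge-cache.example A
2023-07-25T10:00:23Z 10.0.0.12 r4.edge-cache.example A
2023-07-25T10:00:31Z 10.0.0.44 a9f3k2m8q1x7z4p0b5.beacon-c2.example A
2023-07-25T10:01:01Z 10.0.0.44 c7h2n5v9r3t8y1w6e0.beacon-c2.example A
2023-07-25T10:01:31Z 10.0.0.44 d4j6l8s0u2g9i1o3k5.beacon-c2.example A
2023-07-25T10:02:01Z 10.0.0.44 f1m3p5r7t9b2d4h6j8.beacon-c2.example A
2023-07-25T10:02:31Z 10.0.0.44 z0x2c4v6b8n1m3q5w7.beacon-c2.example A
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded or random-looking labels score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registrable_domain(qname: str) -> str:
    # Assumption for this example: the registrable domain is the last two labels.
    # Production code should consult a public-suffix list (e.g. for co.uk).
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_dns_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client_ip, query_name) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        records.append((parts[0], parts[1], parts[2].rstrip(".").lower()))
    return records


def flag_dns_tunnelling(records: List[Tuple[str, str, str]], min_queries: int = 4,
                        min_distinct_ratio: float = 0.8, min_entropy: float = 3.5,
                        min_label_len: float = 12.0) -> List[Dict]:
    """Flag (client, domain) pairs whose subdomains look like encoded C2 payloads."""
    per_pair: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for _ts, client, qname in records:
        labels = qname.split(".")
        # The leftmost label carries the payload in DNS tunnelling; a bare
        # registrable domain (no subdomain) contributes an empty label.
        leftmost = labels[0] if len(labels) > 2 else ""
        per_pair[(client, registrable_domain(qname))].append(leftmost)

    findings = []
    for (client, domain), labels in per_pair.items():
        if len(labels) < min_queries:
            continue
        distinct_ratio = len(set(labels)) / len(labels)   # each query a new name?
        mean_entropy = sum(shannon_entropy(l) for l in labels) / len(labels)
        mean_len = sum(len(l) for l in labels) / len(labels)
        # All three must hold: CDNs produce many distinct but short, low-entropy
        # labels; a single random hostname produces entropy but no churn.
        if (distinct_ratio >= min_distinct_ratio and mean_entropy >= min_entropy
                and mean_len >= min_label_len):
            findings.append({"client": client, "domain": domain,
                             "queries": len(labels),
                             "distinct_ratio": round(distinct_ratio, 2),
                             "mean_entropy": round(mean_entropy, 2),
                             "mean_label_len": round(mean_len, 1)})
    return findings


if __name__ == "__main__":
    for finding in flag_dns_tunnelling(parse_dns_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed log only the `10.0.0.44` to `beacon-c2.example` pair is flagged: the news site repeats a handful of hostnames, and the edge-cache domain churns through `r1`…`r4` but those labels are too short and too regular to carry data. Two further signals worth adding against the behaviour described above are beacon periodicity (the 30-second spacing in the sample) and bursts of lookups for never-before-seen registrable domains, which is what a DGA-style fallback to emergency controllers looks like from the resolver. Blocking such domains at the resolver is the DNS-layer control the roundup refers to.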