Welcome to another week of Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Ed Bailey (SOC Intern).
Top stories – 21 July 2023
- WormGPT: A rising threat in cybercrime
- Data breach exposes VirusTotal customer information, including government accounts
- Microsoft offers free access to advanced cloud logging data for enhanced cybersecurity
- TeamTNT’s sophisticated cloud attack expands to Azure and Google Cloud
- Phishing campaign exploits Microsoft Word flaws to deliver LokiBot malware
WormGPT: A rising threat in cybercrime
- Cybercriminals employ WormGPT, a malicious AI tool, for advanced phishing and BEC attacks
- Unlike legitimate AI models, WormGPT automates highly convincing fake emails, evading cybersecurity measures
- The lack of ethical boundaries and bypassing AI defences make WormGPT accessible to even novice cybercriminals, raising concerns about digital security.
Cybercriminals are leveraging the power of generative artificial intelligence (AI) with the emergence of a new malicious tool called WormGPT. Uncovered on underground forums, this cybercrime tool enables adversaries to launch advanced phishing and business email compromise (BEC) attacks.
Unlike legitimate AI models, WormGPT proudly promotes itself as a blackhat alternative, specifically designed for malicious activities. It automates the creation of highly convincing fake emails, personalised to recipients, significantly increasing the success rates of these attacks.
WormGPT poses a significant challenge to cybersecurity, especially as industry leaders like OpenAI and Google combat the abuse of large language models (LLMs) for generating malicious content. The Check Point report revealed that Bard, Google’s AI model, has weaker anti-abuse restrictors compared to ChatGPT, further enhancing the threat posed by WormGPT.
Compounding the issue, cybercriminals are finding ways to bypass ChatGPT’s defences, exploiting its API and trading stolen premium accounts to access ChatGPT accounts using extensive lists of email addresses and passwords.
The lack of ethical boundaries surrounding WormGPT allows even novice cybercriminals to execute large-scale attacks swiftly without significant technical expertise. Furthermore, they are promoting “jailbreaks” for ChatGPT, engineering specialised inputs to manipulate the AI model into generating harmful content, including sensitive information leaks and executing malicious code.
Generative AI’s ability to craft emails with impeccable grammar reduces suspicion and democratizes sophisticated BEC attacks, making them accessible to a broader spectrum of cybercriminals with limited skills.
The rise of WormGPT parallels another alarming development called PoisonGPT. Mithril Security researchers surgically modified GPT-J-6B, an open-source AI model, to spread disinformation, resulting in LLM supply chain poisoning.
Addressing this growing threat requires collaborative efforts from AI developers and cybersecurity experts to implement robust safeguards against the misuse of AI technology. Only through proactive measures can we protect our digital landscape from the escalating perils of cybercrime.
Data breach exposes VirusTotal customer information, including government accounts
- VirusTotal, a malware scanning platform owned by Google, experienced a data breach involving names and email addresses of about 5,600 registered customers.
- The leaked data included accounts associated with U.S. entities like the FBI, NSA, and government agencies in other countries.
- Google took immediate action to remove the exposed information and is reviewing internal processes to prevent similar incidents in the future, emphasizing the importance of handling sensitive data with care in cybersecurity platforms.
In a security incident, a subset of registered customers’ data from VirusTotal, a malware scanning platform owned by Google, was exposed due to an employee’s inadvertent upload. The leaked data includes names and email addresses of approximately 5,600 users, encompassing a 313KB database. VirusTotal, launched in 2004, is a popular service that analyses suspicious files and URLs using antivirus engines and website scanners.
Google confirmed the data breach and took immediate action to remove the information from the platform. The leaked data includes accounts associated with U.S. entities such as the Cyber Command, Department of Justice, Federal Bureau of Investigation (FBI), and the National Security Agency (NSA), as well as government agencies in Germany, the Netherlands, Taiwan, and the U.K.
In response to the incident, a Google Cloud spokesperson acknowledged the unintentional distribution of customer group administrator emails and organisation names, and they are reviewing internal processes and technical controls to prevent similar occurrences in the future.
This incident serves as a reminder of the importance of handling sensitive data with utmost care, especially when using cybersecurity platforms. As previously warned by Germany’s Federal Office for Information Security (BSI), automating the uploading of suspicious email attachments to VirusTotal can lead to the exposure of sensitive information, necessitating enhanced caution when dealing with such services.
Microsoft offers free access to advanced cloud logging data for enhanced cybersecurity
- Microsoft offers wider access to additional cloud logging data globally for easier breach detection, following Chinese hackers stealing a signing key.
- Previously limited to paying customers, advanced logging faced criticism, hindering intrusion investigations.
- Collaborating with CISA, Microsoft will expand access to premium cloud logging for all customers, enhancing detection of advanced attacks and global cybersecurity. CISA and FBI released a guide on monitoring APT activity targeting Outlook Online.
Microsoft is providing wider access to additional cloud logging data for its customers worldwide, free of charge, aiming to facilitate easier detection of breached networks and compromised accounts. The decision comes after Chinese hackers stole a Microsoft signing key, enabling them to breach corporate and government Microsoft Exchange and Microsoft 365 accounts to steal sensitive emails.
Previously, advanced logging capabilities were limited to customers who paid for Microsoft’s Purview Audit (Premium) logging feature. The lack of availability to all customers drew criticism, with concerns that this approach hindered effective intrusion investigations.
In response to these concerns, the US Cybersecurity and Infrastructure Security Agency (CISA) collaborated with Microsoft to identify critical logging data points that should be accessible for all customers at no additional cost. Consequently, Microsoft will expand access to premium cloud logging for all customers, with more features becoming available in September 2023.
The expanded logging includes detailed logs of email access and 30 other data points previously exclusive to licensed customers. Microsoft also plans to increase the default retention period for Audit Standard customers, offering 180 days of historical data access for incident response investigations.
While Microsoft Purview Audit (Premium) remains available for licensed users, this move by Microsoft is expected to enhance the detection of advanced attacks and bolster cybersecurity for organisations globally.
CISA and the FBI have also released a guide on monitoring and detecting APT activity targeting Outlook Online, providing valuable insights for security and email administrators.
TeamTNT’s sophisticated cloud attack expands to Azure and Google Cloud
- Researchers uncover sophisticated cloud-credential stealing and cryptomining campaign targeting AWS, now expanded to Azure and GCP, resembling TeamTNT’s tactics.
- TeamTNT focuses on cloud misconfigurations, vulnerability exploits, and cryptomining but has extended to data theft and backdoor deployment.
- Attackers use Tsunami worm for AWS and UPX-packed, Golang-based ELF binary for Azure and GCP, emphasizing the need to understand evolving attack frameworks.
Researchers have discovered a sophisticated cloud-credential stealing and cryptomining campaign targeting Amazon Web Services (AWS) since December. The attack has now expanded to include Azure and Google Cloud Platform (GCP), with similarities to the tactics used by the notorious threat actor, TeamTNT.
The campaign, which started targeting Azure and GCP in June, shares core attack scripts used in the AWS attacks. The threat actor behind the campaign has been continuously refining its methods, with an implementation of the Azure credential collection module added recently. It is expected that more tools will emerge for these environments as the attacker sees their value.
TeamTNT is known for exploiting cloud misconfigurations and vulnerabilities, primarily focusing on cryptomining campaigns. However, it has extended its activities to include data theft and backdoor deployment, targeting exposed Docker services. The attacker’s toolset can profile systems, search for credential files, and exfiltrate them.
The researchers found that TeamTNT is developing an “aggressive cloud worm” designed for AWS environments to facilitate credential theft, resource hijacking, and backdoor deployment called “Tsunami.” Similarly, in Azure and GCP environments, they have identified a UPX-packed, Golang-based ELF binary capable of propagating to vulnerable targets.
These attacks underscore the importance of understanding attack frameworks that work well against cloud platforms like Azure and GCP. Administrators are advised to collaborate with red teams to bolster cybersecurity and stay ahead of evolving threats.
Sysdig also reported a similar cloud credential stealing and cryptomining campaign targeting AWS and Kubernetes services, linked to TeamTNT’s activity. The attackers use known AWS exploitation frameworks like Pacu, suggesting similar tactics may be adopted for Azure and GCP attacks.
Phishing campaign exploits Microsoft Word flaws to deliver LokiBot malware
- Cybercriminals use Microsoft Word documents to distribute LokiBot Trojan, exploiting known vulnerabilities (CVE-2021-40444 and CVE-2022-30190).
- Attackers employ GoFile links and VBA scripts in Word files to drop LokiBot on compromised systems, utilizing evasion techniques to avoid detection.
- LokiBot, active since 2015, steals sensitive data, logs keystrokes, captures screenshots, and targets cryptocurrency wallets, with continuously evolving methods.
Cybercriminals are using Microsoft Word documents as phishing lures to drop LokiBot, an information-stealing Trojan, on compromised systems. The attacks were first spotted by Fortinet FortiGuard Labs in May 2023 and take advantage of known remote code execution vulnerabilities, specifically CVE-2021-40444 and CVE-2022-30190 (aka Follina).
The Word files weaponise CVE-2021-40444 with an embedded external GoFile link that leads to the download of an HTML file, which exploits CVE-2022-30190 to deliver an injector module written in Visual Basic. The injector decrypts and launches LokiBot while employing evasion techniques to avoid detection, such as checking for debuggers and virtualissed environments.
An alternative attack chain discovered in May involves a Word document with a VBA script executing a macro immediately upon opening the document using “Auto_Open” and “Document_Open” functions. The macro acts as a conduit to deliver an interim payload from a remote server, functioning as an injector to load LokiBot and establish a connection to a command-and-control (C2) server.
LokiBot, an information-stealing Trojan active since 2015, is equipped with various capabilities, including logging keystrokes, capturing screenshots, harvesting login credentials from web browsers, and siphoning data from cryptocurrency wallets.
Fortinet researcher Cara Lin warns that LokiBot is a longstanding and widespread threat with continuously evolving access methods, making it easy for cybercriminals to steal sensitive data from victims. The attackers behind LokiBot regularly update their tactics, making their malware campaign more efficient and successful in spreading and infecting systems.