The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that it has observed threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to conduct reconnaissance of target networks.
It said the module is being used to enumerate other non-internet-facing devices on the network. The agency, however, did not disclose who

Vulnerability / Network Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that it has observed threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to conduct reconnaissance of target networks.

It said the module is being used to enumerate other non-internet-facing devices on the network. The agency, however, did not disclose who is behind the activity, or what the end goals of the campaign are.

"A malicious cyber actor could leverage the information gathered from unencrypted persistence cookies to infer or identify additional network resources and potentially exploit vulnerabilities found in other devices present on the network," CISA said in an advisory.

It has also recommended organizations encrypt persistent cookies employed in F5 BIG-IP devices by configuring cookie encryption within the HTTP profile. Furthermore, it's urging users to verify the protection of their systems by running a diagnostic utility provided by F5 called BIG-IP iHealth to identify potential issues.

"The BIG-IP iHealth Diagnostics component of the BIG-IP iHealth system evaluates the logs, command output, and configuration of your BIG-IP system against a database of known issues, common mistakes, and published F5 best practices," F5 notes in a support document.

"The prioritized results provide tailored feedback about configuration issues or code defects and provide a description of the issue, \[and\] recommendations for resolution."

The disclosure comes as cybersecurity agencies from the U.K. and the U.S. have published a joint bulletin detailing Russian state-sponsored actors' attempts to target diplomatic, defense, technology, and finance sectors to collect foreign intelligence and enable future cyber operations.

The activity has been attributed to a threat actor tracked as APT29, which is also known as BlueBravo, Cloaked Ursa, Cozy Bear, and Midnight Blizzard. APT29 is understood to be a key cog in the Russian military intelligence machine and is affiliated with the Foreign Intelligence Service (SVR).

"SVR cyber intrusions include a heavy focus on remaining anonymous and undetected. The actors use TOR extensively throughout intrusions – from initial targeting to data collection – and across network infrastructure," the agencies said.

"The actors lease operational infrastructure using a variety of fake identities and low reputation email accounts. The SVR obtains infrastructure from resellers of major hosting providers."

Attacks mounted by APT29 have been categorized as those designed to harvest intelligence and establish persistent access so as to facilitate supply chain compromises (i.e., targets of intent), as well as those that allow them to host malicious infrastructure or conduct follow-on operations from compromised accounts by taking advantage of publicly known flaws, weak credentials, or other misconfigurations (i.e., targets of opportunity).

Some of the significant security vulnerabilities highlighted include CVE-2022-27924, a command injection flaw in Zimbra Collaboration, and CVE-2023-42793, a critical authentication bypass bug that allows for remote code execution on TeamCity Server.

APT29 is a relevant example of threat actors continuously innovating their tactics, techniques and procedures in an attempt to stay stealthy and circumvent defenses, even going to the extent of destroying their infrastructure and erasing any evidence should it suspect their intrusions have been detected, either by the victim or law enforcement.

Another notable technique is the extensive use of proxy networks, comprising mobile telephone providers or residential internet services, to interact with victims located in North America and blend in with legitimate traffic.

"To disrupt this activity, organizations should baseline authorized devices and apply additional scrutiny to systems accessing their network resources that do not adhere to the baseline," the agencies said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

CISA Warns of Threat Actors Exploiting F5 BIG-IP Cookies for Network Reconnaissance

The third-party actor had access for two days, in the financial services company's second major breach of the year.

Source: Ryan McGinnis via Alamy Stock Photo

Just over 77,000 individuals will be receiving news from Fidelity Investments that their personal information has been compromised in a data security incident. 

The breach itself occurred between Aug. 17 and Aug. 19, when an unauthorized third-party gained access to two customer accounts and obtained private information. When the activity was detected on Aug. 19, access was terminated and an investigation began.

According to Fidelity's notification letter, the incident did not involve any access to Fidelity accounts and the information obtained by the threat actors "related to a small subset of our customers."

"While the attackers' specific motives remain unclear, it's likely that information gathering was a primary objective," said Sarah Jones, cyber threat intelligence research analyst at Critical Start, in an emailed statement to Dark Reading. "The 'beachhead' theory, where attackers establish a foothold to launch further attacks, is a common tactic in such incidents. Although Fidelity assures customers that their accounts and funds were not directly accessed, the breach raises concerns about the security of personal information, increasing the risk of identity theft, fraud, or other malicious activities."

Indeed, though Fidelity iterates that it is unaware of any misuse of its customers' personal information obtained in this breach, this is the second time this year that it has faced a data breach. In March, Fidelity notified roughly 30,000 individuals that their information had been compromised in a third-party breach involving service provider Infosys McCamish (IMS).

Fidelity is providing free credit monitoring and identity restoration services for those impacted by this breach through TransUnion Interactive for 24 months.

It also encourages individuals to remain vigilant and review their financial statements often, reporting any suspicious or fraudulent activity.

Fidelity Notifies 77K Customers of Data Breach

Rather than setting a regular cadence for changing passwords, users only need to change their passwords if there is evidence of a breach.

Thursday, October 10, 2024 14:00

Say goodbye to the days of using the “@” symbol to mean “a” in your password or replacing an “S” with a “$.” 

The U.S. National Institute of Standards and Technology (NIST) recently announced new guidelines for the ways website and organizations should handle password creation and management that will do away with many of the “common sense” things we’ve thought about passwords for years now.  

Here is a tl;dr version of what these proposed guidelines say: 

*   Passwords need to be at least eight characters long, and sites should have an additional recommendation to make them at least 15 characters long. 
*   Credential service providers (CSPs) should allow users to make their passwords as long as 64 characters. 
*   CSPs should allow ASCII and Unicode characters to be included in passwords. 
*   Rather than setting a regular cadence for changing passwords, users only need to change their passwords if there is evidence of a breach. 
*   There should not be requirements to implement a certain number of numbers or special characters into passwords. (Ex., “Password12345!”) 
*   Do away with knowledge-based authentication or security questions when selecting passwords. (Think: “What was the name of your college roommate?”) 

Now, we should make a few things here clear. Just because NIST is proposing these doesn’t mean anyone \*has\* to abide by them, these are merely guidelines that some of the larger tech companies in the U.S. can choose to adopt. And these are proposed rules for the time being, meaning the public and tech companies have time to weigh in on the matter before they are codified in any way. 

While these proposals may seem counterintuitive, it should make traditional text-based login credentials more manageable for users and admins. Studies have shown that requiring a mixture of special characters and numbers has led users to create easier-to-guess passwords like “$ummer2024!” or “P@ssword”.  

And policies that require users to change their passwords often have led them to create passwords that are neigh-impossible to remember, so users end up storing these passwords in easy-to-locate places near their computers, like on a physical piece of paper or saved to a .txt file on their desktop.  

The hope from NIST is that enforcing longer passwords will make it harder for adversaries to guess and less intimidating for users to manage their passwords. 

Of course, using a third-party password manager is usually the most secure option for anyone. But what NIST is proposing is still a step in the right direction, and if nothing else will make those of us who are more security-minded have a better time when creating a new account.  

**The one big thing **

The largest Microsoft Patch Tuesday since July includes two vulnerabilities that have been exploited in the wild and three other critical issues across the company’s range of hardware and software offerings. October’s monthly security update from Microsoft includes fixes for 117 CVEs, the most in a month since July’s updates covered 142 vulnerabilities. The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity.   

**Why do I care? **

CVE-2024-43572 is a remote code execution vulnerability in the Microsoft Management Console that could allow an attacker to execute arbitrary code on the targeted machine. Microsoft’s security update will prevent untrusted Microsoft Saved Console (MSC) files from being opened to protect users against adversaries trying to exploit this vulnerability. The other vulnerability that was exploited in the wild in this week’s security update is CVE-2024-43573, a platform spoofing vulnerability in Windows MSHTML. Platform spoofing vulnerabilities usually allow an adversary to gain unauthorized access to an environment by disguising themselves as a trusted source.   

**So now what? **

Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. The rules included in this release that protect against the exploitation of many of these vulnerabilities are 64083 - 64086, 64089, 64090, 64111 and 64112. There are also Snort 3 rules 301034 - 301036 and 301041. 

**Top security headlines of the week  **

**Chinese state-sponsored actors are suspected to have breached several U.S. telecommunications providers to spy on U.S. government phone calls.** AT&T, Verizon and Lumen may have all been victims of the alleged counter-spying operation from the newly named APT Salt Typhoon. The actor potentially accessed information from systems that the U.S. government uses for court-authorized network wiretapping requests, all in the name of trying to steal government secrets. Though it’s still unclear how long Salt Typhoon had access to these networks, it’s clear they at least spent a few months on these networks, commonly used to cooperate with lawful U.S. requests for communication data. The attackers may have also accessed large amounts of other generic internet traffic through this operation. A separate Chinese APT known as Volt Typhoon became a major topic of conversation earlier this year for allegedly trying to infiltrate networks at U.S. military bases and other critical infrastructure sites. (Wall Street Journal, Washington Post) 

**Microsoft and the U.S. Department of Justice announced they had deactivated more than 60 domains and other attacker infrastructure associated with the Russian state-sponsored ColdRiver group.** ColdRiver is believed to be connected to Russia’s Federal Security Bureau (FSB) and recently has targeted non-governmental organizations, think tanks, military officials and intelligence officials in Ukraine and NATO countries. "The Russian government ran this scheme to steal Americans' sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials," U.S. Deputy Attorney General Lisa Monaco stated during the announcement of the disruption. ColdRiver (aka Callisto Group, Seaborgium and Star Blizzard) has been active since at least 2017. The U.S. State Department is now also offering up to a $10 million reward for any information that could help locate or identify any individual members of ColdRiver. (Security Magazine, Bleeping Computer) 

**With genetic testing company 23AndMe floundering, customers are left wondering what could happen to their personal information if the company goes bankrupt or goes out of business altogether.** 23AndMe, known for collecting DNA samples from customers and then providing them with a report about their ancestry, has lost millions of dollars in its valuation and stock price over the past few years.  However more than 15 million individuals have submitted their DNA to the company since it was founded in 2006, and privacy advocates are warning them to manually delete their data now before anything happens to the company. The company also has several data-sharing agreements with other private companies, which use 23AndMe data to conduct other studies and research. And because 23AndMe’s services do not fall under health care in the U.S., the company does not have to adhere to traditional HIPAA rules. Last year, the company was hit with a massive data breach that it said affected 6.9 million customer accounts, including 14,000 people who had their passwords stolen. U.S. law enforcement has also tried to access the company’s data in the past (requests that have been declined), and it is unclear if those requests would be allowed should the company no longer exist. (NPR, Business Insider) 

**Can’t get enough Talos? **

*   Cisco Talos: Advanced intelligence for global cyberthreats 
*   New MedusaLocker Ransomware Variant Deployed by Threat Actor 
*   MedusaLocker ransomware variant paired with ‘paid\_memes’ toolkit 
*   Vulnerability in popular PDF reader could lead to arbitrary code execution; Multiple issues in GNOME project 

**Upcoming events where you can find Talos**

**MITRE ATT&CKcon 5.0** **(Oct. 22 - 23)** 

_McLean, Virginia and Virtual_

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

**it-sa Expo & Congress** **(Oct. 22 - 24)** 

_Nuremberg, Germany_

**White Hat Desert Con** **(Nov. 14)** 

_Doha, Qatar_

**misecCON** **(Nov. 22)** 

_Lansing, Michigan_

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5:** 71fea034b422e4a17ebb06022532fdde   
**Typical Filename:** VID001.exe   
**Claimed Product:** N/A   
**Detection Name:** RF.Talos.80 

**SHA 256:** 76491df69a26019139ac11117cd21bf5d0257a5ebd3d67837f558c8c9c3483d8   
**MD5:** b209df2951e29ab5eab4009579b10b8d  
**Typical Filename:** FileZilla\_3.67.1\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.76491DF69A-95.SBX.TG

**SHA 256:** c20fbc33680d745ec5ff7022c282a6fe969c6e6c7d77b7cfac34e6c19367cf9a   
**MD5:** 3bc6d86fc4b3262137d8d33713ed6082   
**Typical Filename:** 8c556f0a.dll   
**Claimed Product:** N/A   
**Detection Name:** Gen:Variant.Lazy.605353 

**SHA 256:** f0d7a2bb0c5db162332418747ba4987027b8a746b24c919a24235ff3b70d25e3   
**MD5:** 0d849044612667362bc88780baa1c1b7   
**Typical Filename:** CryptX.dll   
**Claimed Product:** N/A    
**Detection Name:** Gen:Variant.Lazy.605353 

**SHA 256:** 331fdf5f1f5679a6f6bb0baee8518058aba8081ef8f96e57fa3b74291fcbb814   
**MD5:** f23b90fc9bc301baf3e399e189b6d2dc   
**Typical Filename:** B.dll   
**Claimed Product:** N/A     
**Detection Name:** Gen:Variant.Lazy.605353

What NIST’s latest password standards mean, and why the old ones weren’t working

ABB Cylon Aspect version 3.08.01 has a directory traversal vulnerability that can be exploited by an unauthenticated attacker to list the contents of arbitrary directories without reading file contents, leading to information disclosure of directory structures and filenames. This may expose sensitive system details, aiding in further attacks. The issue lies in the listFiles() function of the persistenceManagerAjax.php script, which calls PHP's readdir() function without proper input validation of the directory POST parameter.

    ABB Cylon Aspect 3.08.01 (persistenceManagerAjax.php) Directory TraversalVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio                  Firmware: <=3.08.01Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: The BMS/BAS controller has a directory traversal vulnerability thatcan be exploited by an unauthenticated attacker to list the contents ofarbitrary directories without reading file contents, leading to informationdisclosure of directory structures and filenames. This may expose sensitivesystem details, aiding in further attacks. The issue lies in the listFiles()function of the persistenceManagerAjax.php script, which calls PHP's readdir()function without proper input validation of the 'directory' POST parameter.Tested on: GNU/Linux 3.15.10 (armv7l)           GNU/Linux 3.10.0 (x86_64)           GNU/Linux 2.6.32 (x86_64)           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz           PHP/7.3.11           PHP/5.6.30           PHP/5.4.16           PHP/4.4.8           PHP/5.3.3           AspectFT Automation Application Server           lighttpd/1.4.32           lighttpd/1.4.18           Apache/2.2.15 (CentOS)           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5837Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5837.php21.04.2024--$ cat project                 P   R   O   J   E   C   T                        .|                        | |                        |'|            ._____                ___    |  |            |.   |' .---"|        _    .-'   '-. |  |     .--'|  ||   | _|    |     .-'|  _.|  |    ||   '-__  |   |  |    ||      |     |' | |.    |    ||       | |   |  |    ||      | ____|  '-'     '    ""       '-'   '-.'    '`      |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                                     ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░          ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░          ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                                                                                                                                              $ curl "http://192.168.73.31/persistenceManagerAjax.php" \> -d "command=justList\> &directory=./lib/" \> | sed -e 's/.*\[$.*$\].*/\1/' \> | tr -d '\' \> | sed '1,1d' \> | sed '$d'INI.phpJSON.phpaspect-status.inccaldav-checksums.inccheckForLineFeed.phpcheck_networking.phpcommands.incconfigParameter.phpdatetime_includes.incerrorCall.phpfileDownload.phpfileUpload.incformOptions.phpgetUrlStatus.phpinString.phpjsFunctions.phpmatrix-php.incobtainPorts.phpphpCheck.phpphpTimezone.php

ABB Cylon Aspect 3.08.01 persistenceManagerAjax.php Directory Traversal

Boston and London, U.S. and U.K., 10th October 2024, CyberNewsWire

**Boston and London, U.S. and U.K., October 10th, 2024, CyberNewsWire**

The agreement has marked over 600,000 fraudulent domains for takedown in just two months through automated defense and proactive prevention. Abusix and Red Sift to hold exclusive webinar sharing insights on transforming cyber attack mitigation.

Abusix, an organization specializing in internet abuse prevention, and Red Sift, a leader in misconfiguration and exposure management, have announced a new partnership aiming to transform how organizations can navigate from a reactive to a proactive approach for managing security risk.

Cyber threats such as email phishing, business email compromise (BEC), and brand impersonation remain persistent challenges for organizations globally. Addressing these issues requires both visibility and automation to enable faster detection and mitigation of such attacks.

Addressing these challenges head on, Abusix and Red Sift’s partnership aims to offer security teams visibility and action to neutralize risks preemptively. Since the agreement was enabled in August 2024, over 630,000+ domains have been marked for takedown. This outcome is attributed to Abusix’s real-time reporting capabilities for the swift identification of potential threats, and Red Sift’s ability to transform data into actionable defenses and real-time value for its customers. This is enabled through Red Sift leveraging Abusix’s data in both Red Sift OnDMARC and Red Sift Brand Trust. 

> **Rahul Powar, CEO and Co-Founder of Red Sift said:** “We find ourselves in an ever changing landscape where new attacks and methods for cyber abuse are ever prevalent. Working together with Abusix, we are harnessing new innovation and knowledge sharing to offer increased visibility to a wider remit of large enterprises and small businesses that are vulnerable to cyber threat. This in turn allows us to provide real-time solutions to mitigate against costly reputational damage and shift the industry’s approach from reactive to proactive.” 

> **Tobias Knecht, CEO and Founder of Abusix said:** “It’s not just about sharing data—it’s about sharing it with the right organizations. 95% of all attacks on enterprises originate from service provider and hosting provider networks. Enabling rapid takedowns by sharing actionable intelligence with service providers and hosting providers is a crucial step in reducing overall attack volume at its core. Through our partnership with Red Sift and their unique data solutions, we are taking a significant step forward in safeguarding the internet and improving network security overall.”

The newly formed collaboration is a move to raise the effectiveness and application use of email threat data for cybersecurity across the board and to upgrade the industry’s approach to attack mitigation. Together, the two companies are addressing ongoing critical gaps in the cybersecurity landscape by addressing crucial business needs for increased domain security and prevention of brand abuse. 

Those interested can join an exclusive webinar to learn how Abusix and Red Sift are transforming cyber attack mitigation — readers can reserve a spot today and hear about proactive strategies to protect organizations from email phishing, brand impersonation, and other emerging threats.

Readers can also learn more about the partnership’s Success Story here.

****About Abusix****

Abusix transforms vast amounts of real-time data into actionable insights, helping organizations protect against cyber threats. Its unique data ecosystem enables security teams across all sectors to proactively mitigate attacks by pinpointing the origins of cyber abuse. By enabling collaboration between enterprises, security vendors, and service providers, Abusix works to reduce the overall volume of attacks, driving a more secure internet. 

Abusix serves a global client base, including Cloudflare, Amazon Web Services (AWS), Vodafone, Digital Ocean, and multiple government organizations worldwide. Dedicated to enhancing the global security ecosystem, Abusix continues to make threat intelligence accessible and impactful across industries. Readers can learn more at abusix.com

****About Red Sift****

Red Sift aims to enable organizations to anticipate, respond to, and recover from cyber attacks while continuing to operate effectively. The award-winning Red Sift Pulse Platform is an integrated solution that combines four interoperable applications, internet-scale cybersecurity intelligence, and innovative generative AI that intends to put organizations on a path to cyber resilience. 

Red Sift is a global organization supported by a diverse team across 15 countries. It boasts an international client roster that includes Capgemini, Domino’s, ZoomInfo, Athletic Greens, and several leading law firms. Red Sift is the official DMARC provider for Cisco and a trusted partner for Microsoft and Entrust, among others. Readers can learn more at redsift.com

**Contact**

**Head of Marketing**  
**Serena Li**  
**Abusix**  
**\[email protected\]**

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

OpenAI on Wednesday said it has disrupted more than 20 operations and deceptive networks across the world that attempted to use its platform for malicious purposes since the start of the year.
This activity encompassed debugging malware, writing articles for websites, generating biographies for social media accounts, and creating AI-generated profile pictures for fake accounts on X.
"Threat

Cybercrime / Disinformation

OpenAI on Wednesday said it has disrupted more than 20 operations and deceptive networks across the world that attempted to use its platform for malicious purposes since the start of the year.

This activity encompassed debugging malware, writing articles for websites, generating biographies for social media accounts, and creating AI-generated profile pictures for fake accounts on X.

"Threat actors continue to evolve and experiment with our models, but we have not seen evidence of this leading to meaningful breakthroughs in their ability to create substantially new malware or build viral audiences," the artificial intelligence (AI) company said.

It also said it disrupted activity that generated social media content related to elections in the U.S., Rwanda, and to a lesser extent India and the European Union, and that none of these networks attracted viral engagement or sustained audiences.

This included efforts undertaken by an Israeli commercial company named STOIC (also dubbed Zero Zeno) that generated social media comments about Indian elections, as previously disclosed by Meta and OpenAI earlier this May.

Some of the cyber operations highlighted by OpenAI are as follows -

*   SweetSpecter, a suspected China-based adversary that leveraged OpenAI's services for LLM-informed reconnaissance, vulnerability research, scripting support, anomaly detection evasion, and development. It has also been observed conducting unsuccessful spear-phishing attempts against OpenAI employees to deliver the SugarGh0st RAT.

*   Cyber Av3ngers, a group affiliated with the Iranian Islamic Revolutionary Guard Corps (IRGC) used its models to conduct research into programmable logic controllers.

*   Storm-0817, an Iranian threat actor used its models to debug Android malware capable of harvesting sensitive information, tooling to scrape Instagram profiles via Selenium, and translating LinkedIn profiles into Persian.

Elsewhere, the company said it took steps to block several clusters, including an influence operation codenamed A2Z and Stop News, of accounts that generated English- and French-language content for subsequent posting on a number of websites and social media accounts across various platforms.

"\[Stop News\] was unusually prolific in its use of imagery," researchers Ben Nimmo and Michael Flossman said. "Many of its web articles and tweets were accompanied by images generated using DALL·E. These images were often in cartoon style, and used bright color palettes or dramatic tones to attract attention."

Two other networks identified by OpenAI Bet Bot and Corrupt Comment have been found to use their API to generate conversations with users on X and send them links to gambling sites, as well as manufacture comments that were then posted on X, respectively.

The disclosure comes nearly two months after OpenAI banned a set of accounts linked to an Iranian covert influence operation called Storm-2035 that leveraged ChatGPT to generate content that, among other things, focused on the upcoming U.S. presidential election.

"Threat actors most often used our models to perform tasks in a specific, intermediate phase of activity — after they had acquired basic tools such as internet access, email addresses and social media accounts, but before they deployed 'finished' products such as social media posts or malware across the internet via a range of distribution channels," Nimmo and Flossman wrote.

Cybersecurity company Sophos, in a report published last week, said generative AI could be abused to disseminate tailored misinformation by means of microtargeted emails.

This entails abusing AI models to concoct political campaign websites, AI-generated personas across the political spectrum, and email messages that specifically target them based on the campaign points, thereby allowing for a new level of automation that makes it possible to spread misinformation at scale.

"This means a user could generate anything from benign campaign material to intentional misinformation and malicious threats with minor reconfiguration," researchers Ben Gelman and Adarsh Kyadige said.

"It is possible to associate any real political movement or candidate with supporting any policy, even if they don't agree. Intentional misinformation like this can make people align with a candidate they don't support or disagree with one they thought they liked."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

OpenAI Blocks 20 Global Malicious Campaigns Using AI for Cybercrime and Disinformation

Austin, TX, USA, 10th October 2024, CyberNewsWire

**Austin, TX, USA, October 10th, 2024, CyberNewsWire –** IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading Investigations solution used by CTI teams, security operations, fraud and risk prevention analysts, and law enforcement globally

**SpyCloud**, the leader in Identity Threat Protection, announced that its SaaS Investigations solution has been enhanced with identity analytics that illuminates the scope of digital identities and accelerates successful outcomes of complex investigations from days or hours to minutes.

SpyCloud Investigations is a powerful cybercrime and identity threat investigation solution used by analysts and investigators to discover and act on threats by navigating the world’s largest repository of recaptured breach, malware, and phishing data. It powers rapid analysis of identity exposures across organizations, VIPs and supply chains, pattern of life analysis, threat actor attribution, insider risk analysis, financial crimes research, and more.

SpyCloud Investigations now includes IDLink, the company’s advanced analytics technology that automatically delivers expanded digital identity results from a simple search query. Where a traditional threat intelligence or investigations tool may provide a small number of records directly correlated to the search input, IDLink expands the pool of results to include identity data correlated across shared usernames, emails, passwords, and PII – with flexible options around pivoting depth, confidence levels, and visualization.

Based on more than a decade’s worth of techniques and expertise developed by renowned investigators at SpyCloud, including former intelligence agency personnel, IDLink uniquely provides a more comprehensive picture of identity compromise to give analysts more avenues for investigation while reducing errors and missed data points. Organizations with fewer in-house CTI, security operations, or fraud/e-crime prevention resources now have an easy-to-use solution to expand their investigative capabilities without adding additional expertise or headcount.

> “SpyCloud Investigations is the ultimate force multiplier for security teams,” said Jason Lancaster, SpyCloud’s senior vice president of investigations. “SpyCloud’s team of investigators have decades of experience investigating cybercrimes day and night, across all manner of use cases, with public and private sector partners. We’ve spent the last year infusing this knowledge into our solution so analysts at all skill levels can reap the benefits.”

With IDLink advanced analytics now foundational to its industry-leading solution, SpyCloud Investigations offers users the ability to visualize holistic identities of exposed employees, consumers, vendors, and cybercriminal actors themselves to more quickly and comprehensively identify and act on risks – helping them achieve:

*   **Up-leveled Analyst Output**: Investigative workflows automate the process of identifying hidden identity exposures, up-levelling analysts and investigators of all skill levels, increasing team productivity, discovery, and resolution.
*   **Hidden Connections:** IDLink automatically connects the dots and rapidly pieces together a holistic view of a digital identity, in minutes instead of hours of advanced analysis previously.
*   **Attribution:** Automated analytics deliver linked exposed identity assets and records, reducing dead ends in investigations and delivering critical details about criminal actors and threats.

This announcement comes at a time when adversaries are increasingly using stolen identity data to bypass security measures and exploit exposed access. This is evidenced by large-scale infostealer malware campaigns and headline-grabbing breaches, such as the National Public Data breach, which leaked 2.7 billion identity records – including hundreds of millions of Americans’ Social Security numbers.

> “There is a vast amount of personal information in criminals’ hands,” said Jason. “SpyCloud Investigations gets that same data into the right hands, faster, to protect businesses and their users. By illuminating connections, opening up new threads to investigate, and offering unlimited queries to SpyCloud’s enriched database of breached, phished, and malware-exfiltrated data, analysts can visualize threats and act decisively, enhancing organizational resilience against cybercrime and identity threats.”

For more information about SpyCloud Investigations or to schedule a complimentary demo to explore your data, users can contact us here.

****About SpyCloud****

SpyCloud transforms recaptured darknet data to disrupt cybercrime. Its automated identity threat protection solutions leverage advanced analytics to proactively prevent ransomware and account takeover, safeguard employee and consumer accounts, and accelerate cybercrime investigations.

SpyCloud’s data from breaches, malware-infected devices, and successful phishes also powers many popular dark web monitoring and identity theft protection offerings. Customers include more than half of the Fortune 10, along with hundreds of global enterprises, mid-sized companies, and government agencies worldwide. Headquartered in Austin, TX, SpyCloud is home to more than 200 cybersecurity experts whose mission is to protect businesses and consumers from the stolen identity data criminals are using to target them now.

****Contact****

**Emily Brown**  
**REQ on behalf of SpyCloud**  
**\[email protected\]**

SpyCloud Adds Identity Analytics to Cybercrime Investigation Solution for Insider Risk

All across the Asia-Pacific region, large and diverse marketplaces for AI cybercrime tools have developed, with deepfakes proving most popular.

Source: dpa picture alliance via Alamy Stock Photo

Artificial intelligence-powered cyberattacks are rising exponentially in the Asia-Pacific region, particularly those involving deepfakes.

The United Nations Office on Drugs and Crime (UNODC) tracked a panoply of AI threats in its new report covering cybercrime in Southeast Asia. Cybercrime gangs have been using generative AI (GenAI) to create phishing messages in multiple languages, chatbots that manipulate victims, social media disinformation en masse, and fake documents for bypassing know-your-customer (KYC) checks. They've been using it to power polymorphic malware capable of evading security software, and to identify ideal targets, among other nefarious activities.

The standout threat, though, is deepfakes. From February to June 2024, UNODC tracked a 600% increase in mentions of deepfakes in cybercriminal Telegram channels and underground forums. And that's above and beyond the heavy activity from 2023, when deepfake crimes rose more than 1,500% compared with the year prior, and face swap injections rose 704% in the second half of the year compared with the first.

**Deepfake Attacks Proliferate**

Cybersecurity leaders in the Asia-Pacific are, like those around the world, anticipating a wave of AI-driven cyber troubles. In an Asia-focused Cloudflare survey published on Oct. 9, 50% of respondents said they expect AI will be used to crack passwords and encryption, 47% expect it will boost phishing and social engineering, 44% think it will boost distributed denial-of-service (DDoS) attacks too, and 40% see it being used to create deepfakes and support privacy breaches.

Most, if not all, of those concerns, though, are no longer theoretical, as some organizations can attest.

In January, for example, an employee at the Hong Kong office of Arup, a British engineering firm, received an email purporting to come from the company's chief financial officer (CFO) in London. The CFO instructed the employee to conduct a secret financial transaction. The employee later joined a videoconference with the CFO and other participants purporting to be from senior management, all of whom were, in fact, deepfakes. The result: In May, Arup reported losing 200 million Hong Kong dollars ($25.6 million).

Deepfakes of major political figures have spread widely, like the fake video and audio recordings of Singapore's prime minister and deputy prime minister in December 2023, and the fake video this past July showing a Southeast Asian head of state with illicit drugs. In Thailand, a female police officer was deepfaked in a campaign tricking victims into thinking they were speaking with actual law enforcement.

According to UNODC, half of all deepfake crimes reported in Asia in 2023 came from Vietnam (25.3%) and Japan (23.4%), but the most rapid rise in cases came from the Philippines, which experienced 4,500% more in 2023 than 2022.

It's all underpinned by a large ecosystem of malicious developers and buyers, on Telegram and in even shadier corners of the Deep Web. UNODC identified more than 10 deepfake software vendors that specifically serve cybercriminal groups in Southeast Asia. Their offerings sport the latest and greatest in deepfake tech, like Google's MediaPipe Face Landmarker — which captures detailed facial expressions in real time — the You Only Look Once v5 (YOLOv5) object detection model, and much more.

**Why Asia Suffers**

Though AI-driven cybercrime threatens organizations in every part of the world, it enjoys some particular advantages in Asia.

"Southeast Asia is very densely populated, and a large portion of the population doesn't know English, or English is not their first language," notes Shashank Shekhar, managing editor at India-based CloudSEK. The typical signs that might indicate a scam to a native English speaker might not translate to a non-native speaker. Besides that, he notes, "A lot of people are unemployed, looking for jobs, looking for opportunity."

Desperation has the effect of lowering victims' defenses. "There are some kinds of scams which only work well in this part of the world," says CloudSEK threat researcher Anirudh Batra. "Simpler scams are particularly prevalent because of the poverty that this region of the world has seen."

In the face of intractable socioeconomic forces, those old, tired lines about cyber education and hygiene may not feel like enough. Instead, cybercriminals will need to be stymied at the source: in those underground forums and channels where they trade their deepfake tools and cryptocurrency winnings. It's been done before.

"It's possible by collaborating: different countries coming together, sharing intelligence," Batra says. Though he warns, "Unless these guys are caught, another forum will come up tomorrow. It becomes really difficult to stop them, because the threat actors know that all three letter agencies are looking at the forums — everybody's crawling everything. So they keep a lot of backups. At any point of time, if \[their assets are\] seized, they'll start again with the mirror."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

AI-Powered Cybercrime Cartels on the Rise in Asia

Global Signal Exchange will act as a global clearing house for online scams and fraud signals.

Source: Photo by Photo Boy via Adobe Stock Photo

Google has announced Global Signal Exchange (GSE), a new project to facilitate the collection and sharing of data related to online scams and fraud. While the company is already blocking millions of attempted scams daily across all its products and services, this project will provide organizations with the necessary information they need to identify and block scams.

"We know from experience that fighting scams and the criminal organizations behind them requires strong collaboration among industry, businesses, civil society and governments to combat bad actors and protect users," wrote Amanda Storey, senior director of trust and safety at Google, and Nafis Zebarjadi, product manager of account security at Google, in a post announcing the project. 

Google is partnering with the Global Anti-Scam Alliance (GASA) and DNS Research Federation to launch GSE. The project will benefit from GASA's extensive network of stakeholders and expand on the DNS Research Federation's robust data platform, which already has over 40 million fraud signals. The company is providing the funding to launch GSE and will hold the centralized data engine on Google Cloud, the company said.

Participants will be able to share and ingest signals, while leveraging artificial intelligence to find patterns and match signals. GASA and the DNS Research Federation will manage access for qualifying organizations.

As part of a pilot program, GSE was able to share over 100,000 URLs of bad merchants and receive roughly 1 million signals. The company plans to start by sharing Google Shopping URLs that have already been flagged as scams and then eventually add data from other product areas.

"By joining forces and establishing a centralized platform, GSE aims to improve the exchange of abuse signals, enabling faster identification and disruption of fraudulent activities across various sectors, platforms and services," the company said.

Google Launches Data-Sharing Initiative to Fight Fraud

PRESS RELEASE

PITTSBURGH, PA – October 1, 2024 – ForAllSecure, the world's most advanced application security testing company, today announced it is changing its corporate name to Mayhem Security (“Mayhem”), signaling a new era of growth and opportunity aligned with its award-winning Mayhem Application Security platform.

Founded by a team of researchers from Carnegie Mellon, the company’s focus has evolved from research, development, and education to a product company centered around its Mayhem platform that quickly went from a Defense Advanced Research Project Agency (DARPA) Cyber Grand Challenge prototype to an in-demand commercialized AI-driven application security platform. Today, the Mayhem platform has been integrated into thousands of open-source projects, building a library of behavioral tests, identifying new zero-days, and helping defend against software supply chain threats. The name change follows record product achievements, with platform ARR rising 275% year over year and 78% of customers expanding their Mayhem footprint at or before their first subscription renewal.

“ForAllSecure has a long, successful history, from winning the DARPA Grand Challenge to dedicating ourselves to research and innovation in the cybersecurity industry through Mayhem Heroes, hackathons, and consulting,” said David Brumley, CEO of Mayhem. “Our new name and focus mark an important evolution for us as the Mayhem brand becomes synonymous with the platform that is transforming API security testing and has powered our growth. In fact, for several years, it was the majority of our revenue. Our new positioning is a natural next step as we continue the hard work of our dedicated researchers and hackers who will continue to push out innovative research and prototype new ways to defend software.” 

The past year has been a banner year, with the company achieving key innovation milestones. Most notably, Mayhem released Mayhem Dynamic software bill of materials (SBOM), which brings Mayhem’s runtime intelligence to the world of software composition analysis (SCA) and SBOM by looking at an application’s actual behavior to find only real, exploitable vulnerabilities, eliminating triage and investigations, and reducing false positives to increase developer velocity and minimize application risks. Mayhem re-architected its symbolic executor to test and triage 60% faster, released support for Windows-based applications, and launched a beta of automated harnessing for embedded systems. 

Under the name Mayhem Security, the company will continue to collaborate with the government and the industry to advance cybersecurity and revolutionize how organizations approach cybersecurity by automating the process of finding and fixing software vulnerabilities.

For more information, visit https://www.mayhem.security/.

You May Also Like

Tag

#intel