The North Korean threat actor known as ScarCruft has been observed using an information-stealing malware with previous undocumented wiretapping features as well as a backdoor developed using Golang that exploits the Ably real-time messaging service.
"The threat actor sent their commands through the Golang backdoor that is using the Ably service," the AhnLab Security Emergency response Center (

The North Korean threat actor known as ScarCruft has been observed using an information-stealing malware with previous undocumented wiretapping features as well as a backdoor developed using Golang that exploits the Ably real-time messaging service.

"The threat actor sent their commands through the Golang backdoor that is using the Ably service," the AhnLab Security Emergency response Center (ASEC) said in a technical report. "The API key value required for command communication was saved in a GitHub repository."

ScarCruft is a state-sponsored outfit with links to North Korea's Ministry of State Security (MSS). It's known to be active since at least 2012.

Attack chains mounted by the group entail the use of spear-phishing lures to deliver RokRAT, although it has leveraged a wide range of other custom tools to harvest sensitive information.

In the latest intrusion detected by ASEC, the email comes bearing a Microsoft Compiled HTML Help (.CHM) file -- a tactic first reported in March 2023 -- that, when clicked, contacts a remote server to download a PowerShell malware known as Chinotto.

Chinotto, in addition to being responsible for setting up persistence, retrieving additional payloads, including a backdoor codenamed AblyGo (aka SidLevel by Kaspersky) that abuses the Ably for command-and-control.

It doesn't end there, for AblyGo is used as a conduit to ultimately execute an information stealer malware dubbed FadeStealer that comes with various features to take screenshots, gather data from removable media and smartphones, log keystrokes, and record microphone.

"The RedEyes group carries out attacks against specific individuals such as North Korean defectors, human rights activists, and university professors," ASEC said. "Their primary focus is on information theft."

"Unauthorized eavesdropping on individuals in South Korea is considered a violation of privacy and is strictly regulated under relevant laws. Despite this, the threat actor monitored everything victims did on their PC and even conducted wiretapping."

UPCOMING WEBINAR

🔐 Mastering API Security: Understanding Your True Attack Surface

Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!

Join the Session

CHM files have also been employed by other North Korea-affiliated groups such as Kimsuky, what with SentinelOne disclosing a recent campaign leveraging the file format to deliver a reconnaissance tool called RandomQuery.

In a new set of attacks spotted by ASEC, the CHM files are configured to drop a BAT file, which is then used to download next-stage malware and exfiltrate user information from the compromised host.

Spear-phishing, which has been Kimsuky's preferred initial access technique for over a decade, is typically preceded by broad research and meticulous preparation, according to an advisory from U.S. and South Korean intelligence agencies.

  
The findings also follow the Lazarus Group's active exploitation of security flaws in software such as INISAFE CrossWeb EX, MagicLine4NX, TCO!Stream, and VestCert that are widely used in South Korea to breach companies and deploy malware.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

ScarCruft Hackers Exploit Ably Service for Stealthy Wiretapping Attacks

WordPress BookIt plugin versions 2.3.7 and below suffer from an authentication bypass vulnerability.

    On May 22, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Authentication Bypass vulnerability in StylemixThemes’s BookIt plugin, which is actively installed on more than 10,000 WordPress websites. The vulnerability makes it possible for an attacker to gain access to any account on the site, including the administrator account, if the attacker knows their email address.Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 22, 2023. Sites still using the free version of Wordfence will receive the same protection on June 21, 2023.We contacted StylemixThemes on May 22, 2023, and received a response the next day. After providing full disclosure details, the developer released the first patch on May 31, 2023, which still contained a vulnerability and then released the fully patch on June 13, 2023. We would like to commend the StylemixThemes development team for their prompt response and timely patch.We urge users to update their sites with the latest patched version of BookIt, version 2.3.8 at the time of this writing, as soon as possible.READ THIS POST ON THE BLOGVulnerability Summary from Wordfence IntelligenceDescription: BookIt <= 2.3.7 – Authentication Bypass Affected Plugin: Booking Calendar | Appointment Booking | BookItPlugin Slug: bookitAffected Versions: <= 2.3.7CVE ID: CVE-2023-2834CVSS Score: 9.8 (Critical)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/Researcher/s: Lana Codes Fully Patched Version: 2.3.8The BookIt plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.3.7. This is due to insufficient verification on the user being supplied during booking an appointment through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.Technical AnalysisThe BookIt plugin provides the shortcode ‘[bookit]‘ to embed an appointment booking calendar into a page on a WordPress site. By using this functionality, after selecting the date and time in the calendar, it is possible to book an appointment by providing the name, email address, and password for registration.Examining the code reveals that the plugin checks for the user id based on the email address supplied via the ‘email’ parameter. If the email belongs to an existing WordPress user, it will associate the request to that user and set the authentication cookies for that user.[View this code snippet on the blog]  Unfortunately, this functionality was insecurely implemented as it does not include any authentication checks such as password verification. It is simply looking for an identity and authorizing that claim without proper verification and authentication.This makes it possible for threat actors to bypass authentication and gain access to arbitrary accounts on sites running a vulnerable version of the plugin. As always, this makes it easy for threat actors to completely compromise a vulnerable WordPress site and further infect the victim.Disclosure TimelineMay 22, 2023 – Discovery of the Authentication Bypass vulnerability in BookIt.May 22, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.May 22, 2023 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.May 23, 2023 – The vendor confirms the inbox for handling the discussion.May 23, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.June 13, 2023 – A fully patched version of the plugin, 2.3.8, is released.July 21, 2023 – Wordfence Free users receive the same protection.ConclusionIn this blog post, we have detailed an Authentication Bypass vulnerability within the BookIt plugin affecting versions 2.3.7 and earlier. This vulnerability allows threat actors to bypass authentication and gain access to accounts of users, if the attacker knows the email address. The vulnerability has been fully addressed in version 2.3.8 of the plugin.We encourage WordPress users to verify that their sites are updated to the latest patched version of BookIt as soon as possible.Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 22, 2023. Sites still using the free version of Wordfence will receive the same protection on June 21, 2023.If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

WordPress BookIt 2.3.7 Authentication Bypass

Foreign affairs ministries in the Americas have been targeted by a Chinese state-sponsored actor named Flea as part of a recent campaign that spanned from late 2022 to early 2023.
The cyber attacks, per Broadcom's Symantec, involved a new backdoor codenamed Graphican. Some of the other targets included a government finance department and a corporation that markets products in the Americas as

Foreign affairs ministries in the Americas have been targeted by a Chinese state-sponsored actor named **Flea** as part of a recent campaign that spanned from late 2022 to early 2023.

The cyber attacks, per Broadcom's Symantec, involved a new backdoor codenamed Graphican. Some of the other targets included a government finance department and a corporation that markets products in the Americas as well as one unspecified victim in an European country.

"Flea used a large number of tools in this campaign," the company said in a report shared with The Hacker News, describing the threat actor as "large and well-resourced." "As well as the new Graphican backdoor, the attackers leveraged a variety of living-off-the-land tools, as well as tools that have been previously linked to Flea."

Flea, also called APT15, BackdoorDiplomacy, ke3chang, Nylon Typhoon (formerly Nickel), Playful Taurus, Royal APT, and Vixen Panda, is an advanced persistent threat group that's known to strike governments, diplomatic missions, and embassies since at least 2004.

Earlier this January, the group was attributed as behind a series of attacks targeting Iranian government entities between July and late December 2022.

Then last month, it emerged that the Kenyan government had been singled out in a far-reaching three-year-long intelligence-gathering operation aimed at key ministries and state institutions in the country.

The nation-state crew has also been implicated in multiple Android surveillance campaigns – SilkBean and BadBazaar – targeting Uyghurs in the People's Republic of China and abroad, as detailed by Lookout in July 2020 and November 2022, respectively.

Graphican is said to be an evolution of a known Flea backdoor called Ketrican, features from which have since been merged with another implant known as Okrum to spawn a new malware dubbed Ketrum.

The backdoor, despite having the same functionality, stands apart from Ketrican for making use of Microsoft Graph API and OneDrive to obtain the details of command-and-control (C&C) server.

"The observed Graphican samples did not have a hardcoded C&C server, rather they connected to OneDrive via the Microsoft Graph API to get the encrypted C&C server address from a child folder inside the "Person" folder," Symantec said.

UPCOMING WEBINAR

🔐 Mastering API Security: Understanding Your True Attack Surface

Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!

Join the Session

"The malware then decoded the folder name and used it as a C&C server for the malware."

It's worth pointing out that the abuse of Microsoft Graph API and OneDrive has been previously observed in the case of both Russian and Chinese threat actors like APT28 (aka Sofacy or Swallowtail) and Bad Magic (aka Red Stinger).

Graphican is equipped to poll the C&C server for new commands to run, including creating an interactive command line that can be controlled from the server, download files to the host, and set up covert processes to harvest data of interest.

One among the other noteworthy tools used in the activity comprise an updated version of the EWSTEW backdoor to extract sent and received emails on breached Microsoft Exchange servers.

"The use of a new backdoor by Flea shows that this group, despite its long years of operation, continues to actively develop new tools," Symantec said. "The group has developed multiple custom tools over the years."

"The similarities in functionality between Graphican and the known Ketrican backdoor may indicate that the group is not very concerned about having activity attributed to it."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hacker Group 'Flea' Targets American Ministries with Graphican Backdoor

VMware has flagged that a recently patched critical command injection vulnerability in Aria Operations for Networks (formerly vRealize Network Insight) has come under active exploitation in the wild.
The flaw, tracked as CVE-2023-20887, could allow a malicious actor with network access to the product to perform a command injection attack, resulting in remote code execution.
It impacts VMware

Vulnerability / Network Security

VMware has flagged that a recently patched critical command injection vulnerability in Aria Operations for Networks (formerly vRealize Network Insight) has come under active exploitation in the wild.

The flaw, tracked as **CVE-2023-20887**, could allow a malicious actor with network access to the product to perform a command injection attack, resulting in remote code execution.

It impacts VMware Aria Operations Networks versions 6.x, with fixes released in versions 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9, and 6.10 on June 7, 2023.

Now according to an update shared by the virtualization services provider on June 20, the flaw has been weaponized in real-world attacks, although the exact specifics are unknown as yet.

"VMware has confirmed that exploitation of CVE-2023-20887 has occurred in the wild," the company noted.

Data gathered by threat intelligence firm GreyNoise shows active exploitation of the flaw from two different IP addresses located in the Netherlands.

The development comes after Summoning Team researcher Sina Kheirkhah, who identified and reported the flaws, released a proof-of-concept (PoC) for the bug.

"This vulnerability comprises a chain of two issues leading to remote code execution (RCE) that can be exploited by unauthenticated attackers," Kheirkhah said.

UPCOMING WEBINAR

🔐 Mastering API Security: Understanding Your True Attack Surface

Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!

Join the Session

If anything, the speed at which either state actors or financially motivated groups turn around newly disclosed vulnerabilities and exploit them to their advantage continues to be a major threat for organizations across the world.

The disclosure also follows a report from Mandiant, which unearthed active exploitation of another flaw in VMware Tools (CVE-2023-20867) by a suspected Chinese actor dubbed UNC3886 to backdoor Windows and Linux hosts.

Users of Aria Operations for Networks are recommended to update to the latest version as soon as possible to mitigate potential risks.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Alert! Hackers Exploiting Critical Vulnerability in VMware's Aria Operations Networks

New product provides customers with an attacker's view of their cyber resilience aligned to business context.

**NEW YORK – June 20, 2023 –** Cymulate, the leader in exposure management and security validation, today announced the release of a ground-breaking new solution for organizations to run an informed continuous threat exposure management (CTEM) program. The CTEM program, which was coined by Gartner, Inc. is designed to diagnose the severity of exposures, create an action plan for remediation and facilitate a common language for discussions between business and technical teams. Disparate data sources, point-in-time collection, and lack of business context create challenges for cybersecurity teams to ingest and contextualize exposure data and translate it from a security concern to a business impact. The new Cymulate Exposure Analytics solution bridges this gap by ingesting data from Cymulate products and other third-party data on vulnerabilities, risky assets, attack paths, threat intelligence, and other security controls to create a risk-informed defense with business context.

Unlike other programs that focus on reactive detection and response, the Gartner CTEM program is centered on proactively managing risk and resilience. By aligning with this program, organizations apply a repeatable framework to scope, discover, prioritize, validate, and mobilize their offensive cybersecurity initiatives. The Cymulate Exposure Analytics solution has a quantifiable impact across all five of the CTEM program pillars and on a business’s ability to reduce risk by understanding, tracking, and improving its security posture.

**CTEM Alignment**

*   **Scoping:** Understand by organizational segment, the risk posture of business systems and security tools and its risk to immediate and emergent threats to define the highest impact programs needed to reduce or manage risk scores and tolerance
*   **Discovery:** Correlated analysis from Cymulate and multi-vendor data that assesses on-premises and cloud attack surfaces, risky assets, attack paths, vulnerabilities, and business impact
*   **Prioritization:** Vulnerability prioritization & remediation guidance based on multi-vendor aggregated data that is normalized, contextualized, and evaluated against breach feasibility
*   **Validation:** Analyze exposure severity, security integrity, and effectiveness of remediation from security validation assessment data. Immediate threat and security control efficacy data can be used to answer questions such as “Are we at risk to this emergent threat?”, “Do we have the necessary capabilities to protect us when under attack?”.
*   **Mobilization:** Utilize Cymulate contextualized data to understand various response outcome options, and establish and track performance against baselines, benchmarks, and risk profiles

"Cymulate has always taken an attacker’s view on cybersecurity defense, and through our experience in breach and attack simulation we have carefully studied the ways attackers creatively exploit vulnerabilities and other exposures driven by human error, misconfiguration, or control weaknesses," said Avihai Ben-Yossef, chief technology officer and co-founder of Cymulate. "This latest announcement provides customers with a centralized tool that leverages data collected from the Cymulate platform and other third-party exposure data sources and contextualizes it for scoping security risk, prioritizing remediation, tracking the performance of cybersecurity initiatives, and effectively communicating risk."

**Cymulate Exposure Analytics Capabilities**

**Contextualized Vulnerability Management:** Integrates with common vulnerability scanners and cybersecurity validation solutions to continuously provide organizations visibility, context, and risk for each vulnerability. Rather than simply prioritizing based on CVSS scores, Cymulate Exposure Analytics provides a security data fabric for contextualized vulnerability prioritization, which correlates vulnerability findings with business context and security control effectiveness. By integrating with tools for breach and attack simulation and continuous automated red teaming, Cymulate Exposure Analytics creates a risk score that considers the exploitability and effectiveness of compensating security controls.

**Risk-Based Asset Profile:** Creates a consolidated view of assets with context to their risk. The product aggregates data from vulnerability management, attack surface management, configuration databases, Active Directory, cloud security posture management, and other systems and then applies its risk quantification to score each asset. This risk-profiled asset inventory contains a quantified risk score for every endpoint, system, cloud container, virtual machine, application, email address, web domain, IoT/OT device, and more. This data can also be aggregated by business or operational context. The inventory includes details for each asset, including existing security controls, currently enforced policies, known vulnerabilities, un-patchable vulnerabilities or security gaps, and mitigation status.

**Remediation Planning:** Applies its risk quantification and aggregated asset inventory to create a prioritized list of mitigations that deliver the most significant risk reduction and improvement in cyber resilience. When available, the remediation plan presents remediation options that consider urgency, severity, and compensating controls – as well as the forecasted outcomes by modeling the risk impact of the mitigation.

**Measure and Baseline Cyber Resilience:** Quantifies risk as a key metric of cyber resilience to understand security resilience and business risk in the context of business units, mission-critical systems, and business operations. Risk scoring considers the attack surface, business context, control efficacy, breach feasibility, and external data such as CVSS scores and threat intel. With dynamic reporting and dashboards for baselines and visualizations, security leaders gain insights to measure and communicate cyber resilience and risk to executives, boards, and their peers.

**Platform Alignment:** Complements the company’s current platform, which includes Attack Surface Management (ASM), Breach and Attack Simulation (BAS), and Continuous Automated Red Teaming (CART) solutions. Exposure management and control validation tools are consolidating as businesses need to simplify how they understand risk and resilience to emergent threats and a rapidly changing attack surface. With the Cymulate modular offering, customers can deploy aligned to their current cybersecurity maturity and grow to leverage the platform's additional capabilities as their needs change.

Deployed on its own, Cymulate Exposure Analytics creates centralized intelligence and visibility to security posture with business context essential to an exposure management program. When deployed as part of the Cymulate Exposure Management and Security Validation Platform, the total solution enables and optimizes CTEM programs by merging the traditional vulnerability-based view of risk with the “attacker’s view” of the attack surface.

**Resources**

*   Datasheet
*   Website

**About Cymulate**

Cymulate, the leader in exposure management and security validation, provides a modular platform for continuously assessing, testing, and improving cybersecurity resilience against emergent threats, evolving environments, and digital transformations. The solution has a quantifiable impact across all five continuous threat exposure management (CTEM) program pillars and on a business’s ability to reduce risk by understanding, tracking, and improving its security posture. Customers can choose from its Attack Surface Management (ASM) product for risk-based asset profiling and attack path validation, Breach and Attack Simulation (BAS) for simulated threat testing and security control validation, Continuous Automate Red Teaming (CART) for vulnerability assessment, scenario-based and custom testing, and Exposure Analytics for ingesting Cymulate and third-party data to understand and prioritize exposures in the context of business initiatives and cyber resilience communications to executives, boards, and stakeholders. For more information, visit www.cymulate.com.

Cymulate Announces Security Analytics for Continuous Threat Exposure Management

ChatGPT usage growing 25% monthly in enterprises, prompting key decisions to block or enable based on security, productivity concerns.

**SANTA CLARA, Calif. – June 20, 2023 –** Netskope, a leader in Secure Access Service Edge (SASE), today announced general availability of a comprehensive data protection solution to help enterprises securely manage employee use of ChatGPT and other generative AI applications, such as Google Bard and Jasper. As part of its award-winning Intelligent Security Service Edge (SSE) platform and decade-long commitment to data security innovation, Netskope today can successfully enable safe usage of generative AI thanks to unique, patented data protection techniques not found in other vendors’ SSE platforms.

Following incidents in 2023 of sensitive data exposure from generative AI, many enterprises are now prioritizing if and how to safely enable the use of these applications and support AI innovation without putting their businesses at risk. According to Netskope research, currently \[1\]:

*   About 10% of enterprise organizations are actively blocking ChatGPT use by teams
*   ChatGPT adoption is growing exponentially in enterprises, currently at a rate of 25% month over month
*   Approximately 1 out of 100 enterprise employees actively uses ChatGPT daily, with each user submitting, on average, 8 prompts per day

To address this challenge, Netskope Intelligent SSE combines longstanding, industry-recognized Netskope data protection features with newly released innovations specifically for classifying and dynamically controlling safe usage of generative AI applications. These are available to Netskope customers today as a unified solution offering from Netskope and its network of channel partners. (Click to get started right away: http://netskope.com/chatgpt)

"Enterprises today are faced with deciding whether to block access to ChatGPT and other generative AI apps to reduce security risk, or allow usage and reap the efficiencies and other benefits these apps can bring about. The safe enablement of these apps is ultimately an advanced data protection challenge—one Netskope is uniquely positioned to solve," said Krishna Narayanaswamy, Netskope Co-Founder and Chief Technology Officer. "Netskope helps all organizations encourage the responsible use of these increasingly popular applications using the right data protection controls in place that help keep the business safe and productive."

As part of Intelligent SSE, Netskope Zero Trust Engine capabilities for the safe enablement of generative AI applications include:

**Comprehensive Application Usage Visibility**

*   Instant access to specific ChatGPT usage and trends within the organization via industry’s broadest discovery of SaaS (using a dynamic database of 60,000+ applications) and Advanced Analytics dashboards
*   Best-in-class Cloud Confidence Index™ (CCI) that actively classifies new generative AI applications and evaluates their risks accordingly
*   Granular context and instance awareness via patented Cloud XD™ inspection, which discerns access levels and data flows through application accounts, such as corporate vs. personal accounts
*   Visibility via a new web category specially created for identifying generative AI domains, enabling teams to configure access control and real-time protection policies, and manage traffic destined specifically for generative AI applications

**Advanced Application Access Control**

*   The ability to dynamically perform granular access to ChatGPT and other generative AI applications
*   Visual coaching messages to alert users in real-time on potential data exposure and other risks every time generative AI applications are accessed— promoting responsible use of generative AI applications and training employees in real time, without stopping harmless queries

**Advanced Data Protection**

*   The ability to monitor, allow, or block enterprise sensitive data (such as source code) from being posted to AI chatbots
*   Support for regulatory compliance needs such as GDPR, CCPA, HIPAA, and many others, using advanced data classifiers and ML-based detection

**The Highest Performing Security Services**

*   With SSE services powered by NewEdge, the world’s largest security private cloud presence with data centers in 65+ regions globally, Netskope provides customers with unparalleled service coverage, performance, and resilience

**A History and Tradition of AI/ML Innovation in Data Protection and Beyond**

Since its founding in 2012, Netskope has been continuously lauded for its advanced data protection capabilities and the uses of AI and machine learning (ML) innovation in its platform. These innovations include in data security, embedded UEBA, threat protection, IoT security, Borderless SD-WAN, AIOps and other areas, with advanced techniques for personally identifiable information (PII) image classification, whiteboard image detection, sensitive document classification, IoT device detection, WAN access anomaly detection, encrypted file detection, and many other critical use cases.

In addition, Netskope AI Labs is recognized as an authority in solving security and fraud problems through the responsible use of AI/ML in different domains, developing large-scale AI/ML models for real-time SSE and SASE use cases. Netskope’s team also includes inventors listed on hundreds of patents worldwide.

"As a leader in the transformation of network, cloud, and data security, Netskope is committed to the responsible use of artificial intelligence and machine learning. We work with peers, academia, thought leaders, and governments alike to safely direct AI/ML efforts in a way that will benefit and not cause harm to our customers, partners, employees, and their families," said Dr. Yihua Liao, Head of Netskope AI Labs. "Netskope AI Labs is a critical component of Netskope product and service innovation. Even more importantly, we help drive the right outcomes regarding AI's role in security and networking and how we can all take advantage of innovation with the right protections in place, whether for generative AI applications or any other compelling use case."

Among other recent accolades, Netskope was named a Leader in the 2023 Gartner®  Magic Quadrant™  for Security Service Edge and was the only SSE Leader to also rank among the highest three scoring vendors for all Use Cases in the companion Critical Capabilities for SSE report. Those use cases include “Identify and Protect Sensitive Information,” a data protection category in which Netskope received the highest scores among any SSE vendor.

For more on Netskope AI innovations:

*   Get the Netskope for ChatGPT solution brief
*   Join Netskope at Infosecurity Europe at ExCEL London this week, June 20-22, where Netskope AI innovations will be featured as part of Netskope SASE and Intelligent SSE demonstrations at Stand Z60. Click here to register for free and get the full list of Netskope Infosecurity activities.
*   Join Netskope for a special LinkedIn Live discussion, **“ChatGPT: Fortifying Data Security in the AI App-ocalypse”** featuring Netskope experts Krishna Narayanaswamy, Neil Thacker, and Naveen Pallavalli, on Thursday, June 22, at 12:30pm ET / 9:30am PT. Click here to confirm attendance.
*   Read the latest Netskope AI and ML insights via the Netskope blog
*   Visit the Netskope AI Labs resources page

**Gartner Disclaimer**

Gartner, “Magic Quadrant for Security Service Edge,” Charlie Winckless, Aaron McQuaid, John Watts, Craig Lawson, Thomas Lintemuth, Dale Koeppen. Published 10 April 2023 – ID G00766751.

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

GARTNER is a registered trademark and service mark, MAGIC QUADRANT is a registered trademark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.

**About Netskope**

Netskope, a global SASE leader, is redefining cloud, data, and network security to help organizations apply zero trust principles to protect data. Fast and easy to use, the Netskope platform provides optimized access and real-time security for people, devices, and data anywhere they go. Netskope helps customers reduce risk, accelerate performance, and get unrivaled visibility into any cloud, web, and private application activity. Thousands of customers, including more than 25 of the Fortune 100, trust Netskope and its powerful NewEdge network to address evolving threats, new risks, technology shifts, organizational and network changes, and new regulatory requirements. Learn how Netskope helps customers be ready for anything on their SASE journey, visit netskope.com.

Netskope Enables Secure Enterprise Use of ChatGPT and Generative AI Applications

Infostealers are as alive as ever, wantonly sweeping up whatever business data might be of use to cybercriminals, including OpenAI credentials.

In the last year, at least 100,000 devices infected by various infostealer malwares have leaked ChatGPT credentials to the Dark Web.

Infostealers can collect just about anything: information about a target machine, cookies and browser histories, documents, and so on. More often than not, hackers profit off of this kind of bounty not just by utilizing it themselves, but by reselling it on the Dark Web. For example, online marketplaces regularly traffic in logs that contain victims' account credentials for popular applications.

From June 2022 through last month, cybersecurity firm Group-IB tracked how many of these for-sale logs expose ChatGPT accounts. In total, it counted 101,134.

The malware overwhelmingly responsible for these leaks was Raccoon, the infamous Russian-designed tool first discovered in 2019. The Raccoon operation briefly shut down early last year after the death of its creator, only to come back new and improved three months later. Since then, it has been responsible for at least 78,348 devices leaking ChatGPT credentials.

Besides Raccoon, the researchers tracked 12,984 GPT-laden logs attributed to Vidar and 6,773 to Redline.

In the entire sample size, less than 5,000 infected devices were traced to North America. A plurality originated in the Asia-Pacific, with the biggest offenders being India (12,632) and Pakistan (9,217). Other countries with many exposed ChatGPT credentials included Brazil (6,531), Vietnam (4,771), and Egypt (4,558).

**ChatGPT Logins the Tip of the Iceberg**

Last December — the first month ChatGPT was made available to the public — the researchers tracked 2,766 Dark Web stealer logs containing compromised accounts. That number surpassed 11,000 the following month and doubled two months after that. By May, the figure was up to 26,802.

In other words, the trendline is clearly only moving in one direction.

But ChatGPT credentials are almost beside the point, says Mike Parkin, senior technical engineer at Vulcan Cyber. "Infostealers can be an issue, at least in part, because they're not as outwardly destructive as, say, ransomware, which is hard to miss. A well obfuscated infostealer can be much harder to detect, precisely because it doesn't make itself known."

Because organizations can more easily miss infostealers than certain other kinds of malware, they're liable to realize their sensitive data is gone only after it's too late.

"Depending on the strain of information stealer, hackers can be gathering everything from application and Web credentials to personal information, stored files, and system configurations. Organizations that have these malware infections in their environment could face having intellectual property, company financials, and pretty much any other data that lands on infected systems exposed," Parkin says.

As long as infostealers continue to run rampant, ChatGPT credentials will be the least of anybody's worries. "The real question," Parkin asks, "is what kind of data isn't being leaked by these kinds of malware?"

100K+ Infected Devices Leak ChatGPT Accounts to the Dark Web

The ransomware landscape is energized with the emergence of smaller groups and new tactics, while established gangs like LockBit see fewer victims.

There was a rise in the number of ransomware victims in May compared to the previous month, although LockBit, the leading ransomware group, saw a 30% decrease in observed victims (110 to 77) from April to May.

Ransomware heavyweight AlphV also experienced a decline in posted victims, with 38 observed victims in May compared to 51 in April.

That drying up was offset by several new branded groups entering the scene, contributing to an overall increase in observed ransomware victims, according to GuidePoint Security's latest GRIT report.

The May GRIT report highlighted a diverse slate of active threat groups, with 28 observed groups claiming victims. There was a 13.57% increase in publicly posted ransomware victims from April to May, and 410 incidents total, led by victims in the United States — far and away the most targeted country.

The report noted that the fledgling Akira ransomware group has gained particular prominence just since April (the name a potential nod to the 1988 Japanese anime cult classic in which a biker is turned into a rampaging psychopath). The gang is primarily known for a unique data-leak site designed as an interactive command prompt using jQuery.

Educational organizations have been disproportionately targeted by Akira, representing eight of its 36 observed victims. The group follows the "double extortion" approach: stealing data from victims and threatening to leak it if the ransom is not paid.

While there isn't enough data to make a definitive hypothesis, GuidePoint Security threat intelligence consultant Nic Finn notes he has observed some of the new groups significantly lowering their initial ransomware demand.

"If this trend continues, it could indicate that ransomware groups are attempting to shorten the time between victimization and ransomware payment," he says.

Overall, though, the GRIT findings echoed the 2023 Verizon Data Breach Investigations Report in noting escalating ransomware costs.

**Emergence of New Ransomware Groups**

GRIT has also identified other fresh-faced ransomware groups on the scene, such as 8Base, Malas, Rancoz, and BlackSuit, each with its own distinct characteristics and targets.

8Base, which claimed 67 victims in the past year, has primarily targeted the banking and finance industry and is focused primarily on the US and Brazil, while the extortion group Malas was observed performing mass exploitation of business email and collaboration software Zimbra.

There is little known about Rancoz, which has posted just two victims so far — one in the tech sector and one in manufacturing — while BlackSuit was flagged for the maturity of its operations despite only one observed victim.

These emerging threat groups have deployed a combination of established and innovative tactics, aiming to blend in and profit amid the crowded ransomware landscape, explains Finn.

He notes one method that's been observed lately is a shift toward single extortion, focused around exfiltrated data — no encryption necessary.

"This is much more sustainable for ransomware groups because it involves less troubleshooting with victims when the decryptors fail," he says.

Finn explains the recent behavior of ransomware groups suggests they are following whatever tactics they believe to be more novel and successful.

"The trend back toward single extortion through the threat of data publication could be the result of perceived success by other groups, or it could be a determination they are making based on their interactions with victims," he says.

For example, if a good portion of their victims are asking to lower the ransom demand in exchange for just proof of deletion and guarantees not to attack them again, this may lead ransomware groups to assume that a good portion of their victims have backups in place, making it the effort of encrypting a victim network seem superfluous.

"Organizations following data backup best practices should remain diligent about developing detections and monitoring activity for any potential data exfiltration efforts, as this single extortion trend will definitely continue and likely grow throughout 2023," Finn says.

**Education Sector in the Sights**

As evidenced by Akira and older groups like Vice Society, ransomware groups are increasingly targeting educational institutions, from daycare centers to major universities. In total, ransomware groups posted 35 unique victims in the education industry in May.

"A recent influx in vulnerabilities affecting software commonly used in schools, such as the PaperCut MF/NG vulnerability," the report noted.

"It seems like the education sector is seeing heavy targeting because there is so much personally identifiable (PII) and sensitive student data available in the resulting data," Finn says. "Additionally, the number of individuals impacted is exponential to the size of the victim organization."

For example, a school system with just a thousand or so active students could still house records and data on thousands more former students, plus information relating to parents of the students who have data at risk.

"Another big factor is media attention," he adds. "Ransomware actors follow the trends that get them media coverage. The cyberattack against the LA Unified School District brought about a lot of media attention, so it's likely that more groups are matching that trend to replicate the coverage."

**MOVEit and Mass Exploitation**

Another factor in the recent growth of successful ransomware attacks is the phenomenon of ransomware groups are exploiting zero-day vulnerabilities _en masse_, the report noted, conducting exfiltration, and expecting victims to reach out to them to coordinate for ransoms.

The ongoing Cl0p attacks exploiting the MOVEit vulnerability against hundreds of organizations are emblematic of the trend, which is also seen with the DeadBolt ransomware variant and another recently exploited by a threat actor to deploy Nokoyawa ransomware.

"It appears that Cl0p has a team of highly technical hackers working on mass exploitation, especially of file transfer software," Finn adds.

Recent reporting indicates that the group began working on the MOVEit exploitation as far back as 2021, and even delayed the mass exploitation of the vulnerability until it completed a different mass exploitation campaign against the GoAnywhere MFT service earlier this year.

"This indicates a significant strategic planning capability, even down to the decision to begin exploitation of this MOVEit vulnerability over the Memorial Day weekend, when less staff is available to respond right away," he says.

While there has been a noted slowdown in ransomware activity over the summer for the past two years, which Finn adds may still occur this year, there's also "a good chance" that other ransomware groups attempt to mimic the behavior of groups like Cl0p and attempt mass exploitation, which could offset declines in activity elsewhere.

Fresh Ransomware Gangs Emerge as Market Leaders Decline

A criminal crowd-sourcing campaign has led to swift adoption of the stealer, which can pilfer key computer data, credentials from browsers and chat apps, and cryptocurrency from multiple wallets.

A stealthy stealer that can lift credentials from scores of Web browsers and extensions, and steal cryptocurrency, has quickly become a favorite of cybercriminals since it first appeared on underground marketplaces in April.

The Mystic Stealer has established a strong foothold in the threat landscape in only its first several months of existence thanks to a combination of advanced capabilities, pricing, and the crowdsourcing of recommendations that have led to ongoing updates and improvements. That's according to two simultaneously released reports, one by Cyfirma and the other a collaboration between Inquest and Zscaler.

The stealer — which typically goes for a subscription fee of $150 per month, or $390 for a three-month subscription — has similar capabilities to pilfer data from a victim's computer to other forms of this type of malware, paired with obfuscation techniques that make it, by design, capable of advanced evasion, the researchers said.

"It seems clear that the developer of Mystic Stealer is looking to produce a stealer on par with the current trends of the malware space while attempting to focus on anti-analysis and defense evasion," Zscaler researchers wrote in their post.

Mystic Stealer can steal a wide array of information, ranging from computer data such as the system hostname, username, and GUID, to credentials from nearly 40 Web browsers and more than 70 browser extensions, they said. Additionally, it targets Bitcoin, DashCore, Exodus, or any other popular cryptocurrencies, and can steal Telegram and Steam credentials.

So far, the regions where researchers have found the most instances of attackers wielding Mystic Stealer are the US, Germany, Finland, France, and Russia, in that order.

**Commitment to Evasion & Malware Improvement**

Unique to Mystic Stealer compared to similar forms of malware is its inventors' vested interested in making it difficult to detect or analyze, as well as a commitment to continuously advancing its capabilities by appealing to its user base for feedback, the researchers said.

In terms of evasion, Mystic Stealer's code is heavily obfuscated, with its creators using polymorphic string obfuscation, hash-based import resolution, and runtime calculation of constants, as well as a custom binary protocol that is encrypted with RC4, according to InQuest and Zscaler.

But perhaps the key reason the malware has caught on so fast — with the researchers already discovering more than 50 actively operational command and control (C2) servers in only about two months — is that its creators did something unique soon after its release. That is, they made the stealer available for testing to underground forum veterans to verify its effectiveness and make suggestions for enhancement, which were incorporated into new versions of the stealer, noted Cyfirma researchers.

"The threat actor demonstrates an understanding of the significance of receiving validation from established members within the underground forum regarding the product," Cyfirma researchers wrote in their post. "Furthermore, the author of the product openly invites suggestions for additional improvements in the stealer, as is evident in the updated releases, which signifies an ongoing effort to enhance the product."

**Mystic Stealer De-Mystified: Technical Details**

On the technical side of things, Mystic Stealer is implemented in C for the client and Python for the control panel and is purported to target all Windows versions from XP to Windows 11, with support for both x86 and x64 architectures, according to Cyfirma.

It can evade detection by most AV products, operating in memory and using system calls for compromising targets, the researchers said. This ensures that no trace is left on the hard disk during the data exfiltration process.

"Once target data is identified, the malware compresses, encrypts, and transmits it," the Cyfirma researchers wrote. "Client authentication is not required; data is transmitted as it is received.

Moreover, its developers created the malware without reliance on third-party libraries for decrypting or in decoding target credentials, both reports noted, which is unique to stealer malware.

"Some leading stealer projects download DLL files post-install to implement functionality to extract credentials from files on the local system," the InQuest and Zscaler researchers wrote.

Instead, of doing this, Mystic Stealer collects and exfiltrates information from an infected system and then sends the data to the C2 server that handles parsing, they said.

"This is a different approach from many leading stealers and is likely an alternate design to keep the size of the stealer binary smaller and the intention less clear to file analyzers," the researchers wrote.

**Defending Against Infostealers**

With the quick spread of the particularly evasive Mystic Stealer — and the prevalence of stealer malware in general — the Cyfirma team recommends that organizations implement robust security measures to avoid compromise in the advent of an attack, the researchers said.

"Mystic Stealer poses substantial risks and potential impacts from the perspective of external threat landscape management," they wrote.

This should include a best-practices layered defense strategy that combines threat prevention technologies, up-to-date antivirus software, firewalls, intrusion detection systems, and regular security patching, which can significantly reduce the risk of Mystic Stealer infiltration, the researchers said.

Organizations should also put into place continuous monitoring of threat-intelligence sources by sharing threat information within security communities and leveraging threat-intelligence feeds so they can stay updated on the latest indicators of compromise associated with Mystic Stealer, the researchers said. "This allows for early detection, response, and mitigation efforts," they wrote.

Educating employees on security best practices, how to recognize phishing attempts — which may attempt to spread the stealer — and maintaining an overall culture of security awareness is also crucial to helping organizations avoid compromise, the researchers said.

Finally, every organization should have a strong incident-response plan in case of attack that includes communication protocols, forensics investigation processes, and backup and recovery strategies, they added.

Mysterious Mystic Stealer Spreads Like Wildfire in Mere Months

It's still important to use other security measures, such as strong passwords and two-factor authentication, to protect your data.

Google has introduced new blue verified check marks for Gmail addresses. According to Google, the new feature helps protect inboxes against malicious and unwanted emails and increases confidence that those emails are from legitimate sources. Gmail users who added Google's Brand Indicators for Message Identification (BIMI) feature will now see a check mark icon instead of the verified brand logo.

Creating a verification process makes sense — until hackers and spammers decide to make it their mission to find flaws in the capability. Bypassing blue check marks will be another chapter in the long history of business email compromise schemes designed to propagate malicious code. By sending out emails with impersonated blue check marks, legacy security protection layers will likely pass the message to the suspecting victims.

**Another Layer of Protection or Just Another Layer?**

Hackers can create fake email accounts that look like they have been verified by Google. They can create a new account and then use a tool to generate a fake verification badge. Once the account has been created, the hacker can then send phishing emails or other malicious messages that appear to come from a legitimate source.

Hackers can use social engineering to trick users into revealing their passwords. They can send emails that appear to be from a legitimate source, such as a bank, government agency, or customer service representative. Or they may create a message that offers a free gift or discount. The email typically will contain a link that takes the user to a fake website that looks like the real thing. Once the user enters their login credentials, the hacker can then use them to access the user's Gmail account.

Hackers can use malware to steal login credentials. This can be done by sending emails that contain attachments infected with malware. Once the user opens the attachment, the malware will be installed on their computer. The malware can then be used to steal the user's login credentials for Gmail and other online accounts.

Also, don't be surprised when hackers send phishing emails with an artificial Gmail verification process to potential victims, fooling them into thinking they're helping them earn their blue check marks and stealing their credentials instead.

Creating accounts impersonating a domain and a user isn't something new. Email impersonation, especially with recently established email-sending domains, continues to create havoc with organizations trying to avoid email phishing attacks. Hackers have made these accounts and placed a fake verified badge to fool the receiving email user.

**Integrating Security Layers Continue to Be a Proven Strategy**

To contend with this new attack vector, organizations must invest in security solutions, including DMARC, SPF, and DKIM for domain authentication, sandboxing all attachments, and leveraging threat intelligence to help stop malware.

Using passwords with multifactor authentication, leveraging one-time passwords, biometrics, and even challenge and reply tokens could help businesses protect its data while standardizing a universal authentication strategy across the company.

The continuous investment in security as a platform instead of bolting on a new control layer is a wise move. With every innovative way to stop hackers from impersonating, stealing data, and spreading malware, there will be an element of exploitation the hackers will soon discover.

Security platforms using agile and DevOps rapid deployment can quickly add additional protection layers without the everyday user experience. Through the rapid deployment of features, security providers can respond quickly to changing threat landscape without causing service outages or exposing organizations to other attack vectors.

Google's new verified blue check mark feature is just one layer of security. It is important to use other security measures, such as strong passwords and multifactor authentication, to protect your Gmail account. And companies must continue to invest in end-user education and security awareness training to make sure those verified emails actually come from authentic people.

Tag

#intel