By the CyberWire staff
At a glance.
- A look at state-sponsored threat actors' use of AI technologies.
- US Justice Department disrupts GRU botnet.
- US reportedly launches cyberattack against Iranian military ship.
- Turla deploys new backdoor.
- US DOD discloses data breach.
- Bumblebee loader resurfaces.
- Linux RaaS framework released as open-source tool.
- Researchers uncover DNSSEC vulnerability.
- Raspberry Robin uses undisclosed exploits.
- US Justice Department shutters Warzone RAT operation.
A look at state-sponsored threat actors' use of AI technologies.
Microsoft and OpenAI have published a report looking at how state-backed threat actors from China, Iran, North Korea, and Russia are using AI technologies, particularly large language models (LLMs), as offensive tools. The researchers say a North Korean threat actor tracked by Microsoft as "Emerald Sleet" (also known as "Kimsuky") uses LLMs to assist in crafting spearphishing lures. An Iranian threat actor Microsoft tracks as "Crimson Sandstorm" has been using LLMs for "requests for support around social engineering, assistance in troubleshooting errors, .NET development, and ways in which an attacker might evade detection when on a compromised machine."
Microsoft and OpenAI assess that a Chinese actor known as "Charcoal Typhoon" is using LLMs "to support tooling development, scripting, understanding various commodity cybersecurity tools, and for generating content that could be used to social engineer targets." Another China-affiliated threat actor, Salmon Typhoon (also known as "APT4" or "Maverick Panda"), appears to be "evaluating the effectiveness of LLMs in sourcing information on potentially sensitive topics, high profile individuals, regional geopolitics, US influence, and internal affairs."
The researchers also found that Forest Blizzard, a threat actor tied to Russia's GRU Unit 26165, has used LLMs to conduct "research into various satellite and radar technologies that may pertain to conventional military operations in Ukraine, as well as generic research aimed at supporting their cyber operations."
US Justice Department disrupts GRU botnet.
The US Federal Bureau of Investigation (FBI) announced yesterday that it had disrupted a botnet controlled by Russia's APT28 (also known as "Fancy Bear"), a threat actor attributed to the Russian GRU's Military Unit 26165. The botnet was composed of "hundreds of small office/home office (SOHO) routers," and was used to conduct "vast spearphishing and similar credential harvesting campaigns against targets of intelligence interest to the Russian government, such as U.S. and foreign governments and military, security, and corporate organizations."
The FBI stated, "This botnet was distinct from prior GRU and Russian Federal Security Service (FSB) malware networks disrupted by the Department in that the GRU did not create it from scratch. Instead, the GRU relied on the 'Moobot' malware, which is associated with a known criminal group. Non-GRU cybercriminals installed the Moobot malware on Ubiquiti Edge OS routers that still used publicly known default administrator passwords. GRU hackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform."
US reportedly launches cyberattack against Iranian military ship.
NBC News reports that the US launched a cyberattack against an Iranian military ship that had been gathering intelligence on cargo vessels in the Red Sea and the Gulf of Aden. The publication quotes unnamed US officials as saying the operation "was intended to inhibit the Iranian ship’s ability to share intelligence with Houthi rebels in Yemen who have been firing missiles and drones at cargo ships in the Red Sea."
Turla deploys new backdoor.
Cisco Talos describes a new backdoor deployed by the Russian threat actor Turla. The backdoor, which Talos has dubbed "TinyTurla-NG," was used in December 2023 to target "a Polish non-governmental organization (NGO) working on improving Polish democracy and supporting Ukraine during the Russian invasion." The researchers assess that the malware is "a small 'last chance' backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems."
US DOD discloses data breach.
The US Department of Defense has notified more than 20,000 individuals that their personal information was exposed in a data breach early last year, DefenseScoop reports. DefenseScoop quotes a notice sent by the Defense Intelligence Agency to a Defense Department official as saying, "During the period of February 3, 2023 through February 20, 2023, numerous email messages were inadvertently exposed to the Internet by a [DOD] service provider. Unfortunately, some of these email messages contained PII associated with individuals employed by or supporting the DOD, or individuals seeking employment with the DOD. While there is no evidence to suggest that your PII was misused, the department is notifying those individuals whose PII may have been breached as a result of this unfortunate situation."
TechCrunch says the affected cloud email server was hosted on Microsoft’s cloud for government customers, and was accessible from the internet without a password.
Bumblebee loader resurfaces.
Proofpoint warns that the Bumblebee malware downloader has resurfaced with a large phishing campaign targeting organizations in the US. The downloader had been popular with several cybercriminal groups following its appearance in March 2022 before going dark in October 2023. In this recent campaign, "Proofpoint observed several thousand emails targeting organizations in the United States with the subject 'Voicemail February' from the sender 'info@quarlesaa[.]com' that contained OneDrive URLs. The URLs led to a Word file with names such as 'ReleaseEvans#96.docm' (the digits before the file extension varied). The Word document spoofed the consumer electronics company Humane."
The researchers add, "It is notable that the actor is using VBA macro-enabled documents in the attack chain, as most cybercriminal threat actors have nearly stopped using them, especially those delivering payloads that can act as initial access facilitators for follow-on ransomware activity."
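The campaign's indicators (the subject line, the sender address, the file-name pattern, and the use of a macro-enabled .docm) lend themselves to gateway-side triage. The following is an added example, not Proofpoint's or the CyberWire's code: it checks an attachment against those indicators and, independently of the file extension, looks inside the OOXML container for a VBA project. The helper that builds a tiny in-memory .docm is constructed test data, not a real lure, and the sender indicator is kept defanged as printed in the report and refanged only for comparison.

```python
import io
import re
import zipfile

# Indicators quoted in the Bumblebee report (sender kept defanged as printed)
CAMPAIGN_SUBJECT = "Voicemail February"
CAMPAIGN_SENDER = "info@quarlesaa[.]com"
LURE_NAME_RE = re.compile(r"^ReleaseEvans#\d+\.docm$", re.IGNORECASE)
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".pptm"}
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def refang(indicator):
    """Turn a defanged indicator back into the literal value for matching."""
    return indicator.replace("[.]", ".")


def has_vba_project(blob):
    """True if an OOXML file carries a VBA project, judged by the zip members
    and the content-types manifest rather than by the file name."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = set(zf.namelist())
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return VBA_CONTENT_TYPE in manifest
    except zipfile.BadZipFile:
        return False
    return False


def triage_attachment(subject, sender, filename, blob):
    """Return a list of findings for one message/attachment pair;
    an empty list means nothing matched."""
    findings = []
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in MACRO_EXTENSIONS:
        findings.append("macro-enabled extension")
    if has_vba_project(blob):
        findings.append("VBA project inside OOXML container")
    if LURE_NAME_RE.match(filename):
        findings.append("file name matches reported lure pattern")
    if subject.strip().lower() == CAMPAIGN_SUBJECT.lower():
        findings.append("subject matches reported campaign")
    if sender.strip().lower() == refang(CAMPAIGN_SENDER):
        findings.append("sender matches reported campaign")
    return findings


def make_docm(with_macro):
    """Constructed sample: a minimal OOXML container, optionally with a
    (placeholder) VBA project part. Test data only, not a real document."""
    overrides = ['<?xml version="1.0"?><Types>']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
            overrides.append(
                f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
            )
        overrides.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(overrides))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed message matching the reported lure
    print(triage_attachment("Voicemail February", "info@quarlesaa.com",
                            "ReleaseEvans#96.docm", make_docm(True)))
    # Constructed benign message
    print(triage_attachment("Q3 report", "alice@example.org",
                            "report.docx", make_docm(False)))
```

The container check matters more than the extension or the subject: the subject and file name change from campaign to campaign, while a document that executes macros must carry a VBA project part regardless of what it is called.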
Linux RaaS framework released as open-source tool.
SentinelOne has published a report on the Kryptina ransomware-as-a-service (RaaS) operation, noting that the gang's Linux attack framework has shifted from a paid service to an open-source tool. Kryptina's developer published the tool's entire source code on BreachForums earlier this month: "The developer’s stated reasons for releasing the source code of Kryptina were that it had failed to attract buyers. Given the short period of time between its first appearance as a paid offering and release of the open source code, some may not find this credible. Other motivations could include an attempt to build kudos within the cybercrime community, feuds with other criminals and/or fear of attention from law enforcement. Whatever the motivation, the release of the RaaS source code, complete with extensive documentation, could have significant implications for the spread and impact of ransomware attacks against Linux systems."
Researchers uncover DNSSEC vulnerability.
Researchers at the ATHENE National Research Center for Applied Cybersecurity in Germany have discovered a vulnerability (CVE-2023-50387) affecting the Domain Name System Security Extensions (DNSSEC), SecurityWeek reports. The researchers have developed a class of attacks they've dubbed "KeyTrap" that could enable a single DNS packet to "stall all widely used DNS implementations and public DNS providers."
The vulnerability's description explains, "The processing of responses coming from specially crafted DNSSEC-signed zones can cause CPU exhaustion on a DNSSEC-validating resolver. By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service."
ATHENE said in a press release, "The researchers worked with all relevant vendors and major public DNS providers over several months, resulting in a number of vendor-specific patches, the last ones published on Tuesday, February 13. It is highly recommended for all providers of DNS services to apply these patches immediately to mitigate this critical vulnerability."
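Because the flaw shows up as CPU exhaustion in the validating resolver, the observable symptom on the operator's side is latency and timeouts on DNSSEC-enabled queries. The following is an added example, not ATHENE's or the CyberWire's code: a small probe that hand-builds a DNS query with the EDNS0 DO bit set (the path on which a validating resolver does its signature work), times the response, and reads the AD flag to confirm the resolver is still validating after patching. The resolver address and the query name are assumptions to be replaced with your own; the packet builders are testable offline.

```python
import socket
import struct
import time

DNS_TYPE_A = 1
DNS_TYPE_OPT = 41
FLAG_RD = 0x0100        # recursion desired
FLAG_AD = 0x0020        # authenticated data: resolver validated the answer
EDNS_DO_FLAG = 0x8000   # DNSSEC OK bit in the OPT record's flags field
EDNS_UDP_SIZE = 1232


def encode_name(name):
    """Encode a hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_query(name, qid=0x1234, qtype=DNS_TYPE_A):
    """Recursive query with one question and an EDNS0 OPT record carrying DO=1."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, "class" = UDP payload size,
    # "ttl" = ext-rcode(8) | version(8) | flags(16) with DO set, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", DNS_TYPE_OPT, EDNS_UDP_SIZE, 0, 0, EDNS_DO_FLAG, 0)
    return header + question + opt


def parse_header(packet):
    """Pull the fields a health check cares about out of a DNS response header."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": qid, "rcode": flags & 0x000F, "ad": bool(flags & FLAG_AD), "answers": an}


def probe_resolver(resolver_ip, name="example.com", timeout=2.0, port=53):
    """Send one DO=1 query and time the answer. A timeout or a latency spike on
    a validating resolver is the symptom a CPU-exhaustion bug produces; 'validated'
    tells you whether the resolver is still doing DNSSEC validation at all."""
    qid = 0x4B1D
    query = build_query(name, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        sock.sendto(query, (resolver_ip, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return {"ok": False, "reason": "timeout", "latency_ms": timeout * 1000}
    elapsed_ms = (time.monotonic() - start) * 1000
    hdr = parse_header(data)
    if hdr["id"] != qid:
        return {"ok": False, "reason": "id mismatch", "latency_ms": elapsed_ms}
    return {"ok": True, "rcode": hdr["rcode"], "validated": hdr["ad"], "latency_ms": elapsed_ms}


if __name__ == "__main__":
    import sys
    # Assumed resolver address; pass your own resolver IP as the first argument
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(probe_resolver(target))
```

Run it on a schedule from a monitoring host and alert on repeated timeouts or on a jump in latency_ms; a query name in a signed zone is needed for the AD flag to mean anything, so pick one you know is DNSSEC-signed.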
Raspberry Robin uses undisclosed exploits.
Researchers at Check Point warn that the Raspberry Robin malware used exploits for two Local Privilege Escalation vulnerabilities (CVE-2023-36802 and CVE-2023-29360) before they were publicly disclosed. The researchers note, "One of these exploits was also sold on the Dark Web as a 0-day exploit half a year before it was publicly disclosed. The second exploit was also used not long after it was publicly disclosed. We assume that Raspberry Robin buys the 1-day exploits from an exploit developer and does not create its own exploits for several reasons."
Eighteen Romanian hospitals disrupted by ransomware attack.
A ransomware attack over the weekend forced eighteen Romanian hospitals offline, BleepingComputer reports. The attack targeted the Hipocrate Information System (HIS), a platform used by hospitals for medical data management. The Romanian Ministry of Health said in a statement, "During the night of 11-12 February 2024, a massive ransomware cyber-attack targeted the production servers running the HIS information system. As a result of the attack, the system is down, files and databases are encrypted. The incident is under investigation by IT specialists, including cybersecurity experts from the National Cyber Security Directorate (DNSC), and the possibilities for recovery are being assessed. Exceptional precautionary measures have also been activated for the other hospitals not affected by the attack."
US Justice Department shutters Warzone RAT operation.
The US Department of Justice announced on Friday the seizure of several domains used to sell the Warzone remote access Trojan, the Record reports. The Justice Department has also charged two individuals, Daniel Meli of Zabbar, Malta, and Prince Onyeoziri Odinakachi of Nigeria, for their alleged roles in operating the Trojan. The two suspects allegedly peddled the malware on underground forums and offered customer support to users of the Trojan.
The Justice Department said in a press release, "The disruption of the Warzone RAT infrastructure was the result of an international law enforcement effort led by FBI special agents in Boston and Atlanta and coordinated with international partners in large part through Europol. According to court documents, in addition to discovering instances of the Warzone RAT being used to attack victim computers in Massachusetts, the FBI covertly purchased and analyzed the Warzone RAT malware, confirming its multiple malicious functions. Separately, law enforcement partners in Canada, Croatia, Finland, Germany, the Netherlands, and Romania provided valuable assistance securing the servers hosting the Warzone RAT infrastructure."
Crime and punishment.
A Ukrainian national, Vyacheslav Igorevich Penchukov, pleaded guilty in the District of Nebraska to his role in "two separate and wide-ranging malware schemes involving tens of millions of dollars in losses," the US Justice Department says.