Cyber Security Week in Review: May 31, 2024

OpenAI disrupts five covert influence campaigns abusing its AI models

OpenAI said that over the past three months, it disrupted five influence operations (IO) using AI models for various tasks, including generating short comments and longer articles, creating names and bios for social media accounts, conducting open-source research, debugging code, and translating and proofreading texts.

The campaigns include:

  • Bad Grammar: A previously unreported Russian operation targeting Ukraine, Moldova, the Baltic States, and the United States. The operation used AI models to debug code for a Telegram bot and create political comments in Russian and English, which were then posted on Telegram.

  • Doppelganger: Another Russian operation where AI models generated comments in English, French, German, Italian, and Polish for platforms like X and 9GAG. They also translated and edited articles in English and French, created headlines, and converted news articles into Facebook posts.

  • Spamouflage: A Chinese network that used AI to research public social media activity and generate texts in Chinese, English, Japanese, and Korean. These texts were posted across platforms including X, Medium, and Blogspot. The operation also involved debugging code for managing databases and websites, including the domain revealscum[.]com.

  • International Union of Virtual Media (IUVM): An Iranian operation using AI to generate and translate long-form articles, headlines, and website tags, which were then published on iuvmpress[.]co, a site linked to this Iranian threat actor.

  • Zero Zeno: A commercial operation by an Israeli company named STOIC. The operation used AI to generate articles and comments posted on Instagram, Facebook, X, and associated websites.

Chalubo malware botnet disabled 600K routers in 2023 cyberattack

Lumen Technologies' Black Lotus Labs has published details of a cyberattack in which more than 600,000 small office/home office (SOHO) routers were rendered permanently inoperable over a 72-hour window between October 25 and 27, 2023. All of the affected devices belonged to a single internet service provider (ISP); the incident knocked 49% of the modems in that ISP's autonomous system (ASN) offline, and the routers had to be physically replaced.

The culprit was the "Chalubo" remote access trojan (RAT), a malware family first identified in 2018. Chalubo targets all major SOHO/IoT kernels, can launch DDoS attacks, and can execute arbitrary Lua scripts, which researchers believe were used to deliver the destructive payload. No link to known nation-state activity has been identified; according to the researchers, the attack appears to have been a deliberate attempt to cause an outage within the targeted ASN.

New LilacSquid APT targets IT, energy and pharmaceutical sectors

Cisco's Talos threat intelligence team has discovered a new espionage-motivated advanced persistent threat (APT) actor it has dubbed "LilacSquid." The group's victimology spans several sectors, including information technology organizations in the US, energy companies in Europe, and pharmaceutical firms in Asia, suggesting it targets a range of industries in order to steal data.

The campaign gains initial access by exploiting vulnerabilities in internet-facing application servers and by using compromised RDP credentials. LilacSquid then deploys a mix of open-source tools and custom malware: MeshAgent, an open-source remote management tool, and a customized version of QuasarRAT named "PurpleInk" serve as the primary implants, delivered by two loaders, "InkBox" and "InkLoader." The goal of the campaign is to establish long-term access and siphon data to attacker-controlled servers.

Russian FlyingYeti group unleashes phishing attacks on Ukraine

Cloudflare said it has shut down accounts on its platform that a Russian threat actor known as FlyingYeti used to launch phishing attacks against Ukraine. The tactics, techniques, and procedures (TTPs) employed by FlyingYeti resemble those of the threat group UAC-0149, which has targeted Ukrainian defense entities with COOKBOX malware since at least the fall of 2023. The overlap in TTPs suggests either a coordinated effort or that the two designations refer to overlapping actors.

Russian BlueDelta targets key networks in Europe with multi-phase espionage campaigns

Recorded Future has released a report detailing a cyber-espionage campaign by the Russian APT group BlueDelta, which targeted Ukrainian and European organizations amid Russia's war in Ukraine. The campaign, conducted from April to December 2023, involved the deployment of the information-stealing Headlace malware and credential-harvesting web pages. BlueDelta relied on phishing, compromised internet services, and "living off the land" binaries to gather intelligence. Among the targets were Ukraine's Ministry of Defense, European transportation infrastructure, and an Azerbaijani think tank.

Transparent Tribe APT targets Indian gov’t and defense sectors with cross-platform malware

The Pakistan-linked APT group known as Transparent Tribe has been targeting the Indian government, defense, and aerospace sectors using cross-platform malware written in Python, Golang, and Rust, broadening its attack vectors and making detection harder. The threat actor has also abused popular web services such as Telegram, Discord, Slack, and Google Drive in its operations.

New North Korean APT linked to FakePenny ransomware

Microsoft has shared details about a new North Korean threat actor, now tracked as Moonstone Sleet (formerly Storm-1789), which combines traditional and novel attack methods in pursuit of both financial gain and cyberespionage. Moonstone Sleet was observed distributing a trojanized version of the open-source terminal emulator PuTTY via platforms such as LinkedIn, Telegram, and freelancing websites. The group has also been seen targeting victims with malicious npm packages and deploying a new ransomware variant called FakePenny.

RedTail cryptominer exploits Palo Alto PAN-OS firewall bug

Threat actors behind the RedTail cryptomining malware have added the recent Palo Alto Networks PAN-OS vulnerability CVE-2024-3400 to their toolkit, Akamai said. The new RedTail variant also includes anti-analysis techniques that had not previously been observed in the malware.

A bug in Check Point Network Security gateway products exploited in the wild

Check Point has issued a warning about a zero-day vulnerability, tracked as CVE-2024-24919, affecting its Network Security gateway products. The impacted products include CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances. The US Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, alongside a Linux kernel use-after-free vulnerability tracked as CVE-2024-1086.

Check Point has also noted an increase in attacks on remote-access VPN environments. The company said it detected a small number of login attempts against old local VPN accounts that rely on password-only authentication, and it advises customers to review and disable unused local accounts and to add a stronger authentication factor, such as certificates, to those that remain.

Police hit 100+ servers distributing IcedID, Smokeloader, Bumblebee, and other malware

An international law enforcement operation aimed at dismantling criminal infrastructure has targeted major malware droppers, including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot. As part of the operation, dubbed "Operation Endgame," law enforcement agencies carried out a series of actions that led to the takedown of more than 100 servers worldwide and the arrest of four individuals, one in Armenia and three in Ukraine. The authorities conducted 16 searches in Armenia, the Netherlands, Portugal, and Ukraine, and took control of more than 2,000 domains used by cybercriminal networks.

US sanctions Chinese nationals for running 911 S5 proxy botnet, arrests admin

US authorities have dismantled the 911 S5 residential proxy botnet, which was used for various cybercrimes, including facilitating bomb threats. Three Chinese nationals—Yunhe Wang, Jingping Liu, and Yanni Zheng—were indicted and sanctioned as alleged operators of the botnet. Additionally, three entities linked to Yunhe Wang—Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited—were also sanctioned. Yunhe Wang, the primary administrator of the 911 S5 service, was arrested on May 24, 2024. Jingping Liu is said to be responsible for laundering the botnet's proceeds.

Two Estonian nationals extradited to the US over $575M crypto fraud

Two Estonian nationals, Sergei Potapenko and Ivan Turõgin, both 39, have been extradited from Estonia to the US to face charges related to a large-scale cryptocurrency Ponzi scheme. Arrested on November 20, 2022, in Tallinn, Estonia, the two are accused in an 18-count indictment of defrauding hundreds of thousands of victims through their company, HashFlare, between 2015 and 2019. Potapenko and Turõgin allegedly sold contracts promising shares in a cryptocurrency mining operation, generating more than $550 million in sales, but prosecutors allege the mining service itself was fraudulent.

Potapenko and Turõgin are charged with conspiracy to commit wire fraud, 16 counts of wire fraud, and one count of conspiracy to commit money laundering. If convicted, they each face a maximum penalty of 20 years in prison on each count.

BreachForums resurrected mere weeks after US-led takedown

The infamous criminal marketplace BreachForums is back online just two weeks after a coordinated law enforcement action led by the United States dismantled it and seized control of its infrastructure. Multiple cybersecurity researchers reported that the site reopened for registration on Tuesday under a new dark web domain while also reclaiming its original clearnet domain, breachforums[.]st. Other associated clearnet domains, including escrow[.]breachforums[.]st, breached[.]in, and two parked domains, have likewise been reacquired from the FBI's control.

Google Search document leak reveals inner workings of ranking algorithm

A trove of leaked documents exposed the inner workings of Google Search, revealing key elements and factors that Google uses to rank content. The leak, named “Google API Content Warehouse” contains over 2,500 pages of internal API documentation. These documents appear to be current and detail the functioning of Google Search’s ranking algorithms.

Okta warns of credential-stuffing attacks on Customer Identity Cloud

Security technology provider Okta has issued an advisory warning customers of active credential-stuffing attacks targeting the cross-origin authentication feature of its Customer Identity Cloud (CIC). Okta recommends that tenants that do not use cross-origin authentication disable it, and that the rest review their tenant logs for unexpected cross-origin authentication events, rotate any compromised credentials, and enable breached-password detection.
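The check a defender would run after an advisory like this is a triage pass over the tenant logs. The following script is an added example, not Okta's code or part of the advisory: it reads constructed JSON log lines in roughly the shape of CIC tenant logs and flags source IPs that fail cross-origin logins for many different usernames in a short window, which is the credential-stuffing signature, while ignoring one user repeatedly mistyping a password. The field names ("type", "date", "ip", "user_name") and the event codes "fcoa" (failed cross-origin authentication) and "scoa" (successful cross-origin authentication) are assumptions about the log format; adapt them to what your tenant actually emits.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real Okta data). The field names and the
# "fcoa"/"scoa" event codes are assumptions about the CIC log format.
SAMPLE_LOGS = [
    '{"type":"fcoa","date":"2024-05-28T10:00:01Z","ip":"203.0.113.7","user_name":"alice@example.com"}',
    '{"type":"fcoa","date":"2024-05-28T10:00:02Z","ip":"203.0.113.7","user_name":"bob@example.com"}',
    '{"type":"fcoa","date":"2024-05-28T10:00:03Z","ip":"203.0.113.7","user_name":"carol@example.com"}',
    '{"type":"fcoa","date":"2024-05-28T10:00:04Z","ip":"203.0.113.7","user_name":"dave@example.com"}',
    '{"type":"fcoa","date":"2024-05-28T10:00:05Z","ip":"203.0.113.7","user_name":"erin@example.com"}',
    '{"type":"fcoa","date":"2024-05-28T10:00:06Z","ip":"203.0.113.7","user_name":"frank@example.com"}',
    '{"type":"scoa","date":"2024-05-28T10:00:07Z","ip":"203.0.113.7","user_name":"grace@example.com"}',
    '{"type":"fcoa","date":"2024-05-28T10:05:00Z","ip":"198.51.100.4","user_name":"heidi@example.com"}',
    '{"type":"fcoa","date":"2024-05-28T10:05:30Z","ip":"198.51.100.4","user_name":"heidi@example.com"}',
    '{"type":"scoa","date":"2024-05-28T10:06:00Z","ip":"198.51.100.4","user_name":"heidi@example.com"}',
    '{"type":"fcoa","date":"2024-05-28T11:30:00Z","ip":"203.0.113.7","user_name":"ivan@example.com"}',
]

FAILED_COA = "fcoa"   # assumed code: failed cross-origin authentication
SUCCESS_COA = "scoa"  # assumed code: successful cross-origin authentication


def parse_events(lines):
    """Parse JSON log lines and keep only cross-origin authentication events."""
    events = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("type") not in (FAILED_COA, SUCCESS_COA):
            continue
        ts = datetime.strptime(rec["date"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, rec["ip"], rec["type"], rec["user_name"]))
    events.sort()  # chronological order, so per-IP slices stay sorted too
    return events


def detect_credential_stuffing(lines, window=timedelta(minutes=10), min_distinct_users=5):
    """
    Flag source IPs whose failed cross-origin logins cover at least
    `min_distinct_users` different usernames inside any `window`.
    Many usernames from one IP is the stuffing signature; many failures
    for a single username is more likely a user mistyping a password.
    Returns {ip: {"distinct_users": peak, "successes": [usernames]}}.
    """
    by_ip = defaultdict(list)
    for ev in parse_events(lines):
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        failures = [(ts, user) for ts, _, typ, user in evs if typ == FAILED_COA]
        peak = 0
        for i, (start, _) in enumerate(failures):
            # Distinct usernames failing within `window` of this failure.
            users = {u for ts, u in failures[i:] if ts - start <= window}
            peak = max(peak, len(users))
        if peak >= min_distinct_users:
            # A success from a stuffing source marks the account to reset first.
            successes = [user for _, _, typ, user in evs if typ == SUCCESS_COA]
            flagged[ip] = {"distinct_users": peak, "successes": successes}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOGS).items():
        print(f"{ip}: {info['distinct_users']} usernames tried; successes: {info['successes']}")
```

On the sample data only 203.0.113.7 is flagged (six usernames in six seconds, followed by one success), and 198.51.100.4 is not, since all its failures belong to one user. The threshold and window are starting points; tune them against your tenant's normal traffic before wiring this into an alert.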

CERT-UA warns of increasing cyberattacks targeting popular messaging accounts

The Ukrainian Government Computer Emergency Response Team (CERT-UA) has issued a warning about a surge in cyberattacks aimed at taking over accounts on popular messaging platforms. The attacks rely on deceptive messages sent via SMS and messaging apps such as Telegram and WhatsApp. These messages typically use a voting theme and contain links that supposedly lead to the entries of an art competition, including visual and performing arts. Recipients are invited to visit a website showing these entries, "log in," and vote for a contestant. If a recipient scans a QR code, or enters their phone number and the one-time code they receive, a third-party device is linked to their messaging account, and the account is taken over.

Once an account is compromised, it is used to spread similar messages with links to the victim's contacts, either through existing or newly created groups. Ultimately, these stolen accounts are monetized through various fraudulent schemes.

Ongoing campaign distributes malware via cracked MS Office versions

Cybercriminals are distributing various malware through cracked versions of Microsoft Office promoted on torrent sites. The malware includes remote access trojans (RATs), cryptocurrency miners, malware downloaders, proxy tools, and anti-antivirus programs, AhnLab’s Security Intelligence Center (ASEC) warns.

In related news, the Trellix Advanced Research Center team identified multiple fraudulent antivirus sites masquerading as legitimate products from well-known vendors Avast, Bitdefender, and Malwarebytes. The sites hosted sophisticated malicious files, including APK, EXE, and Inno Setup installers with spyware and stealer capabilities.

CatDDoS botnet exploits over 80 security flaws to launch DDoS attacks worldwide

Threat actors behind the CatDDoS malware botnet have exploited more than 80 known security vulnerabilities across a range of software and devices over the past three months to compromise vulnerable systems and enlist them in a botnet used for distributed denial-of-service (DDoS) attacks worldwide. CatDDoS is a variant of the infamous Mirai malware, named for the "cat" and "meow" strings found in its early domain names and samples. The botnet first emerged in August 2023 and has grown in sophistication since. It uses the ChaCha20 cipher to encrypt communications with its command-and-control (C2) servers and resolves its C2 through an OpenNIC domain, a tactic intended to evade detection.

Morocco-based cybercriminals hack large retailers for gift card theft

Microsoft has published a new "Cyber Signals" report highlighting a sharp increase in activity by the hacking group Storm-0539, also known as "Atlas Lion," including a notable rise in gift card theft.

Spyware found on US hotel check-in computers, leaking guest information

A consumer-grade spyware app called "pcTattletale" has been discovered on the check-in systems of several hotels across the United States, exposing sensitive guest information to the internet. The app is designed to run covertly, capturing screenshots of the infected systems and uploading them to pcTattletale's servers. A security flaw in the app makes those screenshots accessible to anyone on the internet, not just the spyware's intended users, so anyone who knows where to look can download them directly from pcTattletale's servers.