1. Russia accuses the U.S. of hacking thousands of iPhones to spy on Russian-based foreign diplomats
According to a recent statement from the Ministry of Foreign Affairs of Russia, the country's Federal Security Service (FSB) claimed to have obtained new evidence of surveillance from the U.S. government. The FSB accused the U.S. government of hacking thousands of iPhones to spy on Russian and foreign citizens, including foreign diplomats based in Russia. Kaspersky Lab also reported that dozens of its employees had been targeted by the U.S. government's spying efforts.
The FSB emphasized that the U.S. government's espionage activities were primarily conducted through Apple devices. The agency also accused Apple of close collaboration with the U.S. government, claiming that Apple provides technical assistance to the National Security Agency (NSA) in their spy activities.
The FSB did not provide evidence to support its claim that Apple cooperated directly or indirectly with the U.S. government in the spy operation.
Apple completely denied the FSB's claim in a statement, saying "We have never worked with any government to insert a backdoor into any Apple product and never will." Meanwhile, the NSA refused to comment on the matter. Amid the rising geopolitical tensions, experts predict that mobile phones could become the new frontline of cyber warfare.
2. A significant rise in ChatGPT-themed malware and attackers using ChatGPT to boost productivity
As public interest in generative AI chatbots grows, hackers are increasingly using ChatGPT-themed baits to spread malware across Facebook, Instagram, and WhatsApp.
Facebook's parent company Meta said in a report that malware masquerading as ChatGPT is on the rise across its platforms. Meta stated that its security teams uncovered 10 malware families that have used the ChatGPT theme (and similar themes) to spread malicious software to users’ devices since March 2023.
Meanwhile, ChatGPT is increasingly used as a tool for cybercriminals to enhance their productivity or conduct criminal activities. According to a study by NordVPN, new posts on dark web forums about AI tools increased from 120 in January to 870 in February, a surge of 625%. The number of ChatGPT posts increased from 37 to 91 during the same period, making chatbot exploitation one of the most popular topics among dark web users. These included discussions about using ChatGPT to generate malware. Over time, the hacker community has taken more daring approaches, including taking control of chatbots or creating glitches that could cause significant disruption. Today, expertise on topics like "How to Hack ChatGPT," "ChatGPT Jailbreak 2.0," "ChatGPT - Advances in Malware," and "ChatGPT as a Phishing Tool" can be easily accessed by dark web users.
ChatGPT's ability to generate highly interactive conversations makes it a prime target for social engineering attacks such as phishing, scams, and pretexting, which can be used to extract sensitive information. Cybercriminals can leverage ChatGPT to create convincing conversations or scripts that manipulate people into performing certain activities or revealing confidential information. ChatGPT's ability also makes it easy for non-native speakers to engage in cybercrime on a larger scale, with higher success rates, by avoiding poorly worded emails and grammatical errors.
Reference: https://techcrunch.com/2023/05/03/malware-chatgpt-lures-facebook/.
3. Patchwork APT leverages multiple open-source software components in recent attacks
Sangfor FarSight Labs recently detected multiple attacks in China perpetrated by the Patchwork APT group and captured numerous private samples. Patchwork, also known as Monsoon, Dropping Elephant, APT-Q-36, and APT-C-09, is an APT group from South Asia. It mainly carries out cyber-espionage attacks in China, Pakistan, and other countries in Asia, with the intention of stealing sensitive information. This group was first observed in November 2009 and has been active ever since. Its attacks in China mainly target government agencies and particularly scientific research and educational institutes. Our analysis reveals that Patchwork leveraged multiple open-source software components in their attacks.
We captured a sample of the malicious LNK file used by Patchwork in the recent attacks. The LNK file downloads the second-stage payload, BADNEWS RAT (remote access trojan), which is delivered by the hiiresloader loader. During association analysis of the loader, we found that it was also used to load and execute a file that was uploaded from Pakistan. Initial analysis suggests that the loader belongs to Patchwork.
Further analysis revealed that this file is an open-source RAT, available on GitHub at https://github.com/XZB-1248/Spark/tree/master.
We also captured a sample of the NorthStarC2 open-source RAT Patchwork used in the recent attacks. NorthStarC2 is also delivered using a loader and is available on GitHub at https://github.com/EnginDemirbilek/NorthStarC2. Analysis of the loader showed that it is an open-source loader, available on GitHub at https://github.com/EddieIvan01/gld. The loader uses AES-256-GCM and Base64 to encrypt and store the RAT as the payload. After decryption, the payload is executed in memory and communicates with the C2 server through the domain jillin[.]online.
4. Exploitation of outdated drivers is gaining traction among cybercriminals and APT groups
In May 2023, Sangfor FarSight Labs detected dark web transactions of tools that introduce vulnerable or malicious drivers onto systems to enable the installation of ransomware or high-risk backdoors. An example of such a tool is a piece of malware dubbed AuKill, disclosed by Sophos in April. AuKill uses a technique called Bring-Your-Own-Vulnerable-Driver (BYOVD), where threat actors drop a malicious version of a driver signed by Microsoft. Consequently, Windows trusts and allows the execution of these signed malicious codes. The AuKill malware has been observed to exploit the outdated Microsoft Process Explorer driver v16.32 in the wild. After breaching a victim machine, attackers used AuKill to drop the malicious driver procexp.sys next to the one used by Process Explorer v16.32 in the system drivers directory as well as disable Endpoint Detection & Response (EDR) software. This technique has been used in at least three ransomware attacks since the turn of the year. In two of these incidents, the attackers deployed the MedusaLocker ransomware after disabling EDR detection.
Sophos has collected six variants of AuKill over the past few months and discovered numerous similarities between the open-source tool Backstab and AuKill. These include distinctive debug strings and almost identical code flow logic to interact with the driver. Moreover, relevant transactions have been observed on the dark web, indicating a growing popularity of this technique among hackers and APT groups. Microsoft has also taken action in response to this. On May 12th, Microsoft released an update featuring a list of vulnerable drivers aimed at enhancing protection against driver exploitation.
References:
1. https://www.bleepingcomputer.com/news/security/ransomware-gangs-abuse-process-explorer-driver-to-kill-security-software/
2. https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
