Microsoft researchers, in collaboration with OpenAI, disrupted the activities of five state-affiliated threat actors that sought to misuse OpenAI’s large language model (LLM) services in support of malicious cyber activity. OpenAI accounts associated with the China-affiliated actors Charcoal Typhoon and Salmon Typhoon, the Iran-affiliated Crimson Sandstorm, the North Korea-affiliated Emerald Sleet, and the Russia-affiliated Forest Blizzard were all terminated. The threat actors used the services to support their operations by querying open-source information for research, translating technical papers, finding coding errors, running basic coding tasks, and drafting content for phishing campaigns.
The South Korean National Intelligence Service (NIS) identified an ongoing scam linked to North Korea involving gambling websites that are pre-infected with malware. Malicious code was found in a feature that makes automatic bets, with attackers having reportedly attempted to sell about 1,100 pieces of personal data of South Korean citizens. The sites are believed to be produced and sold by threat actors linked to North Korea’s Office 39, also known as Gyeongheung, with its developers posing as Chinese IT workers. They are rented out to South Korean cybercrime organisations at around $5,000 a month, with potential incentives of $2,000 to $5,000 for gathering Chinese nationals’ PayPal account details.
Researchers at Volexity identified multiple malware families and distribution techniques used by the Iranian threat actor CharmingCypress throughout 2023 and into early 2024. Its spear-phishing campaigns have targeted journalists, activists, academics, and policy experts. CharmingCypress phishing emails are typically sent from spoofed accounts and use URL redirection chains that end in malicious RAR archives. Recent campaigns delivered a new Visual Basic malware, dubbed BASICSTAR, which has limited functional overlap with the group’s earlier POWERSTAR. The group also recently distributed malware-laden VPN applications, promoted under the guise of access to a webinar portal, to deploy the POWERLESS and NOKNOK backdoors.
In May 2023, Cisco Talos researchers identified a stealthy espionage campaign targeting an Islamic charitable non-profit organisation in Saudi Arabia. The campaign uses a previously undisclosed backdoor, dubbed Zardoor, and is likely the work of an advanced threat actor. The intrusion has likely persisted since at least March 2021, with data exfiltrated approximately twice a month. Whilst the initial access vector remains unknown, the Zardoor backdoor is used for persistence. Open-source reverse proxy tools, such as Fast Reverse Proxy, are used to establish the C2 connection, with a customised version of sSocks modified to remove its dependency on the Visual C Runtime libraries. Windows Management Instrumentation (WMI) is then used to move laterally and spread the attacker’s tools, spawning processes on target systems and executing commands received from the C2.
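The two post-exploitation behaviours described above, processes launched remotely through WMI and an open-source reverse proxy carrying C2, both leave footprints in ordinary process-creation telemetry. The following is an added example of a hunt over such telemetry; it is not code from Cisco Talos and not derived from the Zardoor samples. The log records are constructed in the shape of Sysmon Event ID 1 fields, the shell and script-host list is an assumption, and the `frpc`/`frps` names are simply the default binary names of the open-source Fast Reverse Proxy project, so a renamed copy would not match.

```python
"""Hunt process-creation telemetry for WMI-spawned processes and Fast Reverse
Proxy (frp) clients. Added example, not Cisco Talos code; the events below are
constructed samples, not telemetry from the Zardoor campaign."""
import ntpath

# Constructed sample events with Sysmon Event ID 1 style field names.
SAMPLE_EVENTS = [
    {"host": "WS01", "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    # A shell started by the WMI provider host: the parent of anything created
    # via Win32_Process.Create (locally or remotely) is WmiPrvSE.exe.
    {"host": "WS01", "User": r"CORP\svc_backup",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /c copy \\FS01\share\update.exe C:\ProgramData\update.exe"},
    # The frp client under its default name (assumption: operator kept the name).
    {"host": "FS01", "User": r"CORP\svc_backup",
     "Image": r"C:\ProgramData\frpc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "frpc.exe -c frpc.ini"},
    # WmiPrvSE.exe itself starting under svchost is normal and must not fire.
    {"host": "WS02", "User": r"NT AUTHORITY\NETWORK SERVICE",
     "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
]

WMI_HOST = "wmiprvse.exe"
# Shells and script hosts an operator typically launches through WMI
# (assumed list for this example, not an indicator set from the report).
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Default frp client/server binary names; a name-based heuristic only.
FRP_NAMES = {"frpc.exe", "frps.exe", "frpc", "frps"}


def _base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return ntpath.basename(path).lower()


def classify(event: dict) -> list:
    """Return the names of the rules an event triggers (empty if benign)."""
    hits = []
    image, parent = _base(event["Image"]), _base(event["ParentImage"])
    if parent == WMI_HOST:
        # Any child of WmiPrvSE.exe was created through WMI; a shell child is
        # the higher-confidence lateral-movement signal.
        hits.append("wmi_spawned_shell" if image in SHELLS else "wmi_spawned_process")
    tokens = event.get("CommandLine", "").lower().split()
    if image in FRP_NAMES or any(tok in FRP_NAMES for tok in tokens):
        hits.append("frp_reverse_proxy")
    return hits


def hunt(events) -> list:
    """Evaluate every event; return one (host, user, rule, image) per hit."""
    findings = []
    for ev in events:
        for rule in classify(ev):
            findings.append((ev["host"], ev["User"], rule, _base(ev["Image"])))
    return findings


def correlate(findings) -> list:
    """Accounts seen both launching processes via WMI and running frp, across
    any hosts: one identity doing both mirrors the described tradecraft."""
    by_user = {}
    for _host, user, rule, _image in findings:
        by_user.setdefault(user, set()).add(rule.split("_")[0])
    return sorted(u for u, seen in by_user.items() if {"wmi", "frp"} <= seen)


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print("%-5s %-26s %-20s %s" % f)
    print("accounts with WMI + frp activity:", correlate(found))
```

Before deploying such a rule, baseline it: management agents (SCCM, monitoring tools) also create processes through WMI, so the `wmi_spawned_process` rule is noisy on its own, and the value comes from the shell-child rule and the per-account correlation across hosts.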
Citizen Lab researchers recently discovered a China-linked disinformation campaign, dubbed PAPERWALL, attributed to Shenzhen Haimaiyunxiang Media Co Ltd, a public relations firm in China. The campaign uses a network of at least 123 websites posing as local news outlets in 30 countries across Europe, Asia, and Latin America to disseminate pro-Beijing disinformation. A key characteristic of PAPERWALL is that it conceals ad hominem attacks on Beijing’s critics within larger volumes of seemingly benign commercial press releases. Notably, the most aggressive of these articles appear on the websites only briefly before being taken down.
Volume of blog posts by operators during the last week.
High Priority Vulnerabilities
Related: CVE-2024-21412: Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day
Related: Fortinet Warns of Critical FortiOS SSL VPN Vulnerability Under Active Exploitation
Related: Microsoft Warns of Exploited Exchange Server Zero-Day
Related: Raspberry Robin devs are buying exploits for faster attacks
Ivanti Connect …
Related: Ivanti Connect Secure: Journey to the core of the DSLog backdoor