Daily Brief
Find articles below; see 'Details' for the generated summaries.
Total articles found: 11783
Checks for new stories every ~15 minutes
| Timestamp | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-02-17 11:45:33 | theregister | CYBERCRIME | AI-Based Software Agents Demonstrate Autonomous Website Hacking Skills | University of Illinois Urbana-Champaign (UIUC) researchers have shown that large language models (LLMs), such as GPT-4, can independently compromise web applications.
LLMs were equipped with APIs, automated web browsing, and feedback-based planning to autonomously perform complex tasks like SQL union attacks.
Experiments were carried out in a sandboxed environment on test websites to ensure no real-world harm, utilizing tools like OpenAI Assistants API, LangChain, and the Playwright browser testing framework.
GPT-4 demonstrated a 73.3 percent success rate in hacking attempts, substantially outperforming other models, including its predecessor GPT-3.5.
The success of GPT-4 is attributed to better response adaptation and processing of large context prompts required for hacking tasks.
Cost analysis suggested that LLM agents could be far cheaper than human penetration testers: the GPT-4 agent cost roughly $9.81 per website, against an estimated $80 for a human.
Concerns arise about the potential for malicious use of LLMs in cybersecurity, emphasizing the need for careful consideration of the capabilities of LLMs and the development of robust safety measures. | Details |
| 2024-02-17 08:21:12 | thehackernews | CYBERCRIME | Essential Strategies to Shield Business Communications from Hackers | Cyberattacks targeting business communication channels have surged, highlighting a critical area of vulnerability for companies.
Companies take 277 days on average to identify and contain a breach, and each breach costs around $4.35 million, which underlines the need for robust safeguards.
Secure communication channel selection, rigorous password audits, and strict access permissions are vital first steps in fortifying against cyber threats.
Investment in comprehensive cybersecurity tools, including antivirus systems, VPNs, and monitoring services, is pivotal to detect and mitigate breaches swiftly.
Organizations must continually enhance their teams' abilities to recognize and respond to sophisticated phishing strategies to lessen the risk of successful cyber incursions.
Development of clear standard operating procedures (SOPs) for cybersecurity and routine protocols can aid in prompt breach detection and response.
By maintaining vigilance and staying abreast of evolving cybersecurity threats through regular update routines, organizations can protect their communication systems and preserve customer trust.
These measures require concerted effort and resources, but are necessary to prevent significant financial losses and erosion of client confidence, ensuring the business's longevity and reputation. | Details |
| 2024-02-17 07:30:17 | thehackernews | MISCELLANEOUS | Google Releases AI-Based File Identification Tool to Open Source | Google has open-sourced Magika, an AI-powered tool that enhances identification of binary and textual file types, improving overall accuracy and precision.
Magika's deep-learning model, shipped in the Open Neural Network Exchange (ONNX) format, classifies a file in milliseconds.
Internally, Google leverages Magika for routing files across Gmail, Drive, and Safe Browsing to appropriate security and content policy scanners for improved user safety.
The release aligns with Google's strategy to strengthen digital security, exemplified by their release of RETVec, and emphasizes the importance of AI in tilting cybersecurity dynamics in favor of defenders.
Google advocates for a regulatory balance that encourages AI's positive potential in security while recognizing the risk of misuse by nation-state hackers from countries like Russia and China.
The tech giant underscores the crucial role of AI in scaling threat detection, incident response, and other security operations, aiming to resolve the Defender's Dilemma, which traditionally favors attackers.
Wider ethical debates continue over generative models trained on web-scraped data, the privacy risks that entails, and new research showing that 'backdoor' behaviour planted in a model can persist through safety training. | Details |
| 2024-02-17 02:13:57 | theregister | CYBERCRIME | Google Open Sources Magika AI to Bolster Cybersecurity Efforts | Google has open sourced Magika, an AI tool designed for accurate file type identification, to aid in cybersecurity.
Magika is being used by key Google services such as Gmail, Google Drive, Chrome's Safe Browsing, and VirusTotal to optimize data processing.
Designed to identify the true contents of files, Magika addresses the challenge of correctly classifying documents which may masquerade as different file types.
Google is promoting the use of AI in cybersecurity and believes it can shift the advantage from attackers to defenders.
Google reports that Magika is 50 percent more accurate than its previous rule-based system, with roughly 99 percent accuracy and about 3 percent of files left unclassified.
As part of the AI Cyber Defense Initiative, Google partners with numerous startups and expands cybersecurity education through seminars and university grants.
The AI tool is expected to play a pivotal role in malware analysis, intrusion detection, and the broader scope of cybersecurity. | Details |
| 2024-02-16 23:51:15 | bleepingcomputer | CYBERCRIME | ALPHV Ransomware Hits Prudential and loanDepot, Data at Risk | ALPHV/Blackcat ransomware group claims responsibility for breaches at Prudential Financial and loanDepot.
The group has threatened to sell loanDepot's data and publish Prudential's data due to failed negotiations.
loanDepot experienced a breach impacting 16.6 million individuals; the company has offered credit monitoring and identity protection.
Prudential Financial's breach on February 4 involved employee and contractor data; customer data has not been confirmed as compromised.
Prudential Financial, a leading life insurance company, employs 40,000 people worldwide with revenues over $50 billion.
The U.S. State Department is offering rewards totaling $15 million for information leading to ALPHV gang leaders and associates.
The FBI has attributed more than 60 breaches worldwide and roughly $300 million in ransom payments to ALPHV within a year, and has been tracking and disrupting the gang's operations.
Despite previous disruptions by the FBI, ALPHV continues to operate a new Tor leak site hosting stolen data. | Details |
| 2024-02-16 21:43:41 | bleepingcomputer | CYBERCRIME | Wyze Probes Security Flaw Amid Service Disruption and Outage | Wyze Labs is investigating a security issue in parallel to dealing with an ongoing service outage affecting their cameras and user login capabilities.
The service disruption, which began in the morning, has been attributed to a connectivity problem with their AWS (Amazon Web Services) infrastructure.
Wyze is actively working with AWS to address the connection problems and has instructed customers to restart any devices still facing issues after their attempts to restore service.
Notably, the "Events" feature in the Wyze app has been disabled as the company looks into what it suspects to be a security vulnerability.
Wyze's CMO Dave Crosby communicated to customers via the official forum, apologizing and committing to a full recovery and transparency about the incident's findings.
There have been isolated customer reports of the app mistakenly displaying video feeds from other users, sparking privacy and security concerns.
A Wyze spokesperson was requested for a statement but was unavailable to respond to inquiries from the press at the time of the report. | Details |
| 2024-02-16 18:35:36 | bleepingcomputer | CYBERCRIME | SolarWinds Patches Multiple High-Risk RCE Vulnerabilities | SolarWinds addressed five remote code execution vulnerabilities in its Access Rights Manager solution, with three classified as critical.
Critical vulnerabilities permit unauthenticated attackers to execute code on systems that have not been updated.
The access rights tool is designed to manage and audit permissions within IT environments, aiming to reduce insider threats.
Four of the bugs were identified by anonymous researchers via the Zero Day Initiative; the fifth by ZDI researcher Piotr Bazydło.
Updates were released in the Access Rights Manager version 2023.2.3, which includes both bug and security fixes.
This follows SolarWinds' history with the March 2020 supply-chain attack by APT29, affecting numerous U.S. government agencies and large corporations.
The U.S. government attributed the 2020 SolarWinds cyberattack to Russia's SVR, with subsequent legal actions from the SEC for investor disclosure failures. | Details |
| 2024-02-16 16:43:26 | theregister | CYBERCRIME | Ukrainian Cybercrime Kingpin Behind Zeus and IcedID Pleads Guilty | Vyacheslav Igorevich Penchukov, associated with the Zeus and IcedID malware, pleaded guilty, facing up to 40 years in prison.
Once featured on the FBI’s Cyber Most Wanted List, Penchukov was arrested in 2022 in Geneva, Switzerland.
He played a significant role in defrauding millions from victims, leveraging 'money mules' to transfer wired funds overseas.
The Zeus malware operation, which Penchukov was involved in since 2009, was dismantled by the FBI in 2014.
Zeus and related banking malware, including Gameover Zeus and SpyEye, caused losses estimated at over $100 million.
After the Zeus takedown, Penchukov resurfaced with IcedID, a banking trojan that later became a ransomware delivery vehicle and was linked to a major attack on UVM Medical Center.
The Department of Justice emphasizes the threat to national security and economy posed by such malware, reaffirming their stance on prosecuting cybercriminals. | Details |
| 2024-02-16 16:12:30 | bleepingcomputer | CYBERCRIME | Alpha Ransomware Emergence Linked to Defunct NetWalker Operations | Alpha ransomware, reminiscent of NetWalker, exhibits similar patterns and tools indicating a possible connection.
NetWalker, a former ransomware-as-a-service operation, was taken down by law enforcement in January 2021.
The newly emerged Alpha ransomware kept a low profile until it launched a data leak site listing its victims.
Netenrich's analysis shows Alpha growing more sophisticated, with ransom demands ranging from 0.272 BTC up to $100,000.
Symantec's report identifies overlaps in the modus operandi of Alpha and NetWalker attacks, suggesting a potential revival or reuse of NetWalker code.
Common living-off-the-land tools used by Alpha for evasion mirror techniques used by several ransomware groups.
Although Alpha is not yet a significant player, defenders are advised to monitor the group's activity. | Details |
| 2024-02-16 15:46:49 | thehackernews | CYBERCRIME | Akira Ransomware Targets Cisco Systems, Exploits Patched Vulnerability | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about Akira ransomware exploiting a known vulnerability in Cisco ASA and FTD software.
The exploited flaw, CVE-2020-3259, was a high-severity information disclosure issue that Cisco patched in May 2020.
Cybersecurity firm Truesec discovered evidence of the Akira ransomware group compromising Cisco AnyConnect SSL VPN appliances over the past year.
Akira ransomware, first seen in March 2023, has nearly 200 victims and is potentially connected to the Conti ransomware group.
Federal Civilian Executive Branch agencies must address this vulnerability by March 7, 2024, to safeguard against such threats.
Other ransomware gangs, like BlackCat, have also been active, with the U.S. offering substantial rewards for information leading to the identification or capture of key members.
The U.S. Government Accountability Office urges enhanced oversight to combat ransomware, particularly within vital sectors. | Details |
| 2024-02-16 14:35:27 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hacker Group Adopts New Crypto Laundering Tactics | North Korean hacker collective Lazarus is utilizing the YoMix bitcoin mixer to launder stolen cryptocurrency.
Sanctions on previous laundering services have pushed Lazarus to adapt its methods, according to Chainalysis.
Despite crackdowns, Lazarus continues to fund North Korea's weapons program through crypto heists, including high-profile hacks like the Ronin Network and Harmony Horizon breaches.
North Korean hacking entities have amassed roughly $3 billion from crypto thefts since 2017, evading sanctions and employing coin mixers.
The U.S. Treasury has sanctioned several mixers used by Lazarus, like Blender, Tornado Cash, and Sinbad, causing the group to find alternatives like YoMix.
Chainalysis observed a significant surge in YoMix funds due to money laundering activities, with about one-third of inflows linked to crypto hacks.
In 2023, illicit funds remained concentrated in a handful of off-ramping services but were spread across more deposit addresses to evade asset freezes and detection. | Details |
| 2024-02-16 13:29:16 | thehackernews | MALWARE | RustDoor Backdoor Targets Crypto Firms with Fake Job Offers | A new macOS backdoor named RustDoor is actively targeting cryptocurrency firms with fake job offer schemes to carry out attacks.
RustDoor is disguised as a Visual Studio update and is notably written in the Rust programming language.
Initial infections occur through seemingly harmless PDF files that claim to offer employment but download and execute the RustDoor malware.
Recent discoveries show that ZIP archives containing malicious shell scripts precede the RustDoor binaries and are also part of the attack mechanism.
Four new Golang-based binaries associated with the malware gather extensive information about the infected macOS device and its network.
Analysis of the command-and-control infrastructure of RustDoor exposed an endpoint leaking information about infected hosts, including registration timestamps and last activity data.
South Korea's National Intelligence Service has identified a North Korean IT group selling malware-infected gambling websites for profit, but it's not established if there's a direct link to the RustDoor campaign. | Details |
| 2024-02-16 12:02:23 | theregister | MISCELLANEOUS | Addressing Dark Web Dangers in Youth Education and Cybercrime | A debate in the UK has emerged about children's access to the dark web, particularly following the murder of 16-year-old Brianna Ghey, which involved dark web exposure by one of the perpetrators.
Ciaran Martin, former CEO of the National Cyber Security Centre, argues that technological solutions alone are not sufficient and emphasizes the need for educational approaches in schools concerning the dark web.
The UK's strict laws against hosting and distributing harmful content, like child exploitation material, are highlighted as an existing measure against dark web misuses.
The Tor browser, the usual route onto the dark web, serves both legitimate privacy needs and malicious activity, which complicates enforcement of any restrictions.
The UK's Online Safety Act is controversial due to its potential impact on end-to-end encryption and privacy.
The National Crime Agency points to a significant proportion of UK children engaging in behaviors that violate the Computer Misuse Act and calls for proactive education and awareness for parents, teachers, and children to deter cybercrime.
The NCA highlights young individuals' lack of awareness about the legality of certain actions, underlining the need to channel their technical interest into positive and legal avenues. | Details |
| 2024-02-16 11:00:53 | thehackernews | CYBERCRIME | Cybercriminals Exploit AWS for Smishing Campaigns Targeting PII | Threat actors are utilizing a Python script named 'SNS Sender' to conduct bulk smishing (SMS phishing) campaigns via Amazon's Simple Notification Service.
SentinelOne attributes these smishing attacks to a threat actor with the moniker 'ARDUINO_DAS', who uses misleading prompts about missed package deliveries purportedly from USPS.
SNS Sender is notable as the first tool observed in the wild that uses AWS SNS to run bulk SMS spam campaigns.
A trove of over 150 phishing kits linked to ARDUINO_DAS has been discovered for sale, primarily focusing on impersonating USPS to harvest personal and financial information.
The operation may have been active since July 2022, based on traces found in 'bank logs' (stolen banking credentials) shared on underground forums.
There are indicators within the phishing kits that suggest a possible hidden backdoor exists to send collected data to another location, as noted by a security researcher.
This incident is part of a broader trend where attackers are exploiting cloud services for smishing campaigns and is consistent with previous incidents involving AWS access keys.
The misuse of legitimate platforms like Discord, along with innovations in deploying malware through advertising networks and spoofed documents, underscores the evolving strategies of cybercriminals. | Details |
| 2024-02-16 11:00:53 | thehackernews | MISCELLANEOUS | Democratizing Cybersecurity for Small and Medium Businesses | Small to medium businesses (SMBs) struggle to find affordable and user-friendly cybersecurity tools despite increasing threat awareness.
NTT Security Holdings (NTTSH), with over 20 years in threat intelligence, aims to democratize cybersecurity to protect SMBs.
NTTSH's Global Threat Intelligence Center (GTIC) combines threat research with technology to provide actionable threat intelligence.
GTIC leverages NTT's top-tier Internet backbone for unparalleled visibility into cyber threats and collaborates with major cybersecurity organizations.
The annual Global Threat Intelligence Report offers insights for organizations to adapt to the threat landscape, highlighting specific sector vulnerabilities.
Under the SaaS shared-responsibility model, SMBs remain accountable for their own data and identity management, which are the targets of credential stuffing and phishing.
The shift to hybrid IT has widened the SMB attack surface; NTTSH's proprietary Samurai XDR product integrates multiple telemetry sources into one accessible platform.
Samurai XDR simplifies cybersecurity for SMBs with an easy-to-use interface, affordable pricing, and a free 30-day trial to encourage advanced SecOps capabilities. | Details |
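The UIUC agent story above (2024-02-17, theregister) hinges on "SQL union attacks". As an added illustration that is not part of that paper or article, the Python block below builds a constructed SQLite catalogue, shows the string-concatenated query shape such an agent probes, the ORDER BY probe an attacker uses to learn the column count, the UNION payload that turns a product lookup into a dump of the users table, and the parameterized query that closes the hole. Table names, rows and hashes are invented for the demo.

```python
import sqlite3

# Constructed demo database: a product catalogue plus a users table that the
# lookup endpoint is never supposed to expose.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER, name TEXT, price TEXT);
        CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT);
        INSERT INTO products VALUES (1, 'widget', '9.99'), (2, 'gadget', '19.99');
        INSERT INTO users VALUES (1, 'admin', 'sha256$deadbeef'),
                                 (2, 'alice', 'sha256$cafef00d');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str):
    """String-concatenated query: the classic UNION-injectable shape."""
    sql = f"SELECT name, price FROM products WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str):
    """Parameterized query: the input is bound as data, never parsed as SQL."""
    return conn.execute(
        "SELECT name, price FROM products WHERE name = ?", (name,)
    ).fetchall()


def probe_column_count(conn: sqlite3.Connection, max_cols: int = 10) -> int:
    """Learn the column count of the vulnerable SELECT the way an attacker
    (or an automated agent) does: ORDER BY n errors once n exceeds the
    number of selected columns, so the last n that succeeds is the count."""
    for n in range(1, max_cols + 1):
        try:
            lookup_vulnerable(conn, f"' ORDER BY {n}--")
        except sqlite3.OperationalError:
            return n - 1
    raise RuntimeError("column count not found")


# The UNION payload must match the two columns of the original SELECT; the
# trailing -- comments out the closing quote the application appends.
UNION_PAYLOAD = "' UNION SELECT username, password_hash FROM users--"


def demo():
    """Run the same payload through both query styles.
    Returns (rows leaked by the vulnerable query, rows from the safe query)."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, UNION_PAYLOAD)
    safe = lookup_safe(conn, UNION_PAYLOAD)
    return leaked, safe


if __name__ == "__main__":
    print("columns in vulnerable SELECT:", probe_column_count(make_db()))
    leaked, safe = demo()
    print("vulnerable query returned:", leaked)
    print("parameterized query returned:", safe)
```

The vulnerable lookup hands back every username and password hash because the payload is parsed as part of the statement; the parameterized lookup returns nothing because the same bytes are compared against product names as an opaque string. The ORDER BY loop is the mechanical step that agent papers of this kind automate: each probe is a request, the error is the feedback, and the count it yields decides how many columns the UNION must supply.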
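The two Magika items above (2024-02-17, thehackernews and theregister) describe the problem Magika addresses: a file's extension says one thing and its bytes say another. The Python block below is an added example, not Magika's code or API, of the rule-based baseline such tools improve on: a magic-byte sniffer plus an extension-versus-content check, run over a few constructed sample files. The signature table, extension map and samples are invented for the demo.

```python
import os

# Constructed magic-byte table: the fixed-prefix rules a classic
# file-identification tool keys on.
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x7fELF", "elf"),
    (b"MZ", "pe"),
    (b"PK\x03\x04", "zip"),
]

# What each extension is supposed to contain; .docx is a ZIP container.
EXTENSION_TO_TYPE = {
    ".pdf": "pdf", ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg",
    ".exe": "pe", ".dll": "pe", ".zip": "zip", ".docx": "zip",
    ".txt": "text", ".html": "html", ".htm": "html",
}


def sniff(data: bytes) -> str:
    """Classify a byte string by its leading magic bytes, then by cheap
    content heuristics. Returns a label or 'unknown'."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    head = data[:512]
    lowered = head.lower()
    if b"<html" in lowered or b"<!doctype html" in lowered or b"<script" in lowered:
        return "html"
    try:
        head.decode("utf-8")
    except UnicodeDecodeError:
        return "unknown"  # undecodable bytes with no known prefix
    return "text"  # decodable but no recognised structure


def check(filename: str, data: bytes):
    """Compare what the extension promises with what the bytes contain.
    Returns (expected, actual, suspicious); unknown extensions are not flagged."""
    ext = os.path.splitext(filename)[1].lower()
    expected = EXTENSION_TO_TYPE.get(ext)
    actual = sniff(data)
    suspicious = expected is not None and expected != actual
    return expected, actual, suspicious


# Constructed samples: three honest files and two that masquerade
# (a PE executable named .pdf, an HTML page named .jpg).
SAMPLES = {
    "quarterly.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "update.pdf": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff",
    "photo.jpg": b"<html><body><script>alert(1)</script></body></html>",
    "notes.txt": b"meeting moved to 10:00\n",
    "archive.zip": b"PK\x03\x04\x14\x00\x00\x00\x08\x00",
}


def scan(samples=SAMPLES):
    """Return the names of files whose content does not match their extension."""
    return [name for name, data in samples.items() if check(name, data)[2]]


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, check(name, data))
    print("suspicious:", scan())
```

Treat a mismatch as a routing signal, not a verdict: the practical use, as with Google's own pipeline, is to send the file to the scanner for what it actually is rather than what it claims to be. The caveat is also visible in the code: anything decodable without a known prefix collapses into "text", so a prefix sniffer cannot tell JavaScript from PowerShell from a meeting note, and it is blind to polyglots that satisfy two signatures at once. That textual gap is precisely what a learned classifier like Magika is built to close.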