DragonForce ransomware, Salt Typhoon hits ISPs, ChatGPT SpAIware
In today’s cybersecurity news…
DragonForce uses ransomware’s greatest hits
Researchers at Group-IB disclosed that this threat group’s toolset includes a customized Conti variant and leaked LockBit ransomware. DragonForce operates a selective ransomware-as-a-service operation that works with experienced affiliates. It has targeted 82 victims across the manufacturing, real estate, and transportation industries, with most victims in the US. The researchers note DragonForce customizes its toolkit for specific attacks, so it’s not surprising to see the group use tools from other high-profile ransomware operations. While Group-IB did not indicate a country of origin for DragonForce, previous researchers have suggested the group might operate out of Malaysia.
Salt Typhoon strikes US ISPs
The Wall Street Journal’s sources say US investigators discovered a cyberattack campaign from a Chinese-linked threat actor dubbed Salt Typhoon. This campaign sought to establish footholds in several US-based cable and broadband providers. It’s unclear if the goal was simply reconnaissance or a potential staging for further cyberattacks. It’s been a busy year for China-linked threat groups operating under a “Typhoon” epithet. In January, the US disrupted operations by Volt Typhoon against critical infrastructure, and just last week, a Flax Typhoon botnet was disrupted. US officials frequently warn that due to the depth and frequency of China-linked cyberattacks, these campaigns likely represent the “tip of the iceberg.”
(WSJ)
Finding SpAIware on the ChatGPT Mac app
Security researcher Johann Rehberger documented this technique, SpAIware, which abuses ChatGPT’s memory feature to plant persistent spyware on a user’s account. It is an indirect prompt injection: an attacker could cause user inputs and ChatGPT outputs to be sent to a server under the attacker’s control, and the injection could be delivered by visiting a malicious site or uploading a malicious document to ChatGPT. Rehberger created a proof of concept and alerted OpenAI to the issue. The issue only impacted the macOS app, because API restrictions on the web app prevented it there. OpenAI subsequently patched the issue, but Rehberger said periodically clearing out ChatGPT memories remains good practice going forward.
A Rust-based splinter, a tetanus shot won’t fix
Threat actors using security research tools for nefarious ends isn’t new; just look at Cobalt Strike. Palo Alto Networks Unit 42 has found a new post-exploitation red team tool in the wild called Splinter. There’s no information on who developed it, but it is written in Rust and includes features typically found in pentest tools: executing Windows commands, remote process injection to run modules, file transfers, and deleting system info. Unit 42 has not yet found any threat actor activity tied to the use of Splinter.
Huge thanks to our sponsor, Vanta
“Unsophisticated methods” used against industrial systems
Not all cyberattacks need the advanced capabilities of nation-states behind them. CISA warned that threat actors continue to target critical infrastructure OT and ICS devices with “unsophisticated” methods, including default credentials and brute-force attacks. The agency said it “continues to respond to active exploitation of internet-accessible” devices, specifically citing the Water and Wastewater Systems Sector, which has been hit by pro-Russian hacktivists since 2022. CISA issued an advisory back in May on securing against these basic attacks, recommending changing default passwords, enabling MFA, applying security updates, and putting human-machine interfaces behind firewalls.
Researcher warns about hackable door access controllers
Last year, security researcher Shawn Merdinger started a project called Box of Rain, which documented instances of corporate buildings using vulnerable S2 Security door access controllers. Merdinger found dozens of door controllers with control interfaces exposed on the internet, accessible with the default admin/admin credentials. This opens the door to modifying access privileges, unlocking doors on demand, and using the controllers as a foothold for further attacks on a network. In an update, Merdinger said several controllers remained exposed for over a year after he contacted the organizations, including one at a Cedars-Sinai building. Cedars-Sinai said the issue did not impact its facilities, but SecurityWeek verified the door controller’s web interface was still exposed online.
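The two CISA findings above and the Box of Rain project describe the same basic pattern: internet-exposed control interfaces hit with default credentials and password guessing. As an added illustration, not code from CISA, Merdinger, or any vendor, here is a small detection routine that a defender could run over authentication logs from an HMI or door controller. It flags a burst of failed logins from one source, a successful login on a factory-default account name, and a success that follows a burst. The log format, the device names, the IP addresses and the list of default account names are all constructed assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed syslog-like format (not from the page).
# 203.0.113.7 and 192.0.2.10 are documentation-range addresses.
SAMPLE_LOG = """\
2024-09-25T10:00:01Z hmi-01 auth: FAILED login user=admin src=203.0.113.7
2024-09-25T10:00:03Z hmi-01 auth: FAILED login user=admin src=203.0.113.7
2024-09-25T10:00:04Z hmi-01 auth: FAILED login user=root src=203.0.113.7
2024-09-25T10:00:06Z hmi-01 auth: FAILED login user=operator src=203.0.113.7
2024-09-25T10:00:08Z hmi-01 auth: FAILED login user=admin src=203.0.113.7
2024-09-25T10:00:09Z hmi-01 auth: SUCCESS login user=admin src=203.0.113.7
2024-09-25T10:05:00Z hmi-01 auth: SUCCESS login user=jsmith src=192.0.2.10
2024-09-25T11:00:00Z hmi-01 auth: FAILED login user=jsmith src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|SUCCESS) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Assumed list of factory-default account names; a real deployment would take
# this from the vendor documentation for the devices actually in use.
DEFAULT_ACCOUNTS = {"admin", "root", "operator", "guest"}


def parse(log_text):
    """Turn raw log text into a list of event dicts with parsed timestamps."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not auth events
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return a list of (kind, host, src, detail) alerts in log order.

    kind is one of:
      brute_force            - `threshold` failures from one src within `window`
      default_account_login  - a successful login using a default account name
      success_after_burst    - a success while a brute-force burst is still active
    """
    alerts = []
    failures = defaultdict(list)  # (host, src) -> timestamps of recent failures
    for ev in parse(log_text):
        key = (ev["host"], ev["src"])
        if ev["result"] == "FAILED":
            failures[key].append(ev["ts"])
            # Sliding window: keep only failures within `window` of this event.
            failures[key] = [t for t in failures[key] if ev["ts"] - t <= window]
            # Fire once, exactly when the burst reaches the threshold.
            if len(failures[key]) == threshold:
                alerts.append(("brute_force", ev["host"], ev["src"], ev["ts"].isoformat()))
        else:
            if ev["user"] in DEFAULT_ACCOUNTS:
                alerts.append(("default_account_login", ev["host"], ev["src"], ev["user"]))
            if len(failures[key]) >= threshold:
                alerts.append(("success_after_burst", ev["host"], ev["src"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Running the block against the constructed sample produces three alerts, all for 203.0.113.7: the burst of five failures, the successful `admin` login, and the success-after-burst. The `jsmith` activity from 192.0.2.10 stays quiet, since one failed login an hour later is well below the threshold. The same routine generalizes to any device whose authentication log can be mapped onto the `host`, `result`, `user`, `src` fields; only `LINE_RE` and `DEFAULT_ACCOUNTS` need changing.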
Most phishing sites target mobile devices
It’s a mobile-first world, and phishing sites are following suit. According to a new research report from Zimperium, 82% of all phishing sites target mobile devices. The report found this approach particularly effective for gaining access to enterprise systems, because attackers exploit mobile endpoints, which present users with more limited security indicators. The report also found that 76% of these mobile phishing sites use HTTPS, and that sites using healthcare lures account for 39% of them. These sites also spin up fast, with almost a quarter going live within 24 hours of a domain being registered.
Wiz in talks to sell shares at $20 billion valuation
Remember the great Wiz acquisition that wasn’t, earlier over the summer? The cybersecurity startup walked away from a $23 billion Alphabet offer in July. Now, Bloomberg’s sources say the company has begun talks with existing shareholders to sell up to $700 million in holdings at a price range that would value the company at up to $20 billion. The company is also considering another direct investor funding round, but how that would affect its valuation remains unclear. Its last funding round in May valued it at $12 billion, and it reportedly rejected Alphabet’s offer after deciding it would be worth more going public.