Weekly Threat Briefing: Oct 7 - 11, 2024
Every week, eSentire’s Threat Response Unit (TRU) compiles the following threat intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
New Variants of BeaverTail and InvisibleFerret Malware Identified
Bottom Line: By impersonating recruiters to deliver malware, North Korean threat actors gain access to a variety of industries, leading to the theft of sensitive data and cryptocurrency, as well as potentially enabling espionage.
On October 9th, Unit 42 published a detailed report on an ongoing campaign named Contagious Interview (CL-STA-0240), led by threat actors associated with Democratic People’s Republic of Korea (DPRK). The primary targets of this campaign are job seekers in the tech industry, particularly those using platforms like LinkedIn and X (formerly Twitter) to find opportunities.
The attackers impersonate recruiters to build trust and then manipulate their victims into executing malicious software under the guise of an actual interview process. Two key malware components observed in this campaign are the BeaverTail downloader and InvisibleFerret backdoor, both of which are designed for cross-platform attacks, capable of affecting macOS and Windows systems.
BeaverTail acts as the initial downloader in the attack. Its primary role is to infiltrate the victim’s system and execute additional payloads, including the InvisibleFerret backdoor. It is built using the Qt framework and can execute on both macOS and Windows platforms.
This malware focuses on stealing browser passwords and cryptocurrency wallets, targeting 13 cryptocurrency wallet browser extensions. It is typically delivered through fake software packages masquerading as legitimate applications, such as MicroTalk and FreeConference. Once the malware is executed, it establishes a connection with the Command-and-Control (C2) server to download the Python payload.
InvisibleFerret is the final-stage malware deployed after BeaverTail. It is a Python-based backdoor observed in the CL-STA-0240 campaign. It has multiple components that allow the attackers to maintain long-term control over the infected system. The backdoor is capable of fingerprinting the infected endpoint, performing remote control functions, and keylogging to capture user input. It also exfiltrates sensitive files and can steal browser credentials and credit card information.
Additionally, InvisibleFerret can download and run the AnyDesk client for further remote access and control. Recent updates to InvisibleFerret’s code were observed, indicating active development and refinement of the malware.
The new variants of these malware families do not expand their core capabilities. Rather, they focus on efficiency improvements.
In response to the disclosure of this report, the eSentire Threat Response Unit (TRU) team performed threat hunts across the customer base, evaluated current detection capabilities, and blocked known malicious infrastructure via the eSentire Global Block List.
It should be noted that eSentire had detected and mitigated activity matching the findings of this report prior to its disclosure. This incident was discussed in the October TRU Intelligence Briefing webinar. A technical blog on eSentire’s observations of InvisibleFerret will be published in the near future.
OpenAI - Influence and Cyber Operations
Bottom Line: OpenAI continues to monitor for the abuse of its platform for influence and cyber operations. While OpenAI indicates that there has not been successful virality of content, the full impact of this activity remains unclear.
On October 9th, OpenAI, the American artificial intelligence research organization behind ChatGPT, released a long-form report on state-sponsored abuse of the company’s services in both information operations and cyberattacks.
According to OpenAI, in the past year, the company has disrupted twenty separate campaigns, three of which involved known APT groups, with the remainder being focused on information operations. Information operations included election disinformation across multiple countries.
APT groups observed abusing ChatGPT have been attributed to China and Iran. The Chinese APT group is tracked under the name SweetSpecter. This group was observed leveraging “OpenAI’s services for reconnaissance, vulnerability research, scripting support, anomaly detection evasion, and development”.
Outside of this activity, SweetSpecter also targeted both governments and OpenAI employees in a spear-phishing campaign that resulted in the deployment of the SugarGhost Remote Access Trojan (RAT).
Iranian state-sponsored groups confirmed to abuse OpenAI services are CyberAv3ngers and STORM-0817. The CyberAv3ngers group masquerades as a hacktivist organization but is believed to operate at the behest of the Iranian Islamic Revolutionary Guard Corps (IRGC).
The group was observed using OpenAI services to conduct research on Programmable Logic Controllers (PLC), commonly used in critical infrastructure such as water and wastewater treatment facilities. According to OpenAI, the group was attempting to discover vulnerabilities, build debugging code, and gain scripting advice.
This is highly notable, as in December 2023, CISA, in coordination with other intelligence agencies, released a report on CyberAv3ngers and their active targeting of water treatment facilities.
STORM-0817 was observed using OpenAI services to develop both malware and social media scraping tools. The group employed AI models to assist with building an Instagram scraper, debugging Android malware, and translating LinkedIn profiles. Information submitted to OpenAI platforms indicates that the group was building “surveillanceware”.
With the continued improvement and interest in LLM models, the eSentire Threat Response Unit (TRU) team expects to see an increase in the testing and abuse of commercial platforms by threat actors of varying skill levels. eSentire security teams continue to monitor for abuse of AI and LLM models by real-world threat actors.
U.S. Wiretap Systems Targeted in China-Linked Hack
Bottom Line: Targeting Internet Service Providers (ISPs) in a breach of this scale would provide espionage-focused threat actors with a trove of valuable information, ranging from privileged conversations to sensitive technical data and financial information. The impact of this intrusion depends on whether persistence was established and exfiltration was completed.
On September 26th, the Wall Street Journal (WSJ) reported that a Chinese APT group compromised multiple Internet Service Providers (ISPs). This week, WSJ released a follow-on article, naming the impacted companies as Verizon Communications, AT&T, and Lumen Technologies, as well as multiple non-U.S. telecoms. It is reported that threat actors carried out this activity to gain access to wiretap systems used by U.S. law enforcement.
The activity described in this report is attributed to the Chinese state-sponsored APT group Salt Typhoon, also referred to as FamousSparrow or GhostEmperor. The group is reported to have operated since at least 2019 and has a history of targeting government agencies, telecommunications and internet providers, hotels, and other private businesses. The group’s past activity is reported to have impacted companies in North and South America, Europe, Asia, Africa, and the Middle East.
In the recent campaign, WSJ reports that threat actors potentially targeted “information from systems the federal government uses for court-authorized network wiretapping requests”. These systems are in place to enable law enforcement to work with telecommunications companies on ongoing investigations; such companies have a legal responsibility to intercept and store information related to court orders.
Technical details on the breaches have not been shared publicly at this time. WSJ states that the breaches were discovered “in recent weeks and remains under active investigation by the U.S. government and private-sector security analysts”.
It is unclear when or how initial compromises occurred, but Salt Typhoon is suspected to have had access to domestic surveillance systems for “months or longer”. It couldn’t be determined if systems that support foreign intelligence surveillance were also impacted by the breach.
According to sources familiar with the matter, Salt Typhoon collected large amounts of internet traffic, and the goal of the activity is tentatively believed to be information theft. It should be noted that this reporting is focused on the breach of American companies, but the campaign is also reported to have impacted a small number of non-U.S. providers.
The eSentire Threat Response Unit (TRU) team is actively tracking this topic for additional details and detection opportunities.
About the eSentire Threat Response Unit (TRU)
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.