Thursday, July 20th, 2023
Cybersecurity Week in Review (21/07/2023)
North Korean State-Sponsored Hackers Suspected in JumpCloud Supply Chain Attack
An analysis of the indicators of compromise (IoCs) associated with the JumpCloud hack has uncovered evidence pointing to the involvement of North Korean state-sponsored groups, in a style that’s reminiscent of the supply chain attack targeting 3CX.
The findings come from SentinelOne, which mapped out the infrastructure pertaining to the intrusion to uncover underlying patterns. It’s worth noting that JumpCloud, last week, attributed the attack to an unnamed “sophisticated nation-state sponsored threat actor.”
In a related development, researchers have pinned the attack to a North Korean actor known as Labyrinth Chollima, a sub cluster within the infamous Lazarus Group. The infiltration was used as a springboard to target cryptocurrency companies, indicating an attempt on part of the adversary to generate illegal revenues for the sanctions-hit nation.
They also coincide with a low-volume social engineering campaign identified by GitHub that targets the personal accounts of employees of technology firms, using a mix of repository invitations and malicious npm package dependencies. The targeted accounts are associated with blockchain, cryptocurrency, or online gambling sectors.
The Microsoft subsidiary attributed the campaign to a North Korean hacking group it tracks under the name Jade Sleet (aka TraderTraitor).
“Jade Sleet mostly targets users associated with cryptocurrency and other blockchain-related organizations, but also targets vendors used by those firms,” GitHub’s Alexis Wales said.
The attack chains involve setting up bogus personas on GitHub and other social media services such as LinkedIn, Slack, and Telegram, although in some cases the threat actor is believed to have taken control of legitimate accounts.
Under the assumed persona, Jade Sleet initiates contact with the targets and invites them to collaborate on a GitHub repository, convincing the victims into cloning and running the contents, which feature decoy software with malicious npm dependencies that act as first-stage malware to download and execute second-stage payloads on the infected machine.
The malicious npm packages, per GitHub, are part of a campaign that first came to light last month, when Phylum detailed a supply chain threat involving a unique execution chain that uses a pair of fraudulent modules to fetch an unknown piece of malware from a remote server.
SentinelOne, in its latest analysis, said 144.217.92[.]197, an IP address linked to the JumpCloud attack, resolves to npmaudit[.]com, one of the eight domains listed by GitHub as used to fetch the second-stage malware. A second IP address 23.29.115[.]171 maps to npm-pool[.]org.
“It is evident that North Korean threat actors are continuously adapting and exploring novel methods to infiltrate targeted networks,” SentinelOne security researcher Tom Hegel said. “The JumpCloud intrusion serves as a clear illustration of their inclination towards supply chain targeting, which yields a multitude of potential subsequent intrusions.”
“The DPRK demonstrates a profound understanding of the benefits derived from meticulously selecting high-value targets as a pivot point to conduct supply chain attacks into fruitful networks,” Hegel added.
Russian Hackers Threaten to Release Masses of Private Data Stolen from Irish Communications Regulator
A notorious Russian cybercriminal gang has threatened to publish masses of private information stolen from ComReg, the Irish communications regulator. The group, which is known as Cl0p, said on Tuesday it has 143 gigabytes of ComReg data which was stolen in a ransomware attack on the Government agency in May.
Neither ComReg or the National Cyber Security Centre (NCSC), which is responding to the attack, would confirm yesterday if the data belongs to the agency or if it has yet been published.
ComReg is responsible for regulating communications companies, including internet service providers, broadcasters and mobile phone providers. It holds large amounts of sensitive data relating to the telecommunications industry.
The agency was one of many organisations targeted in a cyberattack by the Cl0p ransomware group which is based in Russia. The group carried out the attack by exploiting a weakness in Moveit, a file transfer system used by ComReg.
ComReg said last month a “relatively small number” of its files were impacted. “Of these, an even smaller proportion concerned either personal data or confidential commercial information that had been provided to ComReg by regulated entities.”
It is understood the agency has drafted in a private cyber security company to help respond to the attack. The Garda National Cyber Crime Bureau is also investigating and the Data Protection Commission has been notified. Last month, ComReg wrote to various telecommunications companies to inform them their data had been stolen.
“The NCSC is aware of the recent cyberattack on the secure file transfer platform ‘MoveIt’. The NCSC does not comment on operational issues,” said a spokesman for the Department of Communications, which oversees the NCSC.
Cl0p is the name of the ransomware used in the attack but it is also used to refer to the loose network of cybercriminals which control it. Almost two million individuals and 369 organisations have been impacted so far including Siemens Energy, Deutsche Bank and many United States educational institutes.
The criminals threatened to publish victims’ data if they did not receive a ransom payment in cryptocurrency. The deadline to begin the process of paying the ransom was June 14th.
Cl0p’s targeting of a Government agency is unusual as it claims it does not go after public bodies.
“If you are a Government, city or police service do not worry, we erased all your data. You do not need to contact us. We have no interest to expose such information,” the group states in the ransom instructions it sends to victims.
As well as ComReg, the group also appears to have targeted its equivalent agency in the UK, Ofcom. It claims to have 62 gigabyte of data from the organization. It is Irish Government policy not to pay ransoms to cybercriminals, as demonstrated following the ransomware attack on the HSE in 2021 by Russian based criminals. Cl0p is one of the oldest cybercrime gangs still in existence. As well as operating from Russia, many of its members are believed to have operated from Ukraine and other eastern European countries.
Zero-Day Attacks Exploited Critical Vulnerability in Citrix ADC and Gateway
Citrix is alerting users of a critical security flaw in NetScaler Application Delivery Controller (ADC) and Gateway that it said is being actively exploited in the wild.
Tracked as CVE-2023-3519 (CVSS score: 9.8), the issue relates to a case of code injection that could result in unauthenticated remote code execution. It impacts the following versions –
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
- NetScaler ADC and NetScaler Gateway version 12.1 (currently end-of-life)
- NetScaler ADC 13.1-FIPS before 13.1-37.159
- NetScaler ADC 12.1-FIPS before 12.1-55.297, and
- NetScaler ADC 12.1-NDcPP before 12.1-55.297
The company did not give further details on the flaw tied to CVE-2023-3519 other than to say that exploits for the flaw have been observed on “unmitigated appliances.” However, successful exploitation requires the device to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authorization and accounting (AAA) virtual server.
Also addressed alongside CVE-2023-3519 are two other bugs –
- CVE-2023-3466 (CVSS score: 8.3) – An improper input validation vulnerability resulting in a reflected cross-site scripting (XSS) attack
- CVE-2023-3467 (CVSS score: 8.0) – An improper privilege management vulnerability resulting in privilege escalation to the root administrator (nsroot)
Wouter Rijkbost and Jorren Geurts of Resillion have been credited with reporting the bugs. Patches have been made available to address the three flaws in the below versions –
- NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
- NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
- NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
- NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS, and
- NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP
Customers of NetScaler ADC and NetScaler Gateway version 12.1 are recommended to upgrade their appliances to a supported version to mitigate potential threats.
The development comes amid active exploitation of security flaws discovered in Adobe ColdFusion (CVE-2023-29298 and CVE-2023-38203) and the WooCommerce Payments WordPress plugin (CVE-2023-28121).
Leaving security flaws in WordPress plugins could open the door to complete compromise, enabling threat actors to repurpose the compromised WordPress sites for other malicious activities.
Last month, an attack campaign dubbed Nitrogen was disclosed which infected WordPress sites have been used to host malicious ISO image files that, when launched, culminate in the deployment of rogue DLL files capable of contacting a remote server to fetch additional payloads, including Python scripts and Cobalt Strike.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added the Citrix remote code execution flaw to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. To that end, Federal Civilian Executive Branch (FCEB) agencies are required to remediate the issue by August 9, 2023, to secure their networks against potential threats.
Ukraine Takes Down Massive Bot Farm, Seizes 150,000 SIM Cards
The Cyber Police Department of the National Police of Ukraine dismantled another massive bot farm linked to more than 100 individuals after searches at almost two dozen locations. The bots were used to push Russian propaganda justifying Russia’s war in Ukraine, to disseminate illegal content and personal information, and in various other fraudulent activities.
In a joint operation, the cyber police and units of the Ukrainian National Police executed 21 search operations in Vinnytsia, Zaporizhzhia, and Lvivand. They seized computer equipment, mobile phones, over 250 GSM gateways, and roughly 150,000 SIM cards of multiple mobile operators.
”The cyber police established that the attackers used special equipment and software to register thousands of bot accounts in various social networks and subsequently launch advertisements that violated the norms and legislation of Ukraine,” a cyber police press release reads.
“In addition to spreading hostile propaganda, the accounts were also used for unauthorized distribution of personal data of Ukrainian citizens on the Internet, in Internet fraud schemes, and for sending known false messages about threats to citizens’ safety, destruction or damage to property.”
Since the start of the war in Ukraine, Russian threat actors have been involved in disinformation campaigns targeting Ukraine and have invested in Ukraine-based bot farms. For instance, in September 2022, the Cyber Department of the Ukrainian Security Service (SSU) took down another army of thousands of bots spreading Russian disinformation across multiple messaging platforms and social networks.
In August 2022, the Ukrainian cyber police dismantled a massive bot farm of more than 1,000,000 bots that was also used to spread Russian disinformation and fake news on social networks. Months earlier, the SSU also announced it shut down five fake news networks controlling over 100,000 fake social media accounts.
These disinformation bot farms operated from Kharkiv, Cherkasy, Ternopil, and Zakarpattia to discourage Ukrainians and instill panic by pushing false information about the Russian invasion of Ukraine.
Ukraine’s President Volodymyr Zelenskyy was also targeted in several misinformation campaigns, two of them pushing video deepfakes on Facebook and hacked Ukrainian radio stations to spread fake news that Zelenskyy was in critical condition—Russian threat actors are believed to be behind both.
Recycling Giant Tomra Takes Systems Offline Following Cyberattack
Norwegian recycling giant Tomra has taken some of its systems offline after falling victim to what it describes as an extensive cyberattack. A multinational company, Tomra manufactures waste collection and sorting products, including reverse vending machines and food sorters. The company operates close to 100,000 recycling systems worldwide.
On Monday, Tomra announced that some of its data systems were impacted by a cyberattack that was discovered on July 16, and that it immediately disconnected some systems to contain the incident.
In an update on Tuesday, the company announced that it had disconnected additional systems, and that it would keep all impacted systems offline until the incident is resolved.
“No new hostile activities have been detected,” the company announced.
“Our primary aim is to continue to deliver our services to customers, reducing the impact this attack has on them. The attack currently has limited impact on Tomra’s customer operations. Most of Tomra’s digital services are designed to operate offline for a certain amount of time but may have reduced functionality in the interim,” Tomra said.
The company announced that its internal IT services and some back office applications remain offline, with an impact on its supply chain management. With major office locations offline, employees have been asked to work remotely.
Tomra’s reverse vending machines (RVMs) in Australia and North America remain fully operational, RVMs in Europe and Asia continue to work in offline mode, but some older models are no longer operating. The company’s recycling and food sorter systems are operating as usual, with some limited functionality due to digital services being offline.
“We continue to work tirelessly to resolve the situation, and remain in dialogue with relevant authorities. We have not received any contact from those who are behind the attack,” the company said.
While Tomra has not shared details on the type of cyberattack it experienced, it is likely that file-encrypting ransomware was involved. Taking systems offline is a typical incident response step in the event of ransomware.
Cybersecurity Firm Sophos Impersonated by New SophosEncrypt Ransomware
Cybersecurity vendor Sophos is being impersonated by a new ransomware-as-a-service called SophosEncrypt, with the threat actors using the company name for their operation. Discovered yesterday, the ransomware was initially thought to be part of a red team exercise by Sophos.
However, the Sophos X-Ops team tweeted that they did not create the encryptor and that they are investigating its launch.
“We found this on VT earlier and have been investigating. Our preliminary findings shows Sophos InterceptX protects against these ransomware samples,” tweeted Sophos.
While little is known about the RaaS operation and how it is being promoted, a sample of the encryptor was found, allowing us to get a quick look at how it operates.
The ransomware encryptor is written in Rust and uses the ‘C:\Users\Dubinin\’ path for its crates. Internally, the ransomware is named ‘sophos_encrypt,’ so it has been dubbed SophosEncrypt, with detections already added to ID Ransomware.
When executed, the encryptor prompts the affiliate to enter a token associated with the victim that is likely first retrieved from the ransomware management panel.
When a token is entered, the encryptor will connect to 220.127.116.11:21119 and verify if the token is valid. Ransomware expert Michael Gillespie found it possible to bypass this verification by disabling your network cards, effectively running the encryptor offline.
When a valid token is entered, the encryptor will prompt the ransomware affiliate for additional information to be used when encrypting the device. This information includes a contact email, jabber address, and a 32-character password, which Gillespie says is used as part of the encryption algorithm.
The encryptor will then prompt the affiliate to encrypt one file or encrypt the entire device, as shown below. When encrypting files, Gillespie told BleepingComputer that it uses AES256-CBC encryption with PKCS#7 padding.
Each encrypted file will have the entered token, the entered email, and the sophos extension appended to a file’s name in the format :.[].[].sophos. This is illustrated below in a test encryption by BleepingComputer.
In each folder that a file is encrypted, the ransomware will create a ransom note named information.hta, which is automatically launched when the encryption is finished. This ransom note contains information on what happened to a victim’s files and the contact information entered by the affiliate before encrypting the device.
The ransomware also has the capability to change the Windows desktop wallpaper, with the current wallpaper boldly displaying the ‘Sophos’ brand that it is impersonating. This wallpaper was created by the threat actors and has no association with the legitimate Sophos cybersecurity company.
The encryptor contains numerous references to a Tor site located at http://xnfz2jv5fk6dbvrsxxf3dloi6by3agwtur2fauydd3hwdk4vmm27k7ad.onion.
This Tor site is not a negotiation or data leak site but rather what appears to be the affiliate panel for the ransomware-as-a-service operation.
Sophos also released a report on the new SophosEncrypt ransomware. According to their report, the ransomware gang’s command and control server at 18.104.22.168 is also linked to Cobalt Strike C2 servers used in previous attacks.
“In addition, both samples contain a hardcoded IP address (one we did see the samples connect to),” explains Sophos’ report.
“The address has been associated for more than a year with both Cobalt Strike command-and-control and automated attacks that attempt to infect internet-facing computers with cryptomining software.”
FIN8 Deploys ALPHV Ransomware Using Sardonic Malware Variant
A financially motivated cybercrime gang has been observed deploying BlackCat ransomware payloads on networks backdoored using a revamped Sardonic malware version. Tracked as FIN8 (aka Syssphinx), this threat actor has been actively operating since at least January 2016, focusing on targeting industries such as retail, restaurants, hospitality, healthcare, and entertainment.
Since they were first spotted and tagged as a threat group, FIN8 has been linked to many large-scale campaigns characterized by their sporadic nature. However, their attacks have impacted numerous organizations, leaving a footprint of hundreds of victims in their wake.
The arsenal employed by this threat actor is extensive, encompassing a wide range of tools and tactics, including POS malware strains like BadHatch, PoSlurp/PunchTrack, and PowerSniff/PunchBuggy/ShellTea, as well as the exploitation of Windows zero-day vulnerabilities and spear-phishing campaigns.
They’ve also switched from BadHatch to a C++-based backdoor known as Sardonic, which, according to security researchers who discovered it in 2021, can collect information, execute commands, and deploy additional malicious modules as DLL plugins. A revamped version of this backdoor was deployed in December 2022 attacks, a variant that shares functionality with the version discovered by Bitdefender.
While their attacks’ end goal revolves around stealing payment card data from Point-of-Sale (POS) systems, FIN8 has expanded from point-of-sale to ransomware attacks to maximize profits. For instance, the gang was, for the first time, seen in June 2021 deploying ransomware (Ragnar Locker payloads) on the compromised systems of a financial services company in the United States.
Six months later, in January 2022, White Rabbit ransomware was also linked to FIN8 after researchers discovered links to the gang’s infrastructure when analyzing the ransomware’s deployment stage. Moreover, the Sardonic backdoor was also used during the White Rabbit ransomware attacks, further linking them to FIN8.
In a more recent development, FIN8 hackers were also observed deploying BlackCat (aka ALPHV) ransomware in the December 2022 attacks where the new Sardonic malware variant was used.
Google Cloud Build Bug Lets Hackers Launch Supply Chain Attacks
A critical design flaw in the Google Cloud Build service recently discovered can let attackers escalate privileges, providing them with almost nearly-full and unauthorized access to Google Artifact Registry code repositories.
Dubbed Bad.Build, this flaw could enable the threat actors to impersonate the service account for the Google Cloud Build managed continuous integration and delivery (CI/CD) service to run API calls against the artifact registry and take control over application images. This allows them to inject malicious code, resulting in vulnerable applications and potential supply chain attacks after deploying the malicious applications within customers’ environments.
The first and immediate impact is disrupting the applications relying on these images. This can lead to DOS, data theft and spreading malware to users. Their method to exploit this privilege escalation flaw is complex, involving the use of the GCP API and exfiltrated Cloud Build Service Account access tokens.
The attack takes advantage of the cloudbuild.builds.create permission to escalate privileges and allow attackers to tamper with Google Kubernetes Engine (GKE) docker images using artifact registry permissions and run code inside the docker container as root.
After the issue was reported, the Google Security Team implemented a partial fix revoking the logging.privateLogEntries.list permission from the default Cloud Build Service Account, unrelated to Artifact Registry.
It is important to note that this measure did not directly address the underlying vulnerability in the Artifact Registry, leaving the privilege escalation vector and the risk of a supply chain attack intact.
It’s therefore important that organizations pay close attention to the behavior of the default Google Cloud Build service account. Applying the Principle of Least Privilege and implementing cloud detection and response capabilities to identify anomalies are some of the recommendations for reducing risk.
Google Cloud Build customers are advised to modify the default Cloud Build Service Account permissions to match their needs and remove entitlement credentials that go against the Principle of Least Privilege (PoLP) to mitigate the privilege escalation risks.
In April, Google also addressed a Google Cloud Platform (GCP) security vulnerability dubbed GhostToken that let attackers backdoor any Google account using malicious OAuth applications.
VirusTotal Data Leak Exposes Some Registered Customers’ Details
Data associated with a subset of registered customers of VirusTotal, including their names and email addresses, were exposed after an employee inadvertently uploaded the information to the malware scanning platform. The security incident, comprises a database of 5,600 names in a 313KB file.
Launched in 2004, VirusTotal is a popular service that analyzes suspicious files and URLs to detect types of malware and malicious content using antivirus engines and website scanners. It was acquired by Google in 2012 and became a subsidiary of Google Cloud’s Chronicle unit in 2018.
When reached for comment, Google confirmed the leak and said it took immediate steps to remove the data.
“We are aware of the unintentional distribution of a small segment of customer group administrator emails and organization names by one of our employees on the VirusTotal platform,” a Google Cloud spokesperson said.
“We removed the list from the platform within an hour of its posting and we are looking at our internal processes and technical controls to improve our operations in the future.”
Included among the data are accounts linked to official U.S. bodies such as the Cyber Command, Department of Justice, Federal Bureau of Investigation (FBI), and the National Security Agency (NSA). Other accounts belong to government agencies in Germany, the Netherlands, Taiwan, and the U.K.
Last year, Germany’s Federal Office for Information Security (BSI) warned against automating uploading of suspicious email attachments to VirusTotal, noting that doing so could lead to the exposure of sensitive information.
Meet NoEscape: Avaddon Ransomware Gang’s Likely Successor
The new NoEscape ransomware operation is believed to be a rebrand of Avaddon, a ransomware gang that shut down and released its decryption keys in 2021. NoEscape launched in June 2023 when it began targeting the enterprise in double-extortion attacks. As part of these attacks, the threat actors steal data and encrypt files on Windows, Linux, and VMware ESXi servers.
The threat actors then threaten to publicly release stolen data if a ransom is not paid. NoEscape ransomware demands are thought to be ranging between hundreds of thousands of dollars to over $10 million.
Like other ransomware gangs, NoEscape does not allow its members to target CIS (ex-Soviet Union) countries, with victims from those countries receiving free decryptors and information on how they were breached. At this time, the ransomware gang has listed ten companies from different countries and industries on their data leak site, illustrating that they are not targeting a particular vertical.
The Avaddon ransomware operation launched in June 2020 using phishing campaigns to target corporate victims. However, in June 2021, a month after the FBI and Australian law enforcement released Avaddon advisories, the ransomware gang suddenly shut down its operation and shared victims’ decryption keys in an anonymous tip. Since then, there has not been any known ransomware or extortion activity associated with the threat actors until last month with the launch of the NoEscape ransomware operation.
NoEscape’s and Avaddon’s ransomware encryptors are almost identical, with only one notable change in encryption algorithms. Previously, the Avaddon encryptor utilized AES for file encryption, with NoEscape switching to the Salsa20 algorithm. Otherwise, the encryptors are virtually identical, with the encryption logic and file formats almost identical, including a unique way of chunking of the RSA encrypted blobs.
Avaddon and NoEscape encryptors use the same configuration file and directives as described in this Mandiant article and outlined below. While it is possible that the NoEscape threat actors purchased the source code of the encryptor from Avaddon, researchers believe that some of the core Avaddon members are now part of the new ransomware operation.
When executed, NoEscape will run commands to delete Windows Shadow Volume Copies, local Windows backup catalogs, and to turn off Windows automatic repair. The encryptor will then begin to terminate the following processes, including those associated with security software, backup applications, and web and database servers. It will also stop Windows services associated with databases, QuickBooks, security software, and virtual machine platforms.
The ransomware terminates these applications to unlock files that may be opened and prevented from being encrypted. However, even if files are locked, the encryptor utilizes the Windows Restart Manager API to close processes or shut down Windows services that may keep a file open and prevent encryption.
During encryption, it could be configured to use three modes:
- Full – the entire file is encrypted
- Partial – Only the first X megabytes are encrypted.
- Chunked – Uses intermittent encryption to encrypt chunks of data.
However, NoEscape includes a configuration option that forces the encryptor to fully encrypt files with the accdb, edb, mdb, mdf, mds, ndf, and sql file extensions.
Files are encrypted using Salsa20, with the encryption key encrypted with a bundled RSA public key. Encrypted files will have a 10 character extension appended to the filename, which is unique for each victim. The encryptor will also configure a scheduled task named ‘SystemUpdate’ for persistence on the device and to launch the encryptor when logging into Windows.
The ransomware will also change the Windows wallpaper to an image telling victims they can find instructions in the ransom notes named HOW_TO_RECOVER_FILES.txt. The HOW_TO_RECOVER_FILES.txt ransom notes are located in each folder on the device and include information on what happened to a victim’s files and links to the NoEscape Tor negotiation site.
“We are not a politically company and we are not interested in your private affairs. We are a commercial company, and we are only interested in money,” promises the NoEscape ransom note.
On Linux, the /etc/motd is also replaced with the ransom note, which is displayed to victims when they log in.
The ransom notes contain a “personal ID” required to log in to the threat actor’s Tor payment site and access the victim’s unique negotiation page. This page includes the ransom amount in bitcoins, a test decryption feature, and a chat panel to negotiate with the threat actors.
After paying, victims will be shown a list of available decryptors, which are those for Windows XP, modern versions of Windows, and Linux.
For enterprise victims running VMware ESXi, NoEscape provides a shell script that can be used to restore the /etc/motd and decrypt files using the Linux decryptor.
Like other ransomware operations, NoEscape will breach a corporate network and spread laterally to other devices. Once the threat actors gain Windows domain admin credentials, they will deploy the ransomware throughout the network.
However, before encrypting files, the threat actors have already stolen corporate data to be used as leverage in their extortion attempts. The threat actors then warn victims that their data will be publicly released or sold to other threat actors if a ransom is not paid.
NoEscape has leaked the data or begun extorting ten victims on their data leak site, with the size of leaked data ranging from 3.7 GB for one company to 111 GB for another.
Criminals Launch Subscription-based WormGPT Without Ethical Constraints
Cybercriminals are now fluent in the AI-based tool WormGPT, which automates phishing emails and facilitates business email compromise (BEC) attacks using exceptional grammar in multiple languages. It’s like ChatGPT without any ethical boundaries or limitations.
The new cyber weapon WormGPT is supposed to revolutionize phishing attacks by generating human-like text based on the input it receives. This is a whole new vector for business email compromise attacks.
Cybercriminals can now use the technology to automate the creation of compelling fake emails personalized to recipients, and hold conversations without much personal involvement. This increases the scope and chances of successful attacks.
Interestingly, WormGPT doesn’t use OpenAI’s tech. It’s based on the GPT-J open-source large language model developed in 2021, has over 6 billion parameters, and boasts various features including unlimited character support, chat memory retention, and code formatting capabilities. Its performance is described as similar to an older GPT-3 model.
The WormGPT’s author supposedly used diverse data sources, mainly concentrating on malware-related data, to train WormGPT.
Experiments with WormGPT showed that unsuspecting account managers would have difficulty distinguishing fraudulent emails, as those are remarkably persuasive, strategically cunning, and have impeccable grammar.
WormGPT is subscription-based and costs 100 euros monthly or 550 euros yearly, while the private setup would set adversaries back with 5000 euros. A 5 percent discount is offered using the coupon code “SAGE.” Potential buyers must contact the developer by Telegram.
According to researchers, companies should train employees, implement strict email verification, and test security measures.
Even ChatGPT, when “jailbroken” with carefully crafted prompts, is able to “facilitate a significant number of criminal activities, ranging from helping criminals to stay anonymous to specific crimes including terrorism and child sexual exploitation,” Europol noted in a recent report.
Malicious actors are now filling dark-web forums with their own custom modules that are specifically trained to help with cybercrimes. And the subsequent iterations of large language models will be worse as they will have access to more data and be able to solve more complex problems.
“Dark LLMs trained to facilitate harmful output may become a key criminal business model of the future,” Europol noted.