Archive for August 10, 2023

HP sees attackers combine simple methods to fool detection tools and deploy multi-language malware

Posted in Commentary on August 10, 2023 by itnerd

A new threat blog from HP Wolf Security’s threat research team has just gone online. It shows how opportunistic threat actors can use simple techniques and inexpensive cybercrime tools to bypass Windows security features and anti-virus scanners. HP Sure Click protects users from this type of attack, and it was Sure Click that enabled HP to capture the malware trace. The blog also outlines HP’s analysis of the attack and describes mitigations for organizations that aren’t protected. In this case, threat actors used a mix of simple-but-effective and clever tricks to infect victim PCs with AsyncRAT, a remote access trojan that steals sensitive information:

  • The art of illusion: What’s in a name? By simply mislabelling unusual file types (such as batch files) as something more familiar (like a PDF), attackers can trick users into clicking on malicious attachments. This basic technique takes advantage of Windows hiding file extensions by default: a batch (.bat) file saved as “hello.pdf.bat” shows up as “hello.pdf” in Windows File Explorer. While this technique is not new, we see it being used more frequently by commodity threat actors.
  • Ones and zeroes – Attackers are artificially inflating their malicious files by padding them with millions of meaningless ones and zeros. Some were almost 2GB in size, too large for many anti-malware scanners to analyze, allowing malware to slip past a critical detection measure. Because the inflated section follows a repeating pattern, the malware can be compressed into an archive file only a few megabytes large – ideal for spreading the malware in spam campaigns.
  • Here comes the clever part: multi-language malware – by using multiple programming languages, the threat actor evaded detection by encrypting the payload using a crypter written in Go, before disabling the anti-malware scanning features that would usually detect it. The attack then switches language to C++ to interact with the victim’s operating system and run the .NET malware in memory – leaving minimal traces on the PC.
    • In-memory execution of .NET files from C++ requires in-depth knowledge of undocumented Windows internals, but threat actors can access these techniques through tools sold in hacker forums. 
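
The first two tricks above (a decoy document extension in front of the real executable one, and a file inflated with long runs of a repeated byte) are cheap to screen for at a mail gateway or as a pre-filter in front of a scanner that gives up on very large files. The script below is an added example, not code from HP Wolf Security's blog: it reproduces what Explorer displays when extensions are hidden, flags decoy-plus-executable double extensions, and measures how much of a byte buffer is single-byte padding and how far it deflates. The extension lists, the 4 KiB block size, the thresholds and the sample buffers are all constructed assumptions.

```python
"""Triage helpers for the double-extension and file-inflation tricks.

Added example (not HP Wolf Security's code). Everything below that looks
like a policy choice (extension sets, block size, thresholds) is an assumption.
"""
from __future__ import annotations

import os
import random
import zlib
from dataclasses import dataclass

# Assumption: extensions Windows runs or interprets as a script on double-click.
EXECUTABLE_EXTS = {"bat", "cmd", "exe", "scr", "com", "pif", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "ps1", "hta", "lnk", "msi"}
# Assumption: extensions a user expects to open harmlessly.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
              "txt", "jpg", "jpeg", "png", "gif", "zip"}
BLOCK = 4096  # assumption: a 4 KiB block of one repeated byte counts as padding


def displayed_name(filename: str) -> str:
    """What Explorer shows with 'Hide extensions for known file types' on:
    the final extension is dropped, so 'hello.pdf.bat' renders as 'hello.pdf'."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def has_deceptive_extension(filename: str) -> bool:
    """True when the real (final) extension is executable but the name the
    user sees ends in a decoy document or image extension."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, decoy, real = parts
    return real in EXECUTABLE_EXTS and decoy in DECOY_EXTS


@dataclass
class PaddingReport:
    size: int
    run_fraction: float       # share of bytes sitting in single-byte padding blocks
    longest_run: int          # longest stretch of padding blocks with one byte value
    compressed_ratio: float   # zlib(level 1) output size / input size


def measure_padding(data: bytes, block: int = BLOCK) -> PaddingReport:
    """Scan whole blocks; a block made of one repeated byte is padding.
    Runs are measured in whole blocks, which is coarse but fast and allocation-free."""
    n = len(data)
    padded = longest = current = 0
    prev_byte = None
    for off in range(0, n, block):
        chunk = data[off:off + block]
        if len(chunk) == block and chunk == chunk[:1] * block:
            padded += block
            current = current + block if chunk[0] == prev_byte else block
            prev_byte = chunk[0]
            longest = max(longest, current)
        else:
            prev_byte, current = None, 0
    ratio = len(zlib.compress(data, 1)) / n if n else 1.0
    return PaddingReport(n, padded / n if n else 0.0, longest, ratio)


def is_padded(rep: PaddingReport, run_threshold: float = 0.5,
              compress_threshold: float = 0.05) -> bool:
    """Assumed policy: mostly padding, or deflates to under 5% of its size."""
    return rep.run_fraction >= run_threshold or rep.compressed_ratio <= compress_threshold


def triage(filename: str, data: bytes) -> list[str]:
    """Return human-readable findings for one attachment (empty list = nothing seen)."""
    findings = []
    if has_deceptive_extension(filename):
        real = filename.rsplit(".", 1)[-1]
        findings.append(f"double extension: shown as '{displayed_name(filename)}' "
                        f"but Windows runs it as .{real}")
    rep = measure_padding(data)
    if is_padded(rep):
        findings.append(f"inflated: {rep.run_fraction:.0%} of {rep.size} bytes is "
                        f"single-byte padding; deflates to {rep.compressed_ratio:.2%}")
    return findings


# Constructed samples: 4 KiB of seeded pseudo-random bytes stand in for real
# code; the "inflated" one appends 1 MiB of zeros, as the padded samples did.
CLEAN_SAMPLE = random.Random(7).randbytes(4096)
PADDED_SAMPLE = CLEAN_SAMPLE + b"\x00" * (1 << 20)

if __name__ == "__main__":
    for name, blob in (("report.pdf", CLEAN_SAMPLE), ("hello.pdf.bat", PADDED_SAMPLE)):
        print(name, "->", triage(name, blob) or "no findings")
```

The block scan is linear and touches no more memory than one block at a time, so it is safe to run on a multi-gigabyte attachment before handing it to a scanner with a size cap; `zlib.compress` over the whole buffer is the expensive part, and on very large inputs you would sample it rather than compress everything. The displayed name check is the piece worth surfacing to users: showing "hello.pdf (runs as .bat)" in a quarantine notice explains the trick better than a generic block message.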

The blog is here for your reading pleasure.

DARPA Launches $20 Million AI Cyber Challenge To Hunt & Fix AI Vulnerabilities

Posted in Commentary on August 10, 2023 by itnerd

The US Defense Advanced Research Projects Agency (DARPA) has just launched the AI Cyber Challenge (AIxCC), a new competition that challenges the nation’s top AI and cybersecurity talent to automatically find and fix software vulnerabilities and defend critical infrastructure from cyberattacks. The Challenge offers $20 million in prize money.

AIxCC will allow two tracks for participation: the Funded Track and the Open Track. Funded Track competitors will be selected from proposals submitted to a Small Business Innovation Research solicitation. Up to seven small businesses will receive funding to participate. Open Track competitors will register with DARPA via the competition website and will proceed without DARPA funding. 

Teams on all tracks will participate in a qualifying event during the semifinal phase, where the top scoring teams (up to 20) will be invited to participate in the semifinal competition. Of these, the top scoring teams (up to five) will receive monetary prizes and continue to the final phase and competition. The top three scoring competitors in the final competition will receive additional monetary prizes.

Chloé Messdaghi, Head of Threat Research, Protect AI, said: 

“We applaud the administration for its recognition of the crucial role the hacker community can play in identifying, codifying and closing the major security gaps that AI and ML platforms embody, foster or at the least, don’t address.  

“Protect AI has just launched the Huntr platform to pay security researchers for discovering vulnerabilities in open-source software, focusing exclusively on AI/ML threat research. We launched Huntr specifically because we noticed two things. 

“First, people in security aren’t aware of all of the vulnerabilities inherent in AI & ML or that improper usage can create and amplify. A platform that helps bug bounty hunters find vulns is critically important to helping drive new generations of safe, secure and effective AI-driven technologies and systems. 

“Also, we are offering educational content for security professionals to help them learn and grow as a community through our MLSecOps community platform.  

“Again, it’s great to see the Administration, the cybersecurity community and the hacker community come together to help ensure a safe future. The hacker community has been committed to and contributing to exactly this type of future for the last two decades.”

This is a good initiative by DARPA, as we need to get ahead of any AI-related vulnerabilities before a threat actor takes advantage of them. Hopefully we see more of this.

Google’s Messages App Now Defaults To RCS In Latest Move To Replace SMS

Posted in Commentary on August 10, 2023 by itnerd

Google has announced it is making its Messages by Google app more secure: RCS is now the default for both new and existing Messages users, and end-to-end encryption for group chats is now fully available to all RCS users. “RCS is the modern industry standard for dynamic and secure messaging. And now, all of your RCS conversations in Messages by Google are end-to-end encrypted, including group chats, which keeps them private between you and the people you’re messaging,” Google says. With RCS enabled, users can take advantage of more advanced messaging features, similar to those iMessage users have, such as:

  • Share high-res photos and videos
  • See typing indicators
  • Get read receipts
  • Send messages over mobile data and Wi-Fi
  • Rename, edit and remove themselves from group chats
  • Use end-to-end encryption

Since rolling out RCS to U.S. Android users in 2019, Google has been pressuring Apple to adopt the technology in iMessage, including by launching a website to explain why RCS benefits consumers, but Apple has stated in court filings that it has no interest in making a version of iMessage for Android.

Ted Miracco, CEO, Approov Mobile Security, had this to say:

“Securing the mobile ecosystem is an important focus for both Google and Apple. RCS helps the Android ecosystem by adding some important security features that can help mitigate phishing messages, such as encryption and verified sender information. However, no messaging platform, including iMessage, is completely immune to phishing attempts. It’s still important for users to be cautious and exercise good judgment when interacting with messages. A more secure mobile environment is in everyone’s best interest, so we support this move by Google.”

I’m pretty sure that Apple doesn’t support this move as they have no need to do so. We’ll see how this latest move by Google works out.