Archive for ESET

ESET Threat Report H2 2023 Is Out

Posted in Commentary with tags on January 5, 2024 by itnerd

ESET published their H2 threat report over the holidays. It reveals the latest malware trends as seen in ESET telemetry and from the perspective of ESET threat detection and research experts.

The second half of 2023 saw notable cybersecurity incidents, including the Cl0p group’s “MOVEit hack,” a kill switch affecting the Mozi IoT botnet, emergence of the Android/Pandora threat, AI-enabled attacks on tools like ChatGPT, increased Android spyware cases with SpinOk, persistent threats like JS/Agent and Magecart due to unpatched websites, and a rise in cryptostealers, particularly the Lumma Stealer targeting cryptocurrency wallets, highlighting the dynamic nature of the cybersecurity landscape.

Read the full report here.

Guest Post: Navigating the security and privacy challenges of large language models

Posted in Commentary with tags on November 7, 2023 by itnerd

Everyone’s talking about ChatGPT, Bard and generative AI as such. But after the hype inevitably comes the reality check. While business and IT leaders alike are abuzz with the disruptive potential of the technology in areas like customer service and software development, they’re also increasingly aware of some potential downsides and risks to watch out for.

In short, for organizations to tap the potential of large language models (LLMs), they must also be able to manage the hidden risks that could otherwise erode the technology’s business value.

How do LLMs work?

ChatGPT and other generative AI tools are powered by LLMs. They work by using artificial neural networks to process enormous quantities of text data. After learning the patterns between words and how they are used in context, the model is able to interact in natural language with users. In fact, one of the main reasons for ChatGPT’s standout success is its ability to tell jokes, compose poems and generally communicate in a way that is difficult to tell apart from a real human.


The LLM-powered generative AI models, as used in chatbots like ChatGPT, work like super-charged search engines, using the data they were trained on to answer questions and complete tasks with human-like language. Whether they’re publicly available models or proprietary ones used internally within an organization, LLM-based generative AI can expose companies to certain security and privacy risks.

5 of the key LLM risks

  1. Oversharing sensitive data

LLM-based chatbots aren’t good at keeping secrets – or forgetting them, for that matter. That means any data you type in may be absorbed by the model and made available to others or at least used to train future LLM models. Samsung workers found this out to their cost when they shared confidential information with ChatGPT while using it for work-related tasks. The code and meeting recordings they entered into the tool could theoretically be in the public domain (or at least stored for future use, as pointed out by the United Kingdom’s National Cyber Security Centre recently). Earlier this year, we took a closer look at how organizations can avoid putting their data at risk when using LLMs.

  2. Copyright challenges

LLMs are trained on large quantities of data. But that information is often scraped from the web, without the explicit permission of the content owner. That can create potential copyright issues if you go on to use it. However, it can be difficult to find the original source of specific training data, making it challenging to mitigate these issues.

  3. Insecure code

Developers are increasingly turning to ChatGPT and similar tools to help them accelerate time to market. In theory it can help by generating code snippets and even entire software programs quickly and efficiently. However, security experts warn that it can also generate vulnerabilities. This is a particular concern if the developer doesn’t have enough domain knowledge to know what bugs to look for. If buggy code subsequently slips through into production, it could have a serious reputational impact and require time and money to fix. 

  4. Hacking the LLM itself

Unauthorized access to and tampering with LLMs could provide hackers with a range of options to perform malicious activities, such as getting the model to divulge sensitive information via prompt injection attacks or perform other actions that are supposed to be blocked. Other attacks may involve exploitation of server-side request forgery (SSRF) vulnerabilities in LLM servers, enabling attackers to extract internal resources. Threat actors could even find a way of interacting with confidential systems and resources simply by sending malicious commands through natural language prompts.


As an example, ChatGPT had to be taken offline in March following the discovery of a vulnerability that exposed the titles from the conversation histories of some users to other users. In order to raise awareness of vulnerabilities in LLM applications, the OWASP Foundation recently released a list of 10 critical security loopholes commonly observed in these applications.

  5. A data breach at the AI provider

There’s always a chance that a company that develops AI models could itself be breached, allowing hackers to, for example, steal training data that could include sensitive proprietary information. The same is true for data leaks – such as when Google was inadvertently leaking private Bard chats into its search results.

What to do next

If your organization is keen to start tapping the potential of generative AI for competitive advantage, there are a few things it should be doing first to mitigate some of these risks:

  • Data encryption and anonymization: Encrypt data before sharing it with LLMs to keep it safe from prying eyes, and/or consider anonymization techniques to protect the privacy of individuals who could be identified in the datasets. Data sanitization can achieve the same end by removing sensitive details from training data before it is fed into the model.
  • Enhanced access controls: Strong passwords, multi-factor authentication (MFA) and least privilege policies will help to ensure only authorized individuals have access to the generative AI model and back-end systems.
  • Regular security audits: This can help to uncover vulnerabilities in your IT systems which may impact the LLM and generative AI models on which it's built.
  • Practice incident response plans: A well-rehearsed and solid IR plan will help your organization respond rapidly to contain, remediate and recover from any breach.
  • Vet LLM providers thoroughly: As for any supplier, it’s important to ensure the company providing the LLM follows industry best practices around data security and privacy. Ensure there’s clear disclosure over where user data is processed and stored, and if it’s used to train the model. How long is it kept? Is it shared with third parties? Can you opt in/out of your data being used for training?
  • Ensure developers follow strict security guidelines: If your developers are using LLMs to generate code, make sure they adhere to policy, such as security testing and peer review, to mitigate the risk of bugs creeping into production.
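
The anonymization step from the first bullet can be sketched as reversible pseudonymization applied to a prompt before it leaves the organization. This is an added example, not code from the original post or from ESET; the `Pseudonymizer` class, the pattern list and the sample prompt are all constructed for illustration.

```python
import re

# Constructed patterns for illustration only. A real deployment would tune
# these to its own data classes (customer IDs, hostnames, source secrets).
# Order is priority: earlier patterns win when two matches overlap.
PATTERNS = [
    ("SECRET", re.compile(r"\b(?:api[_-]?key|token|password)\s*[=:]\s*(\S+)", re.I)),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("IPV4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]

# Constructed sample prompt; none of these values are real.
SAMPLE_PROMPT = (
    "Debug this: user jan.novak@example.com cannot log in from 10.20.30.40, "
    "config has api_key=sk_test_CONSTRUCTED123 and jan.novak@example.com is admin."
)


class Pseudonymizer:
    """Swap sensitive values for stable placeholders and restore them later.

    The value-to-placeholder mapping stays in this process; only the
    redacted text is meant to be sent to the external model.
    """

    def __init__(self):
        self.by_value = {}   # original value -> placeholder
        self.by_token = {}   # placeholder -> original value
        self.counters = {}   # label -> last number issued

    def token_for(self, label, value):
        # The same value always maps to the same placeholder, so the model
        # can still reason about "the same user" or "the same host".
        if value not in self.by_value:
            n = self.counters.get(label, 0) + 1
            self.counters[label] = n
            token = f"<{label}_{n}>"
            self.by_value[value] = token
            self.by_token[token] = value
        return self.by_value[value]

    def redact(self, text):
        spans = []
        for priority, (label, rx) in enumerate(PATTERNS):
            for m in rx.finditer(text):
                # If the pattern has a capture group, redact only the group
                # (the secret itself, not the "api_key=" prefix).
                g = 1 if rx.groups else 0
                spans.append((m.start(g), m.end(g), priority, label))
        spans.sort(key=lambda s: (s[0], s[2]))

        out, pos = [], 0
        for start, end, _, label in spans:
            if start < pos:
                continue  # overlaps a span that was already replaced
            out.append(text[pos:start])
            out.append(self.token_for(label, text[start:end]))
            pos = end
        out.append(text[pos:])
        return "".join(out)

    def restore(self, text):
        # Placeholders this instance never issued are left untouched.
        return re.sub(
            r"<[A-Z0-9]+_\d+>",
            lambda m: self.by_token.get(m.group(0), m.group(0)),
            text,
        )


if __name__ == "__main__":
    p = Pseudonymizer()
    print(p.redact(SAMPLE_PROMPT))
    print(p.restore("Rotate <SECRET_1> and unlock <EMAIL_1>."))
```

Pattern-based redaction only catches what the patterns describe, so it complements rather than replaces a policy on what may be pasted into an external tool.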

The good news is there’s no need to reinvent the wheel. Most of the above are tried-and-tested best practice security tips. They may need updating/tweaking for the AI world, but the underlying logic should be familiar to most security teams.

About ESET

For more than 30 years, ESET® has been developing industry-leading IT security software and services to protect businesses, critical infrastructure, and consumers worldwide from increasingly sophisticated digital threats. From endpoint and mobile security to endpoint detection and response, as well as encryption and multifactor authentication, ESET’s high-performing, easy-to-use solutions unobtrusively protect and monitor 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company that enables the safe use of technology. This is backed by ESET’s R&D centers worldwide, working in support of our shared future. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and Twitter (X).

ESET Research announces comprehensive report on Latin America’s threat landscape titled ‘Looking into TUT’s tomb: The universe of threats in LATAM’

Posted in Commentary with tags on October 17, 2023 by itnerd

ESET Research announced today the release of the report “Looking into TUT’s tomb: The universe of threats in LATAM,” which analyzes more than a dozen operations and various cybercriminal campaigns in Latin America. With evolving targeting strategies and techniques, these campaigns exhibit a high level of sophistication, specifically tailoring their approaches to exploit enterprise users, including government sectors. The predominant method of compromising victims is through phishing emails that deliver multiple malicious components.

In the paper, ESET Research looks back at various publicly documented campaigns targeting the LATAM region between 2019 and 2023; the vast majority of the detections surrounding these cybercriminal activities are in Latin America and are not associated with global crimeware. Since each of these operations has its own unique traits, and they don’t appear to be linked to a single threat actor, it’s highly likely that multiple actors are at play.

ESET analysis revealed a notable shift from simplistic, opportunistic crimeware to more complex threats. Notably, researchers have observed a transition in targeting, moving from a focus on the general public to high-profile users, including businesses and governmental entities. These threat actors continually update their tools, introducing different evasion techniques to increase the success of their campaigns. Furthermore, while the LATAM region contains the vast majority of victims, in some cases we have seen an expansion of these campaigns targeting countries outside the region, with the actors taking their crimeware business beyond Latin America and mirroring the pattern seen in banking trojans born in Brazil.

The precision and specificity observed in these attacks point to a high level of targeting, indicating that the threat actors have detailed knowledge about their intended victims. In these campaigns, attackers utilize malicious components like downloaders and droppers, mostly created in PowerShell and VBS. Regarding the tools used in these malicious operations in Latin America, ESET observations indicate a preference for remote access trojans.

For more technical information about “Operation King TUT: The universe of threats in LATAM,” read the blog post on WeLiveSecurity. 

Guest Post: ESET Research analyzes Spacecolon toolset, spreading ransomware across the world and stealing sensitive data

Posted in Commentary with tags on August 22, 2023 by itnerd

ESET Research has released its analysis of Spacecolon, a small toolset used to deploy variants of Scarab ransomware to victims all over the world. It likely penetrates victim organizations through operators compromising vulnerable web servers or via brute forcing RDP credentials. Several Spacecolon builds contain many Turkish strings; therefore, ESET believes it is written by a Turkish-speaking developer. ESET was able to track the origins of Spacecolon back to at least May 2020, and its campaigns are ongoing. ESET named Spacecolon’s operators CosmicBeetle to represent the link to “space” and “scarab.” 

Spacecolon incidents identified by ESET telemetry encompass the globe, with high prevalence in European Union countries, such as Spain, France, Belgium, Poland and Hungary; elsewhere, ESET has detected high prevalence in Turkey and Mexico. CosmicBeetle appears to be preparing the distribution of new ransomware — ScRansom. Post-compromise, along with installing ransomware, Spacecolon offers a large variety of third-party tools that allow the attackers to disable security products, extract sensitive information and gain further access.

“We have not observed any pattern to Spacecolon’s victims besides them being vulnerable to the initial access methods employed by CosmicBeetle. Neither have we found any pattern among the targets’ areas of focus or size. However, to name a few (by type and geography), we have observed Spacecolon at a hospital and tourist resort in Thailand, an insurance company in Israel, a local governmental institution in Poland, an entertainment provider in Brazil, an environmental company in Turkey and a school in Mexico,” says ESET researcher Jakub Souček, author of the analysis.

CosmicBeetle probably compromises web servers vulnerable to the ZeroLogon vulnerability or those with RDP credentials that it is able to brute force. Additionally, Spacecolon can provide backdoor access for its operators. CosmicBeetle doesn’t make any considerable effort to hide its malware and leaves plenty of artifacts on compromised systems. 

After CosmicBeetle compromises a vulnerable web server, it deploys ScHackTool. ScHackTool is the main Spacecolon component that CosmicBeetle uses. It relies heavily on its GUI and active participation of its operators; it allows them to orchestrate the attack, downloading and executing additional tools to the compromised machine on demand as they see fit. If the target is deemed valuable, CosmicBeetle can deploy ScInstaller and use it to install ScService, which provides further remote access.

The final payload CosmicBeetle deploys is a variant of Scarab ransomware. This variant internally deploys a ClipBanker, a type of malware that monitors the content of the clipboard and changes content that it deems likely to be a cryptocurrency wallet address to an attacker-controlled address.

Furthermore, a new ransomware family is being developed, with samples being uploaded to VirusTotal from Turkey. ESET Research believes with high confidence that it is written by the same developers as Spacecolon, and ESET has named it ScRansom. ScRansom attempts to encrypt all hard, removable and remote drives. ESET has not observed this ransomware being deployed in the wild, and it appears to still be in a development stage.

For more technical information about Spacecolon and CosmicBeetle, check out the blogpost “Scarabs colon-izing vulnerable servers” on WeLiveSecurity.

Distribution of Spacecolon victims

The Latest ESET Threat Report Has Been Released

Posted in Commentary with tags on July 11, 2023 by itnerd

ESET, the industry-leading cybersecurity software company, has released their latest Threat Report, which summarizes threat landscape trends seen in ESET telemetry from December 2022 through May 2023.

Here are a few highlights:

  • The H1 2023 ESET Threat Report highlights the remarkable adaptability of cybercriminals: through exploiting vulnerabilities, gaining unauthorized access, compromising sensitive information, or defrauding individuals.
  • Attackers developed new methods to attempt to bypass Microsoft security measures, including using weaponized OneNote files instead of Office macros. ESET researchers observed the comeback of so-called sextortion scam emails and an alarming growth of deceptive Android loan apps.
  • ESET telemetry data also suggests that operators of the Emotet botnet have struggled to adapt, possibly indicating that a different group acquired the botnet.
  • Leaked source code of ransomware families such as Babyk, LockBit, and Conti has been increasingly used in the development of new ransomware variants in H1 2023.
  • The H1 2023 Threat Report covers December 2022 through May 2023, transitioning from a triannual to a semiannual release schedule.

The full report can be found here: https://www.welivesecurity.com/2023/07/11/eset-threat-report-h1-2023/

ESET Research deconstructs Asylum Ambuscade: group focused on cybercrime, cyberespionage and attacking countries bordering Ukraine

Posted in Commentary with tags on June 9, 2023 by itnerd

Today, ESET Research released its analysis of Asylum Ambuscade, a cybercrime group that has been performing cyberespionage operations on the side. The group has been running cyberespionage campaigns since at least 2020. ESET found previous compromises of government officials and employees of state-owned companies in Central Asian countries and Armenia. In 2022 the group reportedly targeted government officials in several European countries bordering Ukraine. ESET Research assesses that the goal of the attackers was to steal confidential information and webmail credentials from official government webmail portals. Asylum Ambuscade usually targets small- and medium-sized businesses (SMBs) and individuals in North America and Europe. 

In 2022, when the group targeted government officials in several European countries bordering Ukraine, the compromise chain started with a spearphishing email containing a malicious Excel spreadsheet or Word document attachment. If the machine was deemed interesting, the attackers eventually deployed AHKBOT, a downloader that can be extended with plugins to spy on the victim’s machine. These plugins provide various capabilities, including taking screenshots, recording keystrokes, stealing passwords from web browsers, downloading files and executing an infostealer.

Even though the group entered the spotlight because of its cyberespionage operations, it has mostly run cybercrime campaigns since early 2020. Since January 2022, ESET Research has counted more than 4,500 victims worldwide. While most of these are located in North America, it should be noted that we have also seen victims in Asia, Africa, Europe and South America. Targeting is very wide and mainly includes individuals, cryptocurrency traders, bank customers, and SMBs in various verticals.

For more technical information about Asylum Ambuscade, check out the blogpost “Asylum Ambuscade – A curious case of a threat actor at the border between crimeware and cyberespionage” on WeLiveSecurity.

Mária Trnková named Chief Marketing Officer Of ESET

Posted in Commentary with tags on June 1, 2023 by itnerd

ESET, a global leader in cybersecurity, is proud to announce the establishment of its new Marketing, Communication, and Digital Business division, appointing Mária Trnková as Chief Marketing Officer. This strategic move, effective June 1, 2023, reflects ESET’s commitment to innovation, enhancing partner and customer experiences, and strengthening its brand presence in the market.

Mária Trnková, previously Vice President for the Consumer and IoT Segment at ESET, brings on board experience with the creation and implementation of an effective data-driven strategy. Mária started her career at ESET in the autumn of 2016. Her journey began as the EMEA Territory Marketing Manager, where she collaborated closely with regional teams to shape effective marketing strategies. During her six-year tenure, Mária showcased exceptional leadership skills, progressively taking on more responsibility and driving impactful results. When she stepped into the position of Segment VP in October 2019, she moved into a role with interfaces across the entire organization. She also worked closely with the company’s management to ensure Consumer and IoT segment strategy definition and effective implementation.

In her new role as Chief Marketing Officer, Mária will spearhead the newly formed Marketing, Communication, and Digital Business division. This strategic division will enhance ESET’s marketing support across segments, fortify its brand position, and foster innovation through closer collaboration with technology and Environmental, Social, and Governance (ESG) teams. The key enabler for successful marketing implementation will be close cooperation with regional and local branches, ensuring delivery of the utmost value to customers.

Guest Post: ESET Research Reveals New Analysis Of AceCryptor: Used By Crimeware, It Hits Computers 10,000 Times Every Month

Posted in Commentary with tags on May 25, 2023 by itnerd

ESET researchers revealed today details about a prevalent cryptor malware, AceCryptor, which operates as a cryptor-as-a-service used by tens of malware families. This threat has been around since 2016, and has been distributed worldwide, with multiple threat actors actively using it to spread packed malware in their campaigns. During 2021 and 2022, ESET telemetry detected over 240,000 detection hits of this malware, which amounts to over 10,000 hits every month. It is likely sold on dark web or underground forums, and tens of different malware families have used the services of this malware. Many rely on this cryptor as their main protection against static detections.

“For malware authors, protecting their creations against detection is challenging. Cryptors are the first layer of defense for malware that gets distributed. Even though threat actors can create and maintain their own custom cryptors, for crimeware threat actors, it often may be time-consuming or technically difficult to maintain their cryptor in a fully undetectable state. Demand for such protection has created multiple cryptor-as-a-service options that pack malware,” says ESET researcher Jakub Kaloč, who analyzed AceCryptor.

Among the malware families found that used AceCryptor, one of the most prevalent was RedLine Stealer – malware available for purchase on underground forums and used to steal credit card credentials and other sensitive data, upload and download files, and even steal cryptocurrency. RedLine Stealer was first seen in Q1 2022; distributors have used AceCryptor since then, and continue to do so. “Thus, being able to reliably detect AceCryptor not only helps us with visibility into new emerging threats, but also with monitoring the activities of threat actors,” explains Kaloč.

During 2021 and 2022, ESET protected more than 80,000 customers affected by malware packed by AceCryptor. Altogether, there have been 240,000 detections, including the same sample detected at multiple computers, and one computer being protected multiple times by ESET software. AceCryptor is heavily obfuscated and has incorporated many techniques to avoid detection throughout the years.

“Even though we don’t know the exact pricing of this service, with this number of detections, we assume that the gains to the AceCryptor authors aren’t negligible,” theorizes Kaloč.

Because AceCryptor is used by multiple threat actors, malware packed by it is distributed in multiple ways. According to ESET telemetry, devices were exposed to AceCryptor-packed malware mainly via trojanized installers of pirated software, or spam emails containing malicious attachments. Another way someone may be exposed is via other malware that downloaded new malware protected by AceCryptor. An example is the Amadey botnet, which we have observed downloading an AceCryptor-packed RedLine Stealer.

Since many threat actors use the malware, anyone can be affected. Because of the diversity of packed malware, it is difficult to estimate how severe the consequences are for a compromised victim. AceCryptor may have been dropped by other malware, already running on a victim’s machine, or, if the victim got directly afflicted by, for example, opening a malicious email attachment, any malware inside might have downloaded additional malware; thus, many malware families may be present simultaneously.

AceCryptor has multiple variants and currently uses a multistage, three-layer architecture.

Even though attribution of AceCryptor to a particular threat actor is not possible for now, ESET Research expects that AceCryptor will continue to be widely used. Closer monitoring will help prevent and discover new campaigns of malware families packed with this cryptor.

For more technical information about AceCryptor, check out the blogpost “Shedding light on AceCryptor and its operation” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

ESET Researchers Discover A Novel Attack Vector Involving Play Store Apps That Start Out Good And Then Go Bad

Posted in Commentary with tags on May 23, 2023 by itnerd

Earn their trust, then attack.

ESET researchers discovered a perfectly safe Android app that had been available on the Google Play store with over 50,000 installs that only went bad in version 1.3.8.  This approach could work with any software.

In this case the iRecorder app was working perfectly for an entire year before the clean version was updated with malicious spyware code.

Apparently it’s very rare for a developer to upload a legitimate app, have it operate perfectly for almost a year, and then provide an update with malicious code. In this case, the code added was a customized version of the open-source AhMyth Android RAT that researchers have named AhRat.

From the research:

“Aside from providing legitimate screen recording functionality, the malicious iRecorder can record surrounding audio from the device’s microphone and upload it to the attacker’s command and control (C&C) server. It can also exfiltrate files with extensions representing saved web pages, images, audio, video, and document files, and file formats used for compressing multiple files, from the device. The app’s specific malicious behavior – exfiltrating microphone recordings and stealing files with specific extensions – tends to suggest that it is part of an espionage campaign.”

Ted Miracco, CEO, Approov Mobile Security had this to say:

   “The AhMyth Android RAT (Remote Access Trojan) specifically targets Android devices, and allows attackers to spy on victims and collect sensitive information such as call logs, text messages, GPS location, contacts, record audio and take screenshots. Cases like this where a ‘legitimate’ app developer inserts malware are not as uncommon as you may think, especially with “free” utilities where the user’s data is essentially the product deliverable. Even reputable mobile security apps tend to make a land grab when it comes to requesting permissions on devices for information that is certainly unnecessary for the proper functioning of the mobile app.

   “While more and more Android devices are supporting a feature called “Play Protect” (formerly “SafetyNet”) that can make sure apps are free of potential malware, in this case it would prove absolutely ineffective as the malware was added by the developer that is setting up the attestation criteria. In cases like these end-users need to be vigilant in making sure the permissions are commensurate with the requirements of the app and be cautious of apps from unofficial app stores. It is also important to avoid rooting (Android) or jailbreaking (iOS) devices as these processes will further weaken the device’s security and make it more vulnerable to malware attacks.”


Roy Akerman, Co-Founder & CEO, Rezonate followed up with this:

   “In many cases, a legitimate action may turn out to be of malicious intent. In this case a mobile application was delivering on its promise but easily turned malicious after trust was achieved. The same could be said of rogue employees, once they gain systems access, and could apply to most any software whether on mobile or desktop.

   “Being stealthy can be accomplished by hiding below detection radars with low and slow attacks, hidden with benign traffic, or the exact opposite and fully open as a legitimate application. This is why continuous monitoring and behavioral pattern monitoring of usage and code is mandatory to defend against this risk.”

This reinforces the fact that downloading apps is sometimes a risky business. Thus I would recommend that both individuals and companies take steps to make sure that they are not a victim of this attack vector. For individuals, that can mean practising safe computing habits. For businesses it can mean restricting what one can or cannot download onto devices. Those at the very least would limit the exposure to this.

ESET APT Activity Report For Q4 Is Out

Posted in Commentary with tags on May 10, 2023 by itnerd

ESET has released its APT Activity Report, which summarizes the activities of selected advanced persistent threat (APT) groups that were observed, investigated, and analyzed by ESET researchers from October 2022 until the end of March 2023. The report is being published on a semi-annual basis. During this period, several China-aligned threat actors such as Ke3chang and Mustang Panda focused on European organizations. In Israel, Iran-aligned group OilRig deployed a new custom backdoor. North Korea-aligned groups continued to focus on South Korean and South Korea-related entities. Russia-aligned APT groups were especially active in Ukraine and EU countries, with Sandworm deploying wipers.

Malicious activities described in the ESET APT Activity Report are detected by ESET technology. “ESET products protect our customers’ systems from the malicious activities described in this report. The intelligence shared here is based mostly on proprietary ESET telemetry data and has been verified by ESET researchers,” says Director of ESET Threat Research Jean-Ian Boutin.

China-aligned Ke3chang employed tactics such as the deployment of a new Ketrican variant, and Mustang Panda used two new backdoors. MirrorFace targeted Japan and implemented new malware delivery approaches, while Operation ChattyGoblin compromised a gambling company in the Philippines by targeting its support agents. India-aligned groups SideWinder and Donot Team continued to target governmental institutions in South Asia with the former targeting the education sector in China, and the latter continuing to develop its infamous yty framework, but also deploying the commercially available Remcos RAT. Also in South Asia, ESET Research detected a high number of Zimbra webmail phishing attempts. 

In addition to targeting the employees of a defense contractor in Poland with a fake Boeing-themed job offer, North Korea-aligned group Lazarus also shifted its focus from its usual target verticals to a data management company in India, utilizing an Accenture-themed lure. ESET also identified a piece of Linux malware being leveraged in one of their campaigns. Similarities with this newly discovered malware corroborate the theory that the infamous North Korea–aligned group is behind the 3CX supply-chain attack.

Russia-aligned APT groups were especially active in Ukraine and EU countries, with Sandworm deploying wipers (including a new one ESET calls SwiftSlicer), and Gamaredon, Sednit, and the Dukes utilizing spearphishing emails that, in the case of the Dukes, led to the execution of a red team implant known as Brute Ratel. Finally, ESET detected that the previously mentioned Zimbra email platform was also exploited by Winter Vivern, a group particularly active in Europe, and researchers noted a significant drop in the activity of SturgeonPhisher, a group targeting government staff of Central Asian countries with spearphishing emails, leading to our belief that the group is currently retooling.

For more technical information, check the full “ESET APT Activity Report” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

ESET APT Activity Reports contain only a fraction of the cybersecurity intelligence data provided to customers of ESET’s private APT reports. ESET researchers prepare in-depth technical reports and frequent activity updates detailing activities of specific APT groups in the form of ESET APT Reports PREMIUM to help organizations tasked with protecting citizens, critical national infrastructure, and high-value assets from criminal and nation-state-directed cyberattacks. Comprehensive descriptions of activities described in this document were therefore previously provided exclusively to our premium customers. More information about ESET APT Reports PREMIUM that deliver high-quality strategic, actionable, and tactical cybersecurity threat intelligence is available at the ESET Threat Intelligence page.