Welcome to this week’s edition of the Threat Source newsletter.
I didn’t attend the RSA Conference in person, and on top of that, I was at the NFL Draft while the conference was going on. I’m behind on the biggest talks, panels and presentations that came out during the annual security conference, so I’ve spent the past few days catching up on what seems like the major talking points last week in San Francisco.
Unsurprisingly, it seems like AI was brought up anywhere and everywhere. It’s all tech executives are asked about currently and shareholders seem to want to know what X Company is doing to keep up with AI tools like ChatGPT.
Former Cisco CEO John Chambers said that he believes AI will be bigger than the internet and cloud combined "in every aspect of defense.”
“If somebody could get AI and cybersecurity together uniquely, that gets exciting,” he said during an interview with theCUBE on the conference floor.
Longtime RSA panelist Adi Shamir, who said at least year’s conference that he wasn’t overly concerned about AI’s effects on cybersecurity, did a 180 and instead started sounding alarms.
"I now believe that the ability of ChatGPT to produce perfect English, to interact with people, is going to be misused on a massive scale,” Shamir said in a panel with other major cryptographers. He also said these tools will "have a major impact on social engineering."
This attitude matches how many people are feeling right now regarding AI. Several major tech executives are warning against unregulated AI tools and bots, and leaders from the G7 nations adopted a new agreement that their countries would take a “risk-based” approach to regulating AI.
Outside of AI, the other thing that stood out to me from RSA was a new level of transparency from the U.S. government regarding how it approaches fending off cyber attacks and cybercrime. At a joint panel at RSA, the U.S. Department of Homeland Security and Cybersecurity and Infrastructure Security Agency (CISA) disclosed a previously unknown defense of an Iranian state-sponsored actor infiltrating a local government elections’ page. The officials speaking at the conference said the U.S. government disrupted the attack before any votes were tallied or reported.
Several high-profile cybersecurity officials in the Biden administration appeared to show a united front against cybercrime, urging the importance of disrupting dark web forums and websites over trying to arrest the humans behind these sites.
The one big thing
The use of web shells is rising in cyber attacks, according to new data from Cisco Talos Incident Response. The latest Talos IR Quarterly Report found that web shells were the most-observed threat in the first quarter of 2023, comprising nearly a fourth of the incidents Talos IR engaged in. Ransomware made up a smaller portion of threats observed this quarter than in the past, from 20% to around 10%. However, Talos does not believe that data is reflective of the current threat landscape and is instead lower simply because several Talos IR ransomware engagements began in Q1 but did not close.
Why do I care?
These Talos IR reports are always a great way to see what tactics, techniques and procedures (TTPs) attackers are actively using in the wild. The types, and volume of, web shells Talos IR saw last quarter highlight the skills actors have in combining multiple means of access and tools and increase the likelihood that they will be able to deploy additional malware or obtain sensitive and private information.
So now what?
The lack of multi-factor authentication (MFA) remains one of the biggest impediments for enterprise security. Nearly 30 percent of engagements involved organizations that either had no MFA or only had it enabled on a handful of accounts and critical services. Talos IR frequently observes ransomware and phishing incidents that could have been prevented if MFA had been properly enabled on critical services, such as endpoint detection response (EDR) solutions or VPNs. To help minimize initial access vectors, Talos IR recommends disabling VPN access for all accounts that are not using MFA.
Top security headlines of the week
Meta says it flagged more than 1,000 domains since March that were spreading ChatGPT-themed tools and offers actually containing malware. A new quarterly security report from Facebook and Instagram’s parent company said it found at least 10 malware families on its platforms posing as ChatGPT and other similar tools to compromise user accounts. Many of these threats are fake browser extensions that claim to act like ChatGPT for users but instead steal sensitive information like login credentials, banking information and other user data. Meta Chief Information Security Officer Guy Rosen said at a press conference that "ChatGPT is the new crypto” for bad actors. (Axios, Reuters)
A federal judge this week gave Google permission to take down current and future domains associated with the CryptBot information-stealer malware. It's estimated that CryptBot has infected more than 670,000 users over the past year, stealing victims’ Google Chrome browser data and other sensitive information. With the court order, Google can identify the network providers whose services directly and indirectly make the malware’s distribution possible and allows the company to directly block traffic and disrupt other servers the malware’s actors could shift to. CryptBot is known for stealing login information and personally identifiable information (PII) that is then turned around and sold to other threat actors to carry out larger data breaches. (Decipher, SC Media)
A critical vulnerability in the popular Illumina DNA sequencing devices could allow adversaries to modify or steal patients’ sensitive medical data. A new warning from U.S. CISA states that the vulnerability, which has a maximum 10 out of 10 severity rating, allows attackers to remotely access an affected device over the internet without needing a password. “Successful exploitation of these vulnerabilities could allow an attacker to take any action at the operating system level,” according to CISA’s advisory. Illumina’s technology allows researchers and scientists to determine the order of certain DNA sequences, which is useful in researching disease and certain health conditions. (TechCrunch, CISA)
Can’t get enough Talos?
- Talos IR On Air: Reviewing Q1's top threats
- Video: State-sponsored campaigns target global network infrastructure
- Talos Takes Ep. #136: Analyzing the recent takedown of popular dark web forums
Upcoming events where you can find Talos
BSidesFortWayne (May 20)
Fort Wayne, IN
Cisco Live U.S. (June 4 - 8)
Las Vegas, NV
Most prevalent malware files from Talos telemetry over the past week
SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
MD5: a087b2e6ec57b08c0d0750c60f96a74c
Typical Filename: AAct.ex
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa
MD5: df11b3105df8d7c70e7b501e210e3cc3
Typical Filename: DOC001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
SHA 256: 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725
MD5: d47fa115154927113b05bd3c8a308201
Typical Filename: mssqlsrv.exe
Claimed Product: N/A
Detection Name: Trojan.GenericKD.65065311