Toggle light / dark theme

The fourth group is Curium, an Iranian group that has used LLMs to generate phishing emails and code to evade antivirus detection. Chinese state-affiliated hackers have also used LLMs for research, scripting, translations, and refining their tools.

Fight AI with AI

Microsoft and OpenAI say they have not detected any significant attacks using LLMs yet, but they have been shutting down all accounts and assets associated with these groups. “At the same time, we feel this is important research to publish to expose early-stage, incremental moves that we observe well-known threat actors attempting, and share information on how we are blocking and countering them with the defender community,” says Microsoft.

This post is also available in: he עברית (Hebrew)

HP Wolf Security’s latest threat insights disclosure put a spotlight on DarkGate – a group of web-based criminals using legal advertising tools to enhance their spam-based malware attacks.

The security report claims DarkGate has been operating as a malware provider since 2018, with an apparent shift in tactics last year of using legitimate advertisement networks “to track victims and evade detection.” The claims are that by using ad services, threat actors can analyze which lures generate clicks and infect the most users – helping them refine campaigns for maximum impact.

The threat actors behind the PikaBot malware have made significant changes to the malware in what has been described as a case of “devolution.”

“Although it appears to be in a new development cycle and testing phase, the developers have reduced the complexity of the code by removing advanced obfuscation techniques and changing the network communications,” Zscaler ThreatLabz researcher Nikolaos Pantazopoulos said.

PikaBot, first documented by the cybersecurity firm in May 2023, is a malware loader and a backdoor that can execute commands and inject payloads from a command-and-control (C2) server as well as allow the attacker to control the infected host.

A multinational company was scammed out of $25.6 million by hackers who fooled employees at the company’s Hong Kong branch into believing their digital recreation of its chief financial officer — as well as several other video conference participants — were real.

The hack, believed to be the first of its kind, highlights just how far deepfake technology has progressed.

As the South China Morning Post reports, scammers are believed to have used publicly available footage to create deepfake representations of the staff. Some of the fake video calls apparently only had a single human on the line, with the rest being deepfakes created by the hackers.

The operators of Raspberry Robin are now using two new one-day exploits to achieve local privilege escalation, even as the malware continues to be refined and improved to make it stealthier than before.

This means that “Raspberry Robin has access to an exploit seller or its authors develop the exploits themselves in a short period of time,” Check Point said in a report this week.

Raspberry Robin (aka QNAP worm), first documented in 2021, is an evasive malware family that’s known to act as one of the top initial access facilitators for other malicious payloads, including ransomware.

Linux developers are in the process of patching a high-severity vulnerability that, in certain cases, allows the installation of malware that runs at the firmware level, giving infections access to the deepest parts of a device where they’re hard to detect or remove.

The vulnerability resides in shim, which in the context of Linux is a small component that runs in the firmware early in the boot process before the operating system has started. More specifically, the shim accompanying virtually all Linux distributions plays a crucial role in secure boot, a protection built into most modern computing devices to ensure every link in the boot process comes from a verified, trusted supplier. Successful exploitation of the vulnerability allows attackers to neutralize this mechanism by executing malicious firmware at the earliest stages of the boot process before the Unified Extensible Firmware Interface firmware has loaded and handed off control to the operating system.

The vulnerability, tracked as CVE-2023–40547, is what’s known as a buffer overflow, a coding bug that allows attackers to execute code of their choice. It resides in a part of the shim that processes booting up from a central server on a network using the same HTTP that the Internet is based on. Attackers can exploit the code-execution vulnerability in various scenarios, virtually all following some form of successful compromise of either the targeted device or the server or network the device boots from.