Ransomware/Malware Activity
OpenAI Reports on Threat Actors using ChatGPT to Advance Cyber Attacks
OpenAI recently released an October 2024 report, “Influence and cyber operations: an update”, which the company publishes as a form of transparency reporting on its efforts to identify, prevent, and disrupt attempts to abuse its models for harmful ends. The report states that OpenAI has disrupted more than twenty (20) operations and deceptive networks from around the world that maliciously used its Large Language Model (LLM) – ChatGPT – since May 2024. While cybersecurity experts identified campaigns earlier this year that were assessed to have leveraged Generative AI in the creation of malware, this report from OpenAI is the first official confirmation of the practice. Activities outlined in the report include those performed by the threat actors “SweetSpecter”, “CyberAv3ngers”, and “Storm-0817”. SweetSpecter is linked to China and directly targeted OpenAI with spear phishing emails containing the SugarGhost RAT, sent to the personal email addresses of employees. OpenAI discovered that SweetSpecter used ChatGPT for scripting and vulnerability analysis research, asking questions about specific CVE numbers and about using sqlmap to upload web shells, and for debugging code. CyberAv3ngers is a threat actor allegedly associated with the Iranian government and reportedly used ChatGPT to build false credentials in Programmable Logic Controllers (PLCs), develop bash and Python scripts, and obfuscate code. Storm-0817 is also associated with Iran, and OpenAI reports that the group used ChatGPT to create an Instagram scraper and to write and debug custom Android-based malware. OpenAI banned the accounts tied to the malicious activity and threat actors after discovery. CTIX analysts expect the misuse of Generative AI for the advancement of cybersecurity attacks to only become more prevalent. CTIX analysts will continue to report on new and emerging malware and associated campaigns.
Threat Actor Activity
Did INC Ransomware Rebrand to Lynx?
Researchers have reported that the INC ransomware group may have rebranded itself as Lynx following a notable shift in recent activity and tactics over the last three (3) months. While INC was previously known for targeting organizations like Leicester City Council and NHS Scotland, its activity has decreased since Lynx emerged in July 2024. The number of Lynx ransomware samples detected since its emergence has outpaced those of INC ransomware, leading to speculation about a rebranding. This is supported by code analysis, revealing a 70.8% match in shared functions between the two (2) groups, suggesting that Lynx likely repurposed the INC codebase. This practice of code reuse is common among cybercriminals, allowing them to build upon existing frameworks to expedite the development of new attacks. Despite the decline in INC's visibility, recent victim postings on its leak site suggest ongoing activity. Both INC and Lynx maintain clear web presences with similarly designed leak sites, reinforcing the idea of a connection between the two (2). However, Lynx distinguishes itself by claiming to avoid targeting hospitals, governments, and nonprofits, marking a potential shift in operational ethics compared to INC's historical attacks. CTIX will continue to monitor the activity of Lynx, along with other emerging threat actor shifts and trends.
Vulnerabilities
Iranian State Sponsored Threat Actor "OilRig" Exploits Windows Flaw in Cyber Espionage Campaign
The Iranian state-sponsored hacking group OilRig, also known as APT34 or Earth Simnavaz, has escalated its cyber espionage activities, targeting government and critical infrastructure in the UAE and the broader Gulf region. Recent campaigns involve exploiting a now-patched Windows Kernel vulnerability, tracked as CVE-2024-30088, which allows attackers to gain SYSTEM-level privileges. OilRig uses this vulnerability in conjunction with a new backdoor called StealHook, designed to steal credentials through compromised Microsoft Exchange servers and exfiltrate data via legitimate email traffic. The attack chain begins with the exploitation of vulnerable web servers to deploy web shells, enabling remote code execution and the running of PowerShell commands. The group then uses tools like ngrok for stealthy communications and a password filter DLL (psgfilter.dll) to extract plaintext credentials from domain users. These tactics are part of a broader strategy to maintain persistence in compromised networks and to leverage government infrastructure to obfuscate malicious activity. OilRig's link to another Iranian APT group, FOX Kitten, raises concerns about the potential for ransomware attacks, especially given their focus on critical energy sectors in the region, where operational disruptions could have severe impacts. The group's latest tactics suggest an evolution of previous campaigns, building on past malware like PowerExchange and Karkoff while refining methods for credential theft and persistence in high-value targets. CTIX analysts recommend that all users make a concerted effort to ensure that their operating systems are always up-to-date with the latest patches to prevent exploitation of known vulnerabilities.
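As an added, defender-side example that is not part of the CTIX update or any vendor's tooling: a password filter DLL like the psgfilter.dll named above only receives plaintext passwords because it is listed in the LSA "Notification Packages" registry value, so auditing that value against a known-good baseline is one concrete check an administrator or responder can run on domain controllers and other Windows hosts. The script below is constructed for this page; the baseline names (scecli, rassfm), the sample registry value, and the helper names are assumptions, and psgfilter.dll is taken from the reporting above.

```python
"""Audit the LSA "Notification Packages" list for unexpected password filter DLLs.

Added example, not code from the Ankura CTIX update or from any vendor: a
password filter is a DLL named in the REG_MULTI_SZ value
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages. LSA loads
every DLL listed there and hands each one the plaintext password on every
password change, which is the mechanism a malicious filter such as psgfilter.dll
abuses. The input below is a constructed sample of that value; on a live host
the list comes from winreg.QueryValueEx or `reg query`.
"""
from dataclasses import dataclass

# Microsoft's stock entries: scecli on every Windows host, rassfm on domain
# controllers. Add any third-party filter you deploy deliberately to your own
# baseline (assumed baseline for this example).
DEFAULT_BASELINE = frozenset({"scecli", "rassfm"})


@dataclass(frozen=True)
class Finding:
    entry: str   # the value exactly as found in the registry
    reason: str  # why it was flagged


def normalize(entry: str) -> str:
    """Reduce an entry to a comparable base name: strip whitespace, case, and '.dll'."""
    name = entry.strip().lower()
    if name.endswith(".dll"):
        name = name[:-4]
    return name


def parse_multi_sz(raw: str) -> list[str]:
    """Split a REG_MULTI_SZ rendering into entries.

    Accepts NUL-joined text, the literal "\\0" separators printed by
    `reg query`, and one-entry-per-line exports.
    """
    for sep in ("\\0", "\n", "\r"):
        raw = raw.replace(sep, "\0")
    return [part.strip() for part in raw.split("\0") if part.strip()]


def audit_notification_packages(entries, baseline=DEFAULT_BASELINE) -> list[Finding]:
    """Return a Finding for every entry a defender should look at."""
    findings: list[Finding] = []
    seen: set[str] = set()
    for entry in entries:
        name = normalize(entry)
        if not name:
            continue
        if "\\" in name or "/" in name:
            # Stock entries are bare names resolved from System32; an explicit
            # path points LSA at a DLL somewhere else on disk.
            findings.append(Finding(entry, "entry carries a path instead of a bare DLL name"))
            continue
        if name in seen:
            findings.append(Finding(entry, "duplicate entry"))
            continue
        seen.add(name)
        if name not in baseline:
            findings.append(Finding(entry, "not in baseline; LSA will load it and pass it plaintext passwords"))
    return findings


def flagged_names(raw: str, baseline=DEFAULT_BASELINE) -> list[str]:
    """Normalized names of every flagged entry, in registry order."""
    return [normalize(f.entry) for f in audit_notification_packages(parse_multi_sz(raw), baseline)]


# Constructed sample: a domain controller's value with the psgfilter.dll entry
# named in the OilRig reporting appended to the two stock packages.
SAMPLE_VALUE = "rassfm\\0scecli\\0psgfilter"

if __name__ == "__main__":
    for f in audit_notification_packages(parse_multi_sz(SAMPLE_VALUE)):
        print(f"[!] {f.entry}: {f.reason}")
```

On a live host the value can be pulled with `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Notification Packages"` and its output fed to parse_multi_sz; a flagged entry is a lead, not a verdict, so confirm the DLL's publisher, signature and location in System32 before acting, and treat an unexplained filter on a domain controller as a credential-theft indicator.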
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to contact the CTIX Team (ctix@ankura.com) if you need more context.
© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.