Tag Archive for: code

Malware Taps Generative AI to Rewrite Code, Avoid Detection

/in


Artificial Intelligence & Machine Learning
,
Cybercrime
,
Events

Mikko Hypponen Talks GPT-Enhanced Malware, Russian Cyber Operations and More

Mathew J. Schwartz (euroinfosec) •
May 5, 2023    

Mikko Hyppönen, chief research officer, WithSecure

Finnish cybersecurity expert Mikko Hyppönen recently received an email he wasn’t expecting: A malware developer sent him a copy of “LL Morpher,” a brand-new virus he’d written, which uses OpenAI’s GPT large language models.

See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources


“It’s the first malware we’ve ever seen which uses GPT to rewrite its code,” said Hyppönen, who’s chief research officer at WithSecure, of the worm, which is written in Python and designed to infect Python files on a victim’s system. Instead of copying its functions into the infected file, the malware uses an API key to call GPT and give it English-language instructions about the malicious functionality it wants to be created.


“It calls GPT to write the code for it, which means every time it’s different, and it will be trivial to modify to write it in any other language,” Hyppönen said. “The whole AI thing right now feels exciting and scary at the same time.”


Thus far, this piece of malware is more proof-of-concept than actual threat, in that it’s available via GitHub, and for now could be contained by blocking the API key. Even so, Hyppönen says it should…

Source…

Security experts are using malware’s own code to protect potential victims

/in


Hacking the hackers: Gootloader is a long-running cyber-criminal operation based on an “initial access-as-a-service” model: the gang behind the malware infects organizations. Then it sells access to “customers” looking for an entry point to go deeper into the victim’s network. To successfully thwart the operation, researchers fought fire to with fire.

The Gootloader malware originated from the Gootkit banking trojan, which has been active against European targets since 2010. The malicious operation allows third-party criminals to put their malware (especially ransomware) into a compromised network. The gang behind it has been particularly successful over the past several years.

Security researchers at eSentire have tracked recent Gootloader activities and are now explaining how it works and what’s needed to fight it. The Gootloader operation uses SEO poisoning techniques, luring potential victims to an “enormous array” of compromised WordPress blogs.

The operation is tailored to exploit victims more inclined to pay a ransom to get their data back. The blogs are populated with bait content, including links to malicious documents, templates, and other generic forms. When the target clicks these links, they unintentionally infect Windows with the main Gootloader malware.

Gootloader’s most common victims are professionals working for law firms and corporate legal departments. The analysts explain that bad actors use blog posts about legal agreements and contracts to lure people in those positions into downloading their malicious code. Legal professionals have essentially been the primary target of the Gootloader gang for the past 15 months, with 12 different organizations targeted between January and March 2023.

The eSentire researchers created a specialized web crawler to keep track of Gootloader-related web pages and previously infected sites. They found around 178,000 live Gootloader pages and another 100,000+ previously infected sites. The researchers collected evidence that links Gootloader to the infamous Russian REvil gang, which regularly partnered with the malware’s network between 2019 and 2020 to infect, encrypt, and scam compromised organizations.

Source…

Welcome to open source, Elon. Your Twitter code just got a CVE for shadow ban bug • The Register

/in


The chunk of internal source code Twitter released the other week contains a “shadow ban” vulnerability serious enough to earn its own CVE, as it can be exploited to bury someone’s account of sight “without recourse.”

The issue was discovered by Federico Andres Lois while reviewing the tweet recommendation engine that’s said to power Twitter’s For You timeline. This system was made public by Twitter on March 31, adding to the libraries of open source software it already released over years, long before Elon Musk took over.

That recommendation engine, we’d like to quickly note, seems more of a curiosity than anything else: while it shows what kinds of tweets and engagement are deemed important or harmful to Twitter, we’re not sure there’s enough there to do anything terribly practical with it, in terms of building your own social network or offering to improve Elon’s. It’s more marketing sauce than open source.

According to Lois’s study of the engine bug he found, coordinated efforts to unfollow, mute, block and/or report a targeted user applies global reputation penalties to the account that are practically impossible to overcome based on how Twitter’s recommendation algorithm treats negative actions. 

As a result, Lois said, Twitter’s current recommendation algorithm “allows for coordinated hurting of account reputation without recourse.” Mitre has assigned CVE-2023-23218 to the issue.

Because this bug is in Twitter’s recommendation algorithm, it means that accounts that have been subject to mass blocking are essentially “shadow-banned,” and won’t show up in recommendations despite the user being unaware they’ve been penalized. There seems to be no way to correct that kind of action, and it ideally shouldn’t be possible to game the system in this way, but it is.

Lois pointed to several examples of Twitter users encouraging mass follows and unfollows, blocking and other actions that have disproportionately negative weight on targeted accounts as examples that the behavior is being exploited in the wild. Lois also said apps such as Block Party, which allow Twitter users to mass-filter accounts, are formalized tools that – whether intentional or not – end up having…

Source…

Exploit Code Released for Critical Fortinet RCE Bug

/in


Researchers have released details for how to exploit a critical remote code execution (RCE) bug in Fortinet’s FortiNAC product, which allows an unauthenticated attacker to write arbitrary files on the system and achieve RCE as a root user.

Organizations use FortiNAC as a network access control solution to oversee and secure all digital assets connected to the enterprise network. The product can be used to manage a range of devices, including: corporate endpoints, Internet of Things (IoT), operational technology and industrial control systems (OT/ICS), and connected medical devices (IoMT), among others. The idea is to provide visibility, control, and automated response for everything that connects to the network, and as such, the device offers a golden opportunity for attackers to pivot and move deep into networks, enumerate environments, steal sensitive information, and more.

Researchers at Horizon3.ai released a blog post with a technical analysis of and proof of concept (POC) exploit for the vulnerability, tracked as CVE-2022-39952, and revealed and patched by Fortinet last week. They subsequently released the exploit code on GitHub.

Fortinet’s Gwendal Guégniaud discovered the vulnerability, which earned a critical rating of 9.8 on the CVSS vulnerability-severity scale. The bug allows attackers to take external control of a file name or path vulnerability in the FortiNAC Web server, Fortinet said in its advisory, thus allowing unauthenticated arbitrary writes on the system.

Fortinet has patched in its affected product versions, with customers urged to update to FortiNAC version 9.4.1 or above, FortiNAC version 9.2.6 or above, FortiNAC version 9.1.8, or FortiNAC version 7.2.0 or above.

How to Exploit the Fortinet FortiNAC Flaw

While there are several ways for attackers to obtain RCE by exploiting arbitrary file write flaws, the researchers wrote what’s called a “cron job to /etc/cron.d/” to take advantage of the vulnerability, they said.

The researchers extracted filesystems from both the vulnerable and patched versions of the product to examine the flaw, finding that Fortinet removed an offending file called /bsc/campusMgr/ui/ROOT/configWizard/keyUpload.jsp in the update that…

Source…