Tag Archive for: helped

An AI Chatbot May Have Helped Create This Malware Attack

/in


A hacking group has been spotted possibly using an AI program such as ChatGPT, Google’s Gemini, or Microsoft Copilot to help refine a malware attack. 

Security firm Proofpoint today published a report about the group, dubbed “TA547,” sending phishing emails to businesses in Germany. The emails are designed to deliver the Windows-based Rhadamanthys malware, which has been around for several years. But perhaps the most interesting part of the attack is that it uses a PowerShell script that contains signs it was created with an AI-based large language model (LLM).

Hackers often exploit PowerShell since it’s a powerful tool in Windows that can be abused to automate and execute tasks. In this case, the phishing email contains a password-protected ZIP file, that when opened, will run the hacker-created PowerShell script to decode and install Rhadamanthys malware on the victim’s computer. 

While investigating the attacks, Proofpoint researchers examined the PowerShell script and found “interesting characteristics not commonly observed in code used” by human hackers, the company wrote in a blog post.  

What stuck out was the presence of the pound sign #, which can be used in PowerShell to make single line comments explaining the purpose of a line of computer code

Image of the powershell script code

(Credit: Proofpoint)

“The PowerShell script included a pound sign followed by grammatically correct and hyper specific comments above each component of the script. This is a typical output of LLM-generated coding content, and suggests TA547 used some type of LLM-enabled tool to write (or rewrite) the PowerShell, or copied the script from another source that had used it,” Proofpoint says.

Indeed, if you ask ChatGPT, Copilot, or Gemini to create a similar PowerShell script, they’ll respond in the same format, placing pound symbols along with an explanation. In contrast, a human hacker would probably avoid such comments, especially since their goal is to disguise their techniques.

Recommended by Our Editors

ChatGPT placing the pound symbols

(Credit: ChatGPT)

Still, Proofpoint can’t definitively say TA547 created the PowerShell script with the help of an AI chatbot. Nevertheless, the case illustrates how cybercriminals can harness…

Source…

How ITDR Could Have Helped Microsoft in the Midnight Blizzard Hack

/in


Identity-based attacks are on the rise, but they can be prevented with the right identity threat detection and response (ITDR) measures. 

As winter crept in last year, so did identity threat actors. Microsoft revealed in January that the Russia-backed group Midnight Blizzard (aka Nobelium) had compromised senior-level email accounts and stolen sensitive information in a password-spraying attack dating back to November 2023. 

Thought to be affiliated with the Russian Foreign Intelligence Service, Midnight Blizzard performs espionage attacks on targets across the US and Europe. The group is perhaps best known for the SolarWinds hack in 2020 – a massive supply chain breach that affected thousands of organizations, including the US government. 

Midnight Blizzard’s latest attack on Microsoft was sophisticated but easily preventable. A protective layer of identity threat detection and response (ITDR) measures would have stopped the group from gaining a foothold in Microsoft’s corporate environment. In this blog, we’ll look at how. 

How It Happened

In late November 2023, Midnight Blizzard used a password-spraying attack to compromise an old Microsoft test account that didn’t have multifactor authentication (MFA) enabled. To avoid being detected or locked out of the system, the group used residential proxy networks to masquerade as legitimate users. It focused its attack on a small number of accounts. 

With a foothold in the system, Midnight Blizzard took over a legacy test OAuth application connected to Microsoft’s corporate environment and created more OAuth applications. It leveraged the privileges that came with these to grant itself the Microsoft 365 Exchange Online full_access_as_app role, which provided access to the entire 365 stack. In what Microsoft says was a bid to find information about itself, Midnight Blizzard then stole data, such as documents and emails from senior-level accounts. 

How It Was Discovered

“The Microsoft security team detected a nation-state attack on our corporate systems on January 12, 2024,” Microsoft disclosed in an 8-K filing, “and immediately activated our response process to investigate, disrupt malicious activity, mitigate…

Source…

Lessons from a ransomware attack: How one healthcare CIO helped her company recover

/in


In the early-morning hours of Feb. 25, 2021, Terri Ripley got the call every chief information officer dreads: Her company, OrthoVirginia Inc., had been hit by a massive attack of the Ryuk ransomware that had shut down its entire computing fabric.

Although it would be 18 months before systems were fully restored, OrthoVirginia never shut down operations or abandoned patients. What it learned during the crisis is a lesson for any organization that might become an attack target. Today, that’s everyone.

Speaking at the Healthcare Information and Management Systems Society Inc.’s Healthcare Cybersecurity Forum in Boston this week, Ripley gave a blow-by-blow description of the events immediately following the attack, the critical choices that were made and how the company is insulating itself from future incidents.

OrthoVirginia is Virginia’s largest provider of orthopedic medicine and therapy, encompassing 105 orthopedic surgeons spread across the state. Its 25-person information technology organization had put cyber protections in place before the attack hit, but the pandemic was a curveball they didn’t anticipate.

“When COVID hit and we sent everybody home, some of those protections were not in place,” she said. “We put a lot of good measures in place, but we still got hit.”

System-wide shutdown

The attack took down servers, workstations, network storage and backups, but fortunately not electronic health records, which were hosted offsite. It encrypted the picture archiving and communication system that contains the X-rays vital to orthopedic surgery. The application and database needed to view the images were also hit and the internet protocol phones went down.

To make matters worse, OrthoVirginia’s chief cybersecurity expert was on vacation at the time. Knowing that ransomware attacks can be unpredictable, “we made the decision to shut everything down,” Ripley said. “That stopped the script from running so we were able to save the data files.”

Forensics would later determine that the attack was triggered by a remote worker clicking on a malicious link. The attackers were able to compromise the system administration password, tunnel through the…

Source…

Prison officer who helped smuggle cocaine into convicted murderer’s cell facing jail time

/in


Prison officer, 31, who helped smuggle cocaine and a mobile phone into convicted murderer’s cell at maximum-security jail after ‘forming a close relationship’ is now facing time behind bars herself

  • Heather McKenzie was working at HMP Shotts when she teamed up with convicted murderer Zak Malavin to supply drugs to inmates
  • McKenzie will be sentenced at the High Court in Glasgow on February 23

By David Meikle and Ashlie Mcanally

Published: | Updated:

A prison officer is facing time behind bars after helping to smuggle cocaine into one of Scotland’s most notorious maximum-security jails.

Heather McKenzie was working at HMP Shotts – home to some of the country’s most hardened criminals – when she teamed up with convicted murderer Zak Malavin to supply drugs to inmates.

Prison officials and police started an investigation after noticing a significant rise in the quantities of drugs being found in the jail – and receiving a tip-off about possible staff corruption.

Intelligence suggested McKenzie, 31, was illegally bringing drugs and mobile phones into the prison.

Heather McKenzie (pictured) was working at HMP Shotts – home to some of the country’s most hardened criminals – when she teamed up with a convicted murderer

Heather McKenzie (pictured) was working at HMP Shotts – home to some of the country’s most hardened criminals – when she teamed up with a convicted murderer

Zak Malavin who is serving life for murdering a man in a park by attacking him with a sword, was found to have an iPhone, 1.45g of cocaine and a sleeping pill in his cell

Zak Malavin who is serving life for murdering a man in a park by attacking him with a sword, was found to have an iPhone, 1.45g of cocaine and a sleeping pill in his cell

Malavin, serving life for murdering a man in a park by attacking him with a sword, was found to have an iPhone, 1.45g of cocaine and a sleeping pill in his cell when officers searched it in May 2020.

A search the following month uncovered two knotted bags containing a further 5.7g of cocaine, while data on the iPhone revealed texts and calls to McKenzie.

Police later raided McKenzie’s home in Forth, Lanarkshire, and arrested her after finding £2,500 in cash, mobile phones, syringes and trenbolone – a powerful steroid – as well as traces of cocaine and 28g of another drug, benzocaine.

An iPhone found by police had a missed WhatsApp call from a contact named ‘Zak’….

Source…