Cyberattacks On Embassies, Threat Actor Using ChatGPT To Write Malware, and MMS Vulnerabilities

Notable security news for the week of Oct 6th-12th 2024, brought to you by the F5 Security Incident Response Team. This week your editor is Dharminder. In this edition, I have security news about cyberattacks on embassies and government organisations, the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) being deprecated in future versions of Windows Server, threat actors leveraging OpenAI's ChatGPT chatbot to develop malware, spread misinformation, evade detection, and conduct spear-phishing attacks, multiple security vulnerabilities in two implementations of the Manufacturing Message Specification (MMS) protocol, and Google's Global Signal Exchange (GSE) initiative to combat online scams and fraud.

We in F5 SIRT invest a lot of time in understanding the frequently changing behaviour of bad actors. Bad actors are a threat to your business, your reputation, your livelihood. That’s why we take the security of your business seriously. When you’re under attack, we’ll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So the next time you face a security emergency, please contact F5 SIRT.

OK, let's get started with the details of this week's security news.


Cyberattacks on Embassies and Air-Gapped Systems Using Malware Toolsets.

GoldenJackal, a threat actor, has been tied to cyberattacks targeting embassies and government organisations with a focus on infiltrating air-gapped systems. Victims include a South Asian embassy in Belarus and an EU government organisation, according to Slovak cybersecurity firm ESET. The group’s goal appears to be stealing confidential data from high-profile systems, which may not be connected to the internet.

GoldenJackal was first revealed in May 2023 by Kaspersky, with its origins traced back to at least 2019. Key tools include JackalWorm, a worm capable of infecting USB drives, and a trojan called JackalControl. The attacks also used tools like JackalSteal. Notably, GoldenJackal’s activities show some overlap with campaigns associated with the threat actors Turla and MoustachedBouncer.

ESET discovered GoldenJackal artifacts at a South Asian embassy in Belarus between 2019 and 2021. From 2022 to 2024, a revamped toolset was used against an EU government entity, demonstrating the group's sophistication in developing distinct toolsets over five years.

Three malware families were used in the Belarus attacks:

  1. GoldenDealer: Delivers executables to air-gapped systems via compromised USB drives.

  2. GoldenHowl: A modular backdoor with capabilities like stealing files, creating tasks, and SSH tunneling.

  3. GoldenRobo: A file collector and exfiltration tool.

In the EU government attacks, a new malware set mostly written in Go was identified. It included:

  • GoldenUsbCopy and GoldenUsbGo: Monitor USB drives for file exfiltration.

  • GoldenAce: Spreads malware using USB drives.

  • GoldenBlacklist and GoldenPyBlacklist: Process email messages for exfiltration.

  • GoldenMailer and GoldenDrive: Used to send stolen data via email and Google Drive.

It’s still unclear how GoldenJackal initially compromises its targets, but trojanized Skype installers and malicious Word documents are suspected vectors. GoldenDealer plays a critical role by using USB drives to move malware between internet-connected machines and air-gapped systems.

ESET highlights that GoldenJackal’s ability to develop two separate toolsets in five years points to a highly resourceful and sophisticated threat actor.

https://www.theregister.com/2024/10/09/goldenjackal_custom_malware/ 

https://thehackernews.com/2024/10/goldenjackal-target-embassies-and-air.html 

https://www.pcmag.com/news/hacking-group-targets-air-gapped-computers-with-usb-malware 


PPTP and L2TP VPN Protocols Are Deprecated.

Microsoft has officially deprecated the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) in future versions of Windows Server, recommending administrators transition to more secure protocols like Secure Socket Tunneling Protocol (SSTP) and Internet Key Exchange version 2 (IKEv2).

PPTP and L2TP have been widely used for over 20 years to provide remote access to corporate networks. However, as cyberattacks have become more sophisticated, these protocols are no longer considered secure. PPTP, for instance, is vulnerable to offline brute force attacks on authentication hashes, while L2TP lacks encryption unless combined with IPsec. Misconfigurations in L2TP/IPsec can introduce vulnerabilities, making networks susceptible to attacks.

To enhance security and performance, Microsoft is recommending users transition to more secure and efficient alternatives: Secure Socket Tunneling Protocol (SSTP) and Internet Key Exchange version 2 (IKEv2).

Benefits of SSTP:

  • Strong encryption: Uses SSL/TLS encryption for secure communication.

  • Firewall traversal: Easily passes through most firewalls and proxy servers.

  • Ease of use: Native support in Windows makes it simple to configure and deploy.

Benefits of IKEv2:

  • High security: Supports robust encryption and authentication methods.

  • Mobility and multihoming: Ideal for mobile users, maintaining connections during network changes.

  • Improved performance: Faster tunnel establishment and lower latency compared to older protocols.

Though PPTP and L2TP are deprecated, they are not immediately removed. Microsoft advises admins to begin migrating to SSTP and IKEv2, and future Windows versions will no longer accept incoming PPTP or L2TP connections for VPN servers, though outgoing connections will still be possible.

To help with this transition, Microsoft has released a support bulletin with detailed steps for configuring SSTP and IKEv2.
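As an added example (not from the Microsoft bulletin or the original article), the PowerShell below inventories the VPN client connections configured on a Windows host and flags any still using the deprecated PPTP or L2TP tunnel types, which is a useful first step before migrating them to IKEv2 or SSTP. The connection name 'Corp VPN' in the commented migration command is a placeholder.

```powershell
# Added example: audit Windows VPN client connections for deprecated tunnel types.
# Uses the built-in VpnClient module cmdlets Get-VpnConnection / Set-VpnConnection.
$deprecated = @('Pptp', 'L2tp')

function Get-DeprecatedVpnConnection {
    # Collect both the current user's connections and the machine-wide (all-user) ones.
    $connections = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
                   @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)

    foreach ($c in $connections) {
        $status = if ($deprecated -contains $c.TunnelType) {
            'DEPRECATED'
        } elseif ($c.TunnelType -eq 'Automatic') {
            # 'Automatic' lets the client negotiate and can still end up on PPTP/L2TP
            # if the server offers them, so it deserves a manual review.
            'REVIEW (Automatic may negotiate PPTP/L2TP)'
        } else {
            'ok'
        }

        [pscustomobject]@{
            Name       = $c.Name
            Server     = $c.ServerAddress
            TunnelType = $c.TunnelType
            Auth       = ($c.AuthenticationMethod -join ',')
            Status     = $status
        }
    }
}

$report = Get-DeprecatedVpnConnection
$report | Format-Table -AutoSize

# Migrate a flagged connection to IKEv2 with EAP authentication. 'Corp VPN' is a
# placeholder name; the VPN server must already accept IKEv2 before this is run.
# Set-VpnConnection -Name 'Corp VPN' -TunnelType Ikev2 -AuthenticationMethod Eap -PassThru
```

Run it in an elevated PowerShell session so that the all-user connections are visible as well as the per-user ones.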

https://techcommunity.microsoft.com/t5/windows-server-news-and-best/pptp-and-l2tp-deprecation-a-new-era-of-secure-connectivity/ba-p/4263956 

https://www.bleepingcomputer.com/news/microsoft/microsoft-deprecates-pptp-and-l2tp-vpn-protocols-in-windows-server/


Use Of ChatGPT By Threat Actors To Write Malware.

OpenAI has reported the disruption of over 20 malicious cyber operations that leveraged its AI chatbot, ChatGPT, for developing malware, spreading misinformation, evading detection, and conducting spear-phishing attacks. This marks the first official confirmation that generative AI tools are being used to enhance offensive cyber operations.

Key findings include:

  1. SweetSpecter (a Chinese cyber-espionage group): This group targeted OpenAI directly by sending spear-phishing emails to employees. These emails contained malicious attachments leading to the installation of SugarGh0st RAT. SweetSpecter used multiple ChatGPT accounts for scripting and vulnerability analysis.

  2. CyberAv3ngers (an Iranian IRGC-affiliated group): This group used ChatGPT to exploit industrial systems in critical infrastructure. They utilized ChatGPT for tasks such as generating default credentials for Programmable Logic Controllers (PLCs), developing scripts, obfuscating code, and post-compromise planning.

  3. Storm-0817 (another Iranian group): This group used ChatGPT to debug malware, develop Android malware, and build command-and-control infrastructure. Their malware could steal contact lists, call logs, files, and more, while also supporting server-side code for compromised devices.

All accounts linked to these malicious activities were banned, and related indicators of compromise (IOCs) were shared with cybersecurity partners. While the AI tools did not enable entirely new capabilities, they significantly streamlined offensive cyber operations for less-skilled threat actors, enhancing efficiency at all stages from planning to execution.

https://www.bleepingcomputer.com/news/security/openai-confirms-threat-actors-use-chatgpt-to-write-malware/ 

https://informationsecuritybuzz.com/openai-says-bad-actors-using-chatgpt/ 


Major Security Vulnerabilities in Industrial MMS Protocol Libraries.

Recent research has uncovered multiple security vulnerabilities in two implementations of the Manufacturing Message Specification (MMS) protocol, which could have critical impacts in industrial environments. These vulnerabilities were identified in the libIEC61850 library by MZ Automation and the TMW IEC 61850 library by Triangle MicroWorks, both widely used in industrial control systems. If exploited, the vulnerabilities could lead to crashes, remote code execution, or denial-of-service (DoS) conditions.

Key vulnerabilities include:

  1. CVE-2022-2970 and CVE-2022-2972 (CVSS 10.0) - Stack-based buffer overflow vulnerabilities in libIEC61850 allowing crashes or remote code execution.

  2. CVE-2022-2971 (CVSS 8.6) - Type confusion vulnerability in libIEC61850, potentially crashing the server.

  3. CVE-2022-2973 (CVSS 8.6) - Null pointer dereference causing server crashes.

  4. CVE-2022-38138 (CVSS 7.5) - Uninitialized pointer access leading to a DoS condition.

These flaws were patched in late 2022 following responsible disclosure.

Additionally, Siemens' SIPROTEC 5 IED was found to rely on an outdated version of SISCO’s MMS-EASE stack, which had a DoS vulnerability (CVE-2015-6574), now patched in an updated firmware version.

The report highlights the challenge of securing outdated protocols like MMS, which are hard to replace but essential in industrial systems. The vulnerabilities expose a gap between modern security demands and the resilience of legacy systems. The findings also emphasise the growing threat of vulnerabilities in industrial control systems and the need for vigilance in securing critical infrastructure.

Researchers have urged vendors to follow security guidelines provided by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

https://industrialcyber.co/reports/clarotys-team82-discovers-five-vulnerabilities-in-mms-protocol-posing-significant-risks-to-industrial-devices/ 

https://thehackernews.com/2024/10/researchers-uncover-major-security.html 


Google's "Global Signal Exchange" Initiative To Combat Scams And Fraud.

Google is strengthening its efforts to combat online scams and fraud through new partnerships and expanded protective measures. A new initiative, the Global Signal Exchange (GSE), was announced in collaboration with the Global Anti-Scam Alliance (GASA) and DNS Research Federation (DNSRF). The GSE will act as a global clearinghouse for signals of online scams and fraud, improving the sharing of threat data to quickly identify and disrupt fraudulent activities. Google's experience in preventing scams, combined with GASA's network and DNSRF's data platform, which currently holds over 40 million signals, will power this exchange. The GSE will be hosted on Google Cloud Platform and leverage AI to efficiently analyse and match scam signals. Google has already shared over 100,000 URLs of bad Shopping merchants and ingested 1 million scam signals during the pilot phase.

Google is also expanding its Cross-Account Protection, a tool that safeguards 3.2 billion users by sharing security notifications across sites and apps where users sign in with their Google Account. This collaboration includes partners like Canva, Electronic Arts, and Indeed, providing enhanced security across multiple platforms by detecting suspicious activities and preventing cybercriminals from exploiting user accounts. Google's commitment to user safety involves continuous innovation, partnerships, and the development of tools to protect against scams and cyber threats on a large scale.

https://blog.google/technology/safety-security/the-new-global-signal-exchange-will-help-fight-scams-and-fraud/

https://thehackernews.com/2024/10/google-joins-forces-with-gasa-and-dns.html


Published Oct 17, 2024
Version 1.0