F5 QSN, ChatGPT Malware, and Crypto Hacks - May 1 to May 7, 2023- F5 SIRT - This Week in Security

Jordan here as your editor this week. This week I reviewed the F5 Quarterly Security Notification, ChatGPT Malware, and Cryptocurrency Hacks.  Keeping up to date with new technologies, techniques and information is an important part of our role in the F5 SIRT. The problem with security news is that it's an absolute fire-hose of information, so each week or so we try to distill the things we found interesting and pass them on to you in a curated form.

It's also important for us to keep up to date with the frequently changing behaviour of bad actors. Bad actors are a threat to your business, your reputation, your livelihood. That's why we take the security of your business seriously. When you're under attack, we'll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are under security emergency please contact F5 SIRT.

F5 Quarterly Security Notification

F5 disclosed a set of vulnerabilities on May 3rd, 2023 in a scheduled Quarterly Security Notification (QSN). For those unaware, F5 publishes disclosure dates in advance to provide customers adequate time to plan for updates/upgrades before the public disclosure. For F5 customers, it is worth reviewing the overview, along with the specific vulnerabilities which be found here K000133251: Overview of F5 vulnerabilities (May 2023) 

Each QSN the F5 SIRT team does a lives stream for customers to get a high-level briefing on the issues, along with *most* answers to questions asked during the stream. I'm posting this article a week after the announcement but you can still watch the pre-recorded video on YouTube. 

ChatGPT Malware

As defenders, one challenge we all face is that threat actors are quick to evolve their tactics, often using multiple platforms to evade detection and ensure that no one service has complete visibility into their operation. This year we saw a dramatic growth of large language models (LLM), spawned by the release of ChatGPT to the masses. As with any tool, there are use cases for both good and bad purposes.

In the Q1 2023 Security report from Meta, they found "Since March alone, our security analysts have found around 10 malware families posing as ChatGPT and similar tools to compromise accounts across the internet.".  In the same report, Meta gives examples of how threat actors are creating malicious browser extensions that claim to offer ChatGPT-related tools, which in fact contain malware. Some of these malicious extensions even include working ChatGPT functionality alongside the malware to avoid suspicion.

Additionally, the report notes that malware families posing as ChatGPT apps have switched their lures to other popular themes like Google's Bard or TikTok marketing support in response to detection. These tactics demonstrate how threat actors are constantly evolving and adapting their strategies to evade detection and gain access to sensitive information.

It's important to be aware of the potential for abuse of new technology and tools, and to remain vigilant against evolving threats. Defenders must continue to collaborate and share threat intelligence to stay ahead of threat actors and protect users from malicious activity.

Cryptocurrency Hacks

On May 1st, Level Finance, a DeFi project on the Binance Smart Chain, fell victim to an attack resulting in $1.1 million in stolen referral rewards. The attacker(s) exploited a bug in the LevelReferralControllerV2 contract, enabling repeated reward claims during the same epoch. The stolen 214,000 LVL tokens were swapped for 3,345 BNB, causing an initial 65% LVL price drop. The attack on Level Finance went unnoticed until a tweet by Definalist raised an alert, demonstrating the significance of on-chain monitoring systems for detecting suspicious activities.

Third-party audits, such as the two performed for Level Finance, both missed this vulnerability. Therefore, it is important to supplement audits with decentralized security controls and on-chain monitoring systems to ensure comprehensive security. This is often called defense in depth, not relying on one security control by itself. Implementing defense in depth is crucial for securing your organization's assets against cyber threats. By combining multiple layers of security controls, you can better protect against vulnerabilities and detect attacks early on.