"Think AI for hacking and defending Feb 11th - 17th, 2023 - F5 SIRT - This Week in Security"
This week's This Week in Security editor is Lior Rotkovitch. Among the high-profile security news for this week we have hackers targeting individuals with malware, a Mirai botnet variant getting back into the game by hunting new vulnerabilities in Linux and IoT devices, and breaches that are being discovered almost a year post-exploitation.
Now, with emerging AI technology, anyone can use ChatGPT-style engines and simply ask them to create malware, viruses, social-engineering phishing lures and any attack one can imagine. Harnessing AI to attack can take you to very creative places: you just ask nicely for a different variant to evade signature-based detection, or simply say "can you please attack this for me?"
The next big question is whether ChatGPT-style engines can also answer how to protect against the specific attack that you, through the AI, created. Or, how can I protect myself against phishing? Even better, can it write the protection code?
Will this move the attack and protect arms race to AI? Who will win? Time will tell.
Cybersecurity Experts Warn Against Valentine's Day Romance Scams
Nothing like good social engineering. Does "I love you" ring a bell?
“The Federal Bureau of Investigation (FBI) has issued two separate statements over the last week to warn citizens in Texas and New Mexico against these crime attempts.”
“Victims may feel embarrassed, but it's important to come forward and contact the FBI if you suspect your online admirer is a scammer, so we can help bring them to justice before they break someone else's heart and bank account.”
New Mirai Botnet Variant 'V3G4' Exploiting 13 Flaws to Target Linux and IoT Devices
Some things last forever.
“A new variant of the notorious Mirai botnet has been found leveraging several security vulnerabilities to propagate itself to Linux and IoT devices.”
"Once the vulnerable devices are compromised, they will be fully controlled by attackers and become a part of the botnet," Unit 42 researchers said. "The threat actor has the capability to utilize those devices to conduct further attacks, such as distributed denial-of-service (DDoS) attacks."
The attacks primarily single out exposed servers and networking devices running Linux, with the adversary weaponizing as many as 13 flaws that could lead to remote code execution (RCE).
Hackers Using Google Ads to Spread FatalRAT Malware Disguised as Popular Apps
Creating a hacking funnel.
“The attacks involve purchasing ad slots to appear in Google search results and direct users looking for popular applications to rogue websites hosting trojanized installers”
"The attackers have expended some effort regarding the domain names used for their websites, trying to be as similar to the official names as possible," the researchers said. "The fake websites are, in most cases, identical copies of the legitimate sites."
GoDaddy: Hackers stole source code, installed malware in multi-year breach
Hacking hosting providers to use them as attack platforms.
Web hosting giant GoDaddy says it suffered a breach where unknown attackers have stolen source code and installed malware on its servers after breaching its cPanel shared hosting environment in a multi-year attack.
"Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy," the hosting firm said in an SEC filing.
GoDaddy says it also found additional evidence linking the threat actors to a broader campaign targeting other hosting companies worldwide over the years.
"According to information we have received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities."
Critical RCE Vulnerability Discovered in ClamAV Open Source Antivirus Software
Cisco has rolled out security updates to address a critical flaw reported in the ClamAV open source antivirus engine that could lead to remote code execution on susceptible devices.
Tracked as CVE-2023-20032 (CVSS score: 9.8), the issue relates to a case of remote code execution residing in the HFS+ file parser component.
"This vulnerability is due to a missing buffer size check that may result in a heap buffer overflow write," Cisco Talos said in an advisory. "An attacker could exploit this vulnerability by submitting a crafted HFS+ partition file to be scanned by ClamAV on an affected device."
Successful exploitation of the weakness could enable an adversary to run arbitrary code with the same privileges as that of the ClamAV scanning process, or crash the process, resulting in a denial-of-service (DoS) condition.
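To make the advisory's description concrete, here is an added illustration of the bug pattern it names, a copy into a fixed-size heap buffer with no size check, beside the check that closes it. This is not ClamAV's code and the record layout (a 2-byte big-endian length followed by data) is constructed for the example; the HFS+ parser itself is not shown here.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed layout for this illustration (not real HFS+): a record is a
 * 2-byte big-endian length followed by that many bytes of payload. */
#define NODE_CAP 64

/* Reads a big-endian 16-bit length field. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Bug pattern: trusts the file-controlled length and copies it into a
 * fixed-size heap node. A length above the node size writes past the end of
 * the heap buffer. Kept only to contrast with the checked version below;
 * the demo never calls it with an oversize record. */
int fetch_record_unchecked(const uint8_t *img, size_t off, uint8_t *node) {
    uint16_t len = rd16(img + off);
    memcpy(node, img + off + 2, len);   /* no size check */
    return len;
}

/* Fix pattern: validate the length against both the remaining image and the
 * destination capacity before copying. Returns bytes copied, or -1 when the
 * record is rejected as malformed. */
int fetch_record_checked(const uint8_t *img, size_t img_len, size_t off,
                         uint8_t *node, size_t node_cap) {
    if (off > img_len || img_len - off < 2) return -1;  /* header out of bounds */
    uint16_t len = rd16(img + off);
    if (len > node_cap) return -1;                     /* would overflow the node */
    if (len > img_len - off - 2) return -1;            /* would read past the image */
    memcpy(node, img + off + 2, len);
    return len;
}

/* Constructed image whose record claims 256 bytes while the node holds 64.
 * Returns 1 if the checked parser rejects it, which is the desired outcome. */
int demo_rejects_oversize(void) {
    uint8_t img[4 + NODE_CAP];
    memset(img, 0x41, sizeof img);
    img[0] = 0x01; img[1] = 0x00;       /* length field = 256 */
    uint8_t *node = malloc(NODE_CAP);
    int rc = fetch_record_checked(img, sizeof img, 0, node, NODE_CAP);
    free(node);
    return rc == -1;
}

/* Well-formed 3-byte record: both parsers copy it and return 3. */
int demo_accepts_wellformed(void) {
    uint8_t img[5] = {0x00, 0x03, 'a', 'b', 'c'};
    uint8_t node[NODE_CAP];
    int a = fetch_record_checked(img, sizeof img, 0, node, NODE_CAP);
    int b = fetch_record_unchecked(img, 0, node);
    return (a == 3 && b == 3 && node[2] == 'c') ? 3 : -1;
}
```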