CVSS3: 8.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: REQUIRED; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH
CVSS2: 6.8 Medium (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Access Vector: NETWORK; Access Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL
EPSS: 0.001 Low (Percentile: 31.1%)
Welcome to this week's edition of the Threat Source newsletter.
AI-generated art has been causing drama across the internet over the past few months, from Marvel TV show opening credits scenes to predatory YouTubers who claim YOU can make millions by having AI tools create children's books for you.
AI-generated art raises all sorts of ethical and legal questions that I don't have the space to cover here, but I did think it was worth noting that these tools are already being used in cyber attacks and online scams.
These tools can create extremely convincing deepfake art that could lead to the spread of misinformation or disinformation, especially concerning major news events and political figures. I've written about this in the newsletter before.
There are also dozens of apps that promise to create convincing AI art or portraits of people but actually serve another, malicious purpose. As McAfee pointed out in this blog post, some Android apps offered to "zhuzh up" users' profile pictures with AI filters but were actually trojanized apps with hidden information stealers. And at the end of the day, they were all using the same basic filters. Many of these apps could also be stealing and re-using the pictures users submitted to them (remember the saga of the app that showed what you would look like when you got old?).
I have more to get to this week, so I'm not going to go much deeper into the subject, but as always, be vigilant of apps' privacy policies and do a quick background check on their creators before downloading something hoping to create a Skrull version of yourself.
I'm also excited to show off this new video featuring a behind-the-scenes interview with Talos.
This video from Cisco Secure shines a spotlight on the evolution and future of ransomware. Watch it below or over on Cisco.com here to find out how our threat hunters identify new and evolving threats in the wild, and how their research and intelligence help organizations build strong defenses.
Apple released an emergency patch last week for all its operating systems for two zero-click vulnerabilities that could allow an attacker to completely take over a targeted device. The two vulnerabilities, identified as CVE-2023-32434 and CVE-2023-32435, were reportedly used to compromise phones in Russia. The issues were part of the so-called Triangulation spyware discovered on iPhones of employees of Kaspersky, a Russia-based cybersecurity company, but the malware was removed from phones after a device reboot.
The chances of being targeted by the Triangulation spyware are slim to none based on what the security community knows to this point, but either way, the existence of a zero-day vulnerability in iOS is always big news. Apple encouraged users of those devices to upgrade to iOS 16.5.1 and iPadOS 16.5.1. The company also said that CVE-2023-32434 "may have been actively exploited against versions of iOS released before iOS 15.7."
All Apple users should update these affected products as soon as possible. The U.S. Cybersecurity and Infrastructure Security Agency also released an advisory telling "users and administrators to review [Apple's] advisories and apply the necessary updates."
The self-identifying hacktivist group "Anonymous Sudan" is more active than initially thought. While researchers are still unsure as to the group's connections to any nation-states, the group says it's advocating on behalf of Sudan. It first came onto the scene earlier this month, taking credit for a distributed denial-of-service attack against Microsoft that affected Outlook. Now, researchers are saying their activities actually started prior to that with attacks targeting Israel, Sweden and other nations earlier this year. Microsoft confirmed last week that a Layer 7 DDoS attack was responsible for outages affecting Azure, Outlook and OneDrive, saying that, "these attacks likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools" and that there is "no evidence that customer data has been accessed or compromised." (Bloomberg, Bleeping Computer)
The list of companies affected by the MOVEit breach continues to grow. Clop, the threat actor behind the attacks, added Schneider Electric and Siemens Energy – two major electric corporations – to its leak site this week. The University of California Los Angeles (UCLA) also confirmed it discovered on June 1 that it was the target of the campaign, though it quickly engaged the college's incident response team and patched the issue. Since the attack went public, Clop's leak site mainly called out seven U.S. state and local governments, including the nation's largest public-employee pension fund – the California Public Employees' Retirement System. And the New York City public school system was also affected, with more than 45,000 students having their personal data stolen, including sensitive information like Social Security numbers. (The Record by Recorded Future, CyberScoop)
The FBI seized the domain belonging to the infamous hacking site BreachForums, three months after arresting its creator. Users of BreachForums were known for sharing and selling stolen personal data from a variety of websites and companies. BreachForums was quiet for several weeks after the admin, known as "Pompompurin," was arrested. However, the site's newest admin decided to relaunch the site on new servers earlier this month. In addition to the usual display of the logos of the law enforcement agencies involved in the takedown, BreachForums' homepage now also displays an image of the avatar Pompompurin used in handcuffs. (TechCrunch, Infosecurity Magazine)
BlackHat (Aug. 5 - 10)
Las Vegas, Nevada
Grace Hopper Celebration (Sept. 26 - 29)
Orlando, Florida
> Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don't Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation.
| SHA 256 | MD5 | Typical Filename | Claimed Product | Detection Name |
|---|---|---|---|---|
| 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1 | 3e10a74a7613d1cae4b9749d7ec93515 | IMG001.exe | N/A | Win.Dropper.Coinminer::1201 |
| 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa | df11b3105df8d7c70e7b501e210e3cc3 | DOC001.exe | N/A | Win.Worm.Coinminer::1201 |
| a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 | 7bdbd180c081fa63ca94f9c22c457376 | c0dwjdi6a.dll | N/A | Trojan.GenericKD.33515991 |
| e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c | a087b2e6ec57b08c0d0750c60f96a74c | AAct.exe | N/A | PUA.Win.Tool.Kmsauto::1201 |
| 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725 | d47fa115154927113b05bd3c8a308201 | mssqlsrv.exe | N/A | Trojan.GenericKD.65065311 |