Last Updated on August 1st, 2023
In AppSec Bulletin

WormGPT: Emerging AI Tool Raises Concerns over Advanced Cyber Threats

WormGPT is a generative AI tool built for cybercrime that was recently identified in the wild. It lets adversaries run phishing and BEC (Business Email Compromise) campaigns at scale by automating the drafting of convincing fraudulent emails tailored to each recipient, which raises the odds that a target acts on the message.

As AI capabilities advance, new attack vectors follow and defenses have to keep pace. Against AI-assisted BEC, companies should update their awareness training so employees can recognize well-written, personalized lures; poor spelling and grammar are no longer a reliable tell. They should also enforce strict verification of any payment or account-change request through a second channel (a call to a number already on file, never a reply to the email itself), and authenticate inbound mail with SPF, DKIM and DMARC so that spoofed senders are rejected before a person ever reads them. Together these measures blunt AI-driven phishing and BEC and strengthen the overall security posture.

News Source – Cyware

TeamTNT-like Campaign Steals Azure and Google Cloud Credentials

What –
A recently uncovered cloud credential-stealing campaign targets Azure and Google Cloud Platform (GCP) services. The tooling resembles that of the TeamTNT cryptojacking group, but researchers have stopped short of a definitive attribution.

More details –
The ongoing attacks target publicly exposed Docker instances and use a worm-like propagation module. They belong to a larger intrusion set that went after Jupyter Notebooks in December 2022. Between June 15 and July 11, 2023, researchers identified up to eight versions of the credential-harvesting script, a sign of a campaign under active development.

The latest versions of the malware gather credentials from a wide range of sources: AWS, Azure, Google Cloud Platform, Censys, Docker, FileZilla, Git, Grafana, Kubernetes, Linux, Ngrok, PostgreSQL, Redis, S3QL and SMB. The breadth of that list is the point: any plaintext secret left on a compromised host, whether a cloud CLI token, a registry login or a database password, is in scope, and a single foothold on one exposed container can turn into access across several clouds and services.
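As an added example (not the harvester's code, and not from Cyware or the researchers who tracked it), the script below approaches the same artifacts from the defender's side: it reports which plaintext credential files and secret-bearing environment variables are present in a home directory, so you know what a harvester like this one would walk away with from a given host. The file paths and variable names are each tool's usual defaults and are assumptions here; the sample home directory it builds is constructed for the demonstration.

```python
"""Inventory of plaintext credential artifacts on a host.

Added example, not the campaign's harvester: it walks a home directory and an
environment mapping for the credential files and variables that the services
listed above typically leave behind.  The paths are each tool's documented
default location and are assumed here; adjust them to your environment.
"""
import tempfile
from pathlib import Path

# Default on-disk locations relative to $HOME, grouped by service (assumed defaults).
CREDENTIAL_FILES = {
    "AWS": [".aws/credentials", ".aws/config"],
    "Azure": [".azure/accessTokens.json", ".azure/msal_token_cache.json"],
    "GCP": [".config/gcloud/credentials.db",
            ".config/gcloud/application_default_credentials.json"],
    "Docker": [".docker/config.json"],
    "Kubernetes": [".kube/config"],
    "Git": [".git-credentials"],
    "PostgreSQL": [".pgpass"],
    "Ngrok": [".ngrok2/ngrok.yml", ".config/ngrok/ngrok.yml"],
    "FileZilla": [".config/filezilla/sitemanager.xml",
                  ".config/filezilla/recentservers.xml"],
    "Redis": [".rediscli_history"],
    "S3QL": [".s3ql/authinfo2"],
    "SMB": [".smbcredentials"],
}

# Environment variables that carry a secret directly (assumed list).
CREDENTIAL_ENV = {
    "AWS": ["AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"],
    "Azure": ["AZURE_CLIENT_SECRET", "AZURE_STORAGE_KEY"],
    "GCP": ["GOOGLE_APPLICATION_CREDENTIALS"],
    "PostgreSQL": ["PGPASSWORD"],
    "Ngrok": ["NGROK_AUTHTOKEN"],
}


def inventory(home, env):
    """Return {service: [findings]} for artifacts present under `home` or set in `env`."""
    home = Path(home)
    found = {}
    for service, rel_paths in CREDENTIAL_FILES.items():
        for rel in rel_paths:
            path = home / rel
            if not path.is_file():
                continue
            mode = path.stat().st_mode & 0o777
            # Group/other bits set means any local user (or a container sharing
            # the mount) can read the secret without escalating first.
            note = "" if mode & 0o077 == 0 else f" (mode {mode:o}, readable by others)"
            found.setdefault(service, []).append(f"file {rel}{note}")
    for service, names in CREDENTIAL_ENV.items():
        for name in names:
            if env.get(name):
                found.setdefault(service, []).append(f"env {name}")
    return found


def build_sample_home():
    """Constructed sample: a temporary home directory with a few plaintext secrets."""
    home = Path(tempfile.mkdtemp(prefix="cred-audit-"))
    samples = {
        ".aws/credentials": "[default]\naws_access_key_id = AKIAEXAMPLE\n"
                            "aws_secret_access_key = example\n",
        ".kube/config": "apiVersion: v1\nkind: Config\n",
        ".docker/config.json": '{"auths": {"registry.example": {"auth": "dXNlcjpwYXNz"}}}\n',
    }
    for rel, body in samples.items():
        path = home / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
        # Leave the AWS file world-readable to show the permission warning.
        path.chmod(0o644 if rel == ".aws/credentials" else 0o600)
    return home


def demo():
    """Run the inventory over the constructed home plus a constructed environment."""
    return inventory(build_sample_home(), {"PGPASSWORD": "example"})


if __name__ == "__main__":
    for service, items in sorted(demo().items()):
        print(service)
        for item in items:
            print("  -", item)
```

Run it against a real account with `inventory(Path.home(), os.environ)`; anything it lists is a secret that should move to a short-lived credential (instance metadata, workload identity, a secrets manager) or at least to a file that only its owner can read.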

Source – Cyware

Dating App That Claims 50 Million Users Suffered a Data Breach

What –
Cybersecurity researcher Jeremiah Fowler came across an unprotected database containing around 2.3 million records. He reported it to vpnMentor, and further investigation showed that the records belonged to several dating applications, all stored in one unsecured database.

More details –
In total, 2,357,896 records occupying 340.6 GB were exposed. Of these, 959,571 were user images, some explicit and not safe for work (NSFW), including close-ups of body parts and faces; combined with names and email addresses, they make users easy to identify, which is a serious privacy and safety risk. A single backup log held 236,681 Gmail addresses, 15,703 Yahoo Mail accounts, 3,872 iCloud addresses and many more from other providers, and that log was only one of roughly 600 server logs in the db_backup folder. The same backup file also contained more than 500 profiles that used the word “escort” and advertised sexual services, linked to phone numbers, email addresses and social media accounts.

The database also contained Software Development Kit (SDK) files, the tools, libraries, documentation and resources developers use to build applications for a particular platform or framework. Exposed SDK files are a concern in their own right: they let an attacker study the apps' internals and build applications, or modified clients, that carry hidden malicious functionality or exploit weaknesses in the originals.

Source – VPNMentor

Malware Attacks via USB Flash Drives Surge

What –
In the first half of 2023, USB drives remained a favoured delivery mechanism for malware. Mandiant researchers observed a three-fold increase in USB-borne malware attacks aimed at stealing sensitive information, and published details of two campaigns to draw attention to the trend.

SOGU Malware Infection –
SOGU was delivered in a broad campaign attributed to the China-linked cyberespionage group TEMP.Hex, against public- and private-sector organizations in Europe, Asia and the U.S. The attackers used USB flash drives to infect hosts and steal sensitive data. The drives carried several malicious components and used DLL hijacking (a legitimate executable that loads an attacker-supplied DLL placed beside it) to load the final payload directly into the compromised system's memory.

Once running, SOGU captured screenshots, logged keystrokes, opened reverse shells and established remote desktop connections used to execute further files.

Stolen data was exfiltrated with a custom binary protocol over TCP, UDP or ICMP to an attacker-controlled command-and-control (C2) server. The ICMP option matters for defenders: data tunnelled in ping traffic passes through networks that only inspect TCP and UDP flows.

The campaign hit a wide range of industries, including construction, engineering, government, manufacturing, retail, media and pharmaceuticals.

SNOWYDRIVE Malware Infection –
A SNOWYDRIVE infection starts when the victim clicks what looks like a legitimate executable in the root folder of a USB drive. That launches an infection chain which downloads and installs a shellcode-based backdoor named SNOWYDRIVE.

Once installed, the backdoor copies itself to other removable drives plugged into the infected system, widening its spread. It can also write and delete files, upload files and run reverse-shell commands, giving the attackers substantial control over the host.

Conclusion –
Organizations should restrict USB device access (for example, deny execution from removable disks by policy, or allow only approved devices) and scan drives for malicious files before they touch corporate networks. They also need to detect and respond to such campaigns early; a threat intelligence platform (TIP) that feeds current tactical and technical indicators into detection tooling helps here. Together these measures materially improve an organization's posture against USB-borne threats.
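As an added example (not Mandiant's tooling, and not from the Cyware write-up), the script below is the kind of pre-connection triage the conclusion calls for: pointed at a mounted volume, it reports the layout patterns the two campaigns above rely on. The heuristics are assumptions, not indicators from the report: launchers sitting at the drive root (the SNOWYDRIVE lure), hidden entries, and a directory holding an .exe next to .dll files (the side-loading arrangement used to stage SOGU). The sample drive it builds is constructed for the demonstration.

```python
"""Pre-connection triage of a removable drive.

Added example, not Mandiant's tooling: walks a mounted volume and reports the
layout patterns the two campaigns above rely on.  The heuristics are assumed,
not taken from the report: launchers at the drive root (the SNOWYDRIVE lure),
hidden entries, and a directory holding an .exe next to .dll files (the
side-loading arrangement used to stage SOGU).
"""
import os
import tempfile
from pathlib import Path

# Extensions a double-click will execute; .lnk covers shortcut-based lures.
LAUNCHERS = {".exe", ".lnk", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}
FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit; dot-prefix covers other platforms


def is_hidden(path):
    """True for dot-prefixed names and, on Windows, entries with the hidden attribute."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def triage_drive(root):
    """Return (severity, finding) tuples for the volume mounted at `root`."""
    root = Path(root)
    findings = []
    for entry in sorted(root.iterdir()):
        if entry.is_file() and entry.suffix.lower() in LAUNCHERS:
            findings.append(("high", f"launcher at drive root: {entry.name}"))
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        rel = here.relative_to(root)
        for name in sorted(dirnames + filenames):
            if is_hidden(here / name):
                findings.append(("medium", f"hidden entry: {rel / name}"))
        exes = sorted(f for f in filenames if f.lower().endswith(".exe"))
        dlls = sorted(f for f in filenames if f.lower().endswith(".dll"))
        if exes and dlls:
            # A DLL shipped beside an executable on removable media is the
            # classic side-loading setup: the exe is clean, the DLL is not.
            findings.append(("high", f"exe with side-by-side DLLs in {rel}: "
                                     f"{', '.join(exes)} + {', '.join(dlls)}"))
    return findings


def build_sample_drive():
    """Constructed sample volume mimicking the layout described above."""
    root = Path(tempfile.mkdtemp(prefix="usb-triage-"))
    (root / "Documents.lnk").write_bytes(b"L\x00\x00\x00")        # shortcut lure
    (root / "Quarterly Report.docx").write_bytes(b"PK\x03\x04")    # genuine-looking decoy
    staged = root / ".System"   # dot-prefix stands in for the hidden attribute
    staged.mkdir()
    (staged / "updater.exe").write_bytes(b"MZ")     # legitimate host executable
    (staged / "version.dll").write_bytes(b"MZ")     # attacker DLL it side-loads
    return root


def demo():
    """Triage the constructed sample drive."""
    return triage_drive(build_sample_drive())


if __name__ == "__main__":
    for severity, finding in demo():
        print(f"[{severity}] {finding}")
```

Run `triage_drive("E:\\")` (or the mount point on Linux) from a machine that has execution from removable disks disabled by policy, so that looking is safe even when the drive is hostile; a hit on the side-loading rule warrants checking whether the .exe is signed and the .dll is not.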

Source – Cyware

Criminals target businesses with malicious extension for Meta’s Ads Manager and accidentally leak stolen accounts

Facebook business accounts are under attack from Vietnamese threat actors who advertise fake Ads Manager software on the very platform they target. The lure installs malicious Google Chrome extensions that steal and exfiltrate login information. The campaign has reached more than 800 victims worldwide, 310 of them in the United States, and more than $180,000 in ad budgets has been compromised. Businesses should treat any Ads Manager download promoted through an ad as suspect, review the browser extensions installed on accounts with ad-spend access, and keep those accounts protected with two-factor authentication.

Source – MalwareBytes

AppSealing is the only cloud-based pay-as-you-go solution that protects mobile apps without writing a single line of code. It is easy to use and protects mobile apps from hackers and illegal application modification, securing them at run time with RASP security features.