Weekly Cyber Reports

This Week in Cyber 21st July 2023

Latest news and views from our Cyber Analysts

Written by Team Nucleus on 20th July, 2023


Microsoft Expands Access to Crucial Security Logs Amid Criticism, Improving Cybersecurity for All Users

Microsoft faced criticism for locking detailed security audit logs behind its costlier Microsoft 365 enterprise plans, leaving many customers without access to data that has proven essential for detecting security breaches, such as the incident in which a Chinese hacking group gained unauthorized access to email accounts. In response to the feedback and scrutiny, Microsoft announced that it will address the issue. Starting in September 2023, the company will begin rolling out logging updates to all government and commercial customers, so the security log data will no longer be restricted to higher-priced plans but will be accessible to a broader user base. With the logging updates, customers will gain access to a wider set of cloud security logs at no additional cost. Furthermore, Microsoft Purview Audit Standard customers will receive deeper visibility into security data, including detailed logs of email access and more than 30 other types of log data that were previously available only through the premium subscription. Providing advanced logging features to all business plans is a significant step towards a more inclusive and robust cybersecurity approach for Microsoft's customer base; by making critical security log data available to a broader audience, Microsoft aims to improve overall digital forensics and incident response capabilities.


GitHub Actions Vulnerability Exposes Google's Orbit Users to Code Injection and Phishing Attacks

In a recent cybersecurity advisory, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) disclosed a critical vulnerability discovered in Google's Orbit repository. The vulnerability, which stems from how the repository uses GitHub Actions, poses a serious risk to the security and integrity of Orbit's users: by exploiting it, threat actors can inject malicious code into the environment, opening the door to attacks including code injection and phishing. The advisory underscores the importance of addressing code injection vulnerabilities and the need for robust security measures to protect sensitive information. While it does not attribute the vulnerability to any specific threat actor, it is a stark reminder of the ongoing challenges posed by sophisticated cyber threats and of the critical role of proactive security measures in safeguarding software repositories and user data.
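The summary above does not say which workflow pattern made Orbit's GitHub Actions injectable, so the following is a general illustration of the class rather than a reconstruction of that bug: an untrusted context value such as an issue title interpolated straight into a `run:` script is expanded before the shell runs, so crafted text becomes shell commands. The script below is an added example, not code from Orbit, Google, CISA or this blog. It is a small line-based linter (the YAML handling and the list of untrusted contexts are this example's own approximations) that flags such interpolations, and it ships with two constructed workflows: one vulnerable, one hardened by passing the value through an environment variable so the shell only ever sees it as data.

```python
import re

# Contexts GitHub's hardening guidance lists as attacker-controllable
# (issue/PR/comment text, branch names, commit messages). Prefix match on
# the event object; deliberately broad rather than exhaustive.
UNTRUSTED = re.compile(
    r"\bgithub\.(head_ref\b|event\.(issue|pull_request|comment|review|"
    r"review_comment|discussion|commits|head_commit|pages)\b)"
)
EXPR = re.compile(r"\$\{\{(.*?)\}\}")
RUN_KEY = re.compile(r"^\s*(?:-\s+)?run:\s*(.*)$")


def run_steps(workflow_text):
    """Yield (first_line_no, script) for each `run:` value in the workflow,
    covering inline scalars and `|` / `>` block scalars. Line-based on
    purpose so it needs no YAML library; adequate for well-formed workflows."""
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        key_col = lines[i].index("run:")
        value = m.group(1)
        if value.startswith(("|", ">")):
            # Block scalar: continuation lines are those indented past the
            # key column (blank lines are allowed inside the block).
            j = i + 1
            block = []
            while j < len(lines) and (
                not lines[j].strip()
                or len(lines[j]) - len(lines[j].lstrip()) > key_col
            ):
                block.append(lines[j])
                j += 1
            yield i + 2, "\n".join(block)  # 1-based number of first block line
            i = j
        else:
            yield i + 1, value
            i += 1


def lint_workflow(workflow_text):
    """Return [(line_no, expression)] for every expression that interpolates
    an untrusted context directly into a shell script."""
    findings = []
    for first_line, script in run_steps(workflow_text):
        for offset, line in enumerate(script.splitlines()):
            for m in EXPR.finditer(line):
                if UNTRUSTED.search(m.group(1)):
                    findings.append((first_line + offset, m.group(0)))
    return findings


# Constructed sample workflows. The first pastes the issue title straight
# into a shell command; the second passes it through an environment
# variable, where the shell treats it as data only.
VULNERABLE_WORKFLOW = """\
name: triage
on: [issues]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - name: Echo title
        run: |
          echo "New issue: ${{ github.event.issue.title }}"
      - run: echo "repo is ${{ github.repository }}"
"""

HARDENED_WORKFLOW = """\
name: triage
on: [issues]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - name: Echo title
        env:
          TITLE: ${{ github.event.issue.title }}
        run: |
          echo "New issue: $TITLE"
"""

if __name__ == "__main__":
    print("vulnerable:", lint_workflow(VULNERABLE_WORKFLOW))
    print("hardened:", lint_workflow(HARDENED_WORKFLOW))
```

Run it against a checkout's `.github/workflows/*.yml` files to get a quick first pass; `github.repository` on the vulnerable sample is left alone because it is not attacker-controlled, while the `env:` indirection in the hardened sample produces no finding at all.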


Exploiting Microsoft Word Vulnerabilities: Cybercriminals Deploy LokiBot Malware

In recent phishing attacks, cybercriminals are exploiting known Microsoft Word vulnerabilities to distribute the LokiBot malware. LokiBot, also known as Loki PWS, has been a well-known Trojan since 2015, mainly targeting Windows systems to steal sensitive information from infected machines. The attacks observed in May 2023 take advantage of CVE-2021-40444 and CVE-2022-30190 (also known as Follina) to achieve remote code execution. The malicious Word file leverages CVE-2021-40444 to download an HTML file from an external GoFile link embedded in an XML file; this HTML file in turn exploits CVE-2022-30190 to download a Visual Basic injector module that decrypts and launches LokiBot. An alternative attack chain discovered in May involves a Word document whose VBA macro runs when the document is opened. The macro delivers an interim payload from a remote server, which acts as an injector to load LokiBot and connect it to a command-and-control (C2) server. LokiBot is a potent malware with capabilities including keystroke logging, screenshot capture, stealing login credentials from web browsers, and siphoning data from various cryptocurrency wallets. Its functionality has evolved over time, making it a popular choice for cybercriminals seeking to steal sensitive data from victims, and the attackers frequently update their methods to spread and infect systems more efficiently.
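Both CVE-2021-40444 and Follina documents share one observable trait described above: a part of the .docx package contains a relationship whose target is an external URL that Word resolves on open, rather than a local part. A triage script can surface that without rendering the file. The code below is an added example, not tooling from any vendor mentioned on this page: it walks every `.rels` part in a .docx (a .docx is a zip of XML parts), collects relationships marked `TargetMode="External"`, and reports the document as suspicious when the relationship type is one Word resolves automatically (the `AUTO_RESOLVED_TYPES` set is this example's own choice; a plain hyperlink is also external but only fires on a click). The sample documents are constructed in memory with placeholder hosts, so nothing is fetched.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Relationship types (last segment of the Type URI) whose external targets
# Word resolves on its own when the document is opened, with no click
# required. Chosen for this example; a hyperlink is deliberately excluded.
AUTO_RESOLVED_TYPES = {"oleObject", "attachedTemplate", "frame",
                       "subDocument", "image"}

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE_BASE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                 "relationships/")


def external_relationships(docx_bytes):
    """Yield (rels_part, rel_type, target) for every relationship in any
    .rels part of the package that carries TargetMode="External"."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for el in root.iter():
                # Tags are namespace-qualified: "{...}Relationship".
                if not el.tag.endswith("}Relationship"):
                    continue
                if el.get("TargetMode") != "External":
                    continue
                rel_type = el.get("Type", "").rsplit("/", 1)[-1]
                yield name, rel_type, el.get("Target", "")


def triage(docx_bytes):
    """Return ("suspicious", hits) if the document auto-resolves any
    external target, otherwise ("clean", [])."""
    hits = [(part, rtype, target)
            for part, rtype, target in external_relationships(docx_bytes)
            if rtype in AUTO_RESOLVED_TYPES]
    return ("suspicious" if hits else "clean"), hits


def build_sample_docx(relationships):
    """Constructed minimal OPC package for testing only; not a real Word
    file. `relationships` is a list of (rel_type, target, target_mode)."""
    rels = ['<Relationships xmlns="%s">' % RELS_NS]
    for i, (rtype, target, mode) in enumerate(relationships, 1):
        rels.append('<Relationship Id="rId%d" Type="%s%s" Target="%s" '
                    'TargetMode="%s"/>' % (i, REL_TYPE_BASE, rtype, target, mode))
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/_rels/document.xml.rels", "".join(rels))
    return buf.getvalue()


# Constructed samples (placeholder hosts): a benign document with one
# clickable hyperlink, and a document whose embedded OLE object points at a
# remote HTML file that Word would fetch on open, the shape of the first
# stage in the chain described above.
CLEAN_DOC = build_sample_docx([
    ("hyperlink", "https://example.org/page", "External"),
    ("styles", "styles.xml", "Internal"),
])
REMOTE_OLE_DOC = build_sample_docx([
    ("oleObject", "https://example.invalid/stage1.html", "External"),
    ("styles", "styles.xml", "Internal"),
])

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DOC), ("remote-ole", REMOTE_OLE_DOC)):
        print(label, triage(doc))
```

Pointing `triage` at real attachments from a mail gateway quarantine gives a cheap pre-filter; anything reported suspicious still needs detonation or manual review, and a document that embeds its exploit differently (the macro-based chain above, for instance) will not be caught by this check alone.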


Threat group ‘FIN8’ employs altered Sardonic backdoor for launching BlackCat ransomware campaigns

FIN8, a financially motivated threat actor, has been observed using a modified version of the Sardonic backdoor to distribute the BlackCat ransomware, an attempt by the e-crime group to diversify its focus and increase profits from infected entities. Symantec, which tracks the group as Syssphinx, notes that it has been active since 2016, originally targeting point-of-sale systems with malware like PUNCHTRACK and BADHATCH. In March 2021, FIN8 resurfaced with an updated BADHATCH and later introduced a new bespoke implant named Sardonic. The latest version of Sardonic is written in C, deliberately avoiding similarities with its previous C++ variant. The backdoor can collect system information, execute commands, and load additional malware payloads delivered as DLLs. In a recent incident analyzed by Symantec, Sardonic was embedded in a PowerShell script and launched through a .NET loader and an injector module that runs the implant. The backdoor supports up to 10 interactive sessions on the infected host for executing malicious commands and can drop arbitrary files and exfiltrate data to actor-controlled infrastructure. Notably, this is not the first time FIN8 has been associated with Sardonic in ransomware attacks. The group's expansion into ransomware shows its commitment to maximizing profits from victim organizations, constantly refining its tools and tactics to avoid detection.


WormGPT: Empowering Cybercriminals with Advanced Cyber Attack Capabilities through AI

The rising popularity of generative artificial intelligence (AI) has unfortunately led to its misuse by malicious actors, opening avenues for accelerated cybercrime. A new generative AI cybercrime tool called WormGPT has been advertised on underground forums as a way for adversaries to conduct sophisticated phishing and business email compromise (BEC) attacks. Designed for malicious purposes, WormGPT automates the creation of highly convincing fake emails personalized to their recipients, increasing the attack's chances of success. The tool is pitched as a rival to legitimate AI models like ChatGPT that lets users engage in illegal activities. The threat posed by such tools is heightened even as legitimate AI models, such as ChatGPT and Google Bard, take measures to combat the abuse of large language models (LLMs) for malicious purposes: cybercriminals circumvent restrictions by using APIs, selling brute-force software, and promoting "jailbreaks" that manipulate ChatGPT's output for harmful ends. Generative AI democratizes the execution of sophisticated BEC attacks, enabling even attackers with limited skills to use this technology. Additionally, researchers have modified open-source AI models to spread disinformation, leading to LLM supply chain poisoning. The misuse of generative AI underscores the importance of addressing ethical boundaries to prevent novice cybercriminals from launching large-scale attacks without technical expertise.

