Twitter Email Data Leak

Summary: Hackers have released over 200 million email addresses of Twitter users along with supplementary information. The leak was offered on the hacking forum Breached for approximately $2. The data included in the leak are the email address, the user's name, the username, the account creation date, and the follower count.

This most recent leak is derived from a data leak from November 2022, with duplicates removed to reduce its size and make it easier to browse. Bleeping Computer has independently confirmed that many of the emails in the leak are valid. The data provided by this leak not only raises privacy concerns for users who want to stay anonymous; it can also allow attackers to identify anonymous users by correlating email addresses with past data leaks.

Why it matters: The biggest concern these email data leaks pose is that they can be used to select users for targeted phishing attacks and other social engineering tactics. It is well known that phishing is one of the most common digital crimes committed every year. OSINT on specific targets such as verified accounts could allow attackers to single out certain users in the hope of pivoting into their employee emails and accounts. While users are advised to use different passwords across their accounts, many people reuse passwords so their logins are easy to remember. The danger this habit poses is that a phished user might use the same password on a known business account, thus endangering the business. It is therefore recommended not only to train users to recognize phishing emails but also to deploy password managers to hold unique passwords as a secondary layer of protection against reused passwords.

AI-Written Malware

Summary: Researchers at Check Point have analyzed forum threads in which malicious actors use Artificial Intelligence (AI) technologies to develop new hacking tools with little to no coding knowledge. The specific AI tool used by the attackers is the newly released and widely lauded ChatGPT chatbot by OpenAI. ChatGPT is considered one of the most advanced AIs available to the public; it allows users to give the AI creative prompts and returns realistic or near-realistic responses.

The three cases researched by Check Point were the use of ChatGPT to create an info stealer, an encryption tool, and a script to manage cryptocurrency payments in real time for use on the dark web. While this code could be written by experienced malware programmers, the cases show an underlying trend: threat actors can use artificial intelligence to reduce or even eliminate the work needed to create hacking tools.

Why it matters: AI and cybersecurity are two of the fastest-growing fields within the technology industry. Although outwardly they appear distinctly different from one another, they have more recently been converging. Most notably, the machine learning sub-field of AI has been particularly useful for the growth of companies such as Splunk, Sumo Logic, and CrowdStrike, which use machine learning to help detect security incidents and automate the response. On the other hand, malicious actors do not typically have the funding, and may even lack the training, to create their own AI software. As AIs develop faster and become more integrated with the public, their growing accessibility makes it easier for threat actors to use them for malicious purposes. As these tools become more advanced, threat actors will continue to use them to improve their attacks.

ChatGPT Creates Polymorphic Malware

Summary: Researchers from CyberArk, a cybersecurity firm, have reportedly created a new strain of polymorphic malware using OpenAI's ChatGPT. The researchers stated that the malware could easily circumvent current detection methods with very little effort. They went on to explain that by using the API version of ChatGPT rather than the web version, they were able to bypass the content filters, which enabled them to create working malware. From there, they leveraged ChatGPT's ability to create and continually mutate injectors, thereby producing a polymorphic program that is highly elusive and difficult to detect.

One of the many spectacular tricks ChatGPT has been able to pull off is writing highly advanced malware that contains no malicious code at all, according to CyberArk. “As we have seen, the use of ChatGPT’s API within malware can present significant challenges for security professionals,” the report said. “It’s important to remember, this is not just a hypothetical scenario but a very real concern.”

Why it matters: As AI makes our lives easier, it also makes adversaries' lives easier. Security researchers told The Register that this text-generating tool is worrisome because it can be used to experiment with creating polymorphic malware, which can be used in ransomware attacks. It is called polymorphic because it mutates to evade detection and identification by antivirus. Not only that, but low-skill miscreants could use the OpenAI bot to generate trivial malware that manages to infect naive or poorly defended networks. It is apparent that malware built with ChatGPT is going to be part of the future, and this is just the beginning: security vendors need to become aware of the dangers inherent in this emerging environment of AI.

Roaming Mantis Hijacks Wi-Fi Routers’ DNS Settings

Summary: Roaming Mantis (AKA "Shaoye") is a cybercriminal campaign first observed by Kaspersky in 2018. The group uses malicious Android application files (APKs) to control infected Android devices and steal their data, phishing pages for iOS devices, and cryptomining for PCs. Recently, Roaming Mantis has introduced a DNS changer function that reroutes users connected to a compromised router to a DNS server controlled by the criminals. Once users have been redirected, they are prompted to download malware that can control their device(s) or steal their credentials.

Further investigation has also revealed that Roaming Mantis landing pages use a technique called "smishing", in which text messages are used to spread malware. Once a user's device is compromised, the malware compromises other vulnerable routers, which in turn compromise more devices. Kaspersky also stated: "The new DNS changer functionality can manage all device communications using the compromised Wi-Fi router, such as redirecting to malicious hosts and disabling updates of security products. We believe that this discovery is highly critical for the cybersecurity of Android devices because it is capable of being widely spread in the targeted regions."

Why it matters: That US-based routers are not currently being targeted does not mean that we are forever safe from these types of attacks. It is important to be proactive in ensuring that Wi-Fi access points are up to date and that wireless guest networks also employ some form of monitoring. An absolute worst case would be a user inadvertently connecting their company device to an unprotected guest network and corporate data being lost or stolen. It is also prudent to install mobile software only from the official app marketplaces and not from third-party sources, to further minimize the risk of compromise from these new types of attacks.
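The DNS changer described above works by handing clients a resolver the attacker controls. The following is an added example (not code from Kaspersky or from the original article) of a host-side check a defender can run: it parses the resolver configuration a DHCP client writes, compares each nameserver against an allowlist, and flags anything that is neither allowlisted nor inside the local subnet. The subnet, allowlist and the resolv.conf content are all constructed assumptions.

```python
import ipaddress

# Constructed resolver configuration as a DHCP client would write it (not taken
# from a real device). The router at 192.168.1.1 is the expected resolver; the
# second entry is a constructed address standing in for an off-network server.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP on wlan0
nameserver 192.168.1.1
nameserver 198.51.100.53
search lan
"""

LAN = ipaddress.ip_network("192.168.1.0/24")       # assumed local subnet
EXPECTED_RESOLVERS = {"192.168.1.1", "10.0.0.53"}  # router + assumed corporate resolver


def parse_nameservers(text):
    """Return nameserver addresses from resolv.conf-style text, ignoring comments."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_resolvers(servers, expected=EXPECTED_RESOLVERS, lan=LAN):
    """Label each configured resolver:
    expected           : on the allowlist
    unexpected_on_lan  : another LAN host answering DNS, not on the allowlist
    unexpected_off_lan : neither allowlisted nor local, the pattern a DNS changer
                         produces when clients are pointed at an outside resolver
    invalid            : not an IP address at all
    """
    labels = {}
    for s in servers:
        if s in expected:
            labels[s] = "expected"
            continue
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            labels[s] = "invalid"
            continue
        labels[s] = "unexpected_on_lan" if addr in lan else "unexpected_off_lan"
    return labels


def rogue_resolvers(text, expected=EXPECTED_RESOLVERS, lan=LAN):
    """The configured resolvers that warrant investigation, in sorted order."""
    labels = classify_resolvers(parse_nameservers(text), expected, lan)
    return sorted(s for s, label in labels.items() if label != "expected")
```

On a real host, feed it the contents of /etc/resolv.conf (or the equivalent output of the platform's network configuration tool) and alert on any non-empty result.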

PayPal Accounts Breached in Credential-Stuffing Attack

Summary: Approximately 35,000 users have been notified by PayPal that their accounts were breached; however, PayPal itself was not hacked. These accounts were compromised by adversaries using previously leaked credentials belonging to PayPal users. Credential stuffing is an attack in which hackers attempt to access accounts by trying username and password pairs sourced from data leaks on various websites. It works because many users reuse the same username and password combinations across multiple sites. This creates a huge vulnerability for users: if their credentials were previously leaked from a different source, those credentials can now be used to access other sites, which may hold payment card data or other sensitive PII.

Defending against these attacks relies heavily on users being educated about the dangers of recycling passwords and being proactive in ensuring each site has unique credentials. "During the two days [of the attack], hackers had access to account holders' full names, dates of birth, postal addresses, social security numbers, and individual tax identification numbers," Bleeping Computer reports. The tactics behind this attack were simple, and user awareness is key to defeating these types of attacks.

Why it matters: It is important for users to be aware that data loss is not just a risk to major corporations; individuals are targeted just as frequently. But because personal losses are significantly smaller than corporate losses, these attacks typically do not make headlines. This is an issue that affects everyone, and simply ensuring username and password combinations are unique for each site makes it harder for adversaries to steal our hard-earned money and sensitive information. It is also a good idea to use a trusted password manager or a dark web monitoring service that alerts users when their credentials have been leaked on the web.
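User awareness is one side of the defence; the service operator can also detect credential stuffing in its authentication logs. The following is an added example (not PayPal's code or anything from the original article) of the detection logic: one source address attempting logins for many distinct usernames in a short window is the stuffing signature, as opposed to brute force, which is many attempts against one account. The log format and every log line are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2023-01-20T10:00:01 203.0.113.7 alice@example.com FAIL
2023-01-20T10:00:02 203.0.113.7 bob@example.com FAIL
2023-01-20T10:00:03 203.0.113.7 carol@example.com FAIL
2023-01-20T10:00:04 203.0.113.7 dave@example.com SUCCESS
2023-01-20T10:00:05 203.0.113.7 erin@example.com FAIL
2023-01-20T10:00:06 203.0.113.7 frank@example.com FAIL
2023-01-20T10:05:00 198.51.100.2 alice@example.com FAIL
2023-01-20T10:05:30 198.51.100.2 alice@example.com FAIL
2023-01-20T10:06:00 198.51.100.2 alice@example.com SUCCESS
"""


def parse_log(text):
    """Parse whitespace-separated log lines into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs trying many distinct usernames inside one time window.
    Stuffing is one source cycling through leaked pairs, so the signal is username
    breadth per source, not repeated failures on one account (brute force, not flagged).
    Returns {ip: {"distinct_users", "failures", "successes"}} for the densest window."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window start forward
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            if len(users) >= min_users and len(users) > alerts.get(ip, {}).get("distinct_users", 0):
                alerts[ip] = {
                    "distinct_users": len(users),
                    "failures": sum(1 for e in span if e[3] == "FAIL"),
                    # a success inside a stuffing burst is a likely account takeover
                    "successes": sorted(e[2] for e in span if e[3] == "SUCCESS"),
                }
    return alerts
```

The accounts listed under "successes" are the ones to force a password reset and session revocation on; the single-user failures from the second address are left to a separate brute-force rule.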

Security Tip of the Month – How To Spot a Cyberbot

Summary: Bots are software created to perform repetitive tasks; malicious bots infect devices, which then infect other devices to create a network of zombie hosts used to launch cyberattacks. The "botmaster" uses thousands of these systems to target a single victim or an isolated group of victims. The end goal is to create a denial of service (DoS) for the victims, preventing them from accessing network or online resources.

The first line of defense against becoming one of these zombie systems is antivirus software. Use of a firewall is also essential to minimize the number of unauthorized connections made by a computer, as well as to inspect the traffic being sent and received by the system. Network-based firewalls, web security/URL filtering, flow detection, and intrusion detection and prevention systems are a good way to augment the local firewall on a host. It is also important to ensure that operating systems and installed software are kept up to date to minimize the risk of compromise.

Why it matters: Botnets are an ever-growing threat to daily users of the internet, and minimizing this threat relies on as many people as possible following internet safety best practices and being able to detect when they may be a victim. Signs of infection include sites opening slowly, the device running slower than normal, and apps behaving erratically. Checking which applications are running can help determine whether anything is running that should not be. Running an antivirus scan is also essential, but ensure that it has the most up-to-date signatures before executing the scan.