Executive Summary
The Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Wrap-Up is a collection of high-level cyber intelligence summaries pertaining to current or emerging cyber events in May 2023, originally published in CTIX FLASH Updates throughout May. This publication includes malware threats, threat actor activity, and newly identified vulnerabilities impacting a wide range of industries and victims. The CTIX FLASH Update is a semi-weekly newsletter that provides a timely snapshot of cyber events, geared toward cyber professionals and end users with varying levels of technical knowledge. The events published in the FLASH typically occurred close in time to publication of the report.
To stay up to date on the latest cyber threat activity, sign up for our weekly newsletter: the Ankura CTIX FLASH Update.
MALWARE ACTIVITY
New "ViperSoftX" Variant Evolved to Target Password Managers, Cryptocurrency Wallets, and Browsers
Reported in the May 2nd, 2023, FLASH Update
- Researchers have identified a new variant of the "ViperSoftX" cryptocurrency and informationstealing malware currently targeting password managers, including KeePass and 1Password. In the latest campaign, ViperSoftX targets a new range of browsers, including Brave, Opera, Edge, and Firefox, and impacts both the consumer and enterprise sectors. As of April 24, 2023, over 50% of the campaign's activity has taken place in the United States, Australia, Japan, India, Taiwan, Malaysia, Italy, and France. The malware has evolved to have a stronger encryption measure of byte remapping, which increases analysis difficulty as analysts cannot correctly decrypt the encrypted shellcode without having the correct byte map. The malware is also changing its command-and-control (C2) server monthly in order to make detection evasion easier. Researchers explained that ViperSoftX arrives as "a software crack, an activator or a patcher, or a key generator (keygen)" and is often carried through the files of legitimate, non-malicious software in order to remain hidden while posing as illegal software versions. Once the victim machine has the carrier software, the malware checks for virtual machines, monitoring tools, and antivirus products. If the machine passes these checks, the malware then decrypts the Powershell code and downloads the malware's main routine. Researchers noted that ViperSoftX is known as a cryptocurrency stealer and, in the new variant, still reviews for a wide range of cryptocurrency wallets in local directories as well as browser extensions. CTIX analysts will continue to monitor the evolution and activity of ViperSoftX and will provide new details as they become available. Indicators of compromise (IOCs) as well as additional technical details can be viewed in the report linked below.
North Korean Threat Group Kimsuky Observed Using New "ReconShark" Tool in Latest Campaign
Reported in the May 5th, 2023, FLASH Update
- Researchers have discovered Kimsuky, a North Korean state-sponsored threat group also known as APT43, utilizing a new reconnaissance tool dubbed "ReconShark" during their latest campaign. This campaign has been targeting government organizations, research centers, think tanks, and universities in the United States, Asia, and Europe. ReconShark is noted to have expanded reconnaissance capabilities, including "unique execution instructions and server communication methods," and is delivered through spear-phishing emails to specifically targeted individuals. The emails involve malicious OneDrive links that lead victims into downloading password-protected malicious documents that have filenames relevant to the targeted user's subject matter. ReconShark is suspected to be the evolution of the malware "BabyShark" that the group utilized in its campaigns in 2018. ReconShark has the ability to exfiltrate valuable machine information, such as deployed detection mechanisms, running processes, battery information, and deployed endpoint threat detection measures. This ability is critical as researchers suspect that ReconShark is "part of a Kimsuky-orchestrated reconnaissance operation that enables subsequent precision attacks, possibly involving malware specifically tailored to evade defenses and exploit platform weaknesses." CTIX analysts will continue to monitor North Korean threat groups' activity and detail emerging malware as they are observed. Additional technical details as well as indicators of compromise (IOCs) can be viewed in the report linked below.
NextGen Healthcare Discloses Data Breach Impacting Over 1 Million Patients
Reported in the May 9th, 2023, FLASH Update
- NextGen Healthcare, Inc., a software, and services company headquartered in Georgia, has disclosed a data breach impacting the personal data of over 1 million patients. NextGen develops and sells electronic health record software as well as management systems to organizations within the healthcare industry. NextGen, in their data breach notification, stated that on March 30, 2023, suspicious activity was identified in their Office system, which is a "cloud-based EHR and practice management solution," and measures were taken to contain the incident, such as resetting passwords. An investigation was launched with a third-party forensic vendor, which determined that an unknown third-party gained unauthorized access to "a limited set of electronically stored personal information" between March 29 and April 14, 2023. The exposed information includes names, dates of birth, physical addresses, and Social Security numbers (SSNs). NextGen emphasized that there is currently no evidence that health or medical data was compromised during this unauthorized access. The company also noted that no fraudulent use of the exposed personal information has been identified as of April 28, 2023. It is currently suspected that the compromise stems from the "use of stolen client credentials that appear to have been stolen from other sources or incidents unrelated to NextGen." CTIX analysts will continue to monitor the ongoing threats against the healthcare industry and report on critical cyberattacks as they are detailed.
New Phishing-as-a-Service Platform Targeting Microsoft 365 Users
Reported in the May 12th, 2023, FLASH Update
- Researchers have released a new report on a previously undocumented phishing-as-a-service (PaaS) platform called "Greatness" that was first seen in various phishing campaigns in mid-2022, with spikes in activity occurring in December 2022 and March 2023. The observed campaigns have been targeting organizations utilizing Microsoft 365 (commonly within the manufacturing, healthcare, and technology sectors) throughout the United States, Canada, the United Kingdom, South Africa, and Australia. Researchers emphasized that Greatness is only focused on Microsoft 365 phishing pages as of May 10, 2023, and is a platform specifically well-suited for phishing business users. Actors utilizing the platform receive a phishing kit (including an admin panel), the service PAI, and a Telegram bot or email address. The service has various features, including "having the victim's email address pre-filled and displaying their appropriate company logo and background image." The images utilized are captured from the organization's legitimate Microsoft 365 login page. If a victim enters their password into the fraudulent login page and their account is protected by MFA, Greatness prompts the victim for the one-time code while triggering the real Microsoft service request, which sends the code to the user's device. Once the code is entered, the platform forwards the authenticated session cookie to an actor-controlled Telegram channel or the service's web panel. This session cookie can be utilized to quickly access the victim's email account, files, and other data in Microsoft 365 services. Researchers noted that the platform can be used by threat actors of all skill levels. Additional technical details as well as indicators of compromise (IOCs) can be viewed in the report linked below.
Year-Long Campaign Targeting Organizations in South and Southeast Asia Attributed to Lancefly APT Group
Reported in the May 16th, 2023, FLASH Update
- Researchers have attributed a highly targeted year-long campaign to the new advanced persistent threat (APT) group Lancefly. The latest ongoing activity began in mid-2022 and has targeted the government, aviation, telecom, and education sectors throughout South and Southeast Asia. Lancefly is noted to "have some links to previously known groups" that were low-confidence, but the group's custom malware dubbed "Merdoor" is believed to have existed since 2018. This malware has been used previously in activity occurring in 2020 and 2021 and in Lancefly's latest campaign to gather intelligence on its victims. Merdoor is an advanced backdoor that has low prevalence and is "used very selectively." The malware is typically injected into the legitimate processes "perfhost.exe" and "svchost.exe" and has the capabilities to install itself as a service, conduct keylogging, communicate to its command-and-control (C2) server through various methods, and listen for commands. Researchers emphasized that the campaign also has access to an updated version of the "ZXShell" rootkit, which was first documented in October of 2014. ZXShell's source code is publicly available, making the malware easily accessible to multiple threat groups, and has been previously linked to Chinese actors (Apt17 and APT27 specifically). Despite not having an exact initial attack vector documented as of May 15, 2023, it is suspected that the campaign involves "phishing lures, SSH brute-forcing, or the exploitation of internet-exposed servers." Additional technical details as well as indicators of compromise (IOCs) can be viewed in the report linked below.
Lemon Group Threat Organization Capitalizing on 8.9 Million Pre-Infected Android Devices in Latest Campaign
Reported in the May 19th, 2023, FLASH Update
- Researchers have observed the Lemon Group threat organization leveraging previously infected Android devices around the globe to carry out their latest campaign. This activity involves approximately 8.9 million devices that are mainly located in the United States, Mexico, Indonesia, Thailand, Russia, India, the Philippines, South Africa, Angola, and Argentina. Researchers have noted that the infection of the Android devices "turns these devices into mobile proxies, tools for stealing and selling SMS messages, social media and online messaging accounts and monetization via advertisements and click fraud." It is also suspected that threat groups are beginning to utilize additional Android-based Internet-of-Things (IoT) devices, such as smart televisions, television boxes, entertainment systems, and children's watches. Researchers observed the "Guerilla" malware in this latest campaign, which was first documented in 2018 and has been observed previously with the ability to conduct SMS interception, engage in click fraud, and act as a backdoor. In addition to the SMS plugin, Lemon Group's infrastructure involves many other plugins associated with the main Guerilla plugin in this campaign. The plugins include a proxy plugin that allow actors to rent access to the network resources of the impacted device, a cookie plugin to harvest Facebook cookies and profile information, a WhatsApp plugin to hijack sessions, a Splash plugin to serve adware, and a silent plugin to install an APK file and launch the associated application. Researchers noted the overarching goal of the campaign is to "bypass SMS-based verification and advertise bulk virtual phone numbers – which belong to unsuspecting users of the infected Android handsets – for sale to create online accounts." Lemon Group is believed to have a linkage with the Triada malware through previous collaboration with its operators. Technical details of the Lemon Group campaign as well as indicators of compromise (IOCs) can be viewed in the report linked below.
Researchers Observed New Capability in ALPHV Ransomware Involving Malicious Windows Kernel Drivers
Reported in the May 23rd, 2023, FLASH Update
- The ALPHV (aka BlackCat) ransomware has been observed in February 2023 with a new capability that correlates with activity detailed in three (3) reports published in late 2022. The three (3) reports detailed "malicious kernel drivers being signed through signed Microsoft hardware developer accounts," which were seen in various cyberattacks involving ransomware-based incidents. Researchers noted the capability, which is a malware dubbed "POORTRY", was used in the recent activity for the defense evasion phase of the attack and was an updated version that "inherited the main functionality from the samples disclosed in previous research," as the threat actor initially attempted to deploy a kernel driver identified in December 2022. The updated POORTRY malware can conduct the following actions: activating and deactivating the driver, killing any user-mode processes, deleting specific file paths, copying files, force-deleting files, force-copying files, registering and unregistering process and thread notification callbacks, and rebooting the system. It is explained that the commands for the process and thread notification callbacks are currently in development and not working as of May 22, 2023. The malicious driver has been used previously by UNC3944 (aka oktapus and Scatter Spider) in order to bypass detection, so there is suspicion of a loose linkage between the two (2) threat groups. Researchers emphasized that ALPHV affiliates have "a high level of interest in gaining privileged-level access for the ransomware payloads they use in their attacks" and that kernel-based threats are most commonly observed in advanced persistent threat (APT) espionage malware and ransomware. CTIX analysts will continue to monitor ALPHV's activity and advancements as it evolves. Additional technical details as well as indicators of compromise (IOCs) can be viewed in the report linked below.
Buhti Ransomware Operation Observed Using LockBit Black and Babuk Ransomware to Target Windows and Linux Machine
Reported in the May 26th, 2023, FLASH Update
- Researchers observed a new ransomware operation, dubbed "Buhti", utilizing the leaked source code of LockBit and Babuk ransomware in its latest activity. Buhti, first discovered in February 2023, is targeting Windows with "LockBit Black" alongside Linux systems with variants of the "Babuk" ransomware and is using a custom data exfiltration tool for double extortion. The exfiltration tool is a Go-based information stealer that can target specifically chosen file systems and twenty-nine (29) file types. Buhti's operators, tracked as Blacktail, have also been observed exploiting the PaperCut NG and MF remote code execution (RCE) vulnerability, tracked as CVE2023-27350, in order to "install Cobalt Strike, Meterpreter, Sliver, AnyDesk, and ConnectWise" on targeted machines, leveraging them to "steal data from, and deliver the ransomware payload to, multiple computers on the targeted network." In February 2023, the actors were also identified exploiting CVE-2022-47986, which is a critical RCE flaw that impacts the IBM Aspera Faspex file exchange product. Researchers have witnessed Buhti attacks in various countries, including the United States, the United Kingdom, China, Germany, Czechia, Ethiopia, and more. Researchers also advise administrators and researchers not to underestimate Blacktail. Despite the group using leaked ransomware code in its latest activity, the group's ability to exploit recently discovered vulnerabilities along with its tactics observed in their early attacks thus far renders them a considerable threat. CTIX analysts will continue to monitor Blacktail's activities and provide updates on the Buhti ransomware operation as it evolves. Additional details and indicators of compromise (IOCs) can be viewed in the report linked below.
AceCryptor Malware-Packer Has Been Detected in Over 240,000 Attacks
Reported in the May 30th, 2023, FLASH
- AceCryptor, a prominent crypter malware that has been used to pack a handful of malware strains since 2016, has been detected 240,000 times between 2021 and 2022, accumulating over 10,000 hits per month. Unlike packers that use compression to obfuscate code, crypters use encryption to enhance stealth and increase the difficulty of reverse engineering. Researchers found that AceCryptor contained prominent malware families including SmokeLoader, RedLine Stealer RanumBot, Racoon Stealer, Stop ransomware, Amadey, and more. AceCryptor is sold to threat actors in a crypter-as-a-service (CaaS) format, and it's been observed being used to propagate a wide host of malware families by a multitude of threat actors. It can be both time-consuming and technically difficult for threat actors to maintain their own crypters that are difficult to detect, leading crimeware threat actors to seek CaaS options to pack malware. AceCryptor is heavily obfuscated with a three-layer architecture that decrypts and unpacks at each stage to eventually launch the payload and contains anti-VM, anti-debugging, and anti-analysis features to help avoid detection. AceCryptor's malware is delivered using trojanized installers of pirated software, malicious links embedded in phishing emails, or with the help of other malware that has already compromised a host.
THREAT ACTOR ACTIVITY
APT28 Targets Ukrainian Governments
Reported in the May 2nd, 2023, FLASH Update
- A group of state-sponsored Russian hackers are back in the news this week after launching their new campaign against Ukraine and its allies. The group is tracked as APT28 (Fancy Bear, Pawn Storm) and is known for their espionage campaigns against NATO countries. Campaigns attributed to the group include the French TV5Monde defacement of 2015, Democratic National Committee (DNC) compromise of 2016, and German government compromises between 2015 and 2017. Several group members were arrested in 2018 after their participation in the DNC attack, including nine (9) GRU officials. In this new campaign, APT28 actors distributed malicious phishing correspondence to the Ukrainian government. Masking themselves as system administrators, APT28 actors lured victims into interacting with their so-called "Windows Update" application. Upon executing this application at the command line, a PowerShell script is downloaded which begins to simulate a simple Windows system update. However, once this script begins a second-stage payload runs additional commands in the background to gather information about the infected system. Threat actors utilized the ".\tasklist.exe" and ".\systeminfo.exe" PowerShell commands and transmitted that data back to actor-controlled command-and-control (C2) servers. CTIX continues to track threat actor activity worldwide and will provide additional updates accordingly.
Meta Conducts Massive Campaign to Stop State-Sponsored Hackers from Conducting Counter-Espionage Operations
Reported in the May 5th, 2023, FLASH Update
- Three distinct threat actors used hundreds of fake personas on Facebook and Instagram to target individuals in South Asia during separate cyberattacks. These advanced persistent threat (APT) groups relied heavily on social engineering to deceive people into clicking malicious links or sharing personal information. The fake accounts impersonated recruiters, journalists, or military personnel and utilized traditional lures, such as romantic connections. Two (2) of the cyber espionage efforts employed low-sophistication malware to bypass app verification checks by Apple and Google. Meta, Facebook's parent company, identified and removed accounts linked to Pakistan and Indiabased APT groups that targeted military personnel and government employees in India and Pakistan. At least two (2) of these groups were identified as Patchwork APT and Bahamut APT, both of which operate in the South Asia sphere. 110 Facebook accounts were purged that had a connection to Bahamut, and fifty (50) accounts from Patchwork were also purged. Both groups used various malware apps uploaded to the Google Play Store disguised as VPN apps. Additionally, Meta has disrupted six adversarial networks from countries including the U.S., Venezuela, Iran, China, Georgia, Burkina Faso, and Togo, which engaged in "coordinated inauthentic behavior" on Facebook and other social media platforms. These geographically diverse networks set up fake news media brands, hacktivist groups, and NGOs to establish credibility. Some were linked to marketing firms and strategic communication departments in various countries. Two Chinese networks targeted users in India, Tibet, Taiwan, Japan, and the Uyghur community through fraudulent accounts on Facebook and Instagram. Meta successfully took down the threat actor accounts and pages before they could gain significant traction. To further add to the number of actors in this region, an Iranian network focused on Israel, Bahrain, and France was also discovered and had accounts purged as a result. Iranian state-sponsored activity has been linked to twenty-four (24) such campaigns in 2022, up from seven (7) in 2021.
Threat Profile: Dragon Breath
Reported in the May 9th, 2023, FLASH Update
- A newly discovered threat organization has surfaced in the landscape and is targeting gambling companies with various cyberattacks. The group is tracked under many names including Dragon Breath, Golden Eye Dog, or APT-Q-27 and has targeted several entities throughout China, the Philippines, Singapore, Hong Kong, Japan, and Taiwan. Primarily focused on exploiting gambling companies, Dragon Breath has utilized dynamic link library (DLL) sideloading attacks with a new twist. Typically, attacks identified in the landscape involve the standard sideloading attack with an application and malicious loader/payload. The twist Dragon Breath actors implemented adds a second clean application in the first stage of the attack, auto executing the malicious loader once deployed on its target. Applications that were seen forged in this campaign include WhatsApp, Telegram, and LetsVPN installers which were laced with first-stage malware. Once all loaders are installed on the system, the malicious code will clear any system event logs, copy all clipboard data, execute arbitrary commands, and in some cases harvest cryptocurrency from the victim's device. CTIX continues to monitor threat actor activity globally and will provide additional updates accordingly.
Threat Profile: Red Stinger
Reported in the May 12th, 2023, FLASH Update
- Security researchers have uncovered a new threat organization targeting users in the Eastern Ukraine region throughout the Russia/Ukraine conflict. The group is known by the monikers 'Red Stinger' and 'Bad Magic' and is believed to be operational since 2020. Since their operations began, the group launched a cyber campaign in April 2021, another campaign in February 2022 after the Russia/Ukraine conflict began, and a recent campaign affecting those throughout Eastern Ukraine. Each of these operations had varying delivery methods with different payloads and scripts, all of which deployed a variant of the "DBoxShell" ("PowerMagic") malware. Threat actors conducting these operations have had success with exfiltrating documents from government entities. In one such case, Red Stinger actors targeted an individual in Ukraine and were able to detonate malware on their systems. In the short time before its detection, the malware was able to gather system screenshots, microphone audio recordings, internal documentation, and relay the data back to threat actor endpoints. Additional victims were also observed in Vinnitsya and Zhytomyr in the same operation while Russian-aligned entities were targeted in the most recent Red Stinger campaign. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.
Threat Profile: RA Ransomware Group
Reported in the May 16th, 2023, FLASH Update
- Security researchers have uncovered a new ransomware family whose attacks include source code of the Babuk ransomware. Many groups have emerged since the leak of the Babuk code in September 2021, including the Rook, Night Sky, Pandora, AstraLocker 2.0, ESXiArgs, Rorschach, RTM Locker, and RA ransomware groups. Specific to the RA Group, these threat actors have been operating for just over a month and have set their sights on targeting insurance, manufacturing, wealth management, and pharmaceutical industries throughout the United States and South Korea. The RA group also integrates a double extortion tactic into their attacks by first ransoming the victim, then posting their exfiltrated data if payment is not met swiftly. As of May 16, 2023, there are four (4) total victims listed on their public leak site, including an organization from each of the targeted industries above. Analysis of RA Group's ransomware code shows high customization variant of the Babuk ransomware payload, including a rapid encryption process and detection evasion. Furthermore, the ransomware payload attempts to remove any breadcrumbs by deleting specific files, emptying the Recycle Bin, and removing volume shadow copies. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.
Threat Profile: OilAlpha
Reported in the May 19th, 2023, FLASH Update
- A new espionage campaign against the Arabian Peninsula has exposed OilAlpha threat actors to new media attention. Historically, the OilAlpha threat group has targeted numerous sectors including political figures/officials, media outlets, and journalists through espionage-related campaigns. In their newest campaign, OilAlpha threat actors have changed up some of their targets to include non-governmental organizations, humanitarian, and development industries. Tactics utilized by threat actors in this campaign include deployment of the remote access tools "SpyNote" and "SpyMax" across mobile devices, often exploiting Arabic-speaking individuals using Android devices. Utilizing social engineering techniques, OilAlpha actors attempted to communicate with journalists and political figures over encrypted chat platforms such as WhatsApp by luring users in with Yemeni-related security and development matters. Should social engineering be successful, the deployed SpyNote and SpyMax malware allows for the continuous collection and exfiltration of the mobile device's network configuration, camera and audio recording, SMS data, contacts list, call logs, and location data. Technical details associated with recent OilAlpha attacks are included in the report below. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.
FIN7 Deploys Cl0p Ransomware in Latest Attacks
Reported in the May 23rd, 2023, FLASH Update
- FIN7 is known throughout the threat landscape as a longstanding financially motivated organization often targeting the United States during their operations. The group utilizes a variety of malware strains to carry out their attacks, including those developed by the REvil and Maze threat groups.Recent activity has shown that FIN7 actors have adopted a strain of the Cl0p ransomware variant to deploy during their attacks. Current attacks highlight the use of a PowerShell-based malware dropper script called "POWERTRASH" as first stage deployment in FIN7 attacks. In the second stage deployment, a post-exploitation tool codenamed "Lizar" is executed on the compromised system allowing for remote access into the compromised entity. In addition, threat actors are given the capability to move laterally within the network and spread the Cl0p ransomware strain. Aside from Cl0p, security researchers note additional ransomware strains such as "Bl00dy" and "LockBit" being used in FIN7 attacks. This recent activity shows that the FIN7 organization is continuing to operate even though numerous key members were arrested several months ago. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.
Chinese Threat Group Reportedly Targets United States Critical Infrastructure
Reported in the May 26th, 2023, FLASH Update
- An emerging Chinese threat organization has reportedly been targeting United States critical infrastructure in their current operations. The group is tracked under the codename Volt Typhoon and has been actively targeting critical infrastructure companies within the government, communications, transportation, maritime, information technology, education, and communications sectors. During these attacks, Volt Typhoon actors would often compromise their victims through vulnerable public-facing FortiGuard devices, giving direct access into their network. Attackers will often attempt to gain privileged access in Active Directory by harvesting credentials stored in the Local Security Authority Subsystem Service (LSASS) process memory space. In addition to privilege escalation, threat actors also deployed a command line utility to install new domain controllers, allowing for multiple authentication attempts on network-connected devices. As the final step, Volt Typhoon actors establish a command-and-control (C2) connection back to their infrastructure to allow for the execution of remote commands and remote access to the victims' network(s). Additional tactics utilized by the group include capitalizing on local resources of compromised infrastructure, or 'living-off-the-land' activities through the system on-screen keyboard and LOLBin binaries to transfer additional payloads from the C2 server to victim networks. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.
Threat Actor Tied to Tortoiseshell Compromises Israeli Websites, Steals User Information
Reported in the May 30th, 2023, FLASH Update
- A nation-state actor believed to be associated with the Tortoiseshell threat organization has conducted several cyber-attacks against Israeli websites. Tortoiseshell, also tracked as Crimson Sandstorm, is an Iran-based APT group conducting malicious activities throughout the Middle East, as well as targeting key United States officials within the government, military, and political atmosphere. One of the group's most regarded tactics includes the use of detailed personas to lure individuals into social engineering compromises. In this most recent operation, a Tortoiseshell actor targeted eight (8) Israeli-related websites with a watering hole attack, which is a form of attack where websites frequently visited by a group of users are infected with malicious code. These websites reached across several industries including shipping and receiving, financial services, restaurant suppliers, medical, and supply importing. The threat actor was able to inject a block of malicious Javascript code allowing for the passive collection of digital footprint data of visiting users, including the user's operating system, IP address, screen resolution, and redirection URL. Attribution to the Tortoiseshell group originates with the main typosquatted domain utilized in the attack and the usage of jQuery framework, Metaspolit, and Browser Exploitation Framework Project. CTIX continues to track threat actor activity worldwide and will provide additional updates accordingly.
VULNERABILITIES
CISA Adds Three Vulnerabilities to its KEV Catalog Impacting TP-Link, Apache, and Oracle Products
Reported in the May 2nd, 2023, FLASH Update
- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three (3) critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerabilities affect TPLink, Apache, and Oracle products, and are all under active-exploitation by threat actors according to CISA. The first flaw, tracked as CVE-2023-1389, is a command injection vulnerability in the TPLink Archer AX-21 router that could be exploited to conduct remote code execution (RCE). Researchers have observed threat actors associated with the Mirai botnet exploiting CVE-2023- 1389 since early April 2023. The second vulnerability, tracked as CVE-2021-45046, is a deserialization of untrusted data flaw in the Apache Log4j2 logging library which is also being exploited to conduct RCE. Although specific threat actors have not been attributed to exploiting this weakness, researchers have observed exploitation attempts from at least seventy-four (74) unique IP addresses that have also been observed exploiting the notorious Log4Shell vulnerability (CVE2021-44228). The third flaw, tracked as CVE-2023-21839, is an unspecified server vulnerability in Oracle WebLogic Servers that allows unauthenticated threat actors who have already gained access to the target network to access sensitive data for exfiltration. The presence of these vulnerabilities on CISA's KEV mandates that all Federal Civilian Executive Branch (FCEB) agencies patch these vulnerabilities or apply vendor-approved mitigation techniques by no later than May 22, 2023, or face being held accountable by regulators. CTIX analysts urge any users or organizations leveraging the aforementioned devices/software to update and harden their systems as soon as possible.
Researchers Publish PoC for Bypassing Detection Measures for the Exploitation of the PaperCut Vulnerability
Reported in the May 5th, 2023, FLASH Update
- UPDATE: Researchers have published a new proof-of-concept (PoC) that completely bypasses detection measures for exploiting a known vulnerability affecting servers running the PaperCut print management solution. The flaw, tracked as CVE-2023-27350 (CVSS score: 9.8/10), is an improper access control vulnerability that allows remote attackers to bypass authentication and conduct remote code execution (RCE) to execute Windows PowerShell commands or drop malicious Java archive (JAR) files on servers running vulnerable instances of PaperCut NG and MF. This flaw is being actively exploited by multiple threat groups like Cl0p and LockBit to drop ransomware and other malware payloads. In the published PoC, the researchers explain that in previous attacks, whether the threat actors ran PowerShell or dropped JAR files, the activity left distinct digital footprints and logs on the victim machines. These indicators allow the system's security infrastructure to detect malicious behavior like authentication bypassing. In this PoC, the researchers abuse the "User/Group Sync" feature, which synchronizes the user and group information from sources like Active Directory (AD), making it possible to synchronize user and group information from AD, Lightweight Directory Access Protocol (LDAP), or a custom source. The researchers were able to bypass detection by exploiting the custom directory source feature, which allows the user to specify the authentication program they want to use, which could be any executable. In the PoC, the researchers were able to launch a Python reverse shell on Linux servers and download a custom reverse shell on Windows servers without activating any detection measures. A VulnCheck security researcher named Jacob Baines stated that an attacker with administrator permissions could exploit this flaw in multiple ways. Because of this, system mitigation measures should be robust. To prevent exploitation administrators should not exclusively focus on a single code execution method or set of methods to detect exploitation attempts. This is a dynamic matter that has been quickly changing, and CTIX analysts will continue to monitor the situation, providing relevant updates to our readers in the future.
Critical PaperCut Vulnerability Now Under Active Attack by Iranian State Sponsored Hackers
Reported in the May 9th, 2023, FLASH Update
- UPDATE: Threat intelligence researchers from Microsoft have identified two (2) Iranian statesponsored hacking groups tracked as Mint Sandstorm (aka Phosphorus) and Mango Sandstorm (aka Mercury) exploiting the popular print management server vulnerability known as PaperCut. Since its initial disclosure and patching on March 8, 2023, PaperCut has been under active exploitation by multiple financially motivated threat actors to deliver Cl0p and LockBit ransomware. The fact that nation state-affiliated threat actors have pivoted their efforts to targeting this flaw is indicative of how severe the vulnerability is and how easy it is to exploit. The flaw, tracked as CVE2023-27350 (CVSS score of 9.8/10), is an improper access control vulnerability allowing remote attackers to bypass authentication and conduct remote code execution (RCE) with SYSTEM privileges to run malicious Windows PowerShell commands or drop infected Java archive (JAR) files on servers running vulnerable instances of PaperCut NG and MF. On May 5, 2023, CTIX analysts reported on a proof-of-concept (PoC) exploit published by researchers that bypassed the new detection measures of the March 8 PaperCut security patch. As soon as the PoC went public, Microsoft researchers began seeing the Iranian threat actors adding this vulnerability to their list of initial access tools. Mint Sandstorm and Mango Sandstorm both have ties to the Iranian government, with Mango Sandstorm attributed to Iran's Ministry of Intelligence and Security (MOIS) and Mint Sandstorm attributed to the Islamic Revolutionary Guard Corps (IRGC). This new development comes days after the publishing of a Microsoft report showing that in-general, Iranian threat actors are increasingly aggressive and shifting to new tactics, techniques, and procedures (TTPs) that combine offensive cyber-attacks with multi-faceted cyber espionage and influence operations. This activity indicates that these threat actors have worked to adapt and get ahead of their adversaries by rapidly incorporating brand new vulnerabilities and PoCs into their attack strategies, as opposed to relying on their tried-and-true methods and TTPs. The situation is very dynamic, and this is the fourth CTIX FLASH Update where analysts have published profound updates to the PaperCut campaign. CTIX analysts will continue to monitor this matter and provide further information to our readers if new developments arise.
"AndoryuBot" Malware Botnet Exploits Critical Vulnerability to Conduct DDoS Attacks
Reported in the May 12th, 2023, FLASH Update
- A critical remote code execution (RCE) vulnerability is under active exploitation via a new malware botnet used to takeover Wi-Fi access points to conduct distributed denial-of-service (DDoS) attacks. The botnet is named "AndoryuBot", and the flaw it is exploiting exists in the Ruckus Wireless Admin panel within Ruckus wireless devices. The vulnerability, tracked as CVE-2023- 25717, has a CVSS score of 9.8/10 and allows the threat actor to conduct RCE by sending maliciously crafted HTTP GET requests to vulnerable Ruckus Wireless devices. After the malware successfully infects a vulnerable wireless device, it downloads an additional script that establishes communication with actor-controlled command and control (C2) servers. This is covertly executed by utilizing the Socket Secure (SOCKS) proxy protocol, a network protocol that facilitates server communication through a firewall by routing any type of network traffic to the target server on behalf of the client. This allows the threat actor to bypass any firewalls and then wait for instructions from the C2. AndoryuBot malware supports twelve (12) DDoS attack modes and once communication is established, AndoryuBot is able to receive commands from the C2 server that dictate the target IP address, the DDoS type, and the service or port number to attack. AndoryuBot is a commercial product, and the operators/developers of the botnet advertise that they rent the service out to other threat actors, utilizing cryptocurrency as secure and anonymous payment. AndoryuBot poses a threat to individuals, organizations, and governments, as it could be leveraged by financially motivated and state-sponsored threat actors alike. To prevent exploitation, CTIX analysts urge all Ruckus Wireless customers to ensure their product has the most up-to-date software.
Threat Actors Target WordPress Plugin for XSS Campaign 24 Hours After a PoC Exploit Was Published
Reported in the May 16th, 2023, FLASH Update
- A recently patched critical vulnerability affecting the WordPress plugin "Advanced Custom Fields" is under active exploitation by malicious threat actors, who began targeting the flaw just twentyfour (24) hours after researchers published a working proof-of-concept (PoC) exploit. Advanced Custom Fields is a WordPress plugin which allows users to add extra content fields (commonly referred to as Custom Fields) to WordPress edit screens, allowing them to develop websites faster and disseminate information to visitors more quickly. The vulnerability, tracked as CVE-2023- 30777, is a reflected cross-site scripting (XSS) flaw in which attackers inject malicious code into a victim website for distribution to the visitors of that site. If exploited, the XSS flaw could allow unauthenticated attackers who've gained access to the Advanced Custom Fields plugin to escalate their privileges and exfiltrate sensitive information from vulnerable WordPress sites. Although this vulnerability is severe, the exploitation requires prior access to the victim's plugin. These factors resulted in the vulnerability being assessed a CVSS score of 7.1/10. This vulnerability was patched on May 5, 2023, and CTIX analysts recommend that all users leveraging Advanced Custom Fields and Advanced Custom Fields Pro upgrade to version 6.1.6 or later immediately to prevent exploitation.
Another Popular Password Manager "KeePass" is Vulnerable to Exploitation and Account Takeover
Reported in the May 19th, 2023, FLASH Update
- A cybersecurity researcher who goes by "vdohney" has published a proof-of-concept (PoC) exploit for a critical vulnerability in the popular open-source password manager KeePass. If successfully exploited, this flaw could allow threat actors to retrieve a user's secret KeePass account master password in plaintext, allowing them to change it and take complete control of the user's account and password database. Password managers or "wallets" are an efficient way for users to generate and store strong passwords that they don't have to memorize and can access whenever they want from their mobile devices and personal computers. With a password wallet such as KeePass, instead of a user memorizing all of their passwords, they only need to memorize their master password for the KeePass account. The vulnerability, tracked as CVE-2023-32784, stems from the way that KeePass's software processes user input via a custom-developed password entry box known as "SecureTextBoxEx". In this custom text box, when a user enters a password, there are leftover strings leaked through memory that allow a threat actor to reverse engineer the password minus the first or second character(s). This attack could be executed by a threat actor who has gained read access to a user's KeePass filesystem or RAM, through physically or remotely accessing the user's device via the exploitation of a device vulnerability or social engineering. Adding to this vulnerability's severity is the fact that the master password can be retrieved by attackers even if the victim has already closed out or locked the KeePass application. This is not the first time that researchers have uncovered gaps in password manager application security, and in recent months there have been security issues uncovered at LastPass, Bitwarden, Dashlane, 1Password, and Safari's Password Manager. Although this vulnerability poses a significant threat, it is unlikely to be exploited en masse due to the attack being highly targeted, where the threat actor would first have to find and compromise an individual through social engineering. The security patch has been developed and is likely to be deployed in early June 2023. For the time being, CTIX analysts recommend that any KeePass users update their password to having at least fifteen (15) random characters, as well as monitoring their account for any signs of exploitation until the official patch is released. Technical details about the PoC can be found in vdhoney's GitHub repository linked below.
Apple Device Vulnerabilities Likely Being Exploited by State-Affiliated Threat Actors to Deliver Spyware
Reported in the May 23rd, 2023, FLASH Update
- Apple has released emergency security updates for iOS and iPadOS, macOS, tvOS and watchOS devices that patch three (3) critical multi-platform Webkit browser engine zero-day vulnerabilities. According to researchers, there are indications that the flaws are likely being exploited in highly targeted attacks by state-sponsored threat actors to deliver spyware to the mobile devices of highprofile individuals, such as politicians, journalists, and dissidents. The first vulnerability, tracked as CVE-2023-28204, is an out-of-bounds read bug that may cause the browser to disclose sensitive information after the processing of certain web content. CVE-2023-32373 is a use-after-free vulnerability that could be exploited to allow arbitrary code execution through the processing of malicious web content. The third flaw, tracked as CVE-2023-32409, is a browser sandbox escape vulnerability that allows an attacker to break free of the constraints of the sandbox. The exploitation of this flaw could allow a remote attacker to directly access the host device and outside processes. Although Apple has stated that it's aware that these zero-days may be under active exploitation, it didn't disclose any technical information regarding these attacks or information about the threat actors who may be exploiting them. These flaws have been fixed, and CTIX analysts recommend all Apple product users ensure that their devices are running the most up-to-date software to prevent exploitation.
Critical AT&T Zero-day Vulnerability Allowed for Account Takeover by Only Knowing the Victim's Phone Number and Zip Code
Reported in the May 26th, 2023, FLASH Update
- AT&T has patched a critical zero-day vulnerability that could have been exploited by attackers to take over any user's ATT.com account using only the victim's zip code and phone number. The flaw was discovered by a security researcher named Joseph Harris after he was able to abuse and exploit an account merging feature, allowing him to merge his own account with any other user account he wanted. According to Harris' proof-of-concept (PoC) exploit, the attack is made possible by creating a free ATT.com profile, then using a button called "combine accounts" and selecting "already registered accounts." The attacker is then prompted to enter the account phone number and zip code, disclosing the victim's account and sending a prompt to the victim to enter their password. Harris utilized the ATT.com backend to intercept the password request to the victim, rerouting it to accounts he already owned. Once an attacker receives the victim's password, they can carry out a host of malicious activity including account takeover, SIM swapping, and adding other devices or phone numbers to a victim's account. Several well-known researchers have publicly stated that this is a very dangerous vulnerability given how easy it is to exploit. Roger Grimes from KnowBe4 also stated that the ease of which anyone could merge accounts is troubling, and indicative of the fact that there are likely multiple related and unrelated ATT.com zero-day vulnerabilities that are still susceptible to exploitation. Telecommunications companies are very lucrative targets for both financially-motivated and state sponsored threat actors, and the Federal Communications Commission (FCC) has confirmed that there have been multiple breaches impacting some of the largest providers like Verizon, T-Mobile, and AT&T.
CISA Adds Critical Barracuda Networks ESG Vulnerability to their Known Exploited Vulnerabilities Catalog
Reported in the May 30th,
2023, FLASH Update
- The Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched critical vulnerability affecting Barracuda Networks devices to their Known Exploited Vulnerabilities (KEV) catalog, mandating that all Federal Civilian Executive Branch (FCEB) agencies apply the update by no later than June 16, 2023. The flaw, tracked as CVE-2023-2868, is an improper input validation bug in Barracuda Networks' Email Security Gateway (ESG) appliances, stemming from a failure to properly sanitize .tar file archives. A threat actor could exploit this vulnerability by providing a maliciously crafted .tar file to conduct remote code execution (RCE) with the privileges of the ESG product. Barracuda Networks is a very popular company and serves more than 200,000 customers across the world. The CISA advisory states that these types of vulnerabilities "are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise." Barracuda Networks has stated that any users who they believe were impacted by the exploitation of this vulnerability have been notified and given actions to take to mitigate the damage. Barracuda Networks sent out automatic patches on May 20 and 21, and CTIX analysts recommend that any administrators responsible for these devices ensure that they've been patched.
HONORABLE MENTIONS
Leading Cold Storage Company Shuts Down Network After Reporting Breach
Reported in the May 2nd, 2023, FLASH Update
- Americold, a leading cold storage and logistics company based in Atlanta, filed an incident report with the Securities and Exchange Commission (SEC) regarding a cybersecurity incident that occurred on April 25, 2023, relating to their computer network being breached. Americold controls 250 warehouses across the world, a large majority of which are used by food producers, distributors, and retailers. The company is the largest publicly traded real estate investment trust focused on the ownership, operation, acquisitions, and development of temperature-controlled warehouses. In response to the attack, Americold was able to contain the intrusion and shut down their network to secure their system as well as avoid further disruption to non-contained areas. One (1) customer alleged that the company's "phones [were] down and they had the truck entrance barricaded off with the main entrance gates shut." The company sent out a memo requesting that all inbound deliveries be rescheduled until further notice and that only the most critical outbound deliveries be continued, such as those having the potential to reach an expiration date. While the company hasn't released a statement about the incident nor confirmed this to be a ransomware attack, Americold noted that they are assessing what data can be recovered while they focus on rebuilding impacted systems. It should be noted that there has been an observed increase in cyberattacks on food and beverage supply chain companies within the past few years, with fiftytwo (52) reported ransomware attacks in 2022. This incident is the second cyberattack Americold has faced, as their last event occurred in late 2020. Dragos CEO Rob Lee stated that the "hyperconnectivity and scalability of automation is what's allowing ransomware authors to do what they're doing," and that threat actors are targeting companies that cannot function when their digital systems go offline, taking advantage of companies' digital transformation projects.
International Law Enforcement Operation, SpecTor, Leads to the Arrest of 288 Dark Web Vendors
Reported in the May 5th, 2023, FLASH Update
- Efforts by US and European governments to dismantle dark web vendors and their infrastructures continue. This time, the Federal Bureau of Investigation and Europol, along with police in the UK, France, Poland, Germany, Austria, Brazil, and Switzerland conducted an international law enforcement operation codenamed "SpecTor" leading to the arrest of 288 dark web vendors. Additionally, police seized $53.4M in cash and cryptocurrency as well as 1,874 pounds of narcotics and 117 firearms. Arrests stem from evidence gathered after the secret takedown of the Monopoly marketplace by German authorities in December of 2021, along with information obtained in additional recent dark web takedowns and the help of cryptocurrency tracing tools. Since then, Europol has been compiling intelligence packages from the evidence provided by German authorities to pinpoint major vendors and customers who were highly active on the Monopoly market and other illicit marketplaces. Using this data, they were able to put together a list of highvalue targets who engaged in tens of thousands of sales of illicit goods across Europe, the United States, and Brazil who were arrested in the coordinated police effort in their respective countries. The most arrests were made in the US, totaling 153, followed by the UK with fifty-five (55), Germany with fifty-two (52), the Netherlands with ten (10), Austria with nine (9), France with five (5), Switzerland with two (2), Poland with one (1), and Brazil with one (1). CTIX analyst will continue to monitor further crack downs on criminal cryptocurrency transactions and the online criminal marketplaces that enable them.
Scammers Identified Leveraging Fraudulent QR Codes to Invade Victims' Bank Accounts
Reported in the May 9th, 2023, FLASH Update
- Scammers are getting more creative as instances of fraudulent QR codes have increasingly been seen being used to access victims' bank accounts. QR codes have been an effective mode of accessing everything from restaurant menus to advertisements to payment links and surveys for sweepstakes. Users are easily able to scan a QR code with their phone's camera that redirects them to a URL for their intended purpose. More recently, however, the popularity of QR codes has been the target of scammers to redirect unsuspecting users to typosquatted domains or malicious applications where users enter sensitive information that could grant attackers access to their financial information. Officials in San Francisco, Texas, and the United Kingdom have warned about fraudulent parking tickets with QR codes that allow victims to pay online. The malicious QR codes take victims to a parking citations portal hosted on a copycat website to pay the alleged fines. There have also been instances in these areas where threat actors have stuck fake parking meter QR code stickers to parking meters which also brings users looking for quick-pay options to illicit domains where users are prompted to enter their credit card information. More recently, a sixty (60) year-old woman in Singapore reportedly scanned a QR code outside a bubble tea shop to fill out a survey for a "free cup of milk tea." She was then redirected to download a third-party app which granted the malicious actor access to her phone. This allowed the scammer to passively monitor the user's banking app, obtain her login credentials, and exfiltrate $20,000 from her bank account. CTIX analysts will continue to monitor for and report on emerging initial access vectors.
Google's New Privacy, Safety, and Security Update will Include Dark Web Monitoring Services
Reported in the May 12th, 2023, FLASH Update
- At their annual developer conference, Google unveiled new features related to privacy, safety, and security. This new initiative is aimed at protecting users from cybersecurity threats such as phishing attacks and harms related to malicious websites while additionally looking to grant users with greater control and transparency over their personal data. Included in these new features is a dark web report tool that United States based users will soon have access to. Gmail users will be able to monitor whether their profile data is present on the dark web, such as if they were linked to data breaches or mentioned on dark web forums, to further protect their accounts and data. If a presence of their Gmail address is reported, Google will take further action by offering guidance on how to best protect their account, such as enabling multi-factor authentication. The Google dark web reporting tool makes services available that haven't been feasible for everyday working-class users to implement due to pricing. The tool would grant these users a starting point to identify if their personal data is available on the dark web, which would help them identify what organization or tool to go to for help moving forward. That being said, knowing is only half the battle; once a user identifies their data on the dark web, they must take highly technical measures to safely access the marketplaces where this data is sold and analyze the datasets themselves. Ankura CTIX offers comprehensive dark web monitoring services, with a presence on the most popular dark web marketplaces and forums on the internet.
PharMerica Data Breach Leads to Leaked Medical Data of 5.8 Million Patients
Reported in the May 16th, 2023, FLASH Update
- The second largest institutional pharmacy services company in the United States, PharMerica, has suffered a data breach and sent out notifications on May 12, 2023. The company reported that they had discovered suspicious activity in their network on March 14, 2023, after the unknown thirdparty had already been in the breached computer system for two (2) days. After the discovery, PharMerica immediately hired a security company to conduct an investigation who, after one (1) week, concluded that the breached data contained the personal information of 5.8 million individuals. The data included victims' names, addresses, dates of birth, Social Security numbers (SSNs), as well as medications and health insurance information. There is an underlying potential here for deceased victims' information being used to open credit cards or take out loans; however, Maine regulators have extended Experian identity protection services to victims for one (1) year to help prevent such possibilities. While PharMerica has yet to release additional information about attack specifics or attribution speculations, the Money Message ransomware group posted the company on their leak site on March 28, 2023, claiming to have stolen 4.7 terabytes of data that was then officially published on their leak site on April 7, 2023. The data has since been seen on additional hacker forums and has been posted on the clear net, broken down into thirteen (13) sections for greater ease of downloading. This is the latest attack in recent months on healthcare giants, a hot target for the beginning of 2023.
LayerZero Launches Record Breaking Crypto Bug Bounty Program with Up to $15 Million
Reported in the May 19th, 2023, FLASH Update
- LayerZero Labs has teamed up with bug bounty and security services platform Immunefi to launch a record high $15 million bug bounty program for critical smart contract and blockchain vulnerabilities related to the company's protocol. LayerZero Labs is the creator of the LabZero blockchain messaging protocol that facilitates secure communication across thirty (30) different blockchains, having enabled the exchange of 10,000,000 messages. Unlike other messaging platforms like WhatsApp and Telegram, LayerZero eliminates the need for intermediaries, allowing users to send messages between blockchains such as cross-chain interactions. The crypto ecosystem has lost around $9.33 billion to exploits, hacks, and scams. CEO and co-founder, Bryan Pellegrino, said "the security protocol comes before anything else" and that they "have enough money to pay out plenty of bounties." LayerZero is currently valued at $3 billion, having seen transaction volumes of over $15 billion since launching fourteen (14) months ago. The company has set out different payout tiers based on the severity level of the findings and impacted blockchains. For the higher-paying group of discoveries, the maximum payout is $15,000,000 for critical vulnerabilities, $250,000 for high-severity flaws, $25,000 for medium-severity vulnerabilities, and $10,000 for low-severity issues.
Researchers Infiltrate Qilin Ransomware Group, Gaining Insight into How the Gang Function
Reported in the May 23rd, 2023, FLASH Update
- Cybersecurity researchers have managed to infiltrate the Qilin ransomware group, shining light into the prosperous underworld of cybercrime. Qilin, also known as "Agenda," is a ransomware-as-asservice (RaaS) group that was founded back in July of 2022 and has attacked twelve (12) organizations across the globe, with the primary victims being healthcare organizations, tech companies, education, and critical infrastructure. Additionally, the group explicitly abstains from attacking Russia and several of its neighbors. Within the inner workings of the Qilin RaaS group, actors of the organization recruit affiliates to identify targets of interest and stage attacks. Researchers found that "many Qilin ransomware attacks are customized for each victim to maximize their impact." An administrative panel exists within the group to help oversee and coordinate operations. This panel helps divide sections of the operations into Targets, Blogs, Stuffers, News, Payments, and FAQs. Attacks carried out by Qilin typically begin with phishing emails containing malicious links to obtain access to victims' servers. Once access is gained, sensitive data is exfiltrated and encrypted. Researchers uncovered that affiliates take home 80% of ransom payments and will receive 85% if the ransom payment is over $3 million. These numbers are significantly higher than alternative RaaS models, such as that of the REvil ransomware group where affiliates take home 60% to 70% of the ransom payment. While the researchers didn't release how or when they gained access into Qilin's RaaS program, their findings show an interesting look into how the gang functions and rewards affiliates for attacks. CTIX analysts will continue monitoring the evolving ransomware landscape.
OpenAI Leaders Push for AI Regulations to Avoid Dangers and Reap Benefits
Reported in the May 26th, 2023, FLASH Update
- Concerns about the development of Artificial Intelligence and the negative consequences it poses to society have been increasingly warned about over the past decade. There are predictions of catastrophic consequences but also some more pernicious harms such as society becoming dependent on machines and losing its ability to self-govern, or a world where only a few who hold the power of AI are able to rule the many, creating an eternal caste system. In recognizing such concerns, leaders of ChatGPT developer OpenAI, including their cofounders and chief executive, have come out stating an urgent need for the regulation of "superintelligent" AIs, an equivalent to the International Atomic Energy Agency for AI that will help protect humanity from developing something with the power to destroy itself. Within the next ten (10) years, experts foresee AI exceeding "expert skill level in most domains" with the capability to "carry out as much productive activity as one of today's largest corporations" and that "superintelligence will be more powerful than other technologies humanity has had to contend with in the past." Instead of the recently published letter by AI experts pushing to pause AI development, the leaders at OpenAI are encouraging an international regulator to figure out how to "inspect systems, require audits, test for compliance with safety standards, [and] place restrictions on degrees of deployment and levels of security." These leaders are hoping that we can use such capabilities to foster a prosperous future, believing that humanity cannot afford the dangers of halting developments and missing out on the tremendous upsides AI has to offer, such as what's already being seen in the areas of education, creativity, and personal growth. However, they are also critical to point out that "given the possibility of existential risk, we can't just be reactive" and are thus encouraging companies working on the cutting-edge of AI research to coordinate their efforts to leverage this great technology and incorporate them smoothly into society while prioritizing safety.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.