Ransomware/Malware Activity

Future AI Boosts to Ransomware Capabilities Present Major Challenges to Cybersecurity Operations

Warnings have emerged from the United Kingdom's National Cyber Security Centre (NCSC) that artificial intelligence will significantly increase the ransomware threat in the near future. The NCSC stated that AI will allow lower-skilled threat actors to increase their effectiveness and conduct more bespoke campaigns of the kind that currently only more experienced and knowledgeable threat actors can execute. While most commercially available Large Language Model (LLM) products have content filters and safeguards in place to prevent their use in hacking activities, certain products such as WormGPT allow for the creation of malware. The NCSC stated that threat actors are already using this technology in their campaigns and that this will continue up to and beyond 2025. The NCSC explains that some state-sponsored actors may hold a large enough store of previously used malware to train LLMs to write effective malware. Beyond the creation of malware, the other threat consists of threat actors using LLMs for phishing and other social engineering attacks in which many people would struggle to distinguish a real human from an AI. CTIX analysts will continue to monitor the use of AI and LLMs in threat actor activity.

Threat Actor Activity

Russian-linked Hackers Stay Undetected for Six Months in HPE's Microsoft Office 365 Environment

Hewlett Packard Enterprise (HPE) has disclosed that the suspected Russian hackers known as Midnight Blizzard infiltrated the company's Microsoft Office 365 email environment to steal data and exfiltrated a small percentage of mailboxes belonging to individuals from its cybersecurity team and other departments. In the new SEC filing, the company stated that it was made aware on December 12th, 2023, that threat actors had gained access to its cloud-based email environment and had been exfiltrating data since May 2023. HPE attributed the attack to the nation-state actor based upon its investigation. The threat actor, Midnight Blizzard (also known as APT29, CozyBear, and BlueBravo), is the same threat actor Microsoft identified as being behind the breach of its own corporate systems in late November 2023, which targeted the email accounts of senior executives and other individuals from its cybersecurity and legal departments. Microsoft's disclosure of that security incident came just days before HPE's, but it is not yet known whether the two (2) incidents are related. While the investigation of HPE's current breach is still ongoing, the company did state that it believes it is related to a previous breach that occurred in May 2023, also attributed to Midnight Blizzard, in which the threat actor obtained unauthorized access to HPE's SharePoint files and exfiltrated a limited number of them. While the threat actors persisted in the network undetected for up to six (6) months, no details have been released on the scale of the attack or the exact nature of the emails accessed. HPE determined that there has not yet been any operational impact and that the incident is unlikely to have a material financial impact on the company.

Vulnerabilities

Thousands of GitLab Instances Vulnerable to Zero-Click Exploitation

More than 5,300 internet-exposed GitLab server instances remain vulnerable to a critical zero-click vulnerability. This flaw, tracked as CVE-2023-7028 (CVSS score of 10.0/10.0), is an account takeover vulnerability that allows attackers to redirect password reset emails to an attacker-controlled email address, enabling them to change the password and take over victim accounts that are not protected by two-factor authentication (2FA). The vulnerability affects various GitLab Community and Enterprise Edition versions, with patches released in updates on January 11, 2024. Despite these updates, researchers report that 5,379 vulnerable instances remain online, the majority of them located in the United States, Germany, Russia, and China. These servers are at high risk of supply-chain attacks, code disclosure, and API key leaks. GitLab has provided detection tips and advises those who have not yet patched to first investigate for signs of compromise, rotate all credentials, enable 2FA, and inspect their development environments for any tampering. As of now, there is no confirmed in-the-wild exploitation of the vulnerability, but given the number of vulnerable instances, the risk remains significant. CTIX analysts recommend that all administrators responsible for these instances ensure that they have upgraded to the most recent software versions and analyze their own environments to confirm that a compromise has not already occurred.

