Microsoft and OpenAI warn that nation-state actors are using ChatGPT to automate some phases of their attack chains, including target reconnaissance and social engineering attacks


Multiple nation-state actors are exploiting artificial intelligence (AI) and large language models (LLMs), including OpenAI ChatGPT, to automate their attacks and increase their sophistication.

According to a study conducted by Microsoft in collaboration with OpenAI, the two companies identified and disrupted operations conducted by five nation-state actors that abused their AI services to carry out their attacks.

The researchers observed the following APT groups using artificial intelligence (AI) and large language models (LLMs) in various phases of their attack chain:

“Language support is a natural feature of LLMs and is attractive for threat actors with continuous focus on social engineering and other techniques relying on false, deceptive communications tailored to their targets’ jobs, professional networks, and other relationships.” reads the report published by Microsoft. “Importantly, our research with OpenAI has not identified significant attacks employing the LLMs we monitor closely.”

Read more…

5 Steps to Improve Your Security Posture in Microsoft Teams


The cybersecurity risks of SaaS chat apps, such as Microsoft Teams or Slack, often go underestimated. Employees feel secure when communicating on apps that are connected to their corporate network. It’s exactly this misplaced trust within intra-organizational messaging that opens the door to sophisticated attacks by criminal threat actors using a wide range of malicious activities.

By contacting employees who are off-guard in SaaS chat apps, threat actors can conduct phishing campaigns, launch malware attacks, and employ sophisticated social engineering tactics.

These sophisticated tactics make it challenging for security teams to detect threats. Employees also lack education when it comes to cybersecurity awareness around messaging apps, as cyber training mainly focuses on phishing via email.

Microsoft Teams chats is a platform that is susceptible to a growing number of incidents as its massive user base is an attractive target for cybercriminals. 

Read more…

Hackers used new Windows Defender zero-day to drop DarkMe malware


Microsoft has patched today a Windows Defender SmartScreen zero-day exploited in the wild by a financially motivated threat group to deploy the DarkMe remote access trojan (RAT).

The hacking group (tracked as Water Hydra and DarkCasino) was spotted using the zero-day (CVE-2024-21412) in attacks on New Year’s Eve day by Trend Micro security researchers.

“An unauthenticated attacker could send the targeted user a specially crafted file that is designed to bypass displayed security checks,” Microsoft said in a security advisory issued today.

“However, the attacker would have no way to force a user to view the attacker-controlled content. Instead, the attacker would have to convince them to take action by clicking on the file link.”

Trend Micro security researcher Peter Girnus, credited for reporting this zero-day, revealed that the CVE-2024-21412 flaw bypasses another Defender SmartScreen vulnerability (CVE-2023-36025).

CVE-2023-36025 was patched during the November 2023 Patch Tuesday, and, as Trend Micro revealed last month, it was also exploited to bypass Windows security prompts when opening URL files to deploy the Phemedrone info-stealer malware.

Read more…

Microsoft Rolls Out Patches for 73 Flaws, Including 2 Windows Zero-Days


Microsoft has released patches to address 73 security flaws spanning its software lineup as part of its Patch Tuesday updates for February 2024, including two zero-days that have come under active exploitation.

Of the 73 vulnerabilities, 5 are rated Critical, 65 are rated Important, and three and rated Moderate in severity. This is in addition to 24 flaws that have been fixed in the Chromium-based Edge browser since the release of the January 24 Patch Tuesday updates.

The two flaws that are listed as under active attack at the time of release are below –

  • CVE-2024-21351 (CVSS score: 7.6) – Windows SmartScreen Security Feature Bypass Vulnerability
  • CVE-2024-21412 (CVSS score: 8.1) – Internet Shortcut Files Security Feature Bypass Vulnerability

“The vulnerability allows a malicious actor to inject code into SmartScreen and potentially gain code execution, which could potentially lead to some data exposure, lack of system availability, or both,” Microsoft said about CVE-2024-21351.

Read more…

ExpressVPN bug has been leaking some DNS requests for years


ExpressVPN has removed the split tunneling feature from the latest version of its software after finding that a bug exposed the domains users were visiting to configured DNS servers.

The bug was introduced in ExpressVPN Windows versions 12.23.1 – 12.72.0, published between May 19, 2022, and Feb. 7, 2024, and only affected those using the split tunneling feature.

The split tunneling feature allows users to selectively route some internet traffic in and out of the VPN tunnel, providing flexibility to those needing both local access and secure remote access simultaneously.

A bug in this feature caused DNS requests of users not to be directed to ExpressVPN’s infrastructure, as they should, but to the user’s internet service provider (ISP).

Read more…

A deep dive into .NET malware obfuscators:Part 1


As a preface 

In the modern world, it is rare to encounter purely clean malware during analysis. Malware code is commonly modified to hinder researchers from analyzing and decompiling it. 

Software that alters code to hinder analysis is known as obfuscators. Some are designed to mutate machine code, targeting malware primarily developed using C/Asm/Rust, while others modify IL (Intermediate Language) code generated by .NET compilers. 

This series of articles will delve into modern techniques employed by obfuscators like .NET Reactor and SmartAssembly, which are widely favored by malware creators. We will acquaint ourselves with deobfuscation methods and attempt to either develop our own deobfuscators or adapt existing ones. We will also explore tools designed to counter them if any. 

Read more…

New RustDoor macOS malware impersonates Visual Studio update


A new Rust-based macOS malware spreading as a Visual Studio update to provide backdoor access to compromised systems uses infrastructure linked to the infamous ALPHV/BlackCat ransomware gang.

The campaign delivering the backdoor started since at least November 2023 and is still underway distributing newer variants of the malware.

Written in Rust, the malware can run on Intel-based (x86_64) and ARM (Apple Silicon) architectures, say researchers at cybersecurity company Bitdefender, who are tracking it as RustDoor.

Read more…