Weekend Update

A quick Saturday digest of cybersecurity news articles from other sources.

CISA, NSA, and MS-ISAC Release Advisory on the Malicious Use of RMM Software

[Bob comments: For those of my readers not familiar with RMM software, RMM stands for Remote Monitoring and Management. These are products such as Kaseya, N-Able, ConnectWise, and ManageEngine. These programs are used in enterprise networks and by Managed Service Providers (MSPs) to provide management oversight and remote support services. When Kaseya’s update servers were compromised last year, attackers were able to send malicious updates to any computer using Kaseya, which could then be easily compromised. This breach affected enterprise-class businesses, as well as MSPs and their customers: any computer or server with a Kaseya agent installed, literally tens or even hundreds of thousands of computers, could be remotely accessed by cyber-attackers.]

Original release date: January 25, 2023

Today, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released joint Cybersecurity Advisory (CSA) Protecting Against Malicious Use of Remote Monitoring and Management Software. The advisory describes a phishing scam in which cyber threat actors maliciously use legitimate remote monitoring and management (RMM) software to steal money from victim bank accounts.

CISA encourages network defenders to review the advisory for indicators of compromise, best practices, and recommended mitigations. The advisory also highlights the threat of additional types of malicious activity using RMM, including its use as a backdoor for persistence and/or command and control (C2).

ChatGPT’s Dark Side: An Endless Supply of Polymorphic Malware

CyberArk researchers are warning that OpenAI’s popular new AI tool ChatGPT can be used to create polymorphic malware.

“[ChatGPT]’s impressive features offer fast and intuitive code examples, which are incredibly beneficial for anyone in the software business,” CyberArk researchers Eran Shimony and Omer Tsarfati wrote this week in a blog post that was itself apparently written by AI. “However, we find that its ability to write sophisticated malware that holds no malicious code is also quite advanced.”

While ChatGPT’s built-in content filters are intended to prevent it from helping to create malware, the researchers were quickly able to bypass those filters by repeating and rephrasing their requests – and when they used the API rather than the web version, no content filter was applied at all.

Worse, the researchers found, ChatGPT can take the code produced and repeatedly mutate it, creating multiple versions of the same threat. “By continuously querying the chatbot and receiving a unique piece of code each time, it is possible to create a polymorphic program that is highly evasive and difficult to detect,” they wrote. More...

Vice Society Ransomware Group Targets Manufacturing Companies

The Vice Society ransomware group made headlines in late 2022 and early 2023 during a spate of attacks against several targets, such as the one that affected the rapid transit system in San Francisco. Most reports have the threat actor focusing its efforts on the education and healthcare industries. However, through Trend Micro’s telemetry data, we have evidence that the group is also targeting the manufacturing sector, which means that they have the capability and the desire to penetrate different industries — most likely accomplished via the purchasing of compromised credentials from underground channels. We have detected the presence of Vice Society in Brazil (primarily affecting the country’s manufacturing industry), Argentina, Switzerland, and Israel.

Vice Society, which was initially reported to be exploiting the PrintNightmare vulnerability in its routines, has previously deployed ransomware variants such as Hello Kitty/Five Hands and Zeppelin (the group’s email has appeared in the ransom notes). More recently, Vice Society has been able to develop its own custom ransomware builder and adopt more robust encryption methods. This, and any further enhancements, could mean that the group is preparing for its own ransomware-as-a-service (RaaS) operation. More…

Great Resources for Learning Linux for Security+ and Other Cybersecurity Exams

This great post is from Lavatorr on Reddit/r/CompTIA. If learning Linux is in your future (or the present), check this out.

“Yesterday, I watched two of networkchuck’s Linux for Hackers videos, and within two hours went from “Linux is my mortal enemy” to “oh my god I understand Linux”. I spent six hours yesterday binging his amazing videos on hacking, networking, the Sec+, everything. And every single time, I was blown away at how simple, relatable, and entertaining he was. I learned so much so fast, and I’m actually retaining it.

Networkchuck is, by far, the single best tech teacher on YouTube. He’s got tons of material, and it’s all dynamite. His greatest strength is knowing exactly how to frame his lessons in simple, human terms.

I cannot understate how much time and frustration he has saved me, and if you’re struggling with this, he’ll do the same for you.

Here’s his YouTube page. Ignore the obnoxious thumbnails, he seems really nice.

(Edit: Had to include this video for anyone confused by basic movement in Linux. Perfectly organized and great for beginners. Also check out his videos on the Linux file system, downloading packages, and getting help. I cannot stress enough how much time they will save you.)”

CISA Releases Protecting Our Future: Partnering to Safeguard K–12 organizations from Cybersecurity Threats

Original release date: January 24, 2023

Today, CISA released Protecting Our Future: Partnering to Safeguard K–12 organizations from Cybersecurity Threats. The report provides recommendations and resources to help K-12 schools and school districts address systemic cybersecurity risk. It also provides insight into the current threat landscape specific to the K-12 community and offers simple steps school leaders can take to strengthen their cybersecurity efforts.

The report’s findings state that K-12 organizations need resources, simplicity and prioritization to effectively reduce their cybersecurity risk. To address these issues, CISA provides three recommendations in the report to help K-12 leaders build, operate, and maintain resilient cybersecurity programs:

  1. Invest in the most impactful security measures and build toward a mature cybersecurity plan.
  2. Recognize and actively address resource constraints.
  3. Focus on collaboration and information-sharing.

Along with the report, we are providing an online toolkit which aligns resources and materials to each of CISA’s three recommendations along with guidance on how stakeholders can implement each recommendation based on their current needs. To read the full report and to access the toolkit, visit Protecting Our Future: Partnering to Safeguard K–12 organizations from Cybersecurity Threats.

Hive ransomware servers shut down at last, says FBI

Read the full story on the Naked Security blog.

There are three main ways that victims can get their businesses back on the rails without paying up after a successful network-wide file-lockout attack:

  • Have a robust and efficient recovery plan. Generally speaking, this means not only having a top-notch process for making backups, but also knowing how to keep at least one backup copy of everything safe from the ransomware affiliates (they like nothing better than to find and destroy your online backups before unleashing the final phase of their attack). You also need to have practised how to restore those backups reliably and quickly enough that doing so is a viable alternative to simply paying up anyway.
  • Find a flaw in the file lockout process used by the attackers. Usually, ransomware crooks “lock” your files by encrypting them with the very same sort of secure cryptography that you might use yourself when securing your web traffic or your own backups. Occasionally, however, the core gang makes one or more programming blunders that may allow you to use a free tool to “crack” the decryption and recover without paying. Be aware, however, that this path to recovery happens by luck, not by design.
  • Get hold of the actual recovery passwords or keys in some other way. Although this is rare, there are several ways it can happen, such as: identifying a turncoat inside the gang who will leak the keys in a fit of conscience or a burst of spite; finding a network security blunder allowing a counter-attack to extract the keys from the crooks’ own hidden servers; or infiltrating the gang and getting undercover access to the needed data in the criminals’ network.


Dutch suspect locked up for alleged personal data megathefts

Apparently, the courts have taken a strict approach to this case, effectively keeping the arrest secret from late 2022 until now, and not allowing the suspect out on bail.  According to the Ministry’s report, a court order about custody was made in early December 2022, when the authorities were given permission to keep the suspect locked up for a further 90 days, meaning that they can hold him until at least March 2023 as work on his case continues.

The suspect is being investigated for multiple offences: possessing or publishing “non-public” data, possessing phishing software and hacking tools, computer hacking, and money laundering.  The prosecutors claim that he laundered close to half-a-million Euros’ worth of cryptocurrency during 2022, so we’re assuming that the court considered him a flight risk, decided that if released he might be able to destroy evidence and, presumably, thought that he might try to warn others in the cybercrime forums where he’d been active to start covering their tracks, too.



About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
