WyzGuys Tech Talk

A quick Saturday digest of cybersecurity news articles from other sources.

CISA and Partners Release Advisory on Black Basta Ransomware

05/10/2024 05:00 PM EDT

Today, CISA, in partnership with the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released joint Cybersecurity Advisory (CSA) #StopRansomware: Black Basta to provide cybersecurity defenders tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) used by known Black Basta ransomware affiliates and identified through FBI investigations and third-party reporting.

Black Basta is a ransomware-as-a-service (RaaS) variant, first identified in April 2022. Black Basta affiliates have targeted over 500 private industry and critical infrastructure entities, including healthcare organizations, in North America, Europe, and Australia.

CISA and partners encourage organizations to review and implement the mitigations provided in the joint CSA to reduce the likelihood and impact of Black Basta and other ransomware incidents. For more information, see StopRansomware.gov and the #StopRansomware Guide.

From Bruce Schneier

Using Legitimate GitHub URLs for Malware

[2024.04.22] Interesting social-engineering attack vector:

McAfee released a report on a new LUA malware loader distributed through what appeared to be a legitimate Microsoft GitHub repository for the “C++ Library Manager for Windows, Linux, and MacOS,” known as vcpkg.

The attacker is exploiting a property of GitHub: comments to a particular repo can contain files, and those files will be associated with the project in the URL.

What this means is that someone can upload malware and “attach” it to a legitimate and trusted project.

As the file’s URL contains the name of the repository the comment was created in, and as almost every software company uses GitHub, this flaw can allow threat actors to develop extraordinarily crafty and trustworthy lures.

For example, a threat actor could upload a malware executable in NVIDIA’s driver installer repo that pretends to be a new driver fixing issues in a popular game. Or a threat actor could upload a file in a comment to the Google Chromium source code and pretend it’s a new test version of the web browser.

These URLs would also appear to belong to the company’s repositories, making them far more trustworthy.

Long Article on GM Spying on Its Cars’ Drivers

[2024.04.26] Kashmir Hill has a really good article on how GM tricked its drivers into letting it spy on them — and then sold that data to insurance companies.

How Criminals Are Using Generative AI

[2024.05.09] There’s a new report on how criminals are using generative AI tools:

Key Takeaways:

• Adoption rates of AI technologies among criminals lag behind the rates of their industry counterparts because of the evolving nature of cybercrime.
• Compared to last year, criminals seem to have abandoned any attempt at training real criminal large language models (LLMs). Instead, they are jailbreaking existing ones.
• We are finally seeing the emergence of actual criminal deepfake services, with some bypassing user verification used in financial services.