Cyware Monthly Threat Intelligence

Monthly Threat Briefing Jun 3, 2024

The Good

In recent AI developments, NIST, OpenAI, and government bodies are taking significant steps to ensure the responsible use of AI technologies. NIST's new ARIA program aims to ensure AI technologies are valid, reliable, safe, secure, private, and fair in real-world scenarios. Meanwhile, OpenAI disrupted five AI-powered disinformation campaigns from China, Iran, Israel, and Russia targeting public discourse and political outcomes. The White House introduced a framework to protect U.S. workers from AI-related workplace risks, emphasizing health and safety, governance, and upskilling. Similarly, the U.K. government issued guidance for securing AI models, focusing on monitoring, testing, and training.

  • NIST launched a new program called Assessing Risks and Impacts of AI (ARIA) to help organizations and individuals evaluate and verify the capabilities and impacts of AI technologies in real-world scenarios. The program aims to help determine whether a given AI technology will be valid, reliable, safe, secure, private, and fair once deployed. ARIA expands on NIST's AI Risk Management Framework and will develop new methodologies and metrics to quantify how well an AI system maintains safe functionality within societal contexts.

  • OpenAI disrupted five AI-powered disinformation campaigns originating from China, Iran, Israel, and Russia that sought to manipulate public discourse and political outcomes online while obscuring their true identities. The operations used OpenAI's models to generate text, debug code, translate and edit articles, and create the appearance of engagement across social media platforms.

  • Europol coordinated an international effort, named Operation Endgame, to neutralize dropper botnet infrastructure for malware strains including IcedID, SystemBC, Pikabot, SmokeLoader, Bumblebee, and TrickBot. This resulted in the takedown of over 100 servers and the arrest of four key suspects. Separately, the DOJ shut down the 911 S5 botnet-for-hire operation, suspected of hijacking millions of IP addresses for cybercrime, and arrested its operator. The botnet was linked to 560,000 fraudulent unemployment insurance claims, resulting in over $5.9 billion in losses, as well as other pandemic relief program scams.

  • Authorities dismantled several dark web marketplaces offering illicit goods in a coordinated global crackdown known as Operation SpecTor. The operation, led by Europol, involved authorities from the U.S., U.K., Germany, and Australia. Authorities targeted several high-profile dark web markets, seizing servers, arresting key operators, and confiscating large quantities of illegal goods including drugs, firearms, counterfeit currency, and stolen data. Significant amounts of cryptocurrency used for dark web transactions were also confiscated.

  • The White House unveiled a framework to protect U.S. workers from the risks posed by AI in the workplace, emphasizing the importance of health and safety rights, governance, human oversight, and transparency as organizations adopt emerging technologies. The principles also encourage employers to upskill workers whose jobs are replaced or transitioned due to AI technologies. The AI safety framework is voluntary, similar to other recent AI frameworks and best practices released by the White House.

  • The U.K. government has published voluntary guidance to help AI developers and vendors secure their AI models. The guidance includes recommendations such as monitoring AI system behavior, performing model testing, and procuring secure software components from verified third-party developers. It also emphasizes the need to ensure the integrity of training data and to provide security training for AI developers.

  • CISA announced a new project called Vulnrichment to address the slowdown in the NIST National Vulnerability Database (NVD). The Vulnrichment project aims to enrich CVE records with key decision points using an SSVC (Stakeholder-Specific Vulnerability Categorization) decision tree model. The project has already enriched 1,300 CVEs and will continue to assess and categorize vulnerabilities based on their impact and exploitability.

The Bad

Recently, cybercriminals were found spreading malware via cracked Microsoft Office, Windows, and Hangul Word Processor, using a polished interface to hide .NET malware. Researchers found a zero-day vulnerability (CVE-2024-24919) in Check Point VPNs, allowing unauthorized access to sensitive data. The JAVS courtroom recording software was compromised in a supply chain attack, affecting over 10,000 installations. Additionally, the Kimsuky APT group from North Korea used rogue Facebook accounts to deliver malware through Messenger, targeting individuals in security-related fields.

  • Cybercriminals are using cracked versions of Microsoft Office, Windows, and Hangul Word Processor to distribute a malware cocktail to unsuspecting users. The malicious installer has a well-crafted interface that allows users to select the version and language, but in the background, it launches obfuscated .NET malware. The malware contacts Telegram or Mastodon channels to receive a valid download URL, often from Google Drive or GitHub, to fetch additional malware components such as Orcus RAT, XMRig, 3Proxy, PureCrypter, and AntiAV.

  • Researchers recently discovered attempts to breach enterprise networks through Check Point VPNs affected by a zero-day vulnerability, CVE-2024-24919. The bug allowed threat actors to read sensitive information from internet-exposed network security gateways. Check Point initially released a hotfix to block password-only local-account logins but later identified the underlying vulnerability. Mnemonic reported seeing attacks exploiting the flaw since April 30.

  • Cloudflare disrupted a month-long phishing campaign by the Russia-aligned threat actor FlyingYeti targeting Ukraine, using debt-themed lures to deliver PowerShell malware known as COOKBOX. The campaign abused Cloudflare Workers and GitHub for hosting and exploited a WinRAR vulnerability (CVE-2023-38831) to deliver COOKBOX, primarily targeting Ukrainian military entities. Once installed, the COOKBOX variant polls a DDNS domain for command-and-control, awaiting PowerShell cmdlets to execute.

  • CERT-UA uncovered two attack campaigns by threat actor UAC-0006 infecting accountants in Ukraine with SmokeLoader to steal credentials and facilitate unauthorized fund transfers. Distributed via emails, SmokeLoader injects malicious code into explorer.exe and downloads additional malware like TALESHOT and RMS on affected systems. The attackers use ZIP archives containing IMG files to deploy the malware.

  • The JAVS courtroom recording software was recently targeted in a supply chain attack where attackers backdoored the installer with malware, allowing them to compromise systems. The compromised software, containing a malicious fffmpeg.exe binary, was distributed to over 10,000 installations in courtrooms, legal offices, correctional facilities, and government agencies worldwide.

  • A consumer-grade spyware app, pcTattletale, has been discovered on check-in systems at three Wyndham hotels in the U.S., exposing sensitive data. The spyware, intended for remote monitoring, captured screenshots containing sensitive information like guest names and partial payment card numbers. It was found exposing these screenshots publicly due to a security flaw.

  • An unnamed European Ministry of Foreign Affairs and its diplomatic missions in the Middle East fell victim to espionage operations orchestrated by the Turla group. ESET researchers discovered two previously undocumented backdoors, LunarWeb and LunarMail, deployed in the attacks. LunarWeb operates on servers using HTTP(S) for command-and-control communications, while LunarMail, persisting as an Outlook add-in on workstations, communicates via email.

  • The Kimsuky APT group, linked to North Korea, has been using rogue Facebook accounts to target victims through Messenger and deliver malware. They impersonated a South Korean public official to connect with key individuals in North Korean and security-related fields. The attack involved sending decoy documents via Messenger, which linked to a malicious file hosted on OneDrive. Upon opening the file, a multi-stage attack chain was initiated, allowing the malware to gather and exfiltrate information to a C2 server.

  • The FBI alerted U.S. retail companies against malicious activities by Storm-0539, a hacking group targeting gift card department employees since January 2024. Storm-0539 employs sophisticated phishing kits to bypass MFA, infiltrate accounts, and steal credentials and SSH passwords. They then generate fraudulent gift cards using compromised accounts. The FBI advises corporations to update incident response plans, train employees to recognize phishing, and enforce MFA.

New Threats

Recent cybersecurity developments reveal advanced threats targeting various systems. The new SpiderX ransomware, a successor to Diablo, features faster encryption, offline functionality, and a built-in info-stealer, making it a potent threat to Windows systems. Concurrently, vulnerabilities in three popular WordPress plugins (WP Statistics, WP Meta SEO, and LiteSpeed Cache) are being exploited to inject malicious scripts and backdoors, enabling attackers to create new administrator accounts and monitor infected websites. Additionally, the Sysdig Threat Research Team uncovered LLMjacking, an attack on cloud-hosted LLM services using stolen cloud credentials, allowing attackers to access and monetize LLM models while the cloud account owner bears the cost.

  • A new RaaS offering called SpiderX is marketed as a successor to Diablo ransomware. Built for Windows systems, it advertises ChaCha20-256 file encryption, faster encryption than its predecessor, offline operation that needs no C2 contact to encrypt, comprehensive file targeting, a built-in information stealer, and persistence, making it a highly effective and dangerous tool.

  • Vulnerabilities in three popular WordPress plugins are being exploited to inject malicious scripts and backdoors, allowing attackers to create new administrator accounts and monitor infected websites. The exploited bugs are unauthenticated stored cross-site scripting (XSS) vulnerabilities in the WP Statistics (CVE-2024-2194), WP Meta SEO (CVE-2023-6961), and LiteSpeed Cache (CVE-2023-40000) plugins, which together have a very large number of active installations.

  • The RedTail cryptocurrency miner has evolved to exploit a critical vulnerability (CVE-2024-3400) in Palo Alto Networks firewalls, adding new anti-analysis techniques and the use of private crypto-mining pools. The malware spreads through multiple propagation mechanisms, targeting vulnerabilities in systems such as TP-Link routers, ThinkPHP, and VMware Workspace ONE Access and Identity Manager. The latest version of RedTail carries an encrypted mining configuration used to launch the embedded XMRig miner.

  • A new ATM malware family, advertised as "EU ATM Malware," was offered in the cybercrime underground. The seller claims it can compromise 99% of European ATMs and 60% globally, and that it targets machines from major vendors such as Diebold Nixdorf and NCR. According to the advertisement, the malware is fully automated to simplify deployment, also offers a manual operation mode, and is sold under several payment options. These claims have not been independently verified, but the breadth of the advertised targeting has raised concern in the banking sector.

  • A newly discovered vulnerability in the WiFi standard, identified as CVE-2023-52424, enables attackers to execute an SSID Confusion attack on enterprise, mesh, and certain home WiFi networks. Because the SSID is not always authenticated during the connection handshake, attackers can spoof network names and trick victims into connecting to less secure networks, potentially leading to traffic interception and manipulation.

  • The Sysdig Threat Research Team has discovered a new attack called LLMjacking, which targets cloud-hosted LLM services using stolen cloud credentials. The attackers breach vulnerable systems, exfiltrate cloud credentials, and use them to reach LLM models hosted by cloud providers. They use tooling to validate the credentials, set up reverse proxy servers to resell access, and query the provider's model-invocation logging settings to check whether their prompts would be recorded. This lets them monetize access to LLMs while the cloud account owner unknowingly bears the cost.

  • Microsoft identified a new attack pattern, named Dirty Stream, that affects Android apps. It allows a malicious app to overwrite files in another app's private data directory, potentially leading to unauthorized code execution and data theft. The flaw arises from improper use of Android's content provider system: a receiving app that accepts a file from another app's content provider trusts the filename the sender supplies, so a name containing path traversal sequences causes the file to be written outside the intended cache directory. Microsoft found vulnerable apps with a combined install base of over four billion, including Xiaomi's File Manager and WPS Office.

  • FortiGuard Labs identified a new botnet named Goldoon that targets a decade-old D-Link router vulnerability (CVE-2015-2051). Goldoon's propagation involves downloading a file named "dropper" from a specified URL, which executes, removes potentially competing malicious files, and is built for several Linux architectures. The dropper then downloads the botnet payload, which establishes a persistent connection with a C2 server.
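The LLMjacking bullet above describes a recognizable sequence in the victim's cloud audit trail: a stolen key checks whether model-invocation logging is on and then starts invoking models, often from several regions. The following detector, an added example that is not Sysdig's or Cyware's code, runs two such rules over constructed CloudTrail-style records. The event names `GetModelInvocationLoggingConfiguration`, `InvokeModel` and `InvokeModelWithResponseStream` are real Amazon Bedrock CloudTrail event names; the access key IDs, IP addresses, trusted egress range, one-hour window and three-region threshold are all assumptions for the example.

```python
"""Flag LLMjacking-style use of Bedrock credentials in CloudTrail-style records.

Added example (not Sysdig's or Cyware's code). Sample records, key IDs,
IP ranges and thresholds are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Real Bedrock CloudTrail event names; the attacker behaviour in the briefing
# is "check the logging config, then invoke models".
LOGGING_PROBE = "GetModelInvocationLoggingConfiguration"
BEDROCK_INVOKE = {"InvokeModel", "InvokeModelWithResponseStream"}

# Assumption: legitimate workloads only reach Bedrock from this egress range.
TRUSTED_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]
WINDOW = timedelta(hours=1)          # assumed correlation window
REGION_SPREAD_THRESHOLD = 3          # assumed: >=3 regions in one window is abnormal

# Constructed sample records (minimal CloudTrail shape, one dict per event).
SAMPLE_EVENTS = [
    # Legitimate key: checks logging once, invokes from the corporate egress IP.
    {"eventTime": "2024-05-20T08:00:00Z", "eventName": LOGGING_PROBE, "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.10", "userIdentity": {"accessKeyId": "AKIAEXAMPLELEGIT002"}},
    {"eventTime": "2024-05-20T08:01:00Z", "eventName": "InvokeModel", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.10", "userIdentity": {"accessKeyId": "AKIAEXAMPLELEGIT002"}},
    {"eventTime": "2024-05-20T09:30:00Z", "eventName": "InvokeModel", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.10", "userIdentity": {"accessKeyId": "AKIAEXAMPLELEGIT002"}},
    # Stolen key: logging probe from an outside IP, then invocations across regions.
    {"eventTime": "2024-05-20T10:00:00Z", "eventName": LOGGING_PROBE, "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"accessKeyId": "AKIAEXAMPLESTOLEN01"}},
    {"eventTime": "2024-05-20T10:02:00Z", "eventName": "InvokeModel", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"accessKeyId": "AKIAEXAMPLESTOLEN01"}},
    {"eventTime": "2024-05-20T10:05:00Z", "eventName": "InvokeModelWithResponseStream", "awsRegion": "us-west-2",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"accessKeyId": "AKIAEXAMPLESTOLEN01"}},
    {"eventTime": "2024-05-20T10:09:00Z", "eventName": "InvokeModel", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"accessKeyId": "AKIAEXAMPLESTOLEN01"}},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def from_trusted_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_EGRESS)


def detect_llmjacking(events):
    """Return a list of findings; each is a dict with accessKeyId, rule and evidence."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev.get("userIdentity", {}).get("accessKeyId", "unknown")].append(ev)

    findings = []
    for key, evs in by_key.items():
        evs.sort(key=lambda e: parse_time(e["eventTime"]))
        probe_seen_at = None        # time of the last unmatched logging-config probe
        invoke_history = []         # (time, region) for every model invocation
        spread_alerted = False
        for ev in evs:
            t, name = parse_time(ev["eventTime"]), ev["eventName"]
            if name == LOGGING_PROBE:
                probe_seen_at = t
                continue
            if name not in BEDROCK_INVOKE:
                continue
            # Rule 1: logging probe followed by an invocation from outside trusted egress.
            if (probe_seen_at is not None and t - probe_seen_at <= WINDOW
                    and not from_trusted_ip(ev["sourceIPAddress"])):
                findings.append({"accessKeyId": key, "rule": "probe_then_invoke_from_untrusted_ip",
                                 "sourceIPAddress": ev["sourceIPAddress"], "eventTime": ev["eventTime"]})
                probe_seen_at = None   # one alert per probe
            # Rule 2: invocations spread over many regions inside one window.
            invoke_history.append((t, ev["awsRegion"]))
            recent_regions = {r for ts, r in invoke_history if t - ts <= WINDOW}
            if len(recent_regions) >= REGION_SPREAD_THRESHOLD and not spread_alerted:
                findings.append({"accessKeyId": key, "rule": "invoke_region_spread",
                                 "regions": sorted(recent_regions), "eventTime": ev["eventTime"]})
                spread_alerted = True
    return findings


if __name__ == "__main__":
    for finding in detect_llmjacking(SAMPLE_EVENTS):
        print(finding)
```

In a real deployment the records would come from a CloudTrail lake or SIEM query rather than an inline list, and the trusted egress list would be generated from the VPC's NAT addresses; the point of the rules is that a legitimate workload rarely needs to ask whether its own prompts are logged, and almost never does so immediately before fanning out across regions.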
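The Dirty Stream bullet above comes down to one decision in the receiving app: whether the filename returned by another app's content provider is used as-is when the stream is written into the app's private directory. The following is an added example, not Microsoft's or any vendor's code, that models that decision in Python (the real apps are Java or Kotlin, but the path logic is the same): `write_path_vulnerable` reproduces the trusting pattern, and `write_path_hardened` applies the canonical-path containment check plus a conservative name filter. The directory paths and filenames are constructed for the example.

```python
"""Vulnerable vs hardened handling of a sender-supplied filename (Dirty Stream pattern).

Added example (not Microsoft's code). Paths and names below are constructed.
"""
import os
import re

# Assumption: only plain names with these characters are acceptable for cached files.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def write_path_vulnerable(cache_dir, display_name):
    """The bug: trust DISPLAY_NAME from the sending app's content provider.

    A name such as "../shared_prefs/creds.xml" or "../lib/libnative.so" escapes
    cache_dir, so the attacker's stream overwrites a file the receiver later trusts.
    """
    return os.path.normpath(os.path.join(cache_dir, display_name))


def write_path_hardened(cache_dir, display_name):
    """Accept the name only if the canonical target stays inside cache_dir."""
    # Reject anything that is not a single plain filename component.
    if not SAFE_NAME.match(display_name) or display_name in (".", ".."):
        raise ValueError("rejected display name: %r" % display_name)
    root = os.path.realpath(cache_dir)
    candidate = os.path.realpath(os.path.join(root, display_name))
    # Canonical containment check: realpath also resolves any symlink the
    # sender might have pre-planted, so compare the resolved paths.
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes cache directory: %r" % display_name)
    return candidate


def classify_names(cache_dir, names):
    """Return {name: (vulnerable_target, hardened_target_or_None)} for inspection."""
    out = {}
    for name in names:
        try:
            hardened = write_path_hardened(cache_dir, name)
        except ValueError:
            hardened = None
        out[name] = (write_path_vulnerable(cache_dir, name), hardened)
    return out


if __name__ == "__main__":
    # Constructed: a typical Android private cache directory and three sender-chosen names.
    cache = "/data/data/com.example.victim/cache"
    for name, (vuln, hard) in classify_names(
            cache, ["report.pdf", "../shared_prefs/creds.xml", "../lib/libnative.so"]).items():
        print("%-28s vulnerable-> %-55s hardened-> %s" % (name, vuln, hard))
```

The safest variant ignores the sender's name entirely and generates a random one, keeping at most a validated extension; the containment check shown here is the minimum that turns the overwrite into a rejected request.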
