AI-driven BEC attacks surge with new WormGPT tool

SISA Weekly Threat Watch - 24 July 2023

From the use of forged Azure AD tokens to gain unauthorized access to Outlook and the use of the WormGPT tool to orchestrate BEC attacks, to a state-backed APT group breaching JumpCloud and LokiBot malware exploiting Microsoft Word vulnerabilities, security researchers observed a surge in sophisticated cyberattacks over the past week. These recent cyber incidents underscore the increasing complexity and sophistication of cyber threats, urging organizations to prioritize robust defense measures including proactive email verification, advanced endpoint protection, and vigilant employee training.

SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide over the past week. These recurring, actionable threat advisories also provide information and recommendations that help security teams take appropriate action to defend against the latest critical threats.

1. Hackers breached more than two dozen organizations by creating forged Azure AD tokens

In a recent cyber incident, a threat actor tracked as Storm-0558 obtained an inactive Microsoft account (MSA) consumer signing key and used it to forge Azure AD enterprise and MSA consumer authentication tokens, giving them unrestricted access to Outlook Web Access (OWA) and Outlook.com. According to reports, the group has been operating since at least August 2021, conducting attacks against Microsoft accounts via OAuth tokens, phishing operations, and credential harvesting.

As per Microsoft, the actor is technically skilled, well-equipped, and extremely knowledgeable about a range of authentication methods and software. Initial access to target networks is realized through phishing and exploitation of security flaws in public-facing applications, leading to the deployment of the China Chopper web shell for backdoor access and a tool called Cigril to facilitate credential theft. Microsoft has mitigated this activity on its customers’ behalf for Microsoft services.
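The core of the token-forgery problem above is key scope: a token signed with a key that belongs to one issuer must not be accepted as a token for another issuer, even if the signature itself verifies. The following added example (not Microsoft's code, and not from the advisory) shows the defensive check. It uses HS256 and invented issuer URLs, key IDs and secrets so it runs with the Python standard library alone; real Azure AD tokens are RS256-signed, but the kid-to-issuer binding check is the same. `verify_jwt` resolves the `kid` only within the expected issuer's key set; the `scoped=False` path shows the weaker lookup across all trusted keys that a cross-issuer key defeats.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed key sets, one per issuer. Issuer URLs, key IDs and secrets
# are invented for this example; they are not Microsoft's.
CONSUMER_ISS = "https://login.consumer.example/"
ENTERPRISE_ISS = "https://login.enterprise.example/tenant-a/"
KEYS_BY_ISSUER = {
    CONSUMER_ISS: {"consumer-key-1": b"constructed-consumer-secret"},
    ENTERPRISE_ISS: {"enterprise-key-1": b"constructed-enterprise-secret"},
}


def sign_jwt(claims: dict, kid: str, key: bytes) -> str:
    """Mint an HS256 JWT; stands in for the identity provider's signing step."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, expected_iss: str, expected_aud: str, now: float, scoped: bool = True):
    """Return (accepted, reason).

    scoped=True  : the kid is resolved only inside the expected issuer's key set.
    scoped=False : the kid is resolved across every trusted key set, so a key
                   belonging to a different issuer can validate the token.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except ValueError:
        return False, "malformed token"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    kid = header.get("kid")
    if scoped:
        key = KEYS_BY_ISSUER.get(expected_iss, {}).get(kid)
    else:
        key = next((ks[kid] for ks in KEYS_BY_ISSUER.values() if kid in ks), None)
    if key is None:
        return False, "kid not in issuer key set"
    expected_sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        return False, "bad signature"
    if claims.get("iss") != expected_iss:
        return False, "issuer mismatch"
    if claims.get("aud") != expected_aud:
        return False, "audience mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired or missing exp"
    return True, "ok"


def demo() -> dict:
    """Compare a legitimately signed enterprise token with one carrying the
    same claims but signed by the consumer key (the advisory's scenario)."""
    now = 1_690_000_000  # constructed fixed clock
    claims = {"iss": ENTERPRISE_ISS, "aud": "mail-api", "sub": "user@tenant-a", "exp": now + 3600}
    legit = sign_jwt(claims, "enterprise-key-1", KEYS_BY_ISSUER[ENTERPRISE_ISS]["enterprise-key-1"])
    cross = sign_jwt(claims, "consumer-key-1", KEYS_BY_ISSUER[CONSUMER_ISS]["consumer-key-1"])
    return {
        "legit_scoped": verify_jwt(legit, ENTERPRISE_ISS, "mail-api", now),
        "cross_unscoped": verify_jwt(cross, ENTERPRISE_ISS, "mail-api", now, scoped=False),
        "cross_scoped": verify_jwt(cross, ENTERPRISE_ISS, "mail-api", now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point for defenders is the order and scope of the checks: the signature is valid in both the scoped and unscoped paths, so a verifier that trusts any known `kid` cannot tell the two tokens apart. Binding the key lookup to the issuer the relying party expects, and rejecting unknown `kid` values before checking anything else, is what turns a stolen key from one realm into a non-event in the other.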

2. WormGPT – the generative AI tool cybercriminals are using to launch BEC attacks

A new generative AI cybercrime tool dubbed WormGPT has been offered on darknet forums as a mechanism for adversaries to carry out complex phishing and business email compromise (BEC) attacks. The tool presents itself as a blackhat alternative to GPT models, designed specifically for malicious activities. Cybercriminals can use such technology to automate the creation of highly convincing fake emails, personalized to the recipient, increasing the attack's chance of success.

Even more concerning, threat actors are advocating “jailbreaks” for ChatGPT, engineering specialized prompts and inputs that are designed to manipulate the tool into generating output that could involve disclosing sensitive information, producing inappropriate content, and executing harmful code. To fortify against AI-driven BEC attacks, organizations should enforce stringent email verification processes, test the efficacy of current email security, and develop extensive training programs aimed at countering BEC attacks, especially those enhanced by AI.

3. JumpCloud discloses breach by state-backed APT hacking group

Directory, identity, and access management solutions provider JumpCloud recently disclosed customer impact following a nation-state cyberattack. While investigating the attack and analyzing logs for signs of malicious activity, JumpCloud discovered the attack vector involved data injection into the commands framework for a small set of customers. The same day, the company force-rotated all admin API keys to protect customers’ organizations and notified them to generate new keys.

JumpCloud has yet to provide any information on the number of customers impacted by the attack and has not linked the APT group behind the breach with a specific state. Organizations are advised to be wary of unsolicited mail and unexpected emails, especially those that call for urgency. Refrain from clicking on links or downloading attachments in emails, especially from unknown sources. Additionally, use hosted email security and antispam protection to block threats that arrive via email.

4. LokiBot malware exploits Microsoft Word vulnerabilities for widespread distribution

A recent LokiBot campaign was uncovered by researchers, exploiting a pair of well-known vulnerabilities in Microsoft Office documents. Researchers identified that threat actors used two remote code execution vulnerabilities, CVE-2021-40444 and CVE-2022-30190, to weaponize Microsoft documents carrying malicious macros. Initially, the attack targeted Word documents affected by CVE-2021-40444, which contained a file named “document.xml.rels” with an MHTML link. Opening this file triggered the delivery of a follow-on exploit for the second vulnerability.

However, in late May, the attackers altered their approach by embedding a VBA script within the Word document. This script generated an INF file to load a DLL file, which, in turn, downloaded a second-stage code injector from a specific URL. The injector used various evasion techniques to facilitate the execution of LokiBot malware in the final stage. To mitigate such risks, organizations must prioritize the use of up-to-date software versions, deploy and maintain advanced endpoint protection solutions, and remain vigilant against evolving cybercriminal tactics.
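Both variants described above leave traces a mail gateway or triage script can read without opening the document in Word: an external relationship in `document.xml.rels` (the MHTML link of the first variant) and an embedded VBA project (the second variant). The following added example (not from the advisory or any vendor) is a standard-library triage scanner for `.docx` containers. The sample document it builds is constructed in memory with placeholder targets; it flags external relationships whose type is one Word would load automatically (`oleObject`, `attachedTemplate`, `frame`, `subDocument`) or whose target uses a scheme such as `mhtml:`, while leaving ordinary `hyperlink` relationships to `https:` sites alone, and it reports whether a `vbaProject.bin` part is present.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Relationship types Word resolves on its own when the document opens, as
# opposed to a hyperlink the user must click.
HIGH_RISK_REL_TYPES = {"oleObject", "attachedTemplate", "frame", "subDocument"}
# URL schemes that should never appear as an external part target.
HIGH_RISK_SCHEMES = ("mhtml:", "ms-msdt:", "file:")


def scan_docx(docx_bytes: bytes) -> dict:
    """Static triage of a .docx: returns external relationships that Word would
    auto-resolve or that use a risky scheme, plus whether a VBA project exists.
    Nothing is executed or fetched; only the ZIP and its .rels XML are parsed."""
    report = {"external_rels": [], "has_vba_project": False}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = z.namelist()
        report["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for name in names:
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                if rtype in HIGH_RISK_REL_TYPES or target.lower().startswith(HIGH_RISK_SCHEMES):
                    report["external_rels"].append((name, rtype, target))
    return report


def build_sample_docx(rels_xml: str, with_vba: bool = False) -> bytes:
    """Construct a minimal .docx container in memory (sample input for the demo)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("word/document.xml",
                   "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
        if with_vba:
            z.writestr("word/vbaProject.bin", b"constructed placeholder, not a real VBA project")
    return buf.getvalue()


# Constructed relationships file: one benign clickable hyperlink, one internal
# styles part, and one auto-resolved OLE object pointing at a placeholder MHTML URL.
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
SAMPLE_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OFFICE_REL}hyperlink" Target="https://www.example.com/" TargetMode="External"/>
  <Relationship Id="rId2" Type="{OFFICE_REL}styles" Target="styles.xml"/>
  <Relationship Id="rId3" Type="{OFFICE_REL}oleObject" Target="mhtml:http://example.invalid/placeholder" TargetMode="External"/>
</Relationships>"""


if __name__ == "__main__":
    for label, doc in (("mhtml variant", build_sample_docx(SAMPLE_RELS)),
                       ("vba variant", build_sample_docx(SAMPLE_RELS.replace('TargetMode="External"/>\n</Relationships>', "/>\n</Relationships>"), with_vba=True))):
        print(label, scan_docx(doc))
```

Treat a hit as a triage signal rather than a verdict: a legitimate corporate template can be an external `attachedTemplate`, and a VBA project is common in finance spreadsheets ported to Word. The value of the check is that it runs in milliseconds on the raw file, before any rendering, and surfaces exactly the two artefacts the campaign relied on.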

5. Ukraine’s CERT-UA exposes Gamaredon’s rapid data theft methods

The Russia-linked threat actor known as Gamaredon has been observed conducting data exfiltration within an hour of the initial compromise. Gamaredon often uses phishing messages sent through hijacked messaging accounts to gain initial access before using the information-stealing malware GammaSteel to exfiltrate data within 30 to 50 minutes, according to CERT-UA.

GammaSteel is used to exfiltrate documents with the following extensions: .doc, .docx, .xls, .xlsx, .rtf, .odt, .txt, .jpg, .jpeg, .pdf, .ps1, .rar, .zip, .7z, and .mdb. Typically, the mail contains an archive with an HTM or HTA file inside that, when opened, starts the attack sequence. The gang has also been shown to continuously change its strategies, including USB infection techniques for spreading. Also notable is the threat actor’s use of Telegram and Telegraph to retrieve information from the command-and-control (C2) servers, AnyDesk software for interactive remote access, PowerShell scripts for session hijacking to bypass two-factor authentication (2FA), and other tools. Organizations are recommended to install endpoint detection and threat response (EDTR) software, avoid using remote desktop applications like AnyDesk, and avoid downloading attachments or clicking links from unsolicited or untrusted emails to minimize the risk of data theft.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
