
Beyond the Headlines: Diving Deeper into the Cybercriminal Underground
Find stories about the latest threat actor tactics, techniques and procedures from Cybersixgill threat experts every month. Each story gives you details about emerging underground threats, the threat actors involved, and how you can take action to reduce risk. Learn about the top vulnerabilities and review the latest ransomware and malware trends from the deep and dark web.
Stolen ChatGPT credentials flood the dark web market
Over the past year, 100,000 stolen ChatGPT credentials were advertised on underground sites, some selling for as little as $5 and others offered for free.
Stolen ChatGPT credentials include usernames, passwords and other personal information associated with the accounts. This is problematic because ChatGPT accounts can store sensitive information from queries, including confidential data and intellectual property. In particular, companies are increasingly incorporating ChatGPT into everyday workflows, which means employees may disclose confidential content, including proprietary code. Cybersixgill threat analysts detected ads for stolen ChatGPT credentials on popular dark web marketplaces, alongside ads for AI chatbots suspected of being capable of generating malicious content.
What should companies do to protect their employees and critical assets from the unintended risks posed by ChatGPT?
Pro-Russian hackers attack Microsoft platforms, threatening Europe’s banking system
A highly active pro-Russian hacker group crippled several Microsoft platforms, demanding US$1 million to stop the attacks and echoing the collective’s strategy in the recent Distributed Denial-of-Service (DDoS) incident targeting Scandinavian Airlines. While Microsoft initially gave an evasive explanation for the outage, it later confirmed that the Azure, Outlook, and OneDrive web portals were inaccessible due to a Layer 7 DDoS attack attributed to the group. Our threat experts observe the group bragging about the Microsoft attacks underground, as well as allies announcing a new pro-Russian coalition planning to attack Europe’s banking system.
While DDoS attacks have increased since Russia invaded Ukraine in February 2022, the recent turn to blackmail demonstrates the emerging financial dimension of politically motivated incidents. Given these risks, what should organizations do to prepare for more DDoS campaigns launched by pro-Russian gangs, and the extortion demands that may accompany them?
New malware steals data from browsers and password managers
Advertisements for a new information stealer (infostealer) have appeared on Russian-language cybercrime forums. While the stealer debuted in April 2023, sales reportedly spiked in June, which could indicate an increase in attacks using the malware. The malware allegedly targets nearly 200 browsers, browser extensions and password managers, among other applications. Our team of threat researchers observed the malware’s developers touting its features underground, as well as threat actors questioning the stealer’s capabilities.
Once executed, the stealer collects data about the operating system and hardware and sends screenshots to the attacker’s command-and-control (C2) server. It then targets specific information stored in various applications, including web browsers. The malware can be rented for $150/month or $390 for four months, according to ads on popular cybercrime forums compiled by Cybersixgill.
As the emergence of this new stealer illustrates, data theft tools remain popular underground. Such tools extract sensitive information, including credentials and other valuable data. With powerful, user-friendly stealers available underground, what should organizations do to protect against such threats?
A new critical VMware vulnerability is being exploited in the wild
VMware recently released an advisory regarding the critical remote code execution (RCE) vulnerability CVE-2023-20887, warning that threat actors are already exploiting the flaw in attacks. While an update was released to address the command injection vulnerability, unpatched VMware Aria Operations for Networks instances remain highly vulnerable. Ultimately, threat actors can take advantage of CVE-2023-20887 to access networks and inject malicious commands into Aria Operations for Networks, which can lead to data theft, data corruption, or even complete system compromise.
On July 3, 2023, Cybersixgill’s DVE module gave CVE-2023-20887 a severe score (9.23), indicating the threat posed by the flaw on an unpatched system. This score is dynamic and could rise further, especially given the publicly available proof-of-concept (PoC) for the CVE published by threat hunters on GitHub. According to data compiled by the Cybersixgill Investigation Portal, CVE-2023-20887 is related to at least one advanced persistent threat (APT). This means the vulnerability is likely being actively exploited by sophisticated threat actors who may be able to bypass traditional security measures.
Our threat experts observe the PoC for this vulnerability circulating underground, and ransomware groups may see this vulnerability as an opportunity to launch an attack and demand payment in a double-extortion scheme. In light of this, what should companies using VMware do to thwart the actions of cybercriminals?
Subscribe to Cybersixgill’s Beyond the Headlines monthly magazine and get detailed monthly insights from our team of threat researchers on the latest threats and threat actor TTPs on the deep and dark web.