Karl Sigler, Senior Security Research Manager, SpiderLabs Threat Intelligence, conducted a series of briefings for federal officials in Washington, D.C., on April 12-13, updating them on what Trustwave SpiderLabs researchers are finding regarding the Russia-Ukraine War, ChatGPT, and current phishing trends.
During his time in Washington, Sigler spoke with the U.S. Senate Armed Services Committee, Department of Homeland Security/TSA, Senate staffers, and other departments.
The meetings on the Hill were not open to the public but were part of Trustwave's ongoing effort to engage with the federal government and share our expertise to further the public/private partnership that is part of President Joe Biden's cybersecurity initiative. For a preview of what Sigler shared on the Hill, read on and check out our SpiderLabs blog for additional research.
The Russia-Ukraine War has brought untold suffering to the region and is the first major conflict to include a cyber component. The war has also allowed the collection of more than a year's worth of telemetry and trends in the first public cyberwarfare associated with a physical conflict.
Trustwave SpiderLabs Research has so far tracked many attacks against Ukraine in 2022. Russian attacks have aimed to undermine public confidence in local authorities and to spread panic in order to bolster Russia's efforts on the battlefield. Over time, SpiderLabs has seen the attacks become more specific and targeted, and many more attacks are likely occurring without any public awareness.
Sigler singled out one incident that included a malware attack on Ukraine's troop monitoring system. It involved a phishing attack that compromised a Ukrainian Ministry of Defense employee account, which resulted in the threat actor distributing messages from that account about the need to update certificates in that troop monitoring system.
In this attack, the email carried an attached PDF that appeared to come from local police but contained a link to a malicious ZIP file. To look legitimate, the ZIP file simulated a certificate installation process, but what it actually installed was the RomCom remote access trojan (RAT) together with the FateGrab and StealDeal information stealers.
Recently, there has been an interesting sidebar to Russian activity. A threat group calling itself Anonymous Sudan has appeared. Anonymous Sudan claims to be a Muslim hacking collective that launches Distributed Denial of Service (DDoS) attacks in retaliation for anti-Muslim activity.
The first sign of the group's presence came on January 18, 2023, when it created a Telegram channel where it took credit for attacks targeting Swedish and Dutch businesses, purportedly in response to the burning of the Quran in those countries.
However, within a week of launch, Anonymous Sudan publicly aligned itself with the pro-Russian group Killnet. Other details also cast doubt on the group's claimed origins: its Telegram posts are primarily in Russian or English, and all of its targets support Ukraine in its fight against Russia. This activity points to a very strong possibility that Anonymous Sudan is, in fact, a sub-group of Killnet.
Ukraine has not been sitting still on the cyberwarfare front. The most active pro-Ukrainian group has been the IT Army of Ukraine, which has launched DDoS and other attacks against Russian targets.
Rostelecom, the largest ISP in Russia, released the following stats in 2022 regarding cyberattacks.
Sigler outlined ChatGPT's current capabilities, noting that it was released only in November 2022 but has already had a major impact on several industries, including cybersecurity.
He told the federal officials that even though artificial intelligence software such as ChatGPT is in its infancy, it is getting better by the hour and eventually will be a game changer in ways we haven't even thought about. The improvements being made are on an exponential curve.
After some foundation setting on AI in general, and GPT-3 (Generative Pre-trained Transformer v3) more specifically, Sigler focused on the better-known ChatGPT, a GPT-3-family model that its creators fine-tuned for conversational tasks.
Currently, ChatGPT is being used for many positive purposes, including customer service functions, handling customer feedback, as a personal assistant, story construction, translation services, and legal activities.
However, threat actors also quickly figured out how to use ChatGPT for nefarious purposes. While many have focused on ChatGPT's ability to write malicious code such as exploits and malware, its real strength is in language tasks. Because of this, it has found a home with attackers as an aid to the social engineering side of spearphishing and business email compromise (BEC) attacks. Its ability to translate between languages and draft text lets a threat actor fine-tune a lure or a talk track so that it sounds natural to the target, removing the awkward grammar that used to give phishing emails away.
Security pros have also taken to ChatGPT, using it for log analysis, SIEM event curation, malware analysis, and help with network detection. The one massive caveat that is not well discussed is that prompts and responses are retained by the service and may be used for further training. This presents a real privacy risk: users or explorers testing ChatGPT should never enter anything they would not want made public, and in practice that means stripping hostnames, IP addresses, account names, and credentials or tokens from logs and samples before pasting them in.
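As an added example (not Trustwave's code), the script below shows the kind of pre-processing an analyst can run over log lines before handing them to a hosted model. The regular expressions, the log formats they expect, and the sample lines are all constructed for illustration; the point is the design: every distinct sensitive value is swapped for a stable placeholder such as `<IP_1>`, so the model can still reason about "the same address showing up twice", and the mapping from placeholders back to real values never leaves the analyst's machine.

```python
"""Redact identifying values from log lines before pasting them into a hosted LLM.

Added example, not Trustwave's code. The patterns and sample log lines are
constructed for illustration; tune the patterns to your own log formats.
Each distinct value gets a stable placeholder such as <IP_1>, so repeated
values can still be correlated across lines, and the mapping back to the real
values stays on the analyst's machine.
"""
import re

# Constructed sample lines, not real telemetry.
SAMPLE_LOGS = [
    "2023-04-12T10:01:02Z sshd[812]: Failed password for admin from 203.0.113.45 port 51234 ssh2",
    "2023-04-12T10:01:05Z sshd[812]: Accepted password for admin from 203.0.113.45 port 51236 ssh2",
    "2023-04-12T10:02:10Z web01.corp.example.com nginx: GET /api?token=eyJhbGciOiJIUzI1NiJ9.abc.def user=jdoe@example.com",
]

# Order matters: e-mail addresses and JWTs are matched before host names so the
# broader host pattern does not eat part of them.
PATTERNS = [
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("JWT", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("HOST", re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\.(?:com|net|org|local|corp)\b")),
    ("USER", re.compile(r"(?<=\bfor )\w+(?= from\b)")),
]

PLACEHOLDER_RE = re.compile(r"<[A-Z]+_\d+>")


class Redactor:
    def __init__(self):
        self._by_value = {}   # (kind, real value) -> placeholder
        self._by_token = {}   # placeholder -> real value (never leaves this host)
        self._counts = {}

    def _placeholder(self, kind, value):
        key = (kind, value)
        if key not in self._by_value:
            n = self._counts.get(kind, 0) + 1
            self._counts[kind] = n
            token = f"<{kind}_{n}>"
            self._by_value[key] = token
            self._by_token[token] = value
        return self._by_value[key]

    def redact(self, line):
        """Return line with every sensitive match replaced by its placeholder."""
        for kind, pattern in PATTERNS:
            line = pattern.sub(lambda m, k=kind: self._placeholder(k, m.group(0)), line)
        return line

    def reveal(self, text):
        """Map placeholders in the model's answer back to real values, locally."""
        return PLACEHOLDER_RE.sub(lambda m: self._by_token.get(m.group(0), m.group(0)), text)


def redact_logs(lines):
    """Redact a batch of lines with one shared mapping; returns (lines, redactor)."""
    r = Redactor()
    return [r.redact(line) for line in lines], r


if __name__ == "__main__":
    safe, r = redact_logs(SAMPLE_LOGS)
    print("\n".join(safe))      # this is the only text that should reach the model
    print(r.reveal(safe[0]))    # the mapping stays on the analyst's machine
```

Because the placeholders are numbered per kind rather than hashed, nothing about the original value is recoverable from the redacted text, and `reveal()` lets the analyst paste the model's answer back and read it with the real hosts and addresses restored.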
In addition to how ChatGPT impacts phishing, Sigler told federal officials that phishing remains the most common way to achieve a foothold in internal networks. Additionally, because phishing involves taking advantage of human naivete and carelessness, threat actors are increasing their focus on social engineering as a threat vector.
Trustwave SpiderLabs researchers noted how quickly attackers are adapting to specific security measures that were put in place to counter email-based threats.
One of the most common attack methods is via macros in Word, Excel, or other Microsoft Office documents, typically delivered as attachments to malicious emails. So, in 2022 Microsoft began blocking by default the execution of macros in Office documents that carry the mark of the web (that is, files downloaded from the internet); the change did not cover MS Publisher or MS OneNote. However, instead of stopping or deterring such attacks, threat actors simply shifted to Publisher and OneNote documents in their phishing campaigns.
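OneNote lures work by embedding a script or executable inside the section file and covering it with a "double-click to view" graphic, so a gateway check that carves out the embedded objects catches them regardless of the social-engineering wrapper. The scanner below is an added example, not Trustwave's code. It relies on two published details of Microsoft's [MS-ONESTORE] format: a `.one` file starts with the GUID `{7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}`, and every embedded file sits in a FileDataStoreObject consisting of a header GUID, an 8-byte little-endian length, 4 unused and 8 reserved bytes, the file data, and a footer GUID. The sample file, the `build_object()` helper that assembles it, and the payload classification rules are constructed for illustration.

```python
"""Carve embedded file objects out of a OneNote (.one) section and flag risky ones.

Added example, not Trustwave's code. Per [MS-ONESTORE], a .one file starts with
{7B5C52E4-D88C-4DA7-AEB1-5378D02996D3} and each embedded file is stored in a
FileDataStoreObject: header GUID (16 bytes), cbLength (8-byte little-endian),
4 unused bytes, 8 reserved bytes, the file data, then a footer GUID (16 bytes).
Scanning for the header GUID recovers payloads without parsing anything else.
The sample below is built with build_object(); it is not a real lure.
"""
import struct
import uuid

ONE_MAGIC = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
HEADER_GUID = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FOOTER_GUID = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
HEADER_LEN = 16 + 8 + 4 + 8  # guid + cbLength + unused + reserved

# Benign types are recognised by magic bytes; anything else is surfaced.
BENIGN_MAGIC = [(b"\x89PNG", "PNG image"), (b"\xff\xd8\xff", "JPEG image"), (b"%PDF", "PDF document")]


def classify(data):
    """Return (description, risky) for an embedded payload (heuristics are illustrative)."""
    head = data[:512]
    for magic, desc in BENIGN_MAGIC:
        if head.startswith(magic):
            return desc, False
    low = head.lower()
    if head.startswith(b"MZ"):
        return "PE executable", True
    if b"<script" in low or b"hta:application" in low:
        return "HTA/HTML script", True
    if b"wscript" in low or b"createobject" in low:
        return "VBScript/JScript", True
    if b"powershell" in low or low.lstrip().startswith((b"@echo", b"cmd ", b"start ")):
        return "batch/PowerShell", True
    return "unknown", True  # OneNote lures rarely embed anything harmless besides images


def is_onenote(blob):
    return blob[:16] == ONE_MAGIC


def extract_embedded(blob):
    """Yield one dict per FileDataStoreObject found anywhere in blob."""
    pos = 0
    while (pos := blob.find(HEADER_GUID, pos)) >= 0:
        if pos + HEADER_LEN > len(blob):
            break
        (length,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + HEADER_LEN
        payload = blob[start:start + length]
        footer = blob[start + length:start + length + 16]
        yield {
            "offset": pos,
            "size": length,
            "payload": payload,
            # a truncated object or a missing footer still deserves a look
            "intact": len(payload) == length and footer == FOOTER_GUID,
        }
        pos = start + len(payload)


def scan_one(blob):
    """Return findings for every embedded object; [] if blob is not a .one file."""
    if not is_onenote(blob):
        return []
    findings = []
    for obj in extract_embedded(blob):
        desc, risky = classify(obj["payload"])
        findings.append({"offset": obj["offset"], "size": obj["size"],
                         "intact": obj["intact"], "type": desc, "risky": risky})
    return findings


def build_object(payload):
    """Wrap payload in a FileDataStoreObject (used only to build the sample)."""
    return HEADER_GUID + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload + FOOTER_GUID


# Constructed sample: file magic, filler, a PNG, filler, then an HTA-style lure.
HTA_LURE = b'<html><script language="VBScript">Set s = CreateObject("WScript.Shell")</script></html>'
SAMPLE_ONE = (ONE_MAGIC + b"\0" * 64
              + build_object(b"\x89PNG\r\n\x1a\n" + b"\0" * 32)
              + b"\0" * 16
              + build_object(HTA_LURE))

if __name__ == "__main__":
    for f in scan_one(SAMPLE_ONE):
        print(f"offset={f['offset']:#x} size={f['size']} type={f['type']} "
              f"risky={f['risky']} intact={f['intact']}")
```

A mail gateway rule built on this would quarantine any `.one` attachment whose embedded objects include something other than an image, rather than trying to keep up with each new payload type; the `intact` flag catches objects whose declared length runs past the end of the file, which is worth surfacing as a malformed sample in its own right.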
Recently, in March 2023, SpiderLabs discovered a malicious Publisher file that delivered a novel infostealer family the team named Rilide. The Ekipa RAT and the Aurora stealer are used to download and install Rilide, which targets Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera.
Rilide is a browser extension that mimics legitimate Google Drive extensions. Running as a component of the web browser itself, it lets threat actors carry out a broad spectrum of malicious activities, including monitoring browsing history, taking screenshots, and injecting malicious scripts to withdraw funds from various cryptocurrency exchanges.
Trustwave also found phishing attacks using the InterPlanetary File System (IPFS), a distributed peer-to-peer (P2P) file-sharing system. Trustwave first spotted the use of IPFS early last summer, when the team observed more than 3,000 emails containing IPFS-hosted phishing URLs over a 90-day period, and it has since become evident that IPFS is an increasingly popular platform for phishing websites. Because IPFS content is addressed by a hash of the content (its CID) rather than by where it is hosted, and is served through many public gateways, threat actors can publish malware and phishing pages into that network with little fear of the content being taken down: blocking one gateway hostname simply sends victims to the same content through another.
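The practical consequence for defenders is to key detections on the CID rather than on the gateway hostname. The script below is an added example, not Trustwave's code: it pulls URLs out of an email body, recognises the three ways IPFS content is commonly addressed (path-style `https://<gateway>/ipfs/<CID>/...`, subdomain-style `https://<CID>.ipfs.<gateway>/...`, and the `ipfs://` scheme), and collapses the hits to the set of CIDs to block. The gateway names in the sample are illustrative, the email body is constructed, and the CIDs are synthetic strings with the right alphabet and length rather than real content.

```python
"""Find IPFS-hosted phishing links in an email body and extract the content ID.

Added example, not Trustwave's code. IPFS content is addressed by its CID, not
by where it is hosted, so the same phishing page is reachable through any
public gateway. Blocking by CID therefore holds up when the attacker rotates
gateways. The sample e-mail is constructed and the CIDs are synthetic.
"""
import re
from urllib.parse import urlparse

# CIDv0: "Qm" + 44 base58 chars. CIDv1 in base32: "b" + base32 alphabet (typically 59 chars total).
CID = r"(?:Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{50,})"
CID_RE = re.compile(CID)
PATH_RE = re.compile(r"^/ipfs/(" + CID + r")(?:/|$)")
HOST_RE = re.compile(r"^(" + CID + r")\.ipfs\.")
URL_RE = re.compile(r"(?:https?|ipfs)://[^\s<>\"']+", re.I)


def ipfs_cid(url):
    """Return the CID if url addresses IPFS content via any gateway, else None."""
    p = urlparse(url)
    if p.scheme.lower() == "ipfs" and CID_RE.fullmatch(p.netloc):
        return p.netloc                      # ipfs://<CID>/path
    host = p.hostname or ""                  # lower-cased by urlparse
    m = HOST_RE.match(host) or PATH_RE.match(p.path)
    return m.group(1) if m else None


def scan_email(text):
    """Return (url, cid) for every IPFS URL found in an email body."""
    hits = []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;)>")     # drop trailing punctuation from prose
        cid = ipfs_cid(url)
        if cid:
            hits.append((url, cid))
    return hits


def block_keys(hits):
    """Collapse hits to the CIDs to block; a gateway-hostname blocklist is futile."""
    return sorted({cid for _, cid in hits})


# Synthetic CIDs of the correct alphabet and length (not real content).
FAKE_CID_V1 = "bafybei" + "constructed" * 4 + "sampleab"   # 59 chars, base32
FAKE_CID_V0 = "Qm" + "ConstructedCid" * 3 + "Ab"            # 46 chars, base58

# Constructed phishing e-mail body: the same page via two gateways, plus a decoy.
SAMPLE_EMAIL = f"""Your mailbox is almost full. Verify now:
https://ipfs.io/ipfs/{FAKE_CID_V1}/login.html
Alternate link: https://{FAKE_CID_V1}.ipfs.dweb.link/login.html.
Legacy: https://gateway.pinata.cloud/ipfs/{FAKE_CID_V0}/index.html
Unrelated: https://example.com/ipfs-overview/
"""

if __name__ == "__main__":
    hits = scan_email(SAMPLE_EMAIL)
    for url, cid in hits:
        print(cid, "<-", url)
    print("block:", block_keys(hits))
```

In the sample the first two links point at the same CID through different gateways, which is exactly the rotation the extracted key survives; a rule that matched on `ipfs.io` alone would have missed the second one.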
Sigler is a 20-year information security veteran responsible for research and analysis of current vulnerabilities, malware, and threat trends at Trustwave. In addition to maintaining the Threat Intelligence program, Sigler and his team manage IDS/IPS signature development, serve as the liaison with Microsoft MAPP, and coordinate Trustwave's Responsible Vulnerability Disclosure program.