WEEKLY TOP TEN: March 18, 2024, 15:00 GMT
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ original ones we determined to be most significant during the course of the week, ranking by highest risk and using multiple sources when available:
- Google’s Gemini AI Susceptible to LLM Threat
The popularity of AI platforms has exploded recently, with one of the most popular uses being for writing and content creation. Typically, as popularity increases, so does potential malicious use. Researchers at HiddenLayer have identified three vulnerabilities with Google’s Gemini large language model (LLM). The first vulnerability leaks the system prompts. The second vulnerability makes the model generate false information. The final vulnerability identified could cause Gemini to leak information. - Flaws in ChatGPT Extensions Allow Access to Sensitive Data
Sticking with AI, this time, the research team at Salt Labs identified three vulnerabilities with ChatGPT plugins. The first vulnerability was found in ChatGPT’s code approval process, allowing the installation of malicious plugins that gave access to user accounts. The second vulnerability was in PluginLab, which didn’t authenticate user accounts. The Salt Labs team discovered OAuth redirection manipulation as the final vulnerability. - Ivanti 1-Day Bug Exploited Within Hours
A command injection vulnerability in Ivanti Connect Secure and Policy Secure gateways was rated 9.1 out of 10 on the CVSS scale (CVE-2024-21887). This vulnerability allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on a compromise appliance. Within just one day of the release of the POC exploit, a previously hidden threat actor by the name of Magnet Goblin (as per CheckPoint) had malware capable of exploiting it. - Cybercriminals Deploying Trojans via AWS and GitHub
Researchers at Fortinet FortiGuard Labs have identified a new phishing campaign delivering remote access trojans. The malware, a malicious JAR file, is stored on public services. If the user’s payment information is verified via the aforementioned phishing campaign, the JAR file is downloaded. The trojan then downloads information-stealing and keylogger modules from the same public services from which the initial JAR file is retrieved. - Healthcare’s Ransomware Epidemic
The healthcare sector contains a gold mine of information, which poses an ideal target for adversaries. The industry has a very low tolerance for disruption and a strong incentive to settle attacks as quickly as possible; lives may depend on it. According to an FBI report, there were 249 ransomware cases against the healthcare industry in 2023—more than twice as many as against the financial services industry.
Many different devices are found within a single institute, including patient devices (71% of which were found to have no endpoint protection), although these are unlikely to be targeted. Medical devices were found to be running end-of-life or unsupported operating systems, with many of the unsupported devices being unmanaged. - Document Publishing Sites Leveraged for Credential and Session Token Theft
The research team over at Cisco Talos has observed the use of legitimate DDP sites for phishing, credential theft, and session token theft. Deploying phishing lures on these sites increases the likelihood of a successful attack due to their reputation and their absence from block lists. - Ransomware Attacks on SMBs Increasing.
Sophos has identified increased attacks against small and midsize businesses (SMBs), with the most common attacks coming from infostealers, ransomware, and business email compromise (BEC). The team at Sophos explains that the primary reason behind this is a lack of resources, with SMBs typically having underinvested and inexperienced cybersecurity teams. - Ransomware “Talent” Surges to Akira After LockBit’s Demise
When the National Crime Agency oversaw a joint operation to shut down LockBit’s operations, it garnered international attention. However, the individuals once involved with LockBit have reportedly moved to Akira. The Akira ransomware group was first identified in March 2023 and has been known to target companies based in North America. The group was initially affiliated with the now-defunct Conti ransomware gang and can now seemingly add LockBit to the list. - SVG Files Abused in Emerging Campaigns
It’s not unusual for adversaries to abuse different image file formats (JPEG and PNG) to deliver payloads, utilizing steganography to hide said payloads. However, researchers have identified recent campaigns abusing Scalable Vector Graphics (SVG) files. The use of this file format is far from new, with the initial use of SVG files identified as far back as 2015. Two recent campaigns have been identified using AutoSmuggle to deliver XWorm RAT, which is ongoing, and Agent Tesla, which lasted until February. - Stanford University Suffers from Ransomware Attack
Stanford University recently confirmed a ransomware attack that resulted in the theft of 27,000 people’s private data. In May 2023, the university’s networks were compromised, and the threat actors continued to exist until September. The company attested that no other networks were compromised and that the Stanford Department of Public Safety was the sole target of the breach. Stanford has not named its attackers, but the threat actor Akira claimed responsibility.