
Read monthly stories from Cybersixgill’s threat experts on the latest threat actor tactics, techniques, and procedures. Each story details a new underground threat, the attackers involved, and how you can act to mitigate the risks. Learn about top vulnerabilities and see the latest ransomware and malware trends from the deep and dark web.
Stolen ChatGPT Credentials Flood Dark Web Markets
Over the past year, 100,000 stolen ChatGPT credentials were promoted on underground sites, offered for free, and sold on dark web marketplaces for as little as $5.
Stolen ChatGPT credentials include usernames, passwords, and other personal information associated with the account. This is a problem because ChatGPT accounts may retain sensitive material from past queries, including confidential data and intellectual property. Businesses are increasingly incorporating ChatGPT into their daily workflows, which means employees may paste confidential content, including proprietary code, into the chat. In addition to ads for AI chatbots that can allegedly generate malicious content, Cybersixgill threat analysts have detected ads for stolen ChatGPT credentials on a popular dark web marketplace.
What should businesses do to protect their employees and critical assets from the unintended risks posed by ChatGPT?
Pro-Russian hacktivists attack Microsoft platform, threaten European banking system
A highly active pro-Russian hacktivist group took multiple Microsoft platforms offline and demanded US$1 million to stop the attacks. The extortion demand mirrors the group's approach in a recent distributed denial of service (DDoS) attack targeting Scandinavian Airlines. Microsoft initially gave an evasive explanation for the outage, but later confirmed that a Layer 7 DDoS attack by a hacktivist group had rendered the web portals for Azure, Outlook, and OneDrive inaccessible. In addition to the group boasting of the Microsoft attacks underground, our threat experts observed the announcement of a new pro-Russian coalition whose members plan attacks on European banking systems.
DDoS attacks have intensified since Russia invaded Ukraine in February 2022, but the recent move to hacktivist threats marks the emergence of a financial dimension to politically motivated incidents. With these risks in mind, what should organizations do to prepare for further DDoS attacks by pro-Russian gangs and possible extortion claims that follow?
New malware steals data from browsers and password managers
A Russian-language cybercrime forum carries ads for a new information stealer. The stealer debuted in April 2023, but sales reportedly spiked in June, which may indicate an increase in attacks using the malware. It is said to target nearly 200 browsers, browser extensions, password managers, and other applications. Our threat research team observed threat actors questioning the stealer's capabilities, in addition to the malware's developers promoting it underground.
When run, the stealer collects operating system and hardware details and sends screenshots to the attacker's command and control (C2) server. It then targets specific information stored in various applications, including web browsers. The malware can be rented for $150 per month or $390 for four months and is advertised on popular cybercrime forums monitored by Cybersixgill.
Infostealers remain popular in the underground, as the emergence of this new family shows. Such tools extract sensitive information including credentials and other valuable data. With powerful and easy-to-use stealers readily available underground, what should organizations do to protect against such threats?
New Critical VMware Vulnerability Exploited in the wild
VMware recently released an advisory for a critical remote code execution (RCE) vulnerability, CVE-2023-20887, warning that attackers are already exploiting the flaw. Although updates have been released to address the command injection vulnerability, unpatched instances of VMware's Aria Operations for Networks remain highly exposed. An attacker with network access to Aria Operations for Networks could leverage CVE-2023-20887 to inject malicious commands, leading to data theft, data corruption, or even complete system compromise.
As of July 3, 2023, Cybersixgill's DVE module assigned CVE-2023-20887 a high score (9.23), reflecting the threat the flaw poses to unpatched systems. The score is dynamic and may continue to rise, particularly given the publicly available proofs of concept (PoCs) for the CVE that threat hunters have published on GitHub. According to data collected by the Cybersixgill Investigative Portal, CVE-2023-20887 is associated with at least one Advanced Persistent Threat (APT) group, which suggests the vulnerability is likely being actively exploited by sophisticated attackers capable of bypassing traditional security measures.
Our threat experts have also observed a PoC for this vulnerability shared underground. Ransomware groups may see the flaw as an opportunity to launch attacks and demand payment in a double extortion scheme. With this in mind, what should businesses running VMware products do to stop cybercriminals?
Subscribe to Cybersixgill's monthly Beyond the Headlines magazine to receive detailed insights from our threat research team each month on the latest threats and attacker TTPs in the deep and dark web.