Vercara’s Open-Source Intelligence (OSINT) Report – January 10 – January 16, 2025

Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here. NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

New ransomware group FunkSec using AI to develop malware

(TLP: CLEAR) Recent reporting sheds light on the FunkSec ransomware group, a collective that emerged in late 2024 claiming to have racked up over 85 ransomware victims in December 2024, surpassing all other ransomware groups during that time period. However, reporting indicates that deeper analysis suggests their cyber exploits may be exaggerated, as many of their leaked datasets are recycled from previous hacktivist campaigns. Presenting themselves as a Ransomware-as-a-Service (RaaS) operation, FunkSec offers custom ransomware tools written in Rust, employing RSA and AES encryption. Despite their rapid iteration, inefficiencies and redundancies in their code suggest the ransomware was created by an inexperienced developer, likely based in Algeria. Their rapid development cycles are enabled by AI-assisted tools, which enhance their capabilities despite their limited technical expertise. FunkSec delivers its malware through phishing sites and GitHub repositories disguised as cracked software, further expanding its reach. In addition to ransomware services, the group offers an arsenal of additional tools, such as a custom DDoS tool, HVNC servers for stealthy remote access, and password-scraping utilities, enhancing their operational versatility. The group operates under aliases like Scorpion and El Farado, whose overlapping responsibilities and poor operational security have exposed vulnerabilities in their activities. For instance, Scorpion inadvertently revealed their connection to Algeria through metadata embedded in shared screenshots. Following Scorpion’s ban from cybercrime forums, El Farado emerged as the leading figure, actively promoting FunkSec’s campaigns and hosting stolen data leaks on their .onion site. FunkSec’s motivations straddle the line between political hacktivism and financial crime. While publicly supporting causes such as the “Free Palestine” movement, their actions clearly align with cybercriminal objectives, with victims primarily located in India and the United States.

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.”

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices and inspects the DNS response for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations. 

Source: https://blog.checkpoint.com/research/meet-funksec-a-new-surprising-ransomware-group-powered-by-ai/

OpenAI’s ChatGPT crawler can be tricked into DDoSing sites

(TLP: CLEAR) Microsoft shared a recent security write-up exposing a vulnerability in OpenAI’s ChatGPT crawler that potentially enabled threat actors to initiate Distributed Denial of Service (DDoS) attacks on targeted websites. According to the write-up, by sending a single HTTP POST request to the ChatGPT API’s /backend-api/attributions endpoint, an attacker can prompt the ChatGPT crawler to flood a specified website with numerous requests. This occurs because the API does not adequately verify if multiple hyperlinks in the urls parameter point to the same resource, nor does it limit the number of hyperlinks processed per request. Consequently, a single API call can generate thousands of requests to a target site, potentially overwhelming its servers and causing service disruptions. Security researchers later advised administrators to monitor traffic patterns and implement appropriate safeguards to mitigate potential DDoS attacks originating from this vulnerability. Given OpenAI’s growing role in AI-driven web interactions, this bug highlights the broader risks associated with unchecked AI crawlers and the need for stronger API security governance. Despite the severity of this vulnerability, OpenAI has yet to acknowledge or address the issue.

(TLP: CLEAR) Comments: The recent discovery of a vulnerability in OpenAI’s ChatGPT web crawler highlights a significant security risk, particularly in the realm of DDoS amplification attacks. By manipulating the /backend-api/attributions endpoint, threat actors can trigger an uncontrolled number of HTTP requests to a target website. This occurs due to inadequate input validation, lack of rate limiting, and an absence of duplicate URL detection, making it possible for a single API call to generate thousands of requests.
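The three gaps named above (no input validation, no cap on hyperlinks per request, no duplicate-URL detection) are the checks an API handler should apply before fanning out any fetches. The Python below is an added example written for this report, not OpenAI’s code or a reconstruction of it: the limits, the `handle_attributions_request` handler, and the `{"urls": [...]}` request shape are assumptions chosen to illustrate the mitigation. It normalizes each URL so that trivially different spellings of one resource collapse to one fetch, rejects oversized batches outright rather than truncating them, and enforces a per-host ceiling so one request cannot concentrate its fetches on a single site.

```python
from collections import Counter
from urllib.parse import urlsplit, urlunsplit

# Assumed policy values for illustration; the page does not state what the
# real endpoint should allow.
MAX_URLS_PER_REQUEST = 20
MAX_URLS_PER_HOST = 5


def normalize_url(url: str) -> str:
    """Canonicalize a URL so that trivially different spellings of the same
    resource (host case, default port, fragment) compare equal."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("unsupported scheme or missing host")
    default_port = 80 if scheme == "http" else 443
    port = parts.port  # raises ValueError on a malformed port
    host = parts.hostname.lower()
    netloc = host if port in (None, default_port) else f"{host}:{port}"
    path = parts.path or "/"
    # The fragment never reaches the origin server, so it is dropped; the
    # query string is kept because it can select a different resource.
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def validate_url_batch(urls):
    """Deduplicate and cap a list of URLs.

    Returns (accepted, rejected): accepted is the list of normalized URLs
    that may be fetched; rejected is a list of (original, reason) pairs.
    """
    accepted, rejected = [], []
    seen = set()
    per_host = Counter()
    for raw in urls:
        if not isinstance(raw, str):
            rejected.append((raw, "not a string"))
            continue
        try:
            norm = normalize_url(raw)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        if norm in seen:
            rejected.append((raw, "duplicate resource"))
            continue
        host = urlsplit(norm).hostname
        if per_host[host] >= MAX_URLS_PER_HOST:
            rejected.append((raw, "per-host limit reached"))
            continue
        seen.add(norm)
        per_host[host] += 1
        accepted.append(norm)
    return accepted, rejected


def handle_attributions_request(payload):
    """Hypothetical API handler: returns (http_status, response_body).

    Oversized batches are refused rather than truncated, so a single call
    can never fan out into more fetches than the cap allows.
    """
    urls = payload.get("urls") if isinstance(payload, dict) else None
    if not isinstance(urls, list):
        return 400, {"error": "urls must be a list"}
    if len(urls) > MAX_URLS_PER_REQUEST:
        return 400, {"error": f"at most {MAX_URLS_PER_REQUEST} urls per request"}
    accepted, rejected = validate_url_batch(urls)
    return 200, {"fetch": accepted, "rejected": rejected}


if __name__ == "__main__":
    # Constructed request body: several spellings of the same two resources.
    status, body = handle_attributions_request({"urls": [
        "https://example.com/", "https://EXAMPLE.com:443/",
        "http://example.com/a#top", "http://example.com/a",
        "ftp://example.com/x",
    ]})
    print(status, body)
```

Rate limiting per caller is the remaining control from the list above; it belongs in front of this handler (per API key or client IP) rather than inside the batch validation, which only bounds the fan-out of one request.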

(TLP: CLEAR) Recommended best practices/regulations: OWASP API Top 10, API9:2023 “Improper Inventory Management”:

  • Inventory all API hosts and document important aspects of each one of them, focusing on the API environment (e.g. production, staging, test, development), who should have network access to the host (e.g. public, internal, partners) and the API version.
  • Inventory integrated services and document important aspects such as their role in the system, what data is exchanged (data flow), and their sensitivity.
  • Document all aspects of your API such as authentication, errors, redirects, rate limiting, cross-origin resource sharing (CORS) policy, and endpoints, including their parameters, requests, and responses.
  • Generate documentation automatically by adopting open standards. Include the documentation build in your CI/CD pipeline.
  • Make API documentation available only to those authorized to use the API.
  • Use external protection measures such as API security specific solutions for all exposed versions of your APIs, not just for the current production version.
  • Avoid using production data with non-production API deployments. If this is unavoidable, these endpoints should get the same security treatment as the production ones.
  • When newer versions of APIs include security improvements, perform a risk analysis to inform the mitigation actions required for the older versions. For example, whether it is possible to backport the improvements without breaking API compatibility or if you need to take the older version out quickly and force all clients to move to the latest version.

(TLP: CLEAR) Vercara: Vercara’s UltraAPI Bot Manager detects and prevents sophisticated automated API attacks and business logic abuse using hundreds of ML rules that leverage an API threat database with billions of malicious behaviors, IP addresses, and organizations. Native, policy-based response options ensure that detected attacks are blocked in real time without reliance on a third-party WAF or other security components.

Vercara UltraDDoS Protect can accept traffic in an always-on or on-demand mode with DNS and API-based integration options that can adapt to your existing technology stack and operational practices. UltraDDoS Protect also includes a variety of options to automate detection to mitigation so that DDoS attacks can be thwarted immediately or within seconds.

Source: https://www.theregister.com/2025/01/19/openais_chatgpt_crawler_vulnerability/

Source: https://github.com/bf/security-advisories/blob/main/2025-01-ChatGPT-Crawler-Reflective-DDOS-Vulnerability.md

Python-based malware powers RansomHub ransomware to exploit network flaws

(TLP: CLEAR) Back on January 15, 2025, security researchers reported on a recently discovered Python-based malware shell used by threat actors to compromise and gain persistent access to targeted systems in order to deploy RansomHub ransomware. Earlier variants of RansomHub were first documented last year in February 2024. According to recent reporting, the latest upgrade displays a variety of enhancements, from evasive techniques such as obfuscation via PyObfuscate[.]com, to deployment through Remote Desktop Protocol (RDP) for lateral movement. Some indicators of compromise (IoCs) could also be identified, such as command-and-control (C2) infrastructure, scheduled task names and unique filenames. These refinements primarily enhance evasion techniques while preserving core functionality. Furthermore, the initial access and installation sequence followed a structured methodology: deploying the backdoor into a target directory by exploiting SocGholish (FakeUpdate) infections, installing Python and required libraries, configuring a proxy script, and finally establishing persistence through scheduled tasks. This approach remained consistent across both the initially infected hosts and those compromised during lateral movement, ensuring the backdoor’s continued operation across the targeted environment. The proxy script in question functions as a reverse proxy, establishing a SOCKS5-like tunnelling mechanism to facilitate stealthy lateral movement within the compromised network. It then connects to a hardcoded C2 IP address, efficiently proxying traffic through a TCP tunnel to maintain covert communication. The script is meticulously crafted, showcasing polished code and robust error handling, strongly suggesting the involvement of AI-assisted development.

(TLP: CLEAR) Comments: The aforementioned findings surrounding this Python-based malware shell highlight the increasing sophistication of modern ransomware campaigns. The integration of obfuscation techniques, such as those provided by PyObfuscate[.]com, coupled with the use of RDP for lateral movement, demonstrates a calculated focus on stealth and evasion. Additionally, the malware’s ability to function as a SOCKS5-like proxy for tunnelling traffic, combined with its robust error handling and polished code, underscores a concerning growing trend and the likely use of AI-assisted development in malware creation. This development not only enhances the operational capabilities of the malware but also increases the barriers for detection and mitigation.

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”. By enforcing a content filtering policy to block typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that are introduced into their organization unknowingly by their users. This can be done via a protective DNS or forward web proxy solution with website category feeds.

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), can detect and block malware delivery and command and control (C2) techniques such as phishing, domain generation algorithms, and DNS tunneling to reduce both the quantity and impact of infections.

Source: https://thehackernews.com/2025/01/python-based-malware-powers-ransomhub.html

Italy subjected to pro-Russian DDoS attacks anew

(TLP: CLEAR) Recent reporting has highlighted Italy’s recent experience of a series of coordinated Distributed Denial-of-Service (DDoS) attacks targeting key governmental and financial institutions. According to reporting, the pro-Russian hacktivist group NoName057(16) claimed responsibility for these attacks, citing Italy’s continued support for Ukraine as the provocation. Among the affected entities were the Foreign Affairs and Infrastructure and Transport ministries, the Air Force, the Navy, major banks such as Intesa Sanpaolo and Monte dei Paschi di Siena, public transport companies Amt and Atac, and the financial markets regulator Consob. The attacks led to temporary disruptions of online services, though critical operations, including air travel, remained unaffected. Italy’s National Cybersecurity Agency (ACN) responded promptly, mitigating the impact within hours. This incident underscores the persistent cyber threats faced by nations supporting Ukraine and highlights the need for robust cybersecurity measures to protect critical infrastructure.

(TLP: CLEAR) Comments: The DDoS attacks on Italy’s critical institutions by pro-Russian hacktivist group NoName057(16) illustrate the ongoing weaponization of cyber operations in geopolitical conflicts, particularly against nations supporting Ukraine. While Italy’s National Cybersecurity Agency (ACN) demonstrated resilience by rapidly mitigating the attacks, the incident underscores the vulnerabilities in critical infrastructure and the persistent threat from ideologically driven actors. Proactive measures such as advanced DDoS mitigation strategies, enhanced threat intelligence sharing across allied nations, and coordinated incident response frameworks are vital to reducing the impact of such attacks.

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.IR-04: “Adequate resource capacity to ensure availability is maintained.” Businesses, particularly those located within NATO and allies, should maintain constant vigilance and regularly test and enhance their cybersecurity defensive capabilities, specifically DDoS mitigation strategies, architecture, monitoring, and procedures.

(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources.

Source: https://www.scworld.com/brief/italy-subjected-to-pro-russian-ddos-attacks-anew

Google Ads Users Targeted in Malvertising Scam Stealing Credentials and 2FA Codes

(TLP: CLEAR) Recent intelligence reporting reveals a highly sophisticated malvertising campaign targeting Google Ads users, where threat actors craft deceptive advertisements that impersonate legitimate Google Ads. Once clicked, these ads redirect victims to fraudulent login pages hosted on Google Sites, designed specifically to harvest user credentials and two-factor authentication (2FA) codes in real time via WebSocket connections. The harvested information is immediately transmitted to attacker-controlled servers, enabling cybercriminals to compromise accounts, escalate privileges by adding new administrators, and hijack advertising budgets to fuel further malicious campaigns. Additionally, a key tactic exploited in this operation leverages a loophole in Google Ads policies, which permits the display URL to differ from the final landing page, provided the domains remain the same. This allowed attackers to host phishing pages on sites.google[.]com while displaying ads.google[.]com as the display URL, making the deception far more convincing. Further investigation indicates that the threat actors behind this campaign are likely Portuguese speakers operating out of Brazil, as indicated by their use of .pt top-level domains in phishing infrastructure.

(TLP: CLEAR) Comments: The aforementioned development reflects a broader trend of cybercriminals weaponizing platforms like YouTube and SoundCloud to distribute malware-laced links disguised as pirated software installers. These deceptive downloads act as delivery mechanisms for multiple malware families, including Amadey, Lumma Stealer, Mars Stealer, Penguish, PrivateLoader, and Vidar Stealer, all engineered to steal credentials, exfiltrate sensitive data, and establish persistent access to compromised systems.

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:

  • Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typo-squats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.
  • Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.
  • Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depend on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attribute and tagging those associated with known DGA attributes, such as high entropy. 
  • Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., ‘gambling’) and warn or block on those that are deemed a risk for a given environment.”

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware and phishing and other abuses: 

  • The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.
  • The Categories Engine uses Vercara-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.
  • The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.
  • The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR.
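To make the two lists above concrete (the CISA domain classes a PDNS service addresses, and the layered list / category / heuristic engines a resolver-side filter can stack), here is an added Python example written for this report. It is not UltraDDR code and does not reflect how Vercara’s engines are implemented; the feed contents are constructed, the `.test` names are reserved and resolve nowhere, the last-two-labels registrable-domain shortcut stands in for a Public Suffix List lookup, the allow-list-first evaluation order and the entropy and vowel thresholds of the DGA heuristic are all assumptions. The point it demonstrates is how a query name is checked against a customer list, then a category feed under an administrator’s block policy, then a textual heuristic for previously unseen DGA-style names, in that order.

```python
import math
from collections import Counter

# Constructed sample feeds for illustration only; none of these entries are
# real threat-intelligence data.
CUSTOMER_ALLOW_LIST = {"updates.example.test"}
CUSTOMER_BLOCK_LIST = {"login-verify.test"}
CATEGORY_FEED = {
    "bad-downloads.test": "malware",
    "secure-bank-login.test": "phishing",
    "casino.test": "gambling",
}
# Policy: categories the administrator has chosen to block.
BLOCKED_CATEGORIES = {"malware", "phishing", "gambling"}


def registrable_domain(fqdn: str) -> str:
    """Naive registrable domain (last two labels). A real resolver would
    consult the Public Suffix List; this shortcut is an assumption here."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of the string."""
    n = len(text)
    counts = Counter(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_dga(fqdn: str, min_len: int = 12, threshold: float = 3.5) -> bool:
    """Heuristic check on the registrable label: long, high-entropy and
    vowel-poor labels are flagged. Thresholds are assumed tuning values."""
    label = registrable_domain(fqdn).split(".")[0]
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= threshold and vowel_ratio < 0.3


def classify(fqdn: str):
    """Evaluate the engines in order and return (verdict, reason).

    Order assumed for this example: customer allow list, customer block
    list, category feed under the block policy, then the DGA heuristic.
    """
    host = fqdn.rstrip(".").lower()
    domain = registrable_domain(host)
    if host in CUSTOMER_ALLOW_LIST or domain in CUSTOMER_ALLOW_LIST:
        return "allow", "allow-list"
    if host in CUSTOMER_BLOCK_LIST or domain in CUSTOMER_BLOCK_LIST:
        return "block", "block-list"
    category = CATEGORY_FEED.get(domain)
    if category in BLOCKED_CATEGORIES:
        return "block", f"category:{category}"
    if looks_like_dga(host):
        return "block", "heuristic:dga"
    return "allow", "no-match"


def filter_queries(log_lines):
    """Apply classify() to constructed resolver log lines of the form
    '<client-ip> <qname>' and return (client, qname, verdict, reason)."""
    results = []
    for line in log_lines:
        client, qname = line.split()
        verdict, reason = classify(qname)
        results.append((client, qname, verdict, reason))
    return results


if __name__ == "__main__":
    # Constructed query log: one benign name, one feed hit, one DGA-style name.
    sample = [
        "10.0.0.5 www.example.test",
        "10.0.0.6 www.bad-downloads.test",
        "10.0.0.7 xk3q9vb7zhtw2m.test",
    ]
    for row in filter_queries(sample):
        print(*row)
```

The heuristic stage is deliberately last: it produces false positives on legitimate names with unusual labels, so an allow list that wins before any other engine runs is what keeps a mistuned threshold from blocking something the business depends on.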

Source: https://thehackernews.com/2025/01/google-ads-users-targeted-in.html

About Vercara. The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond. To learn more about Vercara solutions, please contact us.