Traditional malware increasingly takes advantage of ChatGPT for attacks

Read Time:23 Second

Traditional malware techniques are increasingly taking advantage of interest in ChatGPT and other generative AI programs, according to a Palo Alto Networks report on malware trends.

“Between November 2022-April 2023, we noticed a 910% increase in monthly registrations for domains, both benign and malicious, related to ChatGPT,” according to the latest Network Threat Trends Research Report from Unit 42, the threat research arm of Palo Alto Networks.

To read this article in full, please click here

Read More

ChatGPT creates mutating malware that evades detection by EDR

Read Time:23 Second

A global sensation since its initial release at the end of last year, ChatGPT‘s popularity among consumers and IT professionals alike has stirred up cybersecurity nightmares about how it  can be used to exploit system vulnerabilities. A key problem, cybersecurity experts have demonstrated, is the ability of ChatGPT and other large language models (LLMs) to generate polymorphic, or mutating, code to evade endpoint detection and response (EDR) systems.

To read this article in full, please click here

Read More

Service Rents Email Addresses for Account Signups

Read Time:5 Minute, 7 Second

One of the most expensive aspects of any cybercriminal operation is the time and effort it takes to constantly create large numbers of new throwaway email accounts. Now a new service offers to help dramatically cut costs associated with large-scale spam and account creation campaigns, by paying people to sell their email account credentials and letting customers temporarily rent access to a vast pool of established accounts at major providers.

The service in question — kopeechka[.]store — is perhaps best described as a kind of unidirectional email confirmation-as-a-service that promises to “save your time and money for successfully registering multiple accounts.”

“Are you working on large volumes and are costs constantly growing?” Kopeechka’s website asks. “Our service will solve all your problems.”

As a customer of this service, you don’t get full access to the email inboxes you are renting. Rather, you configure your botnet or spam machine to make an automated application programming interface (API) call to the Kopeechka service, which responds with a working email address at an email provider of your choosing.

Once you’ve entered the supplied email address into the new account registration page at some website or service, you tell Kopeechka which service or website you’re expecting an account confirmation link from, and they will then forward any new messages matching that description to your Kopeechka account panel.

Ensuring that customers cannot control inboxes rented through the service means that Kopeechka can rent the same email address to multiple customers (at least until that email address has been used to register accounts at most of the major online services).

Kopeechka also has multiple affiliate programs, including one that pays app developers for embedding Kopeechka’s API in their software. However, far more interesting is their program for rewarding people who choose to sell Kopeechka usernames and passwords for working email addresses.

Kopeechka means “penny” in Russian, which is generous verbiage (and coinage) for a service that charges a tiny fraction of a penny for access to account confirmation links. Their pricing fluctuates slightly based on which email provider you choose, but a form on the service’s homepage says a single confirmation message from apple.com to outlook.com costs .07 rubles, which is currently equal to about $0.00087 dollars.

The pricing for Kopeechka works out to about a fraction of a penny per confirmation message.

“Emails can be uploaded to us for sale, and you will receive a percentage of purchases %,” the service explains. “You upload 1 mailbox of a certain domain, discuss percentage with our technical support (it depends on the liquidity of the domain and the number of downloaded emails).”

We don’t have to look very far for examples of Kopeechka in action. In May, KrebsOnSecurity interviewed a Russian spammer named “Quotpw who was mass-registering accounts on the social media network Mastodon in order to conduct a series of huge spam campaigns advertising scam cryptocurrency investment platforms.

Much of the fodder for that story came from Renaud Chaput, a freelance programmer working on modernizing and scaling the Mastodon project infrastructure — including joinmastodon.org, mastodon.online, and mastodon.social. Chaput told KrebsOnSecurity that his team was forced to temporarily halt all new registrations for these communities last month after the number of new registrations from Quotpw’s spam campaign started to overwhelm their systems.

“We suddenly went from like three registrations per minute to 900 a minute,” Chaput said. “There was nothing in the Mastodon software to detect that activity, and the protocol is not designed to handle this.”

After that story ran, Chaput said he discovered that the computer code powering Quotpw’s spam botnet (which has since been released as open source) contained an API call to Kopeechka’s service.

“It allows them to pool many bot-created or compromised emails at various providers and offer them to cyber criminals,” Chaput said of Kopeechka. “This is what they used to create thousands of valid Hotmail (and other) addresses when spamming on Mastodon. If you look at the code, it’s really well done with a nice API that forwards you the confirmation link that you can then fake click with your botnet.”

It’s doubtful anyone will make serious money selling email accounts to Kopeechka, unless of course that person already happens to run a botnet and has access to ridiculous numbers of email credentials. And in that sense, this service is genius: It essentially offers scammers a new way to wring extra income from resources that are already plentiful for them.

One final note about Quotpw and the spam botnet that ravaged Chaput’s Mastodon servers last month: Trend Micro just published a report saying Quotpw was spamming to earn money for a Russian-language affiliate program called “Impulse Team,” which pays people to promote cryptocurrency scams.

The crypto scam affiliate program “Project Impulse,” advertising in 2021.

Launched in 2020, websites under the banner of the Impulse Scam Crypto Project are all essentially “advanced fee” scams that tell people they have earned a cryptocurrency investment credit. Upon registering at the site, visitors are told they need to make a minimum deposit on the service to collect the award. However, those who make the initial investment never hear from the site again, and their money is gone.

Interestingly, Trend Micro says the scammers behind the Impulse Team also appear to be operating a series of phony website reputation services called ScamDoc that purport to check the trustworthiness and authenticity of various sites. Trend Notes that these ScamDoc sites routinely gave high trust ratings to a variety of cryptocurrency scam and casino websites.

“We can only suppose that either the same cybercriminals run operations involving both or that several different cybercriminals share the scam-doc[.]com site,” the Trend researchers wrote.

The ScamDoc fake reputation websites, which were apparently used to help make fake crypto investment platforms look more trustworthy. Image: Trend Micro.

According to the FBI, financial losses from cryptocurrency investment scams dwarfed losses for all other types of cybercrime in 2022, rising from $907 million in 2021 to $2.57 billion last year.

Read More

Multiple Vulnerabilities in Mozilla Products Could Allow for Arbitrary Code Execution

Read Time:34 Second

Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution.

Mozilla Firefox is a web browser used to access the Internet.
Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Read More

php-8.2.7-2.fc38

Read Time:2 Minute, 10 Second

FEDORA-2023-2455981016

Packages in this update:

php-8.2.7-2.fc38

Update description:

PHP version 8.2.7 (08 Jun 2023)

Core:

Fixed bug GH-11152 (Unable to alias namespaces containing reserved class names). (ilutov)
Fixed bug GH-9068 (Conditional jump or move depends on uninitialised value(s)). (nielsdos)
Fixed bug GH-11189 (Exceeding memory limit in zend_hash_do_resize leaves the array in an invalid state). (Bob)
Fixed bug GH-11063 (Compilation error on old GCC versions). (ingamedeo)
Fixed bug GH-11222 (foreach by-ref may jump over keys during a rehash). (Bob)

Date:

Fixed bug GH-11281 (DateTimeZone::getName() does not include seconds in offset). (nielsdos)

Exif:

Fixed bug GH-10834 (exif_read_data() cannot read smaller stream wrapper chunk sizes). (nielsdos)

FPM:

Fixed bug GH-10461 (PHP-FPM segfault due to after free usage of child->ev_std(out|err)). (Jakub Zelenka)
Fixed bug php#64539 (FPM status page: query_string not properly JSON encoded). (Jakub Zelenka)
Fixed memory leak for invalid primary script file handle. (Jakub Zelenka)

Hash:

Fixed bug GH-11180 (hash_file() appears to be restricted to 3 arguments). (nielsdos)

LibXML:

Fixed bug GH-11160 (Few tests failed building with new libxml 2.11.0). (nielsdos)

MBString:

Fix bug GH-11217 (Segfault in mb_strrpos / mb_strripos when using negative offset and ASCII encoding). (ilutov)

Opcache:

Fixed bug GH-11134 (Incorrect match default branch optimization). (ilutov)
Fixed too wide OR and AND range inference. (nielsdos)
Fixed missing class redeclaration error with OPcache enabled. (ilutov)
Fixed bug GH-11245 (In some specific cases SWITCH with one default statement will cause segfault). (nielsdos)

PCNTL:

Fixed maximum argument count of pcntl_forkx(). (nielsdos)

PGSQL:

Fixed parameter parsing of pg_lo_export(). (kocsismate)

Phar:

Fixed bug GH-11099 (Generating phar.php during cross-compile can’t be done). (peter279k)

Soap:

Fixed bug GHSA-76gg-c692-v2mw (Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP). (nielsdos, timwolla)
Fixed bug GH-8426 (make test fail while soap extension build). (nielsdos)

SPL:

Fixed bug GH-11178 (Segmentation fault in spl_array_it_get_current_data (PHP 8.1.18)). (nielsdos)

Standard:

Fixed bug GH-11138 (move_uploaded_file() emits open_basedir warning for source file). (ilutov)
Fixed bug GH-11274 (POST/PATCH request switches to GET after a HTTP 308 redirect). (nielsdos)

Streams:

Fixed bug GH-10031 ([Stream] STREAM_NOTIFY_PROGRESS over HTTP emitted irregularly for last chunk of data). (nielsdos)
Fixed bug GH-11175 (Stream Socket Timeout). (nielsdos)
Fixed bug GH-11177 (ASAN UndefinedBehaviorSanitizer when timeout = -1 passed to stream_socket_accept/stream_socket_client). (nielsdos)

Read More