AI-powered generative tools have supercharged phishing threats, so even newbie attackers can effortlessly create refined, individualized campaigns.
Protecting data and systems from this democratization of phishing abilities gives a new challenge for the defenders.
Zscalerβs Phishing Report 2024 is based on an analysis of more than 2 billion phishing reports that occurred in 2023 and provides insights into future trends, current campaigns, prime targets within various regions/industries/brands as well as threat actors using AI.
This report demonstrates the need for constant alertness and zero trust security against an evolving phishing landscape, with examples reflecting how AI is now being used to enhance such activities.
Free Webinar | Mastering WAAP/WAF ROI Analysis | Book Your Spot
Top Phishing Trends And Targets
Phishing surged 58.2% in 2023 as threat actors leveraged AI for sophisticated social engineering like voice/deepfake phishing.
Adversary-in-the-middle and emerging browser-in-the-browser attacks persisted.Β
The top targeted countries were:-
US
UK
India
Canada
Germany
Top targeted countries (Source – Zscaler)
Besides this, Finance and insurance faced 27.8% of attacks (a 393% year-over-year increase), the highest percentage across industries.
Industries targeted most (Source – Zscaler)
While Microsoft remained the most impersonated brand at 43.1% of phishing attempts. AI amplified reach and deception of phishing campaigns across multiple vectors.
However, there is a swap since, as it increases productivity, generative AI also serves as a two-edged sword by enabling even inexperienced threat actors to become the skilled social engineers that they are.
AI performs reconnaissance tasks automatically, personalizes email and communications to eliminate mistakes, and creates attractive phishing pages that are indistinguishable from genuine ones.
The report presented ChatGPT generating a login page for phishing within 10 prompts and includes warning signs to look out for.
Emerging sophisticated approaches include voice phishing (vishing) supported by AI and deepfake impersonation in the name of social engineering.
Phishing has grown worse due to generative AI because it allows quicker and more accurate attacks at multiple phases.
There is a global increase in the adoption of advanced AI-driven voice impersonation for vishing campaigns, which has caused great financial damage in some instances.
One of the biggest challenges related to AI cyber threats is deep fake phishing that perfectly copies facial appearances, voice,s and gestures.Β
The capability of AI-driven vishing and deepfake impersonation to be very sophisticated poses significant emergent challenges that strong organizational defenses must fulfil.
Mitigations
Here below, we have mentioned all the mitigations recommended by the researchers:-
Use AI-powered phishing prevention solutions that offer several capabilities, such as Browser Isolation, to combat AI-driven threats effectively.
Implement a Zero Trust architecture to prevent traditional and AI-driven phishing attacks at multiple stages.
Prevent compromise by inspecting TLS/SSL at scale.
Eliminate lateral movement by enabling direct user-to-application connections and implementing AI-powered app segmentation.
Detect and shut down compromised users and insider threats using inline inspection.
Prevent data loss by inspecting data in-motion and at-rest.
Adopt foundational security best practices to enhance overall resilience to phishing attacks.
Looking to Safeguard Your Company from Advanced Cyber Threats? DeployΒ TrustNetΒ to Your Radar ASAP.
The widely used MySQL2 has been discovered to have three critical vulnerabilities: remote Code execution, Arbitrary code injection, and Prototype Pollution.
The severity of these vulnerabilities ranges from 6.5 (Medium) to 9.8 (Critical). While only one of these vulnerabilities has been patched, the other two remain and must be fixed by the Vendor.Β
MySQL2 FlawVulnerability
According to the reports shared with Cyber Security News, the node-mysql2 library allows users to connect to the database in JavaScript and has over 2 million installations per week.Β
The user can utilize this library to establish a connection with their database and execute queries with it.
Free Webinar | Mastering WAAP/WAF ROI Analysis | Book Your Spot
This particular scenario also applies to a threat actor, providing them with server-level access.
Since the attack vector entirely depends on the post-connection to the server, attacks such as Remote Code Execution, Arbitrary code execution, and prototype pollution are possible.Β
This particular vulnerability arises because the node-mysql2 library allows the first argument passed to the connection query function to be a string containing the query.
However, this particular argument is not validated correctly, allowing a user to pass objects instead of strings.
Further, MySQL2 generates a parsing function for every query, usually cached for optimization purposes.
The library’s source code also contains a parameter supportBugNumbers, which is used when a query returns a large number.
However, this argument is not sanitized or checked correctly, which allows a user to pass an object with malicious code that will result in Remote code execution.
Analyzing the library’s source code also revealed that the function that parses the returned response uses a global prototype as a map, which can be exploited in a similar pattern to the previous attack to achieve Prototype Pollution.
The severity for this vulnerability was given as 6.5 (Medium).
Another vulnerability mentioned by the researcher was associated with cache poisoning.
This cache poisoning can be exploited even in stricter application configurations.Β
Cache Poisoning
The node-mysql2 library uses a response function in which keys are inserted into the string and the use of a “:” delimiter.
The key strings can also contain a “:” delimiter, enabling the exploitation of this behavior to manipulate the hash function. However, the vendors fixed this vulnerability.
Users are recommended to upgrade their MySQL2 to the latest version, 3.6.7, to prevent the exploitation of this cache poisoning vulnerability. Other vulnerabilities have yet to be addressed.
The researcher also stated, “the vendor did not provide the necessary cooperation, ignoring my emails for months, so this material was released without the final fixes.β
Looking to Safeguard Your Company from Advanced Cyber Threats? DeployΒ TrustNetΒ to Your Radar ASAP.
This campaign is observed to be targeting multiple countries, including the U.S., Nigeria, Germany, Egypt, the U.K., Poland, the Philippines, Norway, and Japan.
The threat actor behind this ongoing campaign has been identified as “CoralRaider, ” whose Tactics, Techniques, and Procedures (TTPs) overlap with the current campaign.Β
The threat actor’s previous campaigns, which included using a Windows Shortcut file, identical PowerShell Decryptor and Payload download scripts, and FoDHelper techniques for bypassing UAC (User Access Control) on the victim machine, are similar.
CoralRaider Hacker Evade Antivirus
The threat actor hosted the download of files like the malicious HTA (HTML Application) file and the payload on a Content Delivery Network (CDN) Cache domain.
This is done as a means of evading detection from security products.
A new PowerShell command-line argument was found inside the LNK file, which was used to evade antivirus products and download the final payload onto the victim’s machine.
The PowerShell scripts used in this campaign were observed to have similarities with the CoralRaider threat groupβs Rotbot campaign.
Free Webinar | Mastering WAAP/WAF ROI Analysis | Book Your Spot
Multi-Stage Infection Chain
The infection chain starts with a victim opening a malicious shortcut embedded inside a ZIP file. This ZIP file is downloaded via drive-by download techniques or phishing emails.
This shortcut file contains an embedded PowerShell command running a malicious HTA file on the Attacker-controlled CDN domain.
Attack flow chain (Source: Talos Intelligence)
This malicious HTA file executes an embedded JavaScript which decodes and runs a PowerShell decrypter script which decrypts another embedded PowerShell Loader script that runs on the victim machine’s memory.
Following this, the downloader script executes multiple functions for downloading and running one of the infostealer malware (Cryptbot, LummaC2, or Rhadamanthys).
In addition, this loader script also evades detections and bypasses User Access Control (UAC).
PowerShell script inside the LNK file (Source: Talos Intelligence)
This loader script also drops a batch script onto the victim’s temporary folder and also writes its contents.
This batch script will also include the PowerShell command to add the “ProgramData” folder to the Windows Defender Exclusion.
The Use Of LoLBin – FodHelper.exe
This new campaign also uses Living-off-the-land binary techniques as the dropped batch script is executed using “FoDHelper.exe” and also uses Programmatic identifiers (ProgIDs) registry keys to bypass UAC controls.
The FoDHelper has elevated privileges if certain registry keys have commands assigned.
First Batch script (Source: Talos Intelligence)
After doing so, the loader script also downloads the payload “X1xDd.exe” and saves it in the ” C: ProgramData” folder, which is not detected due to the addition of the ProgramData folder to the exclusion list in Windows Defender.
However, the PowerShell loader also overwrites the dropped batch script with new instructions.
Second Batch Script (Source: Talos Intelligence)
The new instructions include the commands to run the newly downloaded payload information stealer with the Windows start command.
Additionally, this step follows a similar pattern of using the FoDHelper to run the batch script.
Selection Of Payload With Requirement
All three infostealer malware, LummaC2, Cryptbot, and Rhadamanthys, have their own merits and demerits.
These info stealers can harvest multiple sensitive information such as system data, browser data, credentials, cryptocurrency wallets, and financial information.
CryptBot
First found in 2019, the CryptBot targets Windows systems designed to steal sensitive information from affected computers.
The new variant of Cryptbot has been distributed since January 2024 and is packed with VMProtect V2.0.3-2.13.Β
This new variant also has password manager application databases and authenticator application information in an attempt to steal cryptocurrency wallets that have two-factor authentication enabled.
As an added advantage, Cryptbot Stealer also scans the victim’s machine for database file extensions for targeted applications to harvest credentials.
The threat actor is also observed using a new variant of LummaC2 malware, modified by the threat actor.
This malware seems to have been obfuscated by the threat actor with a custom algorithm. Moreover, the threat actor has set up over nine C2 servers, to which the malware connects one by one.Β
All of these servers use a different key to encrypt the C2 domains.
The exfiltration of information is similar to the previous versions of LummaC2 malware but has added the exfiltration of discord credentials from the victim.
Rhadamanthys
This infostealer malware has been sold on underground forums since September 2022.
This malware seems to be evolving until now, with newer versions coming out every now and then. The latest version, V0.6.0, was released on February 15, 2024.Β
The threat actor has been using a Python executable file as a loader to execute this Rhadamanthys malware, which is done in two stages.
The first stage uses a simple Python script, and the second stage uses the Windows API to allocate a memory block and inject Rhadamanthys malware into the process.
Rhadamanthys sold on Underground Forums (Source: Talos Intelligence)
The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) on Monday sanctioned two firms and four individuals for their involvement in malicious cyber activities on behalf of the Iranian Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC) from at least 2016 to April 2021.
This includes the front companies Mehrsam Andisheh Saz Nik (MASN) and Dadeh
Cybersecurity researchers have discovered an ongoing attack campaign that’s leveraging phishing emails to deliver malware called SSLoad.
The campaign, codenamed FROZEN#SHADOW by Securonix, also involves the deployment of Cobalt Strike and the ConnectWise ScreenConnect remote desktop software.
“SSLoad is designed to stealthily infiltrate systems, gather sensitive
This malicious software is specifically designed to infiltrate Android systems, stealing confidential data and compromising user privacy.
What is Spyroid RAT?
Spyroid RAT is a sophisticated malware that targets Android devices.
Once installed, it grants cybercriminals unauthorized access to the device.
This access allows them to steal sensitive information such as login credentials, financial data, and personal messages.
The Trojan operates silently, making it difficult for users to detect its presence until it’s too late.
Is Your Network Under Attack? - Read CISOβs Guide to Avoiding the Next Breach - Download Free Guide
The impact of Spyroid on users is severe.
By gaining access to personal and financial information, attackers can commit identity theft, drain bank accounts, and even lock users out of their own devices.
Spyroid’s stealthy nature means it can linger on infected devices for a long time, leading to prolonged exposure and increased damage.
As per a recent tweet from ThreatMon, Spyroid RAT has been identified as malware that targets Android users intending to steal sensitive and confidential data.
Spyroid RAT is a RAT that targets Android devices. Spyroid RAT is claimed to offer a range of tools such as application management, a keylogger for both online and offline recording, various social media account thieves, permission manager,β¦ pic.twitter.com/WSw1UwdcON
Recent reports have highlighted several incidents where Spyroid was used in targeted attacks.
These attacks often begin with phishing schemes or malicious downloads.
Once the RAT is installed, the device can be controlled completely.
In some cases, users have reported significant financial losses and breaches of personal data.
To protect against Spyroid and other similar malware, Android users are advised to take several precautionary measures:
Ensure your device is protected by reliable antivirus software, which detects and removes malicious applications.
Keep your device’s operating system and applications updated.
Software updates often include security patches that protect against new threats.
Download from Trusted Sources
Only download apps from reputable sources such as the Google Play Store.
Avoid downloading apps from unknown websites or links in unsolicited emails.
Be cautious about the permissions you grant to applications. If an app requests access to sensitive data or functions that seem unnecessary, consider it a red flag.
Enable two-factor authentication (2FA) on your accounts to add an extra layer of security and make it harder for attackers to gain unauthorized access.
The emergence of Spyroid RAT is a stark reminder of the ongoing threats facing Android users.
By staying informed and adhering to best security practices, users can significantly reduce their risk of being victimized by malicious software.
Everyone must remain vigilant and proactive in protecting their digital lives.
Free Webinar: Mastering Web Application and API Protection/WAF ROI Analysis - Book Your Spot
Analysts from Silent Push, a data analytics firm, have uncovered several UK government websites sending user data to a controversial Chinese advertising technology vendor, Yeahmobi.
This discovery raises significant concerns about privacy and the integrity of data handling by public sector organizations.
Data Collection Methods
Silent Push’s investigation began with implementing three core ad tech standardsβads.txt, app-ads.txt, and sellers.jsonβinto their data collection practices.
These standards are crucial for transparency in digital advertising, providing clear information about which companies are authorized to sell or resell ad inventory.
Is Your Network Under Attack? - Read CISOβs Guide to Avoiding the Next Breach - Download Free Guide
By utilizing a custom query language, SPQL, Silent Push was able to identify unique ad account IDs linked to the advertising vendors on public websites.
Their analysis revealed that 18 UK public organizations, including local councils like Havant Borough Council, South Gloucestershire Council, and the Met Office, have been using services provided by Yeahmobi to serve advertisements on their domains.
An example of banner advertising seen at the bottom of the homepage @ https://lancashire.gov.uk/
Notably, Yeahmobi has previously been flagged by Google for malicious practices related to ad fraud and attribution abuse.
The involvement of Yeahmobi, a company previously blacklisted for malicious SDKs (Software Development Kits), in handling data from UK government websites poses serious privacy concerns.
The exact volume and nature of the collected data remain unclear, but the potential for misuse or unauthorized access to sensitive information cannot be ignored.
This situation is particularly alarming given the public’s trust in government platforms to safeguard their personal information.
UK Government Response
As of now, the UK government has not issued a formal response to these findings.
The revelation that local council websites, which are not prohibited from engaging in programmatic advertising, have partnered with a questionable foreign entity demands urgent attention and action.
Figure 2Example of banner advertising seen on the βPublic Healthβ page of https://lancashire.gov.uk/
It is imperative for public sector organizations to ensure compliance with national data protection laws and uphold the highest standards of transparency and security in their digital operations.
Chinese Ad Vendors Involved
Yeahmobi, the Chinese ad vendor at the center of this controversy, has a checkered past, including being implicated in ad fraud and the use of malicious software.
Despite these issues, Yeahmobi has managed to infiltrate the digital advertising space on UK government websites, prompting questions about these public organizations’ oversight and due diligence processes.
The findings by Silent Push serve as a crucial wake-up call for the UK public sector to reevaluate its digital advertising partnerships and prioritize the privacy and security of citizen data.
As the situation develops, it will be essential to monitor any governmental actions taken to address these serious concerns and ensure that similar risks are mitigated.
Free Webinar: Mastering Web Application and API Protection/WAF ROI Analysis - Book Your Spot
Security vulnerabilities uncovered in cloud-based pinyin keyboard apps could be exploited to reveal users’ keystrokes to nefarious actors.
The findings come from the Citizen Lab, which discovered weaknesses in eight of nine apps from vendors like Baidu, Honor, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi. The only vendor whose keyboard app did not have any security
Law enforcement operations disrupted BlackCat and LockBit RaaS operations, including sanctions on LockBit members aiming to undermine affiliate confidence.
In response, LockBit publicly exposed an affiliate payment dispute, potentially causing further affiliate migration.Β
The behavior of a major RaaS group is puzzling, as the financial loss from the dispute seems insignificant compared to the reputational damage.Β
The disappearance of RaaS groups like BlackCat disrupts ransomware affiliates, forcing them to decide their next steps.
Some may exit cybercrime entirely, while others may choose to go independent by leveraging leaked ransomware builders like Conti’s to develop their operations.Β
Due to previous actions from organizations like REvil, which highlight a potential long-term trend of instability within the RaaS ecosystem, more people might continue to use the RaaS model despite the risk of developers cheating them.Β
Q1 2024 saw a 32% drop in average ransom payments compared to Q4 2023, reaching $381,980.
Free Webinar | Mastering WAAP/WAF ROI Analysis | Book Your Spot
Conversely, the median ransom payment rose 25% to $250,000, suggesting a shift in attacker tactics.
There was a decline in high-value targets paying ransoms and a rise in attackers targeting smaller organizations with more moderate demands to maintain negotiation leverage.Β
Ransom Payments by Quarter
Ransomware payments hit a record low in Q1 2024, with only 28% of victims choosing to pay, which suggests that organizations are improving their resilience, potentially due to improved backup and recovery strategies.
The trend of attackers continuing to leak data even after receiving payment discourages victims from paying.
This lack of trust, combined with evidence of previously paid-for data resurfacing, strengthens the case against ransomware payments.Β
All Ransomware Payment Resolution Rates
According to Coverware, Akira remained the most prevalent ransomware variant in Q1 2024, as law enforcement disruptions and declining trust in LockBit and BlackCat caused a rise in alternative strains.
Black Basta, a re-emerging threat, joined the top ranks alongside newcomers like BlackSuit and Rhysida, indicating a shift in RaaS (Ransomware-as-a-Service) affiliations, with some affiliates opting for Akira or new players while others move to independent operations, as seen with the Phobos increase.
Market Share of the Ransomware Attacks
Attackers exploited readily available critical vulnerabilities (CVEs) in Q1 2024.
Patching was slow, allowing attackers like Akira, RansomHouse, BlackSuit, Play, and Lockbit to infiltrate systems through unpatched Cisco VPN products, Netscaler VPN virtual servers, and ScreenConnect instances using known CVEs (CVE-2023-20269, CVE-2023-4966, and CVE-2024-1708).Β
Ransomware Attack Vectors
Adversaries are increasingly using stolen credentials and legitimate tools to move laterally within a network, steal data (exfiltration), and disrupt core functions (impact) like deploying ransomware and target vulnerabilities in RDP, SMB, and ESXi to reach critical assets and often leverage common RMM software (AnyDesk, TeamViewer) for remote control disguised as regular traffic.Β
Percentage of cases vs Observed Traffic
Initial footholds are established through phishing emails or exploiting unpatched systems, highlighting the importance of network segmentation, user hygiene, and up-to-date software.
Ransomware Impacted Companies by Size (Employee Count)
In the first quarter of 2024, ransomware attackers continued to exploit any vulnerabilities they found, regardless of the size of the company or industry, which is likely because it’s becoming harder to find easy targets.
Looking to Safeguard Your Company from Advanced Cyber Threats? DeployΒ TrustNetΒ to Your Radar ASAP.
IBM is reportedly close to finalizing negotiations to acquire HashiCorp, a prominent cloud infrastructure software market player.
This potential acquisition is part of IBM’s transformation into a hybrid cloud and AI-focused enterprise.
Potential Acquisition Details
Sources close to the matter indicate that IBM could soon reach an agreement to acquire San Francisco-based HashiCorp.
While the discussions are advanced, there remains a possibility that the talks could fall through without resulting in a deal.
Is Your Network Under Attack? - Read CISOβs Guide to Avoiding the Next Breach - Download Free Guide
The acquisition would likely command a premium over HashiCorp’s current market valuation if successful.
As of the latest trading session, HashiCorp’s market capitalization is approximately $4.9 billion, reflecting a 4% increase in its stock price since the beginning of the year.
According to the Wall Street Journal report, the acquisition by IBM would mark a significant premium on this value, acknowledging HashiCorp’s strategic importance and its robust performance in the market.
HashiCorp’s Strategic Value
HashiCorp is renowned for its innovative software solutions that facilitate cloud infrastructure setup for companies.
It has established partnerships with numerous technology giants, including Cisco, Datadog, and RedHat, which is owned by IBM.
This existing relationship between HashiCorp and IBM’s subsidiary could provide a smoother integration of technologies and corporate cultures.
IBM’s Strategic Transformation
Under the leadership of CEO Arvind Krishna, IBM has been aggressively pursuing a transformation into a hybrid cloud and AI powerhouse.
This strategy has been marked by significant acquisitions and divestitures, including the purchase of Apptio for approximately $5 billion last June, which enhanced IBM’s automation capabilities, and the sale of the Weather Company assets to Francisco Partners.
Krishna’s focus on key technology areas such as quantum computing and blockchain highlights IBM’s commitment to remaining at the forefront of technological innovation.
The acquisition of HashiCorp would represent a strategic, albeit relatively small, expansion for IBM, which currently has a market capitalization of around $170 billion.
This move comes when mergers and acquisitions in the tech sector appear to be slowing down, as evidenced by Salesforce’s recent withdrawal from negotiations to acquire Informatica.
IBM’s potential acquisition of HashiCorp could significantly enhance its capabilities in cloud infrastructure, further solidifying its position as a leader in the hybrid cloud and AI sectors.
As the tech world watches closely, the outcome of these negotiations could have far-reaching implications for the competitive dynamics within the cloud services market.
Free Webinar: Mastering Web Application and API Protection/WAF ROI Analysis - Book Your Spot
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)