Brief #4: EU's AI Act, CLOP Ransomware, Fake GitHub Repos

Mandos Brief, Week 24 2023: AI regulation in Europe, CLOP ransomware attacks, the discovery of fake GitHub repositories, the updated GravityRAT and more.

6 min read
mandos brief #4 - week 24 2023


Europe Leads the Charge, Google and MITRE follow: Groundbreaking AI Regulation Takes Effect

The European Union's new Artificial Intelligence Act is a major step in AI regulation, balancing the need to reduce risks while fostering tech innovation. The Act focuses on "high-risk" AI systems - those with potential to greatly impact health, safety, or fundamental rights - which will undergo stringent checks prior to market launch. This approach ensures increased transparency and accountability for AI system providers.

The establishment of a European Artificial Intelligence Board ensures the Act's consistent application across EU member states, while also facilitating the exchange of best practices. This board is a key part of the Act's aim for accountability, especially from major tech companies, and for maintaining ethical AI deployment.

However, striking the right balance to avoid over-regulation is important. Google and MITRE have also suggested AI regulation frameworks, emphasizing risk mitigation without hampering innovation and considering AI-associated threats.

CLOP Ransomware Strikes US Government Agencies

The attack was allegedly carried out by the notorious CLOP ransomware gang, Lace Tempest, which exploited a critical software vulnerability in MOVEit, a file-transfer software developed by Progress Software Corp. The vulnerability allowed remote attackers to gain unauthorized access to the software's database. The cyber criminals exploited this vulnerability to breach two DoE entities, Oak Ridge Associated Universities and a contractor affiliated with the Waste Isolation Pilot Plant (WIPP), a radioactive waste storage facility located around Carlsbad, New Mexico.

Interestingly, the ransomware group has promised to delete all government data, making no ransom demands. This is a departure from the usual modus operandi of ransomware gangs, which typically demand a ransom in exchange for not releasing the stolen data. The reasons behind this unusual behavior remain unclear. The attack has exposed over 2,500 instances of MOVEit Transfer to the public internet as of May 31, with the majority located in the United States. This highlights the widespread impact of the attack and the potential for significant damage.

In the wake of this attack, organizations should reassess their cybersecurity strategies and consider implementing additional measures to protect against future threats. These could include regular software updates, employee training on cybersecurity best practices, and the use of advanced threat detection and response solutions.

Beware of the Wolf in Researcher's Clothing: Fake GitHub Repos Spreading Malware

The malicious actors behind this scheme have gone to great lengths to appear legitimate, creating a network of fake accounts and even impersonating real security researchers. The repositories they've created claim to be exploits for well-known products, such as Discord, Google Chrome, and Microsoft Exchange Server. However, they contain malicious code that downloads and executes a binary on the victim's operating system. This binary is a clear piece of malware, with a high detection rate on VirusTotal.

The threat actors' persistence in maintaining this scheme suggests they believe it will eventually be successful. Security researchers and the broader community must be cautious when downloading code from GitHub or any other open-source platform. It's crucial to review any code before executing it and to avoid using anything that isn't fully understood.

GravityRAT Strikes Again: Android Spyware Targets WhatsApp Backups

The GravityRAT Android trojan, known for its cross-platform capabilities, has evolved with a new ability to exfiltrate WhatsApp backups and receive commands to delete files. This updated version is being distributed through trojanized versions of the legitimate open-source OMEMO Instant Messenger Android app, specifically the BingeChat and Chatico apps. These apps are not available on Google Play but are distributed through rogue websites promoting free messaging services.

The campaign is highly targeted, with potential victims specifically chosen and lured to the malicious website. The group behind the malware, tracked by ESET under the name SpaceCobra, remains unknown. However, there are speculations that the threat actor is based in Pakistan, with recent attacks involving GravityRAT targeting military personnel in India and among the Pakistan Air Force.

Once installed, GravityRAT interacts with its command and control server, exfiltrating the device user's data and waiting for commands to execute. It is capable of exfiltrating call logs, contact list, SMS messages, device location, basic device information, and files with specific extensions for pictures, photos, and documents. The new capabilities to exfiltrate WhatsApp backups and receive commands to delete files are unique and not typically seen in Android malware, indicating a significant evolution in the malware's functionality.

SMS-Based Location Tracking Is the New Threat to Privacy

This research paper “Freaky Leaky SMS: Extracting User Locations by Analyzing SMS Timings, reveals a new, privacy-threatening method of location tracking exploiting SMS delivery report timings. The attack can be executed by anyone who knows the victim's phone number and can send them an SMS. This makes it a significant threat to privacy.

The researchers conducted a large-scale study collecting Delivery Report timing measurements across three continents, nine countries, and ten operators to create their training dataset. They sent SMS messages between devices and measured Delivery Reports return times within and across different setups in the US, multiple countries in Europe, and the Middle East.

The researchers used a Multilayer Perceptron (MLP) classifier to perform location classification. The model comprises a stochastic gradient descent solver, softmax and sigmoid activations for multiclass and binary classifications respectively, and three layers with 10, 40, and 10 nodes respectively for the input, hidden, and output layers.

The privacy issues caused by the SMS timing attack have been recognized by GSMA, who are considering several countermeasures, including artificial delays and robust SMS filtering. However, the researchers point out that the attack is hard to mitigate without a significant overhaul of the cellular network specifications.

Share This Post

Check out these related posts

Brief #56: Patch Critical Microsoft Flaw, AI Cybersecurity Market Booms, Outcome-Driven Metrics for CISOs, Cybersecurity Career Progression

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 8 min read

Brief #55: Snowflake Breach, AI-Powered Malware, CISO AI Pressures, Cybersecurity Talent Shortage

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 8 min read

Brief #54: Fortinet Zero-Day, OpenAI AI Safety, Security Leaders Focus on High-Impact, Cybersecurity Skills in Demand

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 8 min read