February 2024 Cybercrime Update | Commercial Spyware, AI-Driven APTs & Flawed RMMs

February saw the U.S. government take significant actions against cybercrime, continuing the current administration’s policy of using all the resources of the state to tackle the problem head on. Nation-state actors, meanwhile, have taken to leveraging AI to enhance their operations and attacks.

In this month’s update, we also highlight a crop of CVEs in remote management and monitoring (RMM) tools that threat actors are exploiting in the wild, and as always we have the latest in ransomware updates.

Ransomware Reporting and Underreporting

February 2024 has seen several impactful ransomware attacks reported, including:

Actor Targeted Industry
LockBit Medical
BackMyData Medical
Black Basta Automotive
Cactus Manufacturing

Concerns remain, however, that many ransomware incidents are unreported. Particularly in cases where an organization is experiencing its first cybercrime incident, there may be a tendency to believe that disclosing the breach may be more damaging than paying the attackers.

For any organization feeling that pressure, it is worth reviewing advice from the NCSC about why transparency matters to victims. It is also worth reviewing Google’s journey from victim to major contributor to cyber safety: the formation of its Project Zero initiative and Threat Analysis Group were direct consequences of its experience of a cyber attack from a Chinese APT.

In a statement on January 31st, CISA Director Jan Easterly told a House Select Committee that “Every victim of a cyber incident should report it to CISA or FBI, every time, recognizing that a threat to one is a threat to many, because cybersecurity is national security”. Easterly stressed, and we couldn’t agree more, that business leaders must treat cyber risks as core business risks and recognize that “managing them is a matter of both good governance and fundamental national security”.

Software Products Under Active Exploitation

Improving the design of software products such that exploitable flaws become “a shocking anomaly” was also part of Easterly’s vision for a safer cyber future.

February saw a trend in attacks leveraging enterprise tools for remote, authenticated access, aka RMMs (Remote Monitoring and Management). Both APT groups and ‘lower tier’ crimeware actors continue to exploit vulnerabilities in Ivanti’s Connect Secure and Policy Secure products.

ConnectWise’s ScreenConnect has also been targeted for mass exploitation thanks to multiple RCE flaws that are trivial to exploit. In addition, alarm was raised this month after a response to a breach at AnyDesk found evidence of compromised production systems.

CVEs and updates that organizations are prioritizing include:

Ivanti Connect Secure CVE-2024-21893
ConnectWise ScreenConnect CVE-2024-1708
ConnectWise ScreenConnect CVE-2024-1709
AnyDesk Recommended update to 7.0.15 and 8.0.8

Emerging Trends and Tactics

AI continues to push the boundaries of cybersecurity for both attackers and defenders. On top of LLM chat assistants and natural language image generators comes Sora, the first generative AI model that can create realistic video – currently up to 60 seconds – from text prompts. According to OpenAI, “Sora is capable of generating entire videos all at once or extending generated videos to make them longer.”

The potential for deep fakes in an election year is one obvious area of concern, but the wider implications of a text-to-video service are perhaps even greater. OpenAI says it is building tools to help detect misleading content as well as reject prompts that violate usage policies, but based on the rapid proliferation of ‘evil ChatGPTs’ (see WormGPT, DarkGPT, and Predator AI for examples) that may be no more than a sticking plaster solution. Sora is still in beta but is currently available to red teamers to help assess the potential risks such a service could cause.

February also saw OpenAI, in conjunction with Microsoft, report on the malicious use of AI by state-affiliated threat actors. Groups associated with four different nations were discovered to be trying to leverage OpenAI for harmful purpose:

China  Charcoal Typhoon / Salmon Typhoon
Iran Crimson Sandstorm
North Korea Emerald Sleet
Russia Forest Blizzard

The use of AI by threat actors largely revolves around improving productivity and automating existing tasks that are labor intensive, such as generating social engineering content. To date, it has not been used to produce novel attacks. However, we are still very much in the early stages of understanding the capabilities of this new technology.

The fact that it is already being leveraged by both state-sponsored actors and financially-motivated cybercriminals emphasizes the need for defenders to keep pace with AI’s evolution.

We encourage defenders to review SentinelOne’s recommendations for Safe, Secure, and Trustworthy AI. For specific TTPs related to artificial intelligence systems, see the new MITRE ATLAS™ (Adversarial Threat Landscape for Artificial-Intelligence Systems) framework.

Law Enforcement & Policy | Significant Actions

The U.S government in February announced a Visa Restriction policy for individuals involved in the misuse of commercial spyware. The policy covers not only the use of spyware, but also anyone “believed to facilitate or derive financial benefit from the misuse of commercial spyware” and “developing, directing, or operationally controlling companies that furnish technologies such as commercial spyware”.

The move reflects mounting concerns about the rise of private sector offensive actors (aka hack-for-hire groups) and the safety of mobile devices.

Coordinated action by U.S. and U.K. law enforcement to disrupt LockBit operations generated plenty of headlines in the third week of February, but early signs are that the group is not down and out yet. On February 24, 2024, LockBit released a series of statements concerning the disruption.

The group claimed the FBI was unable to compromise all of their infrastructure, allowing the group to reestablish and maintain primary operations. The statements included functional links to a blog site and data portals to support their claims that the ransomware operator was still in business.

LockBit’s disruption may yet turn out to be temporary, following the trend set by direct actions against Hive, ALPHV and others.

lockbit fbi response
Excerpt of LockBit’s February 24, 2024 ‘Statement’

In further signs of an escalating, policy-driven offensive to tackle cybercrime, the United States Department of State has offered a ten million dollar bounty for information relating to Hive ransomware operators and co-conspirators. On February 9th, the U.S. Department of Justice disclosed the dismantling of Warzone RAT, the seizure of supporting data and infrastructure, and the filing of charges against key players tied to the operation.

Conclusion

Coordinated action by the U.S. and other governments is certainly having an impact on cybercriminals’ operations, but there are still more threat actors out there than anyone can count, and there’s a long way to go in this battle to capture, thwart and discourage digital attackers.

February’s quick takeaway for busy readers: patch before a breach occurs, and report it when it does.

To learn about how SentinelOne can help protect your organization, contact us or request a free demo.