The nGuard Security Advisory for this week covers several important topics related to cyber security threats. The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have issued warnings that remote desktop tools are being used to breach US federal agencies; ChaptGPT being used to create malicious output; Microsoft is set to block Excel add-ins that have been used for office exploits; and a new malware called “Rhadamanthys” has been discovered that uses Google Ads to redirect users to fake software downloads.
CISA & NSA Warn Remote Desktop Tools Are Being Used to Breach US Federal Agencies
The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have issued a joint advisory warning that financially motivated hackers have compromised federal agencies using legitimate remote desktop software. The hackers used phishing emails to lure victims to a malicious site that impersonated high-profile companies, including Microsoft and Amazon, and prompted the victims to call the hackers who then tricked employees into visiting the malicious domain. This led to the download of legitimate remote access software which the hackers then used in a refund scam to steal money from victims’ bank accounts. CISA also warned that the attackers could use legitimate remote access software as a backdoor for maintaining persistent access to government networks.
nGuard often can obtain remote access to victim’s computers using legitimate remote access tools like TeamViewer. nGuard’s Social Engineering assessment could help prevent these types of attacks by testing an organization’s resistance to phishing and other types of social engineering tactics.
ChaptGPT Malicious Prompt Engineering
OpenAI’s ChatGPT, a large-scale AI-based natural language generator, was released in late 2022 and has demonstrated the potential of AI for both good and bad. ChatGPT is a chatbot that is built on top of OpenAI’s GPT-3 family of large language models. It is designed to respond to prompts with accurate and unbiased answers. However, the concept of ‘prompt engineering’ has been used to manipulate the system and force it to respond in a specific manner desired by the user. This has led to the malicious potential of social engineering. A Finnish security firm recently published an extensive and serious evaluation of prompt engineering against ChatGPT, focusing on the generation of phishing, various types of fraud, and misinformation. They found they were able to quickly create convincing phishing emails that were well written and free of typos and grammatical errors. They also were able to create writing styles to match a given input which could lead to ‘deep fakes’ impersonating someone’s writing style. Last, they were able to make requests that forced ChatGPT to transfer their opinion within the response. The idea of prompt engineering is something still not fully understood but certainly has shown the power of a tool like ChatGPT can have.
nGuard’s MECC (Managed Event Collection and Correlation) can help protect against malicious ChatGPT attacks by collecting and analyzing log data from various sources, including chatbot interactions. MECC can then alert security teams to potential threats and provide them with the information they need to investigate and respond to the attack. Additionally, nGuard is adding UEBA (User and Entity Behavior Analytics) to its MECC solution. UEBA leverages AI and Machine Learning to help protect against malicious ChatGPT attacks by analyzing user behavior and identifying anomalies that may indicate a security incident. This can include detecting when a user or bot is attempting to access sensitive information or perform unauthorized actions. UEBA can then alert security teams to potential threats and provide them with the information they need to investigate and respond to the attack. Additionally, UEBA can also help to detect compromised user account and bot impersonation.
Microsoft Set to Block Excel Add-in Used for Office Exploits
Microsoft is set to block XLL files from the internet in a bid to prevent cyber attackers from exploiting the “add-ins” function of Excel to run malicious code on a victim’s computer. An XLL file is an Excel Dynamic Link Library, a type of Microsoft Excel add-in used to extend the functionality of the spreadsheet software. XLL files contain custom functions and macros written in C or C++, and can be used to perform tasks that are not possible with the built-in Excel functions. The feature, set to be released in March, is a response to an increasing use of XLL files by attackers which offer a way to read and write data within spreadsheets, add custom functions and interact with Excel objects across platforms. However, experts have said that the feature may not be effective if users ignore the warning that XLL files could contain malicious code, and attackers are likely to continue to find new ways to compromise systems.
nGuard’s Security Awareness Training services can help with this threat by educating employees on how to identify and avoid phishing attempts, both in the form of emails and websites. The training can cover topics such as how to spot suspicious emails, what to look for in a legitimate and illegitimate website, and how to recognize the signs of a phishing attempt.
Rhadamanthys Malware Using Google Ads to Redirect to Fake Software Downloads
A new malware strain called “Rhadamanthys Stealer” is being spread by redirects from Google Ads that pretend to be download sites for popular remote-workforce software, such as Zoom and AnyDesk. The malware is sold on the dark web as malware-as-a-service and is spread through two methods: carefully crafted phishing sites, and phishing emails with malicious attachments. The malware can steal sensitive data such as browser history and account login credentials, including crypto-wallet information. It is also able to detect if it is running in a controlled environment and will terminate its execution if so. As mentioned earlier in this Advisory, nGuard’s Social Engineering assessment and Security Awareness training can prepare your organization and employees for these types of attacks. Help your organization stay vigilant against the latest attack vectors and keeping up to date by assessing your employees and organization on an annual basis at a minimum.