Dark – INDIA NEWS (https://www.indiavpn.org), News Blog

Over 225,000 Compromised ChatGPT Credentials Up for Sale on Dark Web Markets
https://www.indiavpn.org/2024/03/05/over-225000-compromised-chatgpt-credentials-up-for-sale-on-dark-web-markets/
Published: Tue, 05 Mar 2024 15:04:07 +0000

Mar 05, 2024 | Newsroom | Malware / Artificial Intelligence

More than 225,000 logs containing compromised OpenAI ChatGPT credentials were made available for sale on underground markets between January and October 2023, new findings from Group-IB show.

These credentials were found within information stealer logs associated with LummaC2, Raccoon, and RedLine stealer malware.

“The number of infected devices decreased slightly in mid- and late summer but grew significantly between August and September,” the Singapore-headquartered cybersecurity company said in its Hi-Tech Crime Trends 2023/2024 report published last week.

Between June and October 2023, more than 130,000 unique hosts with access to OpenAI ChatGPT were infiltrated, a 36% increase over what was observed during the first five months of 2023. The breakdown by the top three stealer families is below –

  • LummaC2 – 70,484 hosts
  • Raccoon – 22,468 hosts
  • RedLine – 15,970 hosts

“The sharp increase in the number of ChatGPT credentials for sale is due to the overall rise in the number of hosts infected with information stealers, data from which is then put up for sale on markets or in UCLs,” Group-IB said.

The development comes as Microsoft and OpenAI revealed that nation-state actors from Russia, North Korea, Iran, and China are experimenting with artificial intelligence (AI) and large language models (LLMs) to complement their ongoing cyber attack operations.

Stating that LLMs can be used by adversaries to brainstorm new tradecraft, craft convincing scam and phishing attacks, and improve operational productivity, Group-IB said the technology could also speed up reconnaissance, execute hacking toolkits, and make scammer robocalls.

“In the past, [threat actors] were mainly interested in corporate computers and in systems with access that enabled movement across the network,” it noted. “Now, they also focus on devices with access to public AI systems.

“This gives them access to logs with the communication history between employees and systems, which they can use to search for confidential information (for espionage purposes), details about internal infrastructure, authentication data (for conducting even more damaging attacks), and information about application source code.”

Abuse of valid account credentials by threat actors has emerged as a top access technique, primarily fueled by the easy availability of such information via stealer malware.

“The combination of a rise in infostealers and the abuse of valid account credentials to gain initial access has exacerbated defenders’ identity and access management challenges,” IBM X-Force said.

“Enterprise credential data can be stolen from compromised devices through credential reuse, browser credential stores or accessing enterprise accounts directly from personal devices.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.



DoJ Charges 19 Worldwide in $68 Million xDedic Dark Web Marketplace Fraud
https://www.indiavpn.org/2024/01/08/doj-charges-19-worldwide-in-68-million-xdedic-dark-web-marketplace-fraud/
Published: Mon, 08 Jan 2024 07:35:07 +0000

Jan 08, 2024 | Newsroom | Financial Fraud / Cybercrime

The U.S. Department of Justice (DoJ) said it charged 19 individuals worldwide in connection with the now-defunct xDedic Marketplace, which is estimated to have facilitated more than $68 million in fraud.

In wrapping up its investigation into the dark web portal, the agency said the transnational operation was the result of close cooperation with law enforcement authorities from Belgium, Germany, the Netherlands, Ukraine, and Europol.

Of the 19 defendants, three have been sentenced to 6.5 years in prison, eight have been awarded jail terms ranging from one year to five years, and one individual has been ordered to serve five years’ probation.

Among them is Glib Oleksandr Ivanov-Tolpintsev, a Ukrainian national who was sentenced to four years in prison in May 2022 for selling compromised credentials on xDedic and making $82,648 in illegal profits.

Dariy Pankov, described by the DoJ as one of the highest sellers by volume, offered credentials of no less than 35,000 hacked servers located all over the world and obtained more than $350,000 in illicit proceeds.

The servers were infiltrated using a custom tool named NLBrute that was capable of breaking into protected computers by decrypting login credentials.

Also of note is a Nigerian national named Allen Levinson, who was a “prolific buyer” with a particular interest in purchasing access to U.S.-based Certified Public Accounting firms in order to file bogus tax returns with the U.S. government.

Five others, who have been accused of a conspiracy to commit wire fraud, are pending sentencing.

Alongside these administrators and sellers, two buyers named Olufemi Odedeyi and Oluwaseyi Shodipe have been charged with conspiracy to commit wire fraud and aggravated identity theft. Shodipe has also been charged with making false claims and theft of government funds.

Both individuals are yet to be extradited from the U.K. If convicted, they each face a maximum penalty of 20 years in federal prison.

The marketplace, until its takedown in January 2019, allowed cybercriminals to buy or sell stolen credentials to more than 700,000 hacked computers and servers across the world and personally identifiable information of U.S. residents, such as dates of birth and Social Security numbers.

Alexandru Habasescu and Pavlo Kharmanskyi functioned as the marketplace’s administrators. Habasescu, from Moldova, was the lead developer, while Kharmanskyi, who lived in Ukraine, managed advertising, payments, and customer support to buyers.

“Once purchased, criminals used these servers to facilitate a wide range of illegal activity that included tax fraud and ransomware attacks,” the DoJ said.

Targets of these attacks comprised government infrastructure, hospitals, 911 and emergency services, call centers, major metropolitan transit authorities, accounting and law firms, pension funds, and universities.

Unmasking the Dark Side of Low-Code/No-Code Applications
https://www.indiavpn.org/2023/12/25/unmasking-the-dark-side-of-low-code-no-code-applications/
Published: Mon, 25 Dec 2023 13:13:55 +0000

Dec 18, 2023 | The Hacker News | Technology / Application Security

Low-code/no-code (LCNC) and robotic process automation (RPA) have gained immense popularity, but how secure are they? Is your security team paying enough attention in an era of rapid digital transformation, where business users are empowered to create applications swiftly using platforms like Microsoft PowerApps, UiPath, ServiceNow, Mendix, and OutSystems?

The simple truth is often swept under the rug. While low-code/no-code (LCNC) apps and robotic process automations (RPA) drive efficiency and agility, their dark security side demands scrutiny. LCNC application security emerges as a relatively new frontier, and even seasoned security practitioners and security teams grapple with the dynamic nature and sheer volume of citizen-developed applications. The accelerated pace of LCNC development poses a unique challenge for security professionals, underscoring the need for dedicated efforts and solutions to effectively address the security nuances of low-code development environments.

Digital Transformation: Trading off Security?

One reason security finds itself in the backseat is a common concern that security controls are potential speed bumps in the digital transformation journey. Many citizen developers strive for quick app creation but unknowingly create new risks simultaneously.

The fact is that LCNC apps leave many business applications exposed to the same risks and damage as their traditionally developed counterparts. Ultimately, it takes a closely aligned security solution for LCNC to balance business success, continuity, and security.

As organizations dive headfirst into LCNC and RPA solutions, it’s time to acknowledge that the current AppSec stack is inadequate for safeguarding critical assets and data exposed by LCNC apps. Most organizations are left with manual, cumbersome security for LCNC development.

Unlocking Uniqueness: Security Challenges in LCNC and RPA Environments

While the security challenges and threat vectors in LCNC and RPA environments might appear similar to traditional software development, the devil is in the details. By democratizing software development across a wider audience, the development environments, processes, and participants in LCNC and RPA introduce a transformative shift. This kind of decentralized app creation comes with three main challenges.

First, citizen and automation developers tend to be more prone to unintentional, logical errors that may result in security vulnerabilities. Second, from a visibility point of view, security teams are dealing with a new kind of shadow IT, or to be more precise, Shadow Engineering. Third, security teams have little to no control over the LCNC app life cycle.

Governance, Compliance, Security: A Triple Threat

The three-headed monster haunting CISOs, security architects, and security teams – governance, compliance, and security – is ever more ominous in LCNC and RPA environments. To illustrate, here are some examples, which are of course not comprehensive:

  • Governance challenges manifest in outdated versions of applications lurking in production and decommissioned applications, causing immediate concerns.
  • Compliance violations, from PII leakage to HIPAA violations, reveal that the regulatory framework for LCNC apps is not as robust as it should be.
  • The age-old security concerns of unauthorized data access and default passwords persist, challenging the perception that LCNC platforms offer foolproof protection.

Four Crucial Security Steps

In the ebook “Low-Code/No-Code And Rpa: Rewards And Risk,” security researchers at Nokod Security suggest that a four-step process can and should be introduced to LCNC app development.

  1. Discovery – Establishing and maintaining comprehensive visibility over all applications and automations is essential for robust security. An accurate, up-to-date inventory is imperative to overcome blind spots and ensure the proper security and compliance processes.
  2. Monitoring – Comprehensive monitoring involves evaluating third-party components, implementing processes to confirm the absence of malicious code, and preventing accidental data leaks. Effectively thwarting the risk of critical data leaks requires a meticulous identification and classification of data usage, ensuring applications and automation systems handle data under their respective classifications. Governance includes proactively monitoring developer activity, particularly scrutinizing modifications made in the production environment post-publication.
  3. Act on Violations – Efficient remediation must involve the citizen developer. Use clear communication in accessible language and with the LCNC platform-specific terminology, accompanied by step-by-step remediation guidance. You must bring in the necessary compensating controls when tackling tricky remediation scenarios.
  4. Protecting the Apps – Use runtime controls to detect malicious behavior inside your apps and automations or by apps in your domain.

While the steps outlined above provide a foundation, the reality of a growing attack surface that the current application security stack does not cover forces a reevaluation. Manual security processes do not scale when organizations churn out dozens of LCNC applications and RPA automations weekly. The efficacy of a manual approach is limited, especially when companies are using several LCNC and RPA platforms. It is time for dedicated security solutions for LCNC application security.

Nokod Security: Pioneering Low-code/no-code App Security

Offering a central security solution, the Nokod Security platform addresses this evolving and complex threat landscape and the uniqueness of the LCNC app development.

The Nokod platform provides a centralized security, governance, and compliance solution for LCNC applications and RPA automations. By managing cybersecurity and compliance risks, Nokod streamlines security throughout the entire lifecycle of LCNC applications.

Key features of Nokod’s enterprise-ready platform include:

  • Discovery of all low-code/no-code applications and automations within your organization
  • Placement of these applications under specified policies
  • Identification of security issues and detection of vulnerabilities
  • Auto-remediation and empowerment tools for low-code / no-code / RPA developers
  • Enabling enhanced productivity with lean security teams

Conclusion:

In the dynamic landscape of contemporary business technologies, the widespread adoption of low-code/no-code (LCNC) and robotic process automation (RPA) platforms by organizations has ushered in a new era. Despite the surge in innovation, a critical security gap exists. Enterprises must gain comprehensive insights into whether these cutting-edge applications are compliant, free from vulnerabilities, or harbor malicious activities. This expanding attack surface, often unnoticed by current application security measures, poses a considerable risk.

For more timely information about low-code/no-code app security, follow Nokod Security on LinkedIn.

German Authorities Dismantle Dark Web Hub ‘Kingdom Market’ in Global Operation
https://www.indiavpn.org/2023/12/24/german-authorities-dismantle-dark-web-hub-kingdom-market-in-global-operation/
Published: Sun, 24 Dec 2023 03:20:35 +0000

Dec 21, 2023 | Newsroom | Dark Web / Cybercrime

German law enforcement has announced the disruption of a dark web platform called Kingdom Market that specialized in the sales of narcotics and malware to “tens of thousands of users.”

The exercise, which involved collaboration from authorities from the U.S., Switzerland, Moldova, and Ukraine, began on December 16, 2023, the Federal Criminal Police Office (BKA) said.

Kingdom Market is said to have been accessible over the TOR and Invisible Internet Project (I2P) anonymization networks since at least March 2021, trafficking in illegal narcotics as well as advertising malware, criminal services, and forged documents.

As many as 42,000 products were sold via several hundred seller accounts on the English-language platform prior to its takedown, with 3,600 of them originating from Germany.

Transactions on the Kingdom Market were facilitated through cryptocurrency payments in the form of Bitcoin, Litecoin, Monero, and Zcash, with the website operators receiving a 3% commission for processing the sales of the illicit goods.

“The operators of ‘Kingdom Market’ are suspected of commercially operating a criminal trading platform on the Internet and of illicit trafficking in narcotics,” the BKA said, adding an investigation into the seized server infrastructure is ongoing.

In addition to the seizure, one person connected to the running of Kingdom Market has been charged in the U.S. with identity theft and money laundering. Alan Bill, who also goes by the aliases Vend0r and KingdomOfficial, has been described as a Slovakian national.

The development comes days after another coordinated law enforcement effort saw the dismantling of the BlackCat ransomware’s dark web infrastructure, prompting the group to respond to the seizure of its data leak site by wresting control of the page, claiming they had “unseized” it.
