Ok, this is all fun and games until someone messes with things near and dear to my heart. Last week we railed against the patient-harming attacks. Those are awful, and by all accounts are much worse than a lot of cyber events. Heartless, cruel. But this week they hit another vertical I hold near and dear, and this won’t end well for them. C’mon man, attacking Duvel? Are you serious? I’m semi-serious. To prove I can keep things in perspective, let’s learn about Gootloader, Hugging Face issues, and more…

Crime pays…crime doesn’t pay…crime pays…

In a rash of recent events by frequent fliers LockBit and Blackcat/ALPHV, it seems both groups are struggling to hold on to their celebrity mystique. Blackcat was accused of perpetrating the attack against healthcare & pharmaceutical linchpin Change Healthcare. After activity seemed to indicate a $22M ransom was paid, the affiliate working with Blackcat to infect Change claimed that Blackcat stiffed them on their share. Blackcat responded by taking a page from the rich – announcing that they are going out of business. Some exit scam! And the potentially-Chinese affiliate they worked with has bills to pay – they apparently bought some tools that weren’t cheap!

Almost simultaneously, LockBit is stepping up activity in a desperate bid to remain relevant. While their claims of attacking Fulton County, GA last week seem to have mysteriously evaporated, other targets are being announced, including Fidelity Life Insurance. This seems all rosy for them – but there is a catch. They lost a lot of mystique when they were taken down and trolled by the FBI recently. Desperation may motivate the increased pace and lack of target selection discipline. They can’t make money if affiliates don’t trust them to stay operational.

SEO Targeting by GootLoader, a blast from the past!

We get so caught up in social engineering that we forget adversaries still love to lay traps elsewhere for us! In this awesomely detailed report on GootLoader by the folks at The DFIR Report, you should definitely walk through the process they outline, as they have even recorded videos to help demonstrate how the attack plays out. Long story short – this is a crazy complex threat. It gives you an appreciation for just how smart adversaries are. Sort of seems we should respect that and take it seriously!

  • Want to read more? Kroll’s report is a little easier to skim, but can still offer good recommendations and IOCs. Wanna know how SEO poisoning works and who else uses it? MITRE’s ATT&CK has you covered!
  • Wanna get nerdy? Here is the DFIR Report’s original Gootloader post, which offers great prep for the follow-up linked above.

This week in AI

It is going to be very hard to untangle AI and security for a while, folks. We’ve talked about the serious consequences of adversaries weaponizing important developer tools like GitHub. Well, in the AI/ML realm, Hugging Face is pretty key. Folks at JFrog Security reported that malicious code has made it into Hugging Face and is responsible for backdooring user devices. Oh boy.

This comes hot on the heels of reports that custom GPTs are being created for bad things. As if we didn’t see that one coming! I was just talking today to an audience about how phishing emails are getting better with the aid of AI, and along comes this article on OODA Loop‘s Blog.

Things I am keeping an eye on myself

  • Our friends at Cisco’s Talos published a pretty interesting report on a new information stealer called TimberStealer. This one seems to be used by a threat actor with a history of pairing spam & phishing with other infostealers in targeting Mexican financials. Very informative write-up!
  • The Ivanti saga continues, and CISA & their partners worldwide have been issuing more dire warnings and alerts. They are now advising that critical infrastructure companies look to alternatives and significantly ratchet down on access via Ivanti VPN boxes.
  • I know we covered this last week, but CISA is becoming one of my favorite places to look for insights. This post on SVR tactics as they shift operational focus to the cloud is very informative, and on second read I can’t help but look at it in light of the post I put up earlier this week on Recon Phase stuff. Some cool overlap, it is nice when I stumble on something relevant!
  • I had some questions from a customer audience on how to protect against zero-click installs of Pegasus, and while I don’t yet have all of the answers, I thought it was interesting that they just got slapped with a court order to provide source code. The code may be older, but getting more eyes on it can only help us eventually answer those user questions!
  • Lest we forget that Russians can be victims too, here is a really interesting report on threat actors that target them. I have to admit though – it is hard to feel sorry for the nation’s cyber woes when they keep this crap up.

Good Reads!

  • I’m finishing that Genghis Khan book, so my friends can stop hearing me brag about how awesome it is. Seriously though – it is an eye-opener and it is shocking how advanced and progressive they were.
  • This article in Wired on AI image generation has really opened my eyes to a lot of the malicious and ethical concerns around it. I’ll keep mine cartoon-like and PG 😉

I hope you folks have a safe and healthy weekend – let me know what you think and what you’d like to change in these updates!