Intelphreak - 20:00Z June 10th, 2024
Microsoft Recall Will Be Opt-In, Study Shows LLMs Can Exploit “Zero-Day” Vulnerabilities, CJEU Rules Copyright Over IP Privacy, Threat Actors Potentially Compromise Snowflake, Cyber Attacks on Russia & Belarus Companies, Global Operation “Endgame” Disrupts Over 100 Malicious Servers
Precedence: Routine
BLUF: Microsoft Recall Will Be Opt-In, Study Shows LLMs Can Exploit “Zero-Day” Vulnerabilities, CJEU Rules Copyright Over IP Privacy, Threat Actors Potentially Compromise Snowflake, Cyber Attacks on Russia & Belarus Companies, Global Operation “Endgame” Disrupts Over 100 Malicious Servers
BEGIN TEARLINE
[New Tech] Microsoft Recall:
Microsoft recently announced changes to the Recall feature of its Copilot+ PCs [5]. Recall will now be off by default, with an explicit setup step required to turn it on, and it gains several security changes: Windows Hello enrollment is required to enable Recall, and proof of presence through Windows Hello is required before the timeline history can be viewed. The SQLite database that stores the history, which was previously unencrypted on disk and readable by any process running as the logged-in user, will now be encrypted.
AC: The original announcement of Microsoft Recall drew heavy scrutiny because it raised serious data privacy and security concerns. Moving to an opt-in model instead of activation by default is a predictable outcome, and a welcome one. This topic and similar ones will stay in the public eye as device manufacturers adapt to the requirements of mass AI adoption.
[Research] Teams Of LLM Agents Can Exploit N-Day Vulnerabilities:
A paper released by researchers explored using a coordinated team of LLM agents to exploit vulnerabilities that were disclosed after the model was trained [3]. The paper argues that AI could accelerate the arms race between attackers and defenders by speeding up the discovery and exploitation of vulnerabilities. The evaluation used vulnerabilities in open-source web software.
AC: The research study on LLM agents being able to exploit zero-days has interesting security implications for the future use of LLMs. As these tools are used in concert, they can create vectors for threat actors to compromise systems in unique ways. One of our contributors, SH3LL, noticed that the zero-days in the paper differ from the traditional idea of a completely unknown zero-day vulnerability. In the study, “zero-day vulnerability” is operationally defined as a reproducible, publicly disclosed web vulnerability that could be triggered easily and that was disclosed after the cutoff date of the model’s training. In other words, the vulnerabilities were unknown to the model, not to defenders, which is worth keeping in mind when reading the headline.
[Law] European Union – Top Court Ruling On Anonymity:
The Court of Justice of the EU recently ruled that the general and indiscriminate retention of users’ IP addresses does not in itself constitute a serious violation of fundamental privacy rights [2]. In the court’s reasoning, the public interest in pursuing copyright infringement was held to outweigh an individual’s privacy interest in their IP address.
AC: The CJEU ruling is a surprising one given the EU’s initiative to protect consumer privacy rights. However, many argue that retaining IP addresses does not on its own identify a person: an address is routinely shared by many users behind NAT and carrier-grade NAT, and VPNs are common today. The frequently repeated claim that IP addresses “can be spoofed” is weaker than it sounds in this context, since source-address spoofing does not work for the established TCP sessions that web and file-sharing traffic rely on.
[Cybercrime] ShinyHunters Steals Data From Organizations Via Snowflake:
Reports have surfaced of threat actors who have allegedly stolen the data of an unknown number of organizations through accounts on the cloud data platform Snowflake [7]. Snowflake itself has reported no evidence of a vulnerability in or breach of its platform, attributing the activity to stolen customer credentials used against accounts without multi-factor authentication [8]. Snowflake and CISA have published guidance on how organizations can investigate whether they are at risk and how to mitigate it if unauthorized users have gained access [9].
AC: The impact of the alleged ShinyHunters attack is still yet to be identified; however, there is reason to believe more organizations have been affected than those who self-identify. Any organization that uses Snowflake is advised to investigate for unauthorized access using Snowflake’s article [8]: review login history for single-factor logins and unfamiliar source IPs and client types, enforce MFA (or key-pair or SSO authentication for service accounts), restrict access with network policies, and rotate the credentials of any account that shows suspicious activity.
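The login-history review recommended above, as an added example that is not Snowflake’s code and not taken from the cited advisory. It works on an export shaped like the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view and flags successful logins that were password-only, came from outside an assumed trusted CIDR range, or followed a failed attempt from the same address. The sample rows, the trusted range 198.51.100.0/24 and the attacker address 203.0.113.77 are constructed for the example.

```python
"""
Triage of exported Snowflake login history for the pattern behind the
credential-based Snowflake customer intrusions: password-only logins from
IP space the organisation does not own.

Added example for this report; not Snowflake's code and not from the cited
advisory. Column names follow the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view.
The rows in SAMPLE_CSV are constructed, and TRUSTED_CIDRS is an assumption
standing in for your own egress ranges.

The rows would be exported with a query of the form:
    SELECT EVENT_TIMESTAMP, USER_NAME, CLIENT_IP, REPORTED_CLIENT_TYPE,
           FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS
    FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
    WHERE EVENT_TIMESTAMP >= DATEADD(day, -30, CURRENT_TIMESTAMP());
"""
import csv
import io
import ipaddress

# Assumed corporate egress range (TEST-NET-2); replace with your network policy ranges.
TRUSTED_CIDRS = ["198.51.100.0/24"]

# Constructed sample export. 203.0.113.77 (TEST-NET-3) plays the attacker.
SAMPLE_CSV = """EVENT_TIMESTAMP,USER_NAME,CLIENT_IP,REPORTED_CLIENT_TYPE,FIRST_AUTHENTICATION_FACTOR,SECOND_AUTHENTICATION_FACTOR,IS_SUCCESS
2024-06-03 08:12:44,ALICE,198.51.100.23,SNOWFLAKE_UI,PASSWORD,DUO_PUSH,YES
2024-06-03 09:40:10,SVC_ETL,198.51.100.40,JDBC_DRIVER,PASSWORD,,YES
2024-06-04 02:03:51,SVC_ETL,203.0.113.77,OTHER,PASSWORD,,YES
2024-06-04 02:05:02,BOB,203.0.113.77,OTHER,PASSWORD,,NO
2024-06-04 02:06:30,BOB,203.0.113.77,OTHER,PASSWORD,,YES
2024-06-04 10:15:00,CAROL,198.51.100.23,SNOWFLAKE_UI,SAML2_ASSERTION,,YES
"""


def parse_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def is_trusted(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def password_only(row):
    # SSO and key-pair logins also leave the second factor empty, so test the
    # first factor explicitly: only PASSWORD with no second factor is single-factor.
    return (row["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
            and not row["SECOND_AUTHENTICATION_FACTOR"])


def triage(csv_text, trusted_cidrs=TRUSTED_CIDRS):
    """Successful logins worth investigating, oldest first, with the reasons flagged."""
    rows = sorted(parse_rows(csv_text), key=lambda r: r["EVENT_TIMESTAMP"])
    failed = set()  # (user, ip) pairs that failed before a later success
    findings = []
    for r in rows:
        key = (r["USER_NAME"], r["CLIENT_IP"])
        if r["IS_SUCCESS"] != "YES":
            failed.add(key)
            continue
        reasons = []
        if password_only(r):
            reasons.append("password_only")
        if not is_trusted(r["CLIENT_IP"], trusted_cidrs):
            reasons.append("untrusted_ip")
        if key in failed:
            reasons.append("failed_then_success")
        if reasons:
            findings.append({"time": r["EVENT_TIMESTAMP"], "user": r["USER_NAME"],
                             "ip": r["CLIENT_IP"], "client": r["REPORTED_CLIENT_TYPE"],
                             "reasons": reasons})
    return findings


def mfa_gaps(csv_text):
    """Users who completed at least one password-only login: the accounts to move
    to enforced MFA (or key-pair/SSO for service users) first."""
    return sorted({r["USER_NAME"] for r in parse_rows(csv_text)
                   if r["IS_SUCCESS"] == "YES" and password_only(r)})


if __name__ == "__main__":
    for f in triage(SAMPLE_CSV):
        print(f["time"], f["user"], f["ip"], f["client"], ",".join(f["reasons"]))
    print("MFA gaps:", mfa_gaps(SAMPLE_CSV))
```

On the constructed rows the service account SVC_ETL shows up twice (password-only from the trusted range, then password-only from the attacker address), and BOB’s success from the same address follows a failed attempt, which is the ordering to prioritise when rotating credentials.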
[Cybercrime] Russia & Belarus – Sticky Werewolf Expands Cyber Attacks:
A group known as Sticky Werewolf has carried out further cyber-attacks aimed at a pharmaceutical company, a Russian research institute dealing in microbiology and vaccine development, and the aviation sector [4]. The initial access vector matches the group’s previous attacks: phishing emails. This campaign used a RAR attachment containing two LNK files and a decoy PDF that invites the user to open the LNK files to reach a video conference and its agenda. Each LNK executes a binary hosted on a WebDAV server, which launches an obfuscated Windows batch script. That script runs an AutoIt script that injects the final payload (RATs and information stealers).
AC: Sticky Werewolf has a long history of targeting governmental organizations with phishing and RATs. This campaign marks a divergence from its past targeting. No state actor has been tied to this group so far.
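One way to detect the delivery chain described above from endpoint telemetry, as an added example that is not from the cited article or the group’s tooling: walk Sysmon-style process-creation events and flag an AutoIt process whose ancestry contains, in order, a binary started straight off a WebDAV share and a cmd.exe running a batch file. The events, the host 203.0.113.10 and all file names are constructed for the example.

```python
"""
Detection of the LNK -> WebDAV-hosted binary -> cmd.exe batch script -> AutoIt
chain over Sysmon-style process-creation events (a subset of Event ID 1 fields).

Added example for this report; not from the cited article and not the group's
tooling. SAMPLE_EVENTS, the host 203.0.113.10 and every path are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the started process
    cmdline: str  # its command line


# Windows WebDAV mini-redirector path syntax: \\host@80\DavWWWRoot\... or
# \\host@SSL\... . A process image on such a path was started directly from a
# remote WebDAV share, which is how the LNK files fetch the first stage.
WEBDAV_UNC = re.compile(r"\\\\[^\\\s]+@(80|443|SSL)(\\DavWWWRoot)?\\", re.IGNORECASE)
BATCH_ARG = re.compile(r"\.(bat|cmd)\b", re.IGNORECASE)
AUTOIT = re.compile(r"autoit3?\.exe|\.a3x\b", re.IGNORECASE)

# Ordered stages; a hit needs all three in this order along one ancestry.
STAGES = (
    ("webdav_exec", lambda e: bool(WEBDAV_UNC.search(e.image) or WEBDAV_UNC.search(e.cmdline))),
    ("batch", lambda e: e.image.lower().endswith("cmd.exe") and bool(BATCH_ARG.search(e.cmdline))),
    ("autoit", lambda e: bool(AUTOIT.search(e.image) or AUTOIT.search(e.cmdline))),
)


def stage_of(e):
    for name, matches in STAGES:
        if matches(e):
            return name
    return None


def ancestry(by_pid, pid):
    """The process and its ancestors, leaf first; stops at an unknown parent or a cycle."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def detect_chain(events):
    """(pid, stages) for every AutoIt-stage process whose ancestry, root first,
    contains the WebDAV and batch stages before it, in that order."""
    by_pid = {e.pid: e for e in events}
    want = [name for name, _ in STAGES]
    hits = []
    for e in events:
        if stage_of(e) != want[-1]:
            continue
        stages = [s for s in map(stage_of, reversed(ancestry(by_pid, e.pid))) if s]
        matched = 0
        for s in stages:
            if matched < len(want) and s == want[matched]:
                matched += 1
        if matched == len(want):
            hits.append((e.pid, stages))
    return hits


# Constructed telemetry: one malicious chain plus benign noise.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # user opens the LNK; its target is an exe on the actor's WebDAV server
    ProcEvent(200, 100, r"\\203.0.113.10@80\DavWWWRoot\Agenda\VideoConference.exe",
              r"\\203.0.113.10@80\DavWWWRoot\Agenda\VideoConference.exe"),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\upd.bat"'),
    ProcEvent(400, 300, r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe",
              r"AutoIt3.exe C:\Users\u\AppData\Local\Temp\s.a3x"),
    # benign: a build script, and a legitimately installed AutoIt run from explorer
    ProcEvent(500, 100, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\build\run.bat"'),
    ProcEvent(600, 500, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent(700, 100, r"C:\Program Files\AutoIt3\AutoIt3.exe", r"AutoIt3.exe C:\tools\tidy.a3x"),
]

if __name__ == "__main__":
    for pid, stages in detect_chain(SAMPLE_EVENTS):
        print(f"pid {pid}: {' -> '.join(stages)}")
```

Requiring the full ordered chain rather than any single stage is what keeps the benign AutoIt process (pid 700) and the build script (pid 500) out of the alert; each stage on its own is common on developer machines.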
[Cybercrime] Operation Endgame:
The FBI recently announced Operation Endgame: a coordinated multinational cyber operation by the US, Denmark, France, Germany, the Netherlands, and the UK, with assistance from Europol and Eurojust [1]. The goal of the operation was to dismantle criminal infrastructure responsible for hundreds of millions of dollars in damages worldwide. Law enforcement in Ukraine, Portugal, Romania, Lithuania, Bulgaria, and Switzerland supported police actions to arrest or interview suspects, conduct searches, and seize or take down servers. Over 100 malware servers were taken down or disrupted. Several malware families used as loaders and botnets were disrupted during the operation (IcedID, SystemBC, Pikabot, SmokeLoader, Bumblebee, and Trickbot) [6].
AC: Finally, we have a tremendous multinational law enforcement effort announced by the FBI. This has been quite a busy year for global law enforcement efforts to curb the threats posed by cybercriminals. While the IC3 has received an average of around 800,000 cybercrime-related complaints each year, reported losses have risen from $6.9 billion in 2021 to $12.5 billion in 2023 [10]. Global operations such as Endgame are vital to the security of organizations.
END TEARLINE
Final Analyst Comments:
Thank you for reading the first in a series of weekly open-source intelligence reports. I will be aiming to release them on Monday mornings, but exceptional circumstances could change this. Special reports will be released separately as events warrant them. This concludes this week’s Intelphreak report.
Analyst: ResidentGood
END REPORT
If you are interested in anything cybersecurity, come check out our Discord.
Sources:
1. https://www.fbi.gov/news/press-releases/operation-endgame-coordinated-worldwide-law-enforcement-action-against-network-of-cybercriminals
2. https://www.techdirt.com/2024/06/07/top-eu-court-says-theres-no-right-to-online-anonymity-because-copyright-is-more-important/
3. https://arxiv.org/abs/2406.01637
4. https://thehackernews.com/2024/06/sticky-werewolf-expands-cyber-attack.html
5. https://thehackernews.com/2024/06/microsoft-revamps-controversial-ai.html
6. https://www.proofpoint.com/us/blog/threat-insight/major-botnets-disrupted-global-law-enforcement-takedown
7. https://www.zerofox.com/blog/shinyhunters-an-insight-into-future-extortion-tactics/
8. https://community.snowflake.com/s/article/Communication-ID-0108977-Additional-Information
9. https://www.cisa.gov/news-events/alerts/2024/06/03/snowflake-recommends-customers-take-steps-prevent-unauthorized-access
10. https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf