Each month, Cybersixgill’s threat experts provide insights into the latest tactics, techniques, and procedures employed by cybercriminals. Their reports shed light on emerging threats from the underground, detailing the actors involved and offering guidance on risk mitigation strategies. Regular updates on vulnerabilities, ransomware, and malware trends from the deep and dark web are also part of their findings.

Surge in Stolen ChatGPT Credentials on Dark Web

In a notable trend over the past year, approximately 100,000 stolen ChatGPT credentials have surfaced on underground marketplaces, with prices dipping as low as $5, and some even being offered at no cost. This cache includes usernames, passwords, and sensitive personal information linked to user accounts. The implications are significant, given that ChatGPT often holds confidential data derived from user queries, including proprietary information crucial to many businesses.

As organizations increasingly integrate ChatGPT into their workflows, there is a heightened risk that employees may unintentionally expose sensitive content, such as classified corporate data. Cybersixgill’s analysis has revealed multiple postings for these stolen credentials on popular dark web forums, alongside ads for an AI chatbot capable of generating malicious content. Businesses need to implement robust security measures to safeguard against these evolving risks associated with AI tools.

Pro-Russian Hacktivists Target Microsoft Platforms

A prominent pro-Russian hacktivist group has recently launched an attack on several Microsoft platforms, demanding a ransom of $1 million to cease hostilities. This incident echoed a prior Distributed Denial of Service (DDoS) attack targeting Scandinavian Airlines. Initially, Microsoft offered vague explanations for the outages, but later confirmed that the inaccessibility of services like Azure, Outlook, and OneDrive was due to DDoS attacks attributed to this hacktivist collective.

Our threat experts monitored the group boasting about their successful campaign on underground channels, noting an ally’s announcement about a new coalition aimed at destabilizing the European banking system. The uptick in DDoS incidents since the onset of the Ukraine conflict in early 2022, combined with the group’s shift toward extortion, indicates a disturbing trend in politically motivated cybercrime. Organizations must prepare for the possibility of future DDoS campaigns and associated ransom demands.

Emergence of New Malware Targeting Browsers and Password Managers

A newly identified information-stealing malware is gaining traction on Russian cybercrime forums, showing increased sale activity since its debut in April 2023. This malware is designed to compromise nearly 200 different browsers, extensions, and password managers, significantly amplifying the threat landscape for individuals and businesses alike. The malware’s developers have been actively marketing its features, while also responding to inquiries regarding its capabilities.

Upon execution, the malware gathers detailed information about the infected system and transmits screenshots back to its command-and-control servers. It specifically targets valuable data stored across various applications, including web browsers. The service can be rented for a monthly fee of $150, or $390 for four months, revealing the lucrative market for such tools on underground platforms. Organizations must remain vigilant and deploy defensive measures against these persistent threats.

Critical VMware Vulnerability Under Attack

VMware has recently issued an advisory regarding a critical remote code execution vulnerability (CVE-2023-20877), which threat actors are already exploiting in active attacks. Despite the release of an update to address a related command injection issue, two instances of VMware’s Aria Operations for Networks remain unpatched and vulnerable. If successfully leveraged, this flaw could empower adversaries to access networks and inject malicious commands, risking data integrity and system security.

As of early July 2023, Cybersixgill’s DVE module deemed this vulnerability severe, assigning it a score of 9.23 and marking it as a significant risk for unpatched systems. This score may escalate further in light of a publicly accessible proof-of-concept (PoC) posted on GitHub, which heightens concerns about its exploitation by advanced persistent threat (APT) actors who typically evade standard security measures. Our threat experts have observed this PoC circulating in underground forums, suggesting it could be adopted by ransomware groups seeking to launch double extortion attacks.

To stay informed about the evolving landscape of cybersecurity threats, consider subscribing to Cybersixgill’s Beyond the Headlines, a monthly publication offering in-depth insights from our threat research team on the latest trends and tactics employed by cybercriminals operating within the deep and dark web.