Powering Up with Conversational AI

Our friends from SentinelOne shared some great AI insights from last week’s RSAC 2023.  RSAC yet again provided plenty of cutting-edge information as vendors across the cybersecurity space made announcements and revealed new features, services, and products designed to help defenders keep their enterprises safe.[1]

Among these, SentinelOne’s Purple AI is set to be a game-changer as it brings LLM-powered conversational AI to the Singularity platform, allowing threat hunters to replace complex, structured query language with simple questions, from the specific to the vague.  “Am I infected with SmoothOperator?”; “Which endpoints are exposed to Log4J?”; and “What are the most suspicious events in my environment in the last 24 hours?”


The AI returns results along with identified behavior and recommendations for further action.  Coupled with XDR to unite a business’ diverse data sources, AI can help threat-hunting teams overcome the two major challenges of threat hunting: time and skill level.  With many SOC teams struggling with alert fatigue and a skills shortage, Purple AI will provide a much-needed tonic for the troops.

RSAC 2023 also saw SentinelOne announce an exclusive partnership with CNAP specialists Wiz.  Combining SentinelOne’s Cloud Workload Protection with Wiz’s Cloud Native Application Platform is expected to bring huge benefits to enterprise customers needing to manage and secure cloud infrastructure.  For more on what happened at RSAC this week, see our dedicated posts on Days 1, 2, 3, and 4.

PaperCut Vulnerability Leveraged to Deliver Ransomware - PaperCut servers with known vulnerabilities CVE-2023-27350 and CVE-2023-27351 are being exploited to deliver Cl0p and LockBit ransomware, it was discovered this week. Print management software is widely used in enterprises to monitor and control printing tasks.

The vulnerabilities may have been weaponized as early as 13 April, five days prior to the first reported suspicious activity linked to the exploitation of unpatched PaperCut servers.  The vulnerabilities in PaperCut NG and MF products expose the servers to unauthenticated, remote code execution attacks and can also allow unauthorized attackers to steal credentials and PII.


In one in-the-wild case, attackers compromised a target with PowerShell scripts to deliver LockBit ransomware.  Meanwhile, Microsoft reported that a Cl0p-affiliated ransomware gang was conducting multi-stage attacks on vulnerable PaperCut servers that begin with PowerShell delivering a TrueBot payload and then use Cobalt Strike for lateral movement and data exfiltration.

Organizations deploying PaperCut are urged to ensure that all instances are updated as a matter of urgency.

RTM Locker Ransomware Targets Virtual Machine Servers - Recent weeks have seen several examples of how threat actors continue to explore new opportunities for compromise and seek new targets to exploit.  In this regard, we’ve seen LockBit experimenting with macOS ransomware and an increase in payloads targeting Linux, which is widely used in servers and devices common in the enterprise, from routers and printers to IoT ‘smart’ appliances and security cameras.

The latest development is a variant of the RTM Locker ransomware that specifically targets Linux, NAS, and, significantly, virtual machines on VMware ESXi hosts.  ESXi servers have become increasingly popular with the rise of cloud computing and cloud infrastructure to deploy and manage enterprise-level virtual computers, making them attractive targets for threat actors.

The new variant of RTM Locker is said to be based on the leaked Babuk ransomware source code.  On execution, it kills all running VM clients on the ESXi host and begins encrypting files.  Locked files are appended with a .RTM extension and a ransom note entitled !!!Warning!!! is dropped on the compromised server.  The ransomware uses asymmetric encryption, meaning decryption is only possible with possession of the private key held by an attacker.


Source: Uptycs

The hardcoded ransom note shows that victims must install the encrypted chat client Tox to negotiate ransom payments.  Exactly how active the RTM group is now is open to debate, but the developers have been seen advertising for affiliates in darknet forums with English, Russian, and Chinese translations.
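The two file-system artifacts named above (the .RTM extension on encrypted files and the !!!Warning!!! ransom note) are easy to sweep for on a host or datastore.  The following is an added triage example, not code from the report or from Uptycs; the constructed sample tree, the relative-path output, and the assumed threshold of five renamed files are this example's own choices.

```python
import os
import tempfile

# Indicators taken from the RTM Locker description above.
RTM_EXTENSION = ".RTM"           # appended to every encrypted file
RTM_NOTE_NAME = "!!!Warning!!!"  # ransom note dropped on the host
# Assumption: this many renamed files alone is enough to flag a host.
ENCRYPTED_FILE_THRESHOLD = 5


def scan_for_rtm_indicators(root):
    """Walk `root` and collect paths (relative to root) matching RTM indicators."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if name.endswith(RTM_EXTENSION):
                encrypted.append(rel)
            if name == RTM_NOTE_NAME:
                notes.append(rel)
    # A ransom note is a hard indicator; a burst of .RTM files is a soft one.
    flagged = bool(notes) or len(encrypted) >= ENCRYPTED_FILE_THRESHOLD
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "flagged": flagged}


def build_sample_tree(base):
    """Create a constructed, fake datastore layout: one hit VM folder, one clean one."""
    hit = os.path.join(base, "datastore1", "vm01")
    clean = os.path.join(base, "datastore2", "vm02")
    os.makedirs(hit)
    os.makedirs(clean)
    for stem in ("vm01.vmdk", "vm01.vmx", "vm01.nvram"):
        open(os.path.join(hit, stem + RTM_EXTENSION), "w").close()
    with open(os.path.join(base, "datastore1", RTM_NOTE_NAME), "w") as fh:
        fh.write("constructed placeholder note\n")
    open(os.path.join(clean, "vm02.vmdk"), "w").close()


def demo(clean_only=False):
    """Build the sample tree in a temp dir and scan all of it, or only the clean datastore."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        target = os.path.join(tmp, "datastore2") if clean_only else tmp
        return scan_for_rtm_indicators(target)


if __name__ == "__main__":
    print(demo())
```

Point `scan_for_rtm_indicators` at a mounted datastore or backup copy; it only reads directory listings, so it is safe to run on a suspect host during triage.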


Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com 

Weekly Cyber Intelligence Briefings:

Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989


[1] https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-17-4/
