One of the latest and most concerning developments is the link between the notorious Scattered Spider cybercrime gang and the Qilin ransomware attacks. This connection, recently highlighted by Microsoft, underscores the growing sophistication and danger posed by these cybercriminals.
Scattered Spider, also known as Octo Tempest, is a cybercrime group that has been active in various malicious activities. They are known for their advanced tactics and persistent efforts to breach security defenses. Their operations have been marked by a high degree of organization and technical prowess, making them a formidable adversary in the cybersecurity world.
“In the second quarter of 2024, financially motivated threat actor Octo Tempest, our most closely tracked ransomware threat actor, added RansomHub and Qilin to its ransomware payloads in campaigns,” said Microsoft.
Qilin ransomware is a relatively new addition to the arsenal of cyber threats. Ransomware, in general, is a type of malicious software designed to block access to a computer system or data until a ransom is paid.
Qilin ransomware follows this pattern but has enhanced capabilities, making it particularly dangerous. It encrypts files on the victim’s system, rendering them inaccessible, and demands a ransom for the decryption key.
Microsoft’s recent findings have linked Scattered Spider to the deployment of Qilin ransomware in their attacks. This connection is significant for several reasons. Firstly, it indicates that Scattered Spider continuously evolves its tactics and tools to stay ahead of cybersecurity defenses. By incorporating Qilin ransomware into their operations, they have added a potent weapon to their formidable arsenal.
Secondly, this link highlights the increasing collaboration and resource-sharing among cybercriminal groups. The use of Qilin ransomware by Scattered Spider suggests that these groups are not working in isolation but are instead leveraging each other’s tools and techniques to maximize their impact.
The impact of these attacks can be devastating. Ransomware attacks, in general, can lead to significant financial losses, operational disruptions, and reputational damage for the affected organizations. The involvement of a sophisticated group like Scattered Spider only amplifies these risks.
Their ability to breach security defenses and deploy advanced ransomware like Qilin means that no organization is safe from their reach.
In response, Microsoft announced changes to Recall. Initially planned for a broad release on June 18, 2024, it will first be available to Windows Insider Program users. The company assured that Recall would be turned off by default and emphasised its commitment to privacy and security. Despite these assurances, Microsoft declined to comment on claims that the tool posed a security risk.
Recall was showcased during Microsoft's developer conference, with Yusuf Mehdi, Corporate Vice President, highlighting its ability to access virtually anything on a user's PC. Following its debut, the ICO vowed to investigate privacy concerns. On June 13, Microsoft announced updates to Recall, reinforcing its "commitment to responsible AI" and privacy principles.
Adobe Overhauls Terms of Service
Adobe faced a wave of criticism after updating its terms of service, which many users interpreted as allowing the company to use their work for AI training without proper consent. Users were required to agree to a clause granting Adobe a broad licence over their content, leading to suspicions that Adobe was using this content to train generative AI models like Firefly.
Adobe officials, including President David Wadhwani and Chief Trust Officer Dana Rao, denied these claims and clarified that the terms were misinterpreted. They reassured users that their content would not be used for AI training without explicit permission, except for submissions to the Adobe Stock marketplace. The company acknowledged the need for clearer communication and has since updated its terms to explicitly state these protections.
The controversy began with Firefly's release in March 2023, when artists noticed AI-generated imagery mimicking their styles. Users like YouTuber Sasha Yanshin cancelled their Adobe subscriptions in protest. Adobe's Chief Product Officer, Scott Belsky, admitted the wording was unclear and emphasised the importance of trust and transparency.
Meta Faces Scrutiny Over AI Training Practices
Meta, the parent company of Facebook and Instagram, has also been criticised for using user data to train its AI tools. Concerns were raised when Martin Keary, Vice President of Product Design at Muse Group, revealed that Meta planned to use public content from social media for AI training.
Meta responded by assuring users that it only used public content and did not access private messages or information from users under 18. An opt-out form was introduced for EU users, but U.S. users have limited options due to the lack of national privacy laws. Meta emphasised that its latest AI model, Llama 2, was not trained on user data, but users remain concerned about their privacy.
Suspicion arose in May 2023, with users questioning Meta's security policy changes. Meta's official statement to European users clarified its practices, but the opt-out form, available under Privacy Policy settings, remains a complex process. The company can only address user requests if they demonstrate that the AI "has knowledge" of them.
The recent actions by Microsoft, Adobe, and Meta highlight the growing tensions between tech giants and their users over data privacy and AI development. As these companies navigate user concerns and regulatory scrutiny, the debate over how AI tools should handle personal data continues to intensify. The tech industry's future will heavily depend on balancing innovation with ethical considerations and user trust.
“Rapid7 observed that the websites were masquerading as Microsoft Teams websites, enticing users into believing they were downloading legitimate software when, in reality, they were downloading the threat actor’s malicious software,” said the report.
The modus operandi of this campaign involves luring users to malicious websites. The threat actors create typo-squatted sites that closely mimic legitimate platforms. For instance, users searching for Microsoft Teams might inadvertently land on a fake Microsoft Teams download page. These malicious websites host supposed software installers, enticing users to download and install the application.
However, the catch lies in the content of these fake installers. When users download them, they unknowingly execute the Oyster backdoor. This stealthy piece of malware allows attackers to gain unauthorized access to compromised systems.
Once the backdoor is in place, attackers can engage in hands-on keyboard activity, directly interacting with the compromised system. Furthermore, the Oyster backdoor can deploy additional payloads after execution, potentially leading to further compromise or data exfiltration.
The impact on users who fall victim to this malvertising campaign can be severe. They inadvertently install the Oyster backdoor on their systems, providing attackers with a foothold. From there, attackers can escalate privileges, steal sensitive information, or launch other attacks.
To reduce such risks, users should remain vigilant:
Microsoft discovered a new North Korean threat actor, Moonstone Sleet (formerly Storm-1789), that targets companies with a combination of tried-and-true techniques used by other North Korean threat actors and unique attack methodologies, for both financial gain and cyber espionage.
Moonstone Sleet has been detected setting up fake companies and job opportunities to engage with potential targets, using trojanized copies of legitimate tools, developing a fully functional malicious game, and delivering new custom ransomware.
Moonstone Sleet is the threat actor behind a series of malicious activities that Microsoft assesses to be North Korean state-aligned. It combines tried-and-true techniques used by other North Korean threat actors with novel attack methodologies.
When Microsoft first discovered Moonstone Sleet activity, the actor showed strong similarities to Diamond Sleet, reusing code from known Diamond Sleet malware such as Comebacker and employing well-established Diamond Sleet techniques to gain access to organizations, such as using social media to deliver trojanized software.
However, Moonstone Sleet swiftly adopted its own unique infrastructure and attacks. Microsoft has since observed Moonstone Sleet and Diamond Sleet operating concurrently, with Diamond Sleet continuing to use much of its well-known, established tradecraft.
Moonstone Sleet has a diverse collection of operations that serve its financial and cyberespionage goals. These include delivering proprietary ransomware, building a malicious game, establishing bogus firms, and employing IT personnel.
Moonstone Sleet’s emergence highlights the need for organizations to remain vigilant. Here’s why:
Last year, China-backed hackers infiltrated Microsoft Exchange servers, compromising countless accounts. The breach exposed a critical vulnerability, allowing unauthorized access to sensitive information. What compounded the issue was Microsoft’s initial response. The company failed to provide accurate information about the breach, leaving customers in the dark. The Federal Cybersecurity Review Board criticized Microsoft for not rectifying misleading statements promptly.
In its research, Google criticizes Microsoft for failing to accurately characterize a security breach that occurred last year in which China-backed hackers accessed Microsoft Exchange's networks, allowing them to access any Exchange account. Google cites the federal cybersecurity review board's findings that Microsoft customers lacked sufficient information to assess if they were at risk at the time, and Microsoft made a "decision not to correct" comments about the breach that the board found "inaccurate."
Beyond the Exchange breach, Microsoft faced other cybersecurity setbacks. Russian hackers gained access to the company’s source code, raising concerns about the integrity of its software. Additionally, senior leadership’s email accounts were compromised, highlighting vulnerabilities within Microsoft’s infrastructure. These incidents underscore the need for robust security measures and transparency.
Google, a competitor in the tech space, has seized the opportunity to position its Google Workspace as a safer alternative. The company emphasizes its engineering excellence, cutting-edge defenses, and transparent security culture. Google Workspace offers features like advanced threat protection, data loss prevention, and real-time monitoring. While Google’s motives may be partly self-serving, it raises valid points about the importance of proactive security practices.
Microsoft must address its cybersecurity challenges head-on. Transparency, accurate communication, and rapid incident response are critical. Customers deserve timely information to assess their risk and take necessary precautions.
As organizations increasingly rely on cloud services, trust in providers’ security practices becomes paramount. Microsoft’s reputation hinges on its ability to protect both its systems and its customers’ data.
A recent wave of cyberattacks has seen financially motivated criminals leveraging Windows Quick Assist, a built-in remote control and screen-sharing tool, to deploy Black Basta ransomware on victim networks. Microsoft has investigated these attacks since mid-April 2024, identifying the threat group behind them as Storm-1811.
The attacks typically begin with email bombing, where the target's inbox is flooded with spam emails. This overload is followed by a phone call from the attackers, who impersonate Microsoft technical support or the victim's IT help desk. They offer to help resolve the spam issue, tricking victims into granting remote access via Quick Assist.
Once access is granted, the attackers execute a scripted command to download malicious files, including Qakbot malware, remote monitoring tools like ScreenConnect and NetSupport Manager, and the Cobalt Strike framework. These tools enable the attackers to perform domain enumeration and move laterally across the network. Eventually, they deploy Black Basta ransomware using PsExec, a telnet-replacement tool.
Rapid7, a cybersecurity company that also detected these attacks, noted that the attackers use batch scripts that run PowerShell commands to harvest credentials. These credentials are often exfiltrated to the attackers' server via Secure Copy (SCP). In some cases, credentials are saved to an archive for later retrieval.
To mitigate these attacks, Microsoft advises organisations to disable or uninstall Quick Assist and similar remote tools if they are not used. Employees should be trained to recognise tech support scams and instructed to only allow remote access if they initiated the contact with IT support. Suspicious Quick Assist sessions should be immediately disconnected.
The Black Basta ransomware operation emerged after the Conti cybercrime group disbanded two years ago following multiple data breaches. Black Basta began operating as a Ransomware-as-a-Service (RaaS) in April 2022 and has since attacked numerous high-profile targets, including defence contractor Rheinmetall, technology company Capita, Hyundai's European division, and the American Dental Association.
Recent attacks linked to Black Basta include a ransomware incident at U.S. healthcare giant Ascension, which disrupted ambulance services. According to a joint advisory by CISA and the FBI, Black Basta affiliates have breached over 500 organisations across 12 out of 16 critical infrastructure sectors since April 2022, causing data breaches and encryption.
Health-ISAC, an information sharing and analysis centre, has warned of increased attacks against the healthcare sector by Black Basta. Research by Elliptic and Corvus Insurance indicates that the group has extorted at least $100 million in ransom payments from over 90 victims by November 2023.
Microsoft is enhancing Quick Assist to improve transparency and trust between users, including adding warning messages to alert users about potential scams. Rapid7 observed similar scams targeting their customers, with attackers using other remote monitoring tools like AnyDesk.
To prevent such attacks, organisations should block unapproved remote management tools and train staff to recognise and report suspicious calls and messages. Quick Assist should only be used if the interaction was initiated by contacting official support channels.
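The mitigation advice above (disable or uninstall Quick Assist where it is not used, and disconnect suspicious sessions) can be put into an administrator's hands as a short script. The following PowerShell is an added example written for this page; it is not code from the original article or from Microsoft's guidance. It assumes the host is Windows 10 or 11 where Quick Assist ships either as the Windows capability `App.Support.QuickAssist*` or as the Store app whose package name starts with `MicrosoftCorporationII.QuickAssist`; the exact names and version suffixes should be confirmed on the target build before the removal step is run without `-WhatIf`.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): audit and optionally remove Quick Assist,
# and surface any running Quick Assist process so it can be disconnected.

function Get-QuickAssistState {
    # Windows capability form of Quick Assist (State is 'Installed' or 'NotPresent').
    # Name pattern is an assumption; confirm with Get-WindowsCapability -Online.
    $capability = Get-WindowsCapability -Online |
        Where-Object { $_.Name -like 'App.Support.QuickAssist*' } |
        Select-Object @{n='Kind';e={'Capability'}}, Name, State

    # Store app form of Quick Assist (newer builds). Package name pattern is an assumption.
    $appx = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist*' -ErrorAction SilentlyContinue |
        Select-Object @{n='Kind';e={'AppxPackage'}}, @{n='Name';e={$_.PackageFullName}}, @{n='State';e={'Installed'}}

    @($capability) + @($appx)
}

function Remove-QuickAssist {
    # Removes every installed form found by Get-QuickAssistState.
    # Use -WhatIf first to see what would be removed on this host.
    param([switch]$WhatIf)

    foreach ($item in Get-QuickAssistState) {
        if ($item.State -ne 'Installed') {
            Write-Output "$($item.Name) is already $($item.State)"
            continue
        }
        if ($WhatIf) {
            Write-Output "Would remove $($item.Kind) $($item.Name)"
            continue
        }
        switch ($item.Kind) {
            'Capability'  { Remove-WindowsCapability -Online -Name $item.Name | Out-Null }
            'AppxPackage' { Remove-AppxPackage -AllUsers -Package $item.Name }
        }
        Write-Output "Removed $($item.Kind) $($item.Name)"
    }
}

function Get-QuickAssistSession {
    # Any live QuickAssist.exe process indicates an active or pending session;
    # per the guidance above, a session the user did not initiate should be ended.
    Get-Process -Name 'QuickAssist' -ErrorAction SilentlyContinue |
        Select-Object Id, ProcessName, StartTime
}

# Audit first, then dry-run the removal; drop -WhatIf once the output is reviewed.
Get-QuickAssistState | Format-Table Kind, Name, State -AutoSize
Get-QuickAssistSession
Remove-QuickAssist -WhatIf
```

Run the audit across a fleet through your endpoint management tool rather than by hand, and pair removal with a policy that blocks the other remote-management tools named above (ScreenConnect, NetSupport Manager, AnyDesk) unless they are explicitly approved; removing one tool while the others remain installable leaves the social-engineering path open.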
The recent misuse of Windows Quick Assist to deploy Black Basta ransomware underscores the need for increased vigilance and robust cybersecurity practices to protect digital assets from such social engineering attacks.
Microsoft has introduced a cutting-edge artificial intelligence (AI) model tailored specifically for the US intelligence community, marking a leap forward in secure intelligence analysis. This state-of-the-art AI model operates entirely offline, mitigating the risks associated with internet connectivity and ensuring the utmost security for classified information.
Unlike traditional AI models that rely on cloud services and internet connectivity, Microsoft's new creation is completely isolated from online networks. Developed over a meticulous 18-month period, the model originated from an AI supercomputer based in Iowa, showcasing Microsoft's dedication to innovation in AI technologies.
Leading the charge is William Chappell, Microsoft’s Chief Technology Officer for Strategic Missions and Technology, who spearheaded the project from inception to completion. Chappell emphasises the model's unprecedented level of isolation, ensuring that sensitive data remains secure within a specialised network accessible solely to authorised government personnel.
This groundbreaking AI model provides a critical advantage to US intelligence agencies, empowering them with the capability to analyse classified information with unparalleled security and efficiency. The model's isolation from the internet minimises the risk of data breaches or cyber threats, addressing concerns that have plagued previous attempts at AI-driven intelligence analysis.
However, despite the promise of heightened security, questions linger regarding the reliability and accuracy of the AI model. Similar AI models have exhibited occasional errors or 'hallucinations,' raising concerns about the integrity of analyses conducted using Microsoft's creation, particularly when dealing with classified data.
Nevertheless, the advent of this internet-free AI model represents a significant milestone in the field of intelligence analysis. Sheetal Patel, Assistant Director of the CIA for the Transnational and Technology Mission Center, stressed the competitive advantage this technology provides in the global intelligence landscape, positioning the US at the forefront of AI-driven intelligence analysis.
As the intelligence community adopts this technology, rigorous auditing and oversight become essential to ensure the model's effectiveness and reliability. While the potential benefits are undeniable, it is essential to address any lingering doubts about the AI model's accuracy and security protocols.
In addition to this advancement, Microsoft continues to push the boundaries of AI research and development. The company's ongoing efforts include the development of MAI-1, its largest in-house AI model yet, boasting an impressive 500 billion parameters. Additionally, Microsoft has released smaller, more accessible chatbots like Phi-3-Mini, signalling its commitment to democratising AI technologies.
All in all, Microsoft's introduction of an internet-free AI model for intelligence analysis marks a new era of secure and efficient information processing for government agencies. While challenges and uncertainties remain, the potential impact of this technology on national security and intelligence operations cannot be overstated. As Microsoft continues to innovate in the field of AI, the future of intelligence analysis looks increasingly promising.