Guardian Hacker – GPT

We already have Cyber Sentinel – CISO GPT and Compliance Guardian GPT, the latter of which covers the compliance aspects of cybersecurity.

Cyber Sentinel – CISO GPT: https://chat.openai.com/g/g-D6ez5SODg-cyber-sentinel-ciso-gpt

Compliance Guardian – GPT : https://chat.openai.com/g/g-0O865OIxV-compliance-guardian

We have now released Guardian Hacker, a GPT covering Security Engineering, Security Architecture, DevSecOps, and Red Team/Tiger Team knowledge on how to protect your organization better.

Guardian Hacker GPT – https://chat.openai.com/g/g-Pt7oZWwQW-guardian-hacker

Linkedin Post: https://www.linkedin.com/pulse/guardian-hacker-gpt-cisomarketplace-774yc/

Question 1

What are the latest hacking groups and what types of attacks are they utilizing to breach companies?

Response:

The current landscape of cybersecurity threats involves a range of sophisticated hacking groups employing diverse attack methodologies to breach companies. Here’s an overview of the latest hacking groups and the types of attacks they are utilizing:

  1. Gamaredon: This group has been particularly active and evolving in its attack methods. They have demonstrated rapid data exfiltration capabilities, capable of transmitting sensitive information within an hour of initial compromise.
  2. Ransomware Groups: The rise in ransomware attacks continues to be a significant threat. Groups like Lockbit, Lazarus, Black Basta, Hive, and Conti are notable for their activities. These groups often encrypt an organization’s data and demand a ransom for its release.
  3. Anonymous Sudan: Engaging in politically motivated hacktivism, this group has targeted Swedish and Danish organizations and critical infrastructure with denial-of-service attacks under the banners #OpSweden and #OpDenmark.
  4. Konni: This group uses phishing attacks, leveraging Russian-language Microsoft Word documents to deliver malware that harvests sensitive information from Windows hosts. Konni is linked with the North Korean cluster known as Kimsuky or APT43.

In addition to these groups, various sophisticated hacking techniques have been identified in 2023:

  • SaaS Phishing: Hackers are using SaaS-based phishing to steal login credentials by hijacking legitimate software and creating credential-stealing pages that mimic legitimate login pages.
  • Malware like Snake Keylogger: This code records a user’s keystrokes to collect login data, making it a significant threat due to its stealthy nature.
  • Malware-Infected Documents in Communication Platforms: Hackers are dropping malware-infected documents into Microsoft Teams chats, exploiting the increasing reliance on communication platforms.
  • Exploitation of AI Chatbots: Vulnerabilities in AI chatbots, like ChatGPT, are being exploited by hackers to execute effective cyber-attacks.
  • QRishing: A newer form of phishing where QR codes in advertisements are replaced with malicious ones to steal data.
  • Smishing: Similar to phishing, but these fake messages are sent to mobile phones instead of email addresses.
  • Developer Account Hacking: As businesses increasingly work with developers, the risk of hackers targeting developer accounts rises.
  • Drone Hacking: As drone technology becomes more prevalent in business operations, they become attractive targets for hackers.
  • IoT Device Hacking: With a 98% increase in attacks on IoT devices in 2022, the targeting of poorly secured IoT devices remains a major concern.

Each of these groups and techniques highlights the evolving nature of cyber threats, necessitating constant vigilance and adaptation in cybersecurity strategies.

Question 2

Can you give us some information on how Volt Typhoon was utilizing LOLBins to breach companies and bypass EDR?

Response:

Volt Typhoon, identified as a state-sponsored Chinese Advanced Persistent Threat (APT) group, has been actively targeting critical infrastructure organizations in the United States and Asia since mid-2021. Their main focus is on cyber espionage campaigns, and they have shown a particular proficiency in using Living Off The Land Binaries (LOLBins) to evade detection and remain undetected within their target’s networks.

Their attack methodology typically involves the following steps:

  1. Initial Access: Volt Typhoon primarily gains initial access through compromised valid accounts. They also exploit vulnerabilities in public-facing applications and devices, such as Fortinet FortiGuard, ManageEngine ADSelfService Plus (CVE-2021-40539), and FatPipe (CVE-2021-27860). Once inside, they use the privileges of the compromised devices to extract credentials and authenticate to other devices on the network.
  2. Execution: They use tools like Windows Management Instrumentation for discovery, credential dumping, and command execution. Additionally, they utilize PowerShell and Windows Command Shell to execute malicious commands on compromised hosts.
  3. Persistence: For maintaining persistent access, Volt Typhoon deploys backdoor web shells, which appear to be derivatives of the Awen webshell, featuring AES-encrypted or base64-encoded communication capabilities for command and control (C2).
  4. Defense Evasion: To hide their presence, they selectively remove Windows Event Logs, system logs, and other evidence of their malicious activity.
  5. Credential Access: They focus on gathering credentials from victims’ networks, which aids in navigating and executing commands without raising alerts. Techniques include extracting the ntds.dit file and SYSTEM registry hive from Windows domain controllers or volume shadow copies.
  6. Discovery: Volt Typhoon conducts network reconnaissance to discover users, hosts, and services, information which is then used in data exfiltration and lateral movement.
  7. Data Exfiltration: They have been observed dumping information from local web browser applications and staging collected data in password-protected archives for exfiltration.
  8. Command and Control (C2): Volt Typhoon typically signs in with valid credentials, blending in with normal network activity. They route traffic through compromised small office and home office (SOHO) network equipment like routers, firewalls, and VPN hardware. Additionally, they use custom versions of open-source tools like Impacket and Fast Reverse Proxy (FRP) to establish a C2 channel over proxy.

Their methods are sophisticated, focusing on stealth and hands-on-keyboard activity. They rarely use malware in their post-compromise activity, relying instead on living-off-the-land commands to find information, discover additional devices, and exfiltrate data. This approach makes it challenging for traditional Endpoint Detection and Response (EDR) solutions to detect their activities, as they blend in with legitimate operations.

Volt Typhoon’s techniques exemplify the increasing sophistication of APT groups in bypassing conventional cybersecurity defenses, emphasizing the need for organizations to adopt multi-layered security strategies and remain vigilant against evolving threats.
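The living-off-the-land sequence in the answer above (shadow-copy extraction of ntds.dit and the SYSTEM hive, event log clearing, remote execution through WMI) is still visible in process-creation telemetry, because the binaries are legitimate but their argument patterns are not. The following Python script is an added example, not code from the original post or from any vendor or agency report: it applies command-line heuristics to Sysmon Event ID 1 style records and then correlates hits per host, so that a single vssadmin run by a backup account does not alert on its own. The host names, account names and log records are constructed for illustration.

```python
"""Heuristic LOLBin detection over Windows process-creation events.

Added example (not from the original post). Flags the Volt Typhoon-style
tradecraft described above: credential access via ntds.dit / SYSTEM hive
extraction from volume shadow copies, defense evasion via event log
clearing, and remote execution through WMI. All records are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample records: (host, user, image, command line).
# DC01 shows a full credential-theft-then-cleanup chain; the other two
# hosts show single, mostly benign-looking commands.
SAMPLE_EVENTS = [
    ("DC01", r"CORP\svc_backup", r"C:\Windows\System32\vssadmin.exe",
     "vssadmin create shadow /for=C:"),
    ("DC01", r"CORP\svc_backup", r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Windows\Temp\n.dit"),
    ("DC01", r"CORP\svc_backup", r"C:\Windows\System32\reg.exe",
     r"reg save HKLM\SYSTEM C:\Windows\Temp\s.hiv"),
    ("DC01", r"CORP\svc_backup", r"C:\Windows\System32\wevtutil.exe",
     "wevtutil cl Security"),
    ("WS-FIN-07", r"CORP\jdoe", r"C:\Windows\System32\wbem\wmic.exe",
     'wmic /node:"10.0.5.21" process call create "cmd.exe /c whoami"'),
    ("WS-FIN-07", r"CORP\jdoe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -NoProfile Get-Process"),
    ("SRV-BACKUP", r"CORP\svc_backup", r"C:\Windows\System32\vssadmin.exe",
     "vssadmin list shadows"),  # benign: listing, not creating, shadows
]

# Each rule: (phase.technique label, regex applied to the lower-cased command line).
RULES = [
    ("credential_access.shadow_copy", re.compile(r"vssadmin(\.exe)?\s+create\s+shadow")),
    ("credential_access.ntds_ifm", re.compile(r"ntdsutil.*?\bifm\b")),
    ("credential_access.ntds_copy", re.compile(r"(copy|xcopy|esentutl).*?ntds\.dit")),
    ("credential_access.system_hive", re.compile(r"reg(\.exe)?\s+save\s+hklm\\system")),
    ("defense_evasion.clear_eventlog", re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b")),
    ("defense_evasion.clear_eventlog", re.compile(r"clear-eventlog")),
    ("execution.wmi_remote", re.compile(r"wmic(\.exe)?\s+.*?/node:.*?process\s+call\s+create")),
    ("execution.wmi_remote", re.compile(r"invoke-wmimethod.*?win32_process.*?create")),
]


@dataclass
class Finding:
    host: str
    user: str
    technique: str
    command_line: str


def classify(command_line: str) -> list[str]:
    """Return the distinct technique labels whose pattern matches the command line."""
    lowered = command_line.lower()
    hits: list[str] = []
    for label, pattern in RULES:
        if pattern.search(lowered) and label not in hits:
            hits.append(label)
    return hits


def scan(events) -> list[Finding]:
    """Run every rule over every event; one Finding per (event, technique) pair."""
    findings = []
    for host, user, _image, cmd in events:
        for technique in classify(cmd):
            findings.append(Finding(host, user, technique, cmd))
    return findings


def correlate(findings: list[Finding], min_phases: int = 2) -> dict[str, list[str]]:
    """Hosts that show at least min_phases distinct phases (credential_access,
    defense_evasion, execution). A lone hit is noise on a domain controller;
    credential theft followed by log clearing on the same host is not."""
    phases_by_host: dict[str, set[str]] = {}
    for f in findings:
        phases_by_host.setdefault(f.host, set()).add(f.technique.split(".")[0])
    return {h: sorted(p) for h, p in phases_by_host.items() if len(p) >= min_phases}


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host:10} {f.user:18} {f.technique:32} {f.command_line}")
    print("escalate:", correlate(hits))
```

The point to take from this is the second stage: every one of these commands has a legitimate use on a domain controller, so the signal is the combination of credential access and defense evasion on one host, not any single hit (a production version would also bound the correlation by a time window, which this example omits). And because the group clears Windows Event Logs after the fact, the correlation only works if process-creation events were forwarded to a collector before the clearing happened.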

Question 3

Can you give us a breakdown on how the MGM and Caesars casinos were breached and how much was extorted?

Response:

The breaches of MGM and Caesars casinos were significant cyberattacks that resulted in substantial data theft and financial impacts.

MGM Resorts Cyberattack:

  1. Extent of the Breach: MGM Resorts confirmed that hackers stole an unspecified amount of customers’ personal information during a September cyberattack. The data included names, contact information, gender, dates of birth, and driver license numbers. For some customers, Social Security numbers and passport details were also accessed.
  2. Financial Impact: The attack is estimated to cost MGM around $100 million. This includes a reduction in third-quarter profit and around $10 million in one-time expenses related to the cyberattack, mainly on technology consulting services, legal fees, and expenses of other third-party advisors.
  3. Ransom Demand: MGM Resorts reportedly did not pay the attackers’ ransom demand, the amount of which is not yet known. The company expects its cyber insurance policy to be sufficient to cover the financial impact, but the full scope of the costs and impacts has not been determined.
  4. Operational Disruption: The cyberattack caused widespread disruption across MGM’s properties, shutting down ATMs and slot machines and pulling the company’s website and online booking systems offline. While the company claimed that the attack had been fully contained and operations had returned to normal, some services were still not operational at the time of reporting.

Caesars Entertainment Cyberattack:

  1. Data Theft: Caesars Entertainment reported that hackers stole a significant amount of customer data in a recent cyberattack. The data included driver license numbers and Social Security numbers of many loyalty program members.
  2. Ransom Payment: Caesars reportedly paid about half of the $30 million demanded by the hackers to prevent the disclosure of stolen data. The company took steps to ensure the stolen data was deleted by the unauthorized actor, although this could not be guaranteed.
  3. Method of Attack: The breach resulted from a social engineering attack on an IT vendor used by Caesars. The attack was thought to be carried out by the Scattered Spider group, known for using social engineering to gain access to large corporate networks.
  4. Group’s Involvement: The Scattered Spider group, also known as UNC3944, was identified as one of the most disruptive hacking outfits in the United States, with effective social engineering tactics. They were known to reach out to target organizations’ information security teams by phone, pretending to be an employee needing a password reset.

Both the MGM and Caesars breaches highlight the growing sophistication and scale of cyberattacks on major corporations, underscoring the critical need for robust cybersecurity measures and continuous vigilance against social engineering tactics.
