Stay Alert

AI-Powered ‘BlackMamba’ Keylogging Attack Evades Modern EDR Security Must Read

Researchers warn that polymorphic malware created with ChatGPT and other LLMs will force a reinvention of security automation.

Elizabeth Montalbano
Contributor, Dark Reading

A proof-of-concept, artificial intelligence (AI)-driven cyberattack that changes its code on the fly can slip past the latest automated security-detection technology, demonstrating the potential for creating undetectable malware.

Researchers from HYAS Labs demonstrated the proof-of-concept attack, which they call BlackMamba, which exploits a large language model (LLM) — the technology on which ChatGPT is based — to synthesize a polymorphic keylogger functionality on the fly. The attack is “truly polymorphic” in that every time BlackMamba executes, it resynthesizes its keylogging capability, the researchers wrote.

The BlackMamba attack, outlined in a blog post, demonstrates how AI can allow the malware to dynamically modify benign code at runtime without any command-and-control (C2) infrastructure, allowing it to slip past current automated security systems that are attuned to look out for this type of behavior to detect attacks.

“Traditional security solutions like endpoint detection and response (EDR) leverage multi-layer, data intelligence systems to combat some of today’s most sophisticated threats, and most automated controls claim to prevent novel or irregular behavior patterns,” the HYAS Labs researchers wrote. “But in practice, this is very rarely the case.”

They tested the attack against an EDR system that was not identified specifically, but characterized as “industry leading,” often resulting in zero alerts or detections.

Using its built-in keylogging ability, BlackMamba can collect sensitive information from a device, including usernames, passwords, and credit card numbers, the researchers said. Once this data is captured, the malware uses a common and trusted collaboration platform — Microsoft Teams — to send the collected data to a malicious Teams channel. From there, attackers can exploit the data in various nefarious ways, selling it on the Dark Web or using it for further attacks, the HYAS Labs researchers said.

“MS Teams is a legitimate communication and collaboration tool that is widely used by organizations, so malware authors can leverage it to bypass traditional security defenses, such as firewalls and intrusion detection systems,” they wrote. “Also, since the data is sent over encrypted channels, it can be difficult to detect that the channel is being used for exfiltration.”

Moreover, because BlackMamba’s delivery system is based on an open source Python package, it allows developers to convert Python scripts into standalone executable files that can be run on various platforms, including Windows, macOS, and Linux, they wrote.
What This Means for Modern Security

AI-powered attacks like this will become more common now as threat actors create polymorphic malware that leverages ChatGPT and other sophisticated, data-intelligence systems based on LLM, according to the HYAS Labs researchers. This, in turn, will force automated security technology to evolve as well to manage and combat these threats.

“The threats posed by this new breed of malware are very real,” the researchers wrote in the post. “By eliminating C2 communication and generating new, unique code at runtime, malware like BlackMamba is virtually undetectable by today’s predictive security solutions.”

Typically, organizations that deploy EDR and other automated security controls as part of a modern security stack believe they’re doing everything in their power to detect and prevent malicious activity. However, BlackMamba’s use of AI now demonstrates that “they are not foolproof,” the HYAS Labs researchers noted.

“The BlackMamba proof-of-concept shows that LLMs can be exploited to synthesize polymorphic keylogger functionality on-the-fly, making it difficult for EDR to intervene,” they wrote.

The security landscape will have to evolve alongside attackers’ use of AI to keep up with the more sophisticated attacks that are on the horizon, according to the researchers. Until then, it’s imperative that organizations “remain vigilant, keep their security measures up to date,” they advised, “and adapt to new threats that emerge by operationalizing cutting-edge research being conducted in this space.”

Article (https://www.darkreading.com/endpoint/ai-blackmamba-keylogging-edr-security?_mc=NL_DR_EDT_DR_weekly_20230309&cid=NL_DR_EDT_DR_weekly_20230309&sp_aid=115492&elq_cid=34964379&sp_eh=949bacdba1e2c4851acc11df0ff47140b1c6468716621bc723fe5fe498198bd9&sp_eh=949bacdba1e2c4851acc11df0ff47140b1c6468716621bc723fe5fe498198bd9&sp_cid=47879)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Axcient
“Where Service and Technical Skills Count”

Microsoft Outlook flooded with spam due to broken email filters

By Sergiu Gatlan February 20, 2023 11:58 AM

Do you want to save up to 10 minutes a day? Wholesale pricing is way to inexpensive not to use (Barracuda Mail Filtering) call to set up a account for you clients we already maintain 1000’s of mailboxes with 3rd level support. Your clients do not need to click on bad links

According to reports from an increasing number of Microsoft customers, Outlook inboxes have been flooded with spam emails over the last nine hours because email spam filters are currently broken.

This ongoing issue was confirmed by countless Outlook users who have reported (on social media platforms and the Microsoft Community’s website) that all messages were landing in their inboxes, even those that would have been previously tagged as spam and sent to the junk folder.

“I’ve received 36 spam emails in my inbox the past 2 hours straight. It’s been happening for way too long and it just continues to get worse on an hourly basis,” one user said.

“Seems to have begun happening between 10pm and midnight Eastern time (I have a successful junk mail at 10:04pm, and the first inbox junk mail at 12:17am),” another added.

Some say that even checking the “Only trust email from addresses in my Safe Senders and domains list and Safe mailing lists” in Junk Mail > Filters doesn’t fix this issue, pointing to the webmail service’s filtering being completely broken.

Despite the stream of customer complaints, the Office service status page shows that “everything is up and running.”

Microsoft is yet to share a public statement confirming Outlook users’ reports that spam filters are broken.

While today the spam filtering issue in Outlook seems to be particularly bad and affecting a massive number of customers, this has been going on for months, with some reporting seeing many spam emails landing in their inbox since at least November 2021.

Microsoft didn’t reply to a request for comment when BleepingComputer reached out earlier today.

Article (https://www.bleepingcomputer.com/news/microsoft/microsoft-outlook-flooded-with-spam-due-to-broken-email-filters/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Axcient
“Where Service and Technical Skills Count”

Bitdefender – MDR w/ XDR, unique in the cybersecurity industry

Are you talking about MDR yet? Managed Detection and Response (MDR) is one of the fastest-growing areas of cybersecurity, delivering superior security outcomes to businesses spanning all sizes and industries. Threat intelligence is real people, not automated. Our pricing on this solution is better than the competition, and we offer full partner margins. Need competitive battlecards? Let me know, and I will get that for you.

Need more info…

What the MDR Landscape Will Look Like in 2023

The managed services industry has made a huge impact and is one of the most significant trends coming out of cybersecurity in the last few years. Gartner® predicts that “by 2025, 50% of organizations will be using MDR services for threat monitoring, detection and response functions that offer threat containment and mitigation capabilities”, while the MDR industry will hit revenues of $1.9B. You can check out our MDR Threat Assessment to be prepared for what lies ahead in 2023

Bitdefender Named Notable Vendor in the New Forrester Landscape for MDR

The new and exciting Forrester Landscape for MDR, Q1 2023 has just been launched!

Access the full report to discover Bitdefender’s positioning and to read Forrester’s analysis of MDR’s market dynamics and evolution, the business values and core capabilities of MDR, as well as Notable MDR Providers by geography, industry and offering type.

MDR & XDR: A Consolidated Approach to a Fully Managed Threat Detection and Response Program Webinar Watch On Demand Now

XDR – or Extended Detection & Response – entered the cybersecurity lexicon roughly five years ago. According to Gartner, by the end of 2027, XDR will be used by up to 40% of end-user organizations – up from 5% today. Why such strong adoption? Though still an emerging technology, XDR integrates, correlates and contextualizes data and alerts from multiple security prevention, detection and response components, and because it’s cloud-delivered, XDR can provide organizations faster and more accurate detections.

While today’s technology does a great job of protecting against many threats, they cannot fully protect against advanced attackers purposefully attempting to breach your customers systems.

Let me know what additional information or resources you may need to support your customer conversations. I’m just a phone call or email away.

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Axcient
“Where Service and Technical Skills Count”

Microsoft: Some WSUS servers might not offer Windows 11 22H2 updates

By Sergiu Gatlan February 14, 2023 03:45 PM

MspPortal Partner leads the Market with Msp’s, Resellers using Security Software Solutions like Bitdefender ( the leader anti-malware protection) and Barracuda Phishing and Spam Filtering On Premise mail servers and O365 and G-suite. We do 3rd level support for all the products we sell we do not outsource tech services out of the country. Protect Your Network and workstations with 2 inexpensive best of breed security solutions

Microsoft says that some WSUS servers upgraded to Windows Server 2022 might fail to push Windows 11, version 22H2 updates released during this month’s Patch Tuesday to endpoints across enterprise environments. Does this surprise you?

This known issue only affects WSUS servers upgraded from Windows Server 2016 or Windows Server 2019.

Microsoft Configuration Manager (part of the Microsoft Endpoint Manager) is not affected by this issue.

“The updates will download to the WSUS server but might not propagate further to client devices. Affected WSUS servers are only those running Windows Server 2022 which have been upgraded from Windows Server 2016 or Windows Server 2019,” Microsoft said.

As Redmond further explains, these problems result from .msu and .wim MIME types being accidentally removed during the upgrade process to Windows Server 2022.

“This issue is caused by the accidental removal of required Unified Update Platform (UUP) MIME types during the upgrade to Windows Server 2022 from a previous version of Windows Server,” the company added.

“This issue might affect security updates or feature updates for Windows 11, version 22H2.”

Microsoft is working on a fix for this known issue and will provide more information with a future update.

Article (https://www.bleepingcomputer.com/news/microsoft/microsoft-some-wsus-servers-might-not-offer-windows-11-22h2-updates/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Axcient
“Where Service and Technical Skills Count”

Microsoft 365 outage takes down Teams, Exchange Online, Outlook

By Sergiu Gatlan January 25, 2023 04:11 AM

MspPortal Partners Comment: I hate to say this but all companies are a gluten for punishment, Microsoft needs to stay in the Software development space not the hosting environment. There support is one of the worst in the industry, they need to refund dollars for downtime.
There is much better products in the market place.

Microsoft is investigating an ongoing outage impacting multiple Microsoft 365 services after customers have reported experiencing connection issues.

“We’re investigating issues impacting multiple Microsoft 365 services. We’ve identified a potential networking issue and are reviewing telemetry to determine the next troubleshooting steps,” the Microsoft 365 team said in a Twitter thread.

“We’ve isolated the problem to networking configuration issues, and we’re analyzing the best mitigation strategy to address these without causing additional impact.

According to Redmond, users across all regions currently being serviced by the impacted infrastructure may be unable to access the affected Microsoft 365 services.

The list of services impacted by this outage includes Microsoft Teams, Exchange Online, Outlook, SharePoint Online, OneDrive for Business, PowerBi, Microsoft 365 Admin Center, Microsoft Graph, Microsoft Intune, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity, as revealed in a service health notification.

We’re investigating issues impacting multiple Microsoft 365 services. More info can be found in the admin center under MO502273.
— Microsoft 365 Status (@MSFT365Status) January 25, 2023

The Azure team shared additional information related to this incident on the Microsoft Azure service status page.

“Starting at 07:05 UTC on 25 January 2023, customers may experience issues with networking connectivity, manifesting as network latency and/or timeouts when attempting to connect to Azure resources in Public Azure regions, as well as other Microsoft services including M365, PowerBI,” the update reads.

“We’ve determined the network connectivity issue is occurring with devices across the Microsoft Wide Area Network (WAN). This impacts connectivity between clients on the internet to Azure, as well as connectivity between services in datacenters, as well as ExpressRoute connections.

“The issue is causing impact in waves, peaking approximately every 30 minutes. We are actively investigating and will share updates as soon as more is known.”

At the moment, some customers also have issues loading the Microsoft Azure status page, which intermittently displays “504 Gateway Time-out” errors.
Azure status page error

Article (https://www.bleepingcomputer.com/news/microsoft/microsoft-365-outage-takes-down-teams-exchange-online-outlook/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Axcient
“Where Service and Technical Skills Count”

Vulnerabilities could transform antivirus, EDR systems to data wipers

 

By Bill Toulas December 9, 2022 12:00 PM
Link (https://www.bleepingcomputer.com/news/security/antivirus-and-edr-solutions-tricked-into-acting-as-data-wipers/)

Security systems by Palo Alto Networks, Bitdefender, are not vulnerable to the new attack. Not all product are the same

A security researcher has found a way to exploit the data deletion capabilities of widely used endpoint detection and response (EDR) and antivirus (AV) software from Microsoft, SentinelOne, TrendMicro, Avast, and AVG to turn them into data wipers.

Wipers are a special type of destructive malware that purposely erases or corrupts data on compromised systems and attempts to make it so that victims cannot recover the data.

SafeBreach researcher Or Yair came up with the idea to exploit existing security tools on a targeted system to make the attacks more stealthy and remove the need for a threat actor to be a privileged user to conduct destructive attacks.

Also, abusing EDRs and AVs for data wiping is a good way to bypass security defenses as the file deletion capabilities of security solutions are expected behavior and would likely be missed.
Triggering the (wrong) deletion

Antivirus and EDR security software constantly scan a computer’s filesystem for malicious files, and when malware is detected, attempt to quarantine or delete them.

Furthermore, with real-time protection enabled, as a file is created, it is automatically scanned to determine if it is malicious and, if so, deleted/quarantined.

“There are two main events when an EDR deletes a malicious file. First, the EDR identifies a file as malicious and then it deletes the file,” explained Yair in his report.

“If I could do something between these two events, using a junction, I might be able to point the EDR towards a different path. These are called time-of-check to time-of-use (TOCTOU) vulnerabilities.

Yair’s idea was to create a C:\temp\Windows\System32\drivers folder and store the Mimikatz program in the folder as ndis.sys.

As Mimikatz is detected by most EDR platforms, including Microsoft Defender, the plan was for it to be detected as malicious on creation. However, before the EDR could delete the file, the researcher would quickly delete the C:\Temp folder and create a Windows Junction from C:\Temp to C:\Windows.

The hope was that the EDR would attempt to delete the ndis.sys file, which due to the junction, is now pointing to the legitimate C:\Windows\system32\drivers\ndis.sys file.
This didn’t work because some EDRs prevented further access to a file, including deletion, after it was detected as malicious. In other cases, EDRs detected the deletion of the malicious file, so the software dismissed the pending wiping action.

The solution was to create the malicious file, hold its handle by keeping it open, and not define what other processes are allowed to write/delete it so that EDRs and AVs detecting it can’t wipe it.

After the detection was triggered and having no rights to delete the file, the security tools prompted the researcher to approve a system reboot that would release the handle, freeing the malicious file for deletion.
The file deletion command, in this case, is written under the PendingFileRenameOperations Registry registry value, which will cause it to be deleted during the reboot.

However, when deleting the files in this value, Windows deletes the files while “blindly” following junctions.

“But what’s surprising about this default Windows feature is that once it reboots, Windows starts deleting all the paths and blindly follows junctions,” warned Yair.

Hence, by implementing the following five-step process, Yair could delete files in a directory he didn’t have modification privileges.

Create a special path with the malicious file at C:\temp\Windows\System32\drivers\ndis.sys
Hold its handle and force the EDR or AV to postpone the deletion until after the next reboot
Delete the C:\temp directory
Create a junction C:\temp → C:\
Reboot when prompted.
Aikido features exploits for vulnerabilities found in Microsoft Defender, Defender for Endpoint, and SentinelOne EDR because they were the easiest to implement on the wiper tool.

Yair reported the flaws to all vulnerable vendors between July and August 2022, and they have all released fixes by now.

The vulnerability IDs assigned by the vendors for this issue are CVE-2022-37971 (Microsoft), CVE-2022-45797 (Trend Micro), and CVE-2022-4173 (Avast and AVG).

The fixed versions are:

Microsoft Malware Protection Engine: 1.1.19700.2 or later
TrendMicro Apex One: Hotfix 23573 & Patch_b11136 or later
Avast & AVG Antivirus: 22.10 or later

All users of the above products are recommended to apply the security updates as soon as possible to mitigate the severe risk of having their files wiped by malware mimicking the Aikido wiper functionality.

Security systems by CrowdStrike, Palo Alto Networks, McAfee, Bitdefender, and Cylance are not vulnerable to the new attack. Meanwhile, all impacted vendors already issued patches to address the vulnerability.

 

Roy Miehe | MspPortal Partners Inc. | Ceo/President

Security Software Distributor: Bitdefender , Barracuda, Axcient

“Where Service and Technical Skills Count”

Microsoft shares workaround for ongoing Outlook login issues

Microsoft shares workaround for ongoing Outlook login issues (What New)

By Sergiu Gatlan October 28, 2022 02:57 PM

Microsoft is working on a fix for ongoing sign-in issues affecting some Outlook for Microsoft 365 customers and preventing them from accessing their accounts.

The login problems impact users trying to sign in to Outlook using their Outlook.com accounts or those who have already added the accounts to their Outlook profiles.

Instead of logging in, the users will see the following error messages asking them to use a work or school account: “You can’t sign in here with a personal account. Use your work or school account instead.”

While Microsoft says that the Outlook Team is working on a solution for this known issue, an official workaround is available for those who want to access their accounts until a fix rolls out.

“To work around the issue, you can turn off Support Diagnostics, which turns off the option to submit an In App ticket using Help and then selecting Contact Support. The bug is related to how Outlook is authenticating for the diagnostics in some situations,” Microsoft said.
To disable support diagnostics in Outlook and prevent it from communicating client information on failure to support services, you have to enable the DisableSupportDiagnostics policy setting.

“This policy setting determines if Outlook can communicate client information on failure to support services with the intent of diagnosing the issue or making the information available to support to help with the diagnosis/resolution of the issue and/or provide contextual error messaging to the user,” according to the Group Policy Administrative Templates Catalog.

Last week, Redmond said it was working to resolve another bug that might prevent users from configuring Exchange Online mailboxes in Outlook for Windows.

In early October, the company began rolling out a fix for another issue known since August that’s causing Outlook for Microsoft 365 to freeze and crash after launch.

Microsoft has also recently addressed a bug that triggered Outlook email client crashes when reading emails containing tables like Uber receipt emails.

Article (https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-workaround-for-ongoing-outlook-login-issues/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient
“Where Service and Technical Skills Count”

Google fixes seventh Chrome zero-day exploited in attacks this year

By Bill Toulas October 28, 2022 07:34 AM

I have warned more folks get off this browser (Use Firefox with duckduckgo.com)

Google has released an emergency security update for the Chrome desktop web browser to address a single vulnerability known to be exploited in attacks.

The high-severity flaw (CVE-2022-3723) is a type confusion bug in the Chrome V8 Javascript engine discovered and reported to Google by analysts at Avast.

“Google is aware of reports that an exploit for CVE-2022-3723 exists in the wild,” highlights the notice.

The company doesn’t provide many details about the vulnerability for security reasons, allowing Chrome’s user base enough time to update the web browser to version 107.0.5304.87/88, which addresses the problem.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google says.

“We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”

In general, type confusion vulnerabilities occur when the program allocates a resource, object, or variable using a type and then accesses it using a different, incompatible type, resulting in out-of-bounds memory access.

By accessing memory regions that shouldn’t be reachable from the context of the application, an attacker could read sensitive information of other apps, cause crashes, or execute arbitrary code.

Google does not clarify the level of activity involving the exploit that exists in the wild, so whether attacks using CVE-2022-3723 are widespread or limited is not known at this time.

Chrome users can update their browser by opening Settings → About Chrome → Wait for the download to finish → Restart the program.

Article (https://www.bleepingcomputer.com/news/security/google-fixes-seventh-chrome-zero-day-exploited-in-attacks-this-year/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient
“Where Service and Technical Skills Count”

Apple Releases Security Updates for Multiple Products

10/26/2022 12:42 PM EDT

Original release date: October 26, 2022

Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected device.

CISA encourages users and administrators to review the Apple security updates page for the following products and apply the necessary updates as soon as possible:

• Safari 16.1
• iOS 16.1 and iPadOS 16
• macOS Big Sur 11.7.1
• macOS Monterey 12.6.1
• macOS Ventura 13
• tvOS 16.1
• watchOS 9.1

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient
“Where Service and Technical Skills Count”

Venus Ransomware targets publicly exposed Remote Desktop services Affect Microsoft Office products

By Lawrence Abrams October 16, 2022 11:12 AM
Threat actors behind the relatively new Venus Ransomware are hacking into publicly-exposed Remote Desktop services to encrypt Windows devices.

Venus Ransomware appears to have begun operating in the middle of August 2022 and has since encrypted victims worldwide. However, there was another ransomware using the same encrypted file extension since 2021, but it is unclear if they are related.

BleepingComputer first learned of the ransomware from MalwareHunterTeam, who was contacted by security analyst linuxct looking for information on it.

Linuxct told BleepingComputer that the threat actors gained access to a victim’s corporate network through the Windows Remote Desktop protocol.

Another victim in the BleepingComputer forums also reported RDP being used for initial access to their network, even when using a non-standard port number for the service.
How Venus encrypts Windows devices

When executed, the Venus ransomware will attempt to terminate thirty-nine processes associated with database servers and Microsoft Office applications.

taskkill, msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, mydesktopqos.exe, agntsvc.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, sqlservr.exe, thebat64.exe, thunderbird.exe, winword.exe, wordpad.exe

The ransomware will also delete event logs, Shadow Copy Volumes, and disable Data Execution Prevention using the following command:
wbadmin delete catalog -quiet && vssadmin.exe delete shadows /all /quiet && bcdedit.exe /set {current} nx AlwaysOff && wmic SHADOWCOPY DELETE

When encrypting files, the ransomware will append the .venus extension, as shown below. For example, a file called test.jpg would be encrypted and renamed test.jpg. Venus.

Article ( https://www.bleepingcomputer.com/news/security/venus-ransomware-targets-publicly-exposed-remote-desktop-services/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient
“Where Service and Technical Skills Count”