AI-Powered ‘BlackMamba’ Keylogging Attack Evades Modern EDR Security Must Read

Researchers warn that polymorphic malware created with ChatGPT and other LLMs will force a reinvention of security automation.

Elizabeth Montalbano
Contributor, Dark Reading

A proof-of-concept, artificial intelligence (AI)-driven cyberattack that changes its code on the fly can slip past the latest automated security-detection technology, demonstrating the potential for creating undetectable malware.

Researchers from HYAS Labs demonstrated the proof-of-concept attack, which they call BlackMamba, which exploits a large language model (LLM) — the technology on which ChatGPT is based — to synthesize a polymorphic keylogger functionality on the fly. The attack is “truly polymorphic” in that every time BlackMamba executes, it resynthesizes its keylogging capability, the researchers wrote.

The BlackMamba attack, outlined in a blog post, demonstrates how AI can allow the malware to dynamically modify benign code at runtime without any command-and-control (C2) infrastructure, allowing it to slip past current automated security systems that are attuned to look out for this type of behavior to detect attacks.

“Traditional security solutions like endpoint detection and response (EDR) leverage multi-layer, data intelligence systems to combat some of today’s most sophisticated threats, and most automated controls claim to prevent novel or irregular behavior patterns,” the HYAS Labs researchers wrote. “But in practice, this is very rarely the case.”

They tested the attack against an EDR system that was not identified specifically, but characterized as “industry leading,” often resulting in zero alerts or detections.

Using its built-in keylogging ability, BlackMamba can collect sensitive information from a device, including usernames, passwords, and credit card numbers, the researchers said. Once this data is captured, the malware uses a common and trusted collaboration platform — Microsoft Teams — to send the collected data to a malicious Teams channel. From there, attackers can exploit the data in various nefarious ways, selling it on the Dark Web or using it for further attacks, the HYAS Labs researchers said.

“MS Teams is a legitimate communication and collaboration tool that is widely used by organizations, so malware authors can leverage it to bypass traditional security defenses, such as firewalls and intrusion detection systems,” they wrote. “Also, since the data is sent over encrypted channels, it can be difficult to detect that the channel is being used for exfiltration.”

Moreover, because BlackMamba’s delivery system is based on an open source Python package, it allows developers to convert Python scripts into standalone executable files that can be run on various platforms, including Windows, macOS, and Linux, they wrote.
What This Means for Modern Security

AI-powered attacks like this will become more common now as threat actors create polymorphic malware that leverages ChatGPT and other sophisticated, data-intelligence systems based on LLM, according to the HYAS Labs researchers. This, in turn, will force automated security technology to evolve as well to manage and combat these threats.

“The threats posed by this new breed of malware are very real,” the researchers wrote in the post. “By eliminating C2 communication and generating new, unique code at runtime, malware like BlackMamba is virtually undetectable by today’s predictive security solutions.”

Typically, organizations that deploy EDR and other automated security controls as part of a modern security stack believe they’re doing everything in their power to detect and prevent malicious activity. However, BlackMamba’s use of AI now demonstrates that “they are not foolproof,” the HYAS Labs researchers noted.

“The BlackMamba proof-of-concept shows that LLMs can be exploited to synthesize polymorphic keylogger functionality on-the-fly, making it difficult for EDR to intervene,” they wrote.

The security landscape will have to evolve alongside attackers’ use of AI to keep up with the more sophisticated attacks that are on the horizon, according to the researchers. Until then, it’s imperative that organizations “remain vigilant, keep their security measures up to date,” they advised, “and adapt to new threats that emerge by operationalizing cutting-edge research being conducted in this space.”

Article (https://www.darkreading.com/endpoint/ai-blackmamba-keylogging-edr-security?_mc=NL_DR_EDT_DR_weekly_20230309&cid=NL_DR_EDT_DR_weekly_20230309&sp_aid=115492&elq_cid=34964379&sp_eh=949bacdba1e2c4851acc11df0ff47140b1c6468716621bc723fe5fe498198bd9&sp_eh=949bacdba1e2c4851acc11df0ff47140b1c6468716621bc723fe5fe498198bd9&sp_cid=47879)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Axcient
“Where Service and Technical Skills Count”

Microsoft Outlook flooded with spam due to broken email filters

By Sergiu Gatlan February 20, 2023 11:58 AM

Do you want to save up to 10 minutes a day? Wholesale pricing is way to inexpensive not to use (Barracuda Mail Filtering) call to set up a account for you clients we already maintain 1000’s of mailboxes with 3rd level support. Your clients do not need to click on bad links

According to reports from an increasing number of Microsoft customers, Outlook inboxes have been flooded with spam emails over the last nine hours because email spam filters are currently broken.

This ongoing issue was confirmed by countless Outlook users who have reported (on social media platforms and the Microsoft Community’s website) that all messages were landing in their inboxes, even those that would have been previously tagged as spam and sent to the junk folder.

“I’ve received 36 spam emails in my inbox the past 2 hours straight. It’s been happening for way too long and it just continues to get worse on an hourly basis,” one user said.

“Seems to have begun happening between 10pm and midnight Eastern time (I have a successful junk mail at 10:04pm, and the first inbox junk mail at 12:17am),” another added.

Some say that even checking the “Only trust email from addresses in my Safe Senders and domains list and Safe mailing lists” in Junk Mail > Filters doesn’t fix this issue, pointing to the webmail service’s filtering being completely broken.

Despite the stream of customer complaints, the Office service status page shows that “everything is up and running.”

Microsoft is yet to share a public statement confirming Outlook users’ reports that spam filters are broken.

While today the spam filtering issue in Outlook seems to be particularly bad and affecting a massive number of customers, this has been going on for months, with some reporting seeing many spam emails landing in their inbox since at least November 2021.

Microsoft didn’t reply to a request for comment when BleepingComputer reached out earlier today.

Article (https://www.bleepingcomputer.com/news/microsoft/microsoft-outlook-flooded-with-spam-due-to-broken-email-filters/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Axcient
“Where Service and Technical Skills Count”

Bitdefender – MDR w/ XDR, unique in the cybersecurity industry

Are you talking about MDR yet? Managed Detection and Response (MDR) is one of the fastest-growing areas of cybersecurity, delivering superior security outcomes to businesses spanning all sizes and industries. Threat intelligence is real people, not automated. Our pricing on this solution is better than the competition, and we offer full partner margins. Need competitive battlecards? Let me know, and I will get that for you.

Need more info…

What the MDR Landscape Will Look Like in 2023

The managed services industry has made a huge impact and is one of the most significant trends coming out of cybersecurity in the last few years. Gartner® predicts that “by 2025, 50% of organizations will be using MDR services for threat monitoring, detection and response functions that offer threat containment and mitigation capabilities”, while the MDR industry will hit revenues of $1.9B. You can check out our MDR Threat Assessment to be prepared for what lies ahead in 2023

Bitdefender Named Notable Vendor in the New Forrester Landscape for MDR

The new and exciting Forrester Landscape for MDR, Q1 2023 has just been launched!

Access the full report to discover Bitdefender’s positioning and to read Forrester’s analysis of MDR’s market dynamics and evolution, the business values and core capabilities of MDR, as well as Notable MDR Providers by geography, industry and offering type.

MDR & XDR: A Consolidated Approach to a Fully Managed Threat Detection and Response Program Webinar Watch On Demand Now

XDR – or Extended Detection & Response – entered the cybersecurity lexicon roughly five years ago. According to Gartner, by the end of 2027, XDR will be used by up to 40% of end-user organizations – up from 5% today. Why such strong adoption? Though still an emerging technology, XDR integrates, correlates and contextualizes data and alerts from multiple security prevention, detection and response components, and because it’s cloud-delivered, XDR can provide organizations faster and more accurate detections.

While today’s technology does a great job of protecting against many threats, they cannot fully protect against advanced attackers purposefully attempting to breach your customers systems.

Let me know what additional information or resources you may need to support your customer conversations. I’m just a phone call or email away.

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Axcient
“Where Service and Technical Skills Count”

Microsoft: Some WSUS servers might not offer Windows 11 22H2 updates

By Sergiu Gatlan February 14, 2023 03:45 PM

MspPortal Partner leads the Market with Msp’s, Resellers using Security Software Solutions like Bitdefender ( the leader anti-malware protection) and Barracuda Phishing and Spam Filtering On Premise mail servers and O365 and G-suite. We do 3rd level support for all the products we sell we do not outsource tech services out of the country. Protect Your Network and workstations with 2 inexpensive best of breed security solutions

Microsoft says that some WSUS servers upgraded to Windows Server 2022 might fail to push Windows 11, version 22H2 updates released during this month’s Patch Tuesday to endpoints across enterprise environments. Does this surprise you?

This known issue only affects WSUS servers upgraded from Windows Server 2016 or Windows Server 2019.

Microsoft Configuration Manager (part of the Microsoft Endpoint Manager) is not affected by this issue.

“The updates will download to the WSUS server but might not propagate further to client devices. Affected WSUS servers are only those running Windows Server 2022 which have been upgraded from Windows Server 2016 or Windows Server 2019,” Microsoft said.

As Redmond further explains, these problems result from .msu and .wim MIME types being accidentally removed during the upgrade process to Windows Server 2022.

“This issue is caused by the accidental removal of required Unified Update Platform (UUP) MIME types during the upgrade to Windows Server 2022 from a previous version of Windows Server,” the company added.

“This issue might affect security updates or feature updates for Windows 11, version 22H2.”

Microsoft is working on a fix for this known issue and will provide more information with a future update.

Article (https://www.bleepingcomputer.com/news/microsoft/microsoft-some-wsus-servers-might-not-offer-windows-11-22h2-updates/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Axcient
“Where Service and Technical Skills Count”

Microsoft Outlook outage prevents users from sending, receiving emails 2-7-2023

By Sergiu Gatlan February 7, 2023 02:50 AM

I have no clue why folks still use O365 There are better product for less money and no annual payment only monthly
Microsoft is investigating and working on addressing an ongoing outage affecting the company’s Outlook webmail service.

Users report issues while sending, receiving, or searching email through Outlook.com.

Some also report not being able to connect to Outlook.com, seeing 500 Errors when trying to log in, or having their entire accounts wiped and not seeing any emails after connecting.

According to information shared via the company’s Microsoft 365 Status Twitter account, Redmond is performing targeted restarts to portions of the infrastructure impacted by a recent change.

The outage started at around 6 AM UTC on Tuesday and is affecting customers in North America and has spread out to other regions worldwide due to the affected infrastructure.

“Users in additional regions beyond North America may experience some residual impact due to the affected portions of infrastructure in North America,” Microsoft says on its Office service health status page.

“We’ve begun observing gradual improvement from this issue for users located in some of the additional affected regions.

“We’re continuing to perform targeted restart operations on the primarily affected infrastructure in North America in order to restore the availability of the service.”

We’ve confirmed that a recent change is contributing to the cause of impact. We’re working on potential solutions to restore availability of the service. Refer to EX512238 or https://t.co/nEuSQarMf3 for more detailed information.
— Microsoft 365 Status (@MSFT365Status) February 7, 2023

Microsoft also said in an update to its service health site that the current Outlook outage also affects additional functionality, such as the calendar consumed by other services like the Microsoft Teams communication platform.
Today’s outage follows a major five-hour-long incident that impacted Azure and Microsoft 365 worldwide last week and took down multiple services, including Microsoft Teams, Exchange Online, and Outlook.
Redmond revealed in a post-incident report that it was caused by a router IP address change that had led to packet forwarding issues between all routers in its Wide Area Network (WAN).
Update February 07, 10:41 EST: Microsoft says 99.9% of affected services have been restored and is now monitoring for full recovery.
Availability is at 99.9%, with full restoration almost complete. We’re continuing to monitor the environment to ensure full recovery. For more updates, please refer to tEX512238 and TM512245 in the admin center.
— Microsoft 365 Status (@MSFT365Status) February 7, 2023

Update February 07, 11:58 EST: More than 12 hours after the outage started, Microsoft says that the underlying issue behind the outage has been resolved, and all services are now working.

We’ve confirmed that the issue is resolved after an extended period of monitoring. Further details can be found under EX512238 and TM512245 in the admin center.
— Microsoft 365 Status (@MSFT365Status) February 7, 2023

Article (https://www.bleepingcomputer.com/news/microsoft/microsoft-outlook-outage-prevents-users-from-sending-receiving-emails/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Axcient
“Where Service and Technical Skills Count”

Microsoft 365 outage takes down Teams, Exchange Online, Outlook

By Sergiu Gatlan January 25, 2023 04:11 AM

MspPortal Partners Comment: I hate to say this but all companies are a gluten for punishment, Microsoft needs to stay in the Software development space not the hosting environment. There support is one of the worst in the industry, they need to refund dollars for downtime.
There is much better products in the market place.

Microsoft is investigating an ongoing outage impacting multiple Microsoft 365 services after customers have reported experiencing connection issues.

“We’re investigating issues impacting multiple Microsoft 365 services. We’ve identified a potential networking issue and are reviewing telemetry to determine the next troubleshooting steps,” the Microsoft 365 team said in a Twitter thread.

“We’ve isolated the problem to networking configuration issues, and we’re analyzing the best mitigation strategy to address these without causing additional impact.

According to Redmond, users across all regions currently being serviced by the impacted infrastructure may be unable to access the affected Microsoft 365 services.

The list of services impacted by this outage includes Microsoft Teams, Exchange Online, Outlook, SharePoint Online, OneDrive for Business, PowerBi, Microsoft 365 Admin Center, Microsoft Graph, Microsoft Intune, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity, as revealed in a service health notification.

We’re investigating issues impacting multiple Microsoft 365 services. More info can be found in the admin center under MO502273.
— Microsoft 365 Status (@MSFT365Status) January 25, 2023

The Azure team shared additional information related to this incident on the Microsoft Azure service status page.

“Starting at 07:05 UTC on 25 January 2023, customers may experience issues with networking connectivity, manifesting as network latency and/or timeouts when attempting to connect to Azure resources in Public Azure regions, as well as other Microsoft services including M365, PowerBI,” the update reads.

“We’ve determined the network connectivity issue is occurring with devices across the Microsoft Wide Area Network (WAN). This impacts connectivity between clients on the internet to Azure, as well as connectivity between services in datacenters, as well as ExpressRoute connections.

“The issue is causing impact in waves, peaking approximately every 30 minutes. We are actively investigating and will share updates as soon as more is known.”

At the moment, some customers also have issues loading the Microsoft Azure status page, which intermittently displays “504 Gateway Time-out” errors.
Azure status page error

Article (https://www.bleepingcomputer.com/news/microsoft/microsoft-365-outage-takes-down-teams-exchange-online-outlook/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Axcient
“Where Service and Technical Skills Count”

Hackers now use Microsoft OneNote attachments to spread malware

By Lawrence AbramsJanuary 21, 2023

Threat actors now use OneNote attachments in phishing emails that infect victims with remote access malware which can be used to install further malware, steal passwords, or even cryptocurrency wallets.

This comes after attackers have been distributing malware in emails using malicious Word and Excel attachments that launch macros to download and install malware for years.

However, in July, Microsoft finally disabled macros by default in Office documents, making this method unreliable for distributing malware.

Soon after, threat actors began utilizing new file formats, such as ISO images and password-protected ZIP files. These file formats soon became extremely common, aided by a Windows bug allowing ISOs to bypass security warnings and the popular 7-Zip archive utility not propagating mark-of-the-web flags to files extracted from ZIP archives.

However, both 7-Zip and Windows recently fixed these bugs causing Windows to display scary security warnings when a user attempts to open files in downloaded ISO and ZIP files.

Article (https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Axcient
“Where Service and Technical Skills Count”

 

Apple Releases Security Updates for Multiple Products

01/24/2023 12:28 PM EST

Original release date: January 24, 2023

Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected device.

CISA encourages users and administrators to review the Apple security updates page for the following products and apply the necessary updates as soon as possible:

Safari 16.3
iOS 12.5.7
macOS Monterey 12.6.3
macOS Big Sur 11.7.3
watchOS 9.3
iOS 15.7.3 and iPadOS 15.7.3
iOS 16.3 and iPadOS 16.3
macOS Ventura 13.2

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Axcient
“Where Service and Technical Skills Count”

LastPass Cops to Massive Breach Including Customer Vault Data

Dec 23 Dark Reading Staff Dark Reading
I hope you are not using Last Pass
Article (https://www.darkreading.com/attacks-breaches/lastpass-massive-breach-including-customer-vault-data)

The follow-on attack from August’s source-code breach could fuel future campaigns against LastPass customers.
Dark Reading Staff Dark Reading

LastPass is a password manager distributed in subscription form as also as a freemium with limited functionality. The standard version of LastPass comes with a web interface, but also includes plugins for various web browsers and apps for many smartphones.

LastPass has issued a statement acknowledging that a recent cyberattack has resulted in the theft of customer data, in addition to offering cybercrooks access to encrypted customer vaults.

The attack was a follow-on from a previous breach in August that resulted in the theft of the LastPass source code.

“To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service,” the company statement said.

LastPass added that a backup copy of encrypted customer vault data was also stolen, including website usernames, passwords, secure notes, and form-filled data.

The company warns customers to be on the lookout for phishing, credential stuffing, and brute-force attacks as a result of the compromise.

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Axcient
“Where Service and Technical Skills Count”

Microsoft pushes emergency fix for Windows Server Hyper-V VM issues

Does this really surprise you??
Article (https://www.bleepingcomputer.com/news/microsoft/microsoft-pushes-emergency-fix-for-windows-server-hyper-v-vm-issues/)
By Sergiu Gatlan December 20, 2022 06:05 PM

Microsoft has released emergency out-of-band (OOB) Windows Server updates to address a known issue breaking virtual machine (VM) creation on Hyper-V hosts after installing this month’s Patch Tuesday updates.

The issue affects only VMs managed with the System Center Virtual Machine Manager (SCVMM) and using Software Defined Networking (SDN).

On affected systems, Windows admins see warnings during live migration, SLB Load Balancer or SDN RAS Gateway fails, and experience failures when creating new VMs and attaching Virtual Network Interface Cards (VNICs).

Only Windows Server 2019 and Windows Server 2022 should be impacted after installing December 2022 Patch Tuesday updates (KB5021237 and KB5021249).

To resolve this issue, admins must install the OOB cumulative updates released today for their systems on all affected Hyper-V hosts in their environment.

“You do not need to install any update or make any changes to other servers or client devices in your environment to resolve this issue,” Microsoft said on Tuesday.
YOU DO ALL THE WORK AND THEY MAKE THE MONEY..You should send Microsoft a bill for your time..clients will not be happy if you bill them

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Axcient
“Where Service and Technical Skills Count”