Ippolito Forni
August 9, 2023

Norwegian Cyberattack, Virustotal Data Leak and AI powered BEC


tap 14 - 2023

Norwegian Government Responds to Significant Cyberattack on 12 Departments     

On July 24, 2023, the Department of Security and Service Organization (DSS) reported a cyberattack on the Information and Communications Technology (ICT) platform of 12 Norwegian departments. An unknown actor exploited a previously unknown vulnerability in the software of one of their suppliers. The vulnerability has now been closed, but it is too early to determine who is behind the attack and its extent. As a result of the security measures, employees in the 12 departments no longer have access to DSS's joint services on mobile, including email, but they can still work as usual on their computers at the office or at home. [1]

The DSS, in collaboration with the National Security Authority and the police, has implemented several measures to manage the attack. The situation is being closely monitored and the government's work continues as usual. The Minister of Municipalities and Districts will inform the Norwegian Parliament's extended foreign and defense committee about the case. Additional security measures may be necessary and will be evaluated continuously.

Citrix Urges Immediate Action on Critical Vulnerabilities in NetScaler Products    

Citrix's July 18th security bulletin addresses multiple vulnerabilities discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). [2] The vulnerabilities are critical and affect the following supported versions: 

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-55.297
  • NetScaler ADC 12.1-NDcPP before 12.1-55.297 

The vulnerabilities include:
  • CVE-2023-3466: Reflected Cross-Site Scripting (XSS) affecting Citrix ADC and Citrix Gateway.
  • CVE-2023-3467: Privilege Escalation to root administrator (nsroot) affecting Citrix ADC and Citrix Gateway.
  • CVE-2023-3519: Unauthenticated remote code execution affecting Citrix ADC and Citrix Gateway. 

Citrix has observed exploits of CVE-2023-3519 on unmitigated appliances and strongly urges affected customers to install the relevant updated versions as soon as possible. The bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.  

Google's Virustotal: Data Leak Reveals User Information     

In late June, a file that was never meant to be public surfaced on the internet, setting off alarms among the cybersecurity community. [3] The file contained a list of 5,600 names, including employees of the U.S. National Security Agency (NSA) and German intelligence agencies. These individuals had all registered with Virustotal, presumably to use its services for their professional tasks. The fact that such a file exists and was leaked is a stark reminder of the potential risks associated with the use of online platforms, even those designed to enhance security.

Virustotal, despite being relatively unknown to most regular online users, holds a high level of importance among hacking experts and cybersecurity professionals. Its ability to analyze files and URLs for viruses, worms, trojans, and other kinds of malicious content makes it an invaluable tool in the cybersecurity arsenal. However, the data leak incident underscores the platform's significance in a different light. It highlights the potential risks associated with its use, especially considering the sensitive nature of its user base.   

Adobe Addresses Critical Vulnerabilities in ColdFusion: Security Bulletin APSB23-47     

The Adobe Security Bulletin APSB23-47, published on July 19, 2023, addresses security updates for Adobe ColdFusion versions 2023, 2021, and 2018. These updates aim to resolve critical and moderate vulnerabilities that could lead to arbitrary code execution and security feature bypass. Adobe has noted that CVE-2023-38205 has been exploited in limited attacks targeting Adobe ColdFusion. 

The vulnerabilities include: 

  • Deserialization of Untrusted Data (CWE-502) leading to Arbitrary code execution (Critical Severity, CVSS base score 9.8, CVE-2023-38204)
  • Improper Access Control (CWE-284) leading to Security feature bypass (Critical Severity, CVSS base score 7.5, CVE-2023-38205)
  • Improper Access Control (CWE-284) leading to Security feature bypass (Moderate Severity, CVSS base score 5.3, CVE-2023-38206) 

The affected versions are: 

  • ColdFusion 2023: Update 2 and earlier versions
  • ColdFusion 2021: Update 8 and earlier versions
  • ColdFusion 2018: Update 18 and earlier versions 

Adobe also recommends updating your ColdFusion JDK/JRE LTS version to the latest update release and applying the security configuration settings as outlined on the ColdFusion Security page. Applying the ColdFusion update without a corresponding JDK update will not secure the server. [4]
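Both bulletins above express exposure as "branch X before build Y" (NetScaler) or "Update N and earlier" (ColdFusion), which is easy to misread when checking an inventory by hand. The following is an added example, not code from Citrix, Adobe or EclecticIQ: it transcribes the fixed builds listed in the two sections above into lookup tables and compares version strings against them. It assumes NetScaler versions are written in the bulletin's own `major.minor-build.sub` notation with the FIPS/NDcPP variant passed separately, and ColdFusion versions as `ColdFusion <year> Update <n>`; the inventory records at the bottom are constructed sample data.

```python
"""Check NetScaler and ColdFusion version strings against the fixed builds
named in Citrix bulletin CTX561482 and Adobe bulletin APSB23-47.

Added example; the tables below are transcribed from the bulletin text,
the input format is an assumption, and all sample inventory is constructed.
"""
import re
from typing import Optional

# NetScaler: branch (plus optional variant) -> first fixed build, as a tuple.
NETSCALER_FIXED = {
    "13.1": (13, 1, 49, 13),
    "13.0": (13, 0, 91, 13),
    "13.1-FIPS": (13, 1, 37, 159),
    "12.1-FIPS": (12, 1, 55, 297),
    "12.1-NDcPP": (12, 1, 55, 297),
}

# ColdFusion: release year -> last affected update ("Update N and earlier").
COLDFUSION_LAST_AFFECTED = {2023: 2, 2021: 8, 2018: 18}

NS_VERSION_RE = re.compile(r"(\d+)\.(\d+)-(\d+)\.(\d+)")
CF_VERSION_RE = re.compile(r"ColdFusion\s+(\d{4})\s+Update\s+(\d+)", re.IGNORECASE)


def parse_netscaler_build(version: str) -> tuple:
    """'13.1-48.47' -> (13, 1, 48, 47); raises ValueError on other shapes."""
    m = NS_VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {version!r}")
    return tuple(int(x) for x in m.groups())


def netscaler_affected(version: str, variant: str = "") -> Optional[bool]:
    """True if the build predates the fixed build for its branch/variant,
    False if it is at or past the fix, None if the branch is not in the bulletin
    (e.g. an end-of-life release; those need a separate decision, not 'safe')."""
    build = parse_netscaler_build(version)
    branch = f"{build[0]}.{build[1]}"
    if variant:
        branch += f"-{variant}"
    fixed = NETSCALER_FIXED.get(branch)
    if fixed is None:
        return None
    # Builds only compare meaningfully within the same branch, which the
    # lookup above guarantees.
    return build < fixed


def coldfusion_affected(version: str) -> Optional[bool]:
    """'ColdFusion 2021 Update 8' -> True (Update 8 and earlier are affected).
    Returns None for release years the bulletin does not cover.
    Note: per Adobe, the ColdFusion update alone is not enough; the JDK/JRE
    must also be updated, which this version check cannot see."""
    m = CF_VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised ColdFusion version: {version!r}")
    year, update = int(m.group(1)), int(m.group(2))
    last_affected = COLDFUSION_LAST_AFFECTED.get(year)
    if last_affected is None:
        return None
    return update <= last_affected


def assess_inventory(records):
    """records: iterable of dicts with keys host, product ('netscaler'|'coldfusion'),
    version and optional variant. Returns a list of (host, verdict) where verdict
    is 'affected', 'fixed' or 'not-in-bulletin'."""
    labels = {True: "affected", False: "fixed", None: "not-in-bulletin"}
    out = []
    for r in records:
        if r["product"] == "netscaler":
            verdict = netscaler_affected(r["version"], r.get("variant", ""))
        else:
            verdict = coldfusion_affected(r["version"])
        out.append((r["host"], labels[verdict]))
    return out


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "gw-edge-01", "product": "netscaler", "version": "13.1-48.47"},
    {"host": "gw-edge-02", "product": "netscaler", "version": "13.1-49.13"},
    {"host": "gw-fips-01", "product": "netscaler", "version": "13.1-37.150", "variant": "FIPS"},
    {"host": "gw-legacy", "product": "netscaler", "version": "12.0-63.21"},
    {"host": "cf-app-01", "product": "coldfusion", "version": "ColdFusion 2021 Update 8"},
    {"host": "cf-app-02", "product": "coldfusion", "version": "ColdFusion 2023 Update 3"},
]

if __name__ == "__main__":
    for host, verdict in assess_inventory(SAMPLE_INVENTORY):
        print(f"{host:12} {verdict}")
```

The `None` result is deliberate: a branch the bulletin does not mention (such as an end-of-life 12.0 build) is not "fixed", and the script refuses to label it as such. Likewise, a ColdFusion host reported as `fixed` here still needs the JDK/JRE update Adobe calls out before it can be considered remediated.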

Understanding the Threat of AI-Driven Business Email Compromise Attacks: The Case of WormGPT      

The progression of AI technologies, such as OpenAI’s ChatGPT, has introduced a new vector for BEC attacks. Cybercriminals can use such technology to automate the creation of highly convincing fake emails, personalized to the recipient, thus increasing the chances of success for the attack.   

A July report from SlashNext discusses the emerging use of generative AI, specifically OpenAI’s ChatGPT and a cybercrime tool called WormGPT, in Business Email Compromise (BEC) attacks. [5]

WormGPT is an AI module based on the GPT-J language model, developed in 2021. It presents itself as a blackhat alternative to GPT models, designed specifically for malicious activities. WormGPT was allegedly trained on a diverse array of data sources, particularly concentrating on malware-related data. The tool has features like unlimited character support, chat memory retention, and code formatting capabilities.

The benefits of using generative AI for BEC attacks include exceptional grammar (poor grammar being a common, detrimental mistake among BEC cybercriminals) and a lowered entry threshold, making it an accessible tool for a broader spectrum of cybercriminals.

To safeguard against AI-driven BEC attacks, the report [5] suggests strategies like BEC-specific training and enhanced email verification measures. Companies should develop extensive, regularly updated training programs aimed at countering BEC attacks, especially those enhanced by AI. Organizations should also enforce stringent email verification processes. 

In conclusion, the growth of AI, while beneficial, brings progressive new attack vectors. Implementing strong preventative measures is crucial.    

Structured Data

Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack: TAXII v1 Discovery services.

Please refer to our support page for guidance on how to access the feeds.

About EclecticIQ Intelligence and Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence and Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research toward your priority area.

Appendix

[1] “Departementer utsatt for dataangrep,” DSS - Sammen for fellesskapet, Jul. 24, 2023. https://www.dss.dep.no/aktuelle-saker/departementer-utsatt-for-dataangrep/ (accessed Jul. 28, 2023). 

[2] “Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467.” https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467 (accessed Jul. 24, 2023). 

[3] M. H. M. R. H. Tanriverdi, “Datenleck bei kritischer Google-Plattform, die bei Hackern beliebt ist,” DER STANDARD, Jul. 17, 2023. https://www.derstandard.de/story/3000000178997/datenleck-bei-kritischer-google-plattform-die-bei-hackern-beliebt-ist (accessed Jul. 24, 2023). 

[4] “Adobe Security Bulletin.” https://helpx.adobe.com/content/help/en/security/products/coldfusion/apsb23-47.html (accessed Jul. 24, 2023). 

[5] “WormGPT - The Generative AI Tool Cybercriminals Are Using to Launch BEC Attacks,” SlashNext, Jul. 13, 2023. https://slashnext.com/blog/wormgpt-the-generative-ai-tool-cybercriminals-are-using-to-launch-business-email-compromise-attacks/ (accessed Jul. 24, 2023).
