Google: Over 57 Nation-State Threat Groups Using AI for Cyber Operations - Related to weary, google:, over, operations, usa

Fake Reservation Links Prey on Weary Travelers

Fake travel reservations are exacting more pain from the travel weary, already dealing with the misery of canceled flights and overbooked hotels.

A longtime threat group identified as TA558 has ramped up efforts to target the travel and hospitality industries. After a lull in activity, believed tied to COVID-related travel restrictions, the threat group has ramped up campaigns to exploit an uptick in travel and related airline and hotel bookings.

What makes this most recent campaign unique, , is the use of RAR and ISO file attachments linked to messages. ISO and RAR are single compressed files, that if executed, decompress the file and folder data inside of them.

“TA558 began using URLs more frequently in 2022. TA558 conducted 27 campaigns with URLs in 2022, compared to just five campaigns total from 2018 through 2021. Typically, URLs led to container files such as ISOs or zip [RAR] files containing executables,” Proofpoint wrote.

To become infected, the targeted victim would have to be tricked into decompressing the file archive. “The reservation link… led to an ISO file and an embedded batch file. The execution of the BAT file led to a PowerShell helper script that downloaded a follow-on payload, AsyncRAT,” researchers wrote.

Upgrade Your Itinerary To Malware Infection Status.

Past TA558 campaigns, tracked by Palo Alto Networks (in 2018), Cisco Talos (in 2020 and 2021) and Uptycs (in 2020), have leveraged malicious Microsoft Word document attachments (CVE-2017-11882) or remote template URLs to download and install malware, .

The shift to ISO and RAR files “is likely due to Microsoft’s announcements in late 2021 and early 2022 about disabling macros [VBA and XL4] by default in Office products,” researchers mentioned.

“In 2022, campaign tempo increased significantly. Campaigns delivered a mixture of malware such as, Loda, Revenge RAT, and AsyncRAT. This actor used a variety of delivery mechanisms including URLs, RAR attachments, ISO attachments, and Office documents,” researchers wrote.

Malware payloads of recent campaigns typically include remote access trojans (RATs), that can enable reconnaissance, data theft and distribution of follow-on payloads, Proofpoint mentioned.

Through all their evolutions, though, the goal of the group has always remained the same. The analysts concluded “with medium to high confidence” that TA558 is financially motivated, using stolen data to scale up and steal money. “Its possible compromises could impact both organizations in the travel industry as well as potentially clients who have used them for vacations,” Sherrod DeGrippo, vice president of threat research and detection organizations at Proofpoint, wrote in a statement. “Organizations in these and related industries should be aware of this actor’s activities and take precautions to protect themselves.”.

Since at least 2018, TA558 has primarily targeted organizations in the fields of travel, hospitality, and related industries. Those organizations tend to be located in Latin America, and sometimes in North America or Western Europe.

In their early exploits, the group would leverage vulnerabilities in Microsoft Word’s Equation Editor – for example, CVE-2017-11882, a remote code execution bug. The goal was to download a RAT – most commonly Loda or Revenge RAT – to the target machine.

In 2019 the group expanded its arsenal, with malicious macro-laced Powerpoint attachments and template injections against Office documents. They also expanded to new demographics, utilizing English-language phishing lures for the first time.

Early 2020 was TA558’s most prolific period, as they churned out 25 malicious campaigns in January alone. They predominantly used macro-laden Office documents, or targeted known Office vulnerabilities during this period.

“Organizations, especially those operating in targeted sectors in Latin America, North America, and Western Europe should be aware of this actor’s tactics, techniques, and procedures,” researchers advise.

Netgear has fixed two critical vulnerabilities affecting multiple WiFi router models and urged custo...

Cybersecurity researchers have called attention to a software supply chain attack targeting the Go e...

This week, our news radar demonstrates that every new tech idea comes with its own challenges. A hot AI too...

Google: Over 57 Nation-State Threat Groups Using AI for Cyber Operations

Over 57 distinct threat actors with ties to China, Iran, North Korea, and Russia have been observed using artificial intelligence (AI) technology powered by Google to further enable their malicious cyber and information operations.

"Threat actors are experimenting with Gemini to enable their operations, finding productivity gains but not yet developing novel capabilities," Google Threat Intelligence Group (GTIG) mentioned in a new research. "At present, they primarily use AI for research, troubleshooting code, and creating and localizing content."

Government-backed attackers, otherwise known as Advanced Persistent Threat (APT) groups, have sought to use its tools to bolster multiple phases of the attack cycle, including coding and scripting tasks, payload development, gathering information about potential targets, researching publicly known vulnerabilities, and enabling post-compromise activities, such as defense evasion.

Describing Iranian APT actors as the "heaviest people of Gemini," GTIG stated the hacking crew known as APT42, which accounted for more than 30% of Gemini use by hackers from the country, leveraged its tools for crafting phishing campaigns, conducting reconnaissance on defense experts and organizations, and generating content with cybersecurity themes.

APT42, which overlaps with clusters tracked as Charming Kitten and Mint Sandstorm, has a history of orchestrating enhanced social engineering schemes to infiltrate target networks and cloud environments. Last May, Mandiant revealed the threat actor's targeting of Western and Middle Eastern NGOs, media organizations, academia, legal services and activists by posing as journalists and event organizers.

The adversarial collective has also been found to research military and weapons systems, study strategic trends in China's defense industry, and gain a more effective understanding of [website] aerospace systems.

Chinese APT groups were found searching Gemini for ways to conduct reconnaissance, troubleshoot code, and methods to burrow deep into victim networks through techniques like lateral movement, privilege escalation, data exfiltration, and detection evasion.

While Russian APT actors limited their use of Gemini to convert publicly available malware into another coding language and adding encryption layers to existing code, North Korean actors employed Google's AI service to research infrastructure and hosting providers.

"Of note, North Korean actors also used Gemini to draft cover letters and research jobs—activities that would likely support North Korea's efforts to place clandestine IT workers at Western companies," GTIG noted.

"One North Korea-backed group utilized Gemini to draft cover letters and proposals for job descriptions, researched average salaries for specific jobs, and asked about jobs on LinkedIn. The group also used Gemini for information about overseas employee exchanges. Many of the topics would be common for anyone researching and applying for jobs."

The tech giant further noted that it has seen underground forum posts advertising nefarious versions of large language models (LLMs) that are capable of generating responses sans any safety or ethical constraints.

Examples of such tools include WormGPT, WolfGPT, EscapeGPT, FraudGPT, and GhostGPT, which are explicitly designed to craft personalized phishing emails, generate templates for business email compromise (BEC) attacks, and design fraudulent websites.

Attempts to misuse Gemini have also revolved around research into topical events, and content creation, translation, and localization as part of influence operations mounted by Iran, China, and Russia. In all, APT groups from more than 20 countries used Gemini.

Google, which stated it's "actively deploying defenses" to counter prompt injection attacks, has further emphasized the need for heightened public-private collaboration to raise cyber defenses and disrupt threats, stating "American industry and government need to work together to support our national and economic security."

KuCoin's operator, PEKEN Global Limited, pleaded guilty to operating an unlicensed money-transmitting business and agreed to pay $297 million in penal......

Multiple state-sponsored groups are experimenting with the AI-powered Gemini assistant from Google to increase productivity and to conduct research on......

The FBI and authorities in The Netherlands this week seized dozens of servers and domains for a hugely popular spam and malware dissemination service ......

Mizuno USA says hackers stayed in its network for two months

​Mizuno USA, a subsidiary of Mizuno Corporation, one of the world's largest sporting goods manufacturers, confirmed in data breach notification letters that unknown attackers stole files from its network between August and October 2024.

Headquartered in Peachtree Corners, Georgia, Mizuno USA manufactures and distributes golf, running, baseball, volleyball, softball, swimming, and tennis equipment, apparel, and footwear for North America.

In a Thursday filing with Maine's attorney general, the business noted it detected suspicious activity on its network on November 6, 2024. The investigation found that unknown attackers breached some of its systems and exfiltrated documents containing personal information belonging to an undisclosed number of individuals.

"The investigation determined that certain systems within the network were accessed by an unknown individual and files were copied without authorization periodically between August 21, 2024 and October 29, 2024," Mizuno says in data breach notification letters sent to impacted people.

"Mizuno then undertook a detailed review of the relevant files to determine what information was present and to whom it relates. This review was completed on December 18, 2024, and Mizuno worked as quickly as possible thereafter to provide this notice to potentially impacted individuals."

The information contained in the stolen files varies by impacted individual, and it may include the name, Social Security number, financial account information, driver's license information, and passport number.

The business now offers one year of free credit monitoring and identity protection services to those impacted by the data breach and advises them to monitor their accounts and credit reports for signs of identity theft and fraud.

Breach claimed by BianLian ransomware operation.

While Mizuno has not provided more information on the breach and hasn't replied to several emails sent by BleepingComputer asking for additional details, the BianLian ransomware gang claimed the attack in early November.

In early February 2022, Mizuno USA was also hit by a ransomware attack that caused widespread business disruption, including phone outages, order delays, and website issues.

Mizuno entry on BianLian's leak site (HackManac)​​​.

​The ransomware group noted it had stolen a wide range of sensitive business and customer data, including finance and Human Resources data, contracts and confidential agreements, trade secrets and patents, mailboxes, and internal and external email correspondence.

Since then, the attackers have updated Mizuno's entry on their dark web leak site to add the screenshot of a spreadsheet allegedly containing the enterprise's expenses following the 2022 ransomware attack and screenshots of other documents purportedly stolen from the enterprise's systems last year.

BianLian has targeted private companies and critical infrastructure organizations worldwide since June 2022. Starting January 2023, when Avast released a free decryptor for its ransomware, the gang switched to extortion-only attacks.

Most not long ago, BianLian has added Air Canada, Northern Minerals, and the Boston Children's Health Physicians to its list of victims.

Google showcased it blocked over [website] million policy-violating Android apps from being ......

Broadcom has released security updates to patch five security flaws impacting VMware Aria Operations and Aria Operations for Logs, warning clients t......

Community Health Center (CHC), a leading Connecticut healthcare provider, is notifying over 1 million patients of a data breach that impacted their pe......