Elephant0991

joined 2 years ago
[–] Elephant0991@lemmy.bleh.au 2 points 2 years ago

That's a wonderful story. Thank you for sharing.

[–] Elephant0991@lemmy.bleh.au 40 points 2 years ago (1 children)

You definitely don't want this stuff to escape into the atmosphere.

[–] Elephant0991@lemmy.bleh.au 2 points 2 years ago

Matching atmosphere. Like the floating door; you can be pushed right from inside the house onto the lawn.

[–] Elephant0991@lemmy.bleh.au 3 points 2 years ago

Practically true.

[–] Elephant0991@lemmy.bleh.au 3 points 2 years ago

That's like, real estate inspection.

[–] Elephant0991@lemmy.bleh.au 6 points 2 years ago

When I forgot part of my old password, I came up with a list of words that I possibly could have come up with and tried those. I eventually found it even if I was panicky the whole time. If I were you, I would list the words and try them in the order of probabilities.

Un/Fortunately, BW is implemented to rate-limit password brute-forcing. I feel you about your CAPTCHA hell, and I hate their surreal sunflower CAPTCHA (maybe to make it as repulsive as possible to the hackers?).

[–] Elephant0991@lemmy.bleh.au 1 points 2 years ago

Didn't his admin approve the Operation Warp Speed thingy?

[–] Elephant0991@lemmy.bleh.au 2 points 2 years ago

That's probably not just for debris protection; there's also bat shit!

[–] Elephant0991@lemmy.bleh.au 5 points 2 years ago

The show must go on.

[–] Elephant0991@lemmy.bleh.au 13 points 2 years ago* (last edited 2 years ago)

True.

  • Automatic patch => automatic installation of malware

  • Manual patch => unpatched vulnerabilities

Screwed either way.

 

Summary:

  • Generative AI is being used by cybercriminals to create more convincing and personalized phishing emails for Business Email Compromise (BEC) attacks.
  • This technology allows attackers to automate the creation of highly convincing fake emails, personalized to the recipient, thus increasing the chances of success for the attack.
  • One such tool is WormGPT, which is a blackhat alternative to GPT models, designed specifically for malicious activities.
  • WormGPT can create emails that are not only remarkably persuasive but also strategically cunning, showcasing its potential for sophisticated phishing and BEC attacks.

The use of generative AI for BEC attacks has two main advantages:

  1. Exceptional grammar: Generative AI can create emails with impeccable grammar, making them seem legitimate and reducing the likelihood of being flagged as suspicious.
  2. Lowered entry threshold: The use of generative AI democratises the execution of sophisticated BEC attacks. Even attackers with limited skills can use this technology, making it an accessible tool for a broader spectrum of cybercriminals.

To safeguard against AI-driven BEC attacks, organizations should implement the following measures:

  1. BEC-specific training: Companies should develop extensive, regularly updated training programs aimed at countering BEC attacks, especially those enhanced by AI.
  2. Enhanced email verification measures: Organizations should enforce stringent email verification processes.
 

Summary

  • A zero-day vulnerability (CVE-2023-36884) is being exploited in the wild to target those with an interest in Ukraine.
  • The vulnerability allows attackers to execute malicious code on a victim's computer by tricking them into opening a specially crafted Microsoft Office document.
  • The attacks are being carried out by a group known as Storm-0978, which is also known for distributing trojanized versions of popular software and launching ransomware attacks.
  • Microsoft recommends that organizations use Microsoft Defender for Office 365 or the Block all Office applications from creating child processes attack surface reduction rule to protect themselves from this vulnerability.
  • Organizations can also consider blocking outbound SMB traffic.

Other details

  • The phishing campaign that is being used to deliver the malicious Office documents is targeting defense and government entities in Europe and North America.
  • The bait used in the phishing emails is related to the Ukrainian World Congress, a non-profit organization of Ukrainian public organizations in diaspora.
  • Once a victim opens the malicious Office document, the attacker can execute arbitrary code on their computer.
  • The attacker can then use this code to steal data, install malware, or take control of the victim's computer.

Microsoft's CVE-2023-36884 specific recommendations

  • Customers who use Microsoft Defender for Office 365 are protected from attachments that attempt to exploit CVE-2023-36884.
  • In current attack chains, the use of the Block all Office applications from creating child processes attack surface reduction rule prevents the vulnerability from being exploited.
  • Organizations who cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications.

Other recommendation:

  • You could also consider blocking outbound SMB traffic.