
CISO Monthly Roundup, May 2023: Analyzing CryptNet ransomware, deconstructing the Pikabot trojan, and exploring AI's impact on cybersecurity.

Jun 08, 2023
CISO Monthly Roundup, May 2023

The CISO Monthly Roundup provides the latest threat research from Deepen Desai and the ThreatLabz team, along with insights on other cyber-related subjects. Over the past month, ThreatLabz analyzed CryptNet ransomware, examined the Pikabot trojan, explored AI/ML's role in cybersecurity, and described how ThreatLabz uses AI/ML to keep global organizations protected from advanced and evolving threats.

CryptNet ransomware analyzed

ThreatLabz has been monitoring CryptNet, a new ransomware group, since it began advertising in underground forums in April 2023. The group behind CryptNet offers ransomware-as-a-service (RaaS) and claims to perform double extortion attacks. As of this writing, the group's data leak site names two victims. In addition to advertising RaaS, the CryptNet group is actively recruiting affiliates to assist with breaching organizations.

Figure 1: The CryptNet ransom portal that offers a test decryption

The CryptNet ransomware code is written in .NET and obfuscated with .NET Reactor. File encryption uses 256-bit AES in CBC mode and 2048-bit RSA. During analysis, ThreatLabz found that CryptNet shares striking similarities with Chaos ransomware in its code, encryption methods, and capabilities. In fact, CryptNet closely resembles Yashma, the latest Chaos variant, but with improved file encryption.

Read our comparative breakdown of CryptNet and Yashma

Zscaler Zero Trust Exchange Coverage: Zscaler Posture Control, Advanced Cloud Sandbox, Advanced Threat Protection, SSL Inspection.

Deconstructing Pikabot 

ThreatLabz has been tracking Pikabot, a new malware trojan that first appeared in early 2023. The trojan has two components: a loader and a core module. The loader runs several anti-analysis tests and terminates the infection process if any of them fail. If the checks pass, the loader decrypts the core module and injects it on the target system.

Figure 2: The Zscaler cloud sandbox detects and stops Pikabot infections.

The core module has multiple malicious capabilities, including command execution, payload injection, anti-analysis checks (including a "sleep" function), a persistence mechanism, and extensive C&C support.

Pikabot demonstrates a wide array of anti-analysis techniques in addition to offering standard backdoor capabilities. It has been observed distributing Cobalt Strike, and it shows possible links to Qakbot, with commonalities in distribution, design, and campaign identifiers.

Read the full analysis of Pikabot

Zscaler Zero Trust Exchange Coverage: Advanced Cloud Sandbox, Advanced Threat Protection, Advanced Cloud Firewall, SSL Inspection.

AI/ML is second nature to Zscaler and ThreatLabz - Deepen Desai

Artificial intelligence and machine learning (AI/ML) is a hot topic right now, especially in the tech industry. I was recently interviewed at RSA on ThreatLabz research into advanced, AI-enabled phishing campaigns. By analyzing threat traffic in the Zscaler cloud, we observed a nearly 47% increase in phishing attempts targeting enterprise users since last year. These attacks are noteworthy because they offer attackers an initial foothold into an environment. Access established by a successful phishing attack can be exploited to deliver more severe cyber threats or sold to other threat groups.

With AI/ML and publicly available tools like ChatGPT, writing a convincing phishing email is simpler. Large language models like ChatGPT can also empower threat actors by helping them craft believable communications. While the benefits AI/ML offers low-skilled threat actors make up the majority of news coverage, the capabilities it gives experienced threat actors are more concerning.

Veteran threat actors are using AI-assisted vishing and smishing techniques to carry out business email compromise attacks. For example, threat groups may use AI/ML to falsify the voice of a company executive to leave an employee a partial voice message that suddenly cuts off. This “dropped call” is followed up by a text message from the attacker, where the “executive” explains that they are having connectivity problems. Once the victim is convinced that they are communicating with an executive, the attackers ask them to approve money transfers or perform other actions. 

While the vast potential of large language models like ChatGPT has captured people's imaginations, AI/ML is nothing new to our security team. Zscaler is a cloud-native platform, which gives it considerable computational resources for powering AI-driven security measures. We use the predictive capabilities of ML to examine anomalous activities, detect threats, and block attacks. We maximize platform performance by using AI for capacity planning, root cause analysis, and examining usage patterns.

Furthermore, Zscaler has innovative capabilities that allow enterprises to control the exposure of their data to LLMs such as ChatGPT, allowing organizations to securely embrace Generative AI. Responding to concerns voiced across the industry, Zscaler recently created intelligent access controls that block, caution, or isolate access to numerous generative AI/ML tools. For ChatGPT specifically, our controls allow users to create granular data protection policies, inspect SSL traffic, and prevent data leakage to AI chatbots. 

I mention this to reiterate that AI/ML is not a tool exclusively used by threat actors. Zscaler and the ThreatLabz team have been using AI/ML proactively, for defensive purposes, for years. We are also continuing to innovate and evolve our AI/ML capabilities. For example, we have developed a ThreatLabz hypergraph-based system that allows us to extract actionable indicators and detect zero day threats significantly earlier than traditional methods.

We are also refining our GPT-4 powered natural language interface to expedite and simplify threat investigation, pivoting, and analysis processes. It can use interactions with SOC analysts to assist in building and refining ML models that recommend prompts for future investigations. The combination of our hypergraph technology and the insights and the interactions facilitated by generative AI will take threat detection and response to a whole new level.

ThreatLabz AI/ML capabilities in action

Zscaler's security team leverages world-class automation powered by AI/ML to continuously track and detect evolving threats. Our security and AI/ML experts have worked closely over the past several years to create multidimensional features and ML models that detect a variety of threats, including:

  • Phishing 
  • Malware 
  • Anomalies
  • C&C beaconing activity

The wealth of signals the Zscaler platform generates, with insights from 7000+ global organizations, helps us continuously improve our ML models and overall detection efficacy. Let me share a recent example involving the post-exploitation tool Cobalt Strike, which is heavily abused by several threat actors (including nation states).

Cobalt Strike C&C blocked at a technology-industry organization

ThreatLabz's ML C&C model detected and blocked highly customized Cobalt Strike beaconing activity that used a malleable C2 profile. This activity had previously remained undetected for over a month, according to VirusTotal.

Figure 3: VirusTotal scanning result for a confirmed Cobalt Strike C&C domain
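The beaconing behavior that the model caught can also be illustrated with a much simpler timing heuristic. The script below is an added example, not ThreatLabz's model or any Zscaler code: it parses constructed web-proxy log lines and flags client/destination pairs whose request intervals are unusually regular, the timing signature that Cobalt Strike's sleep/jitter settings leave even when a malleable C2 profile disguises the HTTP content. The log format, hostnames, addresses, and thresholds are assumptions made for the example.

```python
"""Heuristic periodic-beacon detector over constructed web-proxy log lines.

Added example (not Zscaler's ML model). Uses the median inter-request gap as
the candidate beacon period and the median absolute deviation (MAD) of the
gaps as a robust jitter estimate; a low MAD/median ratio means "too regular
for a human".
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines (not real traffic): "<ISO timestamp> <client> <host> <method> <uri>".
# 10.1.1.5 -> cdn-updates.example: ~60 s beacon with a few seconds of jitter.
# 10.1.1.9 -> news.example: bursty human browsing.
# 10.1.1.7 -> login.example: too few requests to judge.
SAMPLE_LOG = """\
2023-05-10T09:00:00 10.1.1.5 cdn-updates.example GET /jquery-3.3.1.min.js
2023-05-10T09:00:00 10.1.1.9 news.example GET /
2023-05-10T09:00:04 10.1.1.9 news.example GET /world
2023-05-10T09:00:09 10.1.1.9 news.example GET /world/story-1
2023-05-10T09:01:02 10.1.1.5 cdn-updates.example GET /jquery-3.3.1.min.js
2023-05-10T09:01:58 10.1.1.5 cdn-updates.example GET /jquery-3.3.1.min.js
2023-05-10T09:02:20 10.1.1.9 news.example GET /sport
2023-05-10T09:02:21 10.1.1.9 news.example GET /sport/story-7
2023-05-10T09:03:01 10.1.1.5 cdn-updates.example GET /jquery-3.3.1.min.js
2023-05-10T09:04:00 10.1.1.5 cdn-updates.example GET /jquery-3.3.1.min.js
2023-05-10T09:04:57 10.1.1.5 cdn-updates.example GET /jquery-3.3.1.min.js
2023-05-10T09:05:30 10.1.1.7 login.example POST /auth
2023-05-10T09:06:02 10.1.1.5 cdn-updates.example GET /jquery-3.3.1.min.js
2023-05-10T09:06:58 10.1.1.5 cdn-updates.example GET /jquery-3.3.1.min.js
2023-05-10T09:10:00 10.1.1.9 news.example GET /
2023-05-10T09:10:05 10.1.1.9 news.example GET /tech
2023-05-10T09:12:00 10.1.1.7 login.example GET /home
2023-05-10T09:30:00 10.1.1.9 news.example GET /
"""


def parse_log(text):
    """Parse constructed log lines into (timestamp, client, host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _method, _uri = line.split(maxsplit=4)
        events.append((datetime.fromisoformat(ts), client, host))
    return events


def interval_stats(timestamps):
    """Return (median gap, MAD of gaps) in seconds for a list of timestamps."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    mad = median(abs(g - med) for g in gaps)
    return med, mad


def find_beacons(events, min_requests=6, max_jitter_ratio=0.2):
    """Flag (client, host) pairs with enough requests and a low jitter ratio.

    max_jitter_ratio is an assumed tolerance: Cobalt Strike's default jitter
    randomizes each sleep by a configurable percentage, so exact periodicity
    is not required.
    """
    by_pair = defaultdict(list)
    for ts, client, host in events:
        by_pair[(client, host)].append(ts)

    hits = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue  # not enough samples to estimate a period
        med, mad = interval_stats(stamps)
        if med <= 0:
            continue  # all requests in the same second: a burst, not a beacon
        ratio = mad / med
        if ratio <= max_jitter_ratio:
            hits.append({"client": client, "host": host, "requests": len(stamps),
                         "period_s": med, "jitter_ratio": round(ratio, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {hit['client']} -> {hit['host']} "
              f"every ~{hit['period_s']:.0f}s (jitter ratio {hit['jitter_ratio']})")
```

On the sample above, only the 10.1.1.5 to cdn-updates.example pair is flagged (median period 59 s, jitter ratio about 0.05); the browsing session has a jitter ratio near 0.8 and is ignored. A timing heuristic of this kind is a candidate generator, not a verdict: legitimate update checkers are periodic too, and long sleeps, high jitter settings, or C2 fronted by a shared CDN all weaken the signal, which is why a production model combines timing with content, reputation, and volume features.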

Upon further investigation, this indicator was found to be part of an infection chain consisting of malspam leading to a malicious PDF, a password-protected ZIP, a downloader script, Qakbot, and finally Cobalt Strike.

Figure 4: Kill chain
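One link of that chain, the password-protected ZIP, is chosen precisely because a mail gateway cannot content-scan an encrypted archive. The archive headers still reveal that encryption is in use, though, and member names and extensions remain readable without the password. The script below is an added example and not Zscaler's detection logic: it builds constructed archives in memory, simulates the encrypted-header state a real password-protected ZIP presents, and applies a simple triage policy. The extension list, the member names, and the verdict labels are assumptions made for the example.

```python
"""Triage a ZIP attachment without its password (added example, not Zscaler code).

ZIP marks encryption in bit 0 of the general-purpose flag of every local file
header (signature PK\x03\x04, flag at byte offset 6) and central directory
header (signature PK\x01\x02, flag at byte offset 8). Python's zipfile exposes
that bit as ZipInfo.flag_bits, and listing members does not need the password.
"""
import io
import pathlib
import zipfile

# Assumed list of member extensions that should never arrive in a mail archive.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk",
                     ".exe", ".dll", ".bat", ".cmd", ".ps1", ".iso", ".img"}

# Constructed stand-in for a downloader script; it does nothing malicious.
SCRIPT_STUB = b"// constructed stub for the example\nWScript.Echo('hello');\n"


def build_zip(members, encrypted=False):
    """Build a ZIP in memory; optionally set the 'encrypted' flag bits.

    Members are stored uncompressed so the payload bytes cannot contain a
    header signature by accident. The payload itself is left in the clear:
    only the header state of a password-protected archive is simulated.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + flag_offset] |= 0x01  # little-endian, bit 0 is in the first byte
                pos = data.find(sig, pos + len(sig))
    return bytes(data)


def inspect_attachment(data):
    """Return encryption state, member names, risky members and a triage verdict."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()  # central directory only; no password needed
    encrypted = any(info.flag_bits & 0x1 for info in infos)
    members = [info.filename for info in infos]
    risky = [name for name in members
             if pathlib.PurePosixPath(name).suffix.lower() in SCRIPT_EXTENSIONS]

    # Assumed policy: encrypted archives cannot be scanned, so they are held
    # (sandbox detonation or user confirmation) unless a member name alone
    # already gives away a script or executable, in which case they are blocked.
    if encrypted and risky:
        verdict = "block"
    elif encrypted:
        verdict = "hold"
    elif risky:
        verdict = "sandbox"
    else:
        verdict = "allow"
    return {"encrypted": encrypted, "members": members, "risky": risky, "verdict": verdict}


if __name__ == "__main__":
    lure = build_zip({"Invoice_4471.js": SCRIPT_STUB}, encrypted=True)
    print(inspect_attachment(lure))
```

The "hold" branch is the important one: an encrypted archive with an innocuous member name still defeats signature and sandbox scanning on the gateway, so the practical options are to quarantine it, detonate it after extracting the password from the mail body, or apply SSL inspection and sandboxing to whatever the downloader fetches next, which is where the chain above was eventually caught.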

This is one example of several ways Zscaler uses advanced technology to give our customers the strongest protection available. While the media focuses on ways AI/ML can benefit threat actors, you can rest assured that the ThreatLabz team is working twice as hard to put AI/ML to work defending you.

Zscaler Zero Trust Exchange Coverage: Advanced Cloud Sandbox, Advanced Threat Protection, Advanced Cloud Firewall, SSL Inspection.


About ThreatLabz

ThreatLabz is the embedded research team at Zscaler. This global team includes security experts, researchers, and network engineers responsible for analyzing and eliminating threats across the Zscaler security cloud and investigating the global threat landscape. The team shares its research and cloud data with the industry at large to help promote a safer internet.


The Zscaler Zero Trust Exchange

Zscaler manages the world's largest security cloud. Each day, Zscaler blocks over 150 million threats to its 7300+ customers, securing over 300 billion web transactions daily. The Zscaler ThreatLabz security research team uses state-of-the-art AI/ML technology to analyze Zscaler Zero Trust Exchange traffic and share its findings.
