<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=1354242&amp;fmt=gif">

01.17.23

Corvus Threat Intel

AI Helps Cybercriminals, Control Web Panel Vulnerability, Exploits of Unpatched Microsoft Exchange

AI helps cybercriminals, critical vulnerability in control web panel, and unpatched Microsoft Exchange still exploited.


AI Lowers the Bar for Cybercriminals 

Modern machine learning models are making cybercrime easier. A recent report by WithSecure demonstrates how simple it can be to generate complex and convincing phishing emails using a popular new language model called GPT-3. Gone are the days of the Nigerian Prince emails that became easier to spot and avoid over time. OpenAI’s ChatGPT takes detailed input from a user and produces complex output. For example, a convincing email thread between your CEO and another company that culminates in a request for you to quickly transfer money. ChatGPT has even been shown to be adept at writing complicated code, including malware based on user prompts. In a separate report by CheckPoint Research, the authors detail that popular underground cybercrime forums are already abuzz with talk of the endless possibilities of GPT for crafting malicious code. In one example, a user showed how ChatGPT had written functioning Python code for a “stealer” program that would search for certain file types on a victim’s machine and upload copies to a server.

Why This Matters 

As with any technological innovation, machine learning models can be used for good as well as evil. However, although there will undoubtedly be abuses of the technology, the core principles of good cyber practices won’t change. Convincing phishing emails may be easier for attackers to create, but modern MFA can still protect against unauthorized access. While you can’t stop how criminals will use ChatGPT, your organization can still ensure good cyber hygiene.

Additional Information: 


Critical Vulnerability in Control Web Panel Being Exploited

A critical security flaw has been discovered in CentOS Control Web Panel 7 (CWP), a common interface for web hosting. The security flaw (CVE-2022-44877) allows a remote, unauthenticated attacker to perform arbitrary code execution. Successful exploits allow attackers to gain full control over unpatched systems and Corvus has observed similar vulnerabilities lead to ransomware events. Cybercriminals are already taking advantage of this flaw and exploiting unpatched victims. Since exploit code is already available, all an attacker needs to do is scan for CWP instances in order to find targets. Corvus notified all impacted  policyholders and provided remediation guidance to mitigate the risk.

Why This Matters

This vulnerability has a wide impact and is trivial to exploit, with proof-of-concept already available. All a threat actor needs to do is scan for targets. This makes the situation urgent for affected organizations. Ensure a regular patching cadence to avoid being an easy target.

Additional Information:

PLAY and Cuba Ransomware Gangs Exploiting Unpatched Microsoft Exchange Servers

At least two ransomware gangs are exploiting recent vulnerabilities in unpatched Microsoft Exchange servers. Relative newcomer to ransomware, PLAY, and veteran group, Cuba, are both reportedly gaining access to victims using recent vulnerabilities discovered in 2022. Cuba was previously known to heavily target Microsoft Exchange servers vulnerable to ProxyShell, a string of vulnerabilities from 2021. Now the group is deploying exploits against companies who haven’t patched Exchange Servers for ProxyNotShell, a vulnerability more recently discovered in the past several months. Fortunately there is a security update available which will prevent ransomware groups like PLAY and Cuba from gaining access.

Why This Matters

This may be the start of a renewed wave of ransomware attacks, though it may not rise to levels seen with previous Microsoft Exchange vulnerabilities. Flaws such as ProxyShell and ProxyLogon were the precursor to a large number of ransomware attacks throughout most of 2021. If your organization is running Microsoft Exchange, it’s critical that the latest security updates are installed.

Additional Information:


This blog post and its contents are intended for general guidance and informational purposes only. This blog post is under no circumstances intended to be used or considered as specific insurance or information security advice.