Overview:
- Phish Tale of the Week
- Lowering the Bar: AI’s Role in Helping Novice Hackers Create Sophisticated Malware
- CrowdStrike Apologizes for Global System Crash, Unveils New Update Controls
- How can Netizen help?
Phish Tale of the Week
Often times phishing campaigns, created by malicious actors, target users by utilizing social engineering. For example, in this email, the actors are appearing as Microsoft. The message tells us that we need to sign in to complete our multi-factor authentication because it will expire today. It seems both urgent and genuine, so why shouldn’t we visit the link they sent us? Luckily, there’s plenty of reasons that point to this being a scam.
Here’s how we can tell not to click on this link:
- The first warning sign for this email is the sender’s email address. While the messaging tells you they are Microsoft, the sender tells a different story: “nhts20to@nhtschool.co.uk” is very clearly not a Microsoft alert bot like they want you to believe. Companies that send out alerts through email like this always have a dedicated email address from the trusted domain, in our case it would be microsoft.com, that the alerts send from.
- The second warning signs in this email is the messaging. This message tries to create a sense of fear and urgency in order to get you to take action by using language such as “To continue accessing.” Phishing and smishing scams commonly attempt to create a sense of urgency/confusion in their messages in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the style and tone of all emails/texts before following a link or other attachment sent through email or SMS.
- The final warning sign for this email is the wording. This particular phishing email seems dead-set on convincing us that the link they want us to click on is “very secure,” naming the link button “Secure Link,” and urging us to “scan the Secure QR code,” even the sender is called SecurityMessage Center. All of these factors point towards the above being a phishing email, and a very simple and unsophisticated one at that.
General Recommendations:
A phishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via your text messages.
- Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match the one I already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
- Verify that the sender is actually from the company sending the message.
- Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email.
- Do not give out personal or company information over the internet.
- Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
Many phishing messages pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.
Cybersecurity Brief
In this month’s Cybersecurity Brief:
Lowering the Bar: AI’s Role in Helping Novice Hackers Create Sophisticated Malware
The widespread adoption of artificial intelligence (AI) by software developers has led to significant improvements in productivity, particularly in areas such as code generation. Unfortunately, hackers and malware creators have also begun to exploit this same technology—resulting in a surge of AI-generated malicious code. Recent reports indicate that several real-world malware attacks have involved the use of AI, raising alarm among cybersecurity experts.
One notable example of this trend was reported by HP, who recently intercepted an email campaign involving malware delivered by a dropper believed to have been created with AI assistance. This marks a significant milestone—indicating that AI-generated malware is not only a possibility but is already evolving in real-world attacks. Although current AI involvement seems to be concentrated on creating droppers, experts predict that AI will soon be responsible for generating entirely new malware strains.
In June 2024, HP discovered a phishing email that used a common “invoice” lure and contained an encrypted HTML attachment. This method—known as HTML smuggling—is designed to evade detection. Although HTML smuggling is not new, the level of encryption used in this case caught the attention of HP’s research team. Typically, attackers send a pre-encrypted file, but in this instance, the AES decryption key was embedded directly within the attachment’s JavaScript. This unusual feature prompted further investigation by the team, led by Patrick Schlapfer.
Once the attachment was decrypted, it imitated a legitimate website but secretly deployed a VBScript dropper that installed the infostealer known as AsyncRAT. The dropper performed several actions, such as modifying Registry variables, placing a JavaScript file into the user’s directory, scheduling it as a task, and launching a PowerShell script that ultimately delivered the AsyncRAT payload. While the overall attack pattern was familiar, the structure and comments found in the VBScript set this attack apart.
What made this dropper unique was its organized layout, complete with comments explaining the purpose of each command. Schlapfer noted that malware typically avoids such transparency—scripts are usually obfuscated, with no helpful instructions. Furthermore, the script was written in French, which suggested that AI might have been used to generate it. To test their hypothesis, HP’s team generated a similar script using an AI language model, and the results closely matched the malicious script, supporting the theory of AI involvement.
Despite this breakthrough, some aspects of the attack remained puzzling. The script was not obfuscated, and the comments were left in place. One theory is that the attacker was a novice who relied on AI-generated code without fully understanding it—or realizing how to conceal their tracks.
Alex Holland, a principal threat researcher at HP, pointed out that this incident illustrates how AI is lowering the entry barrier for new cybercriminals. The attack required minimal resources—AsyncRAT is free, HTML smuggling requires limited expertise, and the infrastructure consisted of a single command-and-control (C&C) server. The malware itself was unsophisticated, with no obfuscation, leading to the conclusion that a newcomer was behind it.
This raises a troubling question: if inexperienced hackers are already using AI to generate malware, how are more seasoned cybercriminals employing this technology? Skilled adversaries could be deploying AI-generated malware that leaves no telltale signs of AI involvement, making these attacks far more difficult to trace. Such scenarios may already be occurring, but without obvious indicators like comments or a lack of obfuscation, these attacks could go unnoticed.
While AI-generated malware is still in its early stages, the implications are concerning. The attack discussed here was relatively basic, but it highlights the potential for AI to significantly improve the efficiency of malware creation. In the hands of a skilled hacker, AI could streamline the development of more sophisticated attacks—possibly leading to a surge in low-effort but highly effective malware campaigns.
As AI continues to advance, cybercriminals are likely to refine their techniques, creating new challenges for cybersecurity professionals. For individuals and organizations, vigilance will be key. It’s important to keep antivirus tools up to date, avoid downloads from unknown sources, and maintain strong security practices to mitigate the growing threat posed by AI-generated malware.
To read more about this article, click here.
CrowdStrike Apologizes for Global System Crash, Unveils New Update Controls
CrowdStrike has introduced a series of changes aimed at preventing another widespread failure like the one caused by its July 2024 software update. The update led to a global IT disruption, impacting millions of Microsoft Windows devices. Adam Meyers, senior vice president at CrowdStrike, appeared before the U.S. House of Representatives’ Cybersecurity subcommittee to outline the company’s efforts to ensure such an event doesn’t happen again.
Meyers apologized for the disruption, which occurred after a configuration update to CrowdStrike’s Falcon Sensor software led to system crashes, particularly in Windows environments. The outage affected several industries, including airlines, healthcare, and financial services. Delta Air Lines, which was especially hard hit, had to cancel 7,000 flights and reported losses of $500 million as a result. Meyers clarified that the incident was not the result of any external cyberattack or artificial intelligence malfunction, but rather an internal issue within the company’s software configuration.
The root of the problem lay in a new threat detection configuration that didn’t work well with the Falcon sensor’s rules engine. This mismatch caused the sensors to malfunction, leading to global system crashes. To prevent this from happening again, CrowdStrike has revised its update process. The company will now deploy updates gradually in a controlled environment, allowing them to detect and address issues before they affect a wider group of users.
A key part of this strategy involves releasing updates in stages, referred to as “rings of deployment.” This phased approach ensures that any potential issues can be identified and corrected early on. Additionally, the company has implemented stricter validation checks to make sure that the configurations sent to sensors align with predefined rules and expectations, minimizing the chance of future conflicts.
CrowdStrike has also strengthened its testing protocols. Software engineers are now required to conduct broader and more thorough tests, checking every aspect of the configuration process to catch potential problems before updates are distributed. Customers will also have more flexibility in managing how and when updates are applied to their systems, reducing the risk of unexpected disruptions.
Another measure introduced is a series of real-time checks within the system. These checks ensure that the data being processed meets the system’s requirements, helping to prevent errors from escalating into larger problems.
The July outage has also spurred changes at Microsoft, prompting the company to reconsider how security software interacts with the Windows kernel. As a result, Microsoft is planning to include new capabilities in future versions of Windows, particularly in Windows 11, that will allow security software vendors to operate outside of kernel mode. This shift aims to improve stability and reduce the likelihood of critical failures caused by third-party software.
While detailed information on these new capabilities is not yet available, the collaboration between Microsoft and companies like CrowdStrike points to an increased focus on system reliability and security in future Windows updates.
CrowdStrike’s revamped approach is aimed at regaining customer trust and preventing future disruptions of this scale. With tighter controls and more thorough testing procedures in place, along with ongoing collaboration with Microsoft, the cybersecurity industry could see a significant reduction in system failures tied to software updates.
To read more about this article, click here.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
