Nov 2023 Cybercrime Update | LLMs, Ransomware and Destructive Wipers Proliferate in Recent Attacks

The November 2023 cybercrime update highlights the rise of AI-powered crime tools, ongoing ransomware campaigns, and wiper campaigns tied to the Israel-Hamas conflict. It covers the FraudGPT and WolfGPT offerings, notable attacks on ICBC and the Toronto Public Library, and the emergence of destructive wipers known as "Bibi".

Keypoints

  • AI-powered crime tools (FraudGPT, WolfGPT) are expanding in capability and price, lowering entry barriers for criminals.
  • FraudGPT integrates with an expanding CVE database to tailor attacks against known software vulnerabilities.
  • Ransomware activity remains high, impacting financial, education, and public-sector targets (e.g., ICBC by LockBit; Toronto Public Library by Black Basta; JAE by ALPHV).
  • Ransomed.VC appears to be winding down amid arrest rumors, while still soliciting interest in a private project via Telegram.
  • Destructive wipers, dubbed “Bibi,” are targeting Israel with Linux and Windows variants, designed to overwrite data and hinder recovery.
  • Threat landscape trends emphasize AI-enabled crime and the need for proactive, AI-powered defense solutions.

MITRE Techniques

  • [T1566] Phishing – FraudGPT is marketed for writing scam emails. – “Generate scam emails, identify malicious code, and uncover leaks and vulnerabilities in seconds”
  • [T1595] Active Scanning – FraudGPT’s CVE database integration to check target vulnerability and tailor operations. – “integrates with an expanding CVE database. This allows attackers to check whether targets are vulnerable to any known software bugs, allowing them to tailor their operation via simple text-based prompts.”
  • [T1588] Acquire Capabilities – WolfGPT and similar tools enable generation of malware and ransomware. – “Generation of malware and ransomware”
  • [T1485] Data Destruction – The Israel-Hamas wipers overwrite victim data on both Linux and Windows. – “The malware … overwrite the victims’ data, with no possibility of recovery.”
  • [T1490] Inhibit System Recovery – Wiper variants delete system VSS backups to hinder recovery. – “hinder attempts at recovery through deletion of the system VSS backups.”
  • [T1486] Data Encrypted for Impact – Ransomware-style extortion observed in the LockBit attack on ICBC. – “extorted by LockBit”
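The T1490 entry above names deletion of VSS backups as the wiper's anti-recovery step. As an added example, not code from the SentinelOne post, the Python below scans process-creation command lines (the kind found in Sysmon Event ID 1 or Windows 4688 records) for the shadow-copy and boot-recovery tampering commands that commonly implement T1490. It assumes the wiper's VSS deletion surfaces as one of those commands, which the page does not specify, and the log lines are constructed.

```python
import re

# Command-line patterns commonly associated with shadow-copy deletion and
# recovery tampering (MITRE T1490). Assumption: the wiper's VSS deletion
# shows up as one of these; the page does not say which command it uses.
T1490_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I),   # PowerShell/WMI form
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*bootstatuspolicy\s+ignoreallfailures", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]


def find_t1490(lines):
    """Return (line_number, command) for each log line matching a T1490 pattern.

    Matching is case-insensitive and tolerates the .exe suffix, since wipers
    and ransomware invoke these tools through cmd.exe with varying spelling.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        if any(p.search(line) for p in T1490_PATTERNS):
            hits.append((n, line.strip()))
    return hits


# Constructed sample process-creation log lines (not real telemetry).
SAMPLE_LOG = [
    "2023-11-08T10:01:12Z host=WS01 user=alice cmd=C:\\Windows\\System32\\notepad.exe notes.txt",
    "2023-11-08T10:02:45Z host=WS01 user=SYSTEM cmd=cmd.exe /c vssadmin delete shadows /quiet /all",
    "2023-11-08T10:02:46Z host=WS01 user=SYSTEM cmd=wmic shadowcopy delete",
    "2023-11-08T10:02:47Z host=WS01 user=SYSTEM cmd=bcdedit /set {default} recoveryenabled No",
    "2023-11-08T10:05:00Z host=WS01 user=alice cmd=powershell.exe Get-Process",
]

if __name__ == "__main__":
    for n, cmd in find_t1490(SAMPLE_LOG):
        print(f"line {n}: {cmd}")
```

A burst of several of these commands within seconds from SYSTEM, as in the sample, is a stronger signal than any single line; legitimate backup software does call vssadmin, so the rule is best tuned on the parent process and the account rather than shipped as a hard block.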

Indicators of Compromise

  • [Hash] SHA-1 – 24f6785ca2e82d1d1d61f4cb01d5e753f80445cf (VirusTotal) – Bibi wiper artifact, referenced both in the post's visuals and in its Bibi wiper discussion
  • [Hash] SHA-1 – 27e28737415e9d6a45b5afb03c7b33038df8f800, 44f2e8860e2935e900446dc5dea31508c71701ff, and 48bc39011e06931b319d873a4d2a0cff5b119cdf – Suspected wiper hashes cited in the Israeli CERT context
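To turn the hashes above into a check, here is an added Python example (not from the source post) that streams SHA-1 over a directory tree and reports any file matching the listed IOCs. The files it creates are constructed; since a SHA-1 preimage cannot be produced on demand, the demo also sweeps against the hash of a planted file so that the match path is exercised.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-1 values listed above (the page's own IOCs); compared case-insensitively.
WIPER_SHA1 = {
    "24f6785ca2e82d1d1d61f4cb01d5e753f80445cf",
    "27e28737415e9d6a45b5afb03c7b33038df8f800",
    "44f2e8860e2935e900446dc5dea31508c71701ff",
    "48bc39011e06931b319d873a4d2a0cff5b119cdf",
}


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file in 1 MiB chunks so large binaries need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, iocs=WIPER_SHA1):
    """Walk `root` and return {path: sha1} for every regular file whose SHA-1 is in `iocs`."""
    wanted = {h.lower() for h in iocs}
    matches = {}
    for dirpath, _dirnames, filenames in os.walk(root):  # symlinked dirs are not followed
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # skip symlinks, devices, sockets
            try:
                digest = sha1_of_file(p)
            except OSError:
                continue  # unreadable file: keep sweeping rather than abort
            if digest in wanted:
                matches[str(p)] = digest
    return matches


def demo():
    """Build a throwaway tree of constructed files and run two sweeps.

    The first sweep uses the page's IOC list (expected: no hits, the files are
    benign). The second uses the hash of a planted file, passed in upper case to
    show the case-insensitive match, and is expected to report that one file.
    """
    with tempfile.TemporaryDirectory() as root:
        benign = Path(root) / "readme.txt"
        benign.write_bytes(b"constructed benign file\n")
        planted = Path(root) / "sub" / "update.bin"
        planted.parent.mkdir()
        planted.write_bytes(b"constructed sample standing in for a wiper binary\n")
        against_page_iocs = sweep(root)
        against_planted = sweep(root, {sha1_of_file(planted).upper()})
        return len(against_page_iocs), [Path(p).name for p in against_planted]


if __name__ == "__main__":
    print(demo())
```

A SHA-1 IOC matches only byte-identical files: a recompiled, repacked or trivially patched variant will not hit, so a clean sweep does not clear a host, while a hit is a confirmed artifact worth pulling for analysis.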

Read more: https://www.sentinelone.com/blog/nov-2023-cybercrime-update-llms-ransomware-and-destructive-wipers-proliferate-in-recent-attacks/