
Weekly Security Roundup: Artificial Intelligence Spam, SAP Vulnerabilities, and Ivanti Security Issues

AI Innovations Expand into Spamming Domain: LLM Technology Now Crafts Unique, Hard-to-Detect Spam Messages. The Predictable Evolution Cannot Be Stopped.

Artificial Intelligence is finding innovative applications, even in undesirable domains such as spamming. Indeed, it was only a matter of time before spammers leveraged LLM capabilities to create distinct messages that no filter has seen before.


In the realm of artificial intelligence, it's hard to escape the looming presence of spam, even in its most covert forms. Case in point: AkiraBot, a Python-based spamming tool that's getting quite the buzz these days.

AkiraBot is a cunning chap, equipped with Large Language Models (LLMs) and SmartProxy services. The former is used to trick systems into thinking a human is interacting, while the latter lets it dance around IP-based detection.

Harnessed together, these technologies let AkiraBot slip through CAPTCHAs and post shady SEO ads on websites across the web. It's a sneaky strategy built on AkiraBot's use of LLMs to generate text that passes for human interaction, and on SmartProxy to disguise its changing IP addresses, clearing a path for it to post a massive volume of ads without faltering.

Just a heads up: AkiraBot has been spotted attempting to target over 400,000 websites, with around 80,000 successfully hit. So if you've noticed suspicious submissions coming through a web form, this might be the culprit you're dealing with.

Moving on, it's time to delve into an intriguing bit of Internet skullduggery. You might remember March as the month that saw a sharp uptick in EC2 attacks. Symptomatic of this "attack" are requests ending in, a pattern aiming to exploit websites vulnerable to a Server Side Request Forgery (SSRF).

The IP address at play here is particularly interesting, given that it's none other than the address of Amazon EC2's Instance Metadata Service (IMDSv1). Here's the rub, dear reader: version 1 of this service requires no authentication, so a successful SSRF can leak sensitive info like AWS credentials. The fix is a no-brainer: switch the affected instance to IMDSv2, which adds the authentication you'd expect of such a service.
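Upgrading to IMDSv2 closes the hole on the instance side; the application side can also refuse to fetch user-supplied URLs that land on link-local, private or loopback space. The following is an added example (my own code, not from the original post): `FAKE_DNS`, `resolve`, `is_public_address` and `is_safe_fetch_target` are my names, and the DNS table is constructed so the check runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline. A real deployment
# resolves with socket.getaddrinfo(), checks *every* returned address, and then
# connects to the checked address instead of letting the HTTP client re-resolve.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],      # constructed: an ordinary public address
    "alias.example.com": ["169.254.169.254"],  # constructed: a name that resolves to IMDS
}

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}   # policy choice for this example


def resolve(host):
    """Return the addresses for a host; IP literals pass straight through."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in FAKE_DNS.get(host, [])]


def is_public_address(ip):
    """Accept only globally routable unicast; this rejects the 169.254.0.0/16
    link-local block that hosts IMDS, plus RFC 1918, loopback and friends."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped   # ::ffff:a.b.c.d is judged as the IPv4 address it wraps
    return not (ip.is_private or ip.is_link_local or ip.is_loopback
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_safe_fetch_target(url):
    """True only if the URL is http(s) on a standard port, carries no embedded
    credentials, and every address its host resolves to is public."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port   # .port raises on a junk port
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        return False
    if parts.username or parts.password:
        return False
    if port is not None and port not in ALLOWED_PORTS:
        return False
    addrs = resolve(host)
    return bool(addrs) and all(is_public_address(ip) for ip in addrs)
```

Note that a check like this only helps if the fetch then goes to the address that was checked; re-resolving the name at connect time reopens the gap.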

Next up is an Anvil Secure report by Tao Sauvage, detailing the discovery of vulnerable setuid binaries found in SAP Linux images. Setuid is an outdated tactic used to grant unprivileged users temporary elevated privileges, like that of , which needs raw socket access for special ICMP packets.

In the case of SAP's Linux images, several custom setuid binaries caught Tao's eye. One such binary, notably permits specifying the output file for a debug trace. This presents an easy Denial of Service (DoS) risk, as oddball locations can alter the system's state in undesirable ways. But can it grant root access? Funny you should ask. For that, Tao harnessed another time-honored technique: symbolic links.

By linking the file to a local malicious file, Tao managed to trick the binary into clobbering its own configuration file. Voila – root access to an SAP system.
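The two fixes for this class of bug are to never open a user-chosen path with elevated privileges and to let the kernel refuse symlinks and existing files outright. The following is an added example of both (my own code, not from the Anvil report or SAP's binaries): `open_trace_file` and `demo` are my names, and the symlink scenario in `demo` is constructed in a temporary directory.

```python
import errno
import os
import stat
import tempfile


def open_trace_file(path, mode=0o644):
    """Create a user-named output file from a privileged (setuid) process.

    Two independent defences: the open runs with the caller's real uid, so
    elevated privileges are never used to create the file, and O_EXCL plus
    O_NOFOLLOW make the kernel refuse an existing path or a symlink instead
    of writing through it. Raises OSError rather than clobbering anything.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    saved_euid = os.geteuid()
    os.seteuid(os.getuid())        # no-op when the process is not setuid
    try:
        fd = os.open(path, flags, mode)
    finally:
        os.seteuid(saved_euid)     # restore privileges for the rest of the run
    if not stat.S_ISREG(os.fstat(fd).st_mode):   # belt and braces
        os.close(fd)
        raise OSError(errno.EINVAL, "trace path is not a regular file", path)
    return fd


def demo():
    """Constructed scenario: the user-supplied trace path is a symlink to a
    config file that the privileged program must never overwrite."""
    d = tempfile.mkdtemp()
    config = os.path.join(d, "app.conf")
    with open(config, "w") as f:
        f.write("original settings\n")
    link = os.path.join(d, "trace.log")
    os.symlink(config, link)       # the symlink an unprivileged user planted
    results = {}
    try:
        open_trace_file(link)
        results["symlink_blocked"] = False
    except OSError as e:           # EEXIST from O_EXCL or ELOOP from O_NOFOLLOW
        results["symlink_blocked"] = e.errno in (errno.EEXIST, errno.ELOOP)
    with open(config) as f:
        results["config_intact"] = f.read() == "original settings\n"
    fresh = os.path.join(d, "trace-fresh.log")   # the honest case still works
    fd = open_trace_file(fresh)
    os.write(fd, b"debug trace\n")
    os.close(fd)
    results["fresh_file_written"] = os.path.getsize(fresh) > 0
    return results
```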

Google jumped into the cybersecurity spotlight by bringing easy end-to-end encryption to business Gmail accounts. Except it's not really end-to-end encryption in the traditional sense. Instead, Google uses a key access control list (KACL), where both sender and receiver request a symmetric key from the server to encrypt and decrypt the message respectively.

So, is this end-to-end encryption? Technically yes, because the server relaying the message never holds the key needed to decrypt it. But also no, because the server handing out that key obviously does. It's a compromise, but a necessary one, given the headaches of maintaining asymmetric encryption schemes.

Speaking of compromises, February saw active exploitation of Ivanti Connect Secure appliances via an n-day exploit. Ivanti patched this buffer overflow in February, but it has since come out that a Chinese group named Silk Typhoon worked out Remote Code Execution from the vulnerability and used it to deploy malware on these systems.

Lastly, a quick rundown of other noteworthy cybersecurity tidbits:

  • WordPress Sites Under Fire: Approximately 100,000 WordPress sites are grappling with an authentication bypass in the Ottokit plugin.
  • Legacy Gigacenter Devices Exposed: These devices expose a TR-069 service on port 6998. Command injection through that service paves the way for Remote Code Execution.
  • Langflow AI Workflow Tool Exploit: An API endpoint lets attackers bypass authentication, laying the groundwork for arbitrary Python execution. Update to version 1.3.0 to stay safe.

AkiraBot's sneaky strategy extends beyond AI-generated spam text: SmartProxy serves not only to disguise the bot's IP address but also to let it post ads across a wide range of platforms.

Moreover, Google's business Gmail encryption relies on the key access control list (KACL), which, while end-to-end in some sense, raises questions about how well it preserves privacy and security compared with traditional end-to-end schemes.
