Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Virtual Machines. Show all posts

The Future of AI: Labour Replacement or Collaboration?

 


In a recent interview with CNBC at the World Economic Forum in Davos, Mustafa Suleyman, co-founder and CEO of Inflection AI, expressed his views on artificial intelligence (AI). Suleyman, who left Google in 2022, highlighted that while AI is an incredible technology, it has the potential to replace jobs in the long term.

Suleyman stressed upon the need to carefully consider how we integrate AI tools, as he believes they are fundamentally labour-replacing over many decades. However, he acknowledged the immediate benefits of AI, explaining that it makes existing processes much more efficient, leading to cost savings for businesses. Additionally, he pointed out that AI enables new possibilities, describing these tools as creative, empathetic, and more human-like than traditional relational databases.

Inflection AI, Suleyman's current venture, has developed an AI chatbot providing advice and support to users. The chatbot showcases AI's ability to augment human capabilities and enhance productivity in various applications.

One key concern surrounding AI, as highlighted by Stanford University professor Erik Brynjolfsson at the World Economic Forum, is the fear of job obsolescence. Some worry that AI's capabilities in tasks like writing and coding might replace human jobs. Brynjolfsson suggested that companies using AI to outright replace workers may not be making the wisest choice. He proposed a more strategic approach, where AI complements human workers, recognizing that some tasks are better suited for humans, while others can be efficiently handled by machines.

Since the launch of OpenAI's ChatGPT in November 2022, the technology has generated considerable hype. The past year has seen an increased awareness of AI and its potential impact on various industries.

As businesses integrate AI into their operations, there is a growing need to educate the workforce and the public on the nuances of this technology. AI, in simple terms, refers to computer systems that can perform tasks that typically require human intelligence. These tasks range from problem-solving and decision-making to creative endeavours.

Mustafa Suleyman's perspective on AI highlights its dual role – as a cost-saving tool in the short term and a potential job-replacing force in the long term. Balancing these aspects requires careful consideration and strategic planning.

Erik Brynjolfsson's advice to companies emphasises the importance of collaboration between humans and AI. Instead of viewing AI as a threat, companies should explore ways to leverage AI to enhance human capabilities and overall productivity.

The future of AI lies in how we go about its integration into our lives and workplaces. The key is to strike a balance that maximises the benefits of efficiency and productivity while preserving the unique skills and contributions of human workers. As AI continues to evolve, staying informed and fostering collaboration will be crucial for a harmonious coexistence between humans and machines.



Hackers Utilise Azure Serial Console to Get Unauthorized Access to Virtual Machines

 

Mandiant has identified a financially driven cybergroup known as 'UNC3944' that is utilizing phishing and SIM swapping attacks to compromise Microsoft Azure admin credentials and get access to virtual machines. The attackers then use the Azure Serial Console to install remote management software and Azure Extensions for stealthy surveillance. 

As stated by Mandiant, UNC3944 has been active since at least May 2022, and their campaign tries to collect data from victims by leveraging Microsoft's cloud computing service. Previously, UNC3944 was credited with developing the STONESTOP (loader) and POORTRY (kernel-mode driver) toolkits for terminating security applications.

To sign their kernel drivers, the threat actors used stolen Microsoft hardware developer accounts.
The initial access to the Azure administrator's account is made with stolen credentials obtained by SMS phishing, a frequent UNC3944 method.

The attackers then impersonate the administrator when calling help desk agents in order to deceive them into delivering a multi-factor reset code to the target's phone number via SMS.  However, because the attacker had previously SIM-swapped and copied the administrator's number to their device, they obtained the 2FA token without the victim being aware of the breach.

Mandiant is still investigating how the hackers carry out the SIM-changing part of their operation. Previous examples, however, have demonstrated that having the target's phone number and cooperating with dishonest telecom staff is sufficient to permit illegal number porting.

Once the attackers have gained access to the targeted organization's Azure infrastructure, they use their administrator credentials to gather information, alter existing Azure accounts, and create new ones as needed.  In the following attack phase, UNC3944 employs Azure Extensions to conduct surveillance and intelligence gathering, disguise its harmful operations as seemingly innocuous daily routines, and blend in with normal activity.

Azure Extensions are "add-on" features and services that may be added to an Azure Virtual Machine (VM) to help increase capabilities, automate operations, and so on.
These extensions are secretive and less suspicious because they are executed within the VM and are often utilized for legal purposes.

In this instance, the threat actor took advantage of built-in Azure diagnostic extensions such as "CollectGuestLogs," which was utilized to collect log files from the compromised endpoint.  
UNC3944 then employs Azure Serial Console to acquire administrator console access to VMs and execute commands via a command prompt via the serial port.

"This method of attack was unique in that it avoided many of the traditional detection methods employed within Azure and provided the attacker with full administrative access to the VM," explains Mandiant's report.

Mandiant discovered that the intruders use the command "whoami" to identify the presently logged-in user and obtain enough information to continue the exploitation. The reports appendix has more information on how to analyze logs for Azure Serial Console. The threat actors then use PowerShell to extend their persistence on the VM and install a slew of commercially accessible remote administrator tools that aren't mentioned in the report.

"To maintain presence on the VM, the attacker often deploys multiple commercially available remote administration tools via PowerShell," reads Mandiant's report.

"The advantage of using these tools is that they're legitimately signed applications and provide the attacker remote access without triggering alerts in many endpoint detection platforms."
UNC3944's next move is to establish a reverse SSH tunnel to their C2 server in order to maintain covert and persistent access via a secure channel while bypassing network limits and security constraints.

The attacker configures the reverse tunnel with port forwarding, allowing the attacker to log in directly to the Azure VM through Remote Desktop. Any inbound connection to distant machine port 12345, for example, would be routed to local host port 3389 (distant Desktop Protocol Service Port).

Finally, the attackers utilize the credentials of a compromised user account to log in to the compromised Azure VM using the reverse shell, only then proceeding to increase their authority within the penetrated environment while stealing data.

Mandiant's attack demonstrates UNC3944's strong awareness of the Azure ecosystem and how it may use built-in capabilities to avoid detection. The risk is increased when this technical knowledge is combined with high-level social engineering abilities that assist the attackers in SIM changing.

At the same time, organizations that adopt insufficient security solutions, such as SMS-based multi-factor authentication, provide possibilities for these sophisticated threat actors due to a lack of understanding of cloud technology.

Metaverse: Billions Spent In The Virtual Land Grab

 

A sum of almost $2 billion was spent on the virtual land over the past year, according to research from metaverse analysts DappRadar. Digital real estate and digital plots of land are being purchased by individuals like Snoop Dogg and corporate investors like Samsung Electronics and PwC for a variety of reasons, but many of them believe that its value will rise over time. 
The virtual land is being sold via online platforms like Decentraland and Voxels (formerly Cryptovoxels), which many people consider as a primal version of metaverse – a virtual world, where the online users can live, work and play. 

Moreover, businesses and investors are building digital shops and event spaces on the virtual land they purchased in the metaverse, which often allows visitors to make purchases via cryptocurrencies. 

However, we are yet years away from the metaverse emerging as a sole immersive space online for people to live, play and work. So, is spending large sums for the land grabbing one huge gamble? 

‘Exhibiting my own work’ 


With the giant red Mohican and a permanent cigarette, the avatar of artist Angie Taylor does not quite resemble a typical land mogul. Nonetheless, she is among the growing group of people, who are laying claim to the new virtual worlds. 

“I bought my first metaverse parcel in July 2020 and paid about £1,500. I bought it for exhibiting my own work, but also for running metaverse events that would promote my art and also other people's art," she says. 

These plots, owned by Angie are about the size of a small family house (if one compares them to the size of her avatar). The tallest of them all stretches up over three floors and even comprises a roof terrace with a white-and-black-striped road crossing, and a pink taxi permanently driving back and forth just for fun. 

But one can sense the reality of the scale of this world from the air. 

"Hold down the F key and you can fly up to take a look at my neighborhood," Angie explains. Above her gallery, one can see thousands of identical boxes of land stretching to the horizon. 

Voxels is one of the many virtual worlds that identify as metaverses. People frequently refer to "the metaverse" as if there were just one, which is confusing. Companies are selling land and experiences in their own versions until one platform begins to dominate or these disparate worlds join together. 

According to DappRadar, $1.93 billion worth of cryptocurrency has been spent in order to purchase virtual lands in the past year alone, with $22m of that spent on about 3,000 parcels of land in Voxels. 

Among the many luxury fashion brands, Philipp Plein as well owns a virtual plot about the size of four football pitches, which it hopes will eventually contain a metaverse store and gallery. 

With fashion industries being most interested in taking the opportunity and risks in regards to the metaverse, Amsterdam-based digital-only fashion house, ‘The Fabricant’ only makes clothing for the avatars, designing collections and bespoke garments for users of Decentraland, Sandbox, and other crypto metaverses. 

The company just raised $14m in funding from investors betting on the idea that many of us will soon be living part of our lives in the metaverse. But since crypto metaverses are generally sparsely populated and only really used when events are held, and even then only thousands, and not millions, of people attend. Consequently, it is not certain if and when it will happen.

Misconfiguration Identified in Google Cloud Platform

 

A misconfiguration discovered in the Google Cloud Platform could allow threat actors to gain complete control over virtual devices by exploiting legitimate features in the system, researchers at Mitiga, a Cloud Incident Response firm, stated. 

Mitiga uncovered a misconfiguration several months ago while examining Google Cloud Platform’s Compute Engine (GCP), specifically virtual machine (VM) services. The Cloud incident response vendor identified a misconfiguration that allowed attackers to send and receive data from the VM and possibly secure complete control over the system. However, Mitiga emphasizes that this is not a security loophole, or system error – it’s described as a “dangerous functionality”. 

Mitiga notes that malicious actors could use a compromised metadata API, named “getSerialPortOutput”, which is used for the purpose of tracking and reading serial port keys. The researchers described the API call as a “legacy method of debugging systems”, as serial ports are not ports in the TCP/UP sense, but rather files of the form /dev/ttySX, given that this is Linux. 

"We at Mitiga believe that this misconfiguration is likely common enough to warrant concern; however, with proper access control to the GCP environment there is no exploitable flaw," Andrew Johnston, principal consultant at Mitiga, stated. 

After reporting the findings to Google, the company agreed that misconfiguration could be exploited to bypass firewall settings. Mitiga proposed two changes to the getSerialPortOutput function by Google, including restricting its use to only higher-tiered permission roles and allowing organizations to disable any additions or alterations of VM metadata at runtime. 

Additionally, the company advised Google to revise its GCP documentation, to further clarify that firewalls and other network access controls don’t fully restrict access to VMs. However, Google disagreed with a majority of the recommendations. 

"After a long exchange, Google did ultimately concur that certain portions of their documentation could be made clearer and agreed to make changes to documentation that indicated the control plane can access VMs regardless of firewall settings. Google did not acknowledge the other recommendations nor speak to specifics regarding whether a GCP user could evade charges by using the getSerialPortOutput method," Johnston wrote in the report.

AvosLocker Ransomware New Variant Targets Linux Systems and ESXi Servers

 

AvosLocker ransomware gang has added AvosLinux in its arsenal for encrypting Linux systems, specifically targeting VMware ESXi virtual machines. However, there are no details available regarding the targeted company or institutions, it is alleged that at least one victim received a $1 million ransom demand. 

A few months ago, the AvosLocker gang was also spotted advertising its latest ransomware variations, Windows Avos2 and AvosLinux, while alerting affiliates against attacking post-soviet/CIS targets. "Out new variants (avos2 / avoslinux) have the best of both worlds to offer: high performance & high amount of encryption compared to its competitors," the gang said.

Upon installation on a Linux system, AvosLocker terminates ESXi machines on the server using the following command: esxcli –formatter=csv –format-param=fields==”WorldID,DisplayName” vm process list | tail -n +2 | awk -F $’,’ ‘{system(“esxcli vm process kill –type=force –world-id=” $1)}’ 

Once it starts operating on a compromised device, the ransomware will append the .avoslinux extension to all encrypted files. It also leaves ransom notes asking victims not to shut down the computer to avoid file damage and to visit the TOR site that includes the information about paying the ransom. 

The AvosLocker ransomware-as-a-service was first identified during the summer of 2021 and its attacks surged between November and December. In a recent wave of attacks, AvosLocker ransomware is rebooting systems into Windows Safe Mode for easier device management and more efficient resource usage. 

By targeting virtual machines, ransomware authors also benefit from easier and faster encryption of multiple servers with a single command. Since October 2021, Hive ransomware has been encrypting Linux and FreeBSD systems with new malware variants, only months after cybersecurity researchers uncovered a REvil ransomware Linux encryptor targeting VMware ESXi virtual machines.

According to Emsisoft CTO Fabian Wosar, multiple ransomware operators including Babuk, RansomExx/Defray, Mespinoza, GoGoogle, DarkSide, and Hellokitty, have also designed and used their own Linux encryptors. "The reason why most ransomware groups implemented a Linux-based version of their ransomware is to target ESXi specifically," Wosar explained. 

HelloKitty and BlackMatter ransomware Linux variants were also identified in the wild by security experts in July and August, further validating Wosar's statement. The Snatch and PureLocker ransomware operations have also been observed using Linux encryptors in the past.