Blog / News, 22 Feb 2024
Author: Shayan Naveed
4 min read
News

GoldPickaxe, Google Cloud Run, and ChatGPT Security Alert Make Headlines


This week, we’re covering a trifecta of cybersecurity incidents. These threats range from face-scanning malware like 'GoldPickaxe' to the exploitation of Google Cloud Run for malware distribution, alongside OpenAI's actions against misuse of its ChatGPT chatbot. Join us as we explore the latest in cybersecurity.

Cybersecurity News Roundup for February 23, 2024

Here are the details regarding the latest cybersecurity news:

New 'GoldPickaxe' Malware Harvests Facial Data for Fraud

A sophisticated new mobile trojan named 'GoldPickaxe' has emerged. It is designed to manipulate victims into scanning their faces and ID documents, potentially so that attackers can create deepfakes that facilitate unauthorized access to banking services. Developed by the Chinese threat group 'GoldFactory,' known for prior malware strains such as 'GoldDigger' and 'GoldKefu,' this trojan marks a concerning escalation in cybercriminal tactics.

Security firm Group-IB reports that the trojan, initially observed in the Asia-Pacific region with a focus on Thailand and Vietnam, uses social engineering via localized phishing messages to ensnare victims. On iOS, the trojan sidesteps App Store review by directing victims to TestFlight URLs or coercing them into installing malicious Mobile Device Management (MDM) profiles.

Once installed, GoldPickaxe operates surreptitiously, capturing faces, intercepting SMS, and proxying network traffic. Although the trojan primarily targets Android devices, its capabilities on iOS devices highlight the evolving threats to mobile security.

Hackers Exploit Google Cloud Run to Distribute Banking Trojans

Security experts are sounding the alarm on a concerning trend of cybercriminals exploiting Google Cloud Run to disseminate vast quantities of banking trojans such as Astaroth, Mekotio, and Ousaban. Google Cloud Run, designed to simplify the deployment of frontend and backend services without infrastructure management, has inadvertently become a vehicle for malware distribution.

Researchers from Cisco Talos observed a surge in malicious activity leveraging Google Cloud Run, particularly since September 2023, when Brazilian threat actors initiated campaigns using MSI installer files to deploy malware payloads.

These attacks typically commence with phishing emails, often in Spanish, masquerading as legitimate correspondence from financial entities or government agencies. The emails contain links redirecting victims to malicious web services hosted on Google Cloud Run, or deliver payloads via MSI files. Once executed, the trojans establish persistence on the victim's system, enabling the theft of sensitive financial data.
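As an added defender-side illustration (not code from the original post or from Cisco Talos), the following triage helper flags the two delivery patterns described above in an email body: links to services on Google Cloud Run's default `*.run.app` domain and direct `.msi` download links. The sample email is constructed; the run.app suffix is Cloud Run's standard service domain, and a hit is a reason to look closer, not a verdict, since legitimate services use the same domain.

```python
import re
from urllib.parse import urlparse

# Services deployed on Google Cloud Run get a default hostname ending in .run.app
CLOUD_RUN_SUFFIX = ".run.app"
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def find_suspicious_links(email_body: str) -> list[dict]:
    """Return links in an email body that match the delivery patterns
    described in the roundup: Cloud Run-hosted pages and MSI downloads.
    Each finding carries the reasons it was flagged for analyst triage."""
    findings = []
    for raw in URL_RE.findall(email_body):
        url = raw.rstrip(".,;")          # drop trailing sentence punctuation
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        path = parsed.path.lower()
        reasons = []
        if host.endswith(CLOUD_RUN_SUFFIX):
            reasons.append("cloud-run-host")   # hosted on Cloud Run default domain
        if path.endswith(".msi"):
            reasons.append("msi-download")     # direct Windows installer link
        if reasons:
            findings.append({"url": url, "host": host, "reasons": reasons})
    return findings


# Constructed sample email in the style the roundup describes (not a real artefact)
SAMPLE_EMAIL = """Estimado cliente,
Su factura esta disponible en https://facturas-a1b2c3d4e5-uc.a.run.app/ver?id=123
Descargue el instalador: http://cdn.example.test/files/actualizacion.msi
Portal oficial: https://www.example.test/login
"""

if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_EMAIL):
        print(finding)
```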

In a statement to BleepingComputer, Google acknowledged the issue, saying:

> We have removed the offending links and are looking into strengthening our mitigation efforts to help prevent this type of nefarious activity.

OpenAI Takes Action Against Threats Exploiting ChatGPT

OpenAI has taken decisive action against state-sponsored threat groups from Iran, North Korea, China, and Russia by removing accounts that used the ChatGPT artificial intelligence chatbot for malicious purposes. This move follows collaboration with Microsoft's Threat Intelligence team, which provided crucial insights into the groups' activities.

According to reports, the threat actors exploited ChatGPT for a range of activities, including reconnaissance, social engineering, and troubleshooting, rather than for directly developing malware. The groups used the chatbot to enhance their strategic and operational capabilities in fields such as military research, cyber operations, and intelligence gathering.

In response to these incidents, OpenAI emphasizes its commitment to continually refining its security measures to stay ahead of emerging threats. As the landscape of cyber warfare evolves, collaboration and proactive defense strategies remain essential in safeguarding against malicious exploitation of AI technologies.

Shayan Naveed / Contributor
Shayan has covered various topics as a journalist with over a decade of experience. She is currently focusing on the ramifications of cybersecurity incidents and their impact on our digital lifestyle as a whole. Reach out to her for tips, pitches and stories.