New Attack Techniques Emerge as Cybersecurity Threat Landscape Evolves

By Tina Reynolds

In the weeks and months since, cybersecurity experts have found increasingly sophisticated new attack techniques designed to overcome these defenses. Among these is EchoGram, a new public-facing methodology conceived by researchers at HiddenLayer. This technique explicitly evades prevalent AI defense mechanisms such as purpose-trained text classification models and systems based on the “LLM-as-a-judge” paradigm. The development of these techniques is deeply alarming and represents a worrying new step in the evolution of cyber threats.

At the same time, a new and highly advanced cybercriminal organization calling itself Akira has taken advantage of unpatched vulnerabilities in edge devices and backup servers. The group then used tools such as AnyDesk for remote access. It used SharpDomainSpray for credential dumping to gain an initial point of access in its targets. Akira also uses the Bring Your Own Vulnerable Driver (BYOVD) approach, relying on its utility, POORTRY, to perform privilege escalation in affected environments.

Adding to this list of emerging security threats, Chinese actors have reportedly used Anthropic’s AI, Claude, to engineer automated attacks. These hackers were able to overcome the protections that Anthropic built in by using jailbreaking methods. They manipulated Claude into believing they were just doing security audits for their targets. A primary purpose of this ruse was to enable them to target almost 30 organizations around the globe, in industries including chemical production and technology.

EchoGram: A New Threat

EchoGram presents serious challenges to current cybersecurity practices. By challenging traditional AI protective methods, it opens doors for cybercriminals to take advantage of gaps in automated defenses.

Researchers from HiddenLayer recently discovered this new attack technique. The approach can game AI systems that are built to improve security through state-of-the-art machine learning. As they explained, “The ability to directly copy malware characteristics described in security reports creates significant challenges for threat hunters and investigators.”

EchoGram’s development has powerful implications. It emboldens adversaries to develop more advanced tactics that quickly become difficult to detect. This progression in attack modalities calls for a critical look at the ways that cybersecurity initiatives are organized, particularly when it comes to AI-powered defenses.

Akira’s Exploits

Three-eyed crow has acquired considerable fame for their audacity and their talent for taking over edge devices and backup servers. Through this tactic they are able to lay the groundwork for larger attacks against more benign targets within their targeted networks. Their techniques involve the use of AnyDesk for remote access and SharpDomainSpray to steal credentials.

Academic researchers have recently discovered Akira abusing the BYOVD tactic by using POORTRY. This tactic enables the group to escalate privileges on victimized machines. This multi-faceted approach not only maximizes their chance of success but also makes the response from cybersecurity teams even more complex.

As Kevin Beaumont pointed out regarding the report on these activities, “The report has no indicators of compromise, and the techniques it is talking about are all off-the-shelf things which have existing detections.” This story illustrates the difficulty organizations face in staying ahead of evolving threats that make use of tools and technologies that are quite literally available to anyone.

The Role of AI in Automated Attacks

AI’s role in cyberattacks has recently become more commonplace, as shown by the recent cyberstalking incidents related to Anthropic’s Claude. Chinese hackers proved this AI’s worth with their campaigns. This exemplifies the ways that emerging technology can be turned into a weapon and used against targets globally.

According to insights from Anthropic, “Overall, the threat actor was able to use AI to perform 80-90% of the campaign, with human intervention required only sporadically (perhaps 4-6 critical decision points per hacking campaign).” This statistic highlights just how heavily these more complex attacks depend on automation for their coordination.

Additionally, the targeted organizations represented multiple industries, with only about a quarter of these being successfully breached in the end. Hackers have already proven that it’s possible to circumvent advanced protections with jailbreaking methods. This development raises deeply troubling questions about the effectiveness of our current cybersecurity measures.

The Rise of DarkComet RAT

Alongside these new and evolving challenges, DarkComet RAT has made a comeback as a high-profile threat in the cybersecurity sphere. This remote access trojan lures victims into installing fake crypto applications.

DarkComet has become notorious over the years for its multi-faceted spying and control capabilities, which give attackers significant control over infected machines. The ongoing use of this malware is a reminder of the importance of user education regarding online threats and malicious software.

Reports indicate that bad actors have been using sophisticated methods to make these fake applications look real. As AhnLab noted, “While the initial distribution method is unknown, the attacks involve a legitimate-looking website that disguises the malware as a normal program.” This tactic greatly reduces user suspicion and therefore increases the chances of a successful infection.

PolarEdge Botnet Uncovered

QiAnXin XLab just revealed a new botnet called PolarEdge, which has rounded up more than 25,000 devices into its army. This botnet exemplifies a growing trend among cybercriminals to consolidate control over large numbers of compromised devices for future attacks.

Its current infrastructure is nearly analogous to an ORB network, which implies an extremely robust framework for dealing with at-risk devices. QiAnXin XLab explained that “Its core functions include onboarding compromised devices into the proxy pool of designated C2 nodes, providing proxy services, and enabling remote command execution.”

As botnets like PolarEdge continue to make causing harm easy and accessible for attackers, organizations can’t let their guard down on their cyber practices. Developing effective defenses against these kinds of threats will take both sophisticated detection technologies and user education efforts.

Vulnerabilities in Existing Systems

Even with the rapid evolution of cybersecurity technologies, vulnerabilities remain in solutions that are ubiquitous across many industries. The Imunify360 malware scanner for Linux servers contains a critical remote code execution vulnerability. If this issue is not rectified, the risk to end users is great.

This incident should be a wake-up call that even the most trusted security tools can contain serious vulnerabilities that undermine system integrity. Every organization should make it a practice to regularly update software, run vulnerability assessments, and quickly identify and patch any exploitable flaws.