BlogNews7TH SEP 2023
AuthorSamir Yawar
4 min read
News

Apple Zero-Day Exploit, AI Abuse and Phishing Kits Dominate Headlines

Twitter
Facebook
WhatsApp
Email
LinkedIn
Apple zero-day exploit, AI abuse and phishing kits are discussed in our latest security news roundup.

It has been a very busy week for cybersecurity researchers. With newly developed AI tools and phishing kits reducing the amount of time it takes to design and deploy cyber attacks, experts are calling for organizations and individuals alike to take steps to secure their digital assets.

Here is a roundup of the most important happenings in the 2nd week of September 2023:

Cybersecurity News Roundup


AI Abuse in Designing Phishing Attacks

People can’t stop gushing over the opportunities that generative AI has brought in transforming the way we work and create new things. However, the larger cybersecurity industry has different thoughts. 

A new report reveals how the abuse of artificial intelligence by cybercriminals is going beyond writing phishing emails. They warn that the misuse of AI tools (such as ChatGPT) may soon drive “a wave of automated and multistage cyberattacks.”

New social engineering techniques are being developed to deliver multistage payloads to unsuspecting targets. Researchers at Darktrace say that there’s a “59% uptick in malicious emails sent to potential victims that encourages them to follow a series of steps before delivering a malicious payload or attempting to harvest sensitive information.”

Nearly more than 50,000 attacks have been detected in July that point to the potential of AI tools to drive multistage payload attacks. These attacks are executed with the help of persuasive text-based communication and quishing, the use of QR codes in phishing attacks.

New Apple Zero-Day Exploit

NSO Group’s commercially available spyware kit Pegasus is back in the news again. 

The discovery of two bugs in Apple iPhones running the latest iOS 16.6 can allow threat actors to install NSO's Pegasus spyware. The malware could be inserted without any interaction from the victim. The exploit chain has been dubbed BLASTPASS.

"The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim."Citizen Lab

Citizen Lab researchers were the first to discover these exploits. They say the two zero-day exploits were subsequently fixed by Apple with an emergency security update iOS 16.6.1.

Microsoft Email Accounts Hijacked by New Phishing Tool

Corporate Microsoft 365 accounts have been targeted with a new sophisticated phishing kit designed by the hacking group W3LL.

Security researchers say that this phishing kit is “one of the most efficient and sophisticated tools in its niche.” It works by getting around multifactor authentication by positioning itself between the victim and Microsoft, allowing hackers to intercept session cookies.

Using this phishing kit, “criminals of all skill levels” are making use of business email compromise (BEC) attacks to hijack thousands of Microsoft email accounts. According to recent estimates, the W3LL phishing kit has targeted over 56,000 Office 365 accounts, with at least 8,000 successful attacks so far.

Group-IB says the new phishing tool may have netted $500,000 for W3LL, which has been active since 2017. The kit is being sold for $500 for a three-month subscription.

These sophisticated tools make it easier for threat actors to commit large-scale phishing campaigns.

Samir Yawar
Samir Yawar / Content Lead
Samir wants a world where people can instinctively whack online scams and feel accomplished without the need for psychic powers. As an ISC2 member, he is doing his bit to turn cybersecurity awareness training into a fun concept with simple, approachable and accessible content. Reach out to him at X @yawarsamir
FAQsFrequently Asked Questions
A phishing kit is a repository of tools and resources used by cybercriminals to create and deploy phishing attacks. It typically includes pre-designed phishing email templates, web page replicas of legitimate websites, and scripts for capturing user credentials or personal information. Phishing kits streamline the process of launching phishing campaigns and increase the chances of successful attacks.