Cyber Threat Intelligence Summary 01 - 07 November 2024 TLP: CLEAR




This report was processed and collated by the Elemendar CTI team and includes MITRE ATT&CK TTPs and IOCs collated using one of our products, READ., an AI-driven cybersecurity tool.


For further information or a demonstration of our products, please visit our website: elemendar.ai. If you would like the PDF version, please email us at cti@elemendar.com.



Contents

Executive Summary
Microsoft Warns of Major Credential Theft by Chinese Threat Actors Via Covert Network Attacks
ChatGPT-4o Can be used for Autonomous Voice Based Scams
DocuSign's Envelopes API Abused to send Realistic Fake Invoices
Annex A: References
Annex B: STIX Entities
Probability Language
Feedback
Acknowledgements

Executive Summary


Microsoft Warns of Major Credential Theft by Chinese Threat Actors Via Covert Network Attacks

Since August 2023, Microsoft has tracked covert credential theft by CovertNetwork-1658, a Chinese-linked botnet that uses compromised SOHO routers for password spray attacks. The activity is linked to Storm-0940 and evades detection by making only a small number of login attempts per account per day.


The attack, likely part of a broader Chinese state campaign, showed methodical patience and advanced tradecraft, using low-volume login attempts from distributed SOHO IPs to evade detection and steal credentials. The scale and sophistication highlight the need for enhanced defences against persistent threats to government and business sectors.


ChatGPT-4o Can be used for Autonomous Voice Based Scams

DocuSign's Envelopes API Abused to send Realistic Fake Invoices




Microsoft Warns of Major Credential Theft by Chinese Threat Actors Via Covert Network Attacks




Since August 2023, Microsoft has been tracking credential-stealing attacks facilitated by highly evasive password spray tactics. These attacks are attributed to a network of compromised devices known as “CovertNetwork-1658” (also called xlogin or Quad7), which has successfully infiltrated multiple customer accounts. CovertNetwork-1658 comprises compromised small office and home office (SOHO) routers, primarily TP-Link devices, leveraged by Chinese threat actors for password spray attacks.

Elemendar CTI Analyst comment: Microsoft has attributed this latest activity to Storm-0940, a Chinese state-sponsored group. Active since at least 2021, Storm-0940 employs TTPs such as brute-force attacks and exploitation of vulnerable network services to gain access to organisations, primarily in North America and Europe, including government and defence sectors. Attacks using this TTP have previously been observed and linked to APT40 (aka Kryptonite Panda, GINGHAM TYPHOON and Leviathan). APT40 is a Chinese state-sponsored threat actor that has been active since at least 2011, conducting espionage against government organisations and verticals in the US and Australia. APT40 was associated with a series of attacks that targeted more than 250,000 Microsoft Exchange servers through the ProxyLogon vulnerabilities. Their campaigns have also included exploiting vulnerabilities in widely used software such as WinRAR. Comment Ends.

By making only a small number of login attempts per account each day, the threat actor gains unauthorised access while remaining difficult to detect. The scale of the campaign is nevertheless extensive: Microsoft states that CovertNetwork-1658 has compromised up to 8,000 devices, of which around 20% are actively used for password spraying.


Post-compromise activity on these routers involves the attackers downloading binaries (such as Telnet and xlogin) to establish a backdoor, which provides command and control over TCP port 7777 and starts a SOCKS5 proxy server that obscures the origin of the password spray attempts. The threat actors rotate IP addresses roughly every 90 days, further hindering tracking and containment.



Fig. 1: Steps taken to prepare the router for password spray operations (source: Microsoft)

Microsoft has seen CovertNetwork-1658 submit small numbers of sign-in attempts across multiple accounts within target organisations, often only once per account per day, which makes the behaviour hard to identify through conventional login-failure monitoring that alerts on repeated failures against a single account.


Elemendar CTI Analyst comment: In July and August 2024, cybersecurity firms Sekoia and Team Cymru released reports detailing CovertNetwork-1658 activities. This exposure led to a sharp decline in the network's usage, but recent observations indicate that CovertNetwork-1658 may be acquiring new infrastructure with altered configurations to avoid detection. Data from Censys.IO shows a drop in active nodes but also hints at recent reactivations, suggesting that the network is evolving to sustain its operations. Comment Ends.

The immediate transfer of compromised credentials from CovertNetwork-1658 to threat actors like Storm-0940 suggests a close operational relationship. Once Storm-0940 gains access to a compromised environment, the group performs lateral movement using credential-dumping tools, deploys remote access trojans (RATs), and targets network devices to maintain persistence. Additionally, Storm-0940 has been observed attempting data exfiltration as part of its objectives.


To counter these activities, Microsoft advises increased monitoring of SOHO device logs, using advanced threat detection techniques to identify low-volume attacks, and implementing robust password policies.
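To make the monitoring advice above concrete, the following Python sketch is an added example (not code from Microsoft's advisory or from this report) that contrasts a conventional per-account failure threshold with a fan-out rule aimed at the low-and-slow pattern described: many distinct accounts each failing only once or twice per day, from many distinct source addresses. The log line format, field names, thresholds and all sample events are constructed for the example and are not taken from any real telemetry.

```python
import re
from collections import defaultdict

# Constructed log format (assumption for this example, not a vendor format):
#   <ISO timestamp> user=<account> src=<source IP> result=<SUCCESS|FAILURE>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def build_sample_log() -> list[str]:
    """Construct a small sign-in log: a low-and-slow spray, one classic
    brute-force attempt, and some benign traffic. All values are made up."""
    lines = []
    # Low-and-slow spray: 12 accounts, one failure each per day, each attempt
    # arriving from a different source address (a different SOHO router).
    for day in (1, 2):
        for i in range(12):
            lines.append(
                f"2024-11-0{day}T{8 + i % 8:02d}:{(i * 7) % 60:02d}:00Z "
                f"user=user{i:02d}@example.org src=203.0.113.{10 + i + day} result=FAILURE"
            )
    # Classic brute force: six failures against one account from one IP.
    for n in range(6):
        lines.append(
            f"2024-11-01T12:0{n}:00Z user=admin@example.org src=198.51.100.7 result=FAILURE"
        )
    # Benign: a user who mistyped once and then signed in.
    lines.append("2024-11-01T09:00:00Z user=alice@example.org src=192.0.2.5 result=FAILURE")
    lines.append("2024-11-01T09:00:30Z user=alice@example.org src=192.0.2.5 result=SUCCESS")
    return lines


def parse_events(lines: list[str]) -> list[dict]:
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["day"] = e["ts"][:10]  # bucket by calendar day
        events.append(e)
    return events


def per_account_threshold_alerts(events: list[dict], threshold: int = 5) -> list[str]:
    """Conventional rule: alert when a single account fails >= threshold times
    in one day. This catches brute force but misses a one-attempt-per-day spray."""
    fails = defaultdict(int)
    for e in events:
        if e["result"] == "FAILURE":
            fails[(e["day"], e["user"])] += 1
    return sorted({user for (_day, user), n in fails.items() if n >= threshold})


def low_and_slow_spray_alerts(
    events: list[dict], min_accounts: int = 10, max_per_account: int = 2, min_sources: int = 5
) -> list[dict]:
    """Spray rule: per day, count accounts that failed only a few times and the
    distinct source IPs behind those failures. A large number of lightly-touched
    accounts from many sources is the population-level signal; a single benign
    typo (alice) adds one to the count but cannot trigger the rule on its own.
    Accounts above max_per_account are excluded so brute force does not inflate it."""
    per_day_user = defaultdict(lambda: defaultdict(int))
    per_day_src = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e["result"] != "FAILURE":
            continue
        per_day_user[e["day"]][e["user"]] += 1
        per_day_src[e["day"]][e["user"]].add(e["src"])
    alerts = []
    for day, users in sorted(per_day_user.items()):
        sprayed = [u for u, n in users.items() if n <= max_per_account]
        sources = {s for u in sprayed for s in per_day_src[day][u]}
        if len(sprayed) >= min_accounts and len(sources) >= min_sources:
            alerts.append({"day": day, "accounts": len(sprayed), "sources": len(sources)})
    return alerts


if __name__ == "__main__":
    evs = parse_events(build_sample_log())
    print("per-account threshold alerts:", per_account_threshold_alerts(evs))
    print("low-and-slow spray alerts:", low_and_slow_spray_alerts(evs))
```

Run against the constructed log, the threshold rule fires only on the brute-forced admin account, while the fan-out rule flags both days of the spray even though no sprayed account fails more than once. In practice the day bucket and thresholds would be tuned to the tenant's normal failure rate, and source diversity could be measured by ASN or network rather than raw IP, since the botnet rotates addresses.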


Elemendar Intelligence Assessment: This attack was conducted by a methodical threat actor who demonstrated patience in gaining access and establishing persistence within the network. The low number of daily login attempts, chosen to avoid raising suspicion, suggests knowledge of tradecraft associated with other Chinese APTs. The network's distributed nature, its numerous SOHO IP addresses and the low-volume attack approach together enable the threat actor to circumvent traditional security solutions, thereby improving their chances of successful credential theft.


Chinese APTs primarily conduct attacks against government departments or businesses to understand how specific functions within these entities work, to achieve persistence within national infrastructure for future operations, or to conduct espionage. Given the widespread use of Microsoft operating systems across governments and verticals, this attack is likely to be part of a larger campaign conducted by the Chinese state.


The scale and sophistication of these attacks underscore the importance of enhanced defences, as Chinese threat actors continue to employ innovative, evasive techniques to infiltrate organisations across all sectors, both government and business. This attack vector is almost certain not to change and, as such, presents an ongoing and active threat. Assessment Ends.



ChatGPT-4o Can be used for Autonomous Voice Based Scams




Researchers from the University of Illinois Urbana-Champaign (UIUC) have demonstrated that OpenAI's latest voice-capable model, ChatGPT-4o, can be exploited for financial scams despite the company's built-in safeguards.


ChatGPT-4o, part of OpenAI's advanced chatbot line, integrates multiple modalities (text, voice, and vision) and has features designed to block harmful or malicious content. However, the study shows that these protections can be bypassed, and ChatGPT-4o may still be vulnerable to certain types of financial abuse.


Voice-based scams are a significant financial threat globally, and AI-driven technologies, especially those involving voice generation, amplify the risk by enabling impersonation and manipulation at scale. In their experiments, the UIUC researchers simulated various scams using ChatGPT-4o, including bank transfers, crypto theft, and credential theft from services such as Gmail and social media platforms. Through manual testing, they played the role of naive victims to observe whether these scams could be executed successfully via voice interactions with the model. The researchers found that the AI could perform a series of complex actions on real websites, including navigating pages, entering data, and handling two-factor authentication codes.



Fig.2: Diagram depicting voice scammer agent (source: UIUC)


ChatGPT-4o generally refuses to process sensitive data, but the researchers used "jailbreaking" techniques (prompt manipulations that trick the model into bypassing its built-in safeguards) to achieve their goals. For instance, they confirmed successful bank transactions on real sites, though without testing the AI's ability to persuade a victim. Their findings indicate that scams leveraging ChatGPT-4o achieved moderate success rates, with credential theft from Gmail proving the most successful (60%), while crypto transfers and Instagram credential theft each had a 40% success rate.


Elemendar CTI Analyst comment: Previous Elemendar CTI reporting (see Elemendar CTI Summary 25-31 October 2024) has reported on “jailbreaking” ChatGPT, where a security researcher exploited CVE-2024-41110 by encoding instructions in hex, bypassing GPT-4o's filters. Comment Ends.

One notable aspect of the study was the low cost of these scams. A successful bank transfer scam costs about $2.51 (USD) to execute, while simpler credential theft costs as little as $0.75 (USD).

OpenAI responded to the findings, acknowledging the need for robust safety improvements in its models. The company highlighted its new model, ChatGPT-4o1-preview, which is currently in development and integrates enhanced reasoning capabilities and stronger safeguards against malicious manipulation. According to OpenAI, this model resists adversarial prompts more effectively, scoring 84% in jailbreak safety evaluations compared to ChatGPT-4o's 22%. Additionally, o1-preview scores significantly higher in broader safety evaluations (93% versus ChatGPT-4o's 71%).


These safety-focused improvements are intended to limit the chatbot’s susceptibility to abuse while retaining its helpfulness and creative output. OpenAI also stated that studies like the UIUC research help the company to strengthen its defences against misuse. The company aims to restrict voice impersonation capabilities by limiting voice generation to pre-approved voices.



Elemendar Intelligence Assessment: While ChatGPT-4o’s newer iterations are expected to phase out older, less secure versions, the potential for malicious use is almost certain to remain and is highly likely to continue to be a credible threat for all verticals, especially as other voice-enabled AI tools become accessible.


Accessibility, coupled with low operational costs, lowers the bar for less experienced threat actors to exploit AI technology for nefarious purposes. This is likely to mean that more such attacks will be observed across all verticals. Assessment Ends.




DocuSign's Envelopes API Abused to send Realistic Fake Invoices



According to a report released by the cybersecurity company Wallarm, threat actors are increasingly exploiting DocuSign's APIs to send highly convincing fake invoices that evade detection by both users and security tools.


Elemendar CTI Analyst comment: Threat actors have created paid DocuSign accounts to customise templates and access DocuSign's API directly. Through this, they send large volumes of fraudulent invoices, sometimes including accurate product pricing or additional charges such as activation fees to enhance authenticity. Recipients who e-sign these documents unknowingly authorise payments, which the threat actors can later request directly from the organisation's finance team. Comment Ends.

Because these invoices are sent through DocuSign's official platform, they appear legitimate to email services, bypassing typical anti-spam and phishing filters and creating significant detection challenges: the sending domain, signatures and links are all genuinely DocuSign's, so the only anomaly lies in the content and the unexpected sender account.



Fig.3: Fraudulent invoice sent via DocuSign, using Norton's branding and layout (source: Wallarm)

Attackers also automate these scams by leveraging DocuSign's Envelopes API, which allows them to send fraudulent invoices at scale with minimal manual effort. DocuSign's API environment, while useful for legitimate businesses, offers threat actors a tool for conducting widespread and scalable attacks by customising invoices to match the targeted brands.


Elemendar Intelligence Assessment: Unlike traditional phishing, which relies on spoofed emails and malicious links and preys on the naivety of the victim, this attack vector uses legitimate DocuSign accounts to impersonate reputable brands, making fraudulent invoices appear authentic and removing suspicion about their origin and intent.


Exploitation of trusted systems is a well-known TTP for threat actors, and this attack represents a new vector of that type. This trend is highly likely to continue, targeting all verticals that use e-signature and e-payment services such as DocuSign. Assessment Ends.



Annex A: References

Microsoft Warns of Major Credential Theft by Chinese Threat Actors Via Covert Network Attacks

ChatGPT-4o Can be used for Autonomous Voice Based Scams

DocuSign's Envelopes API Abused to send Realistic Fake Invoices


Annex B: STIX Entities


Microsoft Warns of Major Credential Theft by Chinese Threat Actors Via Covert Network Attacks


Mitre ATT&CK TTPs

ID | Name | Tactic | Description
T1593.003 | Code Repositories | Reconnaissance | Adversaries may gather information from code repositories to find useful data about targets.
T1550 | Use Alternate Authentication Material | Defence Evasion, Credential Access | Adversaries may use alternate material, like certificates, for authentication to access resources.
T1589.001 | Credentials | Collection | Adversaries may obtain credentials like usernames and passwords to facilitate access to systems.
T1556.004 | Network Device Authentication | Credential Access | Adversaries may target network device authentication for gaining unauthorised access.
T1205.001 | Port Knocking | Defence Evasion | A technique where adversaries hide open ports until they receive a specific set of network traffic.
T1205 | Traffic Signalling | Defence Evasion | Adversaries use traffic signalling to communicate or identify command-and-control servers.
T1584.008 | Network Devices | Resource Development | Adversaries may acquire or compromise network devices to facilitate further operations.
T1110.003 | Password Spraying | Credential Access | A brute-force attack technique where adversaries try common passwords across many accounts.
T1211 | Exploitation for Defence Evasion | Defence Evasion | Adversaries exploit vulnerabilities to evade defences or escalate privileges on systems.


ChatGPT-4o Can be used for Autonomous Voice Based Scams


Mitre ATT&CK TTPs

ID | Name | Tactic | Description
T1534 | Stage Capabilities | Internal Spearphishing | Uses internal channels to phish employees and obtain credentials or prompt malicious actions.
T1078 | Valid Accounts | Credential Access, Persistence, Defence Evasion | Uses legitimate credentials to access systems, helping evade detection by blending with normal activity.


DocuSign's Envelopes API Abused to send Realistic Fake Invoices


Mitre ATT&CK TTPs

ID | Name | Tactic | Description
T1566 | Phishing | Initial Access | Uses deceptive messages to trick users into revealing credentials or executing malicious links.
T1598 | Phishing for Information | Collection | Attempts to gather sensitive information via phishing without necessarily delivering malware.
T1190 | Exploit Public-Facing Application | Initial Access | Exploits vulnerabilities in publicly accessible applications to gain access to a network.




Probability Language


This document uses probability language based on analyst assessment. Further information on the probability scale can be found in the image below:



Feedback


We welcome your feedback; it helps ensure we meet your needs.

Please contact our CTI Director at: CTI@elemendar.ai

Acknowledgements

Authored by Paul Montgomery, CTI Director, Elemendar



