Termite ransomware breaches linked to ClickFix CastleRAT attacks

What Happened

In a recent surge of cyberattacks, ransomware threat actors tracked as Velvet Tempest have been using the ClickFix technique and legitimate Windows utilities to deploy malware and backdoors. This group, also known as DEV-0504, has been involved in devastating ransomware attacks for at least five years, including the deployment of Ryuk, REvil, Conti, BlackMatter, and LockBit strains.

Meanwhile, Microsoft has reported that hackers are increasingly abusing artificial intelligence (AI) in their operations to accelerate attacks, scale malicious activity, and lower technical barriers across all aspects of a cyberattack. AI is being used for reconnaissance, phishing, infrastructure development, malware creation, and post-compromise activity.

Why It Matters

The escalating use of AI in cyberattacks highlights the need for organizations to adopt more sophisticated security measures. The US government's new cybersecurity strategy, which emphasizes offensive operations and deregulation, has sparked debate among experts. While some argue that this approach will help disrupt adversaries, others raise concerns about the potential risks and unintended consequences.

What Experts Say

> "By moving the usual 'deterrence' part to the top and focusing on offense, which is usually only lightly referred to in past unclassified strategies, the administration has greatly emphasized that pillar, which will clearly get it the most attention in the short term." — Ari Schwartz, managing director of cybersecurity services and policy at Venable LLP

Key Facts

• Who: Velvet Tempest (DEV-0504) ransomware group
• What: Using ClickFix technique and AI-driven attacks
• When: Observed between February 3 and 16
• Where: Targeted a non-profit organization in the US
• Impact: Deployed malware and backdoors, highlighting the need for advanced security measures

New Tactics and Techniques

Threat actors are continuously evolving their tactics to evade detection. In a recent campaign, ClickFix attackers used a new tactic to trick employees into installing malware. Instead of asking victims to copy and paste a malicious command into the Run dialog, they prompted them to use the Windows + X → I shortcut to launch Windows Terminal (wt.exe) directly. This tactic evades defenses looking for unusual run commands and bypasses security awareness training.

The Role of AI in Cybersecurity

As AI becomes increasingly prevalent in cyberattacks, organizations must adopt AI-native security solutions to stay ahead of the threats. Cylake's platform, for example, analyzes security data locally and identifies potential attacks without relying on cloud services.

What Comes Next

As the cybersecurity landscape continues to evolve, organizations must prioritize advanced security measures, including AI-native solutions, to protect against increasingly sophisticated threats. The US government's new cybersecurity strategy will likely have significant implications for the industry, and experts will be watching closely to see how it plays out.