CyberWire Daily - A credential dump hits the online underground.
Episode Date: January 18, 2024A massive credential dump hits the online underground. CISA and the FBI issue joint guidance on drones. TensorFlow frameworks are prone to misconfigurations. Swiss federal agencies are targets of nuis...ance DDoS. Cybercriminals hit vulnerable Docker servers. Quarkslab identifies PixieFAIL in UEFI implementations. Google patches Chrome zero-day. The Bigpanzi botnet infects smart TVs. Proofpoint notes the return of TA866. In our Threat Vector segment, David Moulton dives into the evolving world of AI in cybersecurity with Kyle Wilhoit, director of threat research at Unit 42. And we are shocked- SHOCKED! - to learn that Facebook is tracking us. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest This segment of Threat Vector dives into the evolving world of AI in cybersecurity with Kyle Wilhoit, director of threat research at Unit 42. This thought-provoking discussion, hosted by David Moulton, director of thought leadership at Unit 42, ffocuses on the current state and future trends of AI in cyberthreats. Discover how AI is reshaping the landscape of cyberattacks, the role of generative AI in threat actor tactics, and the challenges of attribution in AI-driven cyberattacks. Visit Unit 42 by Palo Alto Networks to learn more. Check out the Threat Vector podcast and follow it on your favorite podcast app. Selected Reading Researcher uncovers one of the biggest password dumps in recent history (Ars Technica) Troy Hunt: Inside the Massive Naz.API Credential Stuffing List (Troy Hunt) Feds warn China-made drones pose risk to US critical infrastructure (SC Media) TensorFlow CI/CD Flaw Exposed Supply Chain to Poisoning Attacks (The Hacker News) Swiss Government Reports Nuisance-Level DDoS Disruptions (Data Breach Today) Malware Exploits 9Hits, Turns Docker Servers into Traffic Boosted Crypto Miners (HACKREAD) PixieFail: Nine flaws in UEFI open-source reference implementation (Security Affairs) Update Chrome! Google patches actively exploited zero-day vulnerability (Malwarebytes) Cybercrime crew infects 172,000 smart TVs and set-top boxes (Risky Biz News) Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware (Google Threat Analysis Group) Security Brief: TA866 Returns with a Large Email Campaign (Proofpoint) Each Facebook User Is Monitored by Thousands of Companies (Consumer Reports) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A massive credential dump hits the online underground.
CISA and the FBI issue joint guidance on drones.
TensorFlow frameworks are prone to misconfigurations.
Swiss federal agencies are targets of nuisance DDoS.
Cyber criminals hit vulnerable Docker servers.
Quark's lab identifies pixel fail in UEFI implementations.
Google patches a Chrome Zero day.
The Big Pansy botnet infects smart TVs,
Proofpoint notes the return of TA866,
in our Threat Vector segment,
David Moulton dives into the evolving world of AI
and cybersecurity with Kyle Wilhoyt,
Director of Threat Research at Unit 42.
And we are shocked, shocked,
to learn that Facebook is tracking us.
It's Thursday, January 18th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing. briefing. Thanks for joining us today. It is good to have you here. Troy Hunt, the operator of the
breach notification service Have I Been Pwned? reports a significant data breach involving about 71 million unique
credentials. The data has been circulating on the internet for at least four months
and was posted on a well-known underground market known for the sale of compromised credentials.
Typically, Troy Hunt doesn't pay much attention to these sorts of dumps because they're usually
just repurposed and repackaged
data from earlier breaches. However, this particular breach was different. It contained
nearly 25 million passwords that had never been leaked before. The breach compromised 319 files
totaling 104 gigabytes and included nearly 71 million unique email addresses.
The breach seems to be the result of Steeler malware,
which captures credentials from compromised machines. The passwords in this breach appeared in plain text.
This is unusual, since account credentials taken in website breaches
are almost always cryptographically hashed.
Most of the exposed credentials were weak
and would easily fall to a simple password dictionary attack.
Hunt confirmed the authenticity of the dataset
by contacting people at some of the listed emails
who confirmed that the credentials listed were indeed accurate.
Hunt noted that in addition to the Steeler malware,
a large percentage of the passwords in this breach
came from credential stuffing.
The FBI and the Cybersecurity and Infrastructure Security Agency
have warned about the risks of using China-made drones
in critical U.S. infrastructure sectors.
In a joint guidance, they highlighted the dangers of sensitive information exposure
due to China's laws that allow government access to data held by Chinese companies,
including drone manufacturers.
The agencies noted that prominent Chinese drone manufacturers,
deemed as Chinese military companies by the Department of Defense,
are under the purview of these laws.
The widespread use of these drones in key U.S. sectors poses national security concerns,
including unauthorized system and data access. The agencies recommend procuring drones adhering
to secure-by-design principles, preferably U.S.-made, and provide suggestions for mitigating
security risks associated with industrial drones. Researchers at Praetorian discovered critical
misconfigurations in the open-source TensorFlow machine learning framework's continuous integration
and continuous delivery systems. These vulnerabilities could potentially allow
attackers to orchestrate supply chain attacks. Attackers could compromise TensorFlow's build agents via malicious pull
requests, enabling them to upload harmful releases to TensorFlow's GitHub repository,
gain remote code execution, and access a GitHub personal access token. TensorFlow uses GitHub
actions for its software build and deployment pipeline, where self-hosted runners execute jobs.
software build and deployment pipeline, where self-hosted runners execute jobs.
GitHub's documentation advises using self-hosted runners only with private repositories,
as public repository forks can run dangerous code on these runners.
Praetorian identified TensorFlow workflows executed on non-ephimeral, self-hosted runners with extensive write permissions,
posing risks of persistent
access and code injection into the TensorFlow repository. After responsible disclosure in
August of 2023, the project maintainers addressed these issues by December 2023,
requiring approval for all fork pull requests and restricting GitHub token permissions to read-only for self-hosted
runner workflows.
Multiple federal agencies in Switzerland experienced distributed denial-of-service attacks, causing
temporary unavailability of their public-facing websites.
The nuisance attacks, claimed by the Russian hacktivist group NoName05716 were intended as a form of psychological warfare rather than data theft,
flooding websites with overwhelming requests.
Swiss authorities had previously warned about potential attacks,
coinciding with Ukrainian President Zelensky's visit to the World Economic Forum in Davos.
The Swiss National Cyber Security Center quickly detected and mitigated the
attacks. Cyber criminals have launched a new campaign targeting vulnerable Docker servers,
deploying two containers, an XMRigMiner and the NineHitsViewer application, as identified by
Cato Security Researchers. This marks the first known instance of malware
using the 9Hits traffic exchange viewer as a payload.
9Hits allows members to earn credits by visiting websites,
which the attackers exploit for gain.
The 9Hits app, a headless Chrome application,
is employed to visit various websites, including adult content,
without a visible user interface.
Interestingly, the attackers have disabled the app's ability to visit crypto-related sites.
This campaign is a reminder of the importance of Docker host security,
as it can significantly drain CPU resources and disrupt legitimate workloads on compromised hosts.
and disrupt legitimate workloads on compromised hosts.
Researchers at Quark's lab identified nine vulnerabilities,
collectively named PixieFail,
on the IPv6 network protocol stack of EDK2,
a part of TianoCore's UEFI open-source reference implementation.
UEFI, Unified Extensible Firmware Interface, is crucial for booting computer
hardware and interfacing with the operating system. Pixie fail vulnerabilities could lead
to remote code execution, sensitive information leakage, DDoS attacks, and network session
hijacking. Google has released an update for Chrome which includes four security fixes,
including one for a zero-day vulnerability that has reportedly already been exploited.
Please update appropriately.
Meanwhile, Google's threat analysis group has discovered that the Russian threat group Cold River,
known for targeting high-profile individuals in NGOs and NATO countries,
has expanded its tactics to include malware. Cold River previously
focused on credential phishing, but now deploys the Spica backdoor malware via seemingly benign
but encrypted PDF documents. When targets report an inability to read these documents,
they're offered a decryption utility, which is actually a malware installation.
Spica, which is written in Rust, allows various malicious activities,
including command execution and data theft.
The cybercrime group BigPansy, active since 2015,
has reportedly infected at least 172,000 smart TVs and set-top boxes,
mainly targeting Spanish and Portuguese-speaking users in Latin America.
Chinese security firm Quy An Jin identified that BigPansy built its botnet using social engineering,
distributing apps for pirated content viewing and enhanced TV experiences, along with back-doored firmware updates. These methods integrate devices into the big pansy botnet, enabling DDoS attacks.
While 172,000 infections were tracked weekly after commandeering two command and control domains,
the estimated total number of infected devices is believed to be in the millions.
Most infected devices are Android-based smart TVs or ECOS-operated
set-top boxes, predominantly located in Brazil. Big Pansy, also known as Pandora, is one of
the few modern botnets targeting smart TVs and set-top boxes for DDoS attacks, distinguishing
it from other groups like Ares, The Lemon Group, and Badbox, which focus on ad fraud.
Researchers at Proofpoint observed the return of threat actor TA-866 in a large-volume email
campaign targeting North America following a nine-month hiatus. The campaign, which began
about a week ago, involved invoice-themed emails with PDF attachments containing OneDrive URLs.
These URLs initiated a complex infection chain leading to WasabiSeed and Screenshotter malware.
The attack chain included a PDF, OneDrive URL, JavaScript file, and MSI files executing
WasabiSeed VBS scripts and screenshotter components, which
captured and sent desktop screenshots to a command-and-control server.
TA866, known for both crimeware and cyber espionage, appears to be financially motivated
in this campaign.
Proofpoint assesses that TA866 is a sophisticated and organized actor capable of large-scale attacks using custom tools.
The campaign's timing coincides with other threat actors' return after end-of-year breaks,
indicating an overall increase in threat landscape activity.
Coming up after the break, in our Threat Vector segment,
David Moulton dives into the evolving world of AI and cybersecurity with Kyle Wilhoyt, Director of Threat Research at Unit 42.
Stay with us. Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to
bypass your company's defenses
is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
David Moulton is host of the Threat Vector segment.
In today's edition, he speaks with Kyle Wilhoyt, Director of Threat Research at Unit 42,
about the evolving world of AI in cybersecurity.
Welcome to Unit 42's Threat Vector, where we share unique threat intelligence insights,
new threat actor TTPs, and real-world case studies. Unit 42 has a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to
safeguarding our digital world. I'm your host, David Moulton, Director of Thought Leadership for Unit 42.
Today I'm talking with Kyle Wilhoyt about artificial intelligence.
Kyle's the director of threat research for Uniforty2.
He's also an author and Black Hat US Review board member.
Kyle, thanks for joining me on Threat Vector today.
Can you give our audience a quick snapshot of what you do at Unit 42?
I help run research efforts into cybercrime, cybercrime-related elements,
as well as nation-state espionage groups performing targeted attacks.
And briefly, where does your role intersect with AI?
Yeah, so quite a bit.
You know, artificial intelligence has been used or generative AI has been used for
quite some time at this point. But within Unit 42 specifically, my focal point is specifically
looking into the threat landscape and trying to understand how generative AI is being leveraged
by criminals, by threat actors, etc. Kyle, how has the role of artificial intelligence evolved
in recent years in the context of cyber attacks?
And what are the key ways attackers are utilizing AI to their advantage?
So from that perspective, first, I want to kind of start out by saying I haven't really and we haven't really seen a dramatic shift in the threat landscape due to quote unquote generative AI.
There's a lot of fear, uncertainty and doubt circulating kind of about the threat of AI. There's a lot of fear, uncertainty, and doubt circulating kind of about the threat of AI.
And we're just not seeing the needle shift significantly in terms of the threat landscape
due to this technology. We're not seeing jailbroken LLMs as an example being used for
the wholesale creation of malware, just as a simple example. In terms of impact, however,
we are observing some restricted effects, particularly the domain of jailbroken LLMs.
observing some restricted effects, particularly the domain of jailbroken LLMs. So LLMs recently have gotten a lot of attention,
specifically WormGPT, FraudGPT, EvilGPT, and several others.
And all of these fall into a category of language models crafted to enhance
basically an attacker's arsenal, basically trying to simplify the attacks that they're conducting.
Through our testing, however, we've identified marginal
scenarios where these tools might
actually prove to be advantageous but their functionality remains largely controlled or
gatekept so for instance direct generation of malicious code is off the table but these llms
can likely produce generic or rudimentary code for straightforward tasks such as utilizing smb
to transfer files between hosts but But ultimately, from our perspective,
these jailbroken LLMs really aren't pushing that needle like I mentioned before.
We're just not seeing them really impact the threat landscape in its entirety
just based on their limited functionality.
Most people have heard of Worm GPT, Fraud GPT.
What are these and what threats do they pose?
So kind of what I mentioned before, these are examples of what we call jailbroken models.
In the context of LLMs, jailbreaking refers to engineering of prompts to exploit model biases
and ultimately generate outputs that may align with kind of what their intended purpose was.
One popular jailbreak that we're examining that we've researched over time here within Unit 42
is something called Do Anything Now or Dan, which is a fictional AI chatbot.
And many of these jailbroken models that we witnessed being leveraged by criminals, etc.,
is really just using a modified version of the Do Anything kind of chatbot. But DAN uses a method
ultimately to jailbreak LLMs to convince the LLM that it's basically using an alter ego,
forcing it to give back some
limited and or in some cases, sensitive information. From our perspective, we've analyzed over 11
different jailbroken models. And out of those, it seems like almost all of them are leveraging to
some degree, this type of mechanism to actually jailbreak that model using a format of Dan or a
similarity or something similar to Dan to actually jailbreak that. using a format of DAN or a similarity or something similar to DAN to actually jailbreak that.
So a single jailbreak prompt may not work for OIA models.
That's kind of important to mention.
So from our perspective, we're seeing a lot of jailbreak enthusiasts
constantly experimenting with new prompts to ultimately try to push the limits
of these models to see if they can bypass.
So yeah, from my perspective, and as I mentioned before,
our analysis of these models are really only incrementally supporting a Threat Anchors
toolbox and really only benefits from rudimentary code generation and realistically more accurate
social engineering, text generation, those types of things. Kyle, thanks for sharing with us your insights into the impact that AI is having on the threat landscape.
In spite of a lot of hype about how attackers are supposedly using AI, it's intriguing that the impact so far remains somewhat limited.
the impact so far remains somewhat limited. And I think that your predictions that AI will be used to automate and streamline attacks, making them more efficient and harder to detect rings true.
If you'd like to hear the rest of our conversation, subscribe to the Threat Vector podcast.
We'll be back on the Cyber Wire daily in two weeks. In the meantime, stay secure, stay vigilant.
Goodbye for now.
secure, stay vigilant. Goodbye for now. That's David Moulton and Kyle Wilhoit from Palo Alto Network's Unit 42. Don't forget to check out the Threat Vector podcast right here on the
Cyber Wire Network and wherever you get your podcasts. Thank you. partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly
and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your
company safe and compliant.
And finally, you know that feeling when you're pretty confident that something is bad,
but having the data laid bare in front of you just drives it home?
This is one of those stories.
A study from Consumer Reports, utilizing data shared by 709 volunteers,
revealed extensive online surveillance by Facebook.
Sure, tell us something we didn't already know.
The volunteers' data, gathered from their Facebook archives
showed that over 186,000 companies sent information about them to Facebook.
On average, each participant's data was shared by 2,230 companies,
with some reaching over 7,000.
The study highlights server-to-server tracking,
where personal data is transferred directly from a company's servers to Meta's servers,
a method often hidden from users.
Meta defends its practices, offering transparency tools to users.
However, consumer reports found issues with these tools, such as unclear data provider identities and companies ignoring
opt-out requests. The data tracks user interactions outside Meta's platforms,
including website visits, physical store visits, and purchases. Meta's tracking pixel and server-to-server
tracking capture these interactions, but again, users cannot monitor server-to-server traffic.
actions, but again, users cannot monitor server-to-server traffic. Consumer Reports suggests policy changes including data minimization, expanding authorized agents' powers, increasing
ad transparency, and improving data readability in Meta's tools. The burden, however, remains on
users to protect their privacy, underscoring the need for a national digital privacy law.
For now, consumers have limited options.
Meta spokesperson Emil Vazquez reiterated the company's commitment
to investing in data minimization technologies.
I don't know.
How many times have we heard, your privacy is important to us?
privacy is important to us. And that's the Cyber Wire. For links to all of today's stories,
check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public
and private sector, as well as the critical security teams supporting the Fortune 500
and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic
Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music by Elliot Peltzman.
Our executive producers are Jennifer Iben and Brandon Karp.
Our executive editor is Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow. Thank you. solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI
and data products platform comes in. With Domo, you can channel AI and data into innovative uses
that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to Thank you.