CyberWire Daily - A Joint Advisory on LockBit. AI chatbots: the grammarians of tomorrow. KillNet makes a deal with the Devil (Sec). The private-sector’s piece in the hybrid war puzzle.
Episode Date: June 14, 2023

The Five Eyes, alongside a couple of allies, issue a LockBit advisory. AI aids in proofreading phishing attacks. Anonymous Sudan mounts nuisance-level DDoS attacks against US companies. France alleges a disinformation campaign conducted by Russian actors. KillNet says it's partnered with the less-well-known DevilSec. The private cybersecurity industry's effect on the war in Ukraine. Carole Theriault ponders oversharing on social media. Our guest is Duncan Jones from Quantinuum on the threats of Harvest Now, Decrypt Later tactics. And a note on this month's Patch Tuesday.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/114

Selected reading.
Understanding Ransomware Threat Actors: LockBit (Joint Cybersecurity Advisory)
U.S. Measures in Response to the Crisis in Sudan (US Department of State)
Generative AI Enables Threat Actors to Create More (and More Sophisticated) Email Attacks (Abnormal Security)
France Accuses Russia of Online Disinformation Campaign (Bloomberg)
The Private Sector's Evolving Role in Conflict—From Cyber Assistance to Intelligence (R Street)
Microsoft Patches Critical Windows Vulns, Warns of Code Execution Risks (SecurityWeek)
Patch Tuesday: Critical Flaws in Adobe Commerce Software (SecurityWeek)
Patch Tuesday fixes 4 critical RCE bugs, and a bunch of Office holes (Naked Security)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me. Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The Five Eyes, alongside a couple of allies, issue a LockBit advisory. AI aids in proofreading phishing attacks. Anonymous Sudan mounts nuisance-level DDoS attacks against U.S. companies. France alleges a disinformation campaign conducted by Russian actors. KillNet says it's partnered with the less well-known DevilSec. The private cybersecurity industry's effect on the war in Ukraine. Carole Theriault ponders oversharing on social media. Our guest is Duncan Jones from Quantinuum on the threats of Harvest Now, Decrypt Later tactics. And a note on this month's Patch Tuesday.
I'm Dave Bittner with your CyberWire [...]

[...] participating agencies in Australia, Canada, France, Germany, New Zealand, the United Kingdom, and the United States. The document warns of the group's prominence as the most active ransomware group and ransomware-as-a-service provider of 2022. The advisory gives detailed and actionable information on how organizations can defend themselves against LockBit ransomware operators. Check out the advisory and see how you can apply it.
Abnormal Security warns that attackers continue to abuse generative AI platforms like ChatGPT to craft convincing phishing emails. Abnormal has observed numerous types of phishing attacks that use grammatically correct AI-generated templates. The researchers observed a targeted BEC attack that was assisted by AI to impersonate vendors, which are said to be among the most successful personas for attackers. After all, conversations about invoices and payments are commonplace between vendor and customer, and they're accustomed to seeing money change hands.
Anonymous Sudan is continuing its DDoS attacks on U.S. companies with a new campaign against shipper UPS. Their attack seems to have started around 6 p.m. Eastern Time on June 12th and continued for about two hours. Today, Anonymous Sudan attacked LinkedIn. As of right now, the hacktivists have paused their attack, claiming they're satisfied with its results. The DDoS efforts are said to be intended to dissuade the U.S. government from intervening in any way in the current Sudan crisis, and they follow U.S. Secretary of State Antony Blinken's announcement that the U.S. would be imposing visa restrictions and economic sanctions on Sudan.

French authorities report that Russian actors attempted to plant and amplify disinformation using, in part, spoofed pages misrepresenting themselves as major news outlets. Bloomberg reports that France's Ministry of Foreign Affairs uncovered a coordinated campaign using fake pages impersonating media outlets like Le Monde, 20 Minutes, and Le Parisien, among others. Foreign Minister Catherine Colonna condemned the actions in a statement, saying that they are unworthy of a permanent member of the United Nations Security Council. She continues, saying that no attempt at manipulation will distract France from its support for Ukraine in the face of Russia's war of aggression.
Turning to a familiar hacktivist auxiliary acting in the cause of Russia, we've been reading KillNet's Telegram feed. KillNet's spokesperson KillMilk announced today that after the group's most recent operational pause, it will begin cyber actions against Ukraine and NATO. KillNet brings with it a new partnership with DevilSec, supposedly a Turkey-based ransomware group, which seems to focus on targeting NATO countries, Israel, and Ukraine. DevilSec's Telegram page was created in June 2022, but began hosting stories of DevilSec's cyber activities only recently, on May 26th of 2023. DevilSec claims to have hacked the Bank of America, offering website data for the low, low price of $5,000. The group also claims to have stolen 1.5 million Kuwaiti citizenship documents on June 5th. DevilSec advertises its tools for sale, as well as free downloads of various tools to utilize exploits. [...] The vulnerability is described as a DOM-based reflected cross-site scripting vulnerability in Elementor's website builder plugin. This partnership with DevilSec, should it be real, appears to represent a change of pace for KillNet, which had previously focused on DDoS campaigns. In the moderately unlikely event that DevilSec lives up to its own hype, the two cooperating groups could become more than just a nuisance if their partnership is real and lasts long enough to actually be productive.

The war in Ukraine has people recognizing the actions of Western countries as sending ammunition and machines of war, but what many don't realize is that private industry has been just as instrumental to the defense of Ukraine as governmental arms support. Yesterday, the R Street Institute held a conference to discuss the impact of private cybersecurity firms on the war in Ukraine.
And finally, a quick note about Patch Tuesday, which this month fell yesterday. Microsoft and Adobe have both issued patches for critical vulnerabilities. Microsoft patched six critical flaws, none of which appear to have been exploited in the wild, SecurityWeek reports. Four of these bugs could lead to remote code execution, says Naked Security. Adobe has patched 12 vulnerabilities in Adobe Commerce that could lead to arbitrary code execution, security feature bypass, and arbitrary file system read. Magento Open Source is also affected by these flaws. As usual, apply the updates per vendor instructions.

Coming up after the break, Carole Theriault ponders oversharing on social media. Our guest is Duncan Jones from Quantinuum on the threats of Harvest Now, Decrypt Later tactics. Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised
at home, your company is at risk. In fact, over one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Quantum computers are growing more capable and practical, and with that comes growing concern that what is safely encrypted today could be easily cracked tomorrow, a tactic sometimes referred to as harvest now, decrypt later. For a reality check on this, I spoke with Duncan Jones, head of quantum cybersecurity at Quantinuum.
We recognize that in the not too distant future, perhaps about 10 years from now, we could be in a position where quantum computers are able to break some of the encryption systems that we use today, things like RSA, for example. Now, the instinctive thought to have about that is, you know, I should get myself ready so that in 10 years' time I'm safe. But what people have begun to realize is that these attacks can occur retrospectively. And by that I mean something as simple as this conversation now is being protected by algorithms that will be vulnerable to attack by a quantum computer. And nothing stops an attacker from recording this conversation that we're having. It will be an encrypted conversation. So today they can't break into it and understand what we were talking about. But in 10 years' time, they would be able to do that potentially on a quantum computer. And so this is the idea of hacking now, as in getting access today to something that is encrypted with a vulnerable algorithm, and then decrypting it in the future on a quantum computer.

And so it kind of addresses that notion that if I encrypt everything at rest, if the bad guys get a hold of my data, it doesn't matter because it's encrypted. Well, it may not be a forward-looking thought.

Yeah, it violates the idea that simply by encrypting things, you're definitely safe.
Now, there is some nuance here because a lot of times when people think about encryption,
they think about what's living on their hard disk being encrypted,
and if somebody stole the hard disk, their data is safe.
And actually, in that setting, your data probably is safe against a quantum computer
because we use different types of encryption for different use cases.
So what is typically called data at rest encryption,
which would be like the hard disk example,
that tends to use algorithms that are safe against quantum computers,
things like AES,
for which quantum computers will only gain a marginal advantage
versus typical computers.
It's more the data-in-transit use cases that are vulnerable.
So this is when you share something with somebody else around the world.
It doesn't just have to be a conversation like this.
It could be a transmission of data from an in-country agent
back to the intelligence community in their homeland, for example.
So there's some really important sensitive stuff
that moves around the world,
and it's that data that is at risk.
But I agree that most people still think that is perfectly safe today, but maybe that's not a correct viewpoint to have.

Well, when I've heard folks talk about this, it primarily is about espionage, as you say, state secrets and that sort of thing. An adversary will gather up data with the hope that someday in the future, they'll be able to decrypt it. Should folks be concerned about this, or to what degree should folks be concerned about this from a pure business point of view?
I think we should be realistic and recognize that
to conduct an attack like this requires significant planning and resources,
and it's not practical for somebody to record the entire encrypted internet emissions
from the United States with a view to decrypting it all later.
So there is clearly going to be some degree of targeting to these attacks.
I do think espionage-type use cases are particularly at risk. But equally, many large organizations share sensitive
information that will still have value in 10 plus years. And so I wouldn't rest easy if I was
in the security team of a major organization. I think those teams should consider themselves potentially at risk as well for
IP theft or for the same motivations that might lead somebody to try to deploy ransomware,
for example, might encourage a more patient attacker to adopt this sort of approach as well.
So I would say governments, intelligence communities, and large organizations should
all be thinking about this.
The typical person on the street or smaller businesses probably don't need to worry about it.
What are your recommendations then for organizations to approach this?
How do they dial in an appropriate amount of concern?
Well, I think this first step many organizations haven't yet taken but do need to take is to assess their risk versus this
threat. It doesn't require wholesale panic, but people do need to pause and reflect on,
do we have data that falls into that category, stuff that is really existential for our business
and would be damaging or super valuable to somebody else if it was uncovered in 10 to 15 years' time.
So that's step one, is just even to consider,
am I in scope for this?
Assuming that you decide that you are,
then there's really now an urgency coming to needing to act.
One of the things that's holding people up at the moment
is that the newer quantum-resistant algorithms that are being standardized right now are not yet standardized.
So I was at RSA last week and listening to a chap from NIST who was confirming their plans to release draft standards this summer and final standards early next year. So it's very close,
but we're not there yet. So I would say that anybody who is nervous that they fall into scope
for this sort of attack, they need to be paying very close attention to the standardization process
and they should probably start experimenting. So if they build their systems themselves,
they need to start experimenting with these algorithms,
trying to build them in, getting ready for that sort of change, because they need to change very soon.
And if they buy in their systems and they rely on things from third parties, they should now, today, be knocking on the door of those vendors and asking them, what is their plan for moving to quantum-safe algorithms, what is the timeline, and really impressing upon them the urgency that they feel to start protecting their data with quantum-safe algorithms.
That's Duncan Jones from Quantinuum.

Be honest. Do you tend to overshare on social media? Lots of us do. Our UK correspondent, Carole Theriault, looks into this reality. She files this report.
So there I was perusing cybercrime news when I came across some research
from the University of East Anglia in the UK about why we internet users are so flipping vulnerable
to cybercrime. Now according to this recent study, people tend to disclose more personal information online when asked the same question multiple times.
And the worry is that that leaves us more vulnerable to identity theft and cybercrime.
Now, according to Dr. Piers Fleming, he's the lead researcher at the University of East Anglia School of Psychology,
we're continuously being bombarded with requests for our personal
details. And it's true. Think about it. Comparison sites, travel bookings, insurance, mortgage,
loan applications, subscription requests, dating sites, quizzes, customer surveys. It's endless.
One, it's big money when it comes to advertisers and business partners.
Two, it helps reduce fraud and increase organizational efficiency.
And three, it can unearth trends that can significantly impact a company's bottom line.
And let's be frank, if we are willing to share our personal information for free, why wouldn't these companies capitalize on it? The motivation behind this research from the University of East Anglia was to better understand the reasons why people share a
significant amount of personal information, especially on social media platforms, without
taking adequate measures to protect their account from unauthorized access. And it seems that
according to the university's initial findings,
the repeated requests for personal information from advertisers and marketers
and social media experts are designed to increase our compliance.
So my takeaway here is, well, nothing new really,
but it's a fresh way to look at an old problem.
Don't overshare online, even if you feel
blasé after every darn site online is pounding you with questions. Just think twice and make sure
the information you want to share is being shared with the people you want to have it.
This was Carole Theriault for the CyberWire.

[...] than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights
that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence
routine of many of the most influential leaders and operators in the public and private sector,
as well as the critical security team supporting the Fortune 500 and many of the world's preeminent
intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the
value of your biggest investment, your people. We make you smarter about your team while making
your team smarter. Learn more at n2k.com. This episode was produced by Liz Ervin and
senior producer Jennifer Iben. Our mixer is Trey Hester with original music by Elliot Peltzman.
The show was written by Rachel Gelfand. Our executive editor is Peter Kilby, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you.

[...] and data products platform comes in. With Domo, you can channel AI and data
into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare,
and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps
tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.