CyberWire Daily - A major supply chain attack is underway. Ms Connor, call your office. Combosquatting. False positives fixed. Tanks don't work, so Russia tries more cyber. And, sadly, some official hostage-taking.
Episode Date: March 30, 2023

The 3CXDesktopApp is under exploitation in a supply chain campaign. An open letter asks for a pause in advanced AI development. All your grammar and usage are belong us. Combosquatting might fool even... the wary. Defender had flagged Zoom and other safe sites as dangerous. Recognizing the importance of OSINT. Matt O'Neill from US Secret Service discussing his agency's cybersecurity mission. Our guest is Ping Li from Signifyd with a look at online fraud. And the FSB arrests a US journalist.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/61

Selected reading.
3CX DesktopApp Security Alert (3CX)
Supply Chain Attack Against 3CXDesktopApp (CISA)
Pause Giant AI Experiments: An Open Letter (Future of Life Institute)
In Sudden Alarm, Tech Doyens Call for a Pause on ChatGPT (WIRED)
AI chatbots making it harder to spot phishing emails, say experts (the Guardian)
The Most Common Combosquatting Keyword Is "Support" (Akamai)
False positives in Microsoft Defender. (CyberWire)
Exploitation is a Dish Best Served Cold: Winter Vivern Uses Known Zimbra Vulnerability to Target Webmail Portals of NATO-Aligned Governments in Europe (Proofpoint)
ESET Research Podcast: A year of fighting rockets, soldiers, and wipers in Ukraine (WeLiveSecurity)
Russia Ramping Up Cyberattacks Against Ukraine (VOA)
A new age of spying gives Kyiv the upper hand (The Telegraph)
Russia arrests Wall Street Journal reporter on spying charge (AP NEWS)
Russia detains a Wall Street Journal reporter, accusing him of espionage. (New York Times)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The 3CX desktop app is under exploitation in a supply chain campaign.
An open letter asks for a pause in advanced AI development.
All your grammar and usage are belong us.
Combosquatting might fool even the wary.
Defender had flagged Zoom and other safe sites as dangerous.
Matt O'Neill from the U.S. Secret Service discusses his agency's cybersecurity mission.
Our guest is Ping Li from Signifyd with a look at online fraud.
And the FSB arrests a U.S. journalist.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, March 30th, 2023. We begin with a quick note about a fast-developing story.
Many companies' research units are reporting that a vulnerability in the widely used 3CX desktop app
is being exploited in a supply chain campaign that may prove as significant as, for example, the SolarWinds incident.
CISA, the U.S. Cybersecurity and Infrastructure Security Agency, issued a terse warning this morning, stating,
CISA is aware of open-source reports describing a supply chain attack against 3CX software and their customers.
According to the reports, 3CX desktop app, a voice and video conferencing app, was trojanized,
potentially leading to multi-staged attacks against users employing the vulnerable app.
CISA advises users to scan for indicators of compromise.
3CX early this morning issued its own warning, describing the steps it's taking to close the vulnerability and offering users mitigations.
We'll be following the situation as it develops with updates posted to our site as they become available.
Elon Musk, Steve Wozniak, and Andrew Yang are all among those who've signed an open letter
urging for a slowdown in the development of AI technology.
The letter warns of the danger that they believe advanced AI poses to humanity.
The letter begins by asserting that powerful AI systems should be developed
only once we're confident that their effects will be positive
and their risks will be manageable.
The letter calls for a pause of at least six months
on the training of AI systems more powerful than GPT-4.
The letter emphasizes that this pause should be used for development of existing AI interfaces
to make them more accurate, safe, interpretable, transparent, robust, aligned, trustworthy, and loyal.
Also considered is a need for AI developers to work with policymakers to implement regulations on AI.
Dark Reading reports that even proponents of AI development, like the chief executive of OpenAI,
shared concerns about AI's ability to both spread disinformation and launch cyberattacks.
Critics of the letter wonder if this kind of technological advance can be inhibited by
regulation or persuasion. AI now comes across as less subliterate than your average crook.
The Guardian reports on how cybercriminals can use advanced chatbots to write convincing
phishing emails. Corey Thomas, CEO of Rapid7, told the publication,
Every hacker can now use AI that deals with all misspellings and poor grammar.
The idea that you can rely on looking for bad grammar or spelling in order to spot a phishing attack is no longer the case.
We used to say that you could identify phishing attacks because the emails looked a certain way.
That no longer works.
Likewise, Max Heinemeyer,
chief product officer at Darktrace,
explained how threat actors can use AI to craft spear phishing emails,
stating,
I can just crawl your social media
and put it to GPT
and it creates a super believable tailored email.
Even if I'm not super knowledgeable
of the English language,
I can craft something that's indistinguishable from human.
Akamai today blogged about cybersquatting, domain squatting and URL misdirection,
which creates a domain name closely related to an impersonated brand's or organization's domain.
One of the more effective forms of cybersquatting has come to be combosquatting,
which adds a plausible keyword to a domain name.
So if you are impersonating the fictitious Max Ordinate company,
you might change their authentic domain of maxordinate.com to something like maxordinatecustomer.com.
A careless recipient of the link, even if they've been trained to look at the domains,
might well decide it looked legit and click through.
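The pattern just described can be checked mechanically on the defender's side, for example over a domain feed or the links in inbound mail. The following is an added example written for this page, not Akamai's code or tooling: it keeps a constructed list of protected brands (the podcast's fictitious Max Ordinate company), and for each host it sees it separates the legitimate domain from a host whose registrable label contains the brand name with something bolted on (combosquatting), a host within a small edit distance of the brand (typosquatting, which the report contrasts with combosquatting), and the same label on a different TLD. The keyword list beyond "support", the sample hosts and the single-label public-suffix assumption are all constructed for the example.

```python
"""Heuristic classifier for look-alike domains: combosquatting vs typosquatting.

Added example for this page; not Akamai's code. Brand list, keyword list and
sample hosts are constructed for illustration.
"""
from typing import Optional

# Constructed: the podcast's fictitious "Max Ordinate" company and its real domain.
PROTECTED_BRANDS = {"maxordinate": "maxordinate.com"}

# "support" is the keyword Akamai reports as most common; the others are assumed
# examples of the plausible words a combosquatter appends to a brand name.
COMBO_KEYWORDS = ("support", "customer", "login", "secure", "account", "help", "verify")


def registrable_label(host: str) -> str:
    """Second-level label of a host, e.g. 'maxordinatecustomer' for
    'www.maxordinatecustomer.com'. Assumes a one-label public suffix; a real
    deployment would consult the Public Suffix List instead."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used for the typosquatting check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host: str) -> Optional[dict]:
    """Return a verdict dict for a host that resembles a protected brand, else None."""
    host = host.lower().strip(".")
    label = registrable_label(host)
    for brand, legit in PROTECTED_BRANDS.items():
        # The real domain itself, or a subdomain of it, is legitimate.
        if host == legit or host.endswith("." + legit):
            return {"verdict": "legitimate", "brand": brand}
        if label == brand:
            # Same brand label registered under another TLD.
            return {"verdict": "tld_variant", "brand": brand}
        if brand in label:
            # Brand name intact with extra text attached: combosquatting.
            extra = label.replace(brand, "", 1).strip("-_")
            return {
                "verdict": "combosquat",
                "brand": brand,
                "extra": extra,
                "keywords": [kw for kw in COMBO_KEYWORDS if kw in extra],
            }
        distance = edit_distance(label, brand)
        if 0 < distance <= 2:
            # Brand name slightly misspelled: typosquatting.
            return {"verdict": "typosquat", "brand": brand, "distance": distance}
    return None


if __name__ == "__main__":
    # Constructed sample hosts; only the first is the genuine domain.
    for sample in ("www.maxordinate.com", "maxordinatecustomer.com",
                   "maxordinate-support.net", "maxordinte.com",
                   "maxordinate.org", "example.org"):
        print(f"{sample:28} -> {classify_domain(sample)}")
```

The verdicts are deliberately coarse: a "combosquat" hit with a recognised keyword such as support or login is a strong signal for blocking or alerting, while a bare edit-distance hit deserves a second look because short brand names collide with unrelated words.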
Combosquatting was, in 2022, the most observed cybersquatting tactic,
with combosquatting also generating the most DNS queries.
While typosquatting remains in the limelight,
researchers note that combosquatting appears to be the more effective and prevalent threat.
Support was found to be the most common keyword added to combosquatting domains.
Microsoft tweeted yesterday that Microsoft
Defender was erroneously flagging some URLs as malicious. The Register reports that some major services,
such as Zoom and Google, were triggering false positives in Defender. Users were still able to
access the sites, but the Register says that hundreds of false alerts were extremely time
consuming for administrators. Microsoft fixed the problem yesterday afternoon after finding
that the issues were caused by changes to Defender's SafeLinks feature.
Microsoft stated,
We determined that recent additions to the SafeLinks feature resulted in the false alerts, and we subsequently reverted these additions to fix the issue.
Turning to shifts and trends in the hybrid war Russia is waging against Ukraine,
The Voice of America reviews more comments from Ukrainian officials and experts in allied countries to the effect that Russian cyber operations seem to be rising as Russian offenses fall short.
Russia is preparing for a long war.
Its intelligence services are working to establish persistence in adversary networks,
its hacktivist and criminal auxiliaries are taking the fight to Ukraine's Western sympathizers,
and its attempts to influence opinion continue unabated, both domestically and internationally.
Prominent among the currently active Russian threat groups is the APT variously known as TA473, Winter Vivern, and UAC-0114.
Proofpoint this morning released a report on the actor's recent efforts.
They're for the most part running phishing expeditions, Proofpoint says.
The company's assessment is that the goal of this activity is gaining access to the emails of military, government, and diplomatic organizations across Europe involved in the Russia-Ukraine war.
TA473 is notable for the amount of time and care it expends on reconnaissance of its targets,
and we'll be hearing more about them in the coming weeks.
Tom Tugendhat, the UK's Minister of State for Security, has published an op-ed in
The Telegraph in which he extols the value of open-source intelligence and describes steps
the government is taking toward institutionalizing OSINT collection and analysis. The center of that
push will be the establishment of an open-source intelligence hub.
And finally, in some disturbing news,
Russia's FSB has arrested U.S. journalist Evan Gershkovich,
a reporter for The Wall Street Journal who works from the paper's Moscow bureau, the AP reports.
He was taken into custody in Yekaterinburg, in the course of trying to obtain classified documents, the FSB claims.
The Wall Street Journal said of the arrest, The Wall Street Journal vehemently denies the allegations from the FSB and seeks the immediate release of our trusted and dedicated reporter, Evan Gershkovich. We stand in solidarity with Evan and his family.
It's hard to see the arrest as anything other than hostage-taking.
We second the Journal's wishes for Evan Gershkovich's quick and safe return
and wish his family the best during this difficult time.
Coming up after the break, Matt O'Neill from the U.S. Secret Service discusses his agency's cybersecurity mission.
Our guest is Ping Li from Signifyd with a look at online fraud.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like
Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber
for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Online fraud continues to run rampant,
an ongoing cat-and-mouse game between those looking to make a quick dishonest buck
and those trying to protect their business and customers.
Ping Li is VP of Risk Intelligence at Signifyd,
where they recently shared results of their State of Fraud report.
So there's, I would say, three highlights.
The first one is we have observed
accelerated fraud attacks
and we definitely observed
an increase in scale across the board,
particularly in 2022 holiday season.
I have been in the fraud industry for almost 20 years, and I'd say I have not seen this
type of scale in my career.
And even in the last two months, I mean, not January, February, I still see the pressure,
the fraud pressure is still on.
The fraudsters are still testing and attacking.
And then that's the first one.
The second one is we also see the rise of first-party fraud.
Sometimes we also, people call it friendly fraud, which is not that friendly.
We have definitely seen an increase of first-party fraud. The customers who are the first party to, say, do return refund abuse,
just lie about the items that they have received,
but saying they have been lost.
So chargeback abuse that we have seen,
as well as promo abuse.
So that's the second trend.
And the third trend that I think as a risk industry,
we have seen the risk professionals
not just say, let's stop the fraud, but lots of effort has been put into how do we optimize the business?
How do we help to reduce the frictions of the customers?
And we're innovating.
And I've seen a lot of new innovations across the industry.
Well, where do we stand today when it comes to the technology that's available for organizations to try to fight these fraud trends?
I'd say majority of the focus is on AI and machine learning. You know, the fraudsters,
they're innovating.
And I think traditionally,
there are lots of rule-based
fraud detections and manual reviews.
But those are all, I'd say,
far outdated with so many data
that are available.
The machine learning models,
the AI technology,
I think that's definitely is the trends
and is where the industry
and merchants and risk professionals
are focusing on using.
Are there any particular areas
that these folks are targeting
and any verticals that they
have in their sights?
So, of course, they're targeting
any merchandise
which is
easily resellable
all the way
coming from cell phones,
laptops, electronics
to the apparels like the shoes, high-end shoes,
luxury goods. So anything that can be easily resell, those are all the targets.
So based on the information that you all have gathered here, what are your recommendations?
How should people go about best protecting themselves?
Yes, I would say just like I said earlier, invest in AI and machine learning and use the automation tools to, say, improve your efficiency, improve your performance against the fraud attacks,
and work, I would say, work with the industry, work together
to find ways that having, say, early detection, early warning product or system that can help us to do a detection of anomalies.
And so because sometimes when chargebacks comes in,
when the damage is already done, it's too late for us.
So I think the focus should be on early detection, anomaly detection, and machine learning.
Is there anything particularly new or innovative
that you all are tracking from these fraudsters?
We have seen, definitely we know that fraudsters
are constantly trying to find loopholes,
constantly trying to circumvent our detection,
our defense systems. The trends that I have been seeing that the fraudsters are doing more of are, I think, ATO.
I definitely see account takeover continue to increase.
I think the reason is that a lot of our merchants and e-commerce industry, we're trying to establish customer loyalties.
We encourage people to create accounts so they can receive discounts and promotions.
And so because of that, I think a lot of people are creating their accounts
instead of using a guest checkout.
And that gives an opportunity for fraudsters to really steal people's accounts.
So ATO is one.
And I also have seen BOPIS, which is that buy it now and pay, sorry, buy online and pick up in store.
And because the fraudster this time, they don't have to, say, provide a delivery address.
Because from Velocity perspective, it will be very suspicious, right?
The same residential houses, you buy a hundred of phones and then send it to the same place.
So I've definitely seen the shift of doing more of BOPIS.
So I would say I would just call out that too, just for our merchants to be very aware of.
That's Ping Li from Signifyd.
And it is my pleasure to welcome to the studio Matt O'Neill. He is Deputy Special Agent in Charge of Cyber at the United States Secret Service. Matt, thank you so much for joining us today.
Thank you for having me.
So I would love to start out with just a little bit
of level setting. I think for most folks, when they think of the Secret Service, the first thing
they think of is, of course, the protection of the president, the folks in the executive branch.
There's a lot more to the organization than that. And I think maybe most folks aren't familiar with what you all do in cyber.
Can you bring us up to date and educate us? What exactly is the mission?
Sure. So the Secret Service was founded in 1865 in the Department of the Treasury.
And we were founded because at that time, a significant amount of currency throughout the country at the end of the Civil War was counterfeit.
And we actually stayed in the Department of the Treasury until 2003, when they created the Department of Homeland Security.
It wasn't until 1901, after the assassination of three presidents, that we picked up what we're more widely known for,
one of our responsibilities, physical protection of the president.
Ever since 1865, we've had our hand in protecting the financial infrastructure of the country.
So as fraud trends and attacks on the financial infrastructure have evolved, so has our agency and organization.
So we focus specifically on financially motivated fraud, in this realm, financially motivated cybercrime.
And so ever since, you know, the late 1980s, as all frauds have become more and more digital
and electronic, so have our investigations. So is there a lot of collaboration that goes on
with your colleagues at the FBI and other agencies who are involved with this sort of thing?
Yes. So one of the key pieces of information that we like to let people know is for the general
public, it doesn't matter to us who you contact, FBI, HSI, IRS-CI, depending on what the
investigation is, or the U.S. Secret Service. We are charged to work collaboratively together
through groups like the NCIJTF and also through our personal
relationships, both in field offices and in headquarters. But we all have sort of concurrent
oversight over any host of fraud types. Explain to me how the organization is set up. You mentioned
field offices. Should that be the primary contact for folks out there who want to
kind of pre-establish their relationship with you all? Yes, we have 43 cyber fraud task forces
around the United States. Each major city probably has a cyber fraud task force near you. I highly
encourage people to reach out to their office and say they want to join their cyber fraud task
force. And then in our headquarters, we have several cyber components.
The first is our cyber intelligence section,
which has been around for about 20 years
and focuses on the most sophisticated,
financially motivated hackers and cyber threat actors.
We also have our global investigative operations center,
which we started about five or six years ago, where we provide investigative, analytical, and logistical support to our field offices.
It's sort of our centralized fusion center, if you will.
And then we also work a lot through the NCFI, which is the National Computer Forensic Institute in Hoover, Alabama.
It's really important for us as an organization to work as closely as we can with state and local partners. So we train
thousands of state and local police officers on everything cyber that you can think of from
dead box forensics, mobile devices, cryptocurrency. And many of those state and locals are part of our
cyber fraud task forces.
So they're a huge force multiplier for us,
recognizing there's no one agency or organization that can tackle cyber by itself.
What are the primary things that have your attention these days?
What sort of things are you focused on?
So we're focused on, through both the cyber fraud task forces and our
GIOC on cryptocurrency investment schemes or confidence schemes. You might see in the news,
people call it pig butchering, not a fan of that term. So I like to just call it crypto confidence
schemes. It's a massive problem. Business email compromise continues to lead every year in the
IC3 reporting, which is
something that we take a look at along with our own metrics to make sure that we're working
the most significant community impact cases. And then the other sort of underreported crime that
we're focused on right now is sextortion. Sextortion is something that isn't just targeting juveniles. We've worked many
investigations supporting victims of grown adults that are executives at major corporations. And
it's a very underreported crime, but it's very personal to us. So we spend a lot of energy on
trying to disrupt and dismantle as many sextortion-related rings as we can.
Is it fair to say that you encourage folks to reach out and, as I said, establish that relationship before they need you to get those lines of communication open?
Without a doubt.
One of the pieces of advice we always give to organizations is establish your contacts with federal law
enforcement before the bad thing happens. And that could be join your cyber fraud task force.
That could be call up your local office and just ask to speak to an investigator
or a special agent. Or we have analysts in all of our field offices as well. Quite honestly,
as I said earlier, we don't care if that contact that you make is with the FBI or us or HSI. It's just critically important that you have those relationships built
in. Go to lunch with that person, get their phone number. Things always happen late at night on a
weekend. So it's not going to be something that, especially when it comes to financial fraud like
business email compromise, where you only have 24 to 36 hours in order to try to recover funds, it's really, really important that those
relationships are established long before the bad day happens. All right. Well, Matt O'Neill is
Deputy Special Agent in Charge for Cyber with the United States Secret Service. Matt, thanks so much
for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
This episode was produced by Liz Urban and senior producer Jennifer Iben.
Our mixer is Trey Hester
with original music by Elliot Peltzman.
The show was written by John Petrick.
Our executive editor is Peter Kilby
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.

Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.