CyberWire Daily - A malign AI tool: FraudGPT. Stealer logs in the C2C market. Signs in the blockchain that some Conti alumni are working with the Akira gang. And a kinetic strike against a cyber target.
Episode Date: July 26, 2023
FraudGPT is a chatbot with malign intent. Stealer logs in the C2C market. Signs in the blockchain that some Conti alumni are working with the Akira gang. Tim Starks from Washington Post's Cybersecurity 202 on the White House's new National Cyber Director nominee. Maria Varmazis speaks with David Luber, Deputy Director of NSA's Cybersecurity Directorate, on space systems as critical infrastructure. And a kinetic strike against a cyber target: Ukrainian drones may have hit Fancy Bear's Moscow digs.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/141
Selected reading.
FraudGPT: The Villain Avatar of ChatGPT (Netenrich)
Stealer Logs & Corporate Access (Flare)
Over 400,000 corporate credentials stolen by info-stealing malware (BleepingComputer)
The Alarming Rise of Infostealers: How to Detect this Silent Threat (The Hacker News)
Conti and Akira: Chained Together (Arctic Wolf)
Ukraine-Russia war: Ukraine vows further drone strikes on Moscow and Crimea (The Telegraph)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
FraudGPT is a chatbot with malign intent.
Stealer logs in the C2C market.
Signs in the blockchain that some Conti alumni are working with the Akira gang.
Tim Starks from the Washington Post Cybersecurity 202 on the White House's new National Cyber Director nominee.
Maria Varmazis speaks with David Luber, Deputy Director of NSA's Cybersecurity Directorate, on space systems as critical infrastructure,
and a kinetic strike against a cyber target.
Ukrainian drones may have hit Fancy Bear's Moscow digs.
I'm Dave Bittner with your CyberWire Intel briefing for Wednesday, July 26th, 2023. Another malicious generative AI tool is being sold on the dark web,
according to researchers at Netenrich.
The bot, called FraudGPT, is designed to write malicious code,
craft phishing pages, write scam emails, and more.
The tool launched on July 23rd and is being offered for $200 per month or $1,700 per year.
The researchers note, while organizations can create ChatGPT and other tools with ethical safeguards,
it isn't a difficult feat to reimplement the same technology without those safeguards.
A similar tool called WormGPT launched earlier this month.
WormGPT also advertised itself as an ethics-free version of ChatGPT.
An InfoStealer log is simply the full list of credentials harvested from an infected machine,
whether obtained by phishing or some other vector.
In its research report, Stealer Logs and Corporate Access, security firm Flare explains that InfoStealer malware and its surrounding criminal-to-criminal economy
has developed into a complex ecosystem that's growing at an exponential rate. Flare writes,
The explosive growth rate of InfoStealer malware represents an ongoing and significant threat to
all organizations. Employees regularly save
credentials on personal devices or access personal resources on organizational devices,
increasing the risk of infection. The report explains driving factors in the info stealer
market by examining over 19.6 million stealer logs. These logs are regularly sold on the dark web after an infection.
By examining the logs, Flare was able to determine that 46.9% or more than 8 million
had access to Gmail credentials, while just over 1.9% had access to business application credentials
like AWS, Salesforce, and GCP. Logs which contained credentials to
financial institutions were sold for almost 7.5 times as much as those with access to consumer
applications. Most stealer logs are distributed on Telegram via private or public channels,
but Russian Market, a dark web marketplace, is also a popular site to purchase them.
Genesis Market had been a popular clear web online log store until its recent takedown by law enforcement.
It now operates exclusively and at a reduced rate on the dark web.
Flare goes on to outline three tiers of InfoStealer logs for sale.
Tier 1 contains high-value corporate credentials.
Tier 2 holds banking and financial service credentials.
And Tier 3, finally, consists of more run-of-the-mill consumer application credentials.
Credentials seem to be gathered all too often from accounts whose users cross their personal
devices with work devices and save their credentials to their browser for
ease of access. While saving credentials may be easier in the long run, the user is essentially
putting all their access eggs in one basket, allowing crooks who can pick up that basket to
walk away with some pretty valuable items. Researchers at Arctic Wolf Labs, through
blockchain analysis, assess that actors from the recently splintered ransomware group Conti are likely either working with the Akira gang now or were working with Akira and another group at some time. Arctic Wolf Labs has observed cryptocurrency address reuse between threat groups,
indicating the individual controlling the address or wallet has either splintered off from the original group or is working with another group at the same time.
Akira's code shares many similarities with Conti's,
but the presence of what is, after all, widely accessible leaked code isn't conclusive evidence of collaboration.
However, the reuse of known blockchain addresses can indicate that at least one former member of Conti has joined Akira.
Arctic Wolf says, in at least three separate transactions, Akira threat actors sent the
full amount of their ransom payment to Conti-affiliated addresses. The three transactions
totaled over 600,000 U.S. dollars. The researchers note that
Akira is probably an opportunistic organization and has taken advantage of mostly small or medium
sized businesses who are not employing multi-factor authentication. According to Akira's leak site,
the group has compromised at least 63 organizations since their inception,
with approximately 80% of their
victims being small to medium-sized businesses. Notably, some of the victims have been removed
from the leak site. And finally, according to The Telegraph, Ukrainian drones that hit Moscow on
Monday, which Moscow said did little damage, appear to have struck an office building that houses the GRU's Unit 26165,
an organization responsible for Russian offensive cyber operations.
The unit's activities are best known under their Fancy Bear nickname.
Ukrainian officials said more attacks against Russia could be expected
and derided Russia's ability to defend its own airspace.
Ukraine's Deputy Prime Minister Mikhail Fedorov said,
Today, at night, drones attacked the capital of the Orcs and Crimea.
Electronic warfare and air defense are already less able to defend the skies of the occupiers.
So, whether by accident or intention, the kinetic and cyber phases of
the hybrid war seem to have converged this week at a Moscow office high-rise.
Coming up after the break, Tim Starks from The Washington Post's Cybersecurity 202 on the White House's new National Cyber Director nominee.
Maria Varmazis speaks with David Luber, Deputy Director of NSA's Cybersecurity Directorate, on space systems as critical infrastructure.
Stay with us. Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their
controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30
frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to
bypass your company's
defenses is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Maria Varmazis is host of the T-Minus podcast right here on the N2K network,
and she recently spoke with Deputy Director of NSA's Cybersecurity Directorate, David Luber.
She files this report.
Thank you so much for joining me today, Dave.
I really appreciate it, and we get to talk about my favorite topic, which is space cybersecurity. So you are the perfect person to start us off with an overview of what is the state
of cybersecurity in space right now? Well, thanks. And cybersecurity in space is one of my favorite
topics as well. And I always think about cybersecurity as a team sport. And as you look
across the U.S. government and our community,
within the Department of Defense, the Space Force, CISA, NIST, and our Defense Industrial Base,
as well as the Department of Commerce, we're all working together when it comes to ensuring that
we have the right cybersecurity for our current and future space systems. And for the National Security Agency,
we focus specifically on the cybersecurity
for our national security systems.
As you might imagine, our military,
our government relies on space
and that capability needs to be secured
to ensure that we can withstand the threats
that come from multiple adversaries.
Could you help me understand maybe the different roles that the U.S. government plays in helping
secure these systems or maybe who specifically is responsible for what? Could you give me a
sense of that, please? Well, first off, as I mentioned, that team sport effort at NSA,
we're responsible for ensuring that the guidance is in place for those key national security systems, even those and in NIST to really help in the areas of commercial
use of space and the commerce of space and to ensure that those systems are also secure.
But collectively together, we work together to ensure that the guidance can be used and consumed
by both the national security systems as well as other U.S. government users and
commercial entities.
Just to give you an example, at NSA, we publish cybersecurity advisories that give insights
into a variety of different threat activities that impact all types of different national
security systems.
But in the case of others, these advisories can also be used
if you're in the commercial segment, if you're in other areas to ensure that you're securing
those systems in a way that would keep an adversary. And when I talk about adversaries,
I think about the adversaries of Russia, the PRC, Iran, North Korea, and even the non-state actors like ransomware actors
from penetrating those key systems. We've also published advisories on how to protect the link
segment, ensuring that the proper use of TRANSEC is employed, and even in some of the user segment
areas to ensure that the user segment modems have the right firmware, that they're monitored
just like any other device that would be used on a network.
I'm very curious to get your thoughts on the calls for designating space as a critical
infrastructure.
In your view, would that help move things along in the right direction?
Or what would that materially impact if space were to become designated as critical infrastructure?
Well, first, I'd offer that the White House has not made a decision regarding space as a critical infrastructure. And if called upon by the White House for insights and thoughts on that, obviously NSA would provide input to that decision.
But collectively, I'd offer, too, that the team is already working well
together. And absent any sort of decision, we will continue to focus on how we work together
as a team across the U.S. government, but in particular, that very important partnership
between government and industry. Because I think that's where the power of partnerships really come
together, sharing insights, sharing guidance, and ensuring that we can change as the threat
arena changes as well. Just as we're talking right now, there are new vulnerabilities being
discovered. There are changes that are happening in the cyber ecosystem. So this is not something
that you publish and you're finished. This is something that's continuous that we need to
work together on over time. And as space and commercial space especially continues to grow
at an astounding pace, I'm wondering, are there any maybe emerging technologies that are of interest
that you feel could present great opportunities for perhaps hardening systems or helping move along the maturity of cybersecurity and space systems?
Absolutely.
You know, when I think about any type of system out there today, some of the things that I immediately think about, especially for the space ecosystem, is concepts like implementing zero trust within ground system
segments. It's a different thought process, but really ensuring that zero trust principles
are applied and that we have the indications when one of those threat actors are attempting to gain
access to those systems, or if they are successful because your trust does assume breach, that they have little maneuver space to actually impact the
actual space systems themselves.
I'd also offer that building in cybersecurity from the beginning.
If we look back in time, some of the early space systems didn't necessarily consider
cybersecurity as one of the primary requirements during the acquisition, development, implementation.
So I think it's really important for us to think about how we ensure that cybersecurity is thought about during the actual development within the entire ecosystem that I mentioned earlier.
And then in particular for national security systems, but not just national security systems, the future of cryptography. We need to ensure that we have quantum resistant cryptography for our national security systems and U.S. government systems, as well as commercial systems to ensure that cryptography advances along with the space systems and all that ecosystem that I just
mentioned. And then lastly, I'd say that the complexity of space systems in proliferated
LEO architectures now demand the ability for those systems to be able to communicate
in space from system to system. So different technologies, different applications of cryptography
and zero trust, I think,
are all areas that I think are not only emerging,
but in many cases critical
to ensure that current and future space systems
can be relied on by the national security systems owners.
Dave Luber at NSA,
thank you so much for walking me through this today.
I'm always
fascinated hearing about not only what NSA is doing, but also space cyber, personal passion
of mine. I really appreciate your time and expertise today. It's great to be here today.
Thank you. That's Maria Varmazis from the T-Minus podcast speaking with David Luber,
Deputy Director of NSA's Cybersecurity Directorate. If you've not yet checked out T-Minus,
what are you waiting for? It's a great show. Check it out.
It is always my pleasure to welcome back to the show Tim Starks.
He is the author of the Cybersecurity 202 at the Washington Post.
Tim, welcome back.
Howdy, Dave.
So your most recent posting here over on the Post's website is titled
White House's Pick for National Cyber Director is Met with Praise and Questions.
Take us through what's going on here,
because it's not exactly straightforward.
Yeah, this has been a somewhat odd sequence of events.
You'll recall that toward the end of last year,
we found out Chris Inglis was leaving
as the very, very first National Cyber Director.
That's that position that has a strategic
and advisory role to the president.
It's kind of the replacement for the cyber czar that used to be existing in the White House. He left one of his deputies, I think
his principal deputy, Kemba Walden, has been serving as an acting director and by pretty much
all accounts, doing an excellent job of it. She'd overseen the rollout of the National Cybersecurity
Strategy. She led the development of the implementation plan.
People were expecting her to get the nomination, but it kept not happening. She took that job in
February. And then me and a colleague, Ellen Nakashima, we both combined on a story last
week that wrote about her being told she was not going to get the job because of personal debt
issues that most people were pretty skeptical should have been or were the real reason for
her not getting the nomination.
So today, or I guess I should say yesterday, the White House announced that Harry Coker,
that's a name that we put in that story last week, was as the favored candidate.
Harry would be the nominee. He's a former NSA CIA official, actually was part of the transition
team for the Biden-Harris administration. He has some cyber experience, but there's some questions about how much
compared to especially Kemba and maybe other potential nominees.
And I think that's where we end up.
People seem to think highly of him overall.
He has support on the Hill from key figures.
So he has support.
Chris Inglis told me that he thought he'd be a good candidate.
I think that gets us up to speed.
It's kind of a long, winding saga so far.
Yeah, I mean, it's interesting to me that Coker seems to have a lot of support.
There's little question that he can come at this from a leadership point of view.
He has all the experience there to lead an agency.
But your reporting, you spoke to some folks who may have some skepticism
when it comes to his knowledge, particularly in the cyber realm. Yeah, so I mean, he certainly
has some of that. He has been at Auburn University at the McCrary Institute as a senior fellow on
cyber. He has advised some cyber companies, but he wasn't necessarily all that explicitly
focused on cyber at the NSA or CIA.
I mean, it was certainly part of what he did, but I don't think people thought of it as the main thing he did.
So if you're looking at someone like him, who, again, like you said, like the people I talked to, even the people who were skeptical of him, praised him as a person, praised him for his leadership, his intelligence.
Compare him to like a Kemba Walden who had been back at DHS covering cyber,
was there when CISA was being stood up
and was an attorney,
was at Microsoft with the Digital Crimes Unit,
was there for the founding of,
essentially the founding
of the National Cyber Director's Office.
Inglis came in last year
after getting confirmed,
I think it was around June of last year. She joined in June of
last year as well. So we're talking about someone who had a lot of capabilities and a lot of
experience specifically in this job compared to Harry. And that's where he has some skeptics
about whether he should have been the choice, whether he was the best pick for the job.
Yeah. Going back to Kemba Walden, and I have to say I'm a
little surprised we didn't see more from the Biden administration to fight for her getting this job.
It struck everybody as strange because, like I said, everybody pretty much thinks she's done a
good job. I say pretty much because I can't think of anybody who has said she's done a bad job.
I've heard people criticize things like the implementation strategy,
maybe having some issues with it, but,
but nobody said she did a bad job and everybody seems to think she's done a
good job. She's a black woman.
There are not a lot of black women in leadership positions in the Biden
administration. And they prioritize that, you know,
and with like Supreme court nominees and things like that.
So it seems like that would have been a factor for her.
Harry Coker is also black. So it's not as though they're completely abandoning diversity, but black woman
is a different kind of diversity level we're talking about than a black man. And it's confounded
people. This notion that it's an issue of personal debt, to what degree do folks think that is
truly the case?
Nobody that I've talked to or nobody that I've seen react to it publicly seems to think that
that is the authentic explanation. Sure, that was the explanation she was given. I should point out
that Kemba, at some time around the same point that the White House was saying that she's not
going to get the job, she pulled herself back from consideration. So that's something to point out.
First off, if you go back to the
story we wrote last week, you'll see that personnel expert types that we spoke to cannot recall a time
that a nominee was sunk by any personal debt. Maybe questioned about it, but not sunk by it.
And it seems to have come out of nowhere as this issue for her specifically. And I think that's
part of what makes people skeptical about it. Combined with the fact that she was doing a good job, it makes people think there's
something else going on.
Will she stay on with the agency?
Yeah, my understanding is that she's staying on indefinitely as the acting.
But what happens after that, once Harry Coker's nomination advances, I would probably expect
her to leave, but I don't think we have a word on that yet.
All right.
Well, Tim Starks is the author of the Cybersecurity 202 at The Washington Post.
Tim, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. Thank you. designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Breaking news happens anywhere, anytime.
Police have warned the protesters repeatedly, get back.
CBC News brings the story to you live.
Hundreds of wildfires are burning.
Be the first to know what's going on and what that means for you and for Canada.
This situation has changed very quickly.
Helping make sense of the world when it matters most.
Stay in the know.
Download the free CBC News app or visit cbcnews.ca.
And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights
that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The CyberWire
are part of the daily intelligence routine
of many of the most influential leaders and operators
in the public and private sector,
as well as the critical security teams
supporting the Fortune 500
and many of the world's preeminent intelligence
and law enforcement agencies.
N2K Strategic Workforce Intelligence
optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Trey Hester with original music by Elliot Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilpe
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.