CyberWire Daily - An AI arms race.
Episode Date: February 15, 2024

Microsoft highlights adversaries' experiments with AI LLMs. A misconfiguration exposes a decade's worth of emails. SentinelOne describes Kryptina ransomware as a service. The European Court of Human Rights rules against backdoors. Senator Wyden calls out a location data broker. GoldFactory steals facial scans to bypass bank security. The Glow fertility app exposes the data of twenty five million users. Qakbot returns. Our guest Rob Boyce from Accenture talks about tailored extortion. And hacking the airport taxi line leads to prison.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Guest Rob Boyce from Accenture talks about tailored extortion as actors continue to shift to pure data extortion, with old and new tactics.

Selected Reading
State-backed hackers are experimenting with OpenAI models (Cyberscoop)
Staying ahead of threat actors in the age of AI (Microsoft)
U.S. Internet Leaked Years of Internal, Customer Emails (Krebs on Security)
Kryptina RaaS | From Underground Commodity to Open Source Threat (SentinelOne)
Backdoors that let cops decrypt messages violate human rights, EU court says (Ars Technica)
A company tracked visits to 600 Planned Parenthood locations for anti-abortion ads, senator says (POLITICO)
Cybercriminals are stealing Face ID scans to break into mobile banking accounts (The Register)
Fertility tracker Glow fixes bug that exposed users' personal data (TechCrunch)
New Qbot malware variant uses fake Adobe installer popup for evasion (BleepingComputer)
Duo headed to prison for charging cabbies to skip JFK Airport line with Russian hackers' aid (NY Daily News)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Microsoft highlights adversaries' experiments with AI LLMs.
A misconfiguration exposes a decade's worth of emails.
SentinelOne describes Kryptina ransomware as a service.
The European Court of Human Rights rules against backdoors.
Senator Wyden calls out a location data broker.
GoldFactory steals facial scans to bypass bank security.
The Glow Fertility app exposes the data of 25 million users.
Qakbot returns.
Our guest Rob Boyce from Accenture talks about tailored extortion.
And hacking the airport taxi line leads to prison.
It's Thursday, February 15th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
In a study released by Microsoft, researchers have observed advanced threat actors from nations including China, Iran, North Korea, and Russia experimenting with large language models.
No substantial misuse for carrying out notable cyberattacks has been documented yet,
but this exploration into AI by some of the world's most formidable cyberpowers
raises concerns over potential applications in cyberattacks, disinformation campaigns,
and the creation of sophisticated spear phishing emails.
However, Microsoft's findings in partnership with OpenAI indicate that the direst predictions
about AI exploitation in cyber warfare have not yet come to fruition. The investigation,
which is a joint effort between Microsoft and OpenAI, details activities like the Russian
hacking group Fancy Bear delving into satellite communications protocols and technologies,
suggesting a preliminary interest in leveraging LLMs for gathering in-depth technical knowledge
possibly to support cyber operations. The report highlights the use of LLMs by Iranian and North
Korean hackers to generate deceptive spear phishing emails designed to direct victims to malicious websites.
For instance, Iranian hackers, identified as Crimson Sandstorm,
created emails impersonating an international development agency
and targeted prominent feminists with a fake website on feminism.
Additionally, the report highlights attempts by hackers from the monitored countries
to employ LLMs for generating and refining malicious scripts and code,
although with mixed success.
A notable example includes the Chinese hacking group Chromium,
which utilized LLMs to enhance scripting for cyber operations,
while another group, Sodium, faced limitations due to the model's built-in safeguards against generating harmful code.
Microsoft's report not only provides a snapshot of current LLM usage by state-backed hackers,
but also outlines a set of principles aimed at preventing AI abuse.
These include efforts to identify and disrupt malicious use of LLMs, notifying other AI providers of potential abuses, and maintaining
transparency about threats. We note that Microsoft is a CyberWire partner.
Krebs on Security reports that U.S. Internet Corporation, based in Minnesota, inadvertently exposed over a decade's worth of internal and client emails from its Securence email filtering service, affecting thousands of domains and inboxes, including those of state and local governments.
The security lapse, revealed by cybersecurity firm Hold Security, allowed anyone with Internet access to view these emails in plain text.
The exposure was quickly addressed after Krebs on Security contacted U.S. Internet's CEO, Travis Carter.
However, the company's explanation attributing the issue to a misconfigured Ansible playbook for their IMAP servers did little to clarify how such a significant oversight occurred.
Additionally, Securence's link scrubbing service
was found to have been manipulated by hackers to redirect to malicious sites,
further compromising security.
Despite the immediate rectification of the exposed inboxes,
U.S. Internet has yet to publicly acknowledge the breach
or detail the extent of the exposure.
SentinelOne has published research on the Kryptina ransomware-as-a-service offering.
Initially launched as a commercial product on underground forums in December of 2023,
Kryptina has now transitioned to an open-source crimeware project.
Aimed at Linux systems,
Kryptina was designed to be a lightweight,
customizable solution for cybercriminals,
featuring both 32- and 64-bit compatibility
and payment options through Monero and Bitcoin.
Despite initial attempts to sell it,
the creator released the source code publicly,
potentially due to a lack of buyers,
or to gain notoriety
within the cybercriminal community. This shift to open source could significantly impact the
prevalence and diversity of ransomware attacks on Linux systems by lowering entry barriers for
low-skilled attackers and encouraging the development of new variants. Kryptina's
capabilities include file encryption using the AES-256 algorithm,
secure deletion of files to hinder recovery, and a web interface for campaign management
and victim communication. The European Court of Human Rights ruled that weakening end-to-end
encryption poses a disproportionate risk to human rights. This decision challenges the European Commission's plans
to mandate back doors for law enforcement in email and messaging services.
The ruling followed a case where Russia demanded Telegram
provide access to encrypted messages to combat terrorism.
Telegram argued it was technically impossible to comply
without compromising all users' privacy.
The European Court of Human Rights agreed, stating that confidentiality in communications
is crucial for private life and correspondence. Privacy advocates argue that creating backdoors
not only risks mass surveillance, but also undermines security for all users by potentially
allowing criminals access. The ECHR's stance
sends a clear message against compromising encryption, emphasizing the need for alternatives
in law enforcement tactics rather than weakening digital security measures.
An investigation by Senator Ron Wyden alleges that online data broker Near Intelligence tracked visits to nearly 600
Planned Parenthood locations across 48 states for a massive anti-abortion ad campaign. This
revelation has raised concerns about the potential use of such data by states to prosecute women
after the Supreme Court's abortion ruling. Wyden has called for investigations by the FTC and SEC into Near Intelligence.
The company's promotional materials claim to have data on 1.6 billion individuals worldwide.
The campaign's scale, unprecedented in its use of location data for targeting reproductive health clinics,
has sparked criticism and calls for tighter privacy regulations.
Wyden also highlighted concerns about what he says are Near's misleading claims to investors.
The company filed for bankruptcy last December, and Wyden is urging the FTC to block the sale of the collected data amidst Near's bankruptcy proceedings.
A Chinese-speaking cybercrime group known as GoldFactory has
launched a sophisticated attack targeting iOS users. Their malware, GoldPickaxe.iOS,
is designed to steal facial scans to infiltrate and extract money from bank accounts,
focusing primarily on users in Thailand and possibly Vietnam. This malware masquerades as the Thai
government's official digital pensions app, exploiting biometric verification checks to
bypass banking app security measures. Researchers from Group-IB highlighted the malware's capability
to collect biometric data, ID documents, intercept SMS, and proxy traffic, making it notably advanced in comparison to its Android counterpart.
The malware's rapid development to circumvent new facial biometric security measures
implemented in Thailand underscores the cybercriminal group's skill and adaptability.
We note that despite reports implying that this is some sort of bypass of Apple's Face ID hardware,
it appears to be more a case of social engineering to convince users to upload photos of their faces.
A vulnerability in the online forum of the fertility tracking app Glow
exposed personal data of approximately 25 million users.
Discovered by security researcher Ovi Liber,
the bug revealed users' names, age groups, locations,
unique user identifiers, and any uploaded images.
Liber found the data leakage through Glow's developer API,
which was mistakenly accessible to the public,
and reported the issue to Glow in October.
The company fixed the leak about a week later.
Despite the fix, Glow has not publicly discussed the bug's impact. This incident follows previous
privacy concerns with Glow, including a 2016 Consumer Reports finding of accessible user data
and a 2020 fine from California's Attorney General for inadequate data protection.
The Qakbot malware, also known as Qbot, has seen new activity, with developers experimenting with fresh builds since mid-December. This follows its takedown by law enforcement last August.
The malware, traditionally spread through email campaigns, has been a vector for various malicious
payloads, including ransomware,
affecting over 700,000 systems and causing financial damages of over $58 million.
Despite the disruption of its command and control servers, its spam delivery infrastructure remains
intact, leading to a resurgence. Recent samples observed by Sophos X-Ops use fake Adobe installers and enhanced obfuscation techniques to evade detection, including checks for antivirus software and virtualized environments.
Coming up after the break, our guest Rob Boyce from Accenture talks about tailored extortion.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora have
continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation
to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home.
Black Cloak's award-winning digital executive protection platform secures their personal
devices, home networks, and connected lives. Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Robert Boyce.
He is Managing Director and Global Lead for Cyber Resilience at Accenture. Rob, welcome back.
Thank you, Dave.
So I know you and your colleagues have been taking a look at this notion of tailored extortion, that some of the threat actors there are really tightening their focus here. What can you share with us today?
Yeah, I just find this is a super interesting evolution to me.
I think we've all seen this evolution from ransomware to data theft to extortion over the last few years. But we're now starting to see, with high velocity, threat actors just going after data and only data.
And then we were always curious, okay, well, what is that actually going to mean?
Because there's the single extortion attempt
against an organization.
But now what we're seeing is these threat actors
using much more tailored extortion tactics
at an individual level.
So as a couple of examples,
we're starting to see,
based on the data that's being stolen,
sometimes it's very personal data.
It could be chats. It could be. We've actually seen in some instances nude photos of executives at organizations
being taken. And now those executives are being held for ransom personally as opposed to the
organization. So it's just putting a little bit more pressure on the payment possibilities for
threat actors based on that data type. We're also seeing trends if threat actors will formally, intentionally go after
and try and find if an organization has a cyber insurance policy.
And if they have a cyber insurance policy,
they're taking the data from that policy and using it to benchmark what their payment would be. So they're
going to go to the maximum allowable within the policy, which I find super interesting.
We always thought there was a correlation between organizations who had cyber insurance and those
who are being targeted. We see that a little less to be true, but we're seeing a huge focus on trying
to find if an organization has a policy and then leveraging the data within
that policy to help with the extortion component as well. When you see this kind of expansion
of extortion into people's personal lives, what does that mean for the organization? I think of
organizations will very often have life insurance policies for their key
executives. Do we have to extend that into people looking at their personal lives and making sure
that there's nothing there that could embarrass the organization? I think the future will tell
a little bit on that one. It's an interesting concept. I actually had not thought about that, of creating additional, almost personal liability insurance for individuals and organizations.
And right now, truthfully, it is mostly executives who are CEOs, or executives that are Jewish, as an example, right? People are using to try and target. I think another interesting aspect of this to me is
the victimology. So we haven't really talked about victimology too much, but this has changed
victimology immensely, I believe, in the last year, year and a half, where previously national
critical infrastructure was off limits for the most part, more or less. Again, healthcare,
oil and gas, utilities, et cetera. But this data-only extortion
has opened up everyone being a victim.
So I think we've seen like an 800% increase
in healthcare organizations being targeted
from data extortion, over 300% for oil and gas.
It's been quite a huge leap forward
now that those gates are open for those executives.
We've actually even seen LockBit 3.0.
I'm not sure if you're familiar with this, but they have these affiliate rules for those who want to be a LockBit 3.0 affiliate.
And they had a rule in there where you were not allowed to use, launch a ransomware against healthcare.
But they have changed that.
So now you can do data theft and extortion.
So they've actually changed,
the threat actors are changing the rules
within their programs as well,
which I find super interesting.
Yeah.
I just can't help thinking about
CISOs trying to deal with this sort of thing
and the potentially uncomfortable conversations with leadership and their organizations.
For sure.
And actually, speaking about CISOs, one more interesting point on this extortion
is we're also seeing a change in bug bounty,
how threat actors are approaching bug bounty.
So previously, as you know, they find a bug, they report it,
they hope to get paid by the organization.
But what is happening now is if the organization refuses to pay them,
they will then use that bug actively in the wild.
They will steal data, and then they will publicize the fact
that the company knew about it, and they chose to do nothing.
And so we have seen that happen.
And so when you think
about liabilities for CISOs and the concern about how to protect the personal lives of their
employees, they also have to consider the personal liability for themselves as well when they may
turn down a bug bounty and then it gets used against them publicly. And now that we've seen
what the SolarWinds breach and that attempt, personal liability, CISO, is very concerning for people in these positions.
Well, we saw the recent example where one of the threat actors ratted out an organization to the SEC.
That's new.
No, that's an example.
That's a great example.
It's like you pay me now or you pay fines later. That's your choice. That's the choice they gave them, basically. It's fascinating, honestly, just that the tactics are continuing to evolve just enough to put more and more pressure on either the individual or the organization to pay.
Yeah.
All right.
Well, Robert Boyce is Managing Director and Global Lead for Cyber Resilience at Accenture.
Rob, thanks so much for joining us.
Thanks, Dave.
Thank you.
So it's a pleasure.
Cyber threats are evolving every second, a full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and
With TD Direct Investing, new and existing clients could get 1% cash back.
Great! That's 1% closer to being part of the 1%... Maybe, but definitely 100% closer to getting 1% cash back with TD Direct Investing.
Conditions apply. Offer ends January 31, 2025. Visit td.com slash dioffer to learn more.
And finally, two individuals from Queens, New York, have been sentenced to prison
after having been convicted of running a sophisticated hacking operation
to manipulate the taxi dispatch system at Kennedy Airport.
Daniel Abayev, the orchestrator, received a four-year sentence,
while Peter Leyman, responsible for collecting fees, was sentenced to two years.
The duo, in collaboration with Russian hackers, launched their scheme in November of 2019,
utilizing malware introduced via a flash drive to gain unauthorized access to the taxi dispatch system.
This intrusion enabled them to offer line-skipping services to taxi drivers for a $10 fee,
disrupting the airport's orderly queue system and facilitating up to 1,000 fraudulent taxi trips daily. The hacking operation not only
breached the dispatch system's security, but reportedly also resulted in over $3.4 million
in losses to the Port Authority. These guys tried to cook up a cybercriminal express lane,
but their final destination was prison.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com. We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and
operators in the public and private sector, as well as the critical security teams supporting
the Fortune 500 and many of the world's preeminent intelligence and
law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest
investment, your people. We make you smarter about your team while making your team smarter.
Learn more at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with
original music by Elliot Peltzman.
Our executive producers are Jennifer Eiben and Brandon Karpf.
Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease
through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at
ai.domo.com. That's ai.domo.com.