CyberWire Daily - Apple issues an emergency patch. Aerospace sector under attack. DPRK spearsphishes security researchers. Notes from the hybrid war, including Starlink’s judgments on jus in bello.
Episode Date: September 8, 2023Apple issues emergency patches. "Multiple nation-state actors" target the aerospace sector. The DPRK targets security researchers. SpaceX interrupted service to block a Ukrainian attack against Russia...n naval units last year. The International Criminal Court will prosecute cyber war crimes. Operation KleptoCapture extends to professional service providers. Malek Ben Salem of Accenture ponders the long-term reliability of LLM-powered applications. Our guest is Elliott Champion from CSC on how cybercriminals are taking advantage of the Threads platform. And congratulations to the SINET 16. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/172 Selected reading. BLASTPASS: NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild (The Citizen Lab) Apple issues software updates after spyware discoveries (Washington Post) Apple patches two zero-days under attack (CVE-2023-41064, CVE-2023-41061) (Help Net Security) CISA, FBI, and CNMF Release Advisory on Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 | CISA (Cybersecurity and Infrastructure Security Agency CISA) Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 (Cybersecurity and Infrastructure Security Agency CISA) AA23-250A: Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 (Tenable®) CISA Warning: Nation-State Hackers Exploit Fortinet and Zoho Vulnerabilities (The Hacker News) Active North Korean campaign targeting security researchers (Google) Rigged Software and Zero-Days: North Korean APT Caught Hacking Security Researchers (SecurityWeek) Musk 'switched off Starlink in Ukraine over nuclear fears' (Computing) CNN Exclusive: 'How am I in this war?': New Musk biography offers fresh details about the billionaire's Ukraine dilemma | CNN Politics (CNN) Ukraine, US Intelligence Suggest Russia Cyber Efforts Evolving, Growing (Voice of America) The International Criminal Court Will Now Prosecute Cyberwar Crimes (WIRED) Technology Will Not Exceed Our Humanity (Digital Front Lines) Justice Department’s Oligarch Hunters Widen Scope to Include Facilitators (Wall Street Journal) Apple issues emergency patches. APTs target aerospace sector. DPRK targets security researchers. New BEC phishing kit. Notes from the hybrid war. ICC will prosecute cyber war crimes. SINET 16 announced. (CyberWire) Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Apple issues emergency patches.
Multiple nation-state actors target the aerospace sector.
The DPRK targets security researchers. SpaceX interrupted service to block a Ukrainian attack
against Russian naval units last year. The International Criminal Court will prosecute
cyber war crimes. Operation KleptoCapture extends to professional service providers.
Malek Ben-Salem from Accenture ponders the long-term reliability of LLM-powered applications.
Our guest is Elliot Champion from CSC on how cybercriminals are taking advantage of the Threads platform.
And congratulations to the Cynet 16.
I'm Dave Bittner with your CyberWire Intel briefing for Friday, September 8th, 2023. Yesterday, Apple issued three emergency patches for a vulnerability that could be exploited to install spyware.
The company said in its advisories, a maliciously crafted attachment may result in arbitrary code execution.
Apple is aware of a report that this issue may
have been actively exploited. The report of active exploitation came from the University of Toronto's
Citizen Lab, which found evidence that NSO Group's Pegasus spyware was being installed in vulnerable
devices through a zero-click exploit the lab calls BlastPass. The attacks used passkit attachments sent as iMessage images.
These carried the malicious payload.
The patches will protect users against BlastPass, so will enabling Apple's lockdown mode on the device.
Citizen Lab found BlastPass on a device used by a Washington, D.C.-based civil society organization with international offices.
Both Apple and Citizen Lab characterized this threat as mercenary spyware.
That is, it's spyware sold to a variety of actors, especially government security services,
without having any essential political motivation or governmental connections.
They're pure hired guns like the
Magnificent Seven, only not as nice or as discriminating. Several nation-state actors
exploited two vulnerabilities to attack an organization in the aeronautical sector,
according to a joint advisory released yesterday by CISA, the FBI, and U.S. Cyber Command's Cyber National Mission Force. The threat actors
gained access via vulnerabilities in Zoho Manage Engine Service Desk Plus and FortaOS SSL VPN.
The joint advisory includes an extensive description of the threat activity,
advice on detection, and recommendations for mitigating risk.
Patches for both exploits have been available since early this year.
The advisory notes, CISA and co-sealers identified an array of threat actor activity
to include overlapping TTPs across multiple APT actors.
Per the activity conducted, APT actors often scan Internet-facing devices
for vulnerabilities that can be easily
exploited. Firewall, VPNs, and other edge network infrastructure continue to be of interest to
malicious cyber actors. None of the agencies involved in the joint advisory have identified
the threat actors involved in exploiting the two vulnerabilities. It's not clear whether the
multiple APT actors represent different states or simply different agencies of the two vulnerabilities. It's not clear whether the multiple ABT actors represent
different states or simply different agencies of the same state. Google's threat analysis group
warns that a North Korean threat actor has been targeting security researchers with at least one
zero day for the past several weeks. Google notified the affected vendor and the zero day
is in the process of being patched.
The threat analysis group observed that, similar to the previous campaign TAG reported on,
North Korean threat actors used social media sites like X, formerly Twitter, to build rapport with their targets.
In one case, they carried on a months-long conversation attempting to collaborate with a security researcher on topics of mutual interest. After initial contact via X, they moved to an encrypted
messaging app such as Signal, WhatsApp, or Wire. Once a relationship was developed with a targeted
researcher, the threat actors sent a malicious file that contained at least one zero-day
in a popular software package.
It's a common approach, spearfishing with preparatory catfishing,
and this time the poachers are after the gamekeepers.
The Washington Post, citing a new biography of Elon Musk by Walter Isaacson,
reports that Mr. Musk directed SpaceX to interrupt local service to Ukraine in the Black Sea region
with a view to interfering with a submarine drone attack against Russian targets last year.
He relented in the face of appeals and protests by Ukrainian and U.S. officials,
but his actions reveal ambivalence about the war and about SpaceX's part in this and other conflicts.
According to Isaacson, Musk asked,
how am I in this war? Starlink was not meant to be involved in wars. It was so people can watch
Netflix and chill and get online for school and do peaceful things, not drone strikes. Mr. Musk
is said to have feared that Ukrainian attacks would provoke Russian escalation, including escalation to nuclear war.
Mr. Musk himself tweeted, or perhaps we should say X'd, an explanation that if SpaceX had continued Starlink service to Ukraine during an operation that might have sunk a significant fraction of the Black Sea fleet, he himself would have been complicit in a major act
of war. One might sympathize with a desire to stay out of a war, but the question is a complicated
one. Here's a follow-on question. Does prevention of an attack on a naval unit render one responsible
for the missiles that naval units subsequently fired at cities? Speaking at the 14th annual Billington Cybersecurity Summit
in Washington, D.C. this week, Ukrainian and U.S. officials cautioned against thinking that
Russian cyber operations were a diminishing threat. In fact, they said, Russian activity
in cyberspace was picking up. Ilya Vituik, head of cybersecurity for the Security Service of Ukraine,
Ilya Vituik, head of cybersecurity for the Security Service of Ukraine, said that Ukrainian resilience was high.
But the problem, the Voice of America quotes him as saying, is that our counterpart, Russia, our enemy, is constantly also evolving and searching for new ways to attack.
The operators, Vituik said, aren't enthusiasts or script kiddies, but rather fully employed nine-to-fivers working directly for the Russian security and intelligence services. The U.S. Deputy Director of Central
Intelligence David Cohen dismissed Russian denials of hostile action in cyberspace
and said that Moscow was increasing both its capabilities and efforts in that domain.
He said, this is a pitched battle every day. He also
observed that the cyber war wasn't one-sided and that the Russians have been on the receiving end
of a fair amount of cyber attacks being directed at them from a range of private sector actors.
There have been attacks on the Russian government, some hack and leak attacks.
There have been information space attacks on the TV and radio broadcasts.
So there's much back and forth, but it's still worth noting none of the devastating
bolt-from-the-blue attacks that were widely expected, especially from the Russian side.
The International Criminal Court, the ICC, confirmed to Wired that it now intends to
prosecute cyber war crimes. An ICC representative said,
the office considers that in appropriate circumstances, conduct in cyberspace may
potentially amount to war crimes, crimes against humanity, genocide, and or the crime of aggression,
and that such conduct may potentially be prosecuted before the court where the case is sufficiently grave.
ICC Prosecutor Kareem Khan explained the rationale for bringing cyberwar crimes into the court's jurisdiction
in an essay titled Technology Will Not Exceed Our Humanity, published in Foreign Policy Analytics.
He wrote,
Cyberwarfare does not play out in the abstract.
Rather, it can have a profound impact on people's lives. Attempts to impact critical infrastructure, such as medical facilities
or control systems for power generation, may result in immediate consequences for many,
particularly the most vulnerable. Consequently, as part of its investigations, my office will
collect and review evidence of such conduct.
We are likewise mindful of the misuse of the Internet to amplify hate speech and disinformation,
which may facilitate or even directly lead to the occurrence of atrocities.
Kahn notes that cyberspace is commonly perceived as an ambiguous gray zone,
where serious harm can be worked while the actors remain below a threshold that would generally be recognized as war.
The ICC is interested in clarifying that ambiguity.
The ICC doesn't explicitly mention Russia or indeed any other actor,
but Wired reviews the many reasons for thinking that Russian activity is likely to provide the first cases.
The GRU's role in pre-invasion attacks against Ukraine's power grid
and in the NotPetya pseudo-ransomware incident
are cited as examples of indiscriminate cyber warfare that may be construed as criminal.
The U.S. Justice Department is expanding investigations under Operation KleptoCapture
from its original targets,
Russian oligarchs whose activities sustain Russia's war against Ukraine,
to include professional service providers, lawyers, accountants, and other facilitators who've helped the oligarchs evade sanctions.
The operation's inaugural director, Andrew Adams, who retired to private practice in July,
inaugurated director Andrew Adams, who retired to private practice in July,
told the Wall Street and long-term, probably a worthwhile project.
And finally, Cynet has announced the 2013 winners of its annual Cynet 16,
a program that selects 16 promising cybersecurity startups.
You'll find a full list of the winners in the CyberWire's daily news briefing today.
Check them out.
We'll just observe that the CynET 16 winners have, for years,
achieved a remarkable record of technical innovation and business success.
Our congratulations to all 16 of the young companies honored today.
Coming up after the break, Malek Ben-Salem from Accenture ponders the long-term reliability of LLM-powered applications. Our guest is Elliot Champion from CSC on how cybercriminals are taking advantage of the Threads platform.
Stick around. Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals
to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
When Meta launched their Threads platform to great notice and fanfare,
it was inevitable that Crooks would be there to take advantage of the excitement.
Elliot Champion is Global Product Director for Brand Protection and Anti-Fraud at Enterprise
Domain Registrar CSC. He and his colleagues have been tracking fraud attempts related to the Threads platform.
I think Threads is really interesting because Threads in many ways is a continuation of what
we've already seen from Meta in the past, but we're also seeing underlying technologies as
we move into the future. Threads is a way of being able to maximize all of your potential reach to all of your different followers across the online space.
Unfortunately, that's also being taken up by ad actors and those using it to send various different threats to organizations and people across the internet.
And I know you and your colleagues at CSC have been tracking this.
What are some of the things that you all are looking at?
Yep. So I think it's a really good time to talk about it as well,
because they're actually just releasing the browser version of Threads.
It was previously just an app.
So we were all using the app to search and research.
So we looked from June to July, and we looked at the top 25 interbrand list. That's where
we were looking at all of the brands that you and I know and love and interact with every day.
And we were looking for different types of threats and abuse types that are there.
What we found was that 84% of those brands had multiple different types of attacks,
ranging from brand, fraud, URL,
and other different redirect threats. So typically, the traditional cases that many people
probably know would be the brand attacks. So we have trademark infringements, copyrights,
impersonations in some sort of way. They're indistinguishable from an official account.
Then you then have fraud attacks. Those
are phishing, where they're aiming to collect data, information, or access. And then finally,
what's really interesting is also then how these networks interconnect with each other. So then
how these then extend out into the domain name ecosystem through redirects or shortened URLs.
ecosystem through redirects or shortened URLs.
You know, whenever something new like this pops up and captures the public's imagination,
the scammers aren't very far behind. Are we seeing the run-of-the-mill kinds of things here,
or is there something specific about threads that makes it particularly attractive?
I think what it's new, and I think a lot of bad actors are going to,
as you say, always use the new innovations,
the new tools that are at their disposal.
And we are seeing the typical sets of different types of attacks, as I said,
the typical brand fraud attacks, phishing attacks.
What we've seen though is that
they've really jumped into that space
and tried to take hold of all of the kind of green space that's there to be able to be taken,
all the profiles, the posts, any opportunity that they possibly can to take all of those.
So we've seen a real push into official accounts.
And then from those official accounts, they've been taken up by the bad actors rather than the legitimate organizations.
rather than the legitimate organizations.
So for folks who are tasked with defending their organizations against these sorts of things,
what are your recommendations?
So really, I would suggest looking at a number of different ways of routinely monitoring and enforcing and making sure that you're looking for a variety of different types of attacks that are on these platforms.
Social networks is really interesting. You see a typical life cycle of social networks where
there's a new popular one, and there's really no easy way of being able to get things taken down.
The good thing about meta and threads is that they already have a really good,
solid IPR portal already there. So it's responsive, easy to use.
Any brand owner can sign up for that.
And then that allows you to be able to do effective takedowns
across ads, commerce, accounts, and various other posts.
So from a brand and security perspective, it's a good platform.
That's a really interesting point because people go
to threads to consume the content that is there rather than you know
bringing it in-house yeah absolutely and i think that also ties into a lot of the broader implications
that threads has as well as its underlying technology you know threads is going to be
different because of what meta wants it to be they do not want it to be a because of what Meta wants it to be. They do not want it to be a copy of Instagram or
Facebook. Their plans are to use a completely different underlying protocol for the future
of Web3. It's interesting too, as you mentioned, that I suppose Threads has an advantage here with
all of the existing infrastructure and the lessons that Meta has learned along the way.
Yeah, absolutely. And it's a really straightforward way of being able to get these things down.
You can imagine as a brand team or a security team, you find these cases, these attacks that
you know are being weaponized through these platforms. You want to make sure that you can
get them down as quickly as possible. And as I say, through the typical lifecycle of a network,
you'll typically see a new platform that will come in.
They don't have these procedures in place.
Why would they not have these procedures in place?
Well, it's not really their first priority.
Their priority is to grow and to gather as much attention as they possibly can,
as many users and activity as possible.
But the good thing about threads
is that they're essentially extending out
their Meta's IPR portal.
And as I say, that's really responsive, easy to use.
We find them as a really helpful partner
in being able to remove content quickly.
Can we touch just quickly
on the notion of brand protection itself?
What sort of things should organizations be focused on here?
Yeah, I think it's really important that people look at various different types of monitoring enforcement strategies.
We covered monitoring earlier, making sure you're covering the domain name space, social media, and others.
But it's also really important to make sure that you have effective enforcement strategies in place.
Takedowns are as much an art as a science.
You want to look at lots of different ways that you can take down an individual website.
That could be at the ISP level, the registrar level.
You could be looking at the individual registrant information, unless that's under privacy protection.
You want to find a way of being able to neutralize
these various different threats very quickly.
That's Elliot Champion from CSC.
There's a lot more to this conversation.
If you want to hear more, head on over to the CyberWire Pro
and sign up for Interview Selects,
where you'll get access to this and many more extended interviews. And I'm pleased to be joined once again by Malek Bensalem.
She is the Managing Director for Security and Emerging Technology at Accenture.
Malek, it's great to have you back.
We've been tracking these LLM-powered
applications, and certainly they've captured lots of people's imagination. But I've seen stories
that there may be issues with the long-term reliability of them, sort of collapsing under
their own recursive weight, if you will. You've had your eye on this, haven't you?
recursive wait, if you will. You've had your eye on this, haven't you?
Yes, absolutely. I think there's a lot of excitement about the use of LLMs and leveraging them for potential or various use cases within enterprises.
And a lot of focus has been on the accuracy of the output of these LLM models.
the accuracy of the output of these LLM models.
And less focus has been given to how reliable they are over time.
Most recently, there has been research published around the performance of certain GPT-XX models.
And the research has shown that the performance of those models have drifted, you know, between back in March and, you know, later in the year.
So the ability to recognize prime numbers or the ability to, you know, come up with safe answers for certain questions has significantly changed.
And in some cases for the better and in other cases for the worse. But as my clients are designing and thinking about use cases
for deploying these LLM models as part of larger applications,
they need to think through and plan and design for monitoring the capability
of these models over time or the output of these models over time.
That is something that we have been used to when using machine learning models, machine
learning applications, we're used to this concept of concept drift, right?
Where the evolution of data may invalidate the data model over time.
And therefore, we need to retrain the model or so over time if the performance degrades.
the model or so over time if the performance degrades.
Now, with these LLM models, most clients are consuming them from third-party vendors.
They don't have the control over those models.
They cannot retrain them.
But at the very least, they need to pay attention to their performance over time. They need to recognize that it will change.
And if it changes, what that means is,
if you're building an application around this LLM model,
you may need to change the prompts that you're feeding to that model,
that you're sending to that model in order to get the right output.
So you need to be aware of those changes.
The changes may not be changes to the model's capabilities themselves.
I think some researchers noted this,
that the capability of the LLM or large language model may not change,
but its behavior changes because of fine-tuning the model to certain tasks. But for the end user, for my clients
who have no control over the underlying model, that's the same. It doesn't matter if the
capability is changing or the behavior is changing. The end result is the same. And therefore,
they need, number one, to monitor for that change and have processes in place to update their
applications, to retest their applications, to change the prompts they're feeding to those
models if needed in order to continue to get the benefit of the use of those models over time.
Yeah, it's really fascinating, isn't it?
I mean, we talk about these being kind of black boxes.
Folks aren't exactly sure how it's working under the hood,
but we know it works.
But I guess the point you're making
is that people have to factor that into their risk model
that there's some variability here.
Absolutely, absolutely. They need to factor that into that risk model, that there's some variability here. Absolutely. Absolutely.
They need to factor that into that risk model.
They need to factor it into their application development model
and application maintenance model, if you will.
There needs to be a focus on application maintenance as well.
I can't help thinking, you know, since this is new technology, is it in its
toddler phase? Is it in its teenager phase? And I think about my own kids as teenagers, you know,
I could ask them the same question and on any given day could get a different answer depending
on their mood. Very good point. I like the analogy. Yeah. Yeah. yeah yeah all right well it's certainly uh interesting
stuff and something to keep an eye on malek ben salem thank you for joining us thanks for having Thank you. solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions
designed to give you total control, stopping unauthorized applications, securing sensitive
data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see
how a default-deny approach can keep your company safe and compliant.
deny approach can keep your company safe and compliant. And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with Reese Baldwin from Casada. We're discussing their work No Honor Among Thieves, unpacking a new open-bullet malware campaign.
That's Research Saturday. Check it out.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights
that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire Thank you. music by Elliot Keltzman. The show was written by our editorial staff. Our executive editor is
Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. Thank you. platform comes in. With Domo, you can channel AI and data into innovative uses that deliver
measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.