CyberWire Daily - “Better Minecraft” improves gameplay, while also lifting your data. Hallucinations, defamation, and legal malpractice, oh my! Asylum Ambuscade and other wartime notes.

Episode Date: June 9, 2023

Barracuda Networks urges replacement of their gear. Fractureiser infects Minecraft mods. ChatGPT sees a court date over hallucinations and defamation. Asylum Ambuscade engages in both crime and espionage. The US delivers Ukraine Starlink connectivity. DDoS attacks hit the Swiss parliament's website. My conversation with Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA. Our guest is Delilah Schwartz from Cybersixgill discussing how the Dark Web is evolving with new technologies like ChatGPT. And BEC crooks see their day in court. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/111

Selected reading.
Barracuda Email Security Gateway Appliance (ESG) Vulnerability (Barracuda)
CVE-2023-2868 (MITRE)
ACT government falls victim to Barracuda's ESG vulnerability (CSO Online)
CVE-2023-2868: Total Compromise of Physical Barracuda ESG Appliances (Rapid7)
CVE-2023-2868 Detail (National Institute of Standards and Technology)
Infected Minecraft Mods Lead to Multi-Stage, Multi-Platform Infostealer Malware (Bitdefender)
New Fractureiser malware used CurseForge Minecraft mods to infect Windows, Linux (BleepingComputer)
IN THE SUPERIOR COURT OF FULTON COUNTY (Superior Court of Fulton County)
OpenAI Hit With First Defamation Suit Over ChatGPT Hallucination (Bloomberg Law)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. Air Transat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Barracuda Networks urges replacement of their gear. Fractureiser infects Minecraft mods. ChatGPT sees a court date over hallucinations and defamation. Asylum Ambuscade engages in both crime and espionage.
Starting point is 00:02:15 The U.S. delivers Ukraine Starlink connectivity. DDoS attacks hit the Swiss Parliament's website. My conversation with Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA. Our guest is Delilah Schwartz from Cybersixgill, discussing how the dark web is evolving with new technologies like ChatGPT. And BEC crooks see their day in court. I'm Dave Bittner with your CyberWire Intel briefing for Friday, June 9th, 2023. Barracuda Networks is urging customers to immediately replace its email security gateways due to a security vulnerability, CVE-2023-2868. The company says the vulnerability which has been exploited in the wild existed in a module which initially screens the attachments of incoming emails. The earliest evidence of exploitation was in October 2022.
Starting point is 00:03:42 CSO reports that the Australian Capital Territory Government has disclosed that it was breached via the flaw. Rapid7 notes that moving from a patch to a need for total device replacement is fairly stunning, as it insinuates that the attackers have persistence at a level that requires more than an entire device wipe. The vulnerability's description says that it stems from an incomplete sanitizing of tape archive processing. The description says that the vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive.
Starting point is 00:04:16 This can allow for an attacker to perform a remote execution of system commands. Minecraft mods were discovered to contain malware called Fractureiser in a pseudo-supply chain attack. It's described as pseudo because the affected mods are not advertised as supported media by Minecraft. It's an attack on the modder supply chain. Bitdefender released a report describing the attack, explaining that several Minecraft mods hosted on popular modding hubs CurseForge and Bukkit contained info-stealing malware, which caused accounts to be compromised and used to update and publish malware-lined versions of mods and plugins. As Bleeping Computer reports, several CurseForge and Bukkit accounts were compromised and used to inject malicious code into plugins and mods,
Starting point is 00:05:08 which were then adopted by popular mod packs such as Better Minecraft, which has over 4.6 million downloads. Bleeping Computer further notes that the infected updates were archived, but nonetheless sent out to users to remain undetected for as long as possible. This attack has a similar ring to it as the recent MOVEit and 3CX supply chain attacks, as the attackers targeted developers upstream of their intended victims. This allows them to reach a much wider target base than, say, targeting each user on CurseForge and Bukkit individually. Georgia radio host Mark Walters is suing OpenAI LLC for defamation after ChatGPT allegedly generated an answer that falsely stated that Walters had been sued for fraud and embezzlement, Bloomberg Law reports. The hallucinated result was generated for a journalist
Starting point is 00:06:07 covering a case unrelated to Walters. The lawsuit describes ChatGPT's allegations as false and malicious with intent to injure Walters' reputation and expose him to public hatred, contempt, or ridicule. In a separate case, two lawyers are facing potential sanctions in the Southern District of New York after they used phony legal research generated by ChatGPT, the Associated Press reports. The lawyer who included the fictitious research in their court filing apologized, stating that he did not comprehend that ChatGPT could fabricate cases.
Starting point is 00:06:44 ESET reports that a Belarusian threat group, Asylum Ambuscade, active since 2020 at least, has been engaged in what ESET regards as an unusual mixture of cybercrime and cyberespionage. It's described by ESET as a crimeware group targeting bank customers and cryptocurrency traders in a variety of regions that include North America and Europe. Espionage, ESET writes, has also been observed against government entities in Europe and Central Asia. The group's tools are often developed in script languages that include AutoHotKey, JavaScript, Lua, and Python, among others. Proofpoint last year announced its discovery of Asylum Ambuscade's activities against organizations providing aid to Ukrainian refugees and against European governments generally sympathetic
Starting point is 00:07:36 to Ukraine's cause, and that it was primarily an espionage group. ESET's assessment, however, is that Asylum Ambuscade is originally and primarily a criminal group. The espionage in this case now appears to be a side hustle. The U.S. Department of Defense is buying Starlink connectivity to bolster the resilience of Ukraine's communications. Citing concerns about operational security, the department has declined to provide details of the Starlink support. SpaceX had footed the bill for a while, but the Pentagon has relieved
Starting point is 00:08:12 the company of that particular loss leader. Switzerland's parliament came under DDoS attacks Wednesday and Thursday of this week, netsv reports. There's no clear attribution, but coincidentally or not, the attack followed an announcement that Ukrainian President Zelensky would address the Swiss lawmakers in a virtual conference next week. And finally, the U.S. attorneys for the Southern District of Texas and the Southern District of New York have announced that 11 people in several states are now in custody and facing charges of criminal involvement in business email compromise attacks. All 11 have been charged with conspiracy to commit wire fraud and money laundering. The U.S. attorneys say that the schemes cost victims millions in losses. The announcement explains,
Starting point is 00:09:03 the charges stem primarily from business email compromise schemes. Conspirators allegedly posed as legitimate businesses and fraudulently diverted money from victim bank accounts into accounts they controlled. According to the charges, they gained access to business email accounts and spoofed email addresses to deceive victims into believing they were making legitimate payments. So, it's a sadly familiar story. The crooks pose as a legitimate business charging for legitimate services provided, and then inveigle the purchaser of those services into diverting payment to an account the crooks control. Once the money is there, it's laundered and then gone, baby gone.
Starting point is 00:09:44 The alleged crooks operated mostly from Houston and Los Angeles, but their alleged crimes hit people in a variety of locations, including Edison Township of Middlesex County, New Jersey. The collars were the work of the FBI and the Edison Police Department, so bravo to both of them in a nice example of federal and local partnership. And to federal and local partnership among the prosecutors as well. The U.S. Attorney for the Southern District of Texas particularly thanks the Middlesex County District Attorney. Well done, all around.
Starting point is 00:10:33 Coming up after the break, my conversation with Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA. Our guest is Delilah Schwartz from Cybersixgill, discussing how the dark web is evolving with new technologies like ChatGPT. Stick around. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:11:17 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
Starting point is 00:11:37 and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact,
Starting point is 00:12:36 over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Delilah Schwartz is a security strategist from Israeli cyber intelligence firm Cybersixgill. I reached out to her for insights on how the dark web is evolving with new threats from technologies like ChatGPT. I think on a whole, cyber criminals and criminals in general tend to be the early adopters of new technology and innovation in general. And that's been the case with this new trend of generative AI tools like ChatGPT and other similar technologies. As soon as ChatGPT was released by OpenAI late last year, we immediately saw a massive rush of discourse about this on the cybercriminal underground across the deep and dark web with malicious threat actors quick to discuss
Starting point is 00:13:38 the various ways that they could abuse these new technologies for their own malicious purposes. And what are some of the specific things that you see them adopting? Well, immediately and initially, there was a lot of talk about the get-rich-quick scams, and that might be through fraudulent work. It might be through manipulating gaming and gambling scams or other types of online gaming technologies. We also saw threat actors discussing how to use ChatGPT to create dark web marketplaces that were able to process cryptocurrency as a form of payment. And also in the same breath, we heard cyber criminals quickly discuss the ways that they
Starting point is 00:14:21 could use this human language emulation technology to curate highly articulate spear phishing and phishing emails for social engineering purposes and also to create malware, which I was able to do myself with some very well-worded prompts to ChatGPT, though it did have a little caveat at the bottom of the info-stealing malware that it created for me, that it was for educational purposes only. We've seen a lot of discourse across the forums of the deep and dark web on how cybercriminals can abuse ChatGPT, in those words, to launch various different attacks and to automate different parts of the attack chain, whether it be creating fine-tuning malware,
Starting point is 00:15:05 finding software vulnerabilities in enterprise networks, and various other tactics and techniques to sort of optimize the existing capabilities of these cybercriminals. That said, as well, through my own research, I was quick to identify the fact that ChatGPT with the right prompts and the right cybercriminal guiding those prompts and really fine-tuning the directions given to the model could actually serve to streamline the entire attack chain, even with ransomware attacks from pre-ransomware activity and all the way to the very end of the attack chain. Can we dig into that some? What are some of the elements here that come into play? So ChatGPT will tell you itself that it is a language model. It's not designed to write
Starting point is 00:15:56 scripts or to fast track any types of the technology production process. But because it is trained upon such a large corpus of data, it does have coding expertise. It does know how to create new websites or code for websites. It can also test for vulnerabilities in software and sort of identify the weak spots in an enterprise network's attack surface. Using ChatGPT, this sort of accelerates the process for initial access. So that might be creating, as I did, an info-stealing malware and even the spear phishing email with the link to download the malware in the first place. It might involve testing for the vulnerabilities and weak spots in an organization's systems. It might also be through
Starting point is 00:16:45 establishing access through various other botnets or other types of compromising. It might be through compromised credentials and similar other types of access vectors. After that access has been gained, the pre-ransomware activity, that initial access is granted to those cyber criminals. It can also then support the process of moving laterally, escalating privileges, getting access, identifying the most valuable systems and data, and then again with the right guidance. And this requires quite sophisticated cyber criminal expertise to then help to support and fine-tune the actual malware to drive the ransomware, and that involves high sophistication in encryption, cryptography, and all sorts of other very niche cybercriminal expertise.
Starting point is 00:17:34 But again, with ChatGPT, you can really optimize and accelerate that entire process using the chatbot automation. It's quite amazing, really. So to what degree do you think that this is lowering the barrier of entry for cyber criminals versus, as you say, kind of accelerating the capabilities of folks who already have some expertise in this field, or perhaps it's both? It is both. And it's both because the democratization of these generative AI tools, it's not just that that's contributing to the lower barriers of entry. It's that in tandem
Starting point is 00:18:13 with a multitude of other different factors and trends that we've been noticing across the underground in recent years. That includes these initial access broker markets, which is where threat actors buy and sell their initial foothold into a target enterprise's network. Also through the rise of as-a-service and particularly ransomware as-a-service where these established sophisticated threat actors license out their ransomware technology and infrastructure to less expert affiliates, sort of the novice cyber criminals to then use and distribute almost as their peddlers
Starting point is 00:18:49 or foot soldiers, which allows them to then scale their operations. It's this, the democratization of AI tools is only one part of this trend that we've been witnessing in recent years. It's similar to saying that a 3D printer isn't going to print for you the entire gun, but it will print for you the barrel, the trigger, and all the other different components that you need to make a gun. And if you know how to put it together, or if you've made one part and someone
Starting point is 00:19:17 else's 3D printer has made another part, you put it together, it's in a workable gun that you can use to then go out on the street and shoot someone. The same is with this attack chain, in particular, I was speaking about in my report, the ransomware attack chain. Generative AI tools are not going to allow any cybercriminal to completely curate the ransomware attack chain from A to Z, but it does allow and enable lesser skilled cybercriminals to take part in forms of cyber crime that in the past were only accessible to those with higher levels of expertise. That allows them to then dip their toes in this world of cyber crime and to be involved in the wider collaborative effort of an attack, as it quite often is, whereas there's not
Starting point is 00:20:01 usually one cyber criminal that's responsible for every component of an attack chain. There's a lot of people who have their expertise in different fields and it allows these lesser skilled cybercriminals to take part in the wider cybercrime enterprise and makes even the novice cybercriminals be involved in very intense and highly damaging attacks. That's Delilah Schwartz from Cybersixgill. There's a lot more to this conversation. If you want to hear more, head on over to the Cyber

Eric Goldstein. He is Executive Assistant Director for Cybersecurity at the Cybersecurity and Infrastructure Security Agency.
Starting point is 00:21:19 Eric, welcome back to the show. I want to focus today on this notion of stopping the threat itself, that particular direction that you all come to this mission from. Can we start with some high-level stuff here? I mean, how do you and your colleagues there at CISA come at it from this direction? Absolutely, David. First of all, it's great to be back with you and the team. One of the biggest challenges that we face in cybersecurity as a community, as a nation, is really stepping back and answering the question, what are adversaries doing on American networks today?
Starting point is 00:21:53 How are they breaking into American networks? How are they achieving their goals? Where are they focusing their efforts? And so many organizations, public and private, have pieces of that puzzle, have the ability to identify their activity targeting certain networks. And of course, there are cybersecurity companies doing extraordinary work in this space, but none of us have the full tapestry. Which really makes it hard for us to say, is the problem getting better or getting worse? And so at CISA, one of our real focus areas is advancing what we call operational visibility, which is our ability to work with the community to really get that broad understanding of what are adversaries focusing on, how are they who have national, even global visibility and sharing those insights. So together, we can make the tapestry be a reality and actually drive investment in the right controls. Can you give us a sense for the spectrum
Starting point is 00:22:56 of the cyber threat landscape that you all are keeping an eye on here? Absolutely. It really has to be divided, I think, by intent. We see nation-state adversaries, of course, Russia, China, Iran, among them, who are seeking intrusions for geopolitical gain to gain some advantage over the United States or our allies. We, of course, have seen Russian and Chinese actors, in particular, take advantage of geopolitical events, of course, in Russia's case, proximate to the criminal invasion of Ukraine, to target entities around the world, to gain access, even set the stage for the possibility of future malicious acts. And then, of course, we have actors who are motivated more financially. The North Korean government is, of course, in this category, as are the myriad of criminal groups, many of which have engaged in ransomware, encryption, or exfiltration across far too many networks in this country and around the world. But we've seen really across the board
Starting point is 00:23:56 that very few of these intrusions, whether a nation-state trying to achieve strategic gain or a criminal group seeking financial gain, very few of these intrusions are using, for example, chains of zero-day vulnerabilities, never before seen tradecraft. Most of these intrusions are really using known exploited vulnerabilities, known tradecraft, misconfigurations, reused credentials. And so we know that if we can figure out the most common ways that adversaries are targeting American networks, then we can much more effectively, first of all, detect adversaries,
Starting point is 00:24:32 reduce their dwell time, reduce impact of intrusions, but also drive investment in the most effective detections and controls to reduce their effectiveness over time and increase their marginal costs. What about disruption itself, your ability to get out there and interfere with these threat actors? Yeah, it is such a great question, Dave. You know, the U.S. government, of course, brings a variety of tools to the table. And the tool that CISA brings is cyber defense, right? We are focused on protecting and securing American organizations. But we work hand in glove with our partners across government
Starting point is 00:25:06 who have the ability to impose disruptive costs on our adversaries, whether our partners at U.S. Cyber Command or in federal law enforcement, like the FBI and the U.S. Secret Service. And one thing we try to do is when we get information about an intrusion targeting an American network, share that information really quickly with the permission of the victim with our partners in government who have those authorities. The idea being that if we can build this flywheel of defense to offense such that an adversary targeting an American network
Starting point is 00:25:38 sees consequences from their actions, for example, the infrastructure being taken down hours after their intrusion being undertaken, well, that also imposes costs. And so our idea is to make America the costliest possible target in cyberspace, whether through better defense, by turning attacks on America into actions taken against our adversaries abroad, or by other means, whether financial sanctions or diplomacy. So our adversaries simply think that American organizations are too hard a target and they do something else with their time. How about incident response? You know, when something does happen, what role
Starting point is 00:26:15 can CISA play after the fact? There's a few different roles, Dave. The first is we do maintain an outstanding incident response and threat hunting team that we deploy on both government and private sector networks. Almost always we are deploying in tandem with a private sector or third-party incident response team. And we know that, frankly, in this country, most organizations, the vast majority, are going to contact a third-party IR team for their response. That is absolutely terrific, and we encourage them to do so. At CISA, our goal really is threefold in incident response. The first goal is to make sure that if an organization needs help from the government, we are there to stand ready.
Starting point is 00:26:55 We do a lot of this work with federal agencies and with state and local partners who might need unique help from the federal government or this organization that's being targeted by, for example, a nation-state adversary or experiencing some unique impact. But the second and third goals are equally important. The second goal is to make sure that we are gleaning technical information from incident response around the nation, around the world, that we can rapidly share to safeguard others. And so in that regard, we work really closely with third-party private sector IR firms to learn what they are learning, and with permission of their customers, glean some of that information
Starting point is 00:27:35 that we can then use to populate our cybersecurity advisories, our information sharing. And the third, of course, is to understand trends in adversary activity so that when we publish guidance, we publish direction, it is actually informed about what adversaries are doing on American networks and, indeed, networks around the world. So that if we are saying these controls, these mitigations are most important, that's grounded in reality. That's grounded in what we are seeing in the incident response space, and we are driving investment towards the right mitigations that reduce the most risk. Eric Goldstein is Executive Assistant Director for Cybersecurity at CISA. Eric, thanks so much for joining us.
Starting point is 00:28:15 Thanks so much, Dave. Always a pleasure. Thank you. security solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Allen West from Akamai. We're discussing the Dark Frost Enigma, an unexpectedly prevalent botnet author profile. That's Research Saturday. Check it out. We'd love to know what you think of this podcast.
Starting point is 00:29:41 You can email us at cyberwire at n2k.com. We're privileged that N2K and podcasts like the Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Trey Hester with original music by Elliott Peltzman.
Starting point is 00:30:23 The show was written by Rachel Gelfand. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Starting point is 00:31:24 Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
