CyberWire Daily - Bringing AI up right–realizing its potential without its becoming a threat. (And how deepfakes might be an informational fleet-in-being.)
Episode Date: October 30, 2023
The Hive ransomware gang may be back, and rebranded. Coinminers exploit AWS IAM credentials. LockBit claims to have obtained sensitive information from Boeing. Ukrainian auxiliaries disrupt Internet service in Russian-occupied territory, while internet and telecoms are down in Gaza. Deepfakes have an effect even when they're not used. Joe Carrigan explains executive impersonations on social media. Our guest is David Brumley, cybersecurity professor at Carnegie Mellon and CEO of software security firm ForAllSecure, discussing spooky zero days and vulnerabilities. And President Biden releases a US Executive Order on artificial intelligence. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/207
Selected reading.
New Hunters International ransomware possible rebrand of Hive (BleepingComputer)
CloudKeys in the Air: Tracking Malicious Operations of Exposed IAM Keys (Palo Alto Networks Unit 42)
Boeing assessing Lockbit hacking gang threat of sensitive data leak (Reuters)
Ukrainian hackers disrupt internet providers in Russia-occupied territories (Record)
Israel steps up air and ground attacks in Gaza and cuts off the territory's communications (AP News)
The Destruction of Gaza's Internet Is Complete (WIRED)
Rocket Alert Apps Warn Israelis of Incoming Attacks While Gaza Is Left in the Dark (WIRED)
Elon Musk's Starlink to help Gaza amid internet blackout (Record)
Families of Hostages Kidnapped by Hamas Turn to Phone Pings for Proof of Life (WIRED)
Israel Taps Blacklisted Pegasus Maker to Track Hostages in Gaza (Bloomberg)
A.I. Muddies Israel-Hamas War in Unexpected Way (New York Times)
FACT SHEET: President Biden Issues Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence (The White House)
Administration Actions on AI (AI.gov)
The US Executive Order on artificial intelligence is out. (CyberWire)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The Hive ransomware gang may be back and rebranded.
Coin miners exploit AWS IAM credentials.
LockBit claims to have obtained sensitive information from Boeing.
Ukrainian auxiliaries disrupt Internet service in Russian-occupied territory
while Internet and telecoms are down in Gaza.
Deep fakes have an effect even when they're not used.
Joe Carrigan explains executive impersonations on social media.
Our guest is David Brumley, cybersecurity professor at Carnegie Mellon and CEO of software security firm ForAllSecure, discussing spooky zero days and vulnerabilities.
And President Biden released a U.S. executive order on artificial intelligence.
I'm Dave Bittner with your CyberWire Intel briefing. Cue the sirens and police whistles, please.
Bleeping Computer reports that a new ransomware-as-a-service operation called Hunters International has surfaced and may represent a rebranding of the Hive ransomware gang.
Hive's ransomware racket was shuttered in January 2023
after their operation was infiltrated and disrupted by the FBI and other law enforcement agencies.
Researchers have found that more than 60% of the code used by Hunters International
overlaps with ransomware used by Hive.
The Hunters group has denied connections to the Hive gang, however,
stating,
All of the Hive source code were sold, including the website and old Golang and C versions, and we are those who purchased them.
Palo Alto Networks' Unit 42 is tracking a campaign dubbed EleKtra-Leak, which is performing automated targeting of exposed identity and access management credentials within public GitHub repositories.
The researchers say,
The threat actor associated with the campaign was able to create multiple AWS Elastic Compute instances
that they used for wide-ranging and long-lasting cryptojacking operations.
We believe these operations have been active for at least two years and are still active today.
Unit 42 adds,
We found that the actor was able to detect and use the exposed IAM credentials
within five minutes of their initial exposure on GitHub.
This finding specifically highlights how threat actors can leverage cloud automation techniques
to achieve their goals of expanding their cryptojacking operations.
The Russian ransomware gang LockBit claims to have compromised Boeing systems and taken a tremendous amount of sensitive information from the aerospace firm. Boeing said, according to Reuters, that it's evaluating the claims. LockBit says that if it's not paid by November 2nd, the gang will begin dumping the data publicly.
LockBit said on its leak site, sensitive data was exfiltrated and ready to be published if Boeing do not contact within the deadline.
Citing security researcher Brett Callow, Security Affairs points out that LockBit has in the past not distinguished between a company and a company's vendors, and that from what's known so far, this could be a third-party incident, assuming that it turns out to be anything at all.
LockBit claims to have gained access to Boeing data by exploiting a zero-day, but again, those claims remain uncorroborated. We'll be watching to see how the story develops, but LockBit, assuming that they're not just posturing and beating their chest, seems to be unusually aggressive in this case.
The Record reports that the IT Army of Ukraine conducted DDoS attacks against three Russian ISPs operating in Russian-occupied Ukrainian territory. Service was up and down beginning Friday, with disruptions lasting longest in occupied Crimea.
The IT Army is a true avowed auxiliary service of the Ukrainian government
and not a deniable front group like those Russia has typically marshaled.
In this case, Euromaidan Press notes that the DDoS action was against Russian ISPs
and was reported on the 27th of October by Ukraine's Minister of Digital Transformation.
Internet and mobile telecommunications service in Gaza are largely down, the AP reports. It's in part a kinetic disruption, with infrastructure knocked out by Israeli airstrikes and artillery preparation, but some of the shutdown has been done remotely.
Those aspects of the interruption showed, according to the Washington Post, some intermittent easing Sunday.
Service interruptions are inconvenient for Hamas, but the service interruptions are even harder on civilians in Gaza, who are deprived not only of news, warnings, and emergency services, but also of means of communicating with family.
Elon Musk promised Saturday to provide Starlink connectivity to internationally recognized
humanitarian organizations operating in the region. It will take some time to deliver the terminals.
Israelis in the region are also seeking proof of life for the more than 200 hostages taken in
Hamas's initial assault, and they're looking in their desperation at such data as cell phone pings.
Bloomberg reports that Israel's government is said to have recruited both NSO Group and Candiru, spyware vendors who've both been sanctioned by the U.S., to the war effort, possibly employing them in the search for hostages.
Cyber attacks proper have declined in frequency during the war, but have, according to Axios, increased their global reach. The Russian hacktivist front group Anonymous Sudan has said it's been working against Israel, as SecurityScorecard researchers reported, and it's also claimed it's targeting organizations in Kenya because of Kenya's support of Israel. Two other pro-Palestinian groups, Dark Storm Team and IROX Team, claimed respectively, again without substantiation, to have hit Snapchat to punish the U.S. for its support of Israel and various companies in Brazil also to punish support for Israel. The hacktivists and hacktivist auxiliaries have, for the most part, confined
their operations to DDoS action. Deepfakes have themselves played a negligible role in disinformation campaigns
during the Israel-Hamas war, but their mere possibility has tended to cast doubt on any
evidence that's presented in digital form. The New York Times describes how a potential threat
has had actual effects on the climate of opinion with respect to the current war. So, consumers of information seem to have grown less apt
to receive audio and video as primitive evidence.
In some respects, this may be reassuring.
Perhaps consumers of Internet content are developing healthy critical habits.
But in other respects, it's disturbing.
When all content is suspect, we've taken up residence on the grassy knoll.
So it seems the mere possibility of deepfakes has become the informational equivalent of what
theorists of naval warfare call a fleet in being, that is, a force that need never leave port in
order to have an effect on the war. It's an asymmetric tactic, the kind of thing a weaker force might do to
influence its stronger opponent. And finally, U.S. President Biden this morning issued an
executive order on artificial intelligence. Initially available to the public in the form
of a White House fact sheet, the EO establishes new standards for AI safety and security, protects Americans' privacy, advances equity and civil rights, stands up for consumers and workers, promotes innovation and competition, advances American leadership around the world, and more.
The closing "and more" is seriously intended.
The EO is complex and far-reaching, touching on both the risks and opportunities
the family of emerging technologies presents. Many of the provisions of the executive order
have little to do directly with cybersecurity proper, but those that do include a call for
new standards that would promote AI safety and security, development of watermarks for AI-generated
content that would help consumers assess the authenticity of the information therein,
protections against AI-enabled threats to personal privacy, and guidance for government agencies' responsible use of AI.
Interest in regulating or at least guiding the development and use of AI isn't confined to the U.S. The U.K. is hosting a much-anticipated AI summit this week, and the United Nations has announced the formation of an AI governance advisory committee.
Be sure to join us this Thursday for our Caveat podcast, where we'll be talking with David Brumley, cybersecurity professor at Carnegie Mellon and CEO of software security firm ForAllSecure.
He'll be giving us his perspective on the executive order and its implications.
Coming up after the break, Joe Carrigan explains executive impersonations on social media. Our guest is David Brumley, cybersecurity professor at Carnegie Mellon and CEO of software security firm ForAllSecure, discussing spooky zero days and vulnerabilities.
Stay with us if you dare.
On the eve of Halloween, we thought it might be fun to ponder some of the most spooky exploits out there, the ones that go bump in the night and make cybersecurity experts' skin crawl.
For that, I checked in with David Brumley, cybersecurity professor at Carnegie Mellon and CEO of software security firm ForAllSecure.
So forgive me for being a little bit on the nose here, but with Halloween looming,
I thought it might be fun to check in with you and talk about some of the scariest and
spookiest cyber criminals and tactics that you have your eye on this year.
What do you got for us here, David?
Well, I think the scariest and the spookiest are what I call zero-click exploits. Have you heard of those?
Yes, yes. But please explain for folks who might not be familiar.
Zero-click exploits are really spooky. What it is, is an attacker can actually exploit an iPhone just by sending you a message.
You don't have to read it.
You don't have to look at it.
They just send it to you and they break into your phone.
So that's pretty spooky.
I'd say so.
Is this something that has been recognized and patched or are we still dealing with this?
This is something that periodically crops up.
The most recent one was what's called the WebP vulnerability.
WebP is an image format that Google came up with.
It's lossless, meaning it preserves the image details perfectly.
But there was a bug in the implementation,
both on iOS as well as Chrome,
about the last month, actually.
And attackers were using this to break into iPhones.
In fact, that's how we discovered it. We didn't know about the bug, but people were breaking into
people's phones and some great researchers figured it out.
It's an interesting case because I think it speaks to the desire to support legacy file formats, which I think it's safe to say this image format is,
but that can come with some security risks.
It comes with new security risks.
Actually, this is a newer file format, believe it or not.
It's more web-centric.
Okay.
And so you really only see it in the web context, but it's something that more and more devices are looking at.
But you're spot on that as we increase the number of formats, every time you see a new computer, they boast the latest low-energy Bluetooth or the fastest MP3 decoding or MP4. Each one of those formats introduces new risks because that software hasn't been as heavily tested.
Yeah. It's also interesting to me because I guess in my mind, I categorize an image format as being something that's kind of benign. But this proves that that's not necessarily the case.
I mean, that's what makes it so spooky. I agree with you. You wouldn't think of an image format
as being something that would lead to someone taking over your computer, let alone
not even interacting with it. But things have gotten so advanced, they're so optimized for
being high quality and yet also being small, that they're quite complicated. And that's why bugs
arise. Yeah. What other things do you have your eye on here? What keeps you up at night?
Well, I mean, on the commercial side, it's always these
zero-click exploits, and they pop up maybe two a year or so. So we haven't seen the last. We're
going to continue to see more of them. I think the other thing that keeps me up that's spooky
is just when we look at the world today and how much conflict's going on, the sorts of things
that we've seen in cyber attacks in the past in war.
And one that always comes to mind is actually when Russia attacked the Ukrainian power grid in 2016.
What made that really spooky to me is the Russian operators actually took over the computers and
were moving the mouse around to shut down substations. And of course, the operators were trying like mad to stop it,
but the Russians had taken control of their computers
and the operators could do nothing about it.
So what's so spooky is they were kind of making them watch
as they shut down the grid, right?
You could see the mouse moving on your screen
doing these malicious actions.
And so that sort of thing is pretty spooky to me
where this element of not just
cyber compromise, but almost psychological warfare has been a growing part of the cyber scene.
It's like that old horror movie from when I was a kid, you know, the call is coming from inside the house, right? It messes with your mind.
Absolutely. And of course, I would be remiss not to mention the threat of AI. What AI has done
has made it so easy for attackers to be able to impersonate real people and do it so effectively
that I find myself even looking at messages being like, you know, who is this? Oh, I must know this
person, even though it's some scam. So I think that's one of
the spooky things that unfortunately isn't going away anytime soon. Yeah, you're right. I mean,
it really points to the need for greater scrutiny when we're evaluating these things coming at us.
It used to be that a phishing message was often marked with, you know, bad grammar was a telltale sign, but I guess those days are gone.
Yeah, it's no longer, you know, we've been trying to get in touch with you about your car warranty.
It's, hi, David, how are you doing? What's it been like over the last two years? I saw that you,
you know, went to Hawaii for vacation. And that sort of detail really makes me think I know the person and just don't have their phone number in my phone for some reason. But it's just scammers using incredibly advanced algorithms to learn a lot
of information and spam people. Yeah. As we're coming up on the end of this year and looking
forward to the next, any thoughts or words of wisdom for folks out there who are assigned the
task of trying to make us safer? Well, first, I mean, I think everyone needs to take a minute
and be thankful for their IT and security people.
They got an incredibly hard job trying to prevent these attacks
and track down attackers.
And it's also an incredibly thankless job.
It kind of seems like you can only lose.
So I think that's one of the things as we're going forward.
Just make sure you take time to appreciate everything that they do.
The second part of that is, of course, do everything you can yourself to make
sure you're secure. As we're going online and doing holiday shopping and all those booking trips,
you just have to be vigilant that you're not reusing passwords, that your computer's up to date.
All those things that we ask you to do every year, you need to do every year. And it's not going to be something that we're going to stop asking people to do.
All right. Well, David Brumley is a cybersecurity professor at Carnegie Mellon and also CEO of the software security firm ForAllSecure. David, thanks so much for joining us.
And joining me once again is Joe Carrigan.
He is from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast.
Hey there, Joe.
Hi, Dave.
Interesting article came by.
This is from the folks over at Security Boulevard.
This article is written by Sam Bakken
and is titled Addressing Executive and Social Media Impersonation, Protecting Leaders That Lack an Online Presence.
What's going on here, Joe?
So this is talking about a number of people who have been impersonated online.
Yet another reason social media is terrible.
There's no guarantee that the person you're looking at, whose profile you're looking at is actually that person.
There are these verification programs that Facebook has
and Twitter has the get verified or X now, I guess, right?
Yeah.
Don't want to call it Twitter.
They have the get verified fee that's $7 a month,
but that's pretty simple to get around.
Right.
But what if you don't have a social media account?
What if you don't have any footprint with Facebook, which I think would be smart if you were an executive, right? That's someplace where you don't put yourself out there, so that you don't get attacked that way. I would say that once you get to that level of importance for an organization, you walk away from the things that might expose you to certain risks.
I wonder though, is it better to not have a profile or to have a profile that you can say,
hey, this is the official profile of this person, even if it's not active?
That's right. That's a good point. I would, to that side. And I would have some social media person
managing a platform or managing the profile on all the platforms, which I think that's a better
way to do it. But one of the problems is if you don't have an account on these platforms,
how do you report a fraudulent account? You don't have an in with them, right?
Right. Now there are companies out there who specialize in helping you to take down these fraudulent companies or fraudulent profiles. They're companies like ZeroFox and Black Cloak that do this. That's their business model.
Right. And they're good at it.
Yeah. They have
relationships with the social media companies. You can set up with these companies alerts that
fire off when someone sets up an impersonation for your
company or your executives or even your managers. And then they will begin the process of taking it
down with the social media company and the social media companies listen to these people.
Right. This article also talks about how
X and LinkedIn are better at taking down fraudulent sites or fraudulent profiles.
Meta, not so much.
Not surprised by that.
Yeah.
They speculate that the reason Meta takes longer to take down these accounts is because Meta is focusing on its own verification system, and once they have a verified account, they're going to take care of the verified accounts because, you know, they've put their word behind the verification.
I see. But in order to get the verified account, you have to take a picture of yourself in a mirror
with a government-issued ID. I don't know. I want to give that information to Facebook, to Meta.
Right. I trust them with that. Right. So, yeah, if I were a C-level executive,
I would definitely consider using a company
who specializes in this kind of relationship.
Yeah.
Because you're going to be screaming
into the void by yourself.
Yeah, that's right.
That's right.
They list off some proactive measures
to prevent this sort of impersonation.
Anything catch your eye here?
Well, one of the things they say is what we talked about earlier, and that's setting up an account and keeping
control of it. Yeah. You probably have a social media manager handle that. That way, you don't
have to worry about it. You don't have to worry about the old midnight tweet that comes out when
you're feeling punchy. You don't even have access to it.
That's probably the best thing. Yeah. But do that land grab. Do that land grab. Get out there in
front of it. Also, they have some links to some verification services from these different
providers. So you can actually get verified with companies like Meta, LinkedIn, and Twitter.
Yeah. When can we stop saying Twitter or X, formerly Twitter?
I don't know.
Yeah.
Terrible name.
X is just a bad name.
That's the bottom line as far as I'm concerned.
So it's frustrating because I have to say it a couple times a day.
I have to say X, the platform formerly known as Twitter.
Right.
That's where we are, Joe.
Yeah.
All right.
Well, again, this article is from the folks over at Security Boulevard.
It is Addressing Executive and Social Media Impersonation.
Joe Carrigan, thanks for joining us.
My pleasure, Dave. Thank you.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment. I join Jason and Brian on their show for a lively discussion of the latest news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights
that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire
are part of the daily intelligence routine of many of the most influential leaders and operators
in the public and private sector,
as well as the critical security teams supporting the Fortune 500
and many of the world's preeminent intelligence and law enforcement agencies.
Jennifer Eiben. Our mixer is Trey Hester with original music by Elliot Peltzman. The show was
written by our editorial staff. Our executive editor is Peter Kilby and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.