CyberWire Daily - Can connected cars jeopardize national security?
Episode Date: September 23, 2024The US is set to propose a ban on Chinese software and hardware in connected cars. Dell investigates a breach of employee data. Unit 42 uncovers a North Korean PondRAT and a red team tool called Splin...ter. Marko Polo malware targets cryptocurrency influencers, gamers, and developers. An Iranian state-sponsored threat group targets Middle Eastern governments and telecommunications.The alleged Snowflake hacker remains active and at large. German officials quantify fallout from the CrowdStrike incident. Apple’s latest macOS update has led to widespread issues with cybersecurity software and network connectivity. Our guest is Vincenzo Ciancaglini, Senior Threat Researcher from Trend Micro, talking about the uptick in cybercrime driven by the generative AI explosion. Supercharging your graphing calculator. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Our guest is Vincenzo Ciancaglini, Senior Threat Researcher from Trend Micro, talking about the uptick in cybercrime driven by the generative AI explosion. Read their blog "Surging Hype: An Update on the Rising Abuse of GenAI" here. Selected Reading Exclusive: US to propose ban on Chinese software, hardware in connected vehicles (Reuters) Dell investigates data breach claims after hacker leaks employee info (Bleeping Computer) North Korea-linked APT Gleaming Pisces deliver new PondRAT backdoor via malicious Python packages (Security Affairs) Global infostealer malware operation targets crypto users, gamers (Bleeping Computer) Iranian-Linked Group Facilitates APT Attacks on Middle East Networks (Security Boulevard) Hacker behind Snowflake customer data breaches remains active (CyberScoop) Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool (Palo Alto Networks) Organizations are changing cybersecurity providers in wake of Crowdstrike outage (Help Net Security) Cybersecurity Products Conking Out After macOS Sequoia Update (SecurityWeek) Secret calculator hack brings ChatGPT to the TI-84, enabling easy cheating (Ars Technica) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my
personal information from hundreds of data brokers. I finally have peace of mind knowing
my data privacy is protected. Delete.me's team does all the work for you with detailed reports
so you know exactly what's been done. Take control of your data and keep your private life Thank you. JoinDeleteMe.com slash N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K. The U.S. is set to propose a ban on Chinese software and hardware in connected cars.
Dell investigates a breach of employee data.
Unit 42 uncovers a North Korean pond rat and a red team tool called Splinter.
Marco Polo malware targets cryptocurrency influencers, gamers, and developers.
An Iranian state-sponsored threat group targets Middle Eastern governments and telecommunications.
The alleged Snowflake hacker remains active and at large.
German officials quantify fallout from the CrowdStrike incident.
Apple's latest macOS update has led to widespread issues with cybersecurity software and network connectivity.
Our guest is Vincenzo Ciacanglini, senior threat researcher from Trend Micro,
talking about the uptick in cybercrime driven by the generative AI explosion.
And supercharging your graphing calculator.
It's Monday, September 23rd, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing. Happy Monday, and thank you for joining us here today.
The U.S. Commerce Department is set to propose a ban on Chinese software and hardware in
connected and autonomous vehicles,
citing national security risks, according to sources.
Reuters reports the proposed regulation aims to prevent Chinese-made vehicles
with critical communication or autonomous systems from being imported or sold in the U.S.
This move reflects growing concerns about the data collection practices of Chinese
companies on U.S. drivers and infrastructure, as well as the potential for foreign control
of vehicles connected to the Internet. This proposal is part of the Biden administration's
broader efforts to limit Chinese technology in sensitive industries. Recent actions include raising tariffs on Chinese
electric vehicles, batteries, and minerals. Commerce Secretary Gina Raimondo emphasized
the potential dangers of millions of connected cars being compromised. In February, President
Biden ordered an investigation into whether Chinese vehicle imports pose security risks due to connected
car technology. The new rules would take effect in phases, starting with software in 2027 and
hardware by 2029. The restrictions will target vehicles with Bluetooth, satellite, and wireless
features, including autonomous cars. The proposal allows for public comments before finalization.
Automakers like General Motors, Toyota, and Volkswagen warned that such changes would
require significant time due to the complexity of pre-production testing. The regulation would
also extend to other foreign adversaries such as Russia and is aimed at safeguarding U.S. vehicle
supply chains. Dell is investigating claims of a data breach after a hacker called Grep leaked
information for over 10,000 employees. The hacker alleged that the breach occurred earlier this
month, exposing internal employee and partner details, including unique identifiers, full names, employment status, and internal ID strings.
While only a small sample of the data was shared for free,
the full database is allegedly available for purchase on a hacking forum.
Dell confirmed to Bleeping Computer that their security team is investigating the claims.
This is not the first time GREP has made such allegations,
as they also claimed responsibility for a breach of French IT giant Capgemini earlier in September.
Earlier this year, Dell also faced a breach involving 49 million customer records.
involving 49 million customer records.
Researchers from Palo Alto Network's Unit 42 uncovered a North Korean-linked malware campaign
distributing Pond Rat through poisoned Python packages.
The threat actor, Gleaming Pisces, also known as Citrine Sleet,
previously deployed macOS malware Pool Rat,
and Pond Rat appears to be a lighter variant.
The attackers uploaded malicious packages to the PyPy repository to compromise developer systems, targeting supply chains and their customers.
Gleaming Pisces, active since 2018, is known for sophisticated attacks on the cryptocurrency industry.
is known for sophisticated attacks on the cryptocurrency industry.
Pondrat shares code similarities with Poolrat,
including overlapping structures and encryption keys, linking this campaign to previous AppleJuice operations.
Once installed, the malware runs bash commands to download and execute the rat,
posing a significant detection risk to organizations.
Pondrat's functionality is more limited, but still poses a serious threat.
Additionally, Palo Alto Networks discovered a new post-exploitation Red Team tool called
Splinter using advanced Wildfire's memory scanning tools.
Splinter, developed in Rust, was found on customer systems and is used
for tasks such as executing commands, uploading and downloading files, and gathering information
from cloud services. Although its capabilities are less advanced than tools like Cobalt Strike,
Splinter can still pose a serious threat if misused by criminals. The discovery highlights the growing number of red-teaming tools available,
emphasizing the need for continuous detection and prevention measures.
Recorded Futures' Insect Group has uncovered a massive malware operation
attributed to the cybercriminal group Marco Polo.
The effort spans 30 campaigns targeting various demographics and system platforms.
The group spreads 50 malware payloads, including Amos, Steel C, and Radamanthes,
via malvertising, spear phishing, and brand impersonation.
These campaigns have compromised tens of thousands of devices globally,
leading to significant financial losses and privacy risks.
Marco Polo highlights high-value individuals like cryptocurrency influencers, gamers, and developers using fake job offers and project collaborations to trick victims into downloading malware.
Impersonated brands include Fortnite, Zoom, and RuneScape, among others.
The malware impacts both Windows and macOS systems with tools designed to steal data, including browser info,
crypto wallets, and even Apple keychain passwords.
An Iranian state-sponsored threat group, UNC-1860, is likely linked to Iran's Ministry of
Intelligence and Security and is acting as an initial access broker for cyberattacks targeting
Middle Eastern governments and telecommunications. According to Mandiant researchers, UNC-1860
specializes in deploying backdoors and custom tools that provide persistent
access to high-priority networks. One notable tactic is repurposing a Windows kernel mode driver
from Iranian antivirus software to evade detection. UNC-1860 supports espionage and network attack
operations and shares similarities with other Iranian threat groups like APT-34.
The group uses custom malware controllers, web shells, and droppers,
allowing other Iranian actors to continue exploiting compromised networks.
Their custom coding, including encryption techniques,
aids in bypassing security tools,
posing a significant threat to consumer privacy and business continuity across the region.
A hacker known as Judish, responsible for much of the Snowflake customer data theft earlier this year,
remains active, according to Mandiant's senior threat analyst Austin Larson.
Speaking at the SentinelOne LabsCon security conference,
Larson revealed that Judish continues to target software-as-a-service providers.
The hacker, a 26-year-old software engineer from Ontario, Canada,
allegedly played a key role in the April breach
of up to 165 Snowflake customers using stolen credentials.
While only dozens of companies were extorted, victims include AT&T, Ticketmaster, and Santander.
Judish and Associates have extorted up to $2.7 million. The hacker collaborated with John Binns,
who was arrested after an AT&T data breach and remains in Turkish custody.
Both hackers are part of a cybercriminal network called The Calm, involved in hacking, extortion, and other illegal activities.
A recent survey by Germany's Federal Office for Information Security and Bitcom revealed the impact of a massive worldwide
outage caused by a faulty CrowdStrike update on German companies. Of the 311 companies polled,
62% were directly affected and 48% were indirectly impacted, leading to disruptions in business
operations. On average, it took affected companies 10 hours to fully
resume operations and two days to resolve the issue. The incident highlighted the importance
of emergency preparedness, with 62% of affected companies having an emergency plan, most of which
worked effectively. In response, many companies are enhancing their cybersecurity measures,
In response, many companies are enhancing their cybersecurity measures, including revising IT emergency plans, improving patch management, and implementing zero-trust architecture.
Additionally, 10% of companies are considering changing their cybersecurity providers, and 30% are diversifying their IT security solutions. Apple's macOS 15 Sequoia update has led to widespread issues
with cybersecurity software and network connectivity.
Users reported problems with tools from CrowdStrike, ESET, Microsoft, and Sentinel-1.
CrowdStrike advised customers to avoid updating,
noting Apple was informed of the compatibility problems, but a fix is not expected.
MIT also warned users that CrowdStrike Falcon is unsupported on Sequoia.
ESET acknowledged network issues and recommended updating to supported versions.
Microsoft reported network crashes with its network protection feature, advising against
upgrading for now. The update also disrupted VPN, RDP connections, and web browsers. Security
researchers noted that modifying firewall settings could resolve connectivity problems,
but warned it could increase security risks. Patrick Wardle, the well-known researcher specializing in Apple product security,
stated that several individuals had notified Apple about these issues prior to the release of Mac OS 15 Sequoia,
but Apple chose to ship the update anyway.
Coming up after the break, my conversation with Vincenzo Ciancaglini,
senior threat researcher from Trend Micro.
We're talking about generative AI and cybercrime.
Stay with us. Transat presents a couple trying to beat the winter blues.
We could try hot yoga.
Too sweaty.
We could go skating.
Too icy.
We could book a vacation.
Like somewhere hot.
Yeah, with pools.
And a spa.
And endless snacks.
Yes!
Yes!
Yes! Yes! Yes!
With savings of up to 40% on Transat South packages,
it's easy to say, so long to winter.
Visit Transat.com or contact your Marlin travel professional for details.
Conditions apply.
Air Transat. Travel moves us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta. Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Vincenzo Ciancaglini is Senior Threat Researcher at Trend Micro. I recently sat down with him to
talk about the uptick in cybercrime driven by the generative AI explosion.
So this is the third of a series of reports that we started doing since August 2023, pretty much.
To give you a general context, I work, again, as a senior threat researcher in a team in Trend Micro that is tasked to do technology scouting three to five years in the future.
So we are the ones that are looking at within Trend and how the technology will evolve in the near future.
What would be the social impact of the technology evolution?
And most importantly, what are the criminal application of this evolution?
criminal application of this evolution. So we are, we can safely say that we are a healthy balance of technology
research and cyber crime investigations.
We are also the team that keeps the liaison with law enforcement and so
on, because that grounds us and gives us again, the grounding to understand
where practically are criminal going with technologies and their mindset.
So with that in mind, again, it's been pretty much ever since
ChatGPT got released that we started seeing reports going around about cyber criminals
allegedly developing advanced malware and criminal LLMs and so on. And so we decided basically to look at it for ourselves. And so I sat with my colleague,
David Sancho, and we started looking into underground forums on what were the actual
discussions like done by criminals around everything related to generative AI. And in
these third issues, these third posts of our blog series,
this is where we focus specifically on an underground marketplaces
that finally gave us a glimpse of what services are focusing mostly around deepfakes.
So in the first of the series, we looked at like criminal LLMs, for example,
looking exactly at trying you know, trying
to debunk a little bit what were the claims that criminals were in fact training their own criminal
versions of ChatGPT. We had a second issue where we sort of follow up with that and went a little
more in depth. And in this third one, we finally found what we were the missing piece that we
didn't have before, which was what about DeepFace? Can we finally see deepfake services? And yes, we did. So this
is why we decided to basically come out with these publications. Well, let's talk about that.
What exactly are you seeing when it comes to the availability of deepfakes? So what we've seen very recently, actually, this is kind of weird from our point of view
because deepfake as a technology is not that recent.
We have been talking about it.
The earliest of our publication,
at least from our point of view,
was from 2020,
where we had an investigation,
a publication with Europol and the United Nations.
And deepfake was considered back then to be the crown jewel of generative AI for criminal uses back then.
And even since 2020, so we knew that the technology was there.
We knew it was used by high-level actors.
used by high-level actors.
What we were missing were commercial services that would make DeepFake available to regular people.
So this is what we are finally seeing today.
This is the sort of services that we published in our latest post, which
really covers this, I think there are four or five services that we found for basically sale into this
underground marketplace.
So one being the, let's say that the most out of context is the DeepNude Pro, which
is a service dedicated to, you guess by the name, gets fake nudes of somebody you
might know. You take the picture of somebody, can nudify the victim, even
offering like the abilities to alter their attributes, their physical
attributes and so on. That goes for 150 US dollars for a lifetime subscription.
We found services that are more inclined
to deepfake as a social engineering tools
with different aspects.
So there's one, for example,
that allows you to create 3D avatars.
So this is something that you might want to adopt
when you want to do mass campaigns.
You know, when you want to create that tailored message or where
it's something like, this is a message just for you, Dave, you know, now you can make it with a
video avatar, with an avatar, starting from a regular picture that gives you the 3D model,
where you can set up the lightning, where it comes from, and it can then pretty much follow
either a recorded audio or read out the text.
So that for large-scale attacks would be perfect.
We found tools that allow you to create live deepfakes or recorded ones, again, depending on the tools.
And these go for very low prices.
We are talking about $200 to $400 for lifetime subscriptions, basically.
So how easy is it for someone to find this sort of thing? If I set my sights on becoming a deepfake criminal or using deepfakes in my enterprises,
what's the barrier to entry for me to engage with these companies?
It's most likely a Google search away.
The marketplace that we found,
it's a Telegram marketplace.
So it might a little harder to spot.
But if you have any experience with Telegram,
you'll see that it's really not that difficult.
There is no entrance fee.
There is no
vetting of yourself. You just click on join and you're
joining the channel. And from there, they regularly post
offerings for different services, amongst which
there's also Deepfake. So some of these services act as a Telegram
bot, but this is mostly for the criminal LLMs.
For the DeepNude Pro, DeepFake 3D Pro apps, they are pretty much either online services or application that you can download.
The SwapFace, I believe it acts as an OBS filter, if I recall correctly. So you can literally use it with your own streaming software.
streaming software. So part of what you cover in your report here is looking towards the future of trying to predict what's next. Tell us about that. Where do you suppose we're headed from here?
So for generative AI in general, we believe that it's going to help automate and scale up criminal operations a lot.
Again, if you think about LLMs, really what criminals are doing are the exact same thing that we are doing with regular LLMs, which is increased productivity, get some documentation,
get some development support, and so on.
With the revolution, we can expect them to use them more reliably to scale up basically everything related to social engineering, to writing phishing scripts or writing mass emails that could have more variations in the messages that could be written better than the usual spam emails that you receive.
I can give you an example.
So in this regard specifically, there's this new form of scam called pig butchering.
You might have heard about it. It's particularly specifically popular in Southeast Asia.
And when you think about it, what does this involve? So it involves finding people with a relatively lonely profile that could be
substantive to advances by an interested party.
So you befriend them, you carry on conversation, you pretend to be an interested party.
From there, once you have their interest, you can lure them into trading chat rooms,
right, when they'll see opportunities of trading
on different assets and so on,
up to the point where they'll finally take the leap
and go into a fake investment website,
where they will invest, you know,
with the help of you, the interested party,
a huge amount of money that will ultimately disappear.
When you think about all of these different phases,
you think about like sifting through profiles, looking, you know, analyzing the profiles to find
the lonely one, through animating a conversation, moderating a chat room with fake adverts,
to generating the fake websites. These are all things that LLMs, for example, these are pretty much the earliest demos
of GPT-3 back then. So the tools are there, and they are slowly making their ways to becoming
production tools for criminals. We've seen an article about, I believe it's a provider of
criminal services called QE1 Guarantee,
who, if I recall correctly, was in fact offering services to criminals,
like managing payments and so on, but is starting offering AI services as well. So all the pieces of the puzzles are there for criminals to basically start using LLMs for that very regard.
For deepfake, we are pretty much there.
I would expect criminal,
basically the tools to become more and more available.
Deepfakes still require
a fairly decent computational power
to be, especially to be trained,
but the barrier is becoming lower and lower.
So for deepfakes,
we really expect to become more and more popular
amongst criminals.
And my hope in this regard is that by the time they become popular enough and sophisticated enough,
there will be enough awareness in the victims and the regular folks that they'll pretty much
become the new CGI, something that everybody knows about that can be even used as an excuse so that people will not even fall for it.
That's Vincenzo Ciancaglini from Trend Micro.
You can read their blog, Surging Hype, an update on the rising abuse of Gen AI.
We'll have a link in the show notes. Thank you. to see how a default-deny approach can keep your company safe and compliant.
And finally, when I was in college back around 1990 or so,
one of my roommates was an electrical engineering major.
He told the tale of a clever group of double E majors
who programmed their HP calculators
to use the built-in infrared transmitters and receivers
to enable a local text chat network.
Essentially, anyone in the same room
could send and receive messages from each other.
This was years before wireless protocols like Wi-Fi or Bluetooth became commonplace.
It was a clever hack, and legend has it that it also proved extremely useful
when these old-school hackers found themselves in the same room taking an exam.
Fast forward to today, where YouTube creator Chromalock
shared a video detailing how he modified
a Texas Instruments TI-84 graphing calculator
to connect to the Internet and access OpenAI's ChatGPT,
potentially aiding students in cheating on exams.
Titled, I Made the Ultimate Cheating Device, the video showcases a custom hardware modification
using a Wi-Fi-enabled microcontroller to interface with the calculator.
The device allows users to input problems and receive chat GPT responses on the calculator's
screen.
Chromalock designed the custom circuit board called TI32 and created software to integrate
the calculator with ChatGPT. He encountered several engineering challenges, including voltage
and signal integrity issues, before finalizing the design. The modified calculator can also
download apps like image browsers and cheat sheets, all while remaining undetectable.
While the project highlights technical ingenuity, using such a device during tests would likely be
considered academic dishonesty, and students should be cautious of potential consequences.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast,
where I contribute to a regular segment on Jason and Brian's show every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show,
please share a rating and review in your favorite podcast app. Please also fill out the survey in
the show notes or send an email to cyberwire at n2k.com. We're privileged that
N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the
public and private sector, from the Fortune 500 to many of the world's preeminent intelligence
and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment,
your people. We make you smarter
about your teams while making your teams smarter. Learn how at n2k.com. This episode was produced by
Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Iben. Our executive editor is Brandon Karp. Simone Petrella
is our president. Peter Kilby is our publisher. And I'm Dave B executive editor is Brandon Karp. Simone Petrella is our president.
Peter Kilby is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here
tomorrow. Thank you. platform comes in. With Domo, you can channel AI and data into innovative uses that deliver
measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.