CyberWire Daily - Court puts the ‘spy’ in spyware.
Episode Date: December 23, 2024

A federal judge finds NSO Group liable for hacking WhatsApp. China accuses the U.S. government of cyberattacks. The UK's Operation Destabilise uncovers a vast criminal network. An alleged LockBit developer says he did it for the money. Apache releases a security update for their Tomcat web server. Siemens issues a security advisory for their User Management Component. Italy's data protection authority fines OpenAI $15.6 million. Researchers demonstrate a method to bypass the latest Wi-Fi security protocol. Apple sends potential spyware victims to a nonprofit for help. Our guest is Sven Krasser, CrowdStrike's Senior Vice President Data Science and Chief Scientist, talking about balancing AI and human intervention. Hackers supersize their McDonald's delivery orders.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today, our guest is Sven Krasser, CrowdStrike's Senior Vice President Data Science and Chief Scientist, talking about balancing AI and human intervention.

Selected Reading
Judge rules NSO Group is liable for spyware hacks targeting 1,400 WhatsApp user devices (Recorded Future)
Chinese cyber center points finger at U.S. over alleged cyberattacks to steal trade secrets (CyberScoop)
Inside Operation Destabilise: How a ransomware investigation linked Russian money laundering and street-level drug dealing (Recorded Future)
Suspected LockBit dev faces extradition to the US (The Register)
Apache fixes remote code execution bypass in Tomcat web server (Bleeping Computer)
Siemens Warn of Critical Vulnerability in UMC (GovInfoSecurity)
Italy's Privacy Watchdog Fines OpenAI for ChatGPT's Violations in Collecting Users Personal Data (SecurityWeek)
WPA3 Network Password Bypassed via MITM Attack & Social Engineering (CyberSecurityNews.com)
Apple Warns Users Of iPhone Spyware Attacks—What You Need To Know (Forbes)
McDonald's Delivery App Vulnerability Let Anyone Place an Order for Just $0.01 (CyberSecurityNews.com)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A federal judge finds NSO Group liable for hacking WhatsApp.
China accuses the U.S. government of cyber attacks.
The U.K.'s Operation Destabilise uncovers a vast criminal network.
An alleged LockBit developer says he did it for the money.
Apache releases a security update for their Tomcat web server.
Siemens issues a security advisory for their user management component.
Italy's Data Protection Authority
fines OpenAI $15.6 million.
Researchers demonstrate a method
to bypass the latest Wi-Fi security protocol.
Apple sends potential spyware victims
to a non-profit for help.
Our guest is Sven Krasser,
CrowdStrike's Senior Vice President
of Data Science and Chief Scientist,
talking about balancing AI and human intervention.
And hackers supersize their McDonald's delivery orders.
It's Monday, December 23rd, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thanks for joining us here today. Great to have you with us, as always.
A federal judge in California has ruled that NSO Group, the developer of Pegasus spyware,
is liable for hacking 1,400 WhatsApp users, including activists, journalists, and diplomats.
This marks the first time the company has been held accountable for its role in spyware abuses.
Meta-owned WhatsApp filed the lawsuit in 2019,
alleging NSO exploited a bug in its platform to install spyware on users' devices.
NSO repeatedly bypassed WhatsApp's security defenses over two years, targeting victims globally.
The court found NSO violated
the Federal Computer Fraud and Abuse Act,
California's Comprehensive Computer Data Access and Fraud Act,
and WhatsApp's Terms of Service.
Judge Phyllis Hamilton criticized NSO
for failing to produce complete Pegasus source code,
a factor in her decision to impose sanctions.
NSO executives admitted in depositions that the company controlled data extraction from hacked devices
and designed Pegasus to circumvent WhatsApp's security measures. Court evidence showed NSO
developed new malware even after WhatsApp sued them. This ruling is seen as a victory for spyware victims,
signaling increased accountability for spyware companies.
Natalia Krapiva of Access Now hailed the decision,
emphasizing its importance for digital security and human rights.
Damages will be determined in March.
NSO did not comment on the ruling.
WhatsApp and advocates for victims expressed
hope that this decision would deter similar abuses by spyware developers in the future.
China's National Cyber Incident Response Center has accused the U.S. government of cyber attacks
targeting two Chinese tech firms to steal trade secrets. In a public notice, CNCERT claimed a U.S. intelligence agency was responsible,
citing incidents in May 2022 and August 2023.
One attack targeted a high-tech company in China's smart energy sector,
exploiting Microsoft Exchange vulnerabilities to implant backdoors and gain control over company systems.
The second attack infiltrated an advanced material research unit
by exploiting a document management system vulnerability, infecting over 270 hosts with Trojans.
The allegations come amid heightened tensions,
with the U.S. accusing China of cyber espionage and breaches of telecom networks.
CNCERT, which is tied to China's Ministry of Industry and Information Technology,
has escalated claims of U.S. cyber attacks in recent years.
The U.K.'s National Crime Agency recently unveiled Operation Destabilise,
a four-year investigation uncovering an unprecedented
financial chain connecting street-level drug dealing to global money laundering networks.
This effort exposed links between ransomware groups like Ryuk and Conti, Russian businesses,
and entities funding espionage and sanctions evasion. The investigation began in 2021 with blockchain analysis of ransomware payments.
It soon expanded to reveal billions laundered through Russian entities Smart and TGR Group,
led by high-profile figures Ekaterina Zhdanova and George Rossi.
A key breakthrough came in November 2021 with the arrest of cash courier
Fawad Saiedi, who had laundered over £15.6 million in a cash-for-crypto scheme tied to Zhdanova.
The operation uncovered vast networks laundering money for drug cartels,
organized crime, and Russian elites utilizing cryptocurrency to evade detection.
Despite challenges, the NCA tackled both street-level crime and high-level conspiracies,
marking a significant step in combating global financial crime.
Israeli authorities arrested alleged LockBit ransomware developer Rostislav Panev,
a dual Russian-Israeli national, in August 2023 at the request of the United States.
Panev faces 41 charges, including computer-related extortion and conspiracy.
U.S. officials argue Panev developed malware for LockBit,
including tools to bypass antivirus protections and deploy ransomware,
receiving $10,000 monthly payments from LockBit leader Dmitry Khoroshev.
LockBit, active since 2020, extorted over $500 million and infected 2,500 victims globally before its disruption in 2024.
Panev's arrest follows international efforts to
dismantle the gang. Panev admitted to coding for LockBit from 2019, initially claiming ignorance
of its criminal use, but later acknowledging he continued for the money. Investigators found
LockBit's source code and credentials on his computer, linking him to the operation.
Panev awaits extradition to the U.S. to face charges.
Apache has released a security update addressing a remote race condition that affects multiple Tomcat versions on case-insensitive file systems with the default servlet write enabled.
Users should upgrade, and Apache says future updates will enforce safer defaults.
Siemens has issued a security advisory for a critical heap-based buffer overflow vulnerability in its user management component, affecting industrial control systems used in manufacturing and
energy sectors.
Exploitation could allow attackers to execute arbitrary code, disrupt operations, exfiltrate
data, or manipulate critical systems.
Affected products include Opcenter Execution Foundation, SIMATIC PCS neo, and
SINEC NMS. Siemens has released patches for some products and advises restricting access to ports
4002 and 4004. Italy's Data Protection Authority fined OpenAI $15.6 million for unlawfully processing personal data to train ChatGPT
and lacking transparency with users.
The investigation also found inadequate age verification,
exposing minors to inappropriate content.
OpenAI called the fine disproportionate and plans to appeal,
noting it exceeds their revenue in Italy during the period.
The company agreed to run a public awareness campaign and remains committed to privacy compliance.
The case highlights growing global regulatory scrutiny of AI systems like ChatGPT.
Researchers from the University of the West Indies demonstrated a method to bypass WPA3,
the latest Wi-Fi security protocol, to obtain network passwords.
WPA3 was designed to improve on WPA2 by introducing features like simultaneous authentication of equals to prevent offline attacks.
However, the researchers exploited weaknesses in WPA3's transition mode,
which allows compatibility with WPA2 devices.
Using a downgrade attack, they captured the WPA3 handshake,
deauthenticated users, and created a rogue evil twin access point with a captive portal to steal
passwords. The attack, requiring specific conditions and user interactions, highlights
vulnerabilities in networks without protected management frames enabled. The findings stress
the need for user education, proper configuration, and further investigation to strengthen WPA3 against technical exploits and social engineering.
Picture this. You receive a notification from Apple on your iPhone warning that spyware hackers are targeting you.
The alert sounds serious, even alarming, but instead of offering help, Apple points you to a non-profit organization
for support. That's how Apple's spyware notification system works, and it's been
quietly operating since 2021. Designed to warn individuals of highly targeted attacks,
the system has notified users in over 150 countries. These attacks, often linked to
mercenary spyware like Pegasus, target specific
individuals based on who they are or what they do. While the notifications highlight the risk,
Apple doesn't provide direct technical assistance, leaving victims to seek help from organizations
like Access Now or Amnesty Tech for forensic analysis.
For those who suspect spyware, tools like the MiSecure app can scan devices for threats,
offering capabilities comparable to those used by governments.
Still, critics wonder why Apple, a tech giant with vast resources,
redirects users to nonprofits rather than deploying its own expertise.
Apple assures users that these attacks are rare and advises keeping devices updated and rebooting regularly to disrupt potential spyware. Still, the company's hands-off approach raises questions
about responsibility. Why point users elsewhere when the stakes are so high? For now, Apple remains
tight-lipped. Coming up after the break, Sven Krasser from CrowdStrike discusses balancing AI
and human intervention, and hackers supersize their McDonald's delivery orders.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews,
and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their
personal devices, home networks, and connected lives. Because when executives are compromised
at home, your company is at risk. In fact, over one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Sven Krasser is Senior Vice President of Data Science
and Chief Scientist at CrowdStrike.
I recently caught up with him to discuss
balancing AI and human intervention.
I would say in the cybersecurity industry that leveraging AI is table stakes right now. Like
that's something that companies just need to take a look at. It is not necessarily an easy feat,
though. And I think one of the challenges is to build resilient and robust AI systems that can learn from human insights and improve over time.
Basically, you need to set up processes and flywheels that result not in just having a great AI model, but in having a process that produces better and better AI models as the threat landscape emerges and evolves and as adversaries adapt.
I'm curious, from your position as a scientist, what was it like to see these tools come along and grow in their prominence?
Yeah, I think there's quite some adjustment in the perception of it.
I remember when I got started with this,
I don't think anybody was really interested in how the sausage was made.
I felt like we're using these very cool algorithms back there in our systems,
and people were more along the lines of,
yeah, just keep me secure. Sounds interesting.
I think that really changed.
I think there is a heightened awareness about the utility of these types of tools.
And I think in the public eye, there is a lot more shared excitement now what these tools can do.
And I think that is good in the sense that more people understand the promise and the importance of these types of technologies.
On the other side, on the flip side of the coin, there's always a risk in trusting too much on just AI technology.
It is not the panacea that really solves all of our problems as the
human species. I think we still need human review, human input, human ground truth to make
the system successful. So that's something that sometimes gets lost in all the enthusiasm and
hype that we're experiencing right now.
So how do you go about balancing those needs? How do you make use of the promise of AI, but also keep the humans in the loop?
I think in our case, that really is naturally evolving around how we set things up at CrowdStrike.
I've been here since day one.
So making this successful play to bring AI technology
and has been something that has been on the forefront of my mind
and the mind of all the other early employees that started here.
So it's not something that we bolted on, but that we
considered as a design objective from the get-go. And I think that that shows in the way how we're
managing our offerings and services. Anytime human analysts are reviewing something for our
managed services offerings, for our incident response offerings.
There's insights that these humans bring to the table about what the adversary has been doing, what the adversary has been attempting.
And we're structuring our internal procedures in such a way that that information becomes
fuel for the AI.
And that's this flywheel
that I was mentioning earlier, right?
Because these parts of the overarching system,
like the human aspect, the AI aspect,
they really feed into each other.
Like the better the AI is flagging abnormalities,
the more efficiently humans can review
and provide insights, right?
And like the more insights there are with like firm and grounded review,
the better the AI can be trained to give better results, right?
So we're moving like every day as we're doing our jobs here at CrowdStrike,
we're moving more information, more potential threats from the domain of, like, this looks fishy,
someone needs to take a look at it, into the domain of, we're certain that this is good,
or we're certain that this is bad, right? And that means we're freeing up time for the humans
to take a look at the remaining, like, less suspicious things to see if anything tries to
fly under the radar there. And I think this is really what gets me excited about this technology.
Every day as you do your job, by virtue of how we have set this up,
we can do a better job and we can do better countering the adversary.
When you look at the range of tasks that people are doing in cybersecurity,
are there certain things that are more suited
for assistance from AI and some things that maybe aren't as good a fit?
Yeah, I think there's a lot of work that needs to happen for effective security, right? Like,
if you take this, like, in two parts, right? Like, there's the, the, let's call it traditional predictive AI, there's the generative
AI. The predictive AI, like classifiers that take a look at data and tell you if this data is good
or bad, right? Like those classifiers can work with a lot of input data at very, very high speeds
and in very, very complex scenarios. I like to describe this
as this high-dimensional feature space where lots of records with lots of different dimensions
can be analyzed very, very swiftly at line speed to basically stop the threat in its tracks.
And then there is the generative AI aspect,
like basically conversational systems, say,
or systems that can now work with a lot of unstructured data
and digest the essence out of that.
Those systems, they tend to be a little bit slower
just by virtue of how much more compute is required to pull that off,
so they aren't necessarily working at line speed.
However, they can take a lot of data that previously, say, a human had to review
and reason about that
and point to the important aspects of the data
or provide summaries or assessments.
So it can really accelerate human workflows
by using this generative AI technology.
It can accelerate the human workflow.
And for us, we're always on the clock, right?
Like the time it takes an adversary to move laterally,
like from establishing a beachhead
to basically entrenching itself in a victim network,
like that time has been trending down and down and down.
And since this is a race and we're on the clock, this is really a technology that can
help the defender in large extents because it makes it very, very easy to review and
reason about large chunks of unstructured information.
What about human intuition?
Is there still a place for that, where someone just looks at something, looks at some data, reads some research or
something and says to themselves, this just doesn't feel right, and I'm not sure
but I sense that I need to do some digging here.
Yeah, I mean, there's definitely something to it.
And cybersecurity is a battle of human minds
against human minds eventually, right?
Like there's humans that want to steal something,
information, say, from other humans.
And AI is a tool in that game,
but it's still a game of human wit.
So we need to leverage AI
because the adversary certainly is looking
for every edge that they can get.
But I would say there is value in human intuition.
If I can kind of nail it down a little bit with a metaphor,
there's some games that computer systems are very good at
playing these types of games, like, say, chess, for example.
Chess systems are very smart at this point.
Other games, like, let's say, poker,
they are a lot harder for automated systems to excel in because there's a lot of reading the room,
reading the situation, somebody bluffing,
like looking at contextual cues, right?
So that might be a good metaphor for this concept of intuition
that you're referring to.
That's interesting.
Do you have any advice for folks who are on this journey of trying to dial it in for their own organization, of balancing the AI and the human intervention, of what they should do in terms of best practices to get where they need to be?
I think everybody needs to take a look at how they can leverage this new technology
that is out there with respect to generative AI.
I think traditional AI has been around for quite a while.
And how they can get more value out of their data using traditional AI as well.
So I think that's kind of the call to action, right?
The problems that we're facing,
there are more and more data driven.
We have more and more data that needs to get analyzed.
And that's just something where you need
to bring the right tools to the table, right?
Like when you need to excavate something,
it's great if you have a shovel,
it's better if you have an excavator, right?
So that's really what
we're looking at. That's Sven Krasser, CrowdStrike's Senior Vice President of Data Science and Chief Scientist.
worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization
runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep
your company safe and compliant.
And finally, imagine after all your holiday shopping, you are simply famished, and you could get your Big Mac for just a penny.
Sounds like a dream, right?
Well, a researcher discovered that McDonald's McDelivery app in India had a supersized security flaw allowing exactly that.
With clever tinkering, users could manipulate cart prices, hijack orders, and even track delivery
drivers in real time. This wasn't just about cheap burgers. Sensitive data like
driver names and license plates was publicly exposed, and hackers could redirect someone
else's fries straight to their doorstep. It all boiled down to poorly secured APIs
with vulnerabilities like broken object-level authorization allowing for these exploits.
To McDonald's credit, they fixed everything within 90 days
after receiving the hacker's detailed report.
While this ethical hacker enjoyed a bounty instead of fries,
the case underscores the need for stronger cybersecurity in consumer apps.
Let's hope McSecurity gets beefed up worldwide.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Well, friends, it is that time of year.
The N2K Cyber Wire team is getting ready to settle into our long winter's nap.
We will be taking a publishing break starting this Tuesday, December 24th,
through Wednesday, January 1st.
Fret not, while we are out, we've got some fun surprises planned for you in your podcast feeds.
If you've got some downtime or want to pop those AirPods in and not engage in any more family togetherness, head over to your
favorite podcast app and check out our goodies. We will emerge from our nap on January 2nd.
We'll see you then. As we wrap up another incredible year at the Cyber Wire, I want to
take a moment to shine a spotlight on the amazing people
who bring our stories to life every single day.
This podcast is more than just a production.
It's a labor of love, talent, and unwavering dedication,
and none of it would be possible without our phenomenal team.
To Liz Stokes, who produced today's episode,
and so many others with precision and care,
thank you for your
relentless commitment to delivering content
that informs and inspires.
To Tré Hester, our mixer,
your technical expertise and
creative touch make every episode
shine. Elliott Peltzman,
your original music and sound design
give the Cyber Wire its unmistakable
rhythm and soul.
We are endlessly grateful for your
artistry. Jennifer Eiben, our executive producer, and Brandon Karpf, our executive editor. Your
leadership and vision guide everything we do, keeping us focused on our mission. Simone Petrella,
our president, and Peter Kilpe, our publisher. Your support and belief in this team enable us to grow and excel.
To all of you, thank you for the
hard work, late nights, and countless
moments of collaboration this year.
Here's to the stories we've told,
the challenges we've tackled, and
the milestones we've achieved
together. I'm proud to
be part of our team. I can't wait
for all that lies ahead in the new year.
Happy holidays
and thank you
for making this
Cyber Wire extraordinary.
On behalf of all of us,
Merry Christmas
and Happy Holidays.
I'm Dave Bittner.
We'll see you back here
next year. Thank you.