CyberWire Daily - Cyber phases of two hybrid wars prominently feature influence operations. Rapid Reset is a novel and powerful DDoS vulnerability. Credential phishing resurgent. And a look back at Patch Tuesday.
Episode Date: October 11, 2023
Cyber operations in Hamas's war, cryptocurrency as a source of funding, and Russian hacktivist auxiliaries shifting their focus. Not all influence operations involve disinformation. Rapid Reset is a novel DDoS attack. A resurgent credential phishing campaign. Ann Johnson from Afternoon Cyber Tea speaks with Ram Shankar Siva Kumar and Dr. Hyrum Anderson about the promise, peril, and impact of AI. Our own Rick Howard talks cyber intelligence in the medical vertical with Taylor Lehmann of Google. And a quick look back at Patch Tuesday.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/194
Selected reading.
Hackers make their mark in Israel-Hamas conflict (Axios)
Hacktivists take sides in Israel-Palestinian war (Record)
Cyberattacks Targeting Israel Are Rising After Hamas Assault (Time)
Hacktivists stoke Israel-Gaza conflict online (Reuters)
Hackers, some tied to Russia, target Israeli media and government websites (MSN)
Hamas Militants Behind Israel Attack Raised Millions in Crypto (Wall Street Journal)
Cryptocurrency fueled Hamas' war machine (Quartz)
The Israeli police cyber unit, Lahav 433, has frozen the cryptocurrency accounts of Hamas (Odessa Journal)
U.S. surging cyber support to Israel (POLITICO Pro)
Savvy Israel-linked hacking group reemerges amid Gaza fighting (CyberScoop)
Israeli Cyber Companies Rally as Digital, Physical Assaults Continue (Wall Street Journal)
Hamas Seeds Violent Videos on Sites With Little Moderation (New York Times)
Social media platforms foment disinformation about war in Israel (Record)
Hamas terrorists post murder of Israeli grandmother on her Facebook page (The Telegraph)
How to limit graphic social media images from the Israel-Hamas war (Washington Post)
Briefing: EU Commissioner Asks Musk for Information on “Illegal Content and Disinformation” Spreading on X (The Information)
EU warns Elon Musk of 'penalties' for disinformation circulating on X amid Israel-Hamas war (CNN)
Hamas Got Around Israel’s Surveillance Prowess by Going Dark (Bloomberg)
‘HTTP/2 Rapid Reset’ Zero-Day Exploited to Launch Largest DDoS Attacks in History (SecurityWeek)
New 'HTTP/2 Rapid Reset' zero-day attack breaks DDoS records (BleepingComputer)
The largest cyberattack of its kind recently happened. Here’s how. (Washington Post)
New technique leads to largest DDoS attacks ever, Google and Amazon say (Record)
HTTP/2 Rapid Reset Vulnerability, CVE-2023-44487 (Cybersecurity and Infrastructure Security Agency CISA)
LinkedIn Smart Links Fuel Credential Phishing Campaign (Cofense)
Microsoft Fixes Exploited Zero-Days in WordPad, Skype for Business (SecurityWeek)
Microsoft's October Patch Tuesday update resolves three zero-days (Computing)
Microsoft Releases October 2023 Security Updates (Cybersecurity and Infrastructure Security Agency CISA)
Patch Tuesday: Code Execution Flaws in Adobe Commerce, Photoshop (SecurityWeek)
Citrix Releases Security Updates for Multiple Products (Cybersecurity and Infrastructure Security Agency CISA)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
Cyber operations in Hamas's war,
cryptocurrency as a source of funding, and Russian hacktivist auxiliaries shifting their focus.
Not all influence operations involve disinformation.
Rapid reset is a novel DDoS attack.
A resurgent credential phishing campaign.
Ann Johnson from Afternoon Cyber Tea speaks with Ram Shankar Siva Kumar and Dr. Hyrum Anderson about the promise, peril, and impact of AI.
Our own Rick Howard talks cyber intelligence in the medical vertical with Taylor Lehmann of Google.
And a quick look back at Patch Tuesday.
I'm Dave Bittner with your CyberWire Intel briefing for Wednesday, October 11th, 2023.
Hacktivists and hacktivist auxiliaries who've joined the war Hamas began against Israel Saturday
have claimed widespread and substantial damage to important systems.
But so far, their activities haven't extended much farther
than familiar distributed denial-of-service operations and site defacements.
For example, claims of attacks against electrical power distribution seem to be, for the most part, attention-getting brag.
An AnonGhost compromise of the Red Alert app, designed to send attack warnings to smartphones, seems to be the most consequential of the cyber
operations so far. Most of the hacktivism has been conducted in the interest of Hamas,
but at least one Israeli group, either a front group or a hacktivist auxiliary,
has re-emerged to take a role in the conflict. Predatory Sparrow, known for operations against Iran, has been observed probing Iranian sites and posting warning messages, CyberScoop reports.
The messaging said in Farsi,
Iran has long been Hamas's patron, and it's widely suspected of having provided both planning and logistical
support to the Hamas operation. Many have asked how Hamas achieved operational surprise Saturday.
The reasons are surely complex, but some of the success must be charged to effective operations
security. Hamas evaded Israeli cyber and electronic collection by simply going dark,
as Bloomberg puts it. They stayed off their devices and conducted business face-to-face
in small cells. The most prominent cyber phases of the war so far have been influence operations,
many of them conducted on behalf of Hamas or serving interests only tangentially related to the war.
An example is the Russian narrative falsely asserting that Ukraine had supplied Hamas.
Other bogus reports appearing online have included posting and mislabeling of old video
and even video from online games as representing breaking events in the war.
Much of the influence doesn't involve disinformation.
The New York Times has an overview of how Hamas has posted,
often to X, the platform formerly known as Twitter,
images of its atrocities against civilian victims in Israel.
These are intended as both expressions of triumph
and as incitement to further atrocities.
X has been widely criticized for its failure to screen, filter, rate, or otherwise effectively moderate content.
Changes to X's content moderation policies have more or less adopted celebrity as the standard of newsworthiness
and largely abandoned attempts
to expose coordinated inauthenticity, CNN reports. A European commissioner has written X to warn the
platform that its failures in this respect may constitute a violation of the European Union's
Digital Services Act. Content moderation is always in an uneasy relationship with free expression, but X seems
to many to have slipped in the direction of the inflammatory and the misleading.
The Israeli police cyber unit Lahav 433 has frozen cryptocurrency assets connected to Hamas.
Hamas has been actively soliciting donations in its social media accounts
since attacking Israel on Saturday. Decentralized finance in general, and cryptocurrencies in
particular, have long seen their clearest use case in the transmission of remittances,
and such remittances have been flowing to Hamas for some time. Quartz reports that Bitcoin and Tether have been used to
deliver millions to Hamas, which many governments, including the U.S. government, have formally
designated a terrorist organization. Citing research by Elliptic and BitOK, the Wall Street
Journal reports that tens of millions of dollars in cryptocurrency have been delivered to Hamas,
Palestinian Islamic Jihad, and Hezbollah since 2021. Hamas alone received some $21 million
between 2021 and June of this year. The cryptocurrency accounts were used not only
to raise money but to move funds within the organization. Hamas's attacks against Israeli civilians,
with the horrific casualties they produced and engendered,
have shifted the attention of many hacktivists and hacktivist auxiliaries
from their customary preoccupations,
including Russia's war against Ukraine,
to the new war in the Middle East.
The Guardian, citing research by CyberCX,
reports that early signs
of this involve influence campaigns. The Guardian writes, at least 30 groups ideologically aligned
with Russia, Ukraine, India, Pakistan, and Bangladesh had shifted their messaging on social
media. The Russian auxiliaries can be expected to use the war between Israel and Hamas as a pretext to hit targets they're already interested in.
Killnet and Anonymous Sudan are the most prominent such groups to have announced their support for Hamas.
Moving away from the Middle East, CISA, the U.S. Cybersecurity and Infrastructure Security Agency, warns that a vulnerability affecting the HTTP/2 protocol
is being exploited in the wild
to conduct very large distributed denial-of-service attacks.
The vulnerability is known as Rapid Reset.
Some of the major vendors who've issued patches
or mitigations against Rapid Reset
include Cloudflare, Google, AWS, Nginx, and Microsoft. CISA also recommends
that organizations review the agency's earlier guidance, titled Understanding and Responding
to Distributed Denial of Service Attacks. The attacks are, so far, not attributed to any
particular threat actor, The Washington Post reports, but they've been remarkable for their ability to generate large request floods from relatively modest botnets.
Cofense is tracking a new phishing campaign that's abusing LinkedIn Smart Links to evade
security measures, BleepingComputer reports. Smart Links are a LinkedIn Sales Navigator feature
designed to track engagement for marketing purposes.
Cofense explains, while Smart Links in phishing campaigns are nothing new,
Cofense identified an anomaly of over 800 emails of various subject themes,
such as financial, document, security, and general notification lures,
reaching users' inboxes across multiple industries
containing over 80 unique LinkedIn smart links.
These links can come from newly created
or previously compromised LinkedIn business accounts.
The goal of the campaign is credential harvesting.
And finally, we wrap up with a quick look
at some of the more significant patches
issued yesterday during October's Patch Tuesday.
Microsoft has issued patches for more than 100 vulnerabilities affecting Windows,
three of which are being exploited in the wild, Security Week reports.
One of the exploited flaws affects WordPad and could allow the disclosure of NTLM hashes.
Another actively exploited bug impacts Skype for Business and could lead to privilege escalation.
Adobe has patched critical flaws affecting several of its products,
including Adobe Commerce, Magento Open Source, and Photoshop.
Citrix has issued patches for numerous vulnerabilities
affecting NetScaler ADC, NetScaler Gateway, and Citrix Hypervisor.
So, it's a good time to review your systems and upgrade what needs upgrading.
Coming up after the break,
Ann Johnson from the Afternoon Cyber Tea podcast speaks with Ram Shankar Siva Kumar and Dr. Hyrum Anderson
about the promise, peril, and impact of AI.
Our own Rick Howard talks cyber intelligence in the medical vertical
with Taylor Lehmann of Google.
Stay with us.
real-time visibility is critical for security, but when it comes to our GRC programs, we rely on
point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have
continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation
to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting, and help you get security questionnaires
done five times faster with AI. Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
The CyberWire's Chief Security Officer, Rick Howard,
recently connected with Taylor Lehmann of Google
at the mWISE 2023 cybersecurity conference.
They discussed cyber intelligence in the medical vertical.
Here's their conversation.
A couple of weeks ago, Mandiant, now part of Google Cloud,
hosted the mWISE cyber threat intelligence and security conference at the Washington,
D.C. Convention Center. I met with Taylor Lehmann, a director in the office of the CISO at Google
Cloud and the Alphabet Enterprise Health Security Officer. Taylor was a busy man at the conference,
hosting panels and giving presentations. He spoke with Mustapha Kebbeh, who came in as the CSO for a company called UKG to clean up after a ransomware attack and discovered the cascading effect of the software supply chain.
the pandemic was just another CISO in the healthcare vertical, but after was the CISO for a company that produced the COVID-19 vaccine that would potentially save the world.
And wow, what are the security implications of that?
And finally, it brought in the deputy CISOs of three large healthcare companies who focus
on their internal supply chains.
I started out by asking Taylor about the ransomware attack at UKG.
He started that role over a year ago, coming in after a pretty impactful breach that resulted in
their systems going down for about six weeks and, you know, having some interesting sort of
effects on its customers. Interesting in being not like interesting, cool, but interesting, you know, probably unforeseen.
For example, time clocks at hospitals didn't work, right?
Actually, I didn't mention this earlier, but the New York MTA,
the Metro Transit Authority that runs the subways, their time clocks didn't work.
They ended up, their employees ended up suing their employer.
So let me get this right.
They break into a hospital and break into the time clock situation,
and then it affects all the time clocks of that manufacturer?
Is that what happened?
The central services appeared.
Wow.
I don't have all the details,
but the central services running all of that infrastructure
were basically encrypted, taken over by a threat actor
who was, you know, unhappy that they weren't able to.
I'm sure they wanted to do more, but the thing that they could end up doing was taking these clocks and some other systems down, holding
them for ransom, and then, you know, causing these downstream impacts. So Mr. Kebbeh comes in and he
has to fix this after it's already been done. That's the talk, is how did you even begin to
approach that? That is fascinating. And so what's still going on? And, you know, we go from everywhere from, you know,
recovering from the attack to rebuilding customer trust.
And it's an interesting story.
So the second thing, are you doing a presentation next?
It's called Leadership in Defending the Planet's Healthcare System.
Yeah.
That's you, mano a mano, on the crowd.
Well, so, yeah, the secret to being good at conferences
is not having slides or doing presentations.
It's more getting other smart people to sit next to
and then be like,
hey,
he's,
you know,
by proxy or whatever,
you know,
this person's like interesting
so therefore I'm interesting.
So that's my whole strategy.
So hopefully the podcast listeners
here won't copy me
because it's mine.
But yeah,
no.
Wait,
the secret is
everybody does that.
Okay,
I'm just saying.
I want to credit.
No, so the talk this afternoon is with Brian Cincera, who's the CISO at Pfizer.
I've known Brian for years. He and I were on the board of the Health ISAC together
pre-pandemic, and we worked on a couple of really interesting healthcare problems.
Anyway, Brian and I are going to be talking about
sort of framing the conversation
starting in like March of 2020.
You know, if you recall what we were all doing,
sheltering in place.
Did something happen?
I don't remember, yeah.
Yeah, so we were all sort of leaving RSA
and the world shut down two weeks after that.
And, you know, basically a month and a half later,
Pfizer was sitting on the sort of first trials
of what would then become the vaccine.
And so, well, it wasn't the first vaccine produced.
It was probably the most sort of globally visible
and impactful vaccine that was created.
And, you know, of course,
Pfizer had a big role to play in that.
So the talk with Brian is really focused on,
like, take me back to that time
where you went from, you know, not saving the world to basically having a medicine
that eventually would. And so how did that change, you know, how you thought about your job? How did
that change about your team and your role and your purpose? And then bring me through, what was it
like? How did you see the attacks and threats change from what they were prior to people knowing you had that capability to then you had it and then the manufacturing and all sort of the downstream things that you had to now think about to basically, you know, get shots into people's arms.
Yeah, that raises the bar a little bit, right?
Because we all think what we do is important, but here's a world-changing thing that your company is trying to do and how do you protect that?
Yeah, there's a few of us in healthcare who think our job is basically to do that.
Yeah.
Like that's what we, that's why we choose this particular industry in this profession.
Amazing.
Because it impacts people's lives.
The last one I'm going to do is called the deep blue end.
What's that one?
Okay.
So that's a, that's a fun one.
I've got the deputy CISOs from GSK, or GSK is GlaxoSmithKline,
HCA Healthcare, and 3M.
And they all play a really interesting role in the healthcare supply chain.
So 3M, you know, manufacturing, technology, you know, a lot of their equipment runs and automates infrastructure and manufacturing systems that produce drugs.
HCA is basically the largest for-profit health system in the world.
They treated the most patients during COVID out of any health system.
And GlaxoSmithKline is a pharmaceutical company that produces drugs and therapies to treat people.
So the idea with that talk is to how do these three important players in healthcare work together?
What kinds of threats do they uniquely face as a group that you know, as a group that they all face and how do they defend against it?
And it's really a talk about, you know,
how do these groups like innovate
through working with each other
and then with their customers
around solving healthcare problems at scale
when they cross these three sub-sectors.
That's our own Rick Howard
speaking with Taylor Lehmann from Google.
Ann Johnson is host of the Afternoon Cyber Tea podcast right here on the CyberWire podcast network.
In this excerpt from a recent
episode, she speaks with Ram Shankar Siva Kumar and Dr. Hyrum Anderson about the promise, peril,
and impact of AI. Today, I am joined by Dr. Hyrum Anderson and Ram Shankar Siva Kumar,
who are co-authors, and congratulations, guys, but co-authors of the book, Not With a Bug,
but With a Sticker. Hyrum is currently CTO at Robust Intelligence,
an AI integrity platform and solutions provider.
Hyrum's technical career has focused on security,
having directed research projects
at MIT Lincoln Laboratory,
Sandia National Labs,
FireEye,
and as chief scientist at Endgame
and principal architect
of Trustworthy Machine Learning at
Microsoft. Hyrum also co-founded and co-organizes the Conference on Applied Machine Learning and
Information Security, ML Security Evasion Competition, and the ML Model Attribution
Challenge. That's a lot. Ram Shankar is a self-described data cowboy here at Microsoft with his work focusing on the intersection of machine learning and security.
He is the founder of Microsoft's AI Red Team, which brings together an interdisciplinary group of researchers and engineers to proactively attack AI systems and defend them from attacks.
I am really excited to welcome both of you, Hyrum and Ram.
Ram, I want to start with you on this question.
You underscore some of the most impressive and important AI-powered advances in business and science and society,
because it's not just about technology, right?
And I'm sure since the book's published, there have been even more groundbreaking discoveries.
Can you help paint the picture of what AI might be able to do for the world?
What massive changes and problems it can help solve?
Absolutely.
For me, as I was working with Hyrum on this book,
we think of Tesla and we think about Facebook
and we think about Google as the forefront of folks who are working in AI systems.
And we think of them as, oh, they're the ones who are commonly identified as the AI vanguards.
But for me, it was super surprising to know that Hershey's is using AI
to kind of like identify the ideal number of twists in Twizzlers.
You know, you've got McDonald's kind of using like AI to optimize their supply chain.
So things that you may not think about,
your chicken nuggets is almost powered by AI.
I would like to think so.
But it really is no longer this piece of technology that's only relegated to the people who are creating it, but democratized completely across the board.
And that's really it: people don't understand what the risk is, but we see massive
economic gains around it. And that is a very interesting proposition. Like here's a piece,
here's something that people still do not know the consequences of, but has pervaded
everything from the time that I wake up to the time that, you know, from driving my car to work
to kind of like doing my work
and going back home and unwinding with Netflix.
There's like every part of it is touched
by this like transformational technology.
And the question that Hyrum and I kind of try to tease out
in the book is, great, this system is now absolutely essential to our world.
What does it mean for an adversary to go after it?
So Hyrum, a few pages later in the book, you're quick to point out the peril of AI.
In an excerpt, in AI, we overtrust.
It's important, of course, as AI goes more mainstream that everyone,
from researchers and technologists to everyday people, understands limitations
from what it can and can't do, what it should and shouldn't do. Hyrum, can you help unpack
that for our audience? Why is that healthy skepticism about AI so important, and why
should we continue to have skepticism? Yeah, Ann, thanks. And listen, Ram and I both are optimists, especially when it comes to
the utility of AI to make a better world, to make a more convenient world for us. And so when we
talk about an AI we overtrust, I think that the basic thing to remember is that when AI is trained,
it's trained to do one thing pretty good.
And when it does that one thing pretty good, we often ascribe its ability in areas it was never designed to perform well in.
So this is one element of people relying on AI. We rely on it for one thing, an example would be relying on a robot to
give directions, as was in our book. In a normal situation, it turns out that because we gain this
reliance and trust in this certain situation, we tend to overtrust it when we depart from the
normal behavior that the robot was trained to do. So surprisingly, this automation bias that we have
extends to AI in a way that we need to be careful about.
You can subscribe to the Afternoon Cyber Tea podcast wherever you get your podcasts
and on our website, thecyberwire.com.
Cyber threats are evolving every second
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and
securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe
and compliant.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that
help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K
and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most
influential leaders and operators in the public and private sector, as well as the critical security
teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment,
your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester with original music by Elliot Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilby and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow. Thank you.
that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses
that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.