CyberWire Daily - Cybercriminals target London drugs.
Episode Date: May 24, 2024

LockBit drops 300 gigabytes of data from London Drugs. Video software used in courtrooms worldwide contains a backdoor. Google patches another Chrome zero-day. The EU seeks collaboration between research universities and intelligence agencies. Atlas Lion targets retailers with gift card scams. Researchers explore an Apple reappearing photo bug. Hackers access a Japanese solar power grid. Congress floats a bill to enhance cyber workforce diversity. Ben Yelin joins us with a groundbreaking legal case involving AI-generated CSAM. Whistling past the expired domain graveyard.

CyberWire Guest: Ben Yelin, co-host of our Caveat podcast and Program Director for Public Policy & External Affairs at the University of Maryland Center for Health and Homeland Security, discusses "FBI Arrests Man For Generating AI Child Sexual Abuse Imagery."
Selected Reading
Hackers release corporate data stolen from London Drugs, company says (The Star)
Crooks plant backdoor in software used by courtrooms around the world (Ars Technica)
Google fixes eighth actively exploited Chrome zero-day this year (Bleeping Computer)
EU wants universities to work with intelligence agencies to protect their research (The Record)
US retailers under attack by gift card-thieving cyber gang (Help Net Security)
Apple wasn't storing deleted iOS photos in iCloud after all (Bleeping Computer)
Hijack of monitoring devices highlights cyber threat to solar power infrastructure (CSO Online)
New Diverse Cybersecurity Workforce bill to promote inclusivity, provide CISA with millions for outreach (Industrial Cyber)
When privacy expires: how I got access to tons of sensitive citizen data after buying cheap domains (INTI)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
LockBit drops 300 gigabytes of data from London Drugs.
Video software used in courtrooms worldwide contains a backdoor.
Google patches another Chrome Zero Day.
The EU seeks collaboration between research universities and intelligence agencies.
Atlas Lion targets retailers with gift card scams.
Researchers explore an Apple reappearing photo bug.
Hackers access a Japanese solar power grid.
Congress floats a bill to enhance cyber workforce diversity.
Ben Yelin joins us with a groundbreaking legal case involving AI-generated CSAM. And whistling past the expired domain graveyard.
It's Friday, May 24th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
So happy Friday, everybody, and thank you for joining us.
Last month, cybercriminals stole files from London Drugs' head office
and have now released some data after the company refused to pay a ransom.
The Richmond, British Columbia-based retailer said the files might contain employee information
and is offering affected staff credit monitoring and identity theft protection.
The hacking group LockBit claimed responsibility, releasing over 300 gigabytes of data.
London Drugs, which shut down its stores temporarily,
stated there's no evidence customer data was compromised.
LockBit, described as the world's most harmful cybercrime group,
has been disrupted by international law enforcement efforts, but it remains active.
A software update for JAVS Viewer 8, used by over 10,000 courtrooms worldwide,
contained a hidden backdoor, researchers from Rapid7 reported. The software, part of the JAVS Suite 8,
helps courtrooms record, playback, and manage audio and video from proceedings. The malicious
update, available on the Justice AV Solutions website, allowed persistent communication with
a command and control server, stealing passwords and system information. Users of version 8.3.7 are at high
risk and should re-image affected systems and reset credentials. The update was digitally signed
by Vanguard Tech Limited instead of the legitimate Justice AV Solutions. JAVS confirmed the breach,
removed the malicious version, and assured that current downloads are safe.
Google has released an emergency security update for Chrome to fix the eighth zero-day vulnerability of the year.
This high-severity type confusion flaw affects Chrome's V8 JavaScript engine
and is being actively exploited.
Google advises users to update Chrome to the latest version.
EU member states recommend that Europe's leading research universities collaborate more with
intelligence agencies to secure their research from hostile states. This follows increased
concerns over espionage, particularly from China. The recommendation aims to address research
security risks from
international cooperation, focusing on critical areas like advanced semiconductors, AI, quantum
technologies, and biotech. Key proposals include facilitating information exchange between research
organizations and intelligence services, and increasing political focus on intellectual property theft. The UK is considering
security vetting for key researchers by MI5, while the US has a similar program through the
National Counterintelligence and Security Center. The recommendations come amid heightened threats
from Russia following its invasion of Ukraine.
Earlier this month, the FBI warned about Storm-0539, also known as Atlas Lion,
a Morocco-based cybercriminal group targeting retailers with fraudulent gift cards.
Microsoft detailed the group's tactics,
highlighting their strong reconnaissance skills,
cloud environment exploitation, and cost-effective operations.
Storm-0539 uses fake non-profits for discounted cloud services, free trials, and compromised
WordPress domains for phishing. They gather employees' contact details from public information,
send phishing messages, and redirect victims to credential-stealing pages.
They then use stolen credentials for multi-factor authentication
and move laterally through networks to create and redeem fraudulent gift cards.
The group's activity increased by 30% in recent months,
targeting large retailers, luxury brands, and fast food chains.
Security researchers discovered that a bug in Apple's iOS, not iCloud, caused deleted
images to reappear on devices after the iOS 17.5 update. Despite widespread user reports,
Apple has remained silent on the issue, leading to privacy concerns. The bug, affecting images deleted months or years ago, was fixed in iOS 17.5.1,
released on Monday. Analysts at Synacktiv identified changes in the photo library services
function that re-indexed old files, causing them to reappear. This finding reassures users that
Apple isn't indefinitely storing deleted files in iCloud, but highlights that deleted files can persist locally until overwritten.
Apple has not responded to inquiries about the bug or the researchers' findings.
Japanese media reported a significant cyberattack on the solar power grid infrastructure, marking what might be the first publicly confirmed
incident of its kind.
Malicious actors hijacked 800 SolarView compact remote monitoring devices manufactured by
industrial control electronics company Contec at various solar power generation facilities.
The cyber criminals used these compromised devices to engage in bank account
thefts. They were after compute power. The hacker group responsible for the attack is likely Hacker
CN, also known as Arsenal Depository. South Korean security firm S2W identified Hacker CN
as a group potentially based in China or Russia. This group was previously linked to
hacktivist attacks targeting Japanese infrastructure, particularly after the Japanese
government released contaminated water from the Fukushima nuclear power plant under an operation
termed Operation Japan. Though the exploitation of these remote monitoring devices did not threaten
power system operations,
experts caution that such intrusions could be more dangerous if highly capable adversaries gained access.
Two U.S. House representatives introduced the Diverse Cybersecurity Workforce Act
to create a program within CISA that encourages underrepresented communities to pursue cybersecurity careers. Sponsored by Representatives Haley Stevens and Shontel Brown, the bill mandates
CISA to expand education and outreach activities, promoting cybersecurity to diverse groups.
The program will target disadvantaged communities, minorities, women, people with disabilities, veterans, and more. The bill
authorizes $20 million annually through 2030 and requires CISA to report on the program's efficacy.
The aim is to fill cybersecurity jobs and enhance national security by diversifying the workforce.
This aligns with the updated National Cybersecurity Strategy Implementation Plan.
Coming up after the break, Ben Yellen joins us with a groundbreaking legal case involving AI-generated CSAM.
Stay with us.
And joining me once again is Ben Yelin.
He is from the University of Maryland Center for Health and Homeland Security
and also my co-host over on the Caveat podcast.
Hey, Ben.
Good to be with you again, Dave.
Interesting story you gathered up here from the folks over at 404 Media.
What do we got here today?
So first of all, I highly recommend 404 Media as a source for the topics we cover on Caveat.
Yeah.
I've gotten a lot of really useful information from them.
And this is a story by Samantha Cole.
Okay.
The FBI has arrested a man, a Wisconsin man,
for generating AI child sexual abuse imagery.
So he used a generative AI system, stable diffusion,
where you give it a text prompt, some type of text prompt,
and it generates an image
through the use of artificial intelligence.
This individual created thousands of these realistic images.
It depicted some very awful things.
Sure.
That certainly qualified as CSAM.
And he's being charged with a couple of things.
One, he distributed the images to a minor,
which is illegal under federal law. That was a real 15-year-old boy, I believe,
to whom he distributed these images. And then he distributed the images over the internet,
therefore engaging in interstate commerce, which brings this case under federal jurisdiction.
The reason this case is so interesting is because the Justice Department
is treating this AI-generated child pornography,
or CSAM,
as if it were simply child pornography or CSAM.
In the words of Deputy Attorney General Lisa Monaco,
technology may change,
but our commitment to protecting children will not.
The Justice Department will aggressively pursue
those who produce and distribute CSAM, no matter how that material was created.
CSAM generated by AI is still CSAM.
It's going to be an interesting novel case
because there aren't actual children
being depicted in these images.
Right, so where's the harm?
Right.
I think the theory from the FBI, and this has been
shown in other cases as well, relating to things like deep fakes or adults portraying minors,
is that this will create a market or a demand for child pornography and will end up resulting
in the abuse of children. And I think you could see how that is a pretty persuasive
argument. I certainly think the more images that get sent around, the bigger the community gets of
people who are interested in these images. At least there's the demand for it and therefore
the potential that real images are going to be created. But I think this is something that has
not yet been tested in our federal court system.
So we're going to get some type of new precedent here
as to whether AI-generated images are considered identical
to traditional CSAM, so to speak, in the eyes of the law.
And I think that's very unclear at this point.
We'll have to see how each side briefs this and which way the court comes down.
What about the potential liability of the folks at Stable Diffusion?
Do they have any vulnerability here for being the...
I mean, theoretically, those images existed on their servers.
They were custodians of those images, however briefly.
Yeah, my impression is that this would all be immunized under Section 230 of the Communications Decency Act.
So Section 230 allows these platforms to be immune from lawsuits for any decisions they make to restrict content on their sites as a way to incentivize both creativity and
to not punish these companies for making good faith efforts to restrict information. So I think
they would have a very robust Section 230 response if they were involved in a lawsuit here,
or criminal charges for that matter. I certainly think from a moral perspective, they should look at why their guardrails failed.
Right.
We were talking about on our podcast, what was the prompt here?
What was the text prompt?
And how did that get through these guardrails?
How did it trick the system?
And are these guardrails not robust enough?
I think those are questions that Stable Diffusion is going to have to answer, but I don't think it's going to result in a lawsuit because of Section 230.
How does this play out from here? Are we on a typical long timescale for this to wind its way
through the legal system? It is a bit of an extended timescale. So this individual is in
federal custody pending a detention hearing that's going to happen this week. Presumably, he'll be released from detention
if he can make bail.
And then we'll have preliminary hearings
and eventually a trial on this.
But it's a longer timeline.
I'm guessing probably at least a year
until we get a federal trial
and then we're going to have appeals,
especially if he's convicted.
Right.
I guess only if he's convicted.
So, yeah, I think that there's certainly the potential for this to drag out
over an extended period of time.
To what degree is this about the sharing of these images?
In other words, suppose this person had generated these images for their own use,
had not shared them with anyone.
I guess what I'm getting at is we've always thought about CSAM imagery,
the ultimate reason that we fight against it is to protect children from these horrible crimes and the things that people do to them.
But if there's no child involved,
and it's just someone for their own, are we straying into thought crimes if there's no sharing?
Not the way the law sees it. I mean, the indictment is for producing, distributing,
and possessing AI-generated images of minors engaged in sexually explicit content. So,
you are criminalizing the distribution, but also the production,
meaning that he created them,
presumably for the purpose of distributing them.
And then even possessing images,
CSAM images as a crime.
Now, the way we define possession,
I think tries to weed out purely accidental cases
where somebody enters the wrong prompt
and an AI system hallucinates and generates an inappropriate image.
I don't think that would qualify as possession.
Generally, you have to download something or save it onto a hard drive,
save it onto...
Yeah, to show intent.
Exactly.
Okay.
But you certainly are showing intent if you're producing the images
and are continuously distributing them.
I think that shows an intent to possess them.
So I don't think there's that much of a distinction here.
I think you're criminalizing the possession
just as much as you're criminalizing the distribution.
Okay.
All right.
Well, I mean, it's an interesting inflection point, isn't it?
Yeah, it really is.
I mean, this case is full of, frankly, disturbing facts.
It's dark stuff, but I think the potential here to get a legal resolution to this really novel issue,
I think, is something that will require us to pay attention as this case moves forward.
All right.
Well, Ben Yelin, thanks so much for joining us.
Thank you.
And finally, as you likely well know, domain names are leased.
If no one renews them, they go up for sale.
This raised an eyebrow for one curious investigator in Belgium.
Inti De Ceukelaire wondered about the fate of old cloud accounts tied to these expired domains.
He set off to investigate if old cloud accounts could be revived.
First on the agenda, find companies and institutions whose emails vanish due to bankruptcy,
mergers, or rebranding. This was a breeze, as these changes are usually publicized.
Even more concerning, many expired domains belong to Belgian social welfare institutions.
To save the day and the sensitive data, he bought 107 domains for a total of 850 euros.
Suddenly, his inbox was filled with emails, including password reset links for cloud accounts,
revealing access to a treasure trove of sensitive information: justice information, payment reminders, and health details.
This investigation shines a light on the ghostly dangers
lurking in the digital graveyard of expired domains.
The lessons learned are clear.
Expired domains can still harbor sensitive data,
posing significant cybersecurity risks.
Proper domain lifecycle management and secure decommissioning
are essential to prevent these digital hauntings.
Implementing robust measures
like two-factor authentication
can safeguard against unauthorized access.
As our investigator's adventure shows,
vigilance is crucial in ensuring our digital past
doesn't come back to haunt us.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with Jon DiMaggio,
Chief Security Strategist at Analyst1.
We're sharing his work, Ransomware Diaries, Volume 5, Unmasking LockBit. That's Research
Saturday. Check it out. We'd love to know what you think of this podcast. Your feedback helps
us ensure we deliver the insights that keep you a step ahead in the rapidly changing world of
cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or
send an email to cyberwire at n2k.com. We're privileged that N2K Cyber Wire is part of the
daily routine of the most influential leaders and operators in the public and private sector
from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies
to optimize your biggest investment, your people.
We make you smarter about your teams
while making your team smarter.
Learn how at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester,
with original music and sound design by Elliot
Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf.
Simone Petrella is our president. Peter Kilpe is our publisher. And I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.