CyberWire Daily - Defending America against China's ominous onslaught.

Episode Date: February 1, 2024

Directors Wray and Easterly warn Congress of threats from Chinese hackers. Myanmar authorities extradite pig butchering suspects. Automation remains a challenge. Snyk Security Labs plugs holes in "Leaky Vessels." Pegasus spyware targets human rights groups in Jordan. Subtle-paws scratch at Ukrainian military personnel. White Phoenix brings your ransomed files back from the ashes. In today's Threat Vector, host David Moulton, Director of Thought Leadership at Unit 42, speaks with MDR Senior Manager Oded Awaskar about how AI might change the world of security operations and threat hunting. A wee lil trick for bypassing ChatGPT guardrails.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

In today's segment of Threat Vector, host David Moulton, Director of Thought Leadership at Unit 42, speaks with Oded Awaskar, an MDR Senior Manager, about threat hunting and how AI and ML might change the world of security operations and threat hunting. Tune in to Palo Alto Networks' biweekly Threat Vector podcast on our network for the full conversation. To learn more about Unit 42's world-renowned threat hunters, visit https://www.paloaltonetworks.com/unit42/respond/managed-threat-hunting and https://www.paloaltonetworks.com/unit42/respond/managed-detection-response. In coming episodes, David will discuss the impact of the SEC cyber rules with Jacqueline Wudyka and share a conversation with Sam Rubin, Global Head of Operations for Unit 42, about his testimony at the congressional hearing on the growing threat of ransomware.

Selected Reading

Wray warns Chinese hackers are aiming to 'wreak havoc' on U.S. critical infrastructure (NPR)
FBI director warns Chinese hackers aim to 'wreak havoc' on U.S. critical infrastructure (NBC News)
Opening Statement by CISA Director Jen Easterly (CISA on YouTube)
FBI issues dramatic public warning: Chinese hackers are preparing to 'wreak havoc' on the US (CNN on YouTube)
CISA orders federal agencies to disconnect Ivanti VPN appliances by Saturday (Bleeping Computer)
iPhone Under Attack: U.S. Government Issues 21 Days To Comply Warning (Forbes)
Why Are Cybersecurity Automation Projects Failing? (SecurityWeek)
Crime bosses behind Myanmar cyber 'fraud dens' handed over to Chinese government (The Record)
Leaky Vessels: Docker and runc Container Breakout Vulnerabilities (Snyk)
At Least 30 Journalists, Lawyers and Activists Hacked With Pegasus in Jordan, Forensic Probe Finds (SecurityWeek)
Online ransomware decryptor helps recover partially encrypted files (Bleeping Computer)
Analysis and Detection of STEADY#URSA Attack Campaign Targeting Ukraine Military Dropping New Covert SUBTLE-PAWS PowerShell Backdoor (Securonix)
OpenAI's GPT-4 safety systems broken by Scots Gaelic (The Register)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. Air Transat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Directors Wray and Easterly warn Congress of threats from Chinese hackers. Myanmar authorities extradite pig-butchering suspects. Automation remains a challenge. Snyk Security Labs plugs holes in Leaky Vessels.
Starting point is 00:02:15 Pegasus spyware targets human rights groups in Jordan. Subtle paws scratch at Ukrainian military personnel. White Phoenix brings your ransomed files back from the ashes. In today's Threat Vector, host David Moulton, Director of Thought Leadership at Unit 42, speaks with MDR Senior Manager Oded Awaskar about how AI might change the world of security operations and threat hunting. And a wee little trick for bypassing ChatGPT guardrails.
Starting point is 00:03:18 It's Thursday, February 1st, 2024. I'm Dave Bittner, and it is great to have you with us. Yesterday, FBI Director Christopher Wray and CISA Director Jen Easterly both testified before the House Select Committee on the Chinese Communist Party. FBI Director Wray highlighted the threat posed by Chinese hackers to American critical infrastructure. He emphasized that China's hackers are targeting essential services like water treatment plants, pipelines, and power grids, preparing to cause significant disruption in the U.S. if necessary. He stressed the seriousness of the threat to national security, pointing out that China's cyber activities extend beyond military and political targets, indicating a strategy that includes potential attacks on civilian infrastructure. The CCP's dangerous actions, China's multi-pronged assault on our national and economic security, make it the defining threat of our generation.
Starting point is 00:04:13 CISA Director Jen Easterly echoed Director Wray's concerns. ...in Chinese targeting of U.S. critical infrastructure. In particular, we've seen Chinese cyber actors, including those known as Volt Typhoon, burrowing deep into our critical infrastructure to enable destructive attacks in the event of a major crisis or conflict. This is a world where a major crisis halfway across the planet could well endanger the lives of Americans here at home.
Starting point is 00:04:46 Through the disruption of our pipelines, the severing of our telecommunications, the pollution of our water facilities, the crippling of our transportation modes, all to ensure that they can incite societal panic and chaos and to deter our ability to marshal military might and civilian will. Joining me is my N2K colleague, our executive producer, Brandon Karpf, who is a former naval officer who spent several years working at Cyber Command, working on things that are very relevant to this story that perhaps he is not at liberty to discuss. But Brandon, you certainly have expertise in this area. So I'm very interested in your thoughts
Starting point is 00:05:30 on the commentary that we see here from both Directors Wray and Easterly. Yeah, well, and thanks for having me on this morning, Dave. So the consideration when looking at this testimony just yesterday from Directors W Ray and Easterly is the significance in some of their messaging about Volt Typhoon and the objectives, more than anything, from the Chinese government in these operations. Typically, what we're seeing from the Chinese government in cyberspace has been espionage-driven, so collecting information from government,
Starting point is 00:06:02 from corporations. It's a very specific type of threat activity. This activity from Volt Typhoon looks very different. And Directors Wray and Easterly are pretty clear with what the intent is behind this activity, which is this is preparing the battle space. This type of activity is fully driven by a desire to have a strategic advantage in the event of armed conflict with the United States. This is pretty major, and it's something that our industry but also our nation needs to pay attention to.
Starting point is 00:06:36 Hence the clarity, I would say, of the testimony yesterday. What's the balance here? Because I think it's very easy for a statement like this to come across as kind of breathless, you know, that everybody panic, they're going to turn off the lights and we won't have water anymore. How do we balance the severity or the seriousness of something like this with appropriate action? Right. Well, it starts with just making the world aware that we are watching and that we are aware as a government and as cybersecurity professionals and as an industry of what these
Starting point is 00:07:12 threat actors are doing. That is a strategic win, just making them aware that we see them, that we know what they are doing, that we are watching them. So that is part of the response in and of itself is just the messaging that we're seeing. Now, I would say, while the testimony was intense, I wouldn't call it breathless. I think that they're bringing to the fore some very serious concerns. For example, in May of 2023, when CISA released information about one of the biggest fault typhoon campaigns that they discovered in areas such as Guam that was preparing the battle space against critical infrastructure in Guam. Well, when you look at that region of the world,
Starting point is 00:07:54 that is a very important strategic region for our military operations. In the event of China going after Taiwan, our military response, by and large, will be staged in Guam, as well as a few other critical bases in that region of the world. So it's clear that China is positioning themselves in a way to respond to us, in a way to have a strategic advantage in the physical world. So when balancing our response, right, and, you know, the potential fears of breathlessness about the actual risks here,
Starting point is 00:08:27 I think it's just important for us to recognize the risks that we have in these systems, that our defenders need to be paying attention, that China is willing to target civilian infrastructure. They are preparing—Volt Typhoon is looking at, you mentioned the water systems, other critical infrastructure sectors like the energy sector, oil and natural gas. The fact that they are in those networks, that they are preparing those networks for potential future conflict means that the Chinese government is willing to target those systems. So it's just, we need to think about what that means for our own defensive posture, what that means for our own operations.
Starting point is 00:09:06 And we can't just say, well, it won't happen. We can't just say, we'll be okay. We'll figure out a way around it. We need to prepare ahead of time now and not leave ourselves open to these types of vulnerabilities. So it's a big call to action for our broader community in terms of the response we need to take to take this risk seriously. And that's what it is. It's a core risk to our national security. Brandon Karpf is executive producer here at N2K and also a former naval officer who spent quite a number of years at Cyber Command.
Starting point is 00:09:40 Brandon, thanks so much for joining us. Yeah, thanks, Dave. Staying with CISA for the moment, the agency has issued an urgent directive for U.S. federal agencies to disconnect Ivanti Connect Secure and Policy Secure VPN appliances by Saturday in response to the exploitation of multiple vulnerabilities in these devices. Ivanti has patched some software versions and provided mitigation instructions for unpatched devices. They also advised a factory reset before patching to remove any attacker's persistence.
Starting point is 00:10:13 Over 22,000 Ivanti ICS VPNs are exposed online, with about 390 hacked devices detected on January 31st. CISA has also given federal agencies 21 days to mitigate a critical vulnerability affecting devices running certain OS versions on Apple devices. Authorities in Myanmar have extradited 10 suspects to China for their involvement in organized cyber fraud, including leaders of three major crime families. These arrests follow China's increased efforts to dismantle cyber fraud operations along its border, particularly in the Kokang region of Myanmar. The suspects were part of criminal groups conducting large-scale
Starting point is 00:10:58 telecommunications and network fraud, including what's come to be known as pig butchering, the specific targeting of high-value victims. This handover marks a significant step in bilateral cooperation against cybercrime in the region, which had become a center for various illicit activities, including forced labor in scam operations. Despite these efforts, experts warn of the potential shift of these criminal activities to other regions in Myanmar. Security Week shares an interesting editorial from Threat Quotient's Mark Solomon, examining the challenges cybersecurity teams face when integrating automation. In Solomon's view, the cybersecurity industry is rapidly evolving with complex threats,
Starting point is 00:11:43 necessitating sophisticated security solutions incorporating automation, AI, and machine learning. However, the rapid pace and regulatory demands are overwhelming organizations, leading to high stress and burnout among cybersecurity professionals, particularly CISOs. Despite recognizing the importance of cybersecurity automation, many organizations face challenges in adoption, integration, and dissatisfaction with early solutions. He says different roles within the industry have varied perceptions of automation's importance and its impact on efficiency and compliance. A key focus now is on improving employee well-being through automation, reducing repetitive tasks, and allowing for more meaningful work. Despite challenges, cybersecurity automation remains a strategic priority, with a shift toward low-code AI-enhanced platforms expected to improve outcomes and provide
Starting point is 00:12:39 stronger ROI, especially in areas like threat detection and response. Snyk Security Labs researcher Rory McNamara discovered four Leaky Vessels vulnerabilities in core container infrastructure components, which could enable attackers to escape from a container and gain unauthorized access to the host operating system. This access might lead to the compromise of sensitive data and further attacks. The team responsibly disclosed these vulnerabilities, with Docker subsequently forwarding one to the
Starting point is 00:13:11 open-source Run-C security group. The vulnerabilities impact common container engine components and build tools. Snyk advises users to promptly update their systems with fixes from providers like Docker, Kubernetes, and cloud container services. Access Now, a digital rights group, reported that Israeli-made Pegasus spyware was used to hack at least 30 people in Jordan, including journalists, activists, and lawyers, from early 2020 to November 2022. from early 2020 to November 2022. The victims, identified by organizations like Human Rights Watch and Amnesty International, were primarily targeted for their role in human rights and political activism. Although the Jordanian government has not commented and wasn't directly accused by Access Now,
Starting point is 00:14:04 the University of Toronto's Citizen Lab suggested that the spyware operators might be linked to the Jordanian government. NSO Group, which developed Pegasus, claims it sells only to vetted agencies for combating terrorism and serious crime. However, there have been multiple instances of the spyware's misuse for politically motivated surveillance worldwide. The U.S. blacklisted NSO Group in 2021 following concerns about spyware abuse. Half of the targeted individuals in Jordan were journalists or media workers, with some experiencing repeated hacks. The Securonix Threat Research Team has identified a campaign targeting Ukraine
Starting point is 00:14:44 using a new PowerShell-based backdoor, SUBTLE-PAWS, which evades detection by infecting USB drives. Likely linked to the Shuckworm group, the campaign targets Ukrainian military personnel and starts with victims executing a malicious shortcut file, leading to the execution of the SUBTLE-PAWS backdoor. The attack leverages compressed files, possibly distributed via phishing emails, containing references to Ukrainian cities and military terms. The SUBTLE-PAWS backdoor operates through registry manipulation and establishes persistence on the victim's machine. It also includes a command and control mechanism that retrieves the C2 server address through various methods, including DNS queries and standard HTTP requests. The backdoor is designed to spread through removable media
Starting point is 00:15:36 and employs stealth techniques like Base64 encoding and random sleep intervals for obfuscation. Securonix recommends caution when downloading files from unknown sources and advises monitoring malware staging directories and deploying additional process-level logging. Some good news in the fight against ransomware. CyberArk has introduced an online version of WhitePhoenix, an open-source decryptor designed to counter ransomware using intermittent encryption. Originally available as a Python project on GitHub,
Starting point is 00:16:12 the online tool caters to users unfamiliar with coding, offering a simple file upload and recovery process for file types like PDFs, Word, Excel, Zips, and PowerPoint with a 10 MB file size limit. Intermittent encryption used by ransomware groups such as BlackCat and DarkBit partially encrypts files, speeding up the attack but leaving some unencrypted data. White Phoenix leverages this by reconstructing text from these unencrypted sections. While the tool might not fully restore systems or work with all file types,
Starting point is 00:16:48 it offers a viable option for recovering important files when other decryptors are unavailable. For handling sensitive data, CyberArk recommends using the GitHub version locally instead of uploading files to their servers. Coming up after the break, Threat Vector host David Moulton speaks with MDR Senior Manager Oded Awaskar about how AI might change the world of security operations. Stay with us. Do you know the status of your compliance controls
Starting point is 00:17:38 right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist, Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:18:28 That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Starting point is 00:19:12 Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. David Moulton is the host of the Threat Vector podcast right here on the CyberWire podcast network. He's also director of thought leadership at Palo Alto Networks' Unit 42. In today's segment, he speaks with MDR Senior Manager Oded Awaskar about how AI might change the world of security operations and threat hunting. Welcome to Unit 42's Threat Vector on the CyberWire Daily, where we share an interesting moment from our Threat Vector podcast. Unit 42 is a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, Director of Thought Leadership at Unit 42.
Starting point is 00:20:14 Today, I'm sharing a segment from a conversation with Oded Awaskar, a senior manager with Unit 42 focused on threat hunting as part of our MDR service. Oded has decades of experience and an incredible energy and passion for the work he leads. Here's part of our conversation. All right, Oded, let's hop right into it. Threat hunting and incident response, that's the topic that we're going to get into. Can you talk about that sort of high-pressure, high-stakes environment and where threat hunting's value really shows up?
Starting point is 00:20:49 So when an IR case is being launched and kicked off, I think that one of the best, one of the biggest challenges that we have is we need to get the scoping right away. I mean, we're getting to an environment, the customer's telling us something bad has happened.
Starting point is 00:21:08 Sometimes they know what happened, sometimes they don't. But for sure, they don't know the entire scoping. Like how far in the threat actor is actually is. How much grip do they have on the environment? I mean, is it too late in a way? I mean, do we have some time? How much time do we have to make sure that we don't have to
Starting point is 00:21:28 burn the entire environment and build everything from scratch? Our main goal is to first understand exactly what are the assets that the threat actor has managed to take control of. And we're using a lot of hypothesis and pre, I would say,
Starting point is 00:21:49 pre-written queries to help us with these type of questions. Like, when has this started? What is the scope? What are the assets that are affected? What are the users that are affected? And this helps not only us as a threat hunting and an incident response team, but it's also very, very important to communicate to our customers, right? Because all they care about is how long is it going to be taking to make sure that the threat actor is out?
Starting point is 00:22:18 And also, how long is it going to be taking us to getting back to full business, right? So one of the topics that seems like it's got a lot of heat behind it right now is AI and ML. How do those technologies contribute to threat hunting? Yeah, it's probably going to be changing the world in a couple of years. And threat hunting is not different. And MDR is not different.
Starting point is 00:22:43 I mean, the ability to take a machine that is constantly taking the same decisions over and over again is not prone to any prejudice or anything else is going to be huge in the
Starting point is 00:22:59 security world in general. If we are going to be able to harness the machine's capability in order to not only create the hypothesis for us, but also do the iterations of creating the query, running it against the dataset, reviewing the results and doing over and over again,
Starting point is 00:23:23 and then only hand to us the end query and the leads that are considered by it to be a true positive, that's going to be huge in this specific world. Because essentially that means that threat hunting is going to be assisting AI and ML heavily in order to just feed to the machine the hypothesis and then the machine does everything on their own. I'm really, really excited about how threat hunting, security operation, MDR is going to be looking in,
Starting point is 00:23:56 let's say, three years from now. I think we're probably going to see big changes in this specific environment. Oded, wrap it up for us, for our listeners. What's the most important thing that you want them to remember from this conversation? I want you to remember that threat hunting is an art. And when you're conducting threat hunts,
Starting point is 00:24:18 most of the times it's not going to be yielding into some very interesting or outstanding results. It's not. Most of the work is finding a needle in the haystack and finding that needle takes time. So when you speak to your threat hunting team and your managed threat hunting team, don't always try to focus on what are the outstanding things that they have found. Because sometimes when they find the small, so to speak, things, those are the actual things that are going to be eliminating the outstanding thing from reaching to your environment. Odad, this conversation has been really rich for me.
Starting point is 00:25:06 I hope for our listening audience it has been as well. Thank you for having me. It was a pleasure. Thanks for listening to this segment of Threat Vector from Unit 42. To learn more about Unit 42's world-renowned threat hunters, check out the links in the show notes. And to hear the entire episode, subscribe to the Threat Vector podcast on CyberWire, Spotify, or Apple Podcasts. In upcoming episodes of Threat Vector, I'll be discussing the impacts of the SEC cyber rules with Unit 42's Jacqueline Wudyka. And a conversation with Unit 42's Global Head of Operations, Sam Rubin, about his testimony at the congressional hearing on the growing threat of ransomware.
Starting point is 00:25:50 We'll be back on the CyberWire Daily in two weeks. In the meantime, stay secure, stay vigilant. Goodbye for now. Be sure to check out the Threat Vector podcast right here on the CyberWire podcast network. Cyber threats are evolving every second. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. With TD Direct Investing, new and existing clients could get 1% cash back. Great, that's 1% closer to being part of the 1%. Maybe, but definitely 100% closer to getting 1% cash back with TD Direct Investing.
Starting point is 00:27:27 Conditions apply. Offer ends January 31st, 2025. Visit td.com slash dioffer to learn more. And finally, researchers from Brown University discovered that OpenAI's GPT-4 can be tricked into bypassing its safety guardrails by translating prompts into rare languages like Scots Gaelic. ...but by using Google Translate to switch the prompts to less common languages, the researchers found they could circumvent these restrictions in about 79% of cases. This method was less effective for more commonly used languages. The study involved translating 520 harmful English prompts into these lesser used languages, then back into English, and comparing the success rate against the same prompts in English, which were blocked 99% of the time. The translated prompts successfully
Starting point is 00:28:32 bypassed safety mechanisms designed to prevent responses related to terrorism, financial crime, and misinformation, although GPT-4 sometimes generated nonsensical responses. The findings indicate a potential risk in language models' ability to handle low-resource languages and suggest the need for developers to include these languages in safety evaluations. OpenAI acknowledged the research but has not specified any actions in response. I checked in with our Gaelic dialects desk, but all they sent back was a note with the phrase, you cannot shove your granny off a bus, which I'm told is a humorous and lighthearted reminder that you should respect your elders. Our slogan is, if it's no Scottish, it's crap!
Starting point is 00:29:26 And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500
Starting point is 00:29:52 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com.
Starting point is 00:30:10 This episode was produced by Liz Stokes. Our mixer is Tré Hester with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. ...through guided apps tailored to your role. Data is hard. Domo is easy.
Starting point is 00:31:25 Learn more at ai.domo.com. That's ai.domo.com.
