CyberWire Daily - Developments in the C2C market. Cyberespionage against Westminster. Notes from Russia’s hybrid war. And don’t take that typo to Timbuktu.
Episode Date: July 17, 2023

WormGPT is a new AI threat. TeamTNT seems to be back. Chinese intelligence services actively pursue British MPs. Gamaredon's quick info theft. Russia’s FSB bans Apple devices. The troll farmers of the Internet Research Agency may not yet be down for the count. Anonymous Sudan claims a "demonstration" attack against PayPal, with more to come. Carole Theriault looks at popular email lures. My conversation with N2K president Simone Petrella on the White House’s National Cybersecurity Strategy Implementation Plan. And, friends, don’t take this typo to Timbuktu.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/134

Selected reading.
WormGPT, an "ethics-free" text generator. (CyberWire)
TeamTNT (or someone a lot like them) may be preparing a major campaign. (CyberWire)
Chinese government hackers ‘frequently’ targeting MPs, warns new report (Record)
Gamaredon hackers start stealing data 30 minutes after a breach (BleepingComputer)
Russia-linked APT Gamaredon starts stealing data from victims between 30 and 50 minutes after the initial compromise (Security Affairs)
Armageddon in Ukraine – how one Russia-backed hacking group operates (CyberSecurity Connect)
Russian hacking group Armageddon increasingly targets Ukrainian state services (Record)
Russia bans officials from using iPhones in U.S. spying row (Apple Insider)
Prigozhin's Media Companies May Resume Work As Mutiny Fallout Dissipates, FT Reports (Radio Free Europe | Radio Liberty)
Anonymous Sudan claims it hit PayPal with 'warning' DDoS cyberattack (Tech Monitor)
Typo leaks millions of US military emails to Mali web operator (Financial Times)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k.
WormGPT is a new AI threat.
TeamTNT seems to be back.
Chinese intelligence services actively pursue British MPs.
Gamaredon's quick info theft.
Russia's FSB bans Apple devices.
The troll farmers of the Internet Research Agency may not yet be down for the count.
Anonymous Sudan claims a demonstration attack against PayPal with more to come.
Carole Theriault looks at popular email lures.
My conversation with N2K President Simone Petrella on the White House's National Cybersecurity Strategy Implementation Plan.
And friends, don't take this typo to Timbuktu.
I'm Dave Bittner with your CyberWire Intel briefing for Monday, July 17th, 2023.
SlashNext describes WormGPT as a black hat alternative to GPT models designed specifically for malicious activities.
The tool can generate output that legitimate AI models try to prevent,
such as malware code or phishing templates.
SlashNext asked WormGPT to write an email intended to pressure an unsuspecting account manager
into paying a fraudulent invoice.
The researchers state,
The results were unsettling.
WormGPT produced an email that was not only remarkably persuasive but also strategically
cunning, showcasing its potential for sophisticated phishing and BEC attacks.
In summary, it's similar to ChatGPT but has no ethical boundaries or limitations.
This experiment underscores the significant
threat posed by generative AI technologies like WormGPT, even in the hands of novice cybercriminals.
So, aren't there safeguards in generative AI to prevent this? Well, yes, in newer ones like
ChatGPT, but WormGPT was built from older Wild West open source versions that lacked these sorts of safeguards.
Researchers at SentinelOne and Permiso Security released joint reports suggesting that TeamTNT, a threat actor notorious for attacking Amazon Web Services, may be gearing up to attack Microsoft Azure and Google
Cloud Platform. The researchers state, throughout June 2023, an actor behind a cloud credential
stealing campaign has expanded their tooling to target Azure and Google Cloud Platform services.
Previously, this actor focused exclusively on Amazon Web Services credentials.
These campaigns share similarity with tools attributed to the notorious Team TNT cryptojacking crew.
However, attribution remains challenging with script-based tools, as anyone can adapt the code for their own use.
Both SentinelOne and Permiso note that the actor has retooled its code to target Azure and Google Cloud Platform.
Additionally, they have made changes to the file hosting, as SentinelOne explains, stating,
The actor no longer hosts files in an open directory, which complicates efforts to track and analyze these campaigns.
Instead, C2 activity relies on a hard-coded username and password combination
that are passed as arguments to the curl command. Aqua Security reported on the early stages of
this incipient campaign. While it seems to be in its development and testing phases,
the campaign could turn into a massive threat targeting cloud infrastructure.
Aqua states,
Aqua Nautilus researchers identified an infrastructure of a potentially massive campaign against cloud-native environments. This infrastructure is in early stages of testing and
deployment and mainly consists of an aggressive cloud worm designed to deploy on
exposed JupyterLab and Docker APIs in order to deploy tsunami malware,
cloud credentials hijack, resource hijack, and further infestation of the worm.
We strongly believe that Team TNT is behind this new campaign.
And if it materializes, that campaign could be worse than the old-style cryptojacking that used to be TeamTNT's stock-in-trade.
The British Parliament's Intelligence and Security Committee has published a report
outlining China's interest in the UK. The report states, in relation to the cyber approach,
whilst understanding has clearly improved in recent years, China has a highly capable cyber operation and increasingly
sophisticated cyber espionage. However, this is an area where the known unknowns are concerning.
Work on continuing coverage of its general capabilities must be maintained alongside
further work on Chinese offensive cyber and close proximity technical operations.
The report also found that China frequently targeted parliamentarians in their cyber operations.
CERT-UA released an official threat summary of UAC-0010, commonly known as Gamaredon or Armageddon.
It's a Russian persistent threat actor operated by the FSB. CERT-UA attributes the success Gamaredon has enjoyed to several defectors from Ukraine's SBU who went over to the FSB in
2014. The threat group uses email and messenger apps like Signal, WhatsApp, and Telegram as an
initial attack vector, sending corrupted Microsoft Word documents with malicious
macros to the victim. It then uses an infostealer, GammaSteel, which steals files within 30 to 50
minutes of the initial infection. GammaSteel also works to replicate itself by infecting all
Microsoft documents on the infected computer to propagate the malware when those files themselves are exported.
GammaSteel also corrupts any USB drive plugged into the computer.
Russia's FSB has banned the use of Apple devices by government officials effective today.
Apple Insider traces the decision to Russian claims that Apple has been colluding with the U.S. National Security Agency
to intercept Russian communications.
Apple has denied any such cooperation with NSA.
It appears that the blackout of Mr. Prigozhin's own media properties was both temporary and exaggerated.
One of those properties, the notorious troll farm doing business as the
Internet Research Agency, is among those that have remained in business, earlier reports to
the contrary notwithstanding. Anonymous Sudan, which its name notwithstanding is a cat's paw for Russian
intelligence services, mounted a brief distributed denial-of-service attack against PayPal.
Tech Monitor reports that the attack lasted only 30 seconds,
but that Anonymous Sudan described it as a demonstration of the ways in which it will use PayPal to attack targets in the United Arab Emirates and the United States.
And finally, spelling counts, don't you know?
Here's one more reason why.
.mil is the U.S. military top-level domain.
.ml belongs to Mali.
If you were trying to reach the sergeant major in Peking,
don't blame him if your email went off to Timbuktu instead.
The Financial Times has the story of how a common typographical error is misrouting a
lot of email. The wayward communications are said to include highly sensitive information,
including diplomatic documents, tax returns, passwords, and the travel details of top officers.
And it's not a new problem either. Despite repeated warnings over a decade, a steady flow of email traffic continues to the .ml domain,
the country identifier for Mali,
as a result of people mistyping .mil,
the suffix to all U.S. military email addresses.
You tell them and you tell them, but what are you going to do?
So, maybe proofread that email address.
Coming up after the break, Carole Theriault looks at popular email lures. My conversation with N2K President Simone Petrella on the White House's National Cybersecurity Strategy Implementation Plan.
Stick around.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time
checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, [...] with Black Cloak. Learn more at blackcloak.io.
It is always my pleasure to welcome back to the show, Simone Petrella. She is the president at N2K. Simone, we recently had the National Cybersecurity Strategy Implementation Plan shared from the White House.
And I'm eager to check in with you on how you feel about this.
The response is, is this what we need?
And is this the right plan at the right moment?
Where do you stand here?
I think, first and foremost, the step of codifying implementation and really tangential actions across federal agencies coming
from the White House is a substantial positive step that builds upon the existing executive
orders and things that had really put cybersecurity on the forefront of the executive priority list,
even preceding this administration. So this really does take
it to the next level. And I think it is a positive step overall. And there are two major fundamental
shifts that the implementation plan calls for, especially when it comes to allocating the roles,
responsibilities, and resources in cyberspace. The first is that it puts a huge onus on federal
sector agencies to really assume a greater share of the burden for mitigating cyber risk,
as well as putting that onus on private sector counterparts. So it shows how federal agencies
can support those private sector counterparts. Both sectors have a lot of work to do.
And the second is that it's increasing the incentives
that exist to kind of favor long-term investments
into cybersecurity,
which I think is really interesting and creative.
One of the things that struck me was how overt it is
in laying out who is responsible for what.
Yeah.
There isn't a lot of ambiguity here.
No, and CISA's got its work cut out for them.
But yes, I think that it was very explicit in pointing out which agency was the lead for each of the individual imperatives and then who are the supporting agencies that would be contributing to it.
And what I think will be most interesting is to see how each of those individual agencies go to implement.
Because if you read each of the recommendations, some of them are quite broad.
They don't necessarily articulate how an agency can accomplish that goal.
So there's a lot of leeway given to the agency to kind of figure it out.
There are five fundamental pillars that they lay out here.
Defending critical infrastructure, disrupting and dismantling threat actors,
shaping market forces to drive security and resilience,
investing in a resilient future,
and forging international partnerships to pursue shared goals.
How do you respond to those five as the top-level items here?
I think that they have the right categories.
Ultimately, it comes down to national security,
and that's where being able to identify
and defend our critical infrastructure,
how we think about the threat actors
that are a threat to those things,
how do we think about the realities of the market forces,
because so much of our interdependence and technology
is actually a result of a private sector market
reliance, whether it be for critical infrastructure, Internet of Things, supply chains, anything
in that regard.
The recognition that this is an effort and investment we need to make now to even give
ourselves a chance to have a more resilient future, I think, is a strong step in that
right direction. And last but not least, we have to at least acknowledge that that can't be done in a
vacuum. We're too reliant, even on those supply chains, to work with international partners and
other countries. And if we don't have clear goals and sort of standards of relationships, none of
that can get accomplished. Seeing what's been laid out here by the White House, what do you think this means
for folks in the workforce development area in terms of, you know, preparing folks to be able to
complete this mission? Well, interestingly enough, and obviously, you know, the workforce issues are
near and dear to our heart, it's probably the least well-defined section within Pillar 4 of the entire
implementation plan. And the onus is put on the Office of the National Cyber Director, again,
to come up with a workforce strategy, which has not been published yet. So TBD. I'm waiting with
bated breath. Right, right. But I guess there's acknowledgement that that is an area that needs to be a focus.
Absolutely. And I think the acknowledgement is inherent not only in this document,
but the fact that the White House has an entire task force that has been tasked with creating a
workforce and education and training strategy at the national level. And that has been true
even before the publication
of the cybersecurity strategy or this implementation plan.
From your point of view, ear on the ground,
has this been getting a positive response?
Are people generally in favor of what's being laid out here?
I think so.
It's interesting because most of the conversations I've had
are with folks who are representatives in the private sector.
And so there's an overarching recognition and knowledge that this strategy has been put out and it's important.
But the most near-term impacts are on the federal agencies that are tasked to actually execute on some of these pillars.
And so I don't think that we are at a point yet where the true effects of what all these agencies put in place are felt.
We're going to have to wait and see what happens when we think about supply chain risk.
Or here's an interesting one to point out, that the DOJ is going to use the False Claims Act to try and go after federal contractors who are deceptive in their cybersecurity practices
and they collect government money.
That's really interesting and potentially scary
if you are in a position to do that kind of work
and get government dollars.
So I think those are the areas you're going to start to see
either the real pain or the real support
from the affected industries that aren't the federal government once these types of things go into effect.
All right. Well, Simone Petrella is president at N2K.
Simone, thank you so much for taking the time for us.
Chances are you have received an email warning you, in strong words, that your storage is full.
And unless you log in and fix it, bad things are going to happen.
Carole Theriault looks at these sorts of email lures in this report.
Another day, another scam. This is one that hadn't made it into my echo chamber, perhaps because I'm
not a Microsoft and Hotmail user, but I thought I would share as millions of people out there do
rely on these systems for some of their online needs. But saying that, I think I could be a potential victim
of this type of scam were I unwarned.
You see, I'm one of those people that doesn't clean out the inbox very often,
and I handle a lot of big files.
I also don't clean out my cloud storage very often.
So intermittently I get these warnings that my storage is full.
I'm sure I'm not the only data hoarder out there.
You guys, you know what I'm talking about.
So were I to get a message saying that my cloud was full
and that I needed to log into my account to address the issue,
I might be duped into clicking on the link
because I would be distracted and absent-minded
and I wouldn't be paying
attention. So according to Which?, those of you with a Microsoft account have five gigs of free
storage space on OneDrive as part of the package. This is where you store items on your account,
including files, photos, attachments, apps. And once you've used up this free storage, you then either have to delete items to make space or pay for more storage. So if you've received an email warning you that your
storage is full, it is worth double checking that it is legitimate, because Which? has seen scam
emails that try to trick you into giving away personal data through a phishing email impersonating Microsoft. The email includes the following text. Your cloud storage is full. You have reached your
storage limit, but as part of your loyalty program, you can now receive an additional 50 gigs for free
before the files on your cloud drive are deleted. But there is a kind of telltale sign in this scam: the
email address reportedly looks very unlike anything Microsoft would send you. So if you're a Microsoft
user and you hover close to your storage limit, you will receive an email from Microsoft, the
address being microsoft at mail.onedrive.com, telling you how much you're over by, and including a link to subscribe to get more storage.
It'll also include links to your email with large attachments,
prompting you to delete them,
as well as links to your OneDrive where you can delete items to free up storage space.
And the thing is, scams like this work in part because we are distracted. So pay attention,
because if you fall for a scam like this, or any scam, and you find that you were duped by an
online miscreant, you may find your bank calls it authorized fraud, which means you may not get
your funds back. This was Carole Theriault for The CyberWire.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called The Dark Side with Dave.
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure
we're delivering the information and insights
that help keep you a step ahead
in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The CyberWire [...] of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about
your team while making your team smarter. Learn more at n2k.com. This episode was produced by
Liz Ervin and senior producer Jennifer Iben. Our mixer is Trey Hester with original music by
Elliot Peltzman. The show was written by our editorial staff.
Our executive editor is Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
[...] products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.