CyberWire Daily - Fortunes of commerce in Silicon Valley; fortunes of war on the banks of the Dnipro.
Episode Date: November 20, 2023

Leadership turmoil at OpenAI. Citrix Bleed vulnerability implicated in ransomware attacks. QakBot seems to have a successor. The FSB deploys LitterDrifter in cyberespionage against Ukraine. Russian security firm says China and North Korea are the source of most cyberattacks against Russia. Privateers and auxiliaries engage targets of opportunity. Ann Johnson from Afternoon Cyber Tea talks about leading edge cyber innovation with Nadav Zafrir. And alleged war crimes may include cyber operations conducted in support of other, conventional, kinetic war crimes.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/221

Selected reading.
OpenAI announces leadership transition (OpenAI)
A statement from Microsoft Chairman and CEO Satya Nadella (The Official Microsoft Blog)
A timeline of Sam Altman's ouster from OpenAI and Microsoft appointment (Reuters)
Sam Altman leaves OpenAI: Everything you need to know (Computing)
OpenAI Employees Threaten to Quit Unless Board Resigns (Wall Street Journal)
Sam Altman to Join Microsoft Following OpenAI Ouster (Wall Street Journal)
Dozens of Staffers Quit OpenAI After Sutskever Says Altman Won't Return (The Information)
AI to accelerate your security defenses (IBM)
OpenAI's Board Set Back the Promise of Artificial Intelligence (The Information)
A New AI Lexicon: Existential Risk (AI Now)
Hackers Are Exploiting a Flaw in Citrix Software Despite Fix (Bloomberg)
Medusa ransomware gang claims Toyota Financial Services hack (Security Affairs)
CitrixBleed Vulnerability Exploitation Suspected in Toyota Ransomware Attack (SecurityWeek)
Yamaha and WellLife Network confirm cyber incidents after ransomware gang claims attacks (Record)
Are DarkGate and PikaBot the New QakBot? (Cofense)
Decrypting Danger: Check Point Research deep-dive into cyber espionage tactics by Russian-origin attackers targeting Ukrainian entities (Check Point Blog)
Malware Spotlight - Into the Trash: Analyzing LitterDrifter (Check Point Research)
Russian APT Gamaredon uses USB worm LitterDrifter against Ukraine (Security Affairs)
Russian Cyber Espionage Group Deploys LitterDrifter USB Worm in Targeted Attacks (The Hacker News)
Remarks by Assistant Secretary Graham Steele at the Federal Insurance Office and NYU Stern Volatility and Risk Institute Conference on Catastrophic Cyber Risk and a Potential Federal Insurance Response (U.S. Department of the Treasury)
Russian analysts point finger at China, North Korea over cyber activity (Record)
How Pro-Ukrainian Hackers Have Undermined Russia's War Every Step Of The Way (WorldCrunch)
Ukraine says it has evidence of 109,000 Russian war crimes (POLITICO)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Leadership turmoil at OpenAI.
Citrix Bleed vulnerability implicated in ransomware attacks. QakBot seems to have a successor. Privateers and auxiliaries engaged targets of opportunity. Ann Johnson from the Afternoon Cyber Tea podcast talks about leading-edge cyber innovation
with Nadav Zafrir.
And alleged war crimes may include cyber operations
conducted in support of other conventional kinetic war crimes.
I'm Trey Hester filling in for Dave Bittner with your CyberWire Intel briefing for Monday, November 20th, 2023.
OpenAI CEO Sam Altman was dismissed by the company's board on Friday,
with the board stating that Altman, quote,
was not consistently candid with his communications with the board,
hindering its ability to exercise its responsibilities, end quote.
It was a failure to communicate and not, according to an internal memo Axios saw,
a case of malfeasance.
The company's co-founder and president, Greg Brockman, also quit in response to the move.
OpenAI is the artificial intelligence research organization that developed ChatGPT.
Ars Technica and others report that Microsoft, a significant investor in the not-for-profit AI firm,
and therefore in its for-profit subsidiary, OpenAI Global LLC, was surprised and upset by Altman's firing.
Rumors circulated over the weekend that Altman and Brockman were planning to launch a new AI
venture. An investor-led and employee-driven attempt to negotiate Altman's return to the
company failed yesterday. The final decision to move on from Altman has not ended the controversy,
however. The Wall Street Journal reports this morning that more than 500 OpenAI employees
have signed a letter to the board demanding its resignation,
and they say they'll quit if the present board stays in place.
Among those having second thoughts about the leadership change
is chief scientist Ilya Sutskever.
He's also a board member who played a central role in Altman's firing.
Sutskever tweeted this morning, quote,
I deeply regret my participation in the board's actions. I never intended to harm OpenAI. I love everything we've built together,
and I will do everything I can to reunite the company, end quote. Late last night, Reuters
reported that Altman had been hired by Microsoft. Microsoft CEO Satya Nadella said on X, formerly
Twitter, quote, we're extremely excited to share the news that Sam Altman and Greg Brockman,
together with colleagues, will be joining Microsoft to lead a new advanced AI research team.
We look forward to moving quickly to provide them the resources needed for their success.
End quote.
Meanwhile, after a brief period in which CTO Mira Murati served in the role,
OpenAI has appointed Emmett Shear, former head of Twitch,
as interim CEO. Shear says he'll open an investigation into Altman's firing.
What are the cybersecurity angles of this? Mainly, they reside in current concern over
the promise and menace of artificial intelligence with respect to information security, regulation,
and influence operations. OpenAI and its ChatGPT product have for months been
prominently discussed for their potential cybersecurity applications for both offense
and defense. Trend Micro has a brief appreciation of the threats AI enables. AI has attracted
widespread scrutiny with respect to the potential it represents for the large-scale creation
and dissemination of disinformation. We note in full disclosure that Microsoft is a CyberWire partner.
Threat actors continue to exploit the Citrix Bleed vulnerability, CVE-2023-4966,
affecting NetScaler ADC and NetScaler Gateway, SecurityWeek reports.
Citrix issued patches for the flaw on October 10th,
although it was exploited as a
zero-day beforehand. TechCrunch says that the vulnerability has been used in attacks against
Boeing, the Industrial and Commercial Bank of China, DP World Logistics, and law firm Allen & Overy, all of which were hit by the
LockBit ransomware gang. SecurityWeek notes that the flaw may have also been exploited
in a Medusa locker attack against Toyota Financial Services Europe and Africa last week.
Researchers at Cofense described a large malware phishing operation
that began distributing DarkGate in September and PikaBot in October.
The researchers believe the campaign is a successor to the QakBot operation,
which was shuttered by U.S. law enforcement in August of 2023. The new campaign that is delivering DarkGate and PikaBot
follows the same tactics that have been used in QakBot phishing campaigns. These include
hijacked email threads as the initial infection, URLs with unique patterns that limit user access,
and an infection chain nearly identical to what we have seen with the QakBot delivery. The malware families also follow suit to what we expect QakBot affiliates to use.
Gamaredon, also called Shuckworm, Actinium, and Primitive Bear, is the Russian threat group whose
members Ukraine's SSU has identified as FSB agents working from occupied Crimea. It had a
long-standing interest in Ukrainian targets,
and that remains its focus, but it's also begun to show up globally in operations against the U.S.,
Vietnam, Chile, Poland, Germany, and Hong Kong. The threat group is deploying a new VBS-written
worm called LitterDrifter, which spreads through infected USB drives, establishes persistence in
affected systems, and communicates with a flexible
command-and-control infrastructure. Most of the LitterDrifter infestations observed have been
found in Ukrainian systems, and it seems likely that its appearance in other countries is a
secondary effect of its worm functionality. As Check Point observes, worms can and do spread
beyond their initial targets, and that may well be the case here. LitterDrifter isn't particularly advanced or sophisticated, but it's well-constructed and effectively deployed.
This is consistent with the FSB's record of deploying attacks that are good enough.
The security service is interested in effects and not art. LockBit, the well-known ransomware
gang that operates with Russian permission and effectively as a Russian privateer,
claims to have compromised networks at Belgium's Sabena Engineering, a company involved in supplying F-16s to Ukraine's air force. The Telegraph reports that LockBit has threatened
to release sensitive data taken in the attack if their ransom isn't paid by November 26th.
Sabena says it's investigating the incident and is confident that flight safety will be unaffected.
Ukrainian hacktivist auxiliaries, which have tended to work closely with the country's intelligence services,
have maintained pressure on Russian corporations.
Solar, a Russian cybersecurity firm wholly owned by Rostelecom, Russia's largest digital services provider,
said at SOC Forum 2023 in Moscow last week that most of the cyberattacks hitting Russia
originated from China and North Korea. The Record reports that Solar said the incidents represent
cyber espionage, the work of advanced persistent threats seeking to collect data from the
telecommunications and government services sectors. It's surprising to see China and North Korea
identified as the principal current cyber threats to Russia.
Solar's report contrasted sharply with the familiar government line enunciated at the conference by Peter Byelov,
deputy head of Russia's National Coordination Center for Computer Incidents.
Mr. Byelov described the principal threats as emanating from the same Western countries who are supporting and supplying Ukraine.
And finally, there may be some movement
towards bringing cyber warfare into the framework of international criminal law. Ukrainian investigators
say, Politico reports, that they've collected evidence of about 109,000 Russian war crimes.
Most of them by far fall into similar categories of violations of the laws of armed conflict,
mistreatment of prisoners and civilians, massacres of noncombatants,
and so on, but some of them represent novel crimes allegedly committed in cyberspace.
The cybercrimes are largely connected with kinetic war crimes. Cyber operations,
in support of other war crimes, especially attacks against prohibited targets. Thus,
if, say, intelligence developed through cyber operations was developed for the purpose of
targeting a hospital or a school or a funeral, such collection might itself be criminal.
Coming up after the break, Ann Johnson from the Afternoon Cyber Tea podcast talks about leading-edge cyber innovation with Nadav Zafrir.
Stick around.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI. Now that's a new
way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices,
home networks, and connected lives. Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Ann Johnson from the Afternoon Cyber Tea podcast
talks about leading-edge cyber innovation with Nadav Zafrir.
Today, I am joined by my good friend and colleague, Nadav Zafrir.
Nadav is the co-founder of company-building venture firm Team8 and managing partner
of the Team8 platform. Prior to founding Team8, Nadav served as commander of Unit 8200,
Israel's elite military technology unit, where he established the Israeli Defense Forces Cyber Command.
Unit 8200 is recognized as the informal talent incubator for the nation's renowned tech industry.
Welcome to Afternoon Cyber Tea, Nadav.
Hey, Ann. Good to be with you. Thanks for having me.
I love the history. I've been reading a book called Ancient Tombs and Lost Lives or something
like that from National Geographic,
which is talking about the history of civilizations that we have lost and all of the things that we're
learning about communication skills and tooling, et cetera, but the centuries that it took, right,
to get to where we are today. And then you think about just what's happened since the invention of
the personal computer and the smartphone and how fast we're moving.
And now you have AI.
So it takes me to thinking about like my daughter's generation.
What is the world going to look like when she's my age?
How fast are we going to be moving?
And to your point, are the adversaries going to have the ability because they're unconstrained and well-funded to move faster than we're able to move, not just in cyber, but in things like, you know, securing food supplies or predictability of climate change and orderly migration of civilizations,
right? This next 50 years is going to be really, really constructed by what we can do with things
like generative AI. It's going to be interesting to watch. Absolutely. And, you know, I think that
the adversaries will have the upper hand in the
short term. I think that in the mid to long term, I think this will, for the most part, be a very
positive. I'm talking from a cyber perspective now, you know, it's beyond me to go into other
aspects of this. But yeah, it's exciting. And yeah, I mean, it's just this acceleration. I think that
if there's a silver lining when you think about long term, right, so there's a race to a powerful AI between different groups and companies, but also nation states,
and the sophistication of the algorithms and the efficiency of your storage capability,
et cetera, your access to data, which totalitarian countries may have an advantage over because there's no privacy issues.
However, I think that we've come to a point of acceleration and to a point of possibilities
where one thing which is going to be in very high demand is imagination.
And this is where I think the West and liberal democracies actually have a big advantage.
And I hope that will enable us to have the upper hand both for liberal democracies versus
totalitarianism and also for on cyber defense eventually, because the moral fabric of this also makes a difference.
It absolutely does. And that brings us when you're talking about liberal democracies and you're talking about the world that we live in today,
it brings us a little bit to regulation because, you know, we've embraced the thesis that there has to be regulation around responsible AI, privacy, data, etc.
regulation around responsible AI, privacy, data, etc. But regulation can also feel burdensome,
right, to CISOs and other technology leaders and when governments are not as well informed and they're producing regulation that may not deal with the realities of today.
So, Team8 recently published this report on regulation. Can you tell our audience
what some of the top findings were? And also, what are some of the recommendations to make sure we do it right?
Yeah, for sure. I mean, so look, I mean, I think the report on behalf of Team8 and the Village basically commends the White House Office of the National Cyber Director on its approach to cybersecurity regulation.
And, you know, in the request for information and cybersecurity regulatory, I think the report underscores the significance of adopting something
which is more holistic and agile.
And generally speaking, it gives sort of a substantial attention
to the CISO community, their concern, and their role in enhancing cybersecurity.
And to the best of my understanding on the report that we put out
and the fact that we're able to talk to the people
that are actually writing the regulation makes a difference. And at the end of the day, we're
looking to harmonize regulations among different regulatory bodies, you know, at least in the
United States. We're looking to engage all stakeholders, including technology providers
that will shape this strategy. And more than anything else, we believe
that they need to embrace an agile regulation. That's Nadav Zafrir speaking with Ann Johnson
from the Afternoon Cyber Tea podcast.
...by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
With TD Direct Investing,
new and existing clients could get 1% cash back.
Great! That's 1% closer to being part of the 1%!
Maybe, but definitely 100% closer to getting 1% cash back with TD Direct Investing.
Conditions apply.
Offer ends January 31st, 2025.
Visit td.com slash dioffer to learn more.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights
that help keep you a step ahead in the rapidly changing world of cybersecurity.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.