CyberWire Daily - High stakes for high tech: California's AI safety regulations take center stage.

Episode Date: August 30, 2024

AI regulations move forward in California. DDoS attacks are on the rise. CISA releases a joint Cybersecurity Advisory on the RansomHub ransomware. A persistent malware campaign has been targeting Roblox developers. Two European men are indicted for orchestrating a widespread “swatting” campaign. Critical vulnerabilities in an enterprise network monitoring solution could lead to system compromise. An Ohio judge issues a restraining order against a cybersecurity expert following a ransomware attack. Our guest is Dr. Zulfikar Ramzan, Chief Scientist at Aura, sharing his take on AI's growing role with online criminals. Admiral Hopper's lost lecture is lost no more.

CyberWire Guest
Our guest is Dr. Zulfikar Ramzan, Chief Scientist at Aura, sharing his take on the RockYou2024 breach and AI's growing role with online criminals.

Selected Reading
California Advances Landmark Legislation to Regulate Large AI Models (SecurityWeek)
Radware Report Surfaces Increasing Waves of DDoS Attacks (Security Boulevard)
CISA and Partners Release Advisory on RansomHub Ransomware (CISA)
Year-Long Malware Campaign Exploits NPM to Attack Roblox Developers (HackRead)
2 Men From Europe Charged With 'Swatting' Plot Targeting Former US President and Members of Congress (SecurityWeek)
Critical Flaws in Progress Software WhatsUp Gold Expose Systems to Full Compromise (SecurityWeek)
Ahead of mandatory rules, CISA unveils new cyber incident reporting portal (Federal News Network)
Franklin County judge grants city request to suppress cyber expert's efforts to warn public (The Columbus Dispatch)
Adm. Grace Hopper’s 1982 NSA Lecture Has Been Published (Schneier on Security)
Capt. Grace Hopper on Future Possibilities: Data, Hardware, Software, and People (Part One, 1982) (YouTube)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com slash N2K and enter code N2K at checkout. That's joindeleteme.com slash N2K, code N2K. AI regulations move forward in California. DDoS attacks are on the rise. CISA releases a joint cybersecurity advisory on the RansomHub ransomware. A persistent malware campaign has been targeting Roblox developers.
Starting point is 00:02:16 Two European men are indicted for orchestrating a widespread swatting campaign. Critical vulnerabilities in an enterprise network monitoring solution could lead to system compromise. An Ohio judge issues a restraining order against a cybersecurity expert following a ransomware attack. Our guest is Dr. Zulfikar Ramzan, chief scientist at Aura, sharing his take on AI's growing role with online criminals. And Admiral Hopper's lost lecture is lost no more. It's Friday, August 30th, 2024. I'm Dave Bittner, and this is thank you for joining us here today. California's efforts to establish groundbreaking safety regulations for large-scale AI systems advanced this week,
Starting point is 00:03:25 with a proposal passing a key vote in the Assembly. The bill, authored by Senator Scott Wiener, aims to mitigate risks associated with AI, such as the potential for catastrophic misuse, by requiring companies to test their models and disclose safety protocols. Despite fierce opposition from major tech firms like OpenAI, Google, and Meta, as well as some lawmakers, the measure narrowly passed and now awaits a final Senate vote before reaching Governor Gavin Newsom. The bill, which targets AI systems requiring over $100 million in data for training, represents a light-touch approach, according to Wiener.
Starting point is 00:04:08 Supporters argue it's a necessary step to prevent AI-related disasters, while critics contend it's based on unrealistic fears and could stifle innovation. The outcome of this legislation could set a precedent for AI regulation across the U.S. A report by Radware highlights a significant rise in distributed denial-of-service attacks, with some lasting up to 100 hours over six days. Notably, a recent web DDoS attack campaign involved 10 waves, each lasting 4 to 20 hours, peaking at 4.7 million requests per second. The first quarter of 2024 saw a 137% increase in DDoS attacks, with new methods like HTTP/2 Rapid Reset contributing to this surge. Attackers are increasingly using cloud infrastructure,
Starting point is 00:05:02 such as Telegram, to launch attacks, avoiding reliance on compromised IoT devices. Most attacks targeted organizations in Europe, the Middle East, and Africa due to regional conflicts and events like the Paris 2024 Olympics. Additionally, malicious DNS queries and web application attacks have surged, while bad bot transactions rose by 61% year over year. CISA, in collaboration with the FBI, the MS-ISAC, and HHS,
Starting point is 00:05:36 has released a joint cybersecurity advisory on the RansomHub ransomware, formerly known as Cyclops and Knight. The advisory provides indicators of compromise, tactics, techniques, and procedures, and detection methods related to RansomHub, identified through recent FBI investigations. RansomHub, a ransomware-as-a-service variant, has attracted affiliates from other major ransomware groups like LockBit and ALPHV. CISA urges network defenders to review the advisory and implement the recommended mitigations. Additionally, CISA has launched the CISA Services Portal, a streamlined platform for reporting
Starting point is 00:06:17 cyber incidents as it prepares for new mandatory reporting requirements under the upcoming Cyber Incident Reporting for Critical Infrastructure Act, CIRCIA. The portal offers enhanced features, including the ability to save, update, and share reports and integrates with login.gov credentials. While incident reporting is currently voluntary, CIRCIA will soon require organizations in critical infrastructure sectors
Starting point is 00:06:46 to report major cyber incidents within 72 hours. CISA is upgrading its technology and expanding its workforce to handle the expected increase in incident reports, aiming to make the process as efficient and non-burdensome as possible for affected organizations. A persistent malware campaign has been targeting Roblox developers through malicious NPM packages, according to a report from Checkmarx. Since August 2023, attackers have been publishing packages that mimic the popular noblox.js library to steal sensitive data and compromise systems. Despite multiple takedowns, new malicious packages continue to appear. The attackers use techniques like brandjacking,
Starting point is 00:07:34 combosquatting, and starjacking to create the illusion of legitimacy. The malware's capabilities include Discord token theft, system persistence, and deploying additional payloads like Quasar RAT. The malicious code, hidden in the postinstall.js file, is heavily obfuscated and automatically executes when the package is installed. The malware manipulates the Windows registry to ensure it runs consistently and exfiltrates sensitive data to the attackers via a Discord webhook. Despite efforts to remove these packages, the attacker's GitHub repository remains active, posing an ongoing threat.
Starting point is 00:08:15 Developers are advised to verify package authenticity to avoid such attacks. Two European men, Tomas Szabo from Romania and Nemanja Radovanovic from Serbia, were indicted for orchestrating a widespread swatting campaign that targeted around 100 people, including a former U.S. president, members of Congress, and other public officials. The campaign, which spanned from December 2020 through January 2024, involved making fake emergency calls to prompt aggressive police response at the victims' homes. The swatting calls included threats of mass shootings, bombings, and other violent acts. Szabo and Radovanovic used various techniques to appear legitimate and coordinated their attacks through online chat groups.
Starting point is 00:09:11 They're charged with conspiracy and numerous counts of making threats. The FBI reported a surge in swatting calls, some linked to court cases against former President Donald Trump. U.S. officials are expected to seek the extradition of both men to face trial. Critical vulnerabilities in Progress Software's WhatsUp Gold, an enterprise network monitoring solution, could lead to system compromise. The software, essential for monitoring cloud and on-premise infrastructure, has over 1,200 instances accessible online, many potentially affected by a severe flaw with a CVSS score of 9.8. The vulnerability allows remote code execution due to improper input validation in the getFileWithoutZip method. Although a patch was released in May with version 23.1.3 and another in August with version 24.0.0, upgrading requires
Starting point is 00:10:08 a manual process that may deter some administrators. The vulnerability has not been exploited yet, but the availability of proof-of-concept code makes it crucial for administrators to update to the latest version to avoid potential exploitation. Progress Software strongly advises upgrading to protect systems from unauthorized access and other risks. A judge in Franklin County, Ohio, has issued a temporary restraining order against cybersecurity expert David L. Ross, Jr., who's been revealing the impact of a ransomware attack on Columbus City government. Ross, also known as Connor Goodwolf, alerted the public that sensitive information, including social security numbers and details about crime victims and police officers,
Starting point is 00:10:59 was stolen and posted online after the city refused to pay a ransom. The order prohibits Ross from accessing or sharing these files. Ross argues that the city is trying to deflect blame for its own mishandling of the breach, while the city claims the order is necessary to protect public safety. Despite the restraining order, Ross plans to pursue legal action, claiming his First Amendment rights are being infringed. The situation has led to multiple lawsuits against the city for failing to protect personal data. Coming up after the break, Dr. Zulfikar Ramzan, chief scientist at Aura, shares his take on AI's growing role with online criminals.
Starting point is 00:11:52 Stay with us. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key
Starting point is 00:12:41 workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from BlackCloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award-winning digital executive protection platform secures their personal devices, home
Starting point is 00:13:31 networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with BlackCloak. Learn more at blackcloak.io. Dr. Zulfikar Ramzan is chief scientist at Aura. I recently spoke with him about his take on AI's growing role with online criminals. The short of it is that RockYou2024 is, at this point, the largest single password compilation leak in history, comprising about 10 billion unique plain text passwords. It is not a unique file on its own. It's got a long history, dating back actually to about 2009, I believe. There was a website called RockYou, and that particular website was compromised by a SQL injection attack that led to about 32 million
Starting point is 00:14:37 or so passwords getting compromised. And then based on that initial compromise, people have essentially kept adding to this one file and added more and more passwords. And most notably, in 2021, there was a file called RockYou2021, which contained about, I think, 8.4 billion passwords. And so this latest incarnation of RockYou is now 2024, contains an additional 1.6 billion passwords, getting us to about roughly 10 billion passwords. And that's kind of the gist of it. I guess it's not surprising that someone out there would be keeping a running tally of all of the accumulated passwords that have been vacuumed up over the years. But what is the real-world significance of this sort of assembly of all of these passwords? For a scammer, what it basically entails is having access to a wide variety of passwords
Starting point is 00:15:32 makes it easy to mount various kinds of attacks. The most notable attack is credential stuffing. That basically entails a scammer using tools and techniques for taking these large collections of passwords and essentially trying to brute force access to different accounts and different services using those passwords. And so what they'll try to do is they'll say, if I can get this password for you, can I try this password on different sites until I finally find something that matches or works?
Starting point is 00:15:59 The tools and techniques for doing that fall under the concept of credential stuffing, which is probably the single most relevant attack implication of these types of attacks. In general, though, once you have access to passwords, you can start to do things like dictionary attacks on other password lists. For example, if I can get a list of hashed passwords for a compromised site, I can essentially cross-reference that list of hashed passwords against the RockYou list to see if there are any matches. And that would require me essentially computing hashes in one direction to
Starting point is 00:16:30 identify similarities or exact matches. And if that happens, then I can go ahead and use those passwords and try to log in as you. And so in general, it just increases the exposure for the average person when it comes to their protection on various websites and services. You know, we've all been sort of captivated by this revolution we've seen in AI. Does having those sorts of AI tools make a password cache like this even more valuable? Certainly. I think one thing we are seeing with AI
Starting point is 00:17:04 is the increase of automation and improving the way these attacks have taken place. Now, having said that, I mean, the reality is that threat actors have been using automation for decades. They've been using automation in the context of coming up with new malware samples that don't fit under the paradigms of signatures of previous types of detection capabilities. We have seen the use of AI for doing automated attack creation, for identifying vulnerabilities, et cetera. But in general, those areas of AI applications have been, in many cases, preceded by a long history of automation tools in these areas.
Starting point is 00:17:40 What I think right now is really unique with the use of AI in the concept of attacks is in areas like misinformation, so things like deepfakes. That comes up over and over again. Social engineering historically has been the single most common vector for being able to get through and get past the defenses of organizations. And deepfakes in particular only up the ante, make it a lot more tricky and difficult for the average person to navigate correctly. Is this presenting opportunities, this AI revolution? I mean, for consumers themselves, we hear about how the bad guys are making use of these tools. I mean, this is something you and your colleagues are working on as well, right? To bring this to the protection side of the equation.
Starting point is 00:18:32 Absolutely. I mean, we have been laser focused on the application of AI in the context of defense in cybersecurity. This area, by the way, is again, not new. The first applications of AI that I was involved with date back to about 2010 in production environments, protecting millions of people. But in many cases, what we've seen is that trying to solve the vast panoply of cybersecurity problems manually, trying to keep up with the latest threats and variations on these threats is impossible to do if you're approaching the problem manually. And historically, that's how we approached it. We would look for different kinds of threats.
Starting point is 00:19:01 We'd identify their characteristics. We'd develop signatures for those threats. And then we would look for those signatures or variations on those signatures in the real world to prevent people from getting and becoming victims. Nowadays, as we all know, the number of threat variations has gotten so high, the number of different creative endeavors that attackers have engaged in have gotten so complex and so intricate that trying to solve these problems using manual methods has really taken its toll. It no longer is the right way to approach the problem. It is good for certain parts of the problem space, but the overall broader part of that
Starting point is 00:19:35 problem space, that long tail, if you will, has to be attacked using more sophisticated techniques. And AI is a powerful tool in this regard. So it's not just a situation where we're trying to apply AI just because it's a buzzword. It genuinely is the right tool for being able to do classification of behavior and transactions to identify whether or not those are malicious. And that's been a central focus for us. Our key areas have been, however, applying AI in a much more horizontal fashion, not just looking at AI for point solutions in cybersecurity, but really building a holistic digital safety capability for families, cutting across all the things people care about from secure networking to secure transactions to safeguarding all their messaging types of tools. For example, their email and their text messages and so on and so forth. Speaking of the RockYou2024 breach, I mean, are there any recommendations or best practices for folks
Starting point is 00:20:35 to prevent something like this from having a direct effect on them? Yeah, so the simplest thing I recommend to everybody is to choose a high entropy password. I'm using the words very specifically here of entropy because ultimately what attackers try to do is when they're trying to brute force a password in general, the way they approach it is they try passwords that they think will make sense first. They don't just try to literally type in every character to see what would work. They often will start off with things that will be much more natural.
Starting point is 00:21:05 So for example, dictionary words, dictionary words plus a number, simple sequences of letters and numbers that are not complicated, pretty easy to guess. And they'll build up from there to try different kinds of passwords and really find ones that match what they think your password is. Now, if you choose a password that's complicated enough, and by complicated, I mean high entropy, and there's different ways you can achieve that. The two ways you can achieve high entropy in a password are, number one, making the password longer. So typically, as the password becomes longer, the complexity of cracking that password, when one sees a hash
Starting point is 00:21:41 of that password in a password file somewhere, it's exponential in the length of that password. So that's one thing to keep in mind. The second way you can make your passwords harder to crack and have higher entropy is to vary up the kinds of characters you use in your passwords. Rather than just using lowercase or just using uppercase, a combination of uppercase, lowercase, numbers, symbols, et cetera, helps a lot. The reason I mentioned both of those things is because many people often forget that this is really about making the password hard to determine and hard to figure out.
Starting point is 00:22:10 And if you make the password longer, that's also a great way to do that. And sometimes a longer password can be easier to remember than a shorter one, because you can base it off of a song lyric or maybe a quote that you know or a line in your favorite book. And based on that,
Starting point is 00:22:24 you can come up with longer passwords that are harder to crack. So I think starting there, a lot of these problems would go away because it would be hard for anybody to achieve or identify your password purely from a hash of that password, which is how typical cybercriminals operate. So that's kind of the first big thing that I recommend to people. The second big thing is if you are using a site that offers two-factor authentication or multi-factor authentication, it's a great simple measure that gives you a step function increase in protection. So we highly recommend people to
Starting point is 00:22:55 do that. And then of course, in general, it's always good to take a holistic approach to dealing with all the different aspects of protecting yourself. So having things like identity protection, monitoring, doing dark web monitoring to identify whether or not your information is already on the dark web and updating your passwords accordingly, making sure that you have and do things like data broker opt out so you don't end up in situations where the average person may get compromised. And of course, Aura does all of this for people, which is exciting. We have one free service, by the way,
Starting point is 00:23:28 which I'd be remiss not to mention. If you go to aura.com slash email scanner, we've got a free tool that will scan your inbox for scam messages. And in many cases, these breaches are rooted in somebody falling for like a phishing attack somewhere.
Starting point is 00:23:43 And so if we can identify scam emails in your inbox, we can prevent you from inadvertently giving your credentials and sensitive information away to threat actors. That's Dr. Zulfikar Ramzan, Chief Scientist at Aura. Thank you. Partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Starting point is 00:24:55 And finally, you may recall that about a month ago, stories were circulating that the NSA had discovered archival videotapes of a presentation given by Admiral Grace Hopper in 1982, titled Future Possibilities, Data, Hardware, Software, and People. A true pioneer and trailblazer, Admiral Hopper was known for her dry wit and compelling storytelling abilities. NSA claimed they didn't have the necessary equipment to transfer the old one-inch reels of analog videotape, but countless video archivists offered up their services. In the end, it's unclear who handled the transfer,
Starting point is 00:25:36 but the good news is that the lecture is now available on YouTube, and needless to say, it's worth your time. We'll have a link in the show notes. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out this weekend's Research Saturday and my conversation with Tim Peck, senior threat researcher at Securonix. We're discussing their work, "Threat actors behind the DEV#POPPER campaign have retooled and are continuing to target software developers via social engineering." That's Research Saturday.
Starting point is 00:26:19 Check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to
Starting point is 00:26:56 optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter. Learn how at N2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
