CyberWire Daily - Hunting vulnerabilities.
Episode Date: April 15, 2024Palo Alto Networks releases hotfixes for an exploited zero-day. Delinea issues an urgent update for a critical flaw. Giant Tiger data is leaked online. A European semiconductor manufacturer deals with... a data breach. Roku suffers its second breach of the year. Operators of the Hive RAT face charges. A former Amazon security engineer gets three years in prison for hacking cryptocurrency exchanges. Zambian officials arrest 77 in a scam call center crack down. Our guest Deputy Assistant Director Cynthia Kaiser from the FBI Cyber Division describes dual ransomware. And Rob Boyce, Managing Director at Accenture, shares his thoughts on security testing of generative AI. And selling Pokemon cheats leaves one man in Japan feeling like he had a run-in with a Scaldiburn. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Today, we have two guests, Deputy Assistant Director Cynthia Kaiser from the FBI Cyber Division discussing dual ransomware. Followed by Rob Boyce, Managing Director at Accenture, sharing some thoughts on security testing of generative AI. Selected Reading Palo Alto Networks Releases Fixes for Firewall Zero-Day as First Attribution Attempts Emerge (SecurityWeek) A critical vulnerability in Delinea Secret Server allows auth bypass, admin access (Help Net Security) Hacker claims Giant Tiger data breach, leaks 2.8M records online (Bleeping Computer) Press statement: Nexperia IT Breach (Nexperia) Roku issues warning over massive customer account breach (ITPro) Two People Arrested in Australia and US for Development and Sale of Hive RAT (SecurityWeek) Ex-Amazon engineer gets 3 years for hacking crypto exchanges (Bleeping Computer) Zambia arrests 77 people in swoop on "scam" call centre (Bitdefender) Japanese Police Arrest 36-Year-Old Man on Suspicion of Tampering With Pokémon Violet Save Data (IGN) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my
personal information from hundreds of data brokers. I finally have peace of mind knowing
my data privacy is protected. Delete.me's team does all the work for you with detailed reports
so you know exactly what's been done. Take control of your data and keep your private life Thank you. JoinDeleteMe.com slash N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K. Thank you. Tiger data is leaked online. A European semiconductor manufacturer deals with a data breach.
Roku suffers its second breach of the year.
Operators of the Hive Rat face charges.
A former Amazon security engineer gets three years in prison for hacking cryptocurrency exchanges.
Zambian officials arrest 77 in a scam call center crackdown.
Our guest, Deputy Assistant Director Cynthia Kaiser
from the FBI Cyber Division,
describes dual ransomware.
And Rob Boyce, Managing Director at Accenture,
shares his thoughts on security testing of generative AI.
And selling Pokemon cheats leaves one man in Japan
feeling like he had a run-in with a Skaldaburn.
It's Monday, April 15th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing. briefing. Thank you for joining us. It is great to have you with us here today.
Palo Alto Networks is addressing a zero-day vulnerability exploited by suspected state-sponsored hackers, impacting its PanOS firewall appliances.
The vulnerabilities, allowing remote code execution with root privileges,
affects devices with global protect and telemetry features enabled.
Following initial mitigations, Palo Alto began releasing hotfixes on Sunday
with 40,000 appliances potentially at risk.
Veloxity linked the exploitation to threat actor UTA-0218, noting data exfiltration and internal network movement, including attempts to deploy a Python backdoor named UpStyle.
backdoor named UpStyle. There's speculation on the involvement of BNLien, a ransomware group,
and Lazarus, a North Korean-sponsored entity in these attacks, following observations by Valdi B. While the two groups operate differently, there have been instances where Lazarus disguised
its operations as BNLien's ransomware attacks for intelligence collection.
Discussions around a proof-of-concept exploit surfaced on social media,
though the cybersecurity community has debunked these as fake.
Delinea, known for its secret server-privileged access management solution,
has issued an urgent update for on-prem installations to address a critical flaw
that could let attackers bypass authentication, gain admin rights, and steal sensitive information.
This vulnerability, found in the secret server SOAP API,
prompted Delinea to initially block SOAP endpoints for cloud customers and subsequently release a patch.
endpoints for cloud customers and subsequently release a patch. Despite the severity,
Delinea reports no evidence of data compromise or exploitation attempts. They've also provided guidance for on-prem users to detect potential exploitation. The vulnerability and a proof-of-
concept exploit were publicly disclosed by security researcher Kevin Beaumont
following a discovery and disclosure attempt by Johnny Yu.
Back in March, Giant Tiger, a Canadian retail chain,
experienced a data breach exposing 2.8 million customer records,
including names, email addresses, phone numbers, and physical addresses.
A threat actor has now claimed responsibility for this breach,
leaking the data on a hacker forum.
Have I Been Pwned has since added the leaked database to its platform,
allowing individuals to check if their information was compromised.
The breach was linked to a third-party vendor used by Giant Tiger
for customer communication and engagement.
No payment details or passwords
were disclosed. Giant Tiger has informed affected customers, advising caution against potential
phishing attempts. Users are encouraged to consider identity monitoring services to protect
against identity theft. Nexperia, a prominent semiconductor manufacturer headquartered in the Netherlands,
experienced a cybersecurity incident in March where unauthorized access to its IT servers was detected.
The company immediately isolated the compromised systems and engaged third-party cybersecurity specialists,
including Fox IT, to assess and mitigate the breach.
including Fox IT, to assess and mitigate the breach.
Nexperia has informed relevant authorities and continues to investigate the incident's full scope and impact.
Online streaming service provider Roku
has experienced its second cybersecurity incident of this year,
with 576,000 user accounts affected due to credential stuffing attacks,
leveraging reused passwords.
This follows a previous breach impacting over 15,000 accounts.
Roku states that in fewer than 400 instances,
attackers made unauthorized purchases,
though sensitive payment information remained secure.
Roku has reset passwords for the compromised accounts,
refunded unauthorized transactions, and is advising customers to use unique passwords
and watch for suspicious communications. To enhance security, Roku has enabled two-factor
authentication across all 80 million user accounts. Authorities in Australia and the U.S. have arrested two individuals
linked to the Hive remote access Trojan, previously known as Firebird. The malware was advertised as a
tool for covertly accessing and extracting sensitive data from targeted systems. In Australia, one of
the accused faces 12 computer offense charges,
with a court appearance set for May 7th.
Meanwhile, in the U.S., Edmund Chakmachian, 24, from Van Nuys,
was indicted for selling Hive Rat on hacker forums,
assisting customers and knowingly facilitating illegal activities,
including cryptocurrency theft.
Chakmachian, who pleaded not guilty, is due for trial on June 4.
The RAT enables unauthorized system access, application manipulation, data theft, keystroke
logging, and eavesdropping on communications.
Shakib Ahmed, a former Amazon security engineer, has been sentenced to three years in prison for hacking two cryptocurrency exchanges in July 2022, resulting in over $12 million in theft.
and is ordered to forfeit $12.3 million and pay restitution.
Utilizing his expertise in smart contract reverse engineering and blockchain audit,
Ahmed targeted Nirvana Finance and an unnamed Solana blockchain exchange.
His guilty plea to computer fraud could have led to a maximum of five years in jail. U.S. attorney Damian Williams emphasized the commitment to prosecuting hackers
regardless of the hack's sophistication.
Ahmed's tactics involved manipulating smart contracts to steal and launder the funds,
including using cryptocurrency mixers to convert the assets into Monero for anonymity
while also researching ways to avoid detection and extradition.
Zambian law enforcement arrested 77 individuals at Golden Top Support Services,
a call center alleged to scam global internet users.
The Chinese-run company located in Lusaka is accused of hiring Zambian youths under the guise of legitimate
call center work, only to involve them in fraudulent schemes over WhatsApp, Telegram,
and other chat platforms. The scams targeted victims worldwide, including in Singapore,
Peru, the UAE, and across Africa. The operation, which the Drug Enforcement Commission hailed as a major
cybercrime crackdown, resulted in the seizure of vehicles, firearms, computers, and thousands of
SIM cards. While 17 Zambian suspects were released, the rest, including 22 Chinese
nationals and one Cameroonian, remain detained for further investigation.
Coming up after the break,
Deputy Assistant Director Cynthia Kaiser from the FBI Cyber Division describes dual ransomware,
and Rob Boyce, Managing Director at Accenture,
shares his thoughts on security testing of generative AI.
Stay with us.
Transat presents a couple trying to beat the winter blues.
We could try hot yoga.
Too sweaty. We could go skating. winter blues. We could try hot yoga. Too sweaty.
We could go skating.
Too icy.
We could book a vacation.
Like somewhere hot.
Yeah, with pools.
And a spa.
And endless snacks.
Yes!
Yes!
Yes!
With savings of up to 40% on Transat South packages, it's easy to say, so long to winter.
Visit Transat.com or contact your Marlin travel professional for details.
Conditions apply.
Air Transat. Travel moves us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time
checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows
like policies, access reviews, and reporting, and helps you get security questionnaires done
five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And it is my pleasure to welcome back to the show deputy assistant director for the fbi's cyber division cynthia kaiser cynthia welcome back happy to be back thank you i want to touch
base on uh some information that you all released recently and this was touching on this notion of
dual ransomware some of the actors that you've been tracking. And this was touching on this notion of dual ransomware.
Some of the actors that you've been tracking
that have been using this particular technique.
Can you describe to us what's going on here?
This is a new trend that we've seen over the last year
where either through an initial access broker,
so that's a person that's already obtained
compromised credentials to a system.
Those initial access brokers are selling companies information,
how to get into a company's network in dark marketplaces.
And more than one person's buying them.
And then more than one affiliate is deploying ransomware onto a system.
Or we've also seen an affiliate who's an affiliate.
An affiliate is somebody
who deploys ransomware,
not necessarily the developer,
but pays a fee to the developers
to deploy that ransomware.
We see some of those affiliates
also use two different variants
to target the same company.
And this is really worrisome.
We've seen it across a spate
of different ransomware sets.
You see LockBit,
Zeppelin, a lot of other different sets, ransomware variants being able to be deployed
against a victim. And can you imagine if you're not the victim of one ransomware attack, but within
48 hours, you're the victim of two, or within 10 days, the victim of more. It's really frightening to think about how that
must feel as a network owner. And it just hits home why it's so important to do the basics,
to make sure that you have the appropriate cyber hygiene across your system, that you're doing your
endpoint detections, that you're putting
the right security in place so that your employees and your credentials can't be compromised in the
first place and sold to the highest bidder, and that you're also not allowing an affiliate or
some other ransomware actor to come onto your system because in the end, they're seeking just to exploit any weakness.
And it's where we're working as the FBI then to make sure that we can get all the information out
that we can about how these actors are doing it, what the indicators of compromise might be,
how you can protect your systems, because we want to help protect American networks
from these just nefarious actors who continue to find ways to harm us.
Cynthia Kaiser is Deputy Assistant Director with the FBI's Cyber Division.
Cynthia, thanks so much for joining us.
Thank you for having me. And joining me again is Robert Boyce.
He is the global lead for cyber resilience at Accenture.
Rob, it's great to have you back.
I want to touch today on generative AI and specifically this idea of red teaming and how that can apply to generative AI.
What can you share with us today? Yeah, well, Dave, first of all, thank you for having me back.
So it's a pleasure. Yeah, I think the first of all, the term red teaming applies to AI or
generative AI, I think is almost the first stumbling block out of the gate in some cases.
So we're talking to a lot of organizations.
And as you know, in the security community, red teaming has a very specific connotation.
Red teaming to us typically means a point-in-time test.
You get some results.
You may make some changes based on those results.
And maybe best case scenario, you test again to see if you get the results that you had hoped for.
I think that is not really how we need to think about offensive testing when we think about
generative AI. Because generative AI is being so dynamic and changing all the time, building models
that are literally learning. These point-in-time tests are not going to be sufficient. So I think
the first thing we have to think about as a community
is how to maybe just change the name from red teaming
to just say security testing, offensive testing,
because it's going to be a lot more encompassing
than just point-in-time tests.
So is it continuous testing?
Great question.
So I think that's a big part of it.
I think there's definitely a place for the point-in-time tests,
but the
continuous testing is really going to be what's much more important. As you can see these models
evolving, there's going to be a point in time where we need to be testing as they're learning
to make sure that the outcomes and the outputs that we're getting are going to be what's expected.
And that can't be done with point-in-time testing. That really has to be done with continual testing.
So that's going to be super, super critical.
I think the other point that we really need to think through, too, is what we're going to test.
I think that's going to be another big part.
How do we approach this?
I mean, we use this metaphor of these models being black boxes.
And I'm thinking of standing inside of a black box and not having any idea where the edges are.
How do I know which direction to go in?
Yeah, another great question.
So we think about this in terms of their personas, user personas, as it applies to Gen AI.
And there will be organizations that will be what we call creators, creating the models from top to bottom, right?
So infrastructure, application, LL Lab,
the models running on top of the LL Labs,
you know, all of that, that's, you know,
there will be companies that do all of that.
And for them, the testing is super important
that they're doing testing at all layers.
And the good news is, as a security community,
we probably already know how to test about 80% of that
because we've been testing applications and infrastructure and data layers for a long time. It's that new layer
around the LLMs and the models they're going to be putting on top of that. There's going to be
what's really different for us. And even the skill set that's going to be required
to be able to test those is going to be a little unique. It's not going to be just the traditional
pen testers. We're going to have to think about how to build these pods of skills that could
include data scientists and others who are helping build the models and who understand the models
better than just, you know, a security pen tester would. So I think that's going to be,
you know, super interesting. Conversely, though, there will be organizations that we call more
consumers. They will be just buying, you know, the black box models that you talked about.
And how do they do the testing?
Because they can't test the same way the creators can test.
They can't test top to bottom.
So they're going to rely on, you know, the company that's selling this to them to do that testing.
What they can test is, you know, are the outputs that they're getting the expected output?
So they'll be doing testing more at the LLM layer.
And I think that's going to be super important for them to understand the distinction of what they should be testing as well as the how to test.
So I think that's going to be also incredibly important for them. And where they can't test, how do they build maybe into their procurement process or their
third-party risk process, mitigating controls on how do they put more of the responsibility
on the creators of those so that they feel like they're getting some level of assurance
that there has been some testing done on that infrastructure, the application,
the data, et cetera, prior to them putting it into production.
I think about different kinds of testing. And part of what you're talking about makes me think about
the kind of testing my teenagers do with my wife and I, where they're kind of nibbling at the edges
of like, what can I get away with? And how that can apply to generative AI,
maybe from the other direction of like,
what do I, as a user of this technology,
what do I push on?
How do I test the boundaries to see where the edges are?
Yeah, no, that's exactly right.
I think there's these concepts of,
can we test, how do we poison the LLMs so that we can produce false results or unexpected results?
And really, the testing that we know of today is holding the integrity of the models so that they're producing the results we want them to produce.
But I think what we're going to find quickly as we're starting to explore this area more is a security community.
That's just one vector.
There's going to be many, many more.
as a security community, but that's just one vector.
There's going to be many, many more.
And I think that's the other thing that organizations really need to think about or understand maybe more is that this is going to change at such a rapid pace
that we really need to be flexible and dynamic in our approach to be testing these, right?
And changing the way we test them on a frequent basis.
We know this is coming.
The executive order says red teaming, what, 15 times or something in there for the U.S.?
And then we're seeing Canada having regulations.
We're seeing the U.K.
We're seeing Australia.
We're going to see many other European countries have these types of requirements being put on creators of AI.
creators of AI.
And so I think now that the focus is being put here on the security testing,
we're going to start to see the evolution of these tests.
And we're just going to learn a lot,
I think, in the next 6-12 months
of the types of testing that really need to be done.
Because honestly, I don't think we fully appreciate yet
the complexities that are going to have to be required
for these tests.
Alright.
Well, Robert Boyce is Global Lead for Cyber
Resilience at Accenture.
Rob, thanks so much for joining us.
Thanks, Dave. It was a pleasure. Thank you. ThreatLocker, the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And finally, in Japan, a 36-year-old man was arrested for selling modified Pokemon save data,
a violation of the country's 2019 Unfair Competition Prevention Act.
Detected by a police cyber patrol, he modified Pokemon online, charging up to 13,000 yen,
about $84 per transaction, from December 2022 to March 2023. He confessed to the crimes,
claiming it was a means to earn a living. He faces up to five years in prison and or a fine
of up to 5 million yen, about $32,000. This incident adds
to a string of crimes involving the lucrative Pokemon franchise, including a January 2022
incident that saw two Los Angeles police officers fired after they ignored a call to respond to a
burglary in order to chase down a Snorlax in Pokemon Go.
This Pokemon trainer's next quest?
Finding the legendary Get Out of Jail Free card.
Maybe they can make clever use of the elusive Balbondasaur.
Peek-a-boo!
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
N2K Strategic Workforce Intelligence
optimizes the value of your biggest investment,
your people.
We make you smarter about your team
while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester
with original music by Elliot Peltzman.
Our executive producers are Jennifer Iben
and Brandon Karp. Our executive editor are Jennifer Iben and Brandon Karp.
Our executive editor is Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.