CyberWire Daily - Inside the crypto scam empire.

Episode Date: July 11, 2024

A major Pig Butchering marketplace has ties to the Cambodian ruling family. Lulu Hypermarket suffers a data breach. GitLab patches critical flaws. Palo Alto Networks addresses BlastRADIUS. ViperSoftX malware variants grow ever more stealthy. A New Mexico man gets seven years for SWATting. State and local government employees are increasingly lured in by phishing attacks. Hackers impersonate live chat agents from Etsy and Upwork. The GOP’s official platform looks to roll back AI regulation. On today’s Threat Vector, David Moulton from Palo Alto Networks Unit 42 discusses the evolving threats of AI-generated malware with experts Rem Dudas and Bar Matalon. NATO brings the social media influencers to Washington.

Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

Threat Vector Segment

In this segment of Threat Vector, hosted by David Moulton, Director of Thought Leadership at Palo Alto Networks Unit 42, he explores the evolving world of AI-generated malware with guests Rem Dudas, Senior Threat Intelligence Analyst, and Bar Matalon, Threat Intelligence Team Lead. From exploring the vulnerabilities in AI models to discussing the potential implications for cybersecurity, this episode offers a deep dive into the challenges and opportunities posed by this emerging threat. You can listen to the full episode here.
Selected Reading

- The $11 Billion Marketplace Enabling the Crypto Scam Economy (WIRED)
- Hackers steal data of 200k Lulu customers in an alleged breach (CSO Online)
- GitLab update addresses pipeline execution vulnerability (Developer Tech News)
- Palo Alto Networks Addresses BlastRADIUS Vulnerability, Fixes Critical Bug in Expedition Tool (SecurityWeek)
- ViperSoftX malware covertly runs PowerShell using AutoIT scripting (Bleeping Computer)
- Man sentenced to 7 years for Westfield High School threat hoax (Current Publishing)
- State, local governments facing deluge of phishing attacks (SC Media)
- Hackers impersonate live chat support agents in new phishing scam (Cybernews)
- 2024 GOP platform would roll back tech regulations on AI, crypto (The Washington Post)
- NATO's newest weapon is online content creators (The Washington Post)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. A major pig butchering marketplace has ties to the Cambodian ruling family. Lulu Hypermarket suffers a data breach. GitLab patches critical flaws. Palo Alto Networks addresses BlastRADIUS.
Starting point is 00:02:14 ViperSoftX malware variants grow ever more stealthy. A New Mexico man gets seven years for swatting. State and local government employees are increasingly lured in by phishing attacks. Hackers impersonate live chat agents from Etsy and Upwork. The GOP's official platform looks to roll back AI regulation. On today's Threat Vector, David Moulton from Palo Alto Networks Unit 42 discusses the evolving threats of AI-generated malware with experts Rem Dudas and Bar Matalon. And NATO brings the social media influencers to Washington. It's Thursday, July 11th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Starting point is 00:03:10 Thank you for once again joining us. It is always great to have you here with us. A feature story in Wired from Andy Greenberg and Lily Hay Newman examines pig butchering crypto scams, which have evolved into a vast criminal industry, stealing tens of billions annually. The scam ecosystem includes tools and services for targeting victims, laundering stolen funds,
Starting point is 00:03:49 and even detaining human trafficking victims forced to work in scam operations. New research by Elliptic, a crypto-tracing firm, reveals that a single Cambodian platform, Huione Guarantee, linked to the Cambodian ruling family, supports this industry. Huione Guarantee, launched in 2021, facilitates peer-to-peer transactions using Tether cryptocurrency via Telegram. Elliptic traced $11 billion in transactions through Huione Guarantee, with $3.4 billion in 2023 alone, primarily supporting pig butchering scams.
Starting point is 00:04:29 The platform offers a range of illicit services, including human trafficking tools, scam target data, fake investment websites, deepfake services, and money laundering. Elliptic's co-founder Tom Robinson describes Huione Guarantee as the largest public platform for illicit crypto transactions. The scam operations are often run from compounds in Southeast Asia, where forced laborers live and work under harsh conditions. suggests that platforms like Huione Guarantee allow scammers to outsource various aspects of their operations, contributing to the increasing scale of these scams. Sean Gallagher from Sophos notes that pig butchering operations often use identical tools and infrastructure across different scams. Robinson proposes international sanctions against Huione's leadership to disrupt this criminal industry.
Starting point is 00:05:27 He emphasizes the need to target such marketplaces to combat the growing threat of crypto scams. Lulu Hypermarket, based in Abu Dhabi, has reportedly suffered a significant data breach, exposing personal details of at least 196,000 customers. The hacker group IntelBroker claimed responsibility, initially leaking some customer details on BreachForums. They announced plans to release the full database later, which includes millions of users and orders. Leaked details include email addresses and phone numbers, posing risks of phishing and identity theft. Lulu Hypermarket has not confirmed the breach or specified the types of data affected. IntelBroker has a history of targeting major organizations
Starting point is 00:06:16 and remains active on BreachForums, now under ShinyHunters' administration. Lulu customers are advised to stay vigilant. GitLab has issued critical security updates to fix multiple vulnerabilities, including a severe flaw with a CVSS score of 9.6, allowing attackers to run pipeline jobs as arbitrary users. The company urges immediate upgrades for both Community and Enterprise Edition users. The critical flaw affects GitLab versions 15.8 to 17.1.1 and was reported through GitLab's HackerOne program.
Starting point is 00:07:03 Palo Alto Networks released patches for multiple vulnerabilities, including a critical bug in its Expedition migration tool, allowing attackers to take over administrative accounts. This was fixed in Expedition version 1.2.92. Additionally, a high-severity file upload issue in Panorama could lead to a denial-of-service condition requiring manual intervention. Medium severity flaws in Cortex XDR and PAN-OS software were also addressed, preventing attackers from running untrusted code and tampering with the file system. The company provided an advisory on the BlastRADIUS vulnerability,
Starting point is 00:07:41 which could enable attackers to bypass authentication and escalate privileges in PAN-OS firewalls using CHAP or PAP protocols. No exploitation of these vulnerabilities has been reported. Researchers at Trellix report the latest variants of ViperSoftX malware use the Common Language Runtime to execute PowerShell commands within AutoIT scripts, evading detection. CLR, part of Microsoft's .NET framework, allows code execution in a trusted environment. ViperSoftX leverages this to load code within AutoIT, commonly trusted by security solutions. The malware also incorporates modified offensive scripts for increased sophistication. ViperSoftX steals system details, cryptocurrency wallet data, and clipboard contents.
Starting point is 00:08:35 Trellix emphasizes the need for comprehensive defensive strategies to detect, prevent, and respond to such sophisticated threats. James Thomas Andrew McCarty, age 21, from Cuyenta, New Mexico, was sentenced to seven years in federal prison for making hoax threats, including a call to Westfield High School in 2021 that led to a two-hour lockdown. McCarty pleaded guilty to making false calls and aggravated identity theft using real students' identities. His hoax calls targeted schools and governmental entities across multiple states, none of which were credible threats. McCarty also admitted to hacking a Ring doorbell in Florida, causing a police response, which he live-streamed for his own amusement.
Starting point is 00:09:25 The FBI and various local authorities assisted in the investigation. Phishing attacks on state and local government employees have surged by 360% from May 2023 to 2024, driven by the rise in business email compromise attacks, which increased by 70%, according to Abnormal Security's annual report. BEC attacks involve impersonating contractors or accounting employees to reroute payments to attackers. These attacks use social engineering tactics, avoiding clear indicators of compromise and often evading conventional security measures. State and local government agencies are particularly vulnerable due to their
Starting point is 00:10:09 frequent interactions with local contractors and mandated transparency, which provides attackers with detailed information to craft convincing emails. Account takeover attacks also rose by 43%, highlighting phishing as a reliable method for breaching networks. Limited cybersecurity resources in government entities increase the likelihood of undetected compromised accounts, posing significant risks. Hackers are posing as live chat agents for companies like Etsy and Upwork, tricking victims into providing credit card and banking information. This new phishing scam, detailed by cybersecurity firm Perception Point, exploits users' trust in live chat support. Unlike typical scams, this involves real humans
Starting point is 00:10:59 giving real-time responses, making it harder to detect. Hackers create fake webpages mimicking platforms' payment pages. When victims attempt to verify payments, they're redirected to a spoofed Stripe page where they enter their credit card details, which are then stolen. The scam escalates with a live chat support feature on the fake Stripe page, further extracting sensitive information. The phishing kit is described as sophisticated and versatile, with reusable templates across multiple platforms. Users are advised to verify support communications, avoid unsolicited links or QR codes, check website URLs for legitimacy, and use multi-factor authentication.
Starting point is 00:11:44 The Republican Party's new official platform, proposed by Donald Trump, emphasizes a laissez-faire approach to tech regulation. It advocates for boosting cryptocurrency and AI, opposing President Biden's crypto crackdown, and repealing his executive order on AI. The platform promises to support cryptocurrency mining, self-custody of digital assets, and transactions free from government control. Critics argue this could harm consumers and promote fraud. The platform also highlights commercial space exploration, aiming to bolster that industry. Notably, it does not address Section 230 or antitrust enforcement. Consumer advocates and some tech industry voices express concerns about these policies, emphasizing the need for regulations to protect consumers and ensure development. Coming up after the break, on today's Threat Vector, David Moulton from Palo Alto
Starting point is 00:12:53 Networks discusses the evolving threats of AI-generated malware with experts Rem Dudas and Bar Matalon. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows
Starting point is 00:13:48 like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform
Starting point is 00:14:35 secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. On the latest episode of the Threat Vector podcast, host David Moulton from Palo Alto Networks Unit 42 discusses the evolving threats of AI-generated malware with experts Rem Dudas and Bar Matalon.
Starting point is 00:15:19 Here's part of their conversation. Welcome to Threat Vector, the Palo Alto Networks podcast where we discuss pressing cybersecurity threats, cyber resilience, and uncover insights into the latest industry trends. I'm your host, David Moulton the world of AI-generated malware. Joining me are two exceptional guests from the Palo Alto Networks Cortex Research Group. Rem Dudas, Senior Threat Intelligence Analyst, and Bar Matalon, Threat Intelligence Team Lead. The rapid advancements in AI have brought about numerous benefits, but they've also introduced new and unprecedented challenges in the realm of cybersecurity.
Starting point is 00:16:16 Over the past year and a half, we've seen generative AI models like ChatGPT rise to prominence, offering powerful tools that anyone with an internet connection can access. While these tools have the potential for positive application, they also pose significant security risks when used maliciously. Rem and Bar have been at the forefront of researching these risks, conducting groundbreaking experiments to understand just how capable these AI models are in generating sophisticated malware. Today, we'll be discussing their findings,
Starting point is 00:16:45 the implications of AI-generated malware for the cybersecurity landscape, and what organizations can do to protect themselves from these emerging threats. We'll explore questions such as, can generative AI truly build malware? How difficult is it for a threat actor to leverage these tools? And what does this mean for the future of cybersecurity defense? Here's our conversation. So I think I'll start with you, Bar. Talk to me a little bit about yourself, your team, and what you've been up to. Yeah, so we're from the threat intelligence team in Cortex Research Group here at Palo Alto.
Starting point is 00:17:24 And we are kind of the team that mainly focused on external sources. There are other teams that do telemetry, but we're focused on open source intelligence. And we track the threat landscape to find new campaigns, new malware. And our mission is to make sure that our customers are protected from these emerging threats. And let me ask, you said open source in there. What is it about open source
Starting point is 00:17:53 that either drew you in or is an organizational choice? It can be like open repositories where malware samples are uploaded to. But it can also be like reports published by other security companies. So we monitor this, we take the samples and the
Starting point is 00:18:15 indicators that they mention and run them in our labs against Cortex XDR to see its coverage. Most of the time, yeah. Most of the time, Cortex does a great job. Sometimes there are some gaps, so our mission in the team is to hand it over to the other research teams and make sure we add this coverage
Starting point is 00:18:37 as quickly as possible. Bottom line, can generative AI build malware? The simple answer is yes. And there is a bit of a longer version for that answer. It's a lot more complex than it seems at first, but it is possible. With a little bit of knowledge, with a little bit of prompting, how did you judge where generative AI and building malware was dangerous
Starting point is 00:19:08 or it starts to go into the realm of this is a tool that a professional could use to go faster or build more creative malware? It took a while. It was a trial and error process, pretty much. We had a lot of attempts at first and we didn't manage to generate much in the beginning. But after getting the hang of it,
Starting point is 00:19:30 researching it a bit, and learning what makes it tick, yeah, we started getting more frightening results. So is it possible to instruct AI to mimic another malware? That was the next stage of our research. Yes, it is. Our next stage was to test the ability of generative AI, the abilities of generative AI
Starting point is 00:19:57 in terms of impersonating threat actors and specific malware types. We used open source materials. So, Bar touched upon this earlier, those articles regarding analysis of malware families and threat actors. We used a couple of those as a prompt or description for a generative AI engine and asked it to impersonate the malware discussed in these articles.
Starting point is 00:20:27 And we managed to do some pretty nasty things with that. Bar, what's the most important thing that a listener should remember from this conversation? It is possible to generate malware using AI, but it's not so easy.
Starting point is 00:20:45 You need to have basic understanding of how coding works and how to compile such malware. And you have to bypass these guardrails that the AI models have today. Let's plan on coming back to this conversation in, I think, six months, because I think that the pace of development in and around AI has caught me off guard. You guys into that?
Starting point is 00:21:13 Sure. Yeah, sounds great. All right. Bar, Rem, thank you so much for coming on Threat Vector today and giving us your insights on the research that you've been running and the findings that you've talked about today. Thanks for having us, David. And thank you very much. Thank you for joining today and stay tuned for more episodes of Threat Vector.
Starting point is 00:21:38 If you like what you heard, please subscribe wherever you listen and leave us a review on Apple Podcasts. Your reviews and feedback really do help us understand what you want to hear about. I want to thank our executive producer, Michael Heller. I edit Threat Vector and Elliot Peltzman mixes our audio. We'll be back in two weeks. Until then, stay secure, stay vigilant. Goodbye for now. Be sure to check out the Threat Vector podcast
Starting point is 00:22:07 wherever you get your favorite podcasts. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And finally, NATO has decided to bring social media influencers to their Washington summit to improve their image among young people. That's right. 16 content creators from various countries,
Starting point is 00:23:23 along with 27 invited by the U.S. Defense and State Departments, are mingling with world leaders. These influencers, popular on platforms like TikTok, YouTube, and Instagram, met top officials, including at the Pentagon and the White House. The idea is to engage a generation born after the Cold War using people who make dance videos and how-to clips. Critics argue this approach is misguided. They say NATO, a critical defense alliance, seems more interested in viral videos than substantive engagement. Using influencers to promote NATO's mission might appeal to some, but it risks trivializing serious global security issues. Some say it feels like a desperate attempt to stay relevant, glossing over deeper challenges facing the alliance and its public perception. On the other hand, by leveraging influencers,
Starting point is 00:24:18 NATO aims to combat misinformation and disinformation campaigns, particularly those propagated by hostile state actors. Influencers can play a role in disseminating accurate information and countering false narratives. It's a bit of a head-scratcher, but if it fulfills NATO's strategic PR goals, it may also be the shape of things to come. And that's the CyberWire. For links to all of today's stories,
Starting point is 00:24:57 check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com.
Starting point is 00:25:40 This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Iben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilby is our publisher. And I'm Dave Bittner. Thanks for listening.
Starting point is 00:25:57 We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
