CyberWire Daily - New Zealand stock exchange sustains DDoS attacks. Flash alert on GoldenSpy. Cyber mercenaries and industrial espionage. Lèse-majesté online. Offering $1 million to a potential co-conspirator?

Episode Date: August 26, 2020

New Zealand’s stock exchange has sustained two distributed denial-of-service attacks this week. CISA and FBI issue an alert about GoldenSpy. Two cyber mercenary groups are engaged in industrial espionage for hire. Thailand decides to crack down on sites that host content the government deems illegal. Joe Carrigan looks at new types of crimes made possible by AI. Our guest is Shane Harris from The Washington Post on an Elite CIA unit which failed to secure its own systems. And a Russian national faces US charges of conspiracy to damage a computer. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/166 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. New Zealand Stock Exchange has sustained two distributed denial-of-service attacks this week. CISA and FBI issue an alert about GoldenSpy. Two cyber-mercenary groups are engaged in industrial espionage for hire. Thailand decides to crack down on sites that host content the government deems illegal.
Starting point is 00:02:19 Joe Carrigan looks at new types of crimes made possible by AI. Our guest is Shane Harris from The Washington Post on an elite CIA unit which failed to secure its own systems. And a Russian national faces U.S. charges of conspiracy to damage a computer. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, August 26, 2020. NZX Limited, operator of New Zealand Stock Exchange, halted trading for a few hours yesterday as it sustained a cyber attack. Reuters reports that it was the second such attack the exchange had suffered in as many days.
Starting point is 00:03:15 According to Security Brief, the incident was a distributed denial-of-service attack, specifically a volumetric distributed denial-of-service attack from offshore. A distributed denial-of-service attack of this kind in itself doesn't put data at risk, but it does interrupt operations. In this case, as the BBC points out, it's likely that investors and brokers were unable to execute trades. The attack remains under investigation. There's no indication in any of the reports that NZX received any threats or extortion demands before the attack hit, but CERT NZ did warn back in November that emails styling themselves as being from Fancy Bear
Starting point is 00:03:57 threatened denial-of-service attacks against financial services firms unless the companies paid a ransom. But nothing came of it at the time beyond a brief flurry of 30-minute demonstrations, so November's threats were empty. It's also a lead-pipe cinch that the threats didn't come from the real Fancy Bear, which of course is a hacking unit of Russia's GRU. Instead, they were an early instance of copycat criminals attempting to cash in on the intelligence service swank that attaches to the bears. So, no, not Fancy Bear or any other ursine threat group, just hoods using a booter. Infosecurity Magazine reports that CISA and the FBI have issued a joint flash alert concerning the GoldenSpy malware embedded in tax software that Beijing requires businesses operating in China to use.
Starting point is 00:04:50 The alert points out that GoldenSpy is the work of a threat group that knows what it's doing. Quote, "This reveals the actor's high level of sophistication and operational awareness. The software service providers have not provided a statement acknowledging the software supply chain compromise," the alert reads. It goes on to say that the FBI assesses that the cyber actor's persistent attempts to silently remove the malware are not a sign of resignation. Rather, it is an effort to hide their capabilities. Organizations conducting business in China continue to be at risk from system vulnerabilities exploited by the tax software and similar supply chains.
Starting point is 00:05:29 Two mercenary groups are drawing attention. The first, DeathStalker, identified and named by the security firm Kaspersky, targets financial services and legal firms. DeathStalker doesn't seem to be monetizing its hacking in any obvious way. It's not demanding ransom, and its take hasn't been seen for sale in any of the usual dark web markets. This suggests that it's a hack-for-hire operation. As the report puts it, quote, "They don't deploy ransomware, steal payment information to resell it, or engage in any type of activity commonly associated with
Starting point is 00:06:05 the cybercrime underworld. Their interest in gathering sensitive business information leads us to believe that DeathStalker is a group of mercenaries offering hacking-for-hire services or acting as some sort of information broker in financial services." Kaspersky says they've found that DeathStalker has been active since 2018, with some signs suggesting that the group may have been active as early as 2012. DeathStalker's signature tool is PowerSing, a PowerShell-based implant. DeathStalker could be a small group or even a skilled individual, taking good advantage of a reliable tool.
Starting point is 00:06:44 DeathStalker appears to choose its targets either for their perceived value or because it's been tasked to hit those targets by those who've hired DeathStalker. The other mercenary gang doesn't have a name yet, let alone one so menacing as DeathStalker. Researchers at the security firm Bitdefender this morning described the other mercenary crew as an industrial espionage outfit. The target is an unnamed luxury real estate company with a large architectural practice. The hackers used a maliciously crafted plug-in for Autodesk 3D Studio Max, a widely used 3D computer graphics tool. The plug-in deploys a backdoor used
Starting point is 00:07:23 to scout for valuable files. The threat group's command and control infrastructure is based in South Korea. Telemetry suggests to Bitdefender that there may be other unidentified victims in South Korea, the United States, Japan, and South Africa. Who's behind the group is unclear. It may be a purely criminal operation, but Bitdefender points out that similar mercenary operations in the past have been connected to state-sponsored groups, perhaps moonlighters. The Washington Post reports that Thailand is cracking down on social media critical of the country's monarchy. The Minister of Digital Economy and Society said that when it deemed
Starting point is 00:08:03 a web address to contain illegal material, it would obtain a court order to block access in Thailand to that address. Enforcement would then fall on the platform that carries the illegal material. They'd have 15 days to comply with the court order or face legal action. The decision came to general attention because Facebook was directed to take down the Royalist Marketplace group, whose posts were deemed insulting to Thailand's monarchy. Facebook complied, but it's also preparing legal action to challenge the order. A Facebook spokesperson told CNN,
Starting point is 00:08:58 And finally, a Russian national, Yegor Yegorovich Kriuchkov, has been arrested in Los Angeles by U.S. authorities who allege that he was conspiring to intentionally damage a computer. The Las Vegas Sun reports that the FBI maintains that from about July 15th to about August 22nd, Kriuchkov conspired with associates to recruit an employee of a company to introduce malware into an unnamed company's computer network. That unnamed company was in Nevada, and the feds say that Mr. Kriuchkov was offering prospective co-conspirators up to a million dollars to help him install that malware. Sellers, Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Starting point is 00:09:57 Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings
Starting point is 00:10:34 automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber
Starting point is 00:11:04 for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Shane Harris writes for The Washington Post, and he joins us with details from his recent story on an elite CIA unit that developed hacking tools but came up short when securing its own systems.
Starting point is 00:12:28 a huge leak or disclosure of CIA computer hacking tools that occurred back in March 2017 when they were published on WikiLeaks, which gave this release the name Vault 7, which your listeners may be familiar with. We were following that when it occurred, and then we later broke the story about the government arresting someone who they suspected in the leak itself, a former CIA employee. And so we've just sort of been on this for a while now, covering his trial as well. And once this report, this internal report came to light, it was shared with us by a senator who is key on these issues as well, Senator Wyden. And it was really the first look that we had had internally to the CIA at how they believed this leak occurred and the assessment of the damage that they gave it as well. Your article mentions that perhaps there were some misunderstandings between the folks who ran the unit and the people who maintained the network, that there might have been some problem with some contractors? Yes. One of the issues that got noted in the report is this
Starting point is 00:13:31 question around whether or not this network on which the CIA employees were building these cyber tools, and we should emphasize this is a network that is separate from the larger enterprise network of the CIA. So it's kind of its own discrete little sandbox, if you will, that the engineers who were working on that presumed that they had an ability to audit that network. It turns out that that actually was not as well maintained as these offensive folks thought, and that the network itself was being maintained by contractors. And this former official told us that there was this misunderstanding between the people who run the unit and the people who maintained the network. And now, of course, we see why that misunderstanding
Starting point is 00:14:15 and that disconnect proved to be so disastrous. But what this person was essentially saying is, like, look, these were separate jobs, and, you know, and the offensive guys assumed that the contractors were protecting them in ways that ultimately they just weren't. How is the CIA responding to this report? Has there been much pushback or are they taking their lumps and looking at as lessons learned? I think the latter, really. I mean, it's our understanding that the panel that did this review, and they're not identified in the report, are well-respected in the agency. There's a sense that, you know, they did do an adequate job. They know what they're talking about. You know, they have enough familiarity with the subject matter. not only a huge breach, but the government lawyers prosecuting the alleged leaker have said in court that it was the biggest unauthorized disclosure of classified CIA information in history.
Starting point is 00:15:12 You know, it led to the shutting down of operations. It exposed these tools to American adversaries. So I don't think the agency is trying to sugarcoat it. They know how bad this is, and they are very aggressively pursuing this individual who they think was the leaker. That's Shane Harris from The Washington Post. Cyber threats are evolving every second, and staying ahead is more than just a challenge. Thank you. to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And joining me once again is Joe Carrigan.
Starting point is 00:16:34 He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast. Hello, Joe. Hi, Dave. Interesting article came by from ZDNet. It has what I guess is a somewhat breathless title. It's Evil AI. These are the 20 most dangerous crimes that artificial intelligence will create.
Starting point is 00:16:55 But under the hood there, there's some interesting things in here. Take us through this article, Joe. What's going on? So what happened was there was a ranking that was put together after scientists from the University College London compiled a list of 20 AI-enabled crimes. And this was kind of like a survey of these scientists, and they ranked these crimes in order of concern based on what harm they could cause, the potential for criminal profit or for gain, how easy they are to carry out and how difficult they would be to stop. So topping the list, not surprisingly, something that we've seen
Starting point is 00:17:32 before are deepfakes. And I've said before that I'm not really concerned about deepfakes for the 2020 election, but I'm very concerned about deepfakes in the 2024 election. I think that's going to be enough time for these things to improve to the point where they may become a problem. This article on ZDNet points out that there are tools out there on many of these platforms that can detect deepfakes, but there are plenty of unmoderated or uncontrolled, I don't want to say censored, but plenty of other channels for this information to flow through, this misinformation. Yeah. So that's actually, I don't actually disagree with that. Deepfakes are potentially one of
Starting point is 00:18:18 the most devastating things we're going to be seeing coming out of AI. In the list of crimes, they list of high concern. Another thing is the AI-authored fake news. And that's going to be, they predict that's going to be a real problem as well. And it may very well be. This is where we're going to have to have information provenance on these so we can know the history of where this information came from. And there's got to be some kind of technical solution around verifiable information for this. But then that relies on the populace to understand how this works and how to collect valid information for your own opinion forming and not collect this fake information. The other things they list here are driverless cars being weaponized, tailored phishing. I think that's a good observation that tailored phishing is going to become a problem
Starting point is 00:19:10 with AI. Large-scale blackmail is interesting. You know, the ability to automate the collection of data on all kinds of people and then essentially threaten them with doxing. I mean, can you imagine the amount of money you could make on just threatening to dox a million people? Some of the lower concern things, they have misuse of military robots, snake oil. I have a real problem with people that sell snake oil. Learning-based cyber attacks, autonomous attack drones, denial of service and online activities. And here's another one, manipulating financial or stock markets. I actually think that's a bigger threat as well, that that is something that can have an opportunity for huge profits, huge profits. And then the AI crimes that they have of low concern here are burglar bots, AI-authored fake reviews, and AI-assisted stalking. I don't know why that's so low.
Starting point is 00:20:07 But burglar bots, I'm not too worried about burglar bots. Yeah, the only one that stands out to me, leaves me scratching my head, is driverless vehicles as a weapon. And having that be a high concern. I don't know. I wonder about that. I mean, a driverless vehicle presumably is going to be pretty traceable. It's going to have, you know, some kind of VIN on it. There are all kinds of—it's like people—folks I've talked to about this sort of thing have said, yeah, but this is one of those things that sort of relies on social norms. I mean, you don't have—it just doesn't really happen, you know.
Starting point is 00:20:44 Right. They grab headlines. They're interesting to think about as worst-case scenarios, but they just don't really happen that much. Right. I don't, I don't, I'm not too terribly concerned about that right now. I am concerned about the verifiability of autonomous systems. In fact, we have the Institute for Assured Autonomy now at JHU, where we're focusing research on making sure that autonomous systems are verifiable, among other things. The thing I find most concerning is the deepfakes and the fake news from AI. I think those two are not, I don't think that people will use them for profit, but I do believe people will use them as a means to power. And I don't know if
Starting point is 00:21:26 anybody of our listeners have picked up on this, but I am very leery of people who seek power. Okay, fair enough. All right. Well, again, the article's titled Evil AI. These are the 20 most dangerous crimes that artificial intelligence will create. It's over at ZDNet. Joe Carrigan, thanks for joining us. My pleasure, Dave. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, keep you informed, and four out of five dentists recommend it.
Starting point is 00:22:21 Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash,
Starting point is 00:22:36 Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo
Starting point is 00:23:39 is easy. Learn more at ai.domo.com
