CyberWire Daily - On the eve of the holiday season, officials in many countries issue warnings and take action against cybercrime.
Episode Date: November 22, 2023

CISA issues joint Cybersecurity Advisory on Citrix Bleed. Law enforcement takes down "pig butchering" operations. Altman will return to OpenAI. Israeli honeypots deployed during the war. A renaissance... in electronic warfare. And a response in the form of countermeasures. Ihab Shraim, Chief Technology Officer at CSC, shares how the growing popularity of AI is giving cybercriminals a new avenue to take advantage of some of the largest companies in the world. And online safety during the holidays.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/223

Selected reading.
CISA issues joint Cybersecurity Advisory on Citrix Bleed. (CyberWire)
Cyber Scam Organization Disrupted Through Seizure of Nearly $9M in Crypto (U.S. Department of Justice)
China Rounds Up 31,000 Suspects in Sweeping 'Pig-Butchering' Crackdown (Wall Street Journal)
OpenAI Says Sam Altman to Return as CEO (Wall Street Journal)
Altman Agrees to Internal Investigation Upon Return to OpenAI (The Information)
Sam Altman, OpenAI Board Open Talks to Negotiate His Possible Return (Bloomberg)
Before Altman's Ouster, OpenAI's Board Was Divided and Feuding (New York Times)
Altman Argued With OpenAI Board Member Toner Before Ouster (The Information)
The Invisible War in Ukraine Being Fought Over Radio Waves (New York Times)
Exclusive: This pizza box-sized equipment could be key to Ukraine keeping the lights on this winter (CNN)
Commercial Flights Are Experiencing 'Unthinkable' GPS Attacks and Nobody Knows What to Do (Vice)
Shopping securely on Black Friday (and beyond). (CyberWire)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.

CISA issues joint cybersecurity advisory on Citrix Bleed.
Law enforcement takes down pig butchering operations.
Altman will return to open AI.
Israeli honeypots deployed during wartime.
A renaissance in electronic warfare.
Ihab Shraim, chief technology officer at CSC,
shares how the growing popularity of AI
is giving cybercriminals a new avenue to take advantage
of some of the largest companies in the world and online safety during the holidays.
I'm Trey Hester filling in for Dave Bittner with your CyberWire Intel briefing for Wednesday, November 22nd, 2023.
The authorities in Australia and the U.S. have issued some advice about the Citrix Bleed vulnerability. The U.S. Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, the Multi-State Information Sharing and Analysis Center, and the Australian Signals Directorate's Australian Cyber Security Centre yesterday released a joint cybersecurity advisory outlining LockBit 3.0 ransomware affiliates' exploitation of the Citrix Bleed vulnerability, also known as CVE-2023-4966, affecting Citrix NetScaler ADC (application delivery controller) and NetScaler Gateway appliances. CISA notes that both cybercriminal and nation-state threat actors are exploiting the vulnerability, which received a patch in October. The advisory is worth your attention, so please give it a look.

In separate operations,
authorities in the U.S. and China took action against pig butchering gangs. The U.S. Department
of Justice seized almost $9 million in Tether altcoin that had been accumulated in the course
of pig butchering investment scams. Acting Assistant Attorney General Nicole M. Argentieri
of the Justice Department's Criminal Division said, quote,
Through this significant seizure, we disrupted the financial infrastructure of an organized
network of scammers who stole millions from victims across the United States.
These scammers prey on ordinary investors by creating websites that tell victims their
investments are working to make them money. The truth is that these international criminal actors
are simply stealing cryptocurrency and leaving victims with nothing. End quote. Tether worked closely with investigators to identify the fraud,
which had some 70 victims, and to secure the stolen assets. The other enforcement action was
on the other side of the globe. The Wall Street Journal reports that Chinese authorities went
after the criminal operators themselves. Working with both the government of neighboring Myanmar
and with the warlords who control effectively autonomous regions along the Chinese border,
they've arrested 31,000 alleged gang members since September. Much of the pig butchering
affects Chinese citizens, and Chinese expatriate criminals figure prominently in the gangs who
conduct it. As a reminder, pig butchering is protracted fraud that prospects and exploits targets over a long approach, metaphorically fattening them up for financial slaughter. The marks are almost always lured by either catfishing romance scams or by the promise of wealth through sure-thing speculation.
Details remain to be worked out, but last night OpenAI announced that its former CEO, Sam Altman, who was fired last Friday, would return to his old job. The move appears to have involved compromise on both sides. The Wall Street Journal reports that the company will get a new board, initially consisting of three members: Bret Taylor, former co-CEO of Salesforce; Larry Summers, former Treasury Secretary and President of Harvard University; and Adam D'Angelo. D'Angelo is the only member of OpenAI's board to retain a seat on the new board, which Taylor will chair. The board may be expanded with six more members, but who that might be is still undetermined. Altman will not be on the initial board, according to The Information, and has agreed to an internal investigation of whatever conduct the previous board interpreted as a lack of candor.

As of late yesterday afternoon, Bloomberg reported that Altman was still in talks with his old company's board about a possible reinstatement. If he were to return, sources then said, it would be as both CEO and member of a transitional board. He will have the CEO job back, but not a seat on the board. Discussions are happening between Altman, CEO Emmett Shear, and at least one board member. The talks also involve some of OpenAI's investors, many of whom are pushing for his reinstatement. Shear, who had been the second interim CEO to serve at OpenAI since Altman was dismissed Friday, is said to have indicated that he would not stay unless the board can give him a clear account of why it fired Altman in the first place.

The New York Times reported that the company's board was divided before the firing. OpenAI seems to have been troubled by a deep and evidently irreconcilable disagreement between sanguine utopians who saw artificial intelligence as fundamentally benign and sought to push it to market as fast as possible, and melancholic dystopians who were more alive to the potential dangers of the technology. That tendency was represented by board member Helen Toner, who had published a paper that appeared critical of OpenAI's approach to safety.

Turning from crime and commerce to hybrid war, the New York Times writes
that electronic warfare has been a relative strength of the Russian army. That army's ability to jam drones in particular, and to geolocate radio frequency emitters accurately enough for targeting, has presented a contrast with the army's otherwise lackluster tactical performance. Ukraine and its suppliers are adapting, using hackathons and what the Times characterizes as a startup mentality to respond to the demonstrated Russian capabilities. But the full spectrum of Russian electronic attack and collection capabilities remains a problem Ukraine has yet to fully solve.

GPS signals have been a common target of Russian jamming. This is most commonly thought of in terms of interference with positioning, but GPS signals are also a source of precision timing. Disruption of timing can interfere fatally with elements of the power grid, and thus they're expected to figure prominently on Russian electronic attack target lists this winter. CNN reports that Cisco has developed and delivered switches that give Ukrenergo, Ukraine's power authority, redundant timing to compensate for any GPS interference. The switches, placed in electrical power substations, ensure those substations' connectivity will work even in the absence of GPS.

Interference with GPS is not confined to jamming and is not confined to Russia's war against Ukraine either. Commercial aircraft are experiencing spoofed GPS signals intended to mislead aircraft positioning and navigation systems during flights in the Middle East. Wired reports that the incidents appear to be centered on Baghdad, Cairo, and Tel Aviv. Who's behind the activity is unknown, but in terms of capability and opportunity, speculation has centered on Iran and Israel.
And finally, Thanksgiving traditionally in the United States
marks the beginning of the holiday season.
This, of course, also marks a season of buying, selling, and of charitable giving.
Since so much getting and spending and giving are now online,
the security industry has some advice for all to keep in mind.
We will not be publishing tomorrow or Friday,
and we hope you'll be observing the holiday as well.
But in the meantime, check out N2K Cyber's compendium of advice on the holidays.
You'll find it near the top of our stories on our website.
And of course, a happy Thanksgiving to all.
Coming up after the break, Dave Bittner sits down with Ihab Shraim,
Chief Technology Officer at CSC, to discuss how AI is giving cybercriminals a new avenue
to take advantage of some of the largest companies in the world. Stick around.

Do you know the status of your compliance controls right now? Like right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Learn more at blackcloak.io.

Our own Dave Bittner sits down with Ihab Shraim, Chief Technology Officer at CSC, to discuss how the growing popularity of AI is giving cybercriminals a new avenue to take advantage of some of the largest companies in the world.
Here's Dave. So today we're talking about the recent domain security report that you all put
out and some interesting findings here when it comes to AI. Can we start off with some high
level stuff here? Can you give us a little overview of what prompts the creation of this report?
We are in the backend registrar
and we are in the brand protection services
as well as the anti-fraud protection services.
And we offer these services for our customers.
And what we noticed is that there is a lack of focus on anything outside, per se, the demarc of a corporation.
As you know, the demarc of any corporation could extend to someone's remote site or house or any remote fields, data centers, etc.
Having said that, we embarked a few years ago on building this Global 2000 security report to highlight the importance
of domain security on the internet. We think it's a blind spot for a lot of security professionals,
not because they are not focusing on it. It's because they're focusing on defending the
enterprise and they do a very good job, say, within the perimeter of the enterprise.
But outside the enterprise, we see a lot of gaps,
and this is the missing link, and that's what CSC is trying to highlight in the industry.
Well, let's go through some of the highlights together here.
What are some of the things from the report that really caught your attention?
Very, very good question.
We've noticed that 43% of the .ai domains are registered to third parties.
And that's really critical because, as you know, in the domain name industry, we get new extensions all the time.
For example, the traditional ones were .com, .net, .org, .biz, .us, etc.
Well, that's now extended to everything. It could be .ai, .live, .app, and so forth.
The most recent one is .ai, for artificial intelligence. And having 43% registered by a third party means the brand owner does not own that domain name that belongs to them. For example, if I were to say company XYZ is operating online, XYZ.com is operating properly online, everything is fine. However, xyz.ai is owned by a third party.
And that could be a malicious party.
It could be a bad actor, a cyber criminal.
It could be a fraudster.
Brand owners must own these domain names
because that's their online presence.
That's their reputation.
And therefore, this is an alarming find that we
have seen. We've also seen about 21% of the subdomain names don't resolve to anything.
So what does that mean? When a subdomain name doesn't resolve to anything, it means it's prone to be hijacked by cyber criminals. In fact, if you looked at this phenomenon or this problem,
it took place in the past several years
where people were hijacking, meaning cyber criminals were
hijacking subdomain names that are legit
in the cloud infrastructures. Why? Because
in general, for example,
a marketing team would launch a new campaign
for a new product they are releasing,
and by removing the content they think,
and the website, everything is fine.
But in reality, the subdomain name itself
is still in the DNS zone,
and it's prone to be hijacked.
And that's what we are trying to highlight with our report.
What are your recommendations here?
I mean, should it be a general cost of doing business
that an organization should buy up all of these domains?
We believe that domain security should be an integral part
of the security posture of any company,
any corporation operating online, as well as the government sector. What do we mean by that?
You have to think in terms of augmenting that data, not through a multitude of vendors. You have
to have full access by the security professionals and the CISO to the domain name portfolio.
And the domain name portfolio for a lot of companies is global.
It will include what's called the gTLD, a global top-level domain like .com, .net, and so forth, or a ccTLD like a .uk or a .ru. You have to manage that portfolio and watch it, meaning monitor it,
continuously monitoring it by a professional team that will disallow
any social engineering attacks on the portfolio, DNS hijack,
any domain name hijack, domain name shadowing.
It prevents a lot of phishing attacks.
And we recommend not only to have an enterprise-level class registrar, which is way different than a retail class registrar. An enterprise class registrar will have the teams that are working 24 by 7 to protect that domain name from add, modify, and delete. It has to be fully authorized, fully authenticated, and of
course those teams are well trained. Another thing that we would like to heavily recommend as part of the security posture is to look at your DNS as something that you must
watch. You have DNS zones that are not cleaned for, say, 20, 30 years. And this is not neglect.
This is part of how the corporation grows, there's acquisitions, and so forth. So these are what we
call the blind spots, the neglected areas,
and they are the exposed surfaces to the internet by which cyber criminals try to take advantage of.
Of course, we have many other recommendations, such as how do you look at your domain name
registrations, modifications, and drops on a daily basis. And if you see something that is suspicious, it has to be investigated. And last but not least, we heavily recommend the ability to have the mitigation piece. The mitigation piece is composed of three parts in the industry. The first part is a takedown enforcement capability to take down any malicious site anywhere around the world.
The second one, UDRP filings by which you can file a UDRP to regain control of that critical domain name that must belong to the brand owner.
And thirdly, it's the ability to block across the internet. For example, you block across browsers,
you share data with your partners, with ISPs, and
telco providers. So those are the tools
available. I mean, if I'm someone who discovers that my
xyz.com domain, that someone has spun
up xyz.ai,
there are things that I can do to set that right?
Yes, there are so many tools
in our arsenal today
that allows us to,
as soon as this domain name is registered,
it automatically gets highlighted
and alerts our teams.
For example, for our customer base,
we immediately alert the brand owner
that this domain name got registered,
not by you, by someone else.
And if the domain name is dormant,
meaning it doesn't have a website associated with it,
or it doesn't have an MX record,
one of the things that I would like to highlight
is that if you see an MX record and there is no website, it tells you that someone is going to do something.
What is that thing? Could be a phishing campaign or a phishing augmented with a malware campaign,
or it could be something very, very, very suspicious that will appear very soon.
So dormant domain names are a critical part of what we look for on a daily basis.
And that should be integrated in the modern security operations center by which it tells you what to do next.
And then if you are seeing it, you put it in monitoring, continuous monitoring.
As soon as a website is on, the website must be investigated. And if it's, say, a phishing site, you immediately
take action with the mitigation arm of enforcement by conducting an actual takedown. Now, of course,
you domain cast, which is you share that data, that suspicious domain name that is associated with that, say, phishing site.
You share it with your partners, your telco providers, the ISPs, browser carriers, and so forth.
We have built the largest network of blocking to block malicious URL-based behaviors that involves with phishing fraud.
That's Dave Bittner, sitting down with Ihab Shraim, Chief Technology Officer at CSC.
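The two checks Shraim describes in the interview, dangling subdomains left in the zone after a campaign site is torn down, and third-party look-alike domains that carry an MX record but no website, as an added Python example that is not CSC's tooling or anything from the show. The zone export, the .invalid hostnames and the resolver stand-in are constructed sample data.

```python
"""Added example (not CSC's tooling or code from the show): two heuristics
the interview describes, run over constructed sample data.
1. Dangling subdomains: a CNAME whose target no longer resolves is the
   classic takeover-prone leftover of a torn-down campaign site.
2. Look-alike domains registered by third parties: an MX record with no
   web presence is the 'someone is about to do something' signal.
Names under .invalid and the resolver below are constructed placeholders."""
from dataclasses import dataclass
from typing import Callable

# Constructed zone export for the brand's apex: name -> [(rrtype, value), ...]
ZONE = {
    "www.example.com":   [("A", "203.0.113.10")],
    "promo.example.com": [("CNAME", "promo2019.cloudhost.invalid")],  # campaign torn down
    "shop.example.com":  [("CNAME", "shop-prod.cdn.invalid")],
}

# Constructed stand-in for a resolver: the set of names that still answer.
LIVE_NAMES = {"shop-prod.cdn.invalid"}

def fake_resolver(name: str) -> bool:
    """Placeholder for a real lookup (e.g. dnspython); True if the name resolves."""
    return name in LIVE_NAMES

def find_dangling(zone: dict, resolves: Callable[[str], bool]) -> list:
    """Return (subdomain, target) pairs whose CNAME points at a dead name.
    Only CNAMEs are checked: an A record to a released cloud IP cannot be judged
    from the zone alone and needs the provider's allocation data."""
    return [(name, value)
            for name, rrs in zone.items()
            for rrtype, value in rrs
            if rrtype == "CNAME" and not resolves(value)]

@dataclass
class LookAlike:
    domain: str
    brand_owned: bool
    records: frozenset  # rrtypes observed at apex/www, e.g. frozenset({"MX"})

def triage(d: LookAlike) -> str:
    """Rank a same-name registration under another TLD by what its DNS shows."""
    if d.brand_owned:
        return "owned"
    has_web = bool(d.records & {"A", "AAAA"})
    if has_web:
        return "live-site"        # content up: investigate, takedown if phishing
    if "MX" in d.records:
        return "mx-without-web"   # mail-ready, no site: likely phishing staging
    if not d.records:
        return "dormant"          # third-party held, nothing live: keep monitoring
    return "monitor"

def triage_portfolio(lookalikes: list) -> dict:
    """Map each domain to its triage label, worst cases first."""
    order = {"live-site": 0, "mx-without-web": 1, "monitor": 2, "dormant": 3, "owned": 4}
    ranked = sorted(lookalikes, key=lambda d: order[triage(d)])
    return {d.domain: triage(d) for d in ranked}

if __name__ == "__main__":
    print(find_dangling(ZONE, fake_resolver))
    print(triage_portfolio([
        LookAlike("example.ai", False, frozenset({"MX"})),
        LookAlike("example.app", False, frozenset()),
        LookAlike("example.com", True, frozenset({"A", "MX"})),
    ]))
```

Swapping `fake_resolver` for a real lookup turns `find_dangling` into the daily zone hygiene check the interview recommends; the triage labels are the input to the monitoring and takedown steps, not a verdict on their own.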
trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.

the 1%? Maybe, but definitely 100% closer
to getting 1% cash back with TD Direct Investing.
Conditions apply.
Offer ends January 31st, 2025.
Visit td.com slash dioffer to learn more.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
This episode was produced by Liz Ervin and senior producer Jennifer Ivan.
Our mixer is me, with original music by Elliot Peltzman.
The show is written by our editorial staff.
Our executive editor is Peter Kilpie.
And I'm Trey Hester, filling in for Dave Bittner.
Thanks for listening.
We'll see you back here next week.

Your business needs AI solutions that are not only ambitious,
but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease
through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at
ai.domo.com. That's ai.domo.com.