CyberWire Daily - Opening up on hidden secrets.
Episode Date: June 5, 2024

OpenAI insiders describe a culture of recklessness and secrecy. Concerns over Uganda's biometric ID system. Sophos uncovers a Chinese cyberespionage operation called Crimson Palace. Poland aims to shore up cyber defenses against Russia. Zyxel warns of critical vulnerabilities in legacy NAS products. Arctic Wolf tracks an amateurish ransomware variant named Fog. A TikTok zero-day targets high profile accounts. Cisco patches a Webex vulnerability that exposed German government meetings. On our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's ISC2 CISSP certification journey, diving into Domain 7, Security Operations. A Canadian data breach leads to a class action payday.

Our 2024 N2K CyberWire Audience Survey is underway; make your voice heard and get in the running for a $100 Amazon gift card. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

Learning Layer
On our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's ISC2 CISSP certification journey using N2K's comprehensive CISSP training course, CISSP practice test, and CISSP practice labs. Sam and Joe dive into Domain 7, Security Operations, and tackle the following question: Which of the following is the MOST important goal of Disaster Recovery Planning?
A. Business continuity
B. Critical infrastructure restoration
C. Human safety
D. Regulatory compliance

Selected Reading
OpenAI Whistle-Blowers Describe Reckless and Secretive Culture (The New York Times)
Uganda: Yoweri Museveni's Critics Targeted Via Biometric ID System (Bloomberg)
Chinese South China Sea Cyberespionage Campaign Unearthed (GovInfo Security)
Palau confirms 'major' cyberattack, points to China (Digital Journal)
Poland to invest $760 million in cyberdefense as Russian pressure mounts (The Record)
'NsaRescueAngel' Backdoor Account Again Discovered in Zyxel Products (SecurityWeek)
Arctic Wolf sniffs out new ransomware variant (CSO Online)
CNN, Paris Hilton, and Sony TikTok accounts hacked via DMs (Security Affairs)
Cisco Patches Webex Bugs Following Exposure of German Government Meetings (SecurityWeek)
ICBC must pay $15K to all who had data breached before JIBC attacks (Vancouver Sun)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.

...of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life... JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K.

OpenAI insiders describe a culture of recklessness and secrecy. Concerns over Uganda's biometric ID system. Sophos uncovers a Chinese cyber espionage operation called Crimson Palace. Poland aims to shore up cyber defenses against Russia. Zyxel warns of critical vulnerabilities in a legacy NAS product. Arctic Wolf tracks an amateurish ransomware variant named Fog. A TikTok zero-day targets high-profile accounts. Cisco patches a Webex vulnerability that exposed German government meetings. On our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's ISC2 CISSP certification journey, diving into Domain 7, Security Operations. And a Canadian data breach leads to a class action payday.

It's Wednesday, June 5th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing.

Thank you for joining us here today. It is great to have you with us.
A group of OpenAI insiders, including nine current and former employees, is exposing what they describe as a culture of recklessness and secrecy at the company, the New York Times reports. The insiders claim OpenAI prioritizes profits over safety in its race to develop Artificial General Intelligence, or AGI. The insiders accuse the company of using restrictive non-disparagement agreements to silence concerns. Former researcher Daniel Kokotajlo, a leading whistleblower, criticized OpenAI for its aggressive pursuit of AGI without sufficient safety measures. The group recently published an open letter calling for greater transparency and protections for whistleblowers at AI companies. They demand an end to restrictive agreements and advocate for a culture that allows open criticism and anonymous reporting of safety issues. OpenAI is also dealing with several controversies, including legal battles over copyright infringement and backlash from its recent voice assistant launch. The company has faced internal turmoil, including the departure of senior AI researchers Ilya Sutskever and Jan Leike, who left due to concerns over safety being neglected in favor of rapid development. OpenAI has responded, claiming a commitment to safety and transparency and announcing new safety initiatives. The whistleblowers, however, remain skeptical and are urging regulatory oversight to ensure responsible development of powerful AI systems.
Bloomberg reports on Uganda's biometric identification system. Introduced to enhance security, it's become a powerful tool for state surveillance, targeting critics and opposition. The system collects citizens' biometric data, including faces, fingerprints, and irises, and is tied to various essential services, allowing extensive monitoring. In December 2020, human rights lawyer Nick Opiyo was detained by armed security forces. Accused of money laundering, Opiyo believes his arrest was due to his work at the non-profit Chapter Four, documenting extrajudicial killings by state security forces before the 2021 elections. His possessions were confiscated, and he was interrogated for days before being released. The charges were dropped nine months later. Opiyo's case highlights the misuse of the biometric system for political repression. Despite international criticism, President Museveni continues to leverage this system to consolidate power. As Uganda prepares for the 2026 elections, the government plans to roll out a new ID system, further entrenching surveillance capabilities. Opiyo remains committed to advocating for human rights amidst increasing authoritarianism.

A prolonged cyber espionage campaign has targeted a government agency in a country clashing with China over the South China Sea. Researchers at Sophos uncovered the operation, dubbed Crimson Palace, attributing it to Chinese state-sponsored hacking clusters. The attackers targeted documents with intelligence value, including military strategies. Sophos does not name the targeted nation in their research. Sophos identified three hacking clusters, Alpha, Bravo, and Charlie, each showing coordinated activity. Cluster Alpha was linked to BackdoorDiplomacy and TA428, while Cluster Charlie was connected to Earth Longzhi and APT41. Cluster Bravo used a new backdoor, CCoreDoor. The campaign utilized DLL sideloading and other evasive techniques. Despite blocking known implants, Cluster Charlie resumed hacking with greater intensity. The activity corresponded to Chinese working hours, reinforcing the attribution to Chinese state interests.

Elsewhere in the region, Palau is a small island country located in the western Pacific Ocean, part of the larger island group of Micronesia, and one of Taiwan's few diplomatic allies. Earlier today, Palau's president, Surangel Whipps, accused China of a major cyber attack on the country. Over 20,000 government documents were stolen in March, shortly after Palau signed a 20-year economic and security deal with the U.S. The documents appeared on the dark web, with the ransomware group DragonForce claiming responsibility. Whipps suggested the attack had ties to China, as there was no financial motive, branding it harassment and a bid to weaken Palau's international relationships. Taiwan, Japan, and the U.S. have offered to help strengthen Palau's digital defenses. This incident highlights ongoing tensions, with China denying involvement and condemning cyberattacks.
Poland will invest nearly $760 million to bolster its defenses against ongoing Russian cyberattacks, according to Digital Minister Krzysztof Gawkowski. The new Cyber Shield program aims to enhance the resilience of critical infrastructure and government services. This follows a false article about military mobilization published by hackers on Poland's state news agency, PAP, which is believed to be the work of Russian-sponsored hackers. Gawkowski highlighted the increase in cyber attacks, particularly ahead of the upcoming EU parliamentary elections, and emphasized Russia's goal to destabilize Poland and the EU. The recent cyber incidents include espionage campaigns targeting Polish government institutions attributed to Russian hacker group APT28.

Network device manufacturer Zyxel has warned of three critical vulnerabilities in discontinued NAS products NAS326 and NAS542, which can lead to command injection and arbitrary code execution. These flaws can be exploited without authentication. Despite discontinuation in December of last year, Zyxel released patches for extended support customers. The vulnerabilities were reported by Outpost24's Timothy Hjort, who highlighted that successful exploitation could allow attackers persistent root access and code execution on the devices.
Arctic Wolf's incident response team identified a new ransomware variant named Fog targeting the education and recreation sectors in the U.S. The ransomware uses compromised VPN credentials for infection, gaining remote access through unidentified VPN gateway vendors. The attack initializes by querying system details to configure a multi-threaded encryption routine, utilizing Windows APIs for encryption. After encrypting files, a ransom note is left on the disk. Fog's methods are considered amateurish, focusing on quick paydays without deep system infiltration or data exfiltration. Arctic Wolf has shared indicators of compromise and incorporated targeted detection capabilities within its managed detection and response services to mitigate these attacks. The identity of the threat actors remains unknown.

Threat actors have exploited a zero-day vulnerability in TikTok's direct messages feature to hijack high-profile accounts, including those of CNN, Paris Hilton, and Sony. The malware spreads by simply opening a direct message within the app. TikTok spokesperson Alex Haurek stated that their security team has stopped the attack and is working with affected users to restore access. The extent of the impact remains unclear, and no technical details about the vulnerability were disclosed.

Cisco released a security advisory after media reports that vulnerabilities in the German government's Webex meetings exposed sensitive information. German publication Zeit Online reported that an insecure direct object reference vulnerability allowed adversaries to access internal meeting links by altering link numbers. This exposed details of sensitive meetings, including military discussions. High-ranking officials' personal meeting rooms were also unprotected. In response, the German government blocked access and took Webex offline. Cisco patched the vulnerabilities by May 28th and has not observed further unauthorized attempts.

Coming up after the break on our Learning Layer segment, Sam Meisenberg and Joe Carrigan continue their discussion of Joe's CISSP certification journey. Stay with us.

Transat presents a couple trying to beat the winter blues.
We could try hot yoga.
Too sweaty.
We could go skating.
Too icy.
We could book a vacation.
Like somewhere hot.
Yeah, with pools.
And a spa.
And endless snacks.
Yes!
Yes!
Yes!
With savings of up to 40% on Transat South packages, it's easy to say so long to winter.
Visit Transat.com or contact your Marlin travel professional for details.
Conditions apply.
Air Transat. Travel moves us.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.

And now, a message from BlackCloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24/7, 365 with BlackCloak. Learn more at blackcloak.io.
On today's Learning Layer segment, our host Sam Meisenberg is joined once again by my Hacking Humans co-host Joe Carrigan. They continue their discussion of Joe's ISC2 CISSP certification journey, this time diving into Domain 7, Security Operations.

Welcome back to another Learning Layer segment.
Today, we are continuing our conversation with Joe Carrigan as he gets ready for his CISSP.
Joe.
Yes.
I heard you weren't feeling well.
I was not.
Okay.
So did you get some studying in?
I did.
I got most of the way through Domain 7.
Ah.
Do you think it was the content in Domain 7 that made you sick?
No.
It was some virus that some kid brought into my house.
I see.
Was the virus a cybersecurity joke?
Are we talking about like a real virus? No, no.
It could have been.
I think it was a real virus.
It may have been a bacteria,
but probably a virus because of the way it contaged.
All right.
Well, we're really going to put the studying that you did do to the test
because we're going to do a question together
to retain your information of the themes of Domain 7.
So why don't you do the usual thing,
read the question for us,
and tell me what you're thinking as you read it.
All right.
So, I'm going to read just the body of the question, not even looking at the answers.
So, which of the following is the most important goal of disaster recovery planning?
Okay.
I was going to read it as a disaster recovery plan, pretty much the same thing.
So, immediately, the strategy is try to guess at an answer.
So when you have a disaster, the most important thing I'm going to think is probably something along the lines of business continuity.
Being able to continue because the business continuity plan is what you put in place before disaster recovery.
So it's a step right before that. But now we're in a more severe state
than we are with the business continuity plan.
We're now actually going to try to recover from the event
and try to keep the business up and running.
To summarize and say this back to you,
I like to think of like a business continuity
as a concept, as like the umbrella term.
And disaster recovery is part of that overall strategy.
And like you said, again, as ISC2 CISSPs,
we have to think like managers.
We got to think like our bosses, boss and senior executives.
We want to make sure that
the business survives. Security is there to enable the business. So that's why we're even like
talking about these plans. Right. So it sounds like then with all that in mind, what would you
sort of predict or look for in an answer choice? I would look for something along the lines of
keeping the business up and running or something that maybe contains the word business continuity.
Awesome. All right. What do we got for answer choices? Answer number A, business continuity.
Oh, nice.
So like, ooh, I was on the right track.
Well done.
Right away.
Answer number two, critical infrastructure restoration.
Right away, I'm going to dismiss that,
or maybe I won't dismiss it,
but it's not the most important thing.
Yeah.
In disaster recovery, you're going to do that,
but you may not do that right away.
It's kind of narrow.
Yeah.
It serves other purposes. The end goal is to be able to continue to operate. But then C
comes up. Okay. And the C, it's always C, right? C says human safety. Uh-oh. Right? And I have taken
enough of the practice test to know that whenever you see human safety, that is always going to be the most important thing.
Yep.
So go back to the question.
Which of the following is the most important?
Most, all caps.
Immediately.
I don't even know that I need to read D, but D says regulatory compliance.
So I don't need to read
D. It's human safety. It's about making sure that nobody dies during the process or gets harmed.
So I'm going to go with C. And drum roll.
C is the right answer. Right. Well done. That's not a hard question.
I like that. But you know, for somebody who maybe is looking at the content for the first time
or isn't familiar with, like, I'll call it themes of ISC2,
that actually might be a hard question.
Because it's so obvious.
It's almost like a little trivial or silly or it seems like detached from reality.
Like, humans say, like, where did that come from?
But as you said, the whole point of the CISSP and ISC2, what they're trying to do is get you to think in
a certain way. Right. That's what their end goal is, right? For people who are going through this
exam and business, you know, issues and human safety is literally one of the most important
things, the most important thing. Right. The most important thing.
That's why in Domain 7.2,
you'll get to content about like fail safe versus, you know, fail secure.
Right.
Those are concepts that we talk about
because it has to do with human safety.
Yeah.
If you fail secure
and you lock people inside a burning building,
that's bad.
That is bad.
Right.
Violates C.
So I like to say,
as you did in real time,
if you see human safety as an answer choice, it's probably right.
Right. Yep.
So, this reminds me of, if I can digress a little bit.
Please.
The last certification, actually license that I got was a FAA Part 107 license, which is the remote pilot in command for unmanned aircraft, UAVs.
And in there, one of the questions they keep asking over and over again is,
who is responsible for filing the flight plan?
It's the remote pilot in command.
Who is responsible for notifying, for filing a NOTAM, remote pilot in command?
This is the kind of same thing.
And there are other safety questions in there.
But the big point that they want to drive home in those tests
is who's the responsible
person? And the answer always has to be, oh, the guy
taking the test.
I like that. This is kind of a similar application
there. Yeah, makes sense.
So, Joe, we are in the home stretch.
Next time we'll talk about Domain 8, which I know you have experience in,
yet also that was one of the weaker ones in your diagnostic.
It was.
Somehow.
There weren't a lot of questions on it.
Well, we're going to go find out why that's the case.
We'll talk to you next week, and we are getting closer to exam day.
I'm excited.
Absolutely. Me too.
Thanks to Sam and Joe.
And don't forget, we've got details on the course Joe is using to prepare for his CISSP and today's sample question in our show notes.

...to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And finally, an unusually satisfying end to a protracted class action lawsuit. We've all been there. You get a letter in the mail telling you you're part of a class action suit against a company that's wronged you. Excited, you envision a massive payday. Will it be a new car? A dream vacation? Then, months later, another letter arrives. Congratulations, your settlement is a crisp $2.50. Not enough for a coffee, but just enough to remind you that, yes, you were wronged. Meanwhile, the lawyers, they're driving off into the sunset in their new convertibles, funded by your victory.

This leads us to 79 unlucky customers of ICBC, the Insurance Corporation of British Columbia in Canada. A rogue employee, Candy Elaine Rheaume, sold their personal information to some not-so-nice folks. And by not nice, I mean gangsters. As a result, 13 homes were hit with arson and shootings. ICBC argued that a mere $500 per person would suffice as compensation. However, a British Columbia judge disagreed, awarding $15,000 each to the victims, emphasizing the gravity of the data breach. The court also ruled ICBC vicariously liable after multiple appeals. The court stressed the importance of protecting personal data, especially as large organizations collect and store vast amounts of it. Lawyers for the class action will receive 35% of the total damages, but it's nice to see that rare case where plaintiffs will walk away with a meaningful windfall.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing... We make you smarter about your teams while making your team smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilpie is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.

...guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.