CyberWire Daily - Operation Endgame: Hackers' hideouts exposed.
Episode Date: May 30, 2024

Operation Endgame takes down malware operations around the globe. A major botnet operator is arrested. Ticketmaster's massive data breach is confirmed, and so is Google's SEO algorithm leak. Journalists and activists in Europe were targeted with Pegasus spyware. Okta warns users of credential stuffing attacks. NIST hopes to clear out the NVD backlog. On our Threat Vector segment, host David Moulton speaks with Greg Jones, Chief Information Security Officer at Xavier University of Louisiana. Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, joins us to discuss software security. LightSpy surveillance malware comes to macOS. ChatGPT briefly gets a god mode.

Our 2024 N2K CyberWire Audience Survey is underway; make your voice heard and get in the running for a $100 Amazon gift card. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest: Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, joins us to discuss software security.

Threat Vector: In this Threat Vector segment, host David Moulton speaks with Greg Jones, Chief Information Security Officer at Xavier University of Louisiana. Greg brings a wealth of knowledge from his military background and applies a disciplined, adaptive approach to securing one of America's most vibrant educational institutions. You can listen to David and Greg's full discussion here.

Selected Reading:
Police seize malware loader servers, arrest four cybercriminals (Bleeping Computer)
Is Your Computer Part of 'The Largest Botnet Ever?' (Krebs on Security)
Ticketmaster hacked. Breach affects more than half a billion users. (Mashable)
Google confirms the leaked Search documents are real (The Verge)
Phones of journalists and activists in Europe targeted with Pegasus (CyberScoop)
Okta Warns of Credential Stuffing Attacks Targeting Cross-Origin Authentication (SecurityWeek)
NIST says NVD will be back on track by September 2024 (Help Net Security)
macOS version of elusive 'LightSpy' spyware tool discovered (Bleeping Computer)
Hacker Releases Jailbroken "Godmode" Version of ChatGPT (Futurism)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Operation Endgame takes down malware operations around the globe. A major botnet operator is arrested.
Ticketmaster's massive data breach is confirmed, and so is Google's SEO algorithm leak. Journalists and activists in Europe were targeted with Pegasus spyware.
Okta warns users of a credential stuffing attack.
NIST hopes to clear out the NVD backlog.
Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA,
joins us to discuss software security.
LightSpy surveillance malware comes to macOS.
On our Threat Vector segment, host
David Moulton speaks with Greg Jones,
Chief Information Security Officer
at Xavier University of Louisiana.
And ChatGPT
briefly gets a god mode.
It's Thursday, May 30th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing. An international law enforcement operation codenamed Operation Endgame has seized over 100 servers used by major malware loader operations
like IcedID, Pikabot, and Trickbot.
The operation, conducted from May 27th through the 29th,
spanned Europe and North America. Authorities arrested four individuals, one in Armenia and
three in Ukraine, and identified eight fugitives who will be added to Europol's most wanted list.
The seized infrastructure hosted over 2,000 domains providing illicit services.
Operation Endgame was a collaborative effort involving police forces from Germany, the US, the UK, France, Denmark, and the Netherlands, with support from cybersecurity experts from various organizations, including Bitdefender and Proofpoint.
Malware droppers, which establish initial access to devices, were central to this operation.
These tools often come through malicious emails or trojanized installers and employ evasive tactics
like code obfuscation. Once installed, they can deploy more dangerous payloads, including
information stealers and ransomware. Europol reported that one suspect made over $75 million
by renting out their infrastructure for ransomware deployment.
It is worth noting the conspicuous swagger
that international law enforcement is displaying
in their online promotion of Operation Endgame.
The campaign features a custom website with a prominent countdown timer,
movie trailer-style videos, and foreboding text warning bad actors that there is nowhere to hide.
Operation Endgame could be subtitled Operation Mindgame.
The U.S. Department of Justice arrested YunHe Wang, the alleged operator of the 911 S5 anonymity service,
which was backed by one of the world's largest botnets. The arrest, made in Singapore,
coincided with the seizure of the 911 S5 website and infrastructure. The service used free VPN
products to turn computers into traffic relays, facilitating billions in online fraud.
From 2015 to July of 2022, 911 S5 sold access to compromised Windows computers as proxies.
The service was popular for its low prices and reliability among cybercriminals.
Wang is charged with computer fraud, wire fraud, and money laundering,
facing up to 65 years in prison.
Authorities also seized $30 million in assets linked to the operation.
We reported yesterday on speculation that Ticketmaster had suffered a major data breach,
and since then, multiple confirmations have been reported.
The hacker group ShinyHunters claims to have stolen data from over 500 million Ticketmaster customers. They're selling a 1.3 terabyte trove for half a million dollars, which includes full
names, addresses, phone numbers, email addresses, order history, and partial payment data. The breach follows a U.S. Justice Department antitrust lawsuit
against Ticketmaster's parent company, Live Nation Entertainment,
for monopolistic practices in the live music industry.
Australia's Home Affairs Department has confirmed a cyber incident
impacting Ticketmaster customers, but the company has yet to comment.
ShinyHunters claim to have attempted to notify Ticketmaster but received no response.
Speaking of confirmations, Google confirmed the authenticity of 2,500 leaked internal documents
detailing data collection practices, some potentially used in its search ranking algorithm. The leak offers an
unprecedented glimpse into Google's operations but remains murky. Google warned against drawing
conclusions from what they say are out-of-context, outdated, or incomplete information. SEO experts
Rand Fishkin and Mike King first analyzed the documents, revealing data Google representatives claimed were not used for rankings,
like clicks and Chrome user data.
While the exact use of this data remains unclear,
the leak is expected to impact the SEO, marketing, and publishing industries
by providing new insights into Google's highly secretive search algorithm.
A new investigation revealed that at least seven journalists and activists in Europe
were targeted with NSO Group's Pegasus spyware from August 2020 to April 2023.
The investigation by Access Now, Citizen Lab, and researcher Nikolai Kvantaliani found that Russian, Belarusian, Latvian, and Israeli
individuals were targeted, especially following Russia's invasion of Ukraine in 2022. The report
highlights the ongoing threat to European civil society and calls for a moratorium on digital
surveillance technologies until proper human rights safeguards are established.
The EU has been criticized for its lack of action against spyware abuse,
despite multiple scandals and recommendations for stronger regulations.
Okta warns customers of credential stuffing attacks
targeting the Customer Identity Cloud's cross-origin authentication feature.
Threat actors are using stolen username and password combinations
from phishing, malware, or data breaches to compromise customers' tenants.
Customers should review logs for suspicious activity,
such as failed or successful cross-origin authentication attempts
and logins with leaked passwords.
Okta advises rotating compromised passwords, enrolling in passwordless authentication,
enforcing strong passwords, implementing MFA, disabling unused cross-origin authentication,
restricting permitted origins, and enabling breached password detection.
This warning follows a cyber attack in October of 2023,
where customer support system user data was stolen.
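The log review Okta recommends above, worked through as an added example that is not from the episode or from Okta: a small Python triage over constructed Customer Identity Cloud tenant log records that flags one source IP failing cross-origin authentication against many accounts, a success that follows such a burst, and logins that used a known-breached password. The event-type codes fcoa, scoa and pwd_leak are assumed here to match Auth0's log event types; the threshold and the sample records are my own.

```python
"""Triage of constructed Okta Customer Identity Cloud (Auth0) log records for the
credential-stuffing signals described above: bursts of failed cross-origin
authentication, a success following such a burst, and leaked-password logins."""
import json
from collections import defaultdict

# Event type codes are ASSUMED to follow Auth0's log event types:
#   fcoa     = failed cross-origin authentication
#   scoa     = successful cross-origin authentication
#   pwd_leak = login attempted with a password known to be breached
# The records below are constructed for this example; IPs are documentation ranges.
SAMPLE_LOG_LINES = [
    '{"date":"2024-05-29T10:00:01Z","type":"fcoa","ip":"203.0.113.7","user_name":"alice@example.com"}',
    '{"date":"2024-05-29T10:00:02Z","type":"fcoa","ip":"203.0.113.7","user_name":"bob@example.com"}',
    '{"date":"2024-05-29T10:00:03Z","type":"fcoa","ip":"203.0.113.7","user_name":"carol@example.com"}',
    '{"date":"2024-05-29T10:00:04Z","type":"fcoa","ip":"203.0.113.7","user_name":"dave@example.com"}',
    '{"date":"2024-05-29T10:00:05Z","type":"scoa","ip":"203.0.113.7","user_name":"erin@example.com"}',
    '{"date":"2024-05-29T10:05:00Z","type":"fcoa","ip":"198.51.100.4","user_name":"frank@example.com"}',
    '{"date":"2024-05-29T10:05:30Z","type":"scoa","ip":"198.51.100.4","user_name":"frank@example.com"}',
    '{"date":"2024-05-29T10:07:00Z","type":"pwd_leak","ip":"192.0.2.9","user_name":"grace@example.com"}',
    '{"date":"2024-05-29T10:08:00Z","type":"scoa","ip":"192.0.2.9","user_name":"grace@example.com"}',
]

# Distinct accounts that must fail from one IP before we treat it as stuffing
# (a single user mistyping a password does not trip this).
FAIL_THRESHOLD = 3


def parse_events(lines):
    """Parse JSON log lines in time order, skipping malformed or incomplete ones
    so one bad record does not abort the whole triage."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(rec, dict):
            continue
        if not all(k in rec for k in ("date", "type", "ip", "user_name")):
            continue
        events.append(rec)
    # ISO-8601 UTC timestamps sort correctly as strings.
    return sorted(events, key=lambda e: e["date"])


def triage(lines, fail_threshold=FAIL_THRESHOLD):
    """Return the source IPs that look like credential stuffing and the accounts
    whose passwords should be rotated."""
    events = parse_events(lines)
    failed_users = defaultdict(set)   # ip -> distinct user names with fcoa
    stuffing_ips = set()
    leaked_pw_users = set()           # users seen logging in with a leaked password
    compromised = set()               # successes that followed a stuffing burst / leak
    for ev in events:
        ip, user, kind = ev["ip"], ev["user_name"], ev["type"]
        if kind == "fcoa":
            failed_users[ip].add(user)
            if len(failed_users[ip]) >= fail_threshold:
                stuffing_ips.add(ip)
        elif kind == "pwd_leak":
            leaked_pw_users.add(user)
        elif kind == "scoa":
            # A success from an IP already spraying many accounts, or by a user
            # who just authenticated with a breached password, is a likely takeover.
            if ip in stuffing_ips or user in leaked_pw_users:
                compromised.add(user)
    return {
        "stuffing_ips": sorted(stuffing_ips),
        "leaked_password_users": sorted(leaked_pw_users),
        "rotate_passwords": sorted(compromised | leaked_pw_users),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG_LINES), indent=2))
```

On the constructed records, only 203.0.113.7 is flagged; frank's single failure followed by a success is left alone, while erin and grace are queued for rotation.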
The National Institute of Standards and Technology, NIST,
has awarded a contract to help process incoming common vulnerabilities and exposures,
that's CVEs, for the National Vulnerability Database, the NVD.
They aim to clear the backlog of unprocessed CVEs by September 30th.
NVD's slowdown in CVE enrichment became evident in February.
NIST is implementing a multi-pronged solution,
including improved tools, automation, and a consortium to address challenges.
They've started ingesting CVE 5.0 and 5.1 records hourly since May 20th. NIST is committed to modernizing the NVD and addressing the growing volume of vulnerabilities
with technology and process updates, ensuring the program's sustainability
and supporting automated vulnerability management.
A macOS version of the LightSpy surveillance framework,
previously known for targeting Android and iOS, has been discovered.
LightSpy, used to steal data such as files, screenshots, and location information,
has been active against targets in the Asia-Pacific region.
Security firm ThreatFabric reports that the macOS implant has been in the wild since January of this year,
but is currently limited to testing environments and a few infected machines used by cybersecurity researchers.
The attackers exploit WebKit flaws to compromise macOS devices.
The macOS version uses 10 plugins, including sound recording, browser data extraction, and screen recording, to exfiltrate data.
ThreatFabric's access to the control panel revealed potential implants for Windows,
Linux, and routers, although their usage remains unclear.
Coming up after the break, my conversation with Eric Goldstein,
Executive Assistant Director for Cybersecurity at CISA.
We're discussing software security. On our Threat Vector segment, host David Moulton speaks with Greg Jones,
Chief Information Security Officer at Xavier University of Louisiana. Stay with us.
Next up, we've got our biweekly Threat Vector segment.
Host David Moulton speaks with Greg Jones,
Chief Information Security Officer at Xavier University of Louisiana.
I would welcome everybody who wants to be there.
And I think that's what makes the best teams, David, people who actually want to be on the job, whether they know a lot or they have limited knowledge.
A lot of times people with limited knowledge are easier to train.
But I would say that my advice is cybersecurity is an ever-evolving career field.
You don't necessarily need a lot of background in tech to be able to contribute to the advancement of this industry.
Everyone brings different career and life experiences to the table.
And these collaborative ideas are what ultimately make us more cyber secure.
Welcome to Threat Vector, the Palo Alto Networks podcast, where we discuss pressing cybersecurity threats, security leadership strategies, into the world of academia, a space that to cybersecurity is shaped by his family's background,
which is steeped in service to country and community.
Greg brings to the table a wealth of experience from the disciplined and adaptive world of the
military directly into the dynamic and diverse ecosystem of a university.
Today, we'll discuss how he translates that sense of service into protecting one of the country's most vibrant educational institutions.
We'll explore the strategies that keep the digital campus secure, the innovative awareness campaigns that educate and empower both beginners and the most savvy users,
and the technological measures that combat the threats lurking to the academic community at Xavier.
Greg, thanks for taking the time with me today on Threat Vector.
You've got a really notable background,
military service and cybersecurity,
a family full of IT professionals.
I'm curious, how has this experience
shaped your approach to cybersecurity?
So my childhood was shaped
from growing up around lots of veterans and educators.
The majority of my family
either worked in education or served in the military. My grandfather was a World War II
veteran. My dad was a technology administrator. Mom was an academic administrator for many years.
This is what most of the people in my family chose to do as a career. We call it service to country and community.
That's what cultivated my passion.
Great.
How do you ensure that the cybersecurity training is both accessible and effective for everyone at the university?
Because I imagine that you've got a wide, wide range of capabilities and technical skill levels.
Considering some faculty maybe have been there for
decades and you've got new students coming in that maybe don't have a ton of training.
And then maybe on the other end of things, you've got some really, really savvy computer
users that may be able to be more capable than expected.
And you've got a chance to level set everyone against that standard.
What are your approaches for that?
So the trainings usually cover various topics at a high level and are not overly technical.
My intent is to create our cyber campaigns to be both interactive and educational.
Whenever we have new employee orientation, I give cybersecurity presentations
where I demonstrate to our employees what cyber attacks look like, how their specific job role
may be a target for bad actors, and how to report suspected malicious activity. We also offer
training for new incoming students. So basically upon arrival at Xavier, everyone is introduced to cybersecurity
awareness in some form, regardless of their skill level. How do you prioritize your cybersecurity
tasks and what strategies are you using to ensure that you've got that comprehensive coverage
across all the universities of state? So what we do is after we complete our self-assessments or audits, we base that off
of our plans of actions and milestones. And this is usually what guides us with our daily
cybersecurity task. We get those third-party risk assessments and they list out everything that
lists where the gaps are in our environment, lists where the gaps are in coverage. And we try to manage that as best we can
with fighting those fires. So I promised you I was going to ask about AI. I'm curious,
you know, it's a hot topic, but I'm wondering, is Xavier University exploring the use of artificial
intelligence and cybersecurity? Some of our security tools and software do utilize machine learning and AI tactics to be able to identify those AI-based cyber attacks.
And our security team also participates in a lot of training on how to identify these types of attacks.
Greg, you sit at sort of an interesting intersection of academics and security. And if you were to give some advice to a person who wanted to either start a career or shift gears and income into security, what would you advise them to
look at? Talk to me about your thoughts there. I would welcome everybody who wants to be there.
And I think that's what makes the best teams, David, people who actually want to be on the job,
whether they know a lot or they have limited knowledge. A lot of times people
with limited knowledge are easier to train. And I would say that my advice is cybersecurity is an
ever-evolving career field. You don't necessarily need a lot of background in tech to be able to
contribute to the advancement of this industry. Everyone brings
different career and life experiences to the table, and these collaborative ideas
are what ultimately make us more cyber secure. Yeah, having a homogenous team. A mentor of mine
back at a previous job had talked about this. If everyone has the same experiences, same education,
same background, you're kind of blind to where your biases are. But when you mix it up and you
have a variety of people, you end up with a very, very strong team. And that's stuck with me quite
a bit. Greg, before we wrap up, I want to ask you, what's the most important thing that a person
who's listening today should take away from our conversation?
One of the most important things that someone should take away from today's conversation is that don't be afraid to jump into cyber.
If that's something you're interested in, don't feel discouraged by the, you know, thinking you may have a lack of experience.
Just get out there, meet people, ask questions.
Someone is willing to help you. We use students as student workers. They obviously don't have a lot of experience.
At one point, I didn't have any experience, especially when I joined the military. Most
of us were all brand new to cyber. And if you're willing to dedicate the resources to
train your employees, there will
be a great return on investment. Greg, I think you've got an amazing job. Xavier's lucky to have
you. They're protecting them. I'm sure that there's a sense of doing work at a place that
puts good out into the world. That gives you quite a bit of pride. Yes, it really does.
I love my job and I'm happy to be able to support
such a fantastic university. That's it for Threat Vector this week. I want to thank the Threat Vector
team. Michael Heller is our executive producer. Our content team includes Sheila Drozdki, Tanya
Wilkins, and Danny Milrat. I edit the show and Elliot Peltzman mixes the audio.
We'll be back in two weeks.
Until then, stay secure, stay vigilant.
Goodbye for now.
That was Threat Vector host David Moulton
from Unit 42 at Palo Alto Networks,
speaking with Xavier University of Louisiana's CISO,
Greg Jones.
You can find a link to their full discussion
in our show notes.
Eric Goldstein is currently the Executive Assistant Director for Cybersecurity at CISA.
Not long ago, Eric announced that he's leaving CISA for a position in the private sector.
While at CISA, Eric has kept us apprised of their work on important cybersecurity topics,
and we recently discussed software security.
We'll have a closing discussion with Eric about his work at CISA in the coming weeks.
Stay tuned.
I want to have, let's say, a high-level conversation here today
and start with just a really broad area, and that's software security.
You and your colleagues at CISA, when you're looking at something as broad as this,
as high-level as this, what's the approach that you all are taking here?
Yeah, you know, the approach is that, first of all, we have to start at a level of first principles.
And we have to be able to say, first of all, as clearly stated in the national cybersecurity strategy, we need to drive accountability to the right place. And we believe that historically, accountability for
cybersecurity investment has been over-allocated towards enterprises and end users and not
sufficiently towards the providers of technology products, particularly software products. And so
the first step is to really change the narrative to say, we need to shift the equilibrium, not so
that product manufacturers bear the sole
burden, but that we have more of an equilibrium between the product and the enterprise. And then
we need to really shift the window a bit to say it is possible to exist in a world with more secure
and safer technology. And one example of that, I think, is manifested by our Secure by
Design alert series that we've been developing at CISA. The most recent of these alerts in late
March focused on eliminating SQL injection vulnerabilities. And anybody who's worked in
this space knows that this has been a known class of vulnerabilities that we have known how to address for years,
at least since 2007.
So the fact that SQL injection vulnerabilities are still so
prevalent that this vulnerability still exists as a class,
and that they are causing so much harm to end users,
really says to us that we have to do something different.
That's the first step, is to shift that equilibrium.
And the second step is to say we can achieve and deserve more secure products.
You know, CISA's regulatory authority is limited by design. How much as an agency do you consider yourselves to be kind of the carrot versus the stick? And are there other agencies that you work with if a little bit of that stick is needed to be brought into the equation?
We think that this secure by design evolution is really going to be most effectively driven in the near term by market signals and by customer demand.
And we know that customers around the world want to use products that reduce their likelihood of a damaging cyber intrusion.
And the fact of the matter is that too many products today aren't achieving that goal.
And so our intent is by saying very clearly the classes of vulnerabilities, the classes of dangerous product features
like default passwords are imposing undue risks on customers, we think that we can help generate
demand from customers to make this a pro-innovation, pro-market solution to what is really a key
security challenge. But there's also some tools that we can bring to bear on the
federal side. As one example, CISA and the White House Office of Management and Budget just published
a new software security attestation form, which is a new requirement for every company providing
software to the federal government to attest that they've adopted a set of practices aligned
to the NIST secure software development
framework. And that's a way of driving the market in a particular direction, focused first and
foremost on federal vendors, but we believe that the impact can sweep far more broadly.
Where do you suppose we are headed with this? What does the future look in terms of your
aspirational goals as we look toward the horizon? Yeah. We are never, at least in your and my lifetimes, going to reach a world of zero cyber
risk, zero security vulnerabilities. That is simply not the way that technology is designed,
and we know that our adversaries are persistent and sophisticated. But we do think that the world in which we currently live,
in which the majority of intrusions are caused by known classes of vulnerabilities that we know how
to fix or are caused by insecure product features or controls, we think that we can make life much
harder on the adversary. And so our goal would be to address the classes of vulnerabilities
that we think are resolvable
and have products that have features
and controls that prioritize customer security
so that we can drive down the rate of cyber risk,
the rate of intrusions,
such that our adversaries really do need
to find a novel weakness
and use a novel exploit every time.
That would be a much more secure environment and one where the rate of harm generated by cyber risk is vastly lower.
Well, before I let you go, I know engagement is always a priority for you and your colleagues there at CISA.
What's the best way for folks in our audience to do just that, to get in touch, to keep on top of what you all are up to?
So we would point everybody to cisa.gov/securebydesign.
That is the landing page for all of our Secure by Design resources.
And there's also a link to reach out to our team.
All right. Eric Goldstein is Executive Assistant Director for Cybersecurity at CISA.
Eric, thank you so much for taking the time for us.
Thanks, Sam. Always a pleasure.
And finally, a white hat hacker and AI enthusiast named Pliny the Prompter unveiled Godmode GPT, a jailbroken version of OpenAI's GPT-4o, proudly announced on X, formerly Twitter,
setting GPT-4o free from its restrictive guardrails, offering users an unchained AI experience.
Pliny boasted,
GPT-4o unchained! This very special custom GPT has a built-in jailbreak prompt that circumvents most guardrails,
providing an out-of-the-box liberated chat GPT so everyone can experience AI the way it was always meant to be, free.
Pliny shared screenshots showcasing the bot's newfound freedom, advising on meth recipes and
napalm creation using household items. However, the celebration was short-lived. OpenAI's
spokesperson Colleen Rize quickly responded, stating,
We are aware of the ChatGPT and have taken action due to a violation of our policies.
Despite its brief existence, the hack underscores the ongoing battle between OpenAI
and those eager to bypass its restrictions.
Jailbreaking AI models like ChatGPT has become increasingly difficult,
but Pliny's GodMode managed to slip through the cracks.
Testing the jailbreak confirmed its willingness to assist with illicit queries,
from making LSD to hotwiring a car.
GodMode, by the way, employs Leetspeak,
replacing letters with similar-looking numbers,
like E becomes 3 and O becomes a zero.
This trick seems to bypass OpenAI's defenses,
although the exact mechanics remain unclear.
This latest hack highlights the cat-and-mouse game between AI developers and hackers,
showing that as long as there are people like Pliny,
OpenAI will have its hands full keeping its systems secure.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com. We'd love to know what you
think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead
in the rapidly changing world of cybersecurity. If you like our show, please share a rating and
review in your podcast app. Please also fill out the survey in the show notes or send an email to
cyberwire@n2k.com. We're privileged that N2K CyberWire
is part of the daily routine
of the most influential leaders and operators
in the public and private sector,
from the Fortune 500
to many of the world's preeminent
intelligence and law enforcement agencies.
N2K makes it easy for companies
to optimize your biggest investment,
your people.
We make you smarter about your teams
while making your teams smarter.
Learn how at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and
sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. Our executive editor
is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher.
And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.