CyberWire Daily - SIM swap scammer pleads guilty.
Episode Date: March 19, 2024

A SIM-swapper faces prison and fines. Here come the class action suits against UnitedHealth Group. Aviation and Aerospace find themselves in the cyber crosshairs. A major mortgage lender suffers a major data breach. A look at election misinformation. The UK shares guidance on migrating SCADA systems to the cloud. Collaborative efforts to contain Smoke Loader. Trend Micro uncovers Earth Krahang. Troy Hunt weighs in on the alleged AT&T data breach. Ben Yelin unpacks the case between OpenAI and the New York Times. And fool me once, shame on you…

CyberWire Guest: Ben Yelin, Program Director at University of Maryland's Center for Health and Homeland Security and cohost of our Caveat podcast, discusses the article on how "OpenAI says New York Times 'hacked' ChatGPT to build copyright lawsuit."

Selected Reading
District of New Jersey | Former Telecommunications Company Manager Admits Role in SIM Swapping Scheme (United States Department of Justice)
Cash-Strapped Women's Clinic Sues UnitedHealth Over Attack (Gov Info Security)
Nations Direct Mortgage Data Breach Impacts 83,000 Individuals (SecurityWeek)
Preparing Society for AI-Driven Disinformation in the 2024 Election Cycle (SecurityWeek)
NCSC Publishes Security Guidance for Cloud-Hosted SCADA (Infosecurity Magazine)
Unit 42 Collaborative Research With Ukraine's Cyber Agency To Uncover the Smoke Loader Backdoor (Palo Alto Networks Unit 42)
Prolific Chinese Threat Campaign Targets 100+ Victims (Infosecurity Magazine)
Troy Hunt: Inside the Massive Alleged AT&T Data Breach (Troy Hunt)
Kids' Cartoons Get a Free Pass From YouTube's Deepfake Disclosure Rules (WIRED)
Ransomware Groups: Trust Us. Uh, Don't. (BankInfoSecurity)
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
A SIM swapper faces prison and fines. Here come the class action suits against UnitedHealth Group. Aviation and aerospace find themselves in the cyber crosshairs. A major mortgage lender suffers a major data breach. A look at election misinformation. The UK shares guidance on migrating SCADA systems to the cloud. Collaborative efforts to contain Smoke Loader. Trend Micro uncovers Earth Krahang. You know the rest.

It's Tuesday, March 19th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thank you for joining us here today. It is great to have you with us.
Jonathan Katz, a 42-year-old former telecommunications store manager from Marlton, New Jersey, pleaded guilty to participating in a scheme involving unauthorized SIM swaps. Katz admitted to using his managerial credentials to access customer accounts and swap their subscriber identity module numbers to devices controlled by an accomplice, who compensated Katz with Bitcoin for the swaps. This enabled the accomplice to take over the victims' phones and access their emails, social media, and cryptocurrency accounts. The plea was entered in a Camden federal court on March 12, 2024, before Chief U.S. District Judge Renée Marie Bumb. Katz now faces a maximum sentence of five years in prison and a fine of up to $250,000 or double the monetary gain or loss from the crime. Sentencing is scheduled for July 16, 2024.
Advanced Obstetrics and Gynecology in Mississippi has filed a class action suit against UnitedHealth Group, alleging disruptions from a cyber attack on Change Healthcare have delayed claims processing, threatening bankruptcy for medical providers. The complaint, filed on March 14th, represents all U.S. medical providers affected by the February 21st cyber attack's fallout. The lawsuit claims the attack has prevented payments for services, risking the financial stability of health care providers, including the plaintiff, who has missed approximately $133,000 in payments as of March 14th. The legal action accuses Change Healthcare of failing to secure its systems adequately, leading to widespread disconnections. While UnitedHealth Group asserts the attack was limited to Change Healthcare's IT systems, the lawsuit highlights the broader implications for healthcare providers reliant on timely claim payments. The incident reflects the critical need for robust cybersecurity measures within healthcare IT infrastructure and raises questions about liability and protection against cyber-induced operational disruptions.
The aviation and aerospace sectors are facing increased attention from cyber attackers. T-Minus host Maria Varmazis has the story.

We're starting our show today looking at a brand new report from cybersecurity firm Resecurity that's titled Aviation and Aerospace Sectors Face Skyrocketing Cyber Threats. And the report points to the increasingly interconnected aerospace sector, from design to supply chain and operations, as one of the reasons for the more than 600% increase in cybersecurity attacks on the aerospace industry in 2022 alone. And more recently, also, the ongoing importance of space assets in the war in Ukraine has also certainly put space infrastructure in the hacker spotlight, not to mention the continuing discussion about designating, or not designating, space as critical infrastructure. That has also piqued the interest of hacker groups looking to extort aerospace operations with ransomware attacks. But the increasing use of internet-enabled devices, and that's good old-fashioned IoT for those of us keeping track at home, that has, in the words of this new report, drastically amplified the attack surface for aerospace organizations at more granular levels of their supply chain.

Be sure to check out the T-Minus Space Daily podcast wherever you get your podcasts.
Nations Direct Mortgage reported a data breach in December 2023 that affected over 83,000 individuals, exposing personal details such as names, addresses, Social Security numbers, and loan numbers. Although the breach allowed unauthorized system access, there's no evidence of data removal or misuse. The company says it has contained the incident and notified authorities, and is offering free identity monitoring services to those impacted. It also faces a class action lawsuit related to the breach. This incident adds Nations Direct to the list of major U.S. financial services firms experiencing security breaches recently, alongside Fidelity National Financial, First American, loanDepot, Mr. Cooper, and Prudential Financial. Nations Direct is a significant mortgage lender in the U.S., approved by Fannie Mae and Freddie Mac.
Rik Ferguson is the Vice President of Security Intelligence at Forescout, and in a piece published by SecurityWeek, he outlines the escalating challenge of AI-driven disinformation, particularly in the context of political campaigns. Ferguson warns that the issues observed during the 2020 U.S. presidential election may pale in comparison to what future elections could face. The advancement of artificial intelligence and analytics has the potential to accelerate the creation, dissemination, and impact of disinformation. To combat this, an understanding of AI's role in disinformation is crucial. The report breaks down an AI-driven disinformation campaign into four key steps: reconnaissance, content creation, amplification, and actualization. Ferguson emphasizes the urgent need for security teams to proactively address these AI-powered disinformation tactics. Strategies such as pre-bunking are highlighted as essential to psychologically prepare the public for disinformation impacts, suggesting a focused approach for security teams to mitigate the advancing tactics of malicious actors ahead of significant events like the 2024 election cycle.
Meanwhile, YouTube has introduced a policy requiring users to disclose the use of synthetic media or generative AI in videos that alter reality in a realistic manner, like falsifying events or swapping faces. This is to combat AI-generated misinformation ahead of the U.S. presidential election. However, the policy exempts AI-generated animations targeting children and minor aesthetic AI enhancements from this disclosure requirement. This decision allows content creators to produce and upload animated content for children without revealing the use of AI, raising concerns about the quality and authenticity of such videos. YouTube's move aims to address the spread of misleading AI-generated content while also acknowledging challenges in moderating children's content. The platform's history of struggles with moderating content for kids is noted by critics, alongside the potential for AI tools to exacerbate these issues by facilitating the rapid production of low-quality videos.
The UK's National Cyber Security Centre has released guidance for organizations considering the migration of their supervisory control and data acquisition systems to the cloud. Recognizing SCADA's critical role in infrastructure and its vulnerability to cyber attacks, the guidance aims to navigate both the benefits and challenges of such a transition. It highlights the fundamental changes in management, security, and connectivity, emphasizing the need for enhanced cybersecurity policies, skills, and consideration of shared services' impact on security. The guide also discusses the suitability of technology for cloud migration, architectural considerations, and the potential risks of increased attack exposure due to internet connectivity. Experts advocate for a zero-trust approach to improve cyber resilience in light of these migrations.
Palo Alto Networks' Unit 42 reports on a collaboration with Ukraine in combating Smoke Loader, also known as Dofoil or Sharik, a malware targeting Windows systems. Originating from Russian cybercrime circles since 2011, it functions primarily as a loader with information-stealing capabilities. Ukrainian financial and governmental sectors are increasingly targeted by Smoke Loader through phishing emails, indicating a concerted effort to disrupt operations and steal data.
Researchers from Trend Micro have uncovered a significant Chinese cyber espionage campaign called Earth Krahang that's possibly linked to the obscure cybersecurity firm iSoon. This campaign shares multiple connections with the Earth Lusca group, suspected to be iSoon's penetration team, a Chinese government contractor. The revelation came after a GitHub leak exposed iSoon's internal structure, suggesting two separate penetration subgroups. Earth Krahang has targeted 116 organizations across 35 countries, compromising 70, mostly in Southeast Asia, including 48 government organizations, with foreign affairs departments being a primary focus. The campaign utilizes government infrastructure for further attacks, hosting malicious payloads and spear phishing using compromised government emails. Tactics include VPN servers on compromised servers for access, brute force attacks for email credentials, and cyber espionage as the ultimate goal. Despite differences in initial attack backdoors, overlaps with Earth Lusca's infrastructure and malware suggest a connection between the two campaigns.
Troy Hunt takes a closer look at the breach of over 70 million records that online hackers say came from AT&T, but that AT&T themselves deny. The incident began back in 2021 when the data was put up for sale on a dark web forum, with the entire dataset now freely available online, magnifying the potential threat to individuals' privacy. Given AT&T's stance that the data did not come from their systems, this assertion of authenticity leaves researchers like Troy Hunt in a tricky position, trying to validate the breach without direct evidence from the supposed source. Utilizing BleepingComputer's initial report as a starting point, Hunt embarked on a mission to verify the data's authenticity. Leveraging Have I Been Pwned allowed him to cross-reference the breach against 4.8 million subscribers, revealing that 153,000 of them were indeed present in this dataset. He reached out to a small sample of these individuals for verification, receiving confirmation of the data's accuracy, including sensitive details like Social Security numbers, some of which were decrypted, indicating a sophisticated level of access by the threat actors. Hunt is convinced the dataset is real, although AT&T's continued denials complicate his and other researchers' attempts to determine the breach's original source.
Coming up after the break, Ben Yelin unpacks the case between OpenAI and the New York Times. Stay with us.
And it is always my pleasure to welcome back to the show Ben Yelin. He is my co-host on the Caveat podcast and also from the University of Maryland Center for Health and Homeland Security. Ben, welcome back.
Good to be with you again, Dave.
Interesting reporting here from Reuters about OpenAI, who are the makers of ChatGPT.
They are asking a federal judge to dismiss parts of the New York Times' copyright lawsuit against them.
What's going on here, Ben? So New York Times, the New York Times filed a suit against OpenAI saying that they are violating the New York Times's, or OpenAI is violating the New York Times's intellectual
property rights. They say that they're stealing New York Times content in the output of their
chatbot. Right. OpenAI has filed a motion to a federal judge to dismiss parts of the New York Times lawsuit.
And their claim is that the New York Times
quote, hacked ChatGPT and other AI systems
to generate misleading evidence for the case.
What's interesting to me is
OpenAI isn't accusing the New York Times
of violating like federal anti-hacking statutes.
That's how I would understand hacking.
What they are alleging, rather, is that the Times caused the technology to reproduce its material through, quote, deceptive prompts that blatantly violate OpenAI's terms of use.
I'm not exactly sure what that means.
What I think happened is somebody within the Times
who might have some type of specialized knowledge in chatbots figured out a way to type something into the chatbot designed to produce that copyrighted material in a way that a normal person might not be able to do.
Yeah.
What the New York Times here is saying, I think quite reasonably, is, yes, we did do that because that's going to be discovery in our lawsuit.
We're trying to show a court, maybe eventually a jury, that our copyrighted material can and may end up as part of an answer to somebody's question on ChatGPT.
So, yes, we did do that, but there's nothing untoward about us doing that. That was part of our discovery process and that this litigation
should continue. And OpenAI claims that in the ordinary course of its business, one cannot use ChatGPT to serve up New York Times articles at will. It would take the type of specialized knowledge that apparently one New York Times tactician or employee has to reprint New York Times articles verbatim.
So I think that's really the nature of the dispute here.
So OpenAI is saying in their filing
that it took the Times tens of thousands of attempts
to generate the highly anomalous results.
Now, obviously them saying they're highly anomalous,
that's their take on it.
But you'd think that OpenAI would have the logs to know
if it did indeed take the Times tens of thousands of attempts
to generate this sort of thing.
So it seems to me like that could be compelling
to demonstrate that if you want our machine to spit out this sort of thing, you got to really want it.
Right. You have to manipulate it in such a way that a normal person would not be able to manipulate it.
Right.
And I think that could be compelling in a copyright case. To claim damages from the reproduction of your copyrighted work, if the other company argues,
well, you know, it takes millions and millions of attempts or however many it took, and in the
normal course of business, nobody who uses ChatGPT would actually be able to do that,
that's going to be compelling evidence. And I think that's ultimately OpenAI's strategy here in trying to get the case dismissed.
They may not get the case dismissed, but this may be good evidence eventually in their trial to say,
the New York Times couldn't properly allege legal harm here because, you know,
what they can allege is that with brute force, eventually some of their copyrighted material will be reproduced.
That's not a sufficient allegation to show harm in a legal sense.
And I think that's going to be part of their strategy here.
There's another thing here that caught my eye from what OpenAI put in front of the judge here.
They said, the Times cannot prevent AI models from acquiring knowledge about facts
any more than another news organization can prevent the Times itself
from re-reporting stories it had no role in investigating.
Zing.
Yeah, I mean, I think there is some truth to that.
Right, that's exactly.
The AI model is learning from what it sees on the capital I Internet, right?
And some of that is going to include copyrighted material.
Now, you can put up guardrails so that it doesn't literally reproduce articles.
But if the information is out there, should ChatGPT not have access to that information?
I mean, if New York Times has an exclusive story on something, you know, probably eventually other news articles with attribution to the New York Times are going to bring it up.
Exactly.
And that becomes a news story.
That's information that's out there.
Why should people who are trying to get information on ChatGPT not have access to that information?
And you can't copyright a fact. And if that fact is the New York Times reports, whatever,
the fact that the New York Times reported something can't be copyrighted.
I think that's exactly right.
Yeah.
Now, trust us, we are not being paid by OpenAI to say this.
I know it kind of seems like we are taking their side against the New York Times. For big LLM.
Big LLM, yeah.
No, that is not us.
This is just how we see it in this particular case.
Yeah, I mean, I guess it's interesting to me as this goes through
to see where things are being chipped away, right?
To see the legal arguments, to see, because this is so new and novel.
And I think what's really interesting about it
is the way that it's shining a light
on how our copyright law exists today.
And it's exposing what I believe
are some of the areas where it's gotten kind of creaky.
Yeah, I agree.
I don't think there's a proper application
of traditional intellectual property law
to these chatbots or
these LLMs that's going to be useful and applicable in every single one of these cases, because it's
not a straight reproduction. I mean, there are going to be limited cases where maybe it is if
you get an expert to go at it with brute force, but in most circumstances, it's not a straight reproduction. So I think it's going to take years of litigation
to kind of settle where these cases are going to end up.
Yeah.
All right.
Well, Ben Yelin, thanks so much for joining us.
Thank you.
And finally, ransomware groups such as the Russian-speaking Akira frequently threaten to publish stolen data on dark web leak sites to extort victims. However, publishing this data often proves challenging, and some victims never appear on the sites. Threat intelligence firm KELA reports that even after paying ransoms, victims rarely receive the promised outcomes, such as effective decryption tools or evidence of data deletion. KELA's report highlights that Akira has never been proven to sell stolen data and often fails to honor commitments, like deleting negotiation chats or providing functional decryptors. The report also notes that ransom demands typically range from 0.1% to 12% of a victim's annual revenue, with victims often negotiating significant discounts. Security experts advise against paying ransoms, recommending instead investing in preparation such as robust backup and recovery systems and incident response plans. Our hearts go out to any organization that finds itself a victim of these ransomware groups. It's a no-win situation and puts you in the unenviable position of deciding whether to trust someone who just robbed you blind.
And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com.

N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.