CyberWire Daily - Stealth, command, exfiltrate: The three-headed cyber dragon of Crimson Palace.

Episode Date: September 10, 2024

Crimson Palace targets Asian organizations on behalf of the PRC. Europe's AI Convention has lofty goals and legal loopholes. The NoName ransomware gang may be working as a RansomHub affiliate. Wisconsin Physicians Service Insurance Corporation, SLIM CD, and Acadian Ambulance Service each suffer significant data breaches. CISA adds three vulnerabilities to its Known Exploited Vulnerabilities Catalog. Researchers from Ben-Gurion University in Israel develop new techniques to exfiltrate data from air-gapped computers. In our latest Threat Vector segment, David Moulton, Director of Thought Leadership at Unit 42, sits down with Ryan Barger, Director of Offensive Security Services, to explore how AI is revolutionizing offensive security. Sextortion scammers have gone to the dogs.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

Threat Vector Segment
In this segment of Threat Vector, David Moulton, Director of Thought Leadership at Unit 42, sits down with Ryan Barger, Director of Offensive Security Services, to explore how AI is revolutionizing offensive security. Ryan delves into the practical applications of AI in tasks such as OSINT analysis, payload development, and evading endpoint detection systems. To listen to their full conversation, check out the episode here. You can catch new episodes of Threat Vector every Thursday on the N2K CyberWire network.
Selected Reading
Chinese Tag Team APTs Keep Stealing Asian Gov't Secrets (Dark Reading)
The AI Convention: Lofty Goals, Legal Loopholes, and National Security Caveats (SecurityWeek)
NoName ransomware gang deploying RansomHub malware in recent attacks (Bleeping Computer)
Wisconsin Insurer Discloses Data Breach Impacting 950,000 Individuals (SecurityWeek)
Payment Gateway SLIM CD Data Breach: 1.7 Million Users Impacted (HACKREAD)
Acadian Ambulance service is reporting data breach, exposing almost 3 Million people (Beyond Machines)
CISA Warns of Three Vulnerabilities That Are Actively Exploited in the Wild (Cyber Security News)
Researchers Detail Attacks on Air-Gapped Computers to Steal Data (Cyber Security News)
Sextortion scams now use your "cheating" spouse's name as a lure (Bleeping Computer)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K. The NoName ransomware gang may be working as a RansomHub affiliate. Wisconsin Physicians Service Insurance Corporation, SLIM CD, and Acadian Ambulance Service each suffer significant data breaches. CISA adds three vulnerabilities to its Known Exploited Vulnerabilities Catalog.
Starting point is 00:01:56 Researchers from Ben-Gurion University in Israel develop new techniques to exfiltrate data from air-gapped computers. In our latest Threat Vector segment, David Moulton, Director of Thought Leadership at Unit 42, sits down with Ryan Barger, Director of Offensive Security Services, to explore how AI is revolutionizing offensive security. And sextortion scammers have gone to the dogs. It's Tuesday, September 10th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here. It is great to have you with us. Dark Reading has published an examination of Operation Crimson Palace, a sophisticated cyber campaign linked to the threat clusters working on behalf of the People's Republic of China. These clusters, tracked as Alpha, Bravo, and Charlie, have been actively breaching public and private organizations in Asia,
Starting point is 00:03:18 including a Southeast Asian government agency, to steal strategic data. Each cluster has a specific role. Cluster Alpha focuses on initial access, performing network reconnaissance, establishing persistence, and disabling security measures. Cluster Bravo manages the infrastructure, spreading across networks and setting up command and control channels,
Starting point is 00:03:42 often hiding its activities within normal network traffic, making it hard to detect. Bravo has been particularly active in recent months, using compromised infrastructure from previous victims to stage further attacks. Cluster Charlie, the most active and advanced of the three, is responsible for maintaining access and exfiltrating data.
Starting point is 00:04:06 Known for its adaptability, Charlie frequently switches tactics when detected. After a run-in with cybersecurity researchers in 2023, Charlie began using open-source tools like Cobalt Strike to evade detection and deploy malware. It has shown a relentless ability to innovate, using numerous sideloading chains and shellcode loaders to deliver its malicious payloads. Despite ongoing efforts to combat Crimson Palace, its clusters continue to evolve and pose a significant threat to organizations across Asia. Their persistence and creativity make them a formidable adversary in the cybersecurity landscape. The AI Convention, officially titled the Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy, and the Rule of Law, was signed on September 5. It aims to protect human rights from potential misuse of AI, but faces challenges
Starting point is 00:05:06 due to exemptions and broad language. Unlike the EU AI Act, this convention focuses on safeguarding democracy and human rights, but allows countries to exempt AI activities tied to national security, which can be broadly defined during geopolitical tensions. Legal experts criticize its vague principles and lack of enforceability. The convention imposes stricter obligations on public authorities than private industry, which only needs to address risks. Though well-intentioned, the convention's exclusions and conflicting national interests limit its effectiveness. While it sets a positive framework for AI oversight, differing priorities between human rights, security, and economic competitiveness
Starting point is 00:05:55 undermine its ability to fully protect against AI-related harm. The NoName ransomware gang, also known as CosmicBeetle, has been active for over three years, targeting small and medium-sized businesses. Using custom tools from the Spacecolon malware family, the group gains network access through brute force and exploits old vulnerabilities like EternalBlue and ZeroLogon. Recently, NoName shifted from the Scarab encryptor to ScRansom, a more versatile malware capable of encrypting files across various drives. ScRansom's encryption process is complex, sometimes leading to errors that prevent file decryption even with correct keys. NoName is experimenting with LockBit 3.0's leaked ransomware builder to increase its visibility, setting up extortion sites similar to LockBit's. Though not fully confirmed, ESET believes NoName may be working as a RansomHub affiliate,
Starting point is 00:07:01 evidenced by overlapping malware and tactics. Despite its shortcomings, ScRansom continues to evolve, showing NoName's persistence in the ransomware scene. A number of organizations have announced significant data breaches. Wisconsin Physicians Service Insurance Corporation, WPS, is notifying approximately 950,000 individuals that their personal data was stolen in the 2023 MOVEit hack. The breach, orchestrated by the Cl0p ransomware group, exploited a zero-day vulnerability in the MOVEit Transfer software. WPS initially found no evidence of data theft, but later confirmed that personal information,
Starting point is 00:07:45 including names, Social Security numbers, and Medicare details, was compromised. Although no fraud has been reported, WPS is offering affected individuals credit monitoring and identity protection services. SLIM CD, a payment gateway provider, experienced a significant data breach between August 2023 and June 2024, compromising sensitive personal and credit card information of over 1.7 million customers. The stolen data includes names, addresses, credit card numbers, and expiration dates. Though the attack method remains undisclosed, experts suggest phishing or malware may be involved. SLIM CD advises affected customers to monitor their accounts for suspicious activity and offers free credit monitoring services to mitigate the risks of identity theft and financial
Starting point is 00:08:39 fraud. Acadian Ambulance Service, a Louisiana-based emergency care provider, reported a data breach affecting nearly 3 million individuals following a ransomware attack by the Daixin group in June of 2024. Sensitive information, including names, addresses, Social Security numbers, and medical details, was stolen and published on the dark web. Acadian detected the breach on June 21st and launched an investigation. The company disputes Daixin's claim that 10 million patients were affected. Acadian is offering free credit monitoring
Starting point is 00:09:17 and faces multiple lawsuits over security negligence. The Cybersecurity and Infrastructure Security Agency has added three vulnerabilities to its Known Exploited Vulnerabilities Catalog, urging organizations to address them promptly. These vulnerabilities include an ImageMagick improper input validation vulnerability. This is a flaw in the image processing library
Starting point is 00:09:42 that allows remote code execution through crafted images. The second vulnerability is a Linux kernel PIE stack buffer corruption. This allows a local attacker to escalate privileges using a buffer corruption vulnerability in the Linux kernel, known to be exploited in ransomware campaigns. And finally, SonicWall SonicOS improper access control. This flaw allows unauthorized access to SonicWall firewalls, potentially causing a system crash. CISA advises organizations to apply patches or discontinue affected products if mitigations are unavailable, with a remediation deadline for federal organizations of September 30, 2024.
Starting point is 00:10:32 Security researchers from Ben-Gurion University in Israel have developed new techniques to exfiltrate data from air-gapped computers, systems isolated from unsecured networks. Led by Dr. Mordechai Guri, the team exploited electromagnetic, acoustic, thermal, and optical emanations from computer components to transmit data to nearby receivers. For example, the RAMBO attack uses electromagnetic emissions from RAM to leak data, while AIR-FI generates Wi-Fi signals via DDR memory buses. Other techniques like POWER-SUPPLaY manipulate power supplies to create acoustic signals, and LED-it-GO uses hard drive LEDs to encode data. Even subtle vibrations from computer fans can be detected by nearby smartphones. These attacks show that air gaps, though effective, are not foolproof. To defend against such sophisticated methods, organizations must apply stringent access controls, endpoint protection, and monitoring.
Starting point is 00:11:42 Coming up after the break on our latest Threat Vector segment, a discussion of how AI is revolutionizing offensive security. Stay with us. Transat presents a couple trying to beat the winter blues. We could try hot yoga. Too sweaty. We could go skating. Too icy.
Starting point is 00:12:12 We could book a vacation. Like somewhere hot. Yeah, with pools. And a spa. And endless snacks. Yes! Yes! Yes!
Starting point is 00:12:20 With savings of up to 40% on Transat South packages, it's easy to say, so long to winter. Visit Transat.com or contact your Marlin travel professional for details. Conditions apply. Air Transat. Travel moves us. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
Starting point is 00:13:06 like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
Starting point is 00:13:51 is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. Thank you. at blackcloak.io. In this week's Threat Vector segment, David Moulton, Director of Thought Leadership at Unit 42, sits down with Ryan Barger, Director of Offensive Security Services,
Starting point is 00:14:44 to explore how AI is revolutionizing offensive security. So an unskilled attacker attempting to do anything nowadays is able to be much more powerful than they were in a pre-AI era. Welcome to Threat Vector, the Palo Alto Networks podcast, where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, Director of Thought Leadership. Today, I'm speaking to Ryan Barger, Director of Offensive Security Services, about how they're using AI. Here's our conversation. Ryan Barger, welcome to Threat Vector. Excited to have you here. Likewise. Excited to be here. Thanks for having me.
Starting point is 00:15:35 Let's get right into it. In offensive security, how is AI being leveraged to automate and enhance tasks that were previously manual or time-consuming? It's interesting. A lot of what offensive security is, is manually grinding through dead ends until after 99% of your dead ends, you finally find that one leeway that leads you further into an attack. So what we're doing with using AI is trying to help more quickly filter through those potential dead ends.
Starting point is 00:16:06 So let me give you some examples. Areas where we're using it is inside of OSINT analysis, as we're assessing open source information just sitting on the internet, as we're doing payload developments and establishing new evasion techniques to get around defensive products. We're also using it to help establish and build our infrastructure. But that's just a small snippet of things. Additionally, from the overall management of an operation in offensive security for things like report writing and all of the things that go along with just doing a test event, we're trying to find a way to reduce that manual grind that is hacking and focus in on the areas that
Starting point is 00:16:44 are really useful and increase efficiency. Ryan, for listeners that haven't heard the term offensive security, can you define that? Absolutely. So at its crux, right, you could just dwell it down and say it's hacking, right? It's ethical hacking. So I'm going to use the exact same techniques that an adversary uses to attempt to identify vulnerabilities and move through an environment, usually after trying to get access to a specific system that is specified by the customer to be their golden, their crown jewels, right? So we move through a network and try and use the exact same techniques as an adversary to try and assess overall cyber risk. That's really the single sentence description. At the end of the day, I like to say that my mission objective is not just to emulate the adversary, but to help the CISOs sleep at night, right? CISOs, they're aware that there's
Starting point is 00:17:50 a risk in their network somewhere, or at least they think there is. They send us after that perceived risk. We use all the techniques that a bad guy can use. And we tell them at the end, go, yeah, that is a valid risk. And here's some recommended remediations. Or otherwise, they tell us, we tell them, no, actually, there's sufficient safeguards there to prevent it. And then they can sleep at night. Ryan, I often joke that the AI that we often talk about is artificial intelligence, but the Unit 42 team is the actual intelligence team. And I like this idea that the future of OffSec coming out of your teams has actual intelligence applied to the power and scale and speed of artificial intelligence.
Starting point is 00:18:35 It's a concern, but it's one that is lessened when there's responsible folks on this side taking care of things. So I always like to ask, what's the most important thing a listener should remember from our conversation? So I think that everything has this core foundation of the fact that we are definitely living in an AI boom. And I hit earlier on the fact that I can't picture what six months looks like, six months from now looks like, and in the same way, I can't picture what five years looks like. So I think we should just make our decisions, whether they be cybersecurity-based, whether they be design-based, whatever you're doing in your organizations, you should be aware of the fact that this is a rapidly changing landscape. Also, we hit on here something,
Starting point is 00:19:26 a key takeaway is the fact that there's an increased efficacy on my side as an ethical hacker, but at the same point in time, the adversary is also going to benefit from that same increased efficiency. So we're looking at a potentially more dangerous threat landscape.
Starting point is 00:19:42 And so it's time to really pause and assess, have I done everything to do due diligence and preparation for a potential coming wave of more advanced cyber attacks? So have I deployed the right tooling? Have I done
Starting point is 00:19:57 penetration tests from an independent authority to assess my network? Because at the end of the day, an AI-driven, I use the theoretical AI-driven worm, it's going from an independent authority to assess my network, right? Because at the end of the day, an AI-driven, I use the theoretical AI-driven worm, it's going to look for off the bat those top 10, 20 things that I'm going to look for
Starting point is 00:20:15 as I'm moving through a network. And if it finds it, it's going to proliferate through. So have you done everything possible to try and identify that low-hanging fruit that allows for movement through your network? Have you done everything possible to try and identify that low-hanging fruit that allows for movement through your network? Have you done everything possible to try and increase detection so that your mean time to detection from a compromise is as quick as possible? Maybe even automated response. If you start seeing attack techniques, can your network respond accordingly? So I think the
Starting point is 00:20:38 takeaway is you're in the middle of an AI know, don't go back and concentrate on the same problems you've always had. Make sure you're spending time to look forward and think about the problems that are coming that theoretically could be, again, much more advanced. Thanks for listening to this segment of the Threat Vector podcast. If you want to hear the whole conversation, you can find the show in your podcast player. Just search for Threat Vector by Palo Alto Networks. Each week, I interview leaders from across our industry and from Palo Alto Networks
Starting point is 00:21:13 to get their insights on cybersecurity, the threat landscape, and the constant changes we face. See you there. Be sure to check out the Complete Threat Vector podcast. You can find that right here on the N2K CyberWire network or wherever you get your favorite podcasts. Thank you. worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And finally, our love and marriage desk reports a new twist on the classic sextortion scam, which is now targeting spouses, claiming their partner is cheating, even offering a link to proof.
Starting point is 00:22:47 In typical fashion, the scammers demand money to keep these so-called secrets quiet. While you'd think no one would fall for such tricks, these scams have been quite profitable, pulling in over $50,000 a week when they first appeared in 2018. The latest scam, which surfaced about three weeks ago, has Reddit buzzing with confused spouses. Recipients report getting emails from sketchy domains using personal details not commonly shared online, like second last names or even pet names. One poor soul received an email accusing their dog, Mr. Wiggles, of cheating. Yes, the dog. The source of these personal details is still unclear, with some pointing fingers at a wedding planning site. While the emails are unsettling, they're just scams. If Mr. Wiggles gets accused
Starting point is 00:23:41 again, just hit delete. Poor Mr. Wiggles. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.
Starting point is 00:24:33 N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at N2K.com. and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps
Starting point is 00:25:58 tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
