CyberWire Daily - The beginning of an international consensus on AI governance may be emerging from Bletchley Park.
Episode Date: November 2, 2023
Bletchley Declaration represents a consensus starting point for AI governance. Lazarus Group prospects blockchain engineers with KANDYKORN. Boeing investigates ‘cyber incident’ affecting parts business. NodeStealer’s use in attacks against Facebook accounts. Citrix Bleed vulnerability exploited in the wild. MuddyWater spearphishes Israeli targets in the interest of Hamas. India to investigate alleged attacks on iPhones. Tim Starks from the Washington Post on the SEC’s case against SolarWinds. In today’s Threat Vector segment David Moulton from Unit 42 is joined by Matt Kraning of the Cortex Expanse Team for a look at Attack Surface Management. And Venomous Bear rolls out some new tools.
On the Threat Vector segment, David Moulton, Director of Thought Leadership for Unit 42, is joined by Matt Kraning, CTO of the Cortex Expanse Team. They dive into the latest Attack Surface Management Report.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/210
Threat Vector: Read the Attack Surface Management Report. Please share your thoughts with us for future Threat Vector segments by taking our brief survey. To learn what is top of mind each month from the experts at Unit 42 sign up for their Threat Intel Bulletin.
Selected reading.
The Bletchley Declaration by Countries Attending the AI Safety Summit, 1-2 November 2023 (GOV.UK)
US Vice President Harris calls for action on "full spectrum" of AI risks (Reuters)
Elastic catches DPRK passing out KANDYKORN (Elastic Security Labs)
North Korean Hackers Targeting Crypto Experts with KANDYKORN macOS Malware (The Hacker News)
Lazarus used ‘Kandykorn’ malware in attempt to compromise exchange — Elastic (Cointelegraph)
An info-stealer campaign is now targeting Facebook users with revealing photos (Record)
Mass Exploitation of 'Citrix Bleed' Vulnerability Underway (SecurityWeek)
MuddyWater eN-Able spear-phishing with new TTPs | Deep Instinct Blog (Deep Instinct)
Centre's Cyber Watchdog CERT-In To Probe iPhone "Hacking" Attempt Charges (NDTV.com)
Over the Kazuar’s Nest: Cracking Down on a Freshly Hatched Backdoor Used by Pensive Ursa (Aka Turla) (Unit 42)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The Bletchley Declaration represents a consensus starting point for AI governance.
Lazarus Group prospects blockchain engineers with KANDYKORN.
Boeing investigates a cyber incident affecting their parts business.
NodeStealer's use in attacks against Facebook accounts.
The Citrix Bleed vulnerability is exploited in the wild.
MuddyWater spearphishes Israeli targets in the interest of Hamas.
India investigates
alleged attacks on iPhones.
Tim Starks from the Washington Post
on the SEC's case
against SolarWinds.
In today's Threat Vector segment,
David Moulton from Unit 42
is joined by Matt Kraning
of the Cortex Expanse team
for a look at
attack surface management.
And Venomous Bear
rolls out some new tools.
I'm Dave Bittner with your CyberWire Intel briefing for Thursday, November 2nd, 2023. This week, British Prime Minister Rishi Sunak hosted an AI safety summit,
convening about 100 government leaders, tech executives, and scholars.
The summit is British-led,
but with a broad international participation. The BBC explains that Prime Minister Sunak's
plan is to make the UK a global leader in AI safety, but the summit reached broad consensus
on AI governance. It was expressed in a draft agreement, the Bletchley Declaration,
which outlined two general directions for further work.
The first involves research so global leaders can arrive at a proper understanding of AI risk.
The Declaration describes this as identifying AI safety risks of shared concern,
building a shared scientific and evidence-based understanding of these risks,
and sustaining that understanding as capabilities continue to increase in the context of a wider global approach to understanding the impact of AI in our societies. The second builds on the first
and involves using the results of such research to develop policies that can manage the risks the science discovers.
The declaration calls this building respective risk-based policies across our countries
to ensure safety in light of such risks, collaborating as appropriate while recognizing
our approaches may differ based on national circumstances and applicable legal frameworks.
This includes alongside increased transparency
by private actors developing frontier AI capabilities, appropriate evaluation metrics,
tools for safety testing, and developing relevant public sector capability and scientific research.
The 28 signatories represent the world's major cyber powers, with the exception of Russia, Iran, and North Korea, who weren't invited.
China was there, however, and they signed on.
Elastic Security Labs describes an attempt by North Korea's Lazarus Group to target blockchain engineers with a newly observed strain of macOS malware called KANDYKORN.
The malware was delivered via a camouflaged Python application designed and advertised as an arbitrage bot targeted at blockchain engineers.
The researchers note,
We observe the threat actors adopting a technique we have not previously seen them use
to achieve persistence on macOS, known as execution flow hijacking.
The target of this attack was the widely used application Discord. The Discord application
is often configured by users as a login item and launched when the system boots,
making it an attractive target for takeover. HLOADER is a self-signed binary written in Swift. The purpose of this loader is to execute both the legitimate Discord bundle and the .log payload,
the latter of which is used to execute MachO binary files from memory without writing them to disk.
The campaign has been ongoing since April 2023, and the tools and techniques are being continuously developed.
Halloween may be over, but as any trick-or-treater can tell you, candy corn lasts forever.
Boeing has disclosed a cyber incident that affects its parts and distribution business,
Reuters reports. A Boeing spokesperson stated,
This issue does not affect flight safety. We are actively investigating the incident and coordinating with law enforcement and regulatory authorities. We are notifying our customers and
suppliers. The company didn't specify the nature of the incident, but Reuters notes that the LockBit
cyber criminal group claimed last week that it had stolen a tremendous amount of data from Boeing
and would leak the data if the company didn't pay the ransom by November 2nd.
The gang has since removed this threat from its website.
Researchers at Bitdefender are tracking evolutions in NodeStealer malware campaigns.
NodeStealer is an infostealer discovered in January 2023
that's designed to steal browser cookies and take over Facebook
accounts. Threat actors are now using compromised Facebook business accounts to serve malicious ads.
The ads use lewd photos to entice users into downloading a file that purports to be a photo
album but will instantly install a new version of NodeStealer. The researchers note that this version of the malware has new features
that allow criminals to obtain unlawful entry into additional platforms
like Gmail and Outlook to steal crypto wallet balances
and download additional malicious payloads.
SecurityWeek reports on the ongoing mass exploitation of the Citrix Bleed vulnerability affecting NetScaler ADC and NetScaler Gateway.
Citrix issued patches for the flaw on October 10th and said last week,
we now have reports of incidents consistent with session hijacking and have received credible reports of targeted attacks exploiting this vulnerability.
Security researcher Kevin Beaumont says at least two ransomware groups are currently exploiting the vulnerability,
and one group is distributing a Python script to automate the attack chain.
Deep Instinct has posted research on a new campaign by the Iranian threat group MuddyWater that appears to represent involvement in the
cyber phases of the war between Hamas and Israel. The precise infection mechanism is unknown,
but Deep Instinct believes it to have been spear phishing. Deep Instinct writes,
in this campaign, MuddyWater employs updated TTPs. These include a new public hosting service employing an LNK file to initiate the infection
and utilizing intermediate malware that mimics the opening of a directory while executing a new remote administration tool.
The goal appears to be espionage, although battle space preparation for subsequent attacks can't be ruled out either.
The Indian Computer Emergency Response Team will investigate
numerous opposition leaders' claims that they had been notified by Apple that their phones were
targeted by state-sponsored attackers, NDTV reports. Apple confirmed that it sent the alerts,
but said it does not attribute the notifications to any specific state-sponsored attacker,
noting the possibility that the alerts may be false alarms.
According to TechCrunch, India's IT minister downplayed allegations
that the Indian government was behind the attacks.
So far, the investigation remains in its early stages,
so espionage, political scandal, or nothing more than a false alarm
all remain possibilities.
Finally, there are some other sightings of cyber bears, or if your nomenclature rolls that way, snakes.
Turla, the threat group operated by Russia's FSB that's also known as Venomous Bear,
Pensive Ursa, Uroburos, or just plain Snake, has long operated against Ukraine.
Palo Alto Networks' Unit 42 has observed Pensive Ursa, their preferred name for the threat actor,
using an advanced and stealthy .NET backdoor called Kazuar.
The backdoor has been used against the Ukrainian defense sector, the Ukrainian CERT reported in July,
where it's been used to obtain sensitive access and information. It hijacks legitimate websites
for command and control, which renders Kazuar resistant to takedowns, and it also has stealthy
and anti-analysis features. Unit 42 offers an extensive account of the 40 distinct commands Kazuar supports
and provides a list of indicators of compromise.
A kazuar, by the way, is a cassowary, a big, flightless, solitary, and bad-tempered bird.
So go ahead and add that to the malware bestiary.
Where's the consistency, though?
We know, we know, every research crew has its own nomenclature,
and everybody's cool with that,
but our editorial staff has formula-evolving minds,
and they obsess over this kind of thing.
So, hey, Fort Meade, how about taking the lead on this one,
if only to get the staff off our backs?
Russian threat actors should be bears,
Chinese units, pandas, Iranian cats,
Indian elephants. Infer the principle and go from there. And where's the patriotic pride?
What about the good guys? Don't they deserve mascots too? For the five eyes? Well, eagle is
too obvious for the Americans, but then America is sort of the world rattlesnake capital,
so why not those?
Happy Sidewinder, Goofy Mojave Green, things like that.
For Canada, how about some loons?
Friendly loon, diligent loon.
For the United Kingdom, switch it up
and use characters from Wind in the Willows.
Who wouldn't like Honest Badger or Tethered Mole?
New Zealand?
The Tuatara has a nice ring to it.
Kangaroos are too obvious for Australia,
but hey, what about the cassowary?
No way, it's already taken.
Curse you, venomous bear.
Coming up after the break, Tim Starks from The Washington Post on the SEC's case against SolarWinds. In today's Threat Vector segment, David Moulton from Unit 42 is joined by Matt Kraning of the Cortex Expanse team for a look at attack surface management.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
20% of the cloud changes every month. That means that 20% of the exposures an organization has in a given month
were not present the previous month in the cloud.
Unless you're actually doing something pretty much daily and continuously, you're actually missing almost all of your risk.
Welcome to Threat Vector, a segment where Unit 42 shares unique threat intelligence insights, new threat actor TTPs, and real-world case studies.
Unit 42 has a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world.
I'm your host, David Moulton, Director of Thought Leadership for Unit 42.
In today's episode, I'm going to be talking with Matt Kraning.
Matt is a CTO on the Cortex Expanse team and will be unpacking the findings from the latest Attack Surface Management report.
Matt and his team are able to scan the entire internet and find weaknesses and vulnerabilities that plague organizations with the Expanse technology they've invented. This report shines a light on the most worrisome problems the team has uncovered.
Matt, your team just put out a new attack surface management report. Can you describe what this report is and who it's for?
The report that we just put out is a survey of over 250 large organizations
and it analyzes the risks and configurations present on the IT that they deploy across
the internet. So this report is for senior security leaders, CISOs, CIOs, to understand the risks that are present in large organizations.
So Matt, the report says that RDP, Remote Desktop Protocol, exposures are prevalent.
What are these and why is that such a bad thing?
Remote Desktop Protocol, or RDP, is a service that is very frequently run by organizations across many, in some cases, all of their laptops.
But this allows legitimate IT administrators of an organization to remotely troubleshoot and diagnose problems.
This is a great tool that lots of teams should use.
Unfortunately, it also tends to contain a number of security issues associated with the protocol. And if this protocol is actually
present on the public internet, then anyone in the world can go in and do one of two things. One,
you can just start guessing passwords. And if you don't have a
great password policy, it's like leaving a laptop open in Central Park. In addition, if you're
running older versions of this protocol, which unfortunately are present on the internet
frequently, there are also a number of remote code execution exploits where even if you don't
know a username password combination, you can immediately gain access to the client machine
and any sensitive data and credentials on that machine.
Matt, one of the things that stood out in the report
was that 85% of the industries studied had RDP exposed
for at least a quarter of the month.
If you're a security practitioner or you're a CISO that's listening right now,
do you see that as one of those things that they're surprised that it's that prevalent?
I think a number of people are not surprised that it happens frequently to
other people, but are sometimes surprised that it's happening to them. And there's two different
ways that I explain this. One, our own reporting with Unit 42 has found that in the case of
ransomware attacks, which can generate substantial business interruption costs into
the millions or multiple millions of dollars, over 60% of the time, there's ransomware that
we have to respond to. The actual origin of the ransomware is not phishing. It is actually a
remote desktop protocol system on the public internet that was exploited. So there's substantial
risk when these exist. I think what a lot of people are surprised on is just how often and how many organizations this occurs for.
And this report looked at over 250 organizations with over 10,000 people each.
These are large organizations, typically with well-funded, substantial, both IT and IT security teams.
And even then, we see these exposures happening regularly. And when we look
at the root cause of why this happens, ultimately, it's that IT security teams typically do not have
total visibility over all of the assets that the organization owns and manages. So while they may
be very secure and for the assets they know about and track regularly, there might not be RDP exposed on the internet.
There's another class of assets that usually is 30, 40, sometimes even 50% of the total assets of the organization
that security is effectively blind to.
And that's where a substantially higher fraction of their risk lies in the systems that they don't even know about.
The report shows that there are several paths of least resistance for attackers to exploit.
And if they're so prevalent,
why aren't we seeing more attacks against those exposures?
I think we see a number of attacks against these.
So over the last 20 years,
I think it's been a kind of unchallenged belief
in security that employees are always the weakest link.
And this goes back more than two decades.
And I think for a large fraction of that time, it was true.
And you saw both very high investment in attackers, in attacking employees,
and then also in defenders inventing a variety of different technologies to protect employees.
I think what we're now seeing is no longer the
early days, but now kind of the middle of attackers realizing the weakest link and the easiest way
into organizations, in a lot of cases, is actually through unknown, unmanaged IT assets of the
organization, rather than trying to get around a number of different phishing and other endpoint protection mechanisms.
And when we look at some of the largest, worst breaches of the last decade, many of them were not phishing.
They were actually exactly this, an asset getting exploited on the public internet that was not known, or at least not centrally known, in a standardized way to the security team.
Some of the best examples of this are things like the WannaCry attacks.
Then you also look at things like TJ Maxx going through HVAC systems, the Equifax hack as well.
All these are examples of where the company in question lost hundreds of millions or in some cases billions of dollars,
and it wasn't somebody being phished.
It was actually an IT asset that was on the public internet that was usually unmanaged,
had not been updated in a very long time. And the companies unfortunately had a very bad day in all of those cases.
Matt, thanks for joining me today on Threat Vector. It's amazing what you
and your team have been able to discover and publish. For those listening, the latest attack surface management report is available on the Expanse
website. A link will be on our show notes. We'll be back on the Cyber Wire daily in two weeks.
In the meantime, stay secure, stay vigilant. Goodbye for now.
That's David Moulton, Director of Thought Leadership for Unit 42,
joined by Matt Kraning, CTO of the Cortex Expanse team,
with our Threat Vector segment.
And it is always my pleasure to welcome back to the show Tim Starks.
He is the author of the Cybersecurity 202 at the Washington Post.
Tim, welcome back.
My man, Dave.
Thank you. Thank you.
Really interesting reporting that you did on the 202 this week about the SEC's
case against SolarWinds. Can you unpack your reporting here for us?
I will try. This is a very, very big deal in so many ways. First off, we're starting from
one of the biggest breaches that's ever happened by many measures with the SolarWinds.
We're talking about thousands of organizations.
We're talking about at least nine agencies
that were breached as a result of the SolarWinds attack.
That's the beginning.
That's the very start of it.
The next thing that happens is that the SEC
purchases SolarWinds and says,
we're investigating this.
They're also investigating the CISO
of the organization.
So that's a different thing.
Then they actually go through with it.
They actually do the investigation. They actually
file the suit
in the District Court of New York.
And there's multiple levels
of new about that.
By the way, I never heard this term censure.
Censure?
The term is related to the willingness or the cognizance of someone to deliberately lie to the SEC.
So that's new.
They're saying, we know that you know that you were lying about this.
You were very aware of all your vulnerabilities and you misrepresented yourself.
That's another new level.
And so there's just all these levels of newness to this that are really, really important in the cyber world
that are really going to set precedents in a lot of ways for how regulators, for how suits can
proceed in the cyber world right now.
I think, needless to say, this has the attention of a lot of CISOs and their boards.
If I'm a CISO looking at this, how do you suppose I should react to this news?
Well, I think you should be a little scared.
You know, the response from SolarWinds
is obviously very defensive, right?
I mean, SolarWinds is being prosecuted,
literally, by the SEC.
And so their reaction is naturally very defensive.
But even before this suit actually happened,
there was a little bit of a panic in the CISO world of like,
oh my God, if I talk about a vulnerability inside of my company,
I might be subject to regulators.
So yeah, it's a thing that people should be very concerned about.
Now, if you're on the SEC side, and I'm trying to be both sides here,
you want that.
You want people to be being better about the vulnerabilities you've discovered
because you fear the SEC.
You can say a lot internally about, and by
the way, you should really read the
entire complaint
because there's a lot of details about
how much people were
talking internally about how poor
the security was. If you're in a
company and you're talking about
vulnerabilities and you're scared about vulnerabilities,
maybe you should be scared of the SEC.
That's the thing I would say.
Is this a case of that classic old yarn
about how the cover-up is worse than the crime?
A little bit, yeah.
Yeah, a little bit.
I mean, I talked to an attorney
who has been at the SEC,
who has represented companies
in SEC enforcement actions.
One of her responses was, everybody
should be really careful about what they say, what they say internally.
Again, that goes to the cover-up of the crime.
If you have a vulnerability, you should obviously be concerned about it.
But if you say it out loud or you say it in an email, that could be a problem. And that's one of the SolarWinds complaints, implicitly, not explicitly,
that if you are a CISO and you are aware of a vulnerability in your company
and you say it in an email or whatever to someone else in the company,
without addressing it, you could be vulnerable to SEC action. That's their
sort of worst case scenario of like, this is bad for America if you just even talk about a
vulnerability inside your company. I can see the SEC's point of view that if you're aware of a
vulnerability and you don't address it, that's a problem. Yeah, no. I mean, we are both
accustomed to being devil's advocates.
In a situation like this where SolarWinds and the SEC have points
of view, I think there are really strong arguments on both sides, actually.
How is this going to play out from here?
Really good question.
You know, if you go back to 2014,
and we all want to go back to 2014, don't we? We want to rewind and go back to 2014.
Yahoo got hit with that very big breach back in the day.
And in 2018, they eventually settled with the SEC.
I mean, the likely scenario is that there will be some kind of settlement,
to be honest.
But if there's not, if SolarWinds really, really fights this,
and they could, we could have some precedent setting
about what the requirements are for a company
to know about a vulnerability and report about a vulnerability.
It could be a very big deal if it actually goes
to court and is actually settled. Sorry, not settled, but is actually litigated.
Yeah. All right. Well, Tim Starks is the author of the Cybersecurity 202 at the Washington Post.
Do check out his reporting on the SEC's case against SolarWinds. It is well worth your time.
Tim, thank you so much for joining us.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Breaking news happens anywhere, anytime.
Police have warned the protesters repeatedly, get back.
CBC News brings the story to you live.
Hundreds of wildfires are burning. Be the first to know what's going on and what that means for you and for Canada.
This situation has changed very quickly.
Helping make sense of the world when it matters most.
Stay in the know.
Download the free CBC News app
or visit cbcnews.ca.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing
at thecyberwire.com.
We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. Your
feedback helps us ensure we're delivering the information and insights that help keep you a
step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and
podcasts like the Cyber Wire are part of the daily intelligence routine of many of the most Thank you. workforce intelligence optimizes the value of your biggest investment, your people. We make
you smarter about your team while making your team smarter. Learn more at n2k.com. This episode
was produced by Liz Ervin and senior producer Jennifer Iben. Our mixer is Trey Hester with
original music by Elliot Peltzman. The show was written by our editorial staff. Our executive
editor is Peter Kilpie, and I'm Dave Bittner. Thanks for
listening. We'll see you back here tomorrow.
Thank you. can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act
with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at
ai.domo.com. That's ai.domo.com.