CyberWire Daily - Threat actors with mixed motives: from the political to the financial.
Episode Date: November 21, 2023
OpenAI's continuing turmoil. Crypto firm sustains API attack. Konni campaign phishes with a Russian document as bait. LockBit's third-party compromise of Canadian government personnel data. Ukraine removes senior security officials under suspicion of graft. Dave Bittner sits down with Steve Winterfeld from Akamai to discuss emerging threats in the financial services sector. And Idaho National Laboratory sustains data breach.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/222
Selected reading.
Company that created ChatGPT is thrown into turmoil after Microsoft hires its ousted CEO (AP News)
The Doomed Mission Behind Sam Altman's Shock Ouster From OpenAI (Bloomberg)
Briefing: OpenAI Execs to Continue Discussions With Altman, Board: Memo (The Information)
OpenAI in 'Intense Discussions' to Quell Potential Staff Mutiny (Bloomberg)
Microsoft Wants to Work With Altman, No Matter What, Says CEO (Bloomberg)
Briefing: Microsoft CEO Nadella Says Altman Could End Up at Microsoft or OpenAI; Board Governance Should Change (The Information)
Sam Altman's AI 'mission continues' at Microsoft, future of OpenAI and ChatGPT uncertain (ZDNET)
OpenAI's Customers Consider Defecting to Anthropic, Microsoft, Google (The Information)
OpenAI's Board Approached Anthropic About Merger (The Information)
The Vast Majority of OpenAI Employees Ask the Board to Resign (The Information)
Konni Campaign Distributed Via Malicious Document (Fortinet Blog)
Ukraine sacks top cyber defence officials amid graft probe (Reuters)
Two top Ukrainian cyber officials dismissed amid embezzlement probe (Record)
Ukraine fires top cybersecurity officials (TechCrunch)
Ukraine-Russia war: Ukraine sacks 'corrupt' cyber defence chiefs (The Telegraph)
Kronos Research halts trading amid $25M API key hack investigation (Cointelegraph)
Kronos Research Loses $26 Million in Unauthorized API Access Incident (Bitcoin News)
Canadian government discloses data breach after contractor hacks (BleepingComputer)
Idaho National Laboratory experiences massive data breach; employee information leaked online (East Idaho News)
Detailed data on employees of U.S. national security lab leak online (CyberScoop)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
OpenAI's continuing turmoil. Crypto firm sustains API attack.
Konni campaign phishes with a Russian document as bait.
LockBit's third-party compromise of Canadian government personnel data.
Ukraine removes senior security officials under suspicion of graft.
Dave Bittner sits down with Steve Winterfeld from Akamai to discuss emerging threats in the financial services sector.
And Idaho National Laboratory sustains a data breach.
I'm Tré Hester, filling in for Dave Bittner with your CyberWire Intel briefing for Tuesday, November 21st, 2023.
Turmoil at OpenAI continues as its workers threaten mass resignation if the board stays in place.
738 of OpenAI's 770 employees have now signed a letter demanding the restoration of ousted CEO Sam Altman and his co-founder Greg Brockman and the resignation of the board that fired them.
Wired reports that the letter includes a threat to quit the company,
possibly to join a new venture headed by Altman. OpenAI was founded with the
mission to ensure that artificial general intelligence benefits all of humanity,
and Friday's dismissal, couched as a response to what the board characterized as Altman's lack of
candor, suggests that the new board believed Altman's leadership had drifted from that mission.
The organization's structure was probably unstable from the outset. It's a not-for-profit
research institution,
self-consciously animated by an idealistic humanitarian vision
that simultaneously oversaw a capped-for-profit company
characterized by the aggressive and fast-moving optimism
typical of Silicon Valley startups.
The Atlantic has an account, based on discussions with insiders
who spoke on a condition of anonymity,
that suggests OpenAI was riven by two rival futurist visions,
one utopian, the other dystopian,
but both in their own way,
representing an extreme picture of artificial intelligence's potentialities.
Shortly after firing Altman, OpenAI's board approached rival Anthropic about a possible merger,
an approach, The Information says, that Anthropic quickly declined.
Subsequent reports indicated that a number of OpenAI customers were considering moving to competitors, including Anthropic, Microsoft, and Google.
For now, and pending further developments, Microsoft appears to be the winner.
Redmond hired both Altman and Brockman to run a, quote,
new advanced AI research team, and the former OpenAI leaders
seem likely to attract much of the talent that may defect from their old company.
As recently as yesterday afternoon, however,
The Verge was reporting that Altman's return to OpenAI remained an open possibility,
and according to Bloomberg, that would be agreeable to Microsoft as well.
Microsoft CEO Satya Nadella stated, quote,
Irrespective of where Sam is, he's still working with Microsoft.
End quote.
We note in full disclosure that Microsoft is a CyberWire partner.
The operators behind the Konni RAT have been observed using a Russian-language document,
"Western Assessments of the Progress of the Special Military Operation," as phishbait.
Researchers at Fortinet report that the malicious Word document contains a dropper that installs a
remote-access Trojan that serves as both an information stealer and a remote code execution
threat. The researchers conclude that the threat involves an advanced toolset employed by a
sophisticated threat actor within a Word document using batch scripts and DLL files.
The payload incorporates a UAC bypass and encrypted communication with a C2 server,
enabling the threat actor to execute privileged commands.
Fortinet does not speculate about targeting,
but circumstantially the intended victims appear to be Russian.
Fortinet also does not discuss attribution,
but Malpedia connects Konni with APT37, a North Korean cyber espionage actor whose principal targets since the group's discovery in
2012 have been South Korean political organizations as well as Japan, Vietnam, Russia, Nepal, China,
India, Romania, Kuwait, and other parts of the Middle East.
Two Ukrainian senior cybersecurity officials were removed from office yesterday,
resigning as they faced criminal corruption charges. The two officials, familiar to the
cybersecurity and defense sectors, are Yurii Shchyhol, head of the State Service of Special Communications
and Information Protection of Ukraine, and Victor Zhora, the SSSCIP's deputy head. They're suspected of establishing two
shell companies to rig bids for software, the excess charges for which were skimmed off by
the principals. The amount alleged to have been stolen amounts to 1.7 million U.S. dollars.
Both senior officials deny wrongdoing and say they look forward to vindication.
Mr. Zhora worked closely with U.S. officials and agencies, notably with CISA.
Taiwanese crypto trading firm Kronos Research has sustained a theft of approximately $26 million
after an attacker gained unauthorized access to its API keys, Bitcoin.com reports.
The company stated on Sunday, quote,
Despite it being a sizable amount, Kronos remains in good standing.
All losses will be covered internally, no partners will be affected, end quote. Kronos did, however, halt its trading
services on Saturday while it investigated the incident.
The Treasury Board of Canada's
Secretariat has disclosed a third-party data breach in which contractors handling information
of members of the Canadian Armed Forces, the Royal Canadian Mounted Police, and other Canadian government employees were
compromised by LockBit. The two affected contractors were Brookfield Global Relocation Services
and SIRVA Canada. BleepingComputer says the compromised information goes back to 1999.
While Canadian authorities didn't offer an attribution of the attack to any particular
group, LockBit, the privateering and profit-motivated Russian ransomware gang, has claimed the SIRVA
compromise and is probably responsible for the breach at Brookfield Global Relocation Services
as well. According to BleepingComputer, LockBit says it has 1.5 terabytes of stolen documents
and that SIRVA declined to pay the ransom demanded.
And finally, the U.S. Department of Energy is dealing with a data breach that compromised a
large quantity of personal information belonging to personnel at the Idaho National Laboratory.
CyberScoop reports that SiegedSec has claimed responsibility for the attack.
The breach has apparently affected the National Lab's Oracle HCM system.
SiegedSec claims to have obtained hundreds of thousands of records of user, employee, and citizen data,
which include names, Social Security numbers, bank account information, and addresses.
SiegedSec hasn't said why it hit the lab, but it has shown complicated motives in the past.
It's a sometimes politically but often financially motivated threat group that describes itself as more black hat than activist.
The breach remains under investigation and the story is still developing.
Coming up after the break, Dave Bittner sits down with Steve Winterfeld from Akamai
to discuss emerging threats in the financial services sector.
Stick around.
Our own Dave Bittner sits down with Steve Winterfeld from Akamai to discuss emerging threats in the financial services sector.
So today we're talking about some of the threats that you all are
tracking when it comes to financial services. You recently put out a report on this. Can we start
off with just some high-level stuff here? Can you give us a little bit of the lay of the land,
kind of where we find ourselves when it comes to folks coming at financial services?
Sure, yeah.
And this is our state of the internet report.
We do these on both financial sector, commerce sector, and then things like API security
or DDoS.
And so this one was focused on financial services.
We actually had the FS-ISAC, the Financial Services Information Sharing and Analysis Center,
kind of open this report up. They talked about some API security recommendations,
some of the DDoS challenges, because that continues to have significant impacts
and different financial organizations. And then some of the stuff we see coming for resiliency.
And then again, we jump into our research here at Akamai and, you know, it's based on our security capabilities. So,
you know, we won't talk about things like endpoint security. We protect the edge,
we protect segmentation. And so it's around things like that where we have visibility.
The one that doesn't surprise me, of course, is APIs.
Transformation is driving APIs rapidly.
You know, it started with open banking in Europe. We have API here growing at 65%.
Right behind that is the bot attacks.
We've seen that increase over a trillion hits.
That's grown at 69%.
You know, still hitting that edge is DDoS attack. Last year financial services were number two in DDoS;
this year we're back, beating out gaming, to number one in DDoS attacks. So really the edge is under systematic attacks
that continue to grow in speed, scope, and complexity.
I think it's fair to say that the folks in the financial services industry
have a reputation for being well-prepared for these sorts of things. Is that your perception
as well? Does that track with where we find ourselves?
It absolutely does. I mean, they have to be, because financial services is built around trust. You and I both want access to our wealth. I'll jokingly call what I have wealth. And so we have to protect that trust. Now, the Fortune 5000 banks have a lot of resources.
The local community banks don't.
You know, we're getting attacks across that entire spectrum.
And, you know, we've seen this increase.
You know, a while ago we saw regional changes. So it was the U.S. that was most attacked.
Now Europe, the Middle East, and Africa, really Europe, is the most attacked,
growing in layer three and four attacks because of the war in Europe. So we continue to see
great preparation, but the adversary continues to come across that entire spectrum.
Where do you see us heading in terms of trends with the organizations? I'm thinking of
the kinds of things that they're putting in place to protect themselves. So it's interesting you say
that because a lot of this is coming out of those transformation changes. So as you know, we've had
web pages out there a long time, they're well protected. But we're moving to different environments, different methodologies
of development. DevSecOps, a lot of banks are very conservative. Some are moving into that now.
Some haven't been in as long as other industries. And so containers, APIs, a lot of things that
are newer, and we don't have the same maturity of controls around that.
So we're seeing shadow APIs.
We're seeing API abuse.
All those access controls, if you look at the OWASP top 10 for APIs, all of those are something that we see a lot of the banks focusing on.
Continuing to see banks also focus, and this is really not just banks, but
a lot of my peers, a lot of the CISOs I'm talking to, we're shifting from protecting the edge to
minimizing that impact, minimizing the dwell time. So ransomware, we put out a report showing that
they're actually focused on making money off of threatening to expose your data. And so
more and more of us are saying, how quickly can we detect somebody exfilling data?
So that would be the other shift I've really seen a lot of.
One of the things that caught my eye in the report was the degree to which insurance
companies are finding themselves a target. Any insights there?
So, you know, insurance and healthcare are both interesting sectors because there is a lot of
fraud associated with both of those. This is the first year we broke out sub-verticals and
banking being the most attacked. Then there's kind of a mix of a bunch of smaller numbers,
you know, FinTech and trading and things.
And then finally insurance.
And we see insurance, you know,
they're scraping insurance data of the members. They're trying to, you know, put in false claims.
So it's a mix of trying to attack the customer
and attack the company.
But the fraud in both those is just really spiking.
Based on the information that you all have gathered here, what are your recommendations?
So I think, you know, it kind of follows the attack patterns we're seeing, you know.
So there's still things that are very traditional. So the, the cyber hygiene, the blocking and tackling the basic things are very important.
But then we say, you know, probably my most common conversation is around visibility,
situational awareness. You know, do you know where your shadow APIs are? Do you know when the next zero day comes out?
And we've actually seen threat actors investing in buying zero days.
And so how quickly can you detect if you have that protocol or if you're using that vendor?
We've talked about software bills of materials.
Now we have SBOMs for where do we have those protocols in our environment?
So how quickly can we do those kind of things to know where our threats are and have visibility?
I mentioned earlier that abuse.
People legitimately using your APIs in abusive ways to scrape customer data or try to aggregate a threat.
And so how do you know what's going on there?
DDoS, we've seen record numbers, a quick review of DDoS, attacking your web page at layer
seven, new records being set there, attacking your infrastructure, either taking away bandwidth
or taking away the
actual CPU cycles. We've seen, you know, a great number of new and innovative threats there.
And last, going after your DNS. And so with these, have you looked at all of those DDoS attacks and
have you seen what the latest records are? And are you about 10% over that?
This is something that, you know, we need to get our playbooks out. We need to refresh them. We need to make sure that we're well coordinated if you're using a third party, as most do, for DDoS,
and that we're not going to lose 20 minutes of downtime because we're not well coordinated.
And then, you know, the last is managing attack surfaces. We talk about third-party scripts. While
banking doesn't use JavaScript as much as a lot of, say, commerce or other industries,
it still could be impactful. So are we looking at that kind of an environment? Are we looking
at our financial aggregators and understanding what's going on in that environment. So where are we expanding our scope? Where do you suppose we stand in terms of compliance?
What do you, as you look toward the horizon, what are you seeing there?
Again, a lot of regional differences. We'll talk about kind of the basics. Europe is probably the
number one driver, a lot of compliance coming out.
So the first was around things like open banking.
So that drove a lot of API security.
The next was around privacy, GDPR, and other things.
And so that drove quite a bit of change on how are we managing privacy?
How are we doing that? We see PCI DSS
coming out with a new version that has requirements around things like your scripts,
JavaScript, and stuff like that. I think the biggest one I see coming is actually resiliency.
So we have DORA coming out of the EU, and this Resiliency Act is really going to, I think, kind of come into America the same way that privacy did.
We're going to start to see a lot of states looking at what do we expect for resiliency.
That's another place I would encourage everybody to start to prepare.
That's Dave Bittner sitting down with Steve Winterfeld from Akamai.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and
insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is me,
with original music by Elliott Peltzman. The show is written by our editorial staff.
Our executive editor is Peter Kilpe,
and I'm Tré Hester, filling in for Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.