CyberWire Daily - Uniting against APT40.
Episode Date: July 9, 2024
The UK’s NCSC highlights evolving cyberattack techniques used by Chinese state-sponsored actors. A severe cyberattack targets Frankfurt University of Applied Sciences. Russian government agencies fall under the spell of CloudSorcerer. CISA looks to Hipcheck Open Source security vulnerabilities. Avast decrypts DoNex ransomware. Neiman Marcus data breach exposes over 31 million customers. Lookout spots GuardZoo spyware. Cybersecurity funding surges. Our guest is Caroline Wong, Chief Strategy Officer at Cobalt, to discuss the state of pentesting and adapting to the impact of AI in cybersecurity. Scalpers Outsmart Ticketmaster’s Rotating Barcodes.
Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
On our Industry Voices segment, Dave Bittner is joined by Caroline Wong, Chief Strategy Officer at Cobalt, to discuss the state of pentesting and adapting to the impact of AI in cybersecurity. You can learn more about the state of pentesting from Cobalt’s State of Pentesting 2024 report here.
Selected Reading
The NCSC and partners issue alert about evolving techniques used by China state-sponsored cyber attacks (NCSC)
‘Serious hacker attack’ forces Frankfurt university to shut down IT systems (The Record)
New group exploits public cloud services to spy on Russian agencies, Kaspersky says (The Record)
Continued Progress Towards a Secure Open Source Ecosystem (CISA)
Decrypted: DoNex Ransomware and its Predecessors (Avast Threat Labs)
Neiman Marcus data breach: 31 million email addresses found exposed (Bleeping Computer)
GuardZoo spyware used by Houthis to target military personnel (Help Net Security)
Cybersecurity Funding Surges in Q2 2024: Pinpoint Search Group Report Highlights Year-Over-Year Growth (Pinpoint Search Group)
Scalpers Work With Hackers to Liberate Ticketmaster's ‘Non-Transferable’ Tickets (404 Media)
Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
The UK's NCSC highlights evolving cyber attack techniques used by Chinese state-sponsored actors.
A severe cyber attack targets Frankfurt University of Applied Sciences.
Russian government agencies fall under the spell of CloudSorcerer.
CISA looks to Hipcheck open-source security vulnerabilities.
Avast decrypts DoNex ransomware.
Neiman Marcus data breach exposes over 31 million customers.
Lookout spots GuardZoo spyware.
Cybersecurity funding surges.
Our guest is Caroline Wong, chief strategy officer at Cobalt,
to discuss the state of pen testing and adapting to the impact of AI in cybersecurity.
And scalpers outsmart Ticketmaster's rotating barcodes.
It's Tuesday, July 9th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thanks for joining us. As always, it is great to have you here with us.
The UK's National Cyber Security Centre, alongside partners including Australia's ASD and the US's
CISA, issued an advisory on APT40, a Chinese state-sponsored cyber group. APT40 targets
entities in various countries exploiting network vulnerabilities and public-facing applications.
They use advanced techniques like rapid deployment of exploits for newly discovered vulnerabilities,
reconnaissance, and web shells for persistent access.
The advisory includes case studies highlighting their methods, such as credential harvesting and network scanning.
Organizations are advised to implement stringent security measures like prompt patching,
multi-factor authentication, and network segmentation to mitigate these threats.
Frankfurt University of Applied Sciences experienced a severe cyber attack
leading to a complete shutdown of its IT systems.
The attack, which occurred on Saturday
evening, compromised parts of the university's infrastructure despite high security measures.
The incident has been reported to the police and relevant authorities. External access and
some services have been disabled, affecting communications and safety systems like elevators.
The extent of the damage is still unknown,
and it's unclear when systems will be fully restored.
On-site courses continue,
but online enrollment and external communications are currently unavailable.
Researchers at Kaspersky Lab have identified a new hacker group,
CloudSorcerer, using advanced cyber espionage tools to target Russian government agencies. First observed in May, CloudSorcerer's
techniques are similar to CloudWizard, but utilize unique malware, indicating a new threat actor.
Their custom malware leverages GitHub for command and control and services like Yandex Cloud and Dropbox for data collection.
The malware's modular structure allows for various independent tasks
such as data exfiltration and system manipulation.
The initial access method remains unclear,
but overlaps with activity tracked by Proofpoint,
which observed related attacks on a U.S. organization.
In March, CISA held its inaugural Open Source Software Security Summit to enhance OSS security.
The event featured OSS leaders and a tabletop exercise to collaboratively respond to a hypothetical vulnerability in critical OSS.
Now, an article by Aeva Black,
Section Chief for Open Source Software Security at CISA,
focuses on increasing visibility into OSS usage and risks,
vital for federal agencies and critical infrastructure.
The agency is developing a framework to assess OSS trustworthiness,
considering project activity,
product vulnerabilities, protection measures, and policies. To scale this effort, CISA is funding a tool called Hipcheck for automating these assessments. This initiative aims to fortify
OSS security through transparency, collaboration, and proactive security principles.
By promoting the Secure by Design campaign and encouraging early and consistent security practices,
CISA seeks to prevent exploitation of OSS by malicious actors.
The collective effort of the cybersecurity and OSS communities is crucial for maintaining a robust and secure open-source ecosystem,
ultimately benefiting federal agencies, critical infrastructure, and the public.
Researchers at Avast discovered a cryptographic flaw in DoNex ransomware,
allowing them to provide a decryptor to victims since March of this year.
Announced at Recon 2024, the flaw had been kept secret for operational security.
DoNex, initially called Muse, evolved through several rebrands before stabilizing in April.
The ransomware targets the U.S., Italy, and the Netherlands and uses advanced encryption methods.
Avast's decryptor leverages the identified flaw
to help victims recover their files without paying the ransom.
The decryption process requires providing an original and an encrypted file for reference.
Retailer Neiman Marcus disclosed a May 2024 data breach
exposing over 31 million customer email addresses,
according to an analysis by Troy Hunt of Have I Been Pwned? Initially reported to affect just over 64,000 people,
the breach also compromised names, contact info, birthdates, gift card info, partial credit card
numbers, social security numbers, and employee IDs. The breach was linked to the Snowflake data theft attacks with data sold on hacking forums.
A joint investigation revealed the attack targeted organizations without multi-factor authentication on Snowflake accounts.
Researchers at Lookout have identified GuardZoo, an Android spyware targeting Middle Eastern military personnel through apps with military and religious themes.
The spyware is linked to a Houthi-aligned threat actor and primarily affects victims in Yemen, Saudi Arabia, Egypt, Oman, the UAE, Qatar, and Turkey.
GuardZoo, derived from the Dendroid RAT,
can act as a conduit to download additional malware,
posing significant risks.
Recent samples disguise as apps like Constitution of the Armed Forces,
exposing sensitive military documents.
This advanced surveillanceware poses a growing threat,
emphasizing the need for heightened security measures.
Pinpoint Search Group has published research analyzing cybersecurity vendor funding.
In the second quarter of this year, the cybersecurity vendor landscape saw significant financial activity,
with a total of $4.3 billion raised over 92 funding rounds and 33 acquisitions.
Key acquisitions included Cisco's purchase of Armor Blocks and Talus acquiring Tesserant.
Notable funding rounds involved companies like Digg Security, which raised $100 million,
and Syera, securing $300 million.
The report highlights a mix of seed and late-stage investments,
reflecting a growing interest in sectors like AppSec, Threat Intel, and data security.
Examples include Sequoia raising $37.5 million in XDR
and Blackpoint Cyber's $190 million for detection and response.
Overall, the quarter underscores robust investor confidence in cybersecurity startups and established vendors,
driven by increasing cyber threats and the need for advanced security solutions.
Coming up after the break, my conversation with Caroline Wong, Chief Strategy Officer at Cobalt.
We're discussing the state of pen testing and adapting to the impact of AI in cybersecurity.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies
like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001. They also centralize key workflows
like policies, access reviews, and reporting
and help you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
On today's sponsored Industry Voices segment, my conversation with Caroline Wong, Chief Strategy Officer at Cobalt.
We're discussing the state of pen testing and adapting to the impact of AI in cybersecurity.
You know, one of the things that is so fun for me to talk about when it comes to artificial intelligence and cybersecurity
is that there are all these different ways
in which they interact with one another.
So AI systems themselves
can be thought of as targets or assets
for conducting security testing,
including manual penetration testing.
Now, when I think about this model that
we have of the good people, quote unquote, and the bad people, which might be more accurately
characterized as people who build, operate, and maintain software and intend for that software
to work in a certain way, and then other people whose objective is to abuse or
misuse software, to get software to work in unintended ways, then we also see that artificial
intelligence can help both parties. If I'm a malicious threat actor, I can use artificial intelligence to make my attacks faster and smarter and better.
Now, at Cobalt, we are lucky to have a front seat in terms of what's going on with artificial intelligence systems and pen testing in particular.
Having conducted several manual pentests on artificial intelligence systems in the years 2022 and 2023, we actually have data that shows what the top common security
vulnerabilities are that are found in these models. And perhaps it's no surprise that these are three categories in the OWASP top 10 for LLMs, which is at this moment a bit of a work in progress.
But it's exciting to see these things actually being found in real life, in live systems, in the wild, if you will.
Well, let's dig in there. I mean, what are the findings that you all are seeing coming up here?
Yeah, so the number one, two, and three vulnerability types that were the most
commonly found during Cobalt pen tests for artificial intelligence systems include, number
one, prompt injection, including jailbreak; number two, denial of service; and number three,
prompt leaking or sensitive information disclosure.
Can we go into each one of those kind of one by one and how they apply here and the implications?
I would love to. So first, let's talk about prompt injection. So injection, of course,
is a theme when it comes to security vulnerabilities that we've known a lot about
for a long, long time. SQL injection, you know, other types of injection. The idea here, of course,
is that any AI system operates with an LLM, a large language model. And this really
has to do with the component of information security, which has to do with both confidentiality
as well as integrity. So to the extent that a user should only be able to access certain data bits in the LLM,
prompt injection may allow an attacker to
access more information than a user is supposed to,
based on their role.
The other, I think,
even more significant impact that we see here is that if
an attacker can use prompt injection
to actually change, modify, add, or delete data to an LLM,
then that, of course, is a massive integrity violation,
which is very interesting.
And I think that naturally,
if an attacker is able to change the content within an LLM, then that will naturally have an impact on the results or the output of any queries to that AI system.
Yeah, I mean, that's fascinating, given how we hear time and time again how these systems are kind of black boxes.
Let's move on to the model denial of service.
What are we talking about here?
Yeah, so this is simply, can the intended users access the system?
Is it working when you try to use it?
And I think one of the things that we know about these systems is that they have and require an enormous amount not only of data, but also processing power. And so the ability for an attacker to come in and sort of muck up the system,
you know, get it to slow down, get it to not work so that the users for whom it's intended
are unable either to access or get it to work, that is certainly an availability problem.
You know, again, when we're talking about that CIA triad.
So not so dissimilar from any of our more commonly known, you know, network denial of service,
application denial of service. You know, I can't help but think about when my young son grabs my
iPhone and tries the wrong passcode too many times. You know, he basically DoSes me out of my phone,
depending on how quickly I can wrestle it out of his hands, because it's intended to prevent,
you know, password guessing.
Yeah, yeah. Guess I won't be checking Facebook for the next hour.
Or Slack.
Right. Well, yeah, you know, you got the good and the bad, right?
So, well, let's talk about prompt leakage then. What does that entail?
Yeah. So this one, prompt leaking, also called sensitive information disclosure.
You know, this is what folks classically think of when it comes to any sort of vulnerability, security vulnerability,
the LLM may actually provide confidential data,
which it is not supposed to provide.
So we're talking things like unauthorized access,
privacy violations, your classic security breaches.
Naturally, this is very highly associated with the C in the CIA triad.
And this is, I think, for our pen testers,
one of the most interesting and exciting
security vulnerabilities to get to work.
And in fact, they are getting it to work.
I think there's this inherent tension
that a lot of folks find themselves
dealing with these days,
which is that there's no denying
the power of these tools and the
utility of these tools. And so I think folks feel as though they have to implement them,
they have to allow them in order to keep up with their competition or give their employees the
tools that they need or desire to do their work, how do you reconcile that against properly securing
the organization when this is so new, when there's so many unknowns here?
What a great question.
I think that it is important for an organization to take a formal stance on how employees are
expected to use or not use AI sort of within the corporate boundaries.
You know, one example at Cobalt is we actually have an internal private instance, which employees
are encouraged to use, you know, for all of their purposes. You know, but naturally, we don't want folks, you know,
no organization is going to want folks to be putting their code or any of their company
IP out onto any of these public models.
You know, I think that one of the things that I would encourage for listeners is simply
to try this stuff out.
Just try it out as a user. What I encourage is for folks
to really have a little bit of fun with some of these consumer-facing applications because
in the workplace, you know, the use cases really ought to be defined at a policy level by the
employer. As consumers, as technologists, I think it's just a really fun
place to be right now. And we have an opportunity just to play around with it and learn about it
that way.
Yeah. You know, looking at this year's state of pen testing report, one of the things
that struck me was how both the number of findings are increasing, but also the time to resolve findings are increasing.
I'm wondering what insights do you gather from that data?
Yeah, so one of the things that we're really proud of at Cobalt is that our offensive security platform,
having established PtaaS, pen testing as a service for many years now,
we've always been quite interested not only in helping our customers to find security vulnerabilities
in their applications, networks, devices, what have you,
but we're also really interested in helping organizations get those things fixed.
And that is actually an entirely different business process. Primarily,
security folks are going to be your pen test or offensive security buyers, when it's really
developers who are going to be performing the remediation. And so Cobalt really strives to
provide easy workflows for those different stakeholder groups to work effectively together.
Now, one of the things that we have been able to observe is that in the past few years, and the report contains
data from 2021, 2022, 2023, we are actually finding that the median time to fix is increasing.
And this is worrisome. This does pose more risk to organizations. And it's unfortunately not surprising. In addition to the pen test data that we always use for our state of
pen testing reports, this year is actually our sixth installment, we also do a survey. And we survey nearly 1,000 global information
security professionals. And we're finding that in 2024, folks are still seeing budget cuts and
reductions in headcount on security teams. And one of the areas that is really being impacted is remediation of security vulnerabilities.
Wow.
Before I let you go, in the time we have left here together, I want to touch on offensive security and organizations putting together strategies for their offensive security.
But then also, how can AI fit into that?
Yeah. So, you know, I wanted to start with sort of a very basic description, offensive versus defensive security. Defensive security
is offense. Offensive security is really about the attacker mindset. And I really think that in a time where resources, budget, and time are scarce,
looking at what our applications, what our networks, what our devices might look like
from an attacker's point of view is really going to help organizations to focus those very limited
time and resources. One of the exciting engagements that we've launched this
year is called Digital Risk Assessment. And this is really an OSINT, open source threat
intelligence type of exercise that says, hey, Pentester, take a look at this organization and
tell me what can you find out about it publicly? Because naturally, any attacker who's going to go and hack an organization,
that's the very first thing that they're going to do. And depending on what they find,
it's going to affect the steps that they choose to take. And so we really encourage our customers
to be informed as they can in terms of what their targets, what their applications, what their
systems are going to look like from the viewpoint of an attacker.
That's Caroline Wong, Chief Strategy Officer at Cobalt. You can learn more about the state of pen testing from Cobalt's
State of Pen Testing 2024 report. We'll have a link in the show notes.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to
partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker
is a full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today
to see how a default-deny approach
can keep your company safe and compliant.
And finally, a report from 404 Media
describes a lawsuit by online event ticketing company AXS,
which reveals that ticket scalpers have found ways to circumvent anti-scalping measures put in place by platforms like Ticketmaster and AXS.
By reverse engineering the ticket generation methods, scalpers can create genuine entry barcodes on their own infrastructure,
effectively bypassing the untransferable restrictions.
This allows them to sell and transfer these tickets, potentially undermining the security measures intended to prevent scalping.
AXS accuses the scalpers of hacking and creating counterfeit tickets, although the tickets are often legitimate and scan correctly at events. Security researchers demonstrated how
these barcodes, which rotate every few seconds for security, can be recreated if a token is
extracted from the Ticketmaster app. This process has allowed scalpers to sell tickets through secondary markets like StubHub and SeatGeek
using services such as Secure.Tickets and VerifiedTicket.com,
which operate in the shadows with little online presence.
Fans can be left confused and concerned
about the legitimacy of their purchases,
but these methods usually result
in valid tickets. Despite the efforts of Ticketmaster and AXS to control and restrict
ticket transfers, scalpers have consistently found ways to exploit the systems, raising
questions about the efficacy of current security measures and the ongoing battle between ticket platforms and scalpers.
Ah, Ticketmaster. Seems their security is as transparent as their fees.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector,
from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people.
We make you smarter about your teams while making your teams smarter.
Learn how at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilby is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.