By the CyberWire staff
At a glance.
- An open letter asks for a pause in advanced AI development.
- 3CXDesktopApp vulnerability and supply chain risk.
- The Vulkan papers.
- Other developments in the cyber phases of Russia's hybrid war against Ukraine.
- Threat actor movements observed and reported over the week.
- Latest trends and reports.
- Patch news.
- Crime and punishment.
- Courts and torts.
- Policies, procurements, and agency equities.
- Cybersecurity's latest business developments.
- Research developments this week.
An open letter asks for a pause in advanced AI development.
Elon Musk, Steve Wozniak, and Andrew Yang are among those who’ve signed an open letter urging a slowdown in the development of AI technology. The letter warns of the danger the signatories believe advanced AI poses to humanity. (Some critics disagree.)
The letter begins by asserting that “powerful AI systems should be developed only once we are confident that their effects will be positive and their risks will be manageable.” It calls for a pause of at least six months on the training of AI systems more powerful than GPT-4, and says the pause should be used to improve existing AI systems, making them “more accurate, safe, interpretable, transparent, robust, aligned, trustworthy, and loyal.” It also calls on AI developers to work with policymakers to implement regulation of AI. Dark Reading reports that even proponents of AI development, like the chief executive of OpenAI, share concerns about “AI's ability to both spread disinformation and launch cyberattacks.” For more on the letter (and its critics), see CyberWire Pro.
3CXDesktopApp vulnerability and supply chain risk.
A supply chain attack on enterprise phone company 3CX may have compromised thousands of business networks, the Record reported Thursday. SentinelOne, Sophos, and CrowdStrike have all published reports on the intrusion, and 3CX itself issued a warning Thursday morning. The company, which Bleeping Computer says provides services to organizations including Coca-Cola, Honda, and the UK's National Health Service, confirmed Thursday that its desktop app had contained malware. The desktop app, TechCrunch reports, is used for voice and video calls. Security Week reports that 3CX's chief information security officer, Pierre Jourdan, said the intrusion could be the work of a state-sponsored advanced persistent threat (APT). CrowdStrike confirmed activity on both Windows and macOS and found that the malware had been notarized by Apple, which the outlet says “indicates that the tech giant checked it for malicious elements and failed to find any.” That no longer appears to be the case, as users now see a warning before the app installs. The approximately 400MB Mac application was confirmed by Wardle to contain suspicious activity, the outlet reports. TechCrunch notes that the Linux, iOS, and Android versions of the app still appear unaffected at this time. For more on the 3CX incident, including industry comment, see CyberWire Pro.
The Vulkan papers.
NTC Vulkan, a Moscow-based IT consultancy, has been exposed as a major contractor to all three of the principal Russian intelligence services: the GRU, the SVR, and the FSB. Vulkan's specialty is the development of tools for cyberattack. Der Spiegel, one of a group of media outlets that broke the story, sources it to a major leak. The Vulkan papers reveal that the company supports a full range of offensive cyber operations. Its services and products extend to espionage, disinformation, and disruptive attacks intended to sabotage infrastructure, and the company also trains its customers in the security and intelligence organs. The Washington Post, another recipient of the leaks, ascribes them to a disaffected insider motivated by opposition to Mr. Putin's war against Ukraine. The Post reports that "an anonymous person provided the documents from the contractor, NTC Vulkan, to a German reporter after expressing outrage about Russia’s attack on Ukraine.” Taken as a whole, the documents show that Russia is devoting considerable attention to cyber battlespace preparation.
Other developments in the cyber phases of Russia's hybrid war against Ukraine.
Rostec, a Russian state-owned defense conglomerate, is reported to have developed a way of de-anonymizing Telegram channels, BleepingComputer reports. The capability is expected to be delivered to the FSB and other security organs this year. In the account by the dissident Russian outlet The Bell, the effort amounts to a heavy-handed campaign designed to align Telegram feeds with the government line.
NoName057(16), a Russian hacktivist auxiliary, claims to have conducted a distributed denial-of-service attack against a website belonging to France's National Assembly. Privacy Affairs reports that the site went down early Monday morning and remained unavailable into the afternoon. The site is now back online.
The State Service of Special Communications and Information Protection of Ukraine Monday tweeted an appreciation of how Russian cyberattacks have progressed during Russia's war. Local government has eclipsed the defense industry as the second most targeted sector. There's also been a shift toward espionage as opposed to disruption, and infrastructure remains a favored target set.
Barron's reviews industry consensus that "Russia's cyberwar on Ukraine largely failed and Moscow is increasingly targeting Kyiv's European allies."
Thales's Cyber Threat Intelligence Team is the latest industry source to discern a change in Russian cyber operations. With Ukraine having proved a hard target, and cyberattacks there having been largely supplanted by kinetic strikes, Russian operators are increasingly focused on hitting Western Europe. The Baltic and Nordic countries, along with Poland, have been singled out for special attention, as have smaller states that are candidates for full EU integration, such as Montenegro and Moldova.
Ukraine's Defense Ministry said this week that Russia has declared online piracy patriotic. "The word 'pirate' is now rehabilitated in russia," the Ministry tweeted (lowercasing the word "Russia" as has become common in official Ukrainian communications). "Deputy Chairman of the Security Council Medvedev & Putin's spokesman Peskov urged russians to download Western movies, music and programs from pirate sites. No need to be shy, just add the skull and bones to the tricolor."
The Voice of America reviews more comments from Ukrainian officials and experts in allied countries to the effect that Russian cyber operations seem to be rising as Russian offensives fall short. Russia is preparing for a long war. Its intelligence services are working to establish persistence in adversary networks, its hacktivist and criminal auxiliaries are taking the fight to Ukraine's Western sympathizers, and its attempts to influence opinion continue unabated, both domestically and internationally.
The CyberWire's continuing coverage of Russia's war against Ukraine, with focus especially on the war's cyber phases, may be found here.
Threat actor movements observed and reported over the week.
Proofpoint Monday morning released a report describing three strains of the IcedID banking malware, in use by several distinct threat actors. The classic, Standard IcedID variant is the one most clearly adapted to traditional banking attacks. The Lite and Forked variants have seen removal of the components typically found in banking malware, which suggests to the researchers that IcedID is evolving away from its traditional uses, and is becoming a loader for follow-on infections. Such follow-on attacks are likely to include ransomware.
Bleeping Computer Sunday morning reported that researchers at Malwarebytes and Palo Alto Networks’ Unit 42 have observed an Emotet phishing campaign targeting US taxpayers with emails carrying bogus W-9 tax forms as attachments, the phishing email claiming to come from an “Inspector” at the Internal Revenue Service. Brad Duncan of Unit 42 observed that this campaign used Microsoft OneNote documents with embedded VBScript files that drop and install Emotet. Once running on the device, Emotet awaits further payloads and harvests credentials.
In its latest campaign, the Bitter APT sent spearphishing emails posing as the Embassy of Kyrgyzstan to target individuals working in China’s nuclear energy industry: “The email subject and body use terms and themes that would be familiar with the recipients in governmental and energy sectors, such as International Atomic Energy Agency (IAEA), China Institute of International Studies (CIIS), strategic alliances, and nuclear doctrines.”
SentinelOne describes “AlienFox,” a toolset designed to steal credentials and API keys from at least eighteen cloud service providers. The toolset is being sold over Telegram, and is under active development. AlienFox opportunistically targets misconfigured web servers hosting web frameworks such as Opencart, Prestashop, and WordPress, among others. The toolkit will then dump the server’s configuration files and extract cloud API keys and secrets. For more on this commodity criminal tool, see CyberWire Pro.
Latest trends and reports.
Immersive Labs Tuesday morning released its study, “Cyber Leaders Need A More Effective Approach to Building and Proving Resilience.” The study surveyed decision makers in cybersecurity about the state of their organization’s cyber resilience. The responses indicated that 82% of respondents believe they could have mitigated some or all of the damage of the most significant cyber incidents they sustained if they had been better prepared. Senior leadership is also putting pressure on cyber teams, as 84% of respondents feel increasing pressure to be prepared for impending cyber attacks. Only 32% of respondents believe that there actually is an implementable strategy for cyber resilience within their organization. For more on Immersive Labs' study, including recommendations for improving resilience, see CyberWire Pro.
Code42 Tuesday released its 2023 Annual Data Exposure Report, discussing the complex nature of addressing insider risk, or, the threat of someone within an organization using their access to do harm to the company, either maliciously or otherwise. Most CISOs who responded see the insider risk as a problem in their organization. It's also difficult to detect data loss to insiders. Despite the use of a multitude of tools to protect against insider threats, 75% of CISOs note that detection of data loss from within their company is difficult, with 27% saying that it is, in fact, the most difficult threat, above cloud data exposure and malware. For more on Code42's survey, see CyberWire Pro.
Cofense has published its 2023 Annual State of Email Security Report, finding that the vast majority of phishing attacks in 2022 were focused on credential theft. The company observed a 478% increase in credential harvesting phishing attacks last year. The two most common themes in phishing lures were notifications and finance.
Outpost24’s KrakenLabs describes how “traffers” fit into the criminal ecosystem. Traffers are cybercriminal gangs focused on stealing and selling credentials. The criminals hide infostealing malware in cracked software products and distribute it via social engineering. The researchers explain, “To spread the malware as far and wide as possible, they have formed an industry-like structure of product and service providers, as well as dedicated marketplaces, in the form of Telegram channels, to facilitate the sale of those credentials.”
BleepingComputer reports that researchers from Northeastern University and imec-DistriNet, KU Leuven have discovered a flaw in the IEEE 802.11 WiFi protocol standard that can allow an attacker to access WiFi frames in plaintext. The researchers were able to exploit a flaw in the WiFi protocol’s power-saving features, which queues frames that are sent to sleeping devices.
Akamai blogged about cybersquatting, the registration of a domain name closely resembling an impersonated brand's or organization’s domain. One of the more effective forms of cybersquatting has come to be “combosquatting,” which adds a plausible keyword to a brand's domain name. A careless recipient of the link, even one trained to look at domains, might well decide it looks legitimate and click through. Combosquatting was the most observed cybersquatting tactic in 2022, and it also generated the most DNS queries.
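As an added illustration of the combosquatting pattern Akamai describes (this is not code from Akamai or the CyberWire), a small Python detector that flags brand-plus-keyword registrable domains in DNS query logs and counts how often each is queried; the brand allowlist, the suffix list, and the dnsmasq-style log lines are all constructed assumptions.

```python
"""Flag combosquatting candidates in DNS query logs (constructed example)."""
import re
from collections import Counter

# Constructed allowlist: brand keyword -> legitimate registrable domains.
BRANDS = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com"},
}

# Suffixes under which the registrable domain is three labels deep.
# Assumption: a real deployment would use the full public suffix list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Constructed sample of dnsmasq-style query log lines.
SAMPLE_LOG = """\
Mar 30 10:01:02 dnsmasq[512]: query[A] www.paypal.com from 10.0.0.5
Mar 30 10:01:07 dnsmasq[512]: query[A] paypal-secure-login.com from 10.0.0.5
Mar 30 10:01:09 dnsmasq[512]: query[A] paypal-secure-login.com from 10.0.0.9
Mar 30 10:02:11 dnsmasq[512]: query[A] login.microsoftonline.com from 10.0.0.7
Mar 30 10:02:40 dnsmasq[512]: query[A] microsoft-account-verify.co.uk from 10.0.0.7
Mar 30 10:03:01 dnsmasq[512]: query[A] example.org from 10.0.0.5
"""

QUERY_RE = re.compile(r"query\[[A-Z]+\] (?P<qname>\S+) from")


def registrable_domain(qname):
    """Reduce a query name to its registrable domain (brand-level label + suffix)."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(qname):
    """Return (brand, extra_tokens) when qname looks like a combosquat, else None.

    A combosquat is a registrable label that contains a protected brand plus
    additional keyword tokens ("secure", "login", ...).  A bare brand under a
    different TLD (paypal.net) yields no extra tokens and is not flagged here.
    """
    reg = registrable_domain(qname)
    sld = reg.split(".")[0]
    for brand, legit in BRANDS.items():
        if reg in legit:
            return None  # the brand's own domain, whatever the subdomain
        if brand in sld:
            remainder = sld.replace(brand, "", 1)
            extras = [t for t in re.split(r"[-_0-9]+", remainder) if t]
            if extras:
                return brand, extras
    return None


def scan(log_text):
    """Count combosquat queries per registrable domain across a log."""
    hits = Counter()
    detail = {}
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        result = classify(m.group("qname"))
        if result:
            reg = registrable_domain(m.group("qname"))
            hits[reg] += 1
            detail[reg] = result
    return {d: {"queries": n, "brand": detail[d][0], "extra_tokens": detail[d][1]}
            for d, n in hits.items()}
```

Query counts per flagged domain are the useful triage signal: the more endpoints resolving the same brand-plus-keyword name, the more likely a phishing link is circulating internally.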
Researchers at Orca Security discovered a Cross-Site Scripting (XSS) vulnerability affecting Azure Service Fabric Explorer (SFX). The vulnerability, which Orca calls “Super FabriXss,” can allow “remote attackers to leverage an XSS vulnerability to achieve remote code execution on a container hosted on a Service Fabric node without the need for authentication.” Microsoft issued a patch for the flaw in its March 2023 Patch Tuesday fixes. Organizations that have updated Service Fabric Explorer to the latest version are protected against this vulnerability. For more on the vulnerability in SFX, see CyberWire Pro.
Crime and punishment.
The Record last Friday reported that the United Kingdom's National Crime Agency (NCA) disclosed secretly running fake DDoS-for-hire sites to collect data from those involved in cybercrime. Those who registered for the fake sites would not be given access to attack tools. Instead, their data would be taken by investigators. PCMag reports that the sites are designed in a way to collect any user data, which would then be relayed to appropriate law enforcement. That includes international law enforcement authorities if the sites were accessed from outside the UK.
Russia's FSB has arrested US journalist Evan Gershkovich, a reporter for the Wall Street Journal who works from the paper's Moscow bureau, the AP reports. He was taken into custody in Ekaterinburg in the course, the FSB claims, of trying to obtain classified documents. The Wall Street Journal said of the arrest, “The Wall Street Journal vehemently denies the allegations from the FSB and seeks the immediate release of our trusted and dedicated reporter, Evan Gershkovich. We stand in solidarity with Evan and his family.”
As we noted last week, Conor Brian Fitzpatrick, aka "Pompompurin," owner and administrator of the cybercriminal marketplace BreachForums, was arrested by the US Federal Bureau of Investigation (FBI) on March 15. The FBI and the Department of Health and Human Services Office of Inspector General also conducted a disruption operation that resulted in the shutdown of the site. In connection with his activities on BreachForums, Fitzpatrick was charged with one count of conspiracy to solicit individuals with the purpose of selling unauthorized access devices and could serve a maximum sentence of five years in prison if convicted.
The Department of Justice reports that Fitzpatrick made his first appearance in court on Friday in the Eastern District of Virginia. With 340,000 members at the time of the arrest, BreachForums supported the sale of stolen data including bank account information, login credentials, social security numbers, and other personally identifying information, as well as hacking tools, breached databases, and services for gaining unauthorized access to victim systems. The Hill notes that the marketplace has been linked to breaches affecting millions of citizens, including lawmakers. The Record by Recorded Future adds that the FBI was able to determine that Fitzpatrick was the man behind the pompompurin account by using IP address data obtained from Verizon, Google, and Apple.
Courts and torts.
Earlier this week a Washington, DC Circuit Court judge determined that three data breach lawsuits filed against CareFirst will not be consolidated into a class action. After a phishing scam duped a CareFirst employee into handing over his credentials, the health insurance giant experienced a 2014 cyberattack that potentially exposed the data of 1.1 million patients, SC Media recounts. The lawsuits claim that “CareFirst committed a host of errors that allowed the hackers to access the company’s data and remain undetected for a prolonged period of time, including failing to reset passwords on certain company accounts, disable local administrator accounts, perform a password reset… install two-factor authentication,” among other accusations. The judge, however, declined to consolidate the cases, stating that “it would impermissibly sweep” individuals into the suit who have not experienced actual harm.
The city of Oakland, located in the US state of California, experienced a ransomware attack last month, and now the Oakland Police Officers' Association is threatening to file a lawsuit over what they feel was lack of response and transparency from the city. As KTVU FOX 2 explains, data belonging to several dozen police officers, as well as other city employees, were exposed in the breach, and police union officials say they’ve been left in the dark about the impact of the attack and what steps the city has taken to prevent it from happening again. Oakland Police Officers' Association President Barry Donelan said in a statement, "Oakland city leaders talk about accountability, yet there has been zero accountability and a deafening silence for the safety and financial security of the city's valued employees." Meanwhile, ABC7 News reports that the Federal Bureau of Investigation is still conducting negotiations with the hackers, and the police union alleges that Mayor Sheng Thao and the interim city administrator are withholding information from the victims. Donelan says six weeks after the attack he received an email from the city informing him that he, as a victim of the attack, was eligible for free credit reporting, but it was little help. "When you call the phone number they gave us, it responds back to all of us saying all your information has been compromised, that's it," Donelan explained.
Policies, procurements, and agency equities.
The FBI has issued an alert warning that criminals are launching business email compromise (BEC) attacks to acquire physical goods in bulk. The targeted goods include construction materials, agricultural supplies, computer technology hardware, and solar energy products.
The Bureau states, “To further delay the discovery of the fraud, criminal actors apply and are often granted credit repayment terms known as Net-30 and Net-60 terms, providing fake credit references and fraudulent W-9 forms to vendors. The repayment terms allow criminal actors to initiate additional purchase orders without providing upfront payment.”
Tom Tugendhat, the UK's minister of state for security, has published an op-ed in the Telegraph in which he extols the value of open-source intelligence (OSINT) and describes steps the Government is taking toward institutionalizing OSINT collection and analysis. The center of that push will be the establishment of an Open-Source Intelligence Hub.
Cybersecurity's latest business developments.
Rogers Cybersecure Catalyst Wednesday released its Catalyst Cyber Accelerator Report, which tracks the growth of 39 cybersecurity startups and scale-ups in Canada. All companies included in the report graduated from the Rogers Cybersecure Catalyst's Cyber Accelerator program within the past two years. The report found that the Canadian cybersecurity startup workforce grew collectively by 72%, creating 351 jobs. Participants also collectively raised CAD$100 million. In movements within the labor market, Accenture has announced that it is lowering its annual revenue and profit forecasts and cutting about 19,000 jobs, or 2.5% of its staff, Reuters reported. Those working in "non-billable corporate functions" are most likely to see the cuts, the outlet shared Thursday. For a look into this week's mergers, investments, and executive moves, check out this week's edition of the CyberWire Pro Business Briefing.
Research developments this week.
In research developments this week, activity has been observed in China, the Middle East, and North Korea. SentinelOne is tracking a Chinese cyberespionage campaign targeting telecommunication providers in the Middle East. The researchers believe with high confidence that the group behind this campaign is associated with the Chinese threat actors Gallium and APT41. Mandiant describes the activities of APT43, a North Korean threat actor that conducts cybercrime to fund its cyberespionage efforts. APT43 is also tracked as “Kimsuky” or “Thallium.” Mandiant says the threat actor uses “aggressive social engineering tactics” combined with “moderately sophisticated technical capabilities” to target “South Korean and U.S.-based government organizations, academics, and think tanks focused on Korean peninsula geopolitical issues.” And finally, Intezer says the Bitter APT is conducting cyberespionage against nuclear entities in China. Bitter is a South Asian cyberespionage actor known to target Pakistan, China, Bangladesh, and Saudi Arabia. For a deeper look into cybersecurity research news, check out this week's edition of the CyberWire Pro Research Briefing.