The CyberWire Daily Podcast 1.17.23
Ep 1740 | 1.17.23

Phishing campaigns (one uses mobilization as phishbait). Credential-stuffing attack affects NortonLifeLock users. Trends in security. Azure SSRF issues fixed. Calls for a “digital UN.”

Transcript

Dave Bittner: A phishing campaign impersonates DHL. Conscription and mobilization provide criminals with phishbait for Russian victims. NortonLifeLock advises customers that their accounts may have been compromised. Trends in data protection. Veracode's report on the state of software application security. Ben Yelin looks at NSO Group's attempt at state sovereignty. Ann Johnson from "Afternoon Cyber Tea" speaks with Microsoft's Chris Young about the importance of the security ecosystem. And Ukraine calls for a digital United Nations.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, January 17, 2023. 

Dave Bittner: Happy Tuesday, everyone. Good to have you along with us here again today. 

Phishing campaign impersonates DHL.

Dave Bittner: Armorblox describes a phishing campaign that's using phony shipping invoices that purport to come from DHL. The campaign targeted an organization in the education sector with more than 100,000 emails. The phish hook in the email is contained in an Excel document which, when opened, will display a blurred-out preview of an invoice. The user will then be asked to enter their Microsoft account login credentials in order to view the invoice. The researchers note that the emails were able to bypass email security filters since they don't contain any malicious links. The general approach is familiar. First, impersonate a well-known and trusted brand using a convincing copy of that brand's logo and other branding elements. Second, use a single, simple call to action that's likely to involve something the recipient will care about - payment issues, account suspension or, in this case, getting that parcel you were expecting. 

Conscription and mobilization provide criminals with phishbait for Russian victims.

Dave Bittner: It's easy, as the world watches Russia's hybrid war in Ukraine and, in the narrower cyber phases of that war, sees the contribution criminal gangs are making as auxiliaries of Russia's intelligence and security services, to forget that more ordinary cyber crime persists. And moreover, Russians themselves can also be its victims. TASS reports, citing information provided by Kaspersky, that criminals are using Russian mobilization and conscription plans as an occasion for social engineering attacks against Russian victims. The goal appears to be theft of Telegram accounts. The report states, scammers steal Telegram user accounts using a phishing mailing list with an offer to get acquainted with a fake list of people who will allegedly be sent for mobilization on February 1 through 3, 2023, the channel specifies. If the mark follows the link, they'll be directed to a credential theft site. As Meduza's coverage in its English-language edition suggests, the emotions being exploited are anxiety, worry and fear. The phishing messages promise to send you to a site that will let you know whether you or a loved one is on the list of those scheduled to be summoned for military service next month.

NortonLifeLock advises customers that their accounts may have been compromised.

Dave Bittner: NortonLifeLock's corporate parent, Gen Digital, has warned some customers that their accounts may have been compromised. BleepingComputer quotes Gen Digital's letter to customers as saying, our own systems were not compromised. However, we strongly believe that an unauthorized third party knows and has utilized your username and password for your account. The incident appears to have been the result of a credential-stuffing campaign detected in mid-December, when an unusually large volume of failed logins was detected on the 12th. NortonLifeLock warns, in accessing your account with your username and password, the unauthorized third party may have viewed your first name, last name, phone number and mailing address.

Dave Bittner: In a Saturday update provided to BleepingComputer, Gen Digital said it was alerting customers to suspicious login attempts and helping them secure their accounts, stating Gen's family of brands offers products and services to approximately 500 million users. We have secured 925,000 inactive and active accounts that may have been targeted by credential-stuffing attacks. This is the second incident involving identity and access management services to come to light this month, the first being issues affecting LastPass users. The benefits of using a password manager remain, but they're not a panacea, and they have to be used with proper care. 

Trends in data protection.

Dave Bittner: Secure backup and recovery provider Veeam released their 2023 Data Protection Trends this morning, which surveyed 4,200 IT professionals on data-protection drivers, challenges and strategies. Hybrid IT remains common - balancing physical servers in data centers and cloud-hosted servers. Ransomware has been a pervasive issue that will continue steadily into 2023. And increasingly, data security is cloud security. Cloud dependence continues to grow, with 80% anticipating the use of backup as a service or disaster recovery as a service for server protection over the next two years. 

Orca describes, Microsoft fixes, four Azure SSRF issues.

Dave Bittner: Researchers at Orca Security discovered four server-side request forgery vulnerabilities affecting Microsoft Azure instances, two of which could be exploited without authentication. Microsoft has since patched the flaws. The affected services were Azure API Management, Azure Functions, Azure Machine Learning and Azure Digital Twins. All four of the flaws were nonblind SSRF vulnerabilities, which could allow an attacker to scan local ports, find new services, endpoints and files, providing valuable information on possibly vulnerable servers and services to exploit for initial entry, and the location of potential information to target. 

Veracode's report on the state of software application security.

Dave Bittner: Veracode has published a report on software application security, finding that 69% of applications have at least one OWASP Top 10 flaw. Around 4 out of 5 programs written in .NET and Java have at least one flaw, while just over half of JavaScript applications contain a flaw. 

Ukraine calls for a "digital United Nations."

Dave Bittner: Finally, Ukraine is calling for the formation of a digital United Nations. Yurii Shchyhol, who leads Ukraine's State Service of Special Communications and Information Protection, told POLITICO, we need this Cyber United Nations - nations united in cyberspace in order to protect ourselves - effectively protect our world for the future - the cyber world and our real, conventional world. What we really need in this situation is a hub or a venue where we can exchange information, support each other and interact. The goal of such an organization would be international threat-information sharing and preparation to withstand cyberattacks. 

Dave Bittner: The metaphor is probably wayward. The United Nations, after all, seeks to include all states, and the proposed organization would, of necessity, leave those who are bad actors out. And make no mistake about it, Russia - Ukraine is looking at you, and so are the members of NATO and any number of other countries. The proposal really represents more of a gesture in the direction of an alliance than it does a comprehensive global association. In any case, international threats would seem to call for some form of international cooperative defense.

Dave Bittner: Coming up after the break, Ben Yelin looks at NSO Group's attempt at state sovereignty. Ann Johnson from "Afternoon Cyber Tea" speaks with Microsoft's Chris Young about the importance of the security ecosystem. Stay with us. 

Dave Bittner: Microsoft's Ann Johnson is host of the "Afternoon Cyber Tea" podcast. And on a recent episode, she spoke with Microsoft's Chris Young about the importance of the security ecosystem. Here's part of that conversation. 

Ann Johnson: Speaking of partnerships, let's go to our core job - what you and I do daily. So you have this fairly large remit, where you think about business development. You're thinking about the company's strategy all up. And, of course, you lead, you know, the ventures team with Michelle Gonzalez. But I want to focus for just a minute about ecosystem and why you think ecosystem is important, even for a company like Microsoft. And why do you think it's so important for the security ecosystem to exist and help our customers and our partners? 

Chris Young: No company can solve all the problems themselves - you know, No. 1. I think - and that's true in any space. I think it's especially true in security. Like, nobody's got 100% of the solution, partially just because, you know, security is a living, breathing problem. It changes all the time. It changes faster, I'd argue, than other elements of the technology landscape. And that's one of the reasons why ecosystem work is super critical to security. Because as much as we can do at Microsoft - you know, we have a lot of great products and a lot of great solutions that we apply to helping our customers solve some of their thorniest cyber challenges, we don't cover the entire landscape, every use case, every platform, every threat mitigation technique. 

Chris Young: And so ecosystems are critically important because there are a lot of great companies out there that can help us cover the use cases that are most important to our customers. And therefore, the ecosystem creation and the orchestration of the ecosystem in ways that makes it come together in service of the customer's need, which is ultimately to deliver their business or deliver their outcomes in a secure, efficient, effective way - that's really what's most important. And as you point out, Ann, that's such a huge part of our role inside of Microsoft - is to be the orchestrator of these ecosystems, to bring companies together from outside of Microsoft with all the great people here inside of Microsoft who are trying to solve these problems on behalf of our customers and then to help our customers get the most out of the ecosystems themselves. It's hard - right? - because, you know, we all know some of the classic challenges that people face in cyber - you know, a lot of vendors, a lot of stitched-together solutions. You know, part of our goal in these ecosystem programs is to make it feel more seamless - to take some of the burden off of our customers so they don't have to do all the heavy lifting of bringing together some of the different solutions they need to ultimately solve their problems. 

Ann Johnson: So why is it your view that it's so important to have this vibrant security startup community? 

Chris Young: Startups are - they're the lifeblood, I think, of our industry. I think that's true in broader tech, and they're also - it's also true if you double-click down into cybersecurity. And the reason is they move us forward. Here's a good example. I talk about this - I used to talk about this all the time, which is, you know, if I think about just - take endpoint security. Until companies like Cylance and CrowdStrike came along, a lot of the endpoint security industry was - it was AV signature based. And in today's world, we've all moved on. Why? Because innovation happened. It didn't happen in the big companies. It happened in the startup landscape. It happened to be a bunch of McAfee alums that went out and did it. You could argue about, you know, the outcomes of the companies. You know, obviously, CrowdStrike has done really well. We don't see Cylance as much anymore. They're part of BlackBerry. But they push the industry forward in a unique way, and I think we're all better off for it. 

Dave Bittner: You can hear the rest of this conversation, along with all of the episodes of "Afternoon Cyber Tea," on our website, thecyberwire.com, or wherever you get your podcasts. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Welcome back, Ben. 

Ben Yelin: Thank you for having me, Dave. 

Dave Bittner: So - article over on the IEEE Spectrum website - and this is about a class-action suit that's being brought against GitHub Copilot and their parent company, Microsoft, about these claims that these AI engines are basically pirating open-source software. What do you make of this, Ben? 

Ben Yelin: So this is really fascinating. We have an issue here that I think is novel and extremely complicated. So Copilot, as probably most of our listeners would know, is an AI pair programmer for software developers. It suggests code in real time. But the input is, at least as alleged here, copyrighted material. Somebody has actually developed the code that goes into the system that leads to Copilot spitting out suggested code. This is open-source software as well. So obviously, the vision of open source is that anybody can use it and access it. But there are individuals - and that's the nature of this lawsuit - who think that their own creative work in developing these lines of code is being used without attribution. And eventually, if somebody uses the output from Copilot to make a profit, that's going to be a violation of our intellectual property laws. 

Ben Yelin: There's another side to this story, though, and I think that's best articulated by Kit Walsh, a staff attorney at the Electronic Frontier Foundation. And Kit argues that training Copilot on public repositories is fair use. Fair use allows for the analytical use of copyrighted work - so for academic purposes, for learning purposes. The question here is whether this counts as fair use under our intellectual property laws. What Kit is saying is that Copilot is ingesting code and creating associations in its own neural net about what tends to follow and appear in what contexts. 

Dave Bittner: Right. 

Ben Yelin: And that is sort of doing analytical - that's the equivalent of doing analytical work on somebody else's copyright-protected material. 

Dave Bittner: Yeah. 

Ben Yelin: Really, this could boil down to how much Copilot is reproducing from any given iota - any element of the training data that was used as input. And that's something that's somewhat metaphysical. We might not know exactly how much of the suggested code comes from a distinct piece of data that's somebody else's copyrighted work. So this is a really complicated issue. I'm not sure we're going to get a satisfying resolution for a long time. But I can understand why people who have poured their heart and mind into developing lines of code would be upset by it being used, potentially, to profit somebody else without attribution. 

Dave Bittner: Yeah. It strikes me that at the core of this is whether or not an AI system can express creativity. And is it - if you're able to input things, and it's able to come up with novel solutions based on inspiration from other people's work, to me, that's new work, as opposed to just cutting and pasting some lines of code. That seems pretty clear-cut to me. 

Ben Yelin: Right. 

Dave Bittner: If you find, you know, some code that you had put in your book about programming in whatever language, and the AI takes it and just pastes it in there and doesn't even change any of the variables, well, we've got an issue here. But if the AI is inspired by the code you write, I - as you say, that's a lot fuzzier in my mind. 

Ben Yelin: And can an AI even be inspired? Is that a thing? 

Dave Bittner: Right. 

Ben Yelin: Because, unlike us - you know, you used an example on "Caveat," where we talked about this as well, of going to an art museum, being inspired by Picasso or whomever and going home and coming up with your own painting inspired by his work, even though it's unattributed. 

Dave Bittner: Right. 

Ben Yelin: And that's a really interesting metaphor. But in that case, you're using your own creativity. You are using the contents of your own mind to turn the inspiration from somebody else into your own distinct creative work. And is that happening with artificial intelligence? It's a hard question to answer. Can a computer have creativity, or are they just digesting pieces of information and spitting them out algorithmically? It's something that I don't think is clearly answerable. 

Dave Bittner: Well, I think we all need to go back and watch the "Star Trek: The Next Generation" episode "Measure of a Man," where Lieutenant Commander Data is put on trial as to whether or not, as a computer, he has the rights of a human being. I think it's all pretty well laid out there (laughter). 

Ben Yelin: Maybe you and I can turn that into, like, a one-act play where we just do that scene, and we have attorneys on each side arguing the best arguments on behalf of their clients. 

Dave Bittner: Yeah. 

Ben Yelin: I sense that's a good creative work in our future. 

Dave Bittner: Yeah. All right. Well, this one - more to come, for sure, as this develops, and I find it fascinating. Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.