Ransomware in Costa Rica. Cyberespionage against unpatched FortiOS instances. Credential stuffing PayPal, breaching T-Mobile. Utility business systems hit. Hackathons and phishing in Russia.

Dave Bittner: Ransomware hits Costa Rican government systems again. A Chinese threat actor deploys the BOLDMOVE backdoor against unpatched FortiOS. Credential stuffing afflicts PayPal users. T-Mobile discloses a data breach. A cyberattack hits a remote Canadian utility. The Wagner Group sponsors a hackathon. Malek Ben Salem from Accenture describes prompt injection for chatbots. Our guest is Paul Martini from iboss with insights on Zero Trust. And the FSB's Gamaredon APT runs a hands-on Telegraph phishing campaign against Ukrainian targets.

Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, January 20, 2023. 

Ransomware hits Costa Rican government systems.

Dave Bittner: Happy Friday, everyone - good to have you here along with us once again. Costa Rica's Computer Incident Center disclosed this week that it's been subjected to a ransomware attack that encrypted 12 government servers. None of them, the statement said, affected critical systems, and the attack has been contained - that is, confined - to the systems already affected. There is no official general attribution of the attack nor any word on what strain of ransomware may have been involved. But as The Record by Recorded Future reminds readers, Costa Rica began receiving some hostile and determined attention from Conti last spring, with the gang going so far as to express its determination to bring down the government. That's not an expression of serious political purpose but more like Conti saying, gosh, I'm telling you, brother, we're mad as heck, and we want to get paid. Hang tough, and get well soon, Costa Rica. 

Chinese threat actor deploys BOLDMOVE backdoor against FortiOS.

Dave Bittner: A suspected Chinese threat actor is exploiting a recently patched critical flaw in Fortinet's FortiOS SSL-VPN, according to researchers at Mandiant. The threat actor began exploiting the vulnerability in October 2022, months before the flaw was disclosed publicly. Fortinet issued an advisory on December 12 rating the vulnerability as critical, noting that the company was aware of an instance where this vulnerability was exploited in the wild. Mandiant says the threat actor targeted a European government entity and managed service provider located in Africa. The researchers discovered a new malware, dubbed BOLDMOVE, that was developed to exploit this vulnerability. The threat actor appears to be sophisticated and well-funded. Note that there's been a patch for the vulnerability available since last month, and Fortinet users are urged to apply it. 

Credential stuffing afflicts PayPal users.

Dave Bittner: On January 18, PayPal said in a security incident notice that unauthorized parties had accessed thousands of user accounts between December 6 and 8 of last year in a credential stuffing attack. Credential stuffing is one method of attack that can be made less likely to succeed by the application of some sound digital hygiene. This credential stuffing attack, Bleeping Computer explains, works by utilizing a bot that attempts various user credentials sourced in other leaks to access accounts on other sites. That is, it's a lazy hacker's way of brute forcing a credential. So it follows that those reusing passwords across accounts with shared usernames and emails or password recycling would be most likely to fall victim to these attacks. 

Dave Bittner: Forbes writes that this incident was reported as of yesterday to have given threat actors access to 34,942 PayPal accounts. In a statement to EcommerceBytes, PayPal asserts that no financial information was accessed and that payment systems were not affected. PayPal says they're reaching out to those who may have seen their accounts accessed. It's not clear that PayPal has that much to apologize for since this seems to be a matter of user headspace and not a security flaw within PayPal itself. 

T-Mobile discloses a data breach.

Dave Bittner: Mobile carrier T-Mobile disclosed a data breach yesterday that affects around 37 million postpaid and prepaid customer accounts, SecurityWeek reports. The telecommunications firm said in a Thursday filing with the U.S. SEC that the data breach was the work of a malicious actor abusing an API without authorization. The wireless provider claims that the attack, discovered January 5, was stopped within a day of discovery and that they had pinpointed the source, Bloomberg reports. The carrier says that there is no evidence showing that any other systems were affected and also did not appear to affect any sensitive data. 

Cyberattack hits Nunavut utility.

Dave Bittner: Qulliq Energy Corp, QEC for short, in Nunavut, the largest and northernmost territory of Canada, was hit by a cyberattack on Sunday that took down some business systems, the CBC reports. QEC disclosed yesterday that the attack took down the systems at its customer care and administrative offices. The company has enlisted external cybersecurity experts to investigate the scope of the attack and determine which data was accessed. QEC says it will notify anyone whose information was accessed. Premier P.J. Akeeagok said in a statement that various territorial and federal agencies are assisting with the recovery and that the Royal Canadian Mounted Police are investigating the incident. The attacks didn't affect power plant operations, just business systems. And customers are presently unable to pay their bills via credit card. While it's still unclear whether the attackers accessed customer information, the company says customers should be vigilant just in case. 

Wagner Group sponsors a hackathon.

Dave Bittner: Russia's Wagner Group private military corporation hasn't neglected information technology. The mercenary group sponsored a hackathon last month designed to contribute to the hired guns said, to the development of IT projects to protect the interests of the Russian army. The hackathon offers another example of the ways in which criminals serve as cyber auxiliaries for the Russian organs. The co-founder of the team that placed an honorable third, one Igor Turashev, is wanted by the U.S. FBI for his involvement with, among other things, the Dridex banking malware. Mr. Turashev was indicted in the Western District of Pennsylvania on November 13, 2019. The charges he faces, if the U.S. ever gets its hands on him, include conspiracy, conspiracy to commit fraud, wire fraud, bank fraud and intentional damage to a computer. Mr. Turashev should choose his vacation spots with care. 

Gamaredon APT runs Telegraph phishing against Ukrainian targets.

Dave Bittner: BlackBerry researchers reported yesterday that they'd observed the Gamaredon operators running phishing attacks against Ukrainian targets. The phishbait consists of spoofed Ukrainian government or corporate documents. As BlackBerry puts it, the Gamaredon group's network infrastructure relies on multistage Telegram accounts for victim profiling and confirmation of geographic location and then finally leads the victim to the next-stage server for the final payload. This kind of technique to infect target systems is new. The final payload is an information stealer first observed in September of this past year. Gamaredon, also known as Primitive Bear or Actinium, is generally believed to be an FSB operation run out of occupied Crimea. This particular operation seems to be hands-on and not heavily automated. 

CISA releases one ICS advisory.

Dave Bittner: And finally, the U.S. Cybersecurity and Infrastructure Security Agency, that CISA, has issued an industrial control system (ICS) advisory affecting Hitachi Energy PCU400.. So read it and heed it, ye captains of industry. It's Friday afternoon. Do you know where your Hitachi ICS is? 

Dave Bittner: Coming up after the break, our guest is Paul Martini of iboss with insights on zero trust. Malek Ben Salem from Accenture describes prompt injection for chatbots. 

Dave Bittner: Paul Martini is CEO of security firm iboss, where they recently released a report titled "Bolster Your Company Defenses with Zero Trust Edge." I checked in with Paul Martini for insights for companies looking to make the transition to zero trust. 

Paul Martini: First and foremost is choose a framework that is based off a standard or create standards. So NIST - they're very well known for not just the risk management framework, the RMF, but they create a lot of different standards. And so by choosing NIST 800-207, I think what that's going to help with is, first, it's vendor agnostic. It's really based on concepts and ideas that can be implemented. But secondly, as, you know, regulation comes down, you know, from government to the commercial and enterprise sector as well as into other sectors as well, it's going to make sure that you're going to be meeting fundamental compliance requirements because ultimately it is - we believe this becomes regulation and becomes law. And by doing it in a way that not only reduces risk but helps you remain compliant is always helpful. So the first is pick a framework that you can understand and that is tangible and discrete. The second is really understand what it is that you're trying to achieve. 

Paul Martini: I think this really shouldn't be about just the term or technology that, you know, people hear about and think is a great idea. It should be really taking a step back and understanding what is zero trust and what does that mean and how does it reduce risk? CISA, which is the Cybersecurity and Infrastructure Security Agency, put out a report in 2021 which studied the fundamental root cause of ransomware. They partnered with the FBI, NSA, as well as other governments, the U.K. and Australia. And what they found was the top three initial infection vectors for ransomware in 2021 was unauthorized access. They were all based on unauthorized access, things like stolen credentials, phishing or vulnerabilities. 

Paul Martini: But the real question really comes down to why is it that when software becomes vulnerable, that it gets - it's accessible? Like, why is it that there's an attacker in Russia that can even access the application to begin with? And the reality is because the world looks a lot different today. You know, those applications used to be in a data center or used to be in your office. But now they're SaaS applications, meaning there's a path through the front door of that application. As soon as it becomes vulnerable, an attacker can take advantage of that vulnerability. And if you look at the number of vulnerabilities coming out on a daily basis from CISA, they just sit there waiting for these vulnerabilities to come out to take advantage of them. 

Paul Martini: So I like this idea. You know, this is fundamentally about resource access, controlling resource access, using process, people and technology to basically put a front door in front of all of the critical resources and enterprise zones and ensure that those applications and data remain private at all times. I do also like all of the network requirements, the requirements to support zero trust architecture from NIST. The tenants - they have seven tenants that are required to meet a zero trust architecture according to their framework. But looking at those tenants and those network requirements, making sure that you're really checking each of those boxes, they (inaudible) a lot of work to really think about them and the impacts of what they mean. But following those, I think, will put you in a much better position. 

Dave Bittner: You all recently released some survey data about zero trust. Were there any particular bits of information that you gathered that caught your eye or were surprising or unexpected? 

Paul Martini: I think they just reaffirmed what we already - we're seeing, which is, you know, zero trust is a mainstream type of process and technology that's being implemented across federal governments and enterprises. It's top of mind. We think that there's a lot of confusion as well that happens when there's something that's new, incoming - you know, newer types of technologies, newer types of processes. But it also - you know, we find that it's not just the government. It's reaffirming - it's not just the government moving to these models. It's every company in every enterprise in every sector moving to this model, but reaffirmed that belief. I'm not sure if you're aware, today, actually, just a few hours ago, Okta announced a new breach. Did you see that? 

Dave Bittner: Yeah. Yeah, absolutely. 

Paul Martini: And if you think about that particular breach, the new one that just came out, it was source code that was stolen from GitHub. So basically the Okta source code was stolen. And you just wonder, how is it that an attacker gets to the front door of their GitHub repository because if you're using a zero trust model, the zero trust gatekeeper or checkpoint, is the job of that gatekeeper, is to make sure that no one except for employees are touching that resource, and everybody else is denied by default? So I think this type of technology, when you look at these types of breaches, can, in my opinion and in our opinion - it doesn't just slightly reduce risk. It's the best way, combined with all of the other good hygiene that you need to do with, you know, other technology and processes. But it's the best way to get the biggest bang for the buck to reduce risk. And this is why we're seeing with the survey data and with the government that everybody's moving to this model, you know, as quickly as possible. 

Dave Bittner: You know, it's been my experience that quite often, when bits of technology like this come to the fore, there are several stages that it goes to where, you know, it first gets announced, people start to understand it, and then, quite often, the marketing people get a hold of it. And that leads to, I guess, what I would refer to as the eye-rolling zone where, you know, it gets talked about so much that people kind of put up their defenses about it 'cause they're hearing so much about it. It strikes me that Zero Trust is here to stay. We've gotten past that eye-rolling point, and people are really seeing that this is going to be with us for the long haul. 

Paul Martini: Yeah, absolutely. You know, I think it's a Catch-22. When technology or processes come out and they're not really spoken about or there's not a lot of, you know, vendors jumping on to that type of technology or marketing, the marketers, you know, to your point talking, about it, it might mean that it's either too early, or it's not that interesting or that helpful. But I think that, you know, it's a Catch-22 because when something is that helpful, then, you know, of course, marketing wants to follow that because they know a lot of transitions are going to occur. So you kind of have to get past that hurdle. And I do think that, you know, we're - there's still a lot of noise. But because of these standards - and this is why I appreciate NIST so much, is when you start looking at these standards that include requirements that show tangible deployment strategies, this helps reduce that noise as well as provide, you know, guardrails to prevent people from, you know, jumping off the cliff or, you know, making decisions that are just for the sake of using a term. 

Dave Bittner: That's Paul Martini from iboss. The report is titled "Bolster Your Company Defenses with Zero Trust Edge." We'll have a link in today's show notes. 

Dave Bittner: There's a lot more to this conversation. If you want to hear more, head on over to the CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews. 

Dave Bittner: And joining me once again is Malek Ben Salem. She's the managing director for security and emerging technology at Accenture. Malek, it is always great to welcome you back to the show. We've been seeing a lot of stories about chatbots. They've been getting a lot of attention with some of the developments with AI, related to that. I know you and your colleagues have been doing some work when it comes to prompt injections in chatbots. What can you share with us about that today? 

Malek Ben Salem: Thanks, Dave. So, yeah, we've seen language models, chatbots included, gain some popularity recently. And again, just like any other AI models, we've talked before on this show about the vulnerabilities of AI and machine-learning models in particular. But we have not talked about chatbots specifically. And it turns out that chatbots, just like any other machine-learning models, are vulnerable to certain types of adversarial attacks. These are known as adversarial examples. If you think about, you know, the computer vision systems that have been shown to be vulnerable to changes in - you know, small changes in any - small changes in pixel in an image would completely make an image classifier fooled and misrecognize the image just by those few changes in pixels. Those types of attacks are also valid and work against chatbots. And one of these adversarial examples is - or adversarial attacks is known as prompt injections. This is akin to the sequel injections that we know and that we're familiar with, you know, other types of applications like web applications. 

Malek Ben Salem: So if you think about, let's say, a model that translates languages and you have an API language model with an API that you can call through the API to translate certain language - so you give it your input. Your prompt is to translate a certain sentence. And then, you give it that input that you want to translate, which is - so you have your prompt, and you have your input. It turns out that these models are vulnerable to these prompt injections in the sense that if you modify your input, you can completely make the chatbot do something wrong, such as, you know, share information that it's not supposed to share or tell you how - what's the last prompt it has received, so reveal some information that is not supposed to be returned back to the user. 

Dave Bittner: How are these prompts surfaced? How do we learn about them? 

Malek Ben Salem: So far, I think we need to do more work on developing security scanners to detect these types of, you know, bad inputs. And unfortunately, the security community is not focused on that. You know, most app scanners that I know of are not looking into this issue yet, and I think this is - my point here is to raise awareness about these types of attacks and hopefully draw the attention both for app scanners and also for the users of - or the companies using these types of chatbots to think about these security vulnerabilities. 

Dave Bittner: Is this a matter of just sort of pounding away on these things and throwing everything possible at them to see if any weird stuff gets spit out? 

Malek Ben Salem: I think that's part of it. And definitely, you know, there are some AI-driven proposals that, you know, look at sanitizing the input or sanitizing the prompts to these chatbots. That's one approach. There is also another approach about sanitizing the output. So if something of a malicious prompt is detected before the chatbot returns the results to the end user, they can sanitize that or, you know, maybe ignore to give any response at all. They're not 100% bulletproof. I think they will be useful, but it's not going to be the full answer, and we need to really think about how these - we don't even know enough about how these chatbots are - you know, can leak information. You know, what are the possible prompts that would make them to act not as expected? And so we definitely need more research, but we definitely also need to start building or think about building some tools that could help us secure them. 

Dave Bittner: All right. That's interesting stuff. Malek Ben Salem, thank you for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's "Research Saturday" and my conversation with Brigid O Gorman from Symantec's threat hunter team. We're discussing their report, "Billbug: State-sponsored Actor Targets Cert Authority and Government Agencies in Multiple Asian Countries." That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.