The CyberWire Daily Podcast 2.21.23
Ep 1764 | 2.21.23

GoDaddy's compromise. Twitter disables SMS authentication for all but blue-checked users. Deutsche DDoS. Is Bing channeling Tay?


Unidentified Person: You're listening to the CyberWire network powered by N2K.

Dave Bittner: GoDaddy has discovered a compromise of its systems. Twitter disables SMS authentication for those not subscribed to Twitter Blue. Last week's cyber incident impacting German airports was confirmed to be DDoS. The consequences of cyber irregular participation in cyber wars. Semiconductor tech giant Applied Materials sees significant financial losses from a cyberattack. Joe Carrigan on scammers dangling fake job offers to students. Our guests are Max Shuftan and Monisha Bush from the SANS Institute on the reopening of their HBCU Cyber Academy application window. And is Bing channeling Tay? 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, February 23, 2023. 

GoDaddy's compromise.

Dave Bittner: GoDaddy has disclosed its discovery of a December 2022 breach that resulted in a threat actor redirecting customer websites to malicious domains, BleepingComputer reports. The threat actor was reportedly able to install malware on GoDaddy's cPanel shared hosting environment, and the company added that they have evidence and law enforcement has confirmed that this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy. GoDaddy also stated in an SEC filing that it believes the same threat actor was responsible for security incidents the company disclosed in 2020 and 2021. 

Twitter disables SMS authentication for all but blue-checked users.

Dave Bittner: Twitter's decision last week to revoke SMS text as a two-factor authentication modality for all but paying Twitter Blue subscribers has been poorly received. Twitter explained, while historically a popular form of 2FA, unfortunately, we have seen phone number-based 2FA be used and abused by bad actors. So starting today, we will no longer allow accounts to enroll in the text message and SMS method of 2FA unless they are Twitter Blue subscribers. The Verge points out that the move away from SMS 2FA may be a cost control measure since it costs a little bit of money to send an SMS. It's true enough that SMS text authentication is not the best 2FA method, but it's way better than nothing. And it's likely, as experts point out to NPR and Wired, that people who've used it as their default will not replace it with anything. And besides, why should subscribers paying for their blue check be expected to be content with an inferior method of authentication? Or are they paying for convenience? 

Deutsche DDoS.

Dave Bittner: It's now been confirmed that the cyber incident German airports at Düsseldorf, Nuremberg, Erfurt-Weimar and Dortmund sustained last week was indeed a distributed denial-of-service attack. Spiegel reports that the attack lasted about an hour, and that Russian hacktivists claimed responsibility. The Register, which dismissed the incident as "script kiddies up to shenanigans," points out that it spared the three largest German airports (Berlin, Frankfurt, and Munich). The Record reports that Anonymous Russia counted coup in its Telegram channel with a snarky, "And, again, non-flying weather in Germany; what's up?" - followed by links to outage reports at each affected airport. 

Dave Bittner: Spiegel also reported that Lufthansa, Germany's national airline, had experienced service disruptions earlier in the week on Wednesday and that preliminary investigations suggested that the cause might have been broken fiber optic cables supplying the airline's network. But the Russian hacktivist auxiliary Killnet has since claimed responsibility for that incident in a communique published by the Russian outlet Gazeta. Killnet said, we killed the corporate network of Lufthansa employees with 3 million fat data packet requests per second. It was an experiment on rats, which was successful. Now we know how to stop the work of any airport in the world. The attack was retaliation, the KillMilk section of the group said, for Germany's decision to furnish Ukraine with Leopard tanks. The auxiliaries asked rhetorically, who else wants to supply weapons to Ukraine? 

Cyber wars and cyber irregulars.

Dave Bittner: One consequence of the growing tendency of auxiliaries, hacktivists, privateers and other irregulars to participate in wartime cyber operations appears to be an extension of combatant status to actors who would otherwise be considered noncombatants. The Record reports that last week, Mauro Vignati, adviser on the digital technologies of warfare to the International Committee of the Red Cross, addressed the Munich Cyber Security Conference on the risk that this trend could undermine protections noncombatants currently are entitled to under the laws of armed conflict. 

Dave Bittner: Vignati said, while individuals may be physically removed from the theater of hostilities, they are only one click away from the digital battlefield. He cautioned governments to restrain themselves from encouraging civilians to participate in offensive cyber operations, stating, encouraging civilian participation in cyberactivities during armed conflict could undermine the protection of civilians who must be spared from the effects of armed conflict. That's why ICRC strongly recommends states to reverse the trend of civilianization of the digital battlefield. 

Dave Bittner: It's worth noting that participation by irregulars in combat doesn't deprive them of all protections under the laws of armed conflict. They exchange the protections afforded noncombatants for the less extensive but still significant protections combatants enjoy. The International Committee of the Red Cross has a convenient summary of the relevant distinctions on their website. 

Cyber risk as business risk: the Applied Materials incident.

Dave Bittner: Semiconductor technology giant Applied Materials estimates financial losses of $250 million in sales this quarter due to a cyberattack, the Silicon Valley Business Journal reported Friday. A ransomware attack impacted one of the company’s suppliers, deduced by industry analysts to be MKS Instruments, The Record wrote last week. In a recent earnings report released from Applied Materials, the company anticipates the second fiscal quarter of this year to net $6.4 billion and cites ongoing supply chain challenges and a negative estimated impact of $250 million from the incident. 

Is Bing channeling Tay?

Dave Bittner: And finally, do you remember Tay? We do. Tay was a Twitter chatbot Microsoft researchers launched back in 2016 in a trial of how well an artificially intelligent system could interact with humans - and do so as if it had a personality. Tay's personality was generally described as approximating a teenager with attitude or, as The Verge quoted Microsoft, an "AI fam from the internet that's got zero chill." Anyhoo, the experiment produced a personality that was basically a jerk. And because it was trained on human tweets, it learned to be a really major jerk in less than 24 hours. 

Dave Bittner: Tay was an experiment and so not a failure, since things are learned even from negative results - still more from unpleasant potty-mouthed results. But now, by some accounts, Bing's incorporation of ChatGPT seems to be following a related disinhibited path. Jensen Harris tweeted his experience with the new Bing as, a wild story in which I probe what Bing's chatbot is capable of if you take away the rules. It gave wrong facts, wrote raunchy jokes, ordered a pizza, taught me how to rob a bank, burglarize a house, hotwire a car, and also cheated at a game of hangman - not that there's anything wrong with ordering pizza, all things being equal. 

Dave Bittner: Gary Marcus on Substack has an extended meditation on what's been going on with Bing. He writes, anyone who watched the last week unfold will realize that the new Bing has - or had - a tendency to get really wild, from declaring a love that it didn't really have to encouraging people to get divorced to blackmailing them to teaching people how to commit crimes, and so on. 

Dave Bittner: In full disclosure, Microsoft is a CyberWire partner. If we really wanted to find the kinds of stuff that Harris and Marcus learned from Bing, we'd probably just Google it, or maybe ask the rational folks you find over on Nextdoor. 

Dave Bittner: But here's a question. Are bad behavior, error, wrongheaded advice, criminal complicity and so on inevitable features of AI trained on a large corpus of human-produced content? Discuss among yourselves. Extra credit if you work the transmission of original sin into your explanation. Class dismissed. 

Dave Bittner: Coming up after the break, Joe Carrigan on scammers dangling fake job offers to students. Our guests are Max Shuftan and Monisha Bush from the SANS Institute on the reopening of their HBCU Cyber Academy application window. Stick around. 

Dave Bittner: The SANS Institute recently announced the reopening of the HBCU Cyber Academy application window through March 1, 2023. The HBCU Cyber Academy is an opportunity for students at historically Black colleges and universities to gain hands-on cybersecurity training and real-world experience free of charge. For details on this offering, I spoke with Max Shuftan, director of Mission Programs and Partnerships at SANS, and Monisha Bush, U.S. Missions Programs and Partnerships coordinator for SANS. Max Shuftan starts us off. 

Max Shuftan: SANS has been focused on initiatives to grow the cybersecurity workforce and diversify it since 2015 through what we call academies, or really reskilling programs, in which individuals who have strong aptitude for learning security can receive training, hands-on skills development, learning key knowledge and pursue industry certifications to empower them to start careers in the field. We've helped reskill several thousand students across the globe over the last 7 1/2 years, especially growing in the last three to four years. And as part of that, we've started the SANS effort to build a bridge with HBCUs and help talent from HBCUs come into cybersecurity. So at that point, I'll turn it over to Mo to talk a little more about that. 

Monisha Bush: Yes. Thanks, Max. Speaking of bridges, as a part of the SANS HBCU mission, we did gather a committee together where our mission is to create that bridge to diversify cybersecurity with innovative Black talent from historically Black colleges and universities. So we came up with this idea to kind of peek into this niche area and see if we can provide opportunities for HBCU students and alumni to be able to take part of one of these academies that we kind of already had a really successful student path with some of our other academies. 

Monisha Bush: We began with a pilot academy back in 2020, and it was with the University of Virgin Islands. And we - I'm sorry. Excuse me. That was in 2021 we established our first partnership with the University of Virgin Islands. It was very much successful. They - I think we had a cohort of about five individuals who were very successful in obtaining all three GIAC certifications. And we even have a few success stories from those individuals in which they were able to find careers within less than three months. 

Dave Bittner: When we're talking about historically Black colleges and universities, where have they sat in terms of the offerings that they've had available to their students? 

Monisha Bush: I would definitely say that we've seen and just try - when we're trying to come together and engage in partnerships with these HBCUs, a lot of them did have cyber curriculums, but not in the way that we've seen in a lot of other universities, which is why we thought, hey, this would be a great idea to offer the type of program and curriculum that we - what - that we are offering towards these HBCU academies where it was just HBCU-focused. 

Dave Bittner: Max, what is in it for SANS here? I mean, the opportunity to provide this - this is an opportunity you're providing free of charge. 

Max Shuftan: Correct. It is a scholarship-based program - the HBCU Academy - funded by SANS. For us, it's about having an impact on a community that we felt was underserved, similar to our Women's Academy and Diversity Academy, you know, trying to help launch careers in cyber. And as Mo said in her answer, you know, certainly there are computer science programs, especially across HBCUs, and those are great at helping individuals get into IT and computing jobs, tech support jobs, etc. 

Max Shuftan: But what we saw the academy as having the ability to do is help some of those individuals kind of springboard or launch on a fast track into cybersecurity. Rather, they're working their way through the IT side, you know, finding the individuals with the really high potential and helping them go through the industry training that, you know, a professional might get 10 years into their career and move into a cybersecurity specialist or security engineer-type job now. You know, so at the end of the day it's definitely about that community partnership. And certainly we do want to, you know, raise awareness of SANS as an opportunity for skills development across individuals in the tech and computer science space. 

Dave Bittner: Monisha, I'm curious - you mentioned that you all had completed a pilot program here. What was the feedback from the folks who've been through that program? 

Monisha Bush: Oh, we got some very, very, very positive feedback, to say the least. One of our very, very first graduates - his name is Rex (ph); shout out to Rex - he - I mean, he couldn't have been one of the better candidates to represent our pilot academy from the University of Virgin Islands. He was a computer science major, and as being a part of the first HBCU Academy, he did express that it taught him the skills and the life lessons that kind of actually helped him land his first dream job. He is actually a security engineer for a government agency, and we couldn't be more proud of Rex. 

Dave Bittner: Monisha, what's the future for this? As you experience the success here, are you looking to expand to even more opportunities at more universities? 

Monisha Bush: So glad that you asked that, Dave. So the continuation of actually building these direct relationships with the HBCUs is probably number one. We want to get the word out there that SANS has this type of program available, and we are definitely open to any of the HBCUs out there that are willing and open to partnering with SANS. We are expanding on our nationwide HBCU Cyber Academy. We are now in the second year of our actual annual cyber academy. We do have applications that are open right now, and they will be closing at the end of this month - excuse me - they will be closing March 1 - sponsoring more cyber competitions like our cyber wars and growing our initiatives that are more HBCU focused, like maybe New2Cyber or some of our SANS summit tracks to kind of have a more HBCU focus and just kind of continually creating that community for past, current and future alumni of the academy for our HBCU students. 

Dave Bittner: That's Monisha Bush from the SANS Institute, along with her colleague Max Shuftan. You can find out more about the HBCU Cyber Academy on the SANS website. 

Dave Bittner: And joining me once again is Joe Carrigan. He is from Harbor Labs and the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Interesting article that caught my eye here - this is from the folks over at Avanan - article written by Jeremy Fuchs, and it's titled "Hackers Dangling Fake Job Offers to Students." Joe, you've spent some time in academia... 

Joe Carrigan: Yes, I have. 

Dave Bittner: ...Over there at Johns Hopkins. 

Joe Carrigan: Yes, I have. 

Dave Bittner: What do we need to know about this scam that's going on here? 

Joe Carrigan: So this scam is really just a simple phishing scam. What's interesting is that it is coming from a valid email account, so it - in this particular case that Avanan is talking about. So these guys have gone to the trouble of breaking into somebody's email account, and rather than performing a business email compromise attack and making tons of money, they're just going out and phishing students, which is interesting. I don't know what the status of the email account is right now, but it doesn't matter. 

Dave Bittner: Yeah. 

Joe Carrigan: What's important is that this is coming from a legitimate company, is coming from a legitimate email. So it's probably just making it through all of the spam filters and is looking like a job offer. And the only thing they're trying to do is harvest credentials from these students. 

Dave Bittner: Oh. 

Joe Carrigan: OK? So they're offering a job that pays. It says $450. It doesn't say per week or whatever it says. It's a remote, part-time, $450 job opportunity. 

Dave Bittner: OK. 

Joe Carrigan: When they - there's a link in the email that is not connected to the company at all. And it just takes you to a place where they harvest your credentials. They don't tell you which credentials they're looking for. I would assume it's either Google or Yahoo or something. All of these accounts have value on these dark web marketplace - these dark markets. 

Dave Bittner: Right. 

Joe Carrigan: So these can be turned around and sold. And if you're - having your email compromised can be devastating, particularly because somebody can go into your email, look through your email, find out what accounts they have - you have there as well. Maybe your bank gets reset, your bank password gets reset by having an email sent to that email account. 

Dave Bittner: Yeah. 

Joe Carrigan: They can also take over maybe your streaming services, which they can then, again, turn around and sell, right? 

Dave Bittner: Yeah. 

Joe Carrigan: All these things are just ways for people to go about making money. What's interesting is they're going after college students. They're soliciting - they probably have a mailing list of college students... 

Dave Bittner: Right. 

Joe Carrigan: ...Of new college students... 

Dave Bittner: Right. 

Joe Carrigan: ...That is probably available somewhere, whether from a legitimate source or a dark source. Who knows? 

Dave Bittner: Yeah. 

Joe Carrigan: And they are targeting these people because they know, hey, college students like to have money to do things on the weekends, right? 

Dave Bittner: Yeah. 

Joe Carrigan: And... 

Dave Bittner: It's interesting to me that they're going after college students because, as you say, college students - yes, college students, in general, need money... 

Joe Carrigan: Right. 

Dave Bittner: ...And are willing and able to pick up little side jobs like this. 

Joe Carrigan: Yup. 

Dave Bittner: But what I - what leaves me scratching my head is college students are not known for having a lot of money (laughter). 

Joe Carrigan: Right. Right. 

Dave Bittner: Right? So what's the - so it's interesting to me that they're targeting them. What do you make of that? 

Joe Carrigan: That is a great point. Well, the credential itself does have value. 

Dave Bittner: Yeah. 

Joe Carrigan: These guys might not be going after tons of money. And they're probably coming from a country where the average income of per capita is a lot lower than the U.S. 

Dave Bittner: Right. 

Joe Carrigan: So that's one of the things we need to think about constantly when we're talking about cybercrime, is a lot of these guys - if they can make $5,000 a year doing this kind of thing, they're living pretty well in their country. 

Dave Bittner: Yeah. 

Joe Carrigan: They're in the top 1% of income earners in that country. It's - well, maybe not 1% - I - you know, you get the idea. 

Dave Bittner: Yeah. 

Joe Carrigan: My numbers might be off, but the idea stands. So, you know, it doesn't matter that it's a college student. If the college student has a bank account with a hundred dollars in it, that's a score; that's a find. Plus, all these different - you know, all these different accounts that you can have access to can be sold off for money. And that's how these guys monetize it. So I think that's what's going on here. If they're just doing credential harvesting, like this article is talking about, then they are monetizing that by selling access to those accounts. 

Dave Bittner: I'm curious, you know, at Johns Hopkins, do they have programs to try to get students up to speed on this sort of thing? As you onboard students, is cybersecurity a topic? 

Joe Carrigan: Campus security does run - or the campus police do run a - or is it - you know, it's campus security. They run a program for freshmens - freshmen that come in - freshmens? - freshmen that come in that - and they also have all kinds of outreach programs. And I've worked with them before on that. Although, you know, I don't have the opportunity to do that as much anymore because my duties at Harbor Labs are full-time duties, and I'm kind of part time at Hopkins still. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: So - but, yeah, there is a program in place that does that, and a lot of universities have that. It's universal. It's not just at universities. It's going to be everywhere. I mean, we talk about "Hacking Humans" about this kind of thing all the time. 

Dave Bittner: Yeah. 

Joe Carrigan: People are targeted all the time. And you just have to be aware that anything that seems too good to be true probably is. Be mindful of where you're going when you're being asked to log in. If some - if you are already logged into your email account and something's asking you to log in again, that should raise a red flag every single time. 

Dave Bittner: Yeah. Yeah. All right. Well, Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure. 

Dave Bittner: And that's the CyberWire. For links to all of today’s stories, check out our Daily Briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening. We'll see you back here tomorrow.