The CyberWire Daily Podcast 5.3.23
Ep 1815 | 5.3.23

Iran integrates influence and cyber operations. ChatGPT use and misuse. Trends in the cyber underworld. Hybrid warfare and cyber insurance war clauses.

Transcript

Dave Bittner: Iran integrates influence and cyber operations. ChatGPT use and misuse. Phishing reports increased significantly so far in 2023, while HTML attacks double. An update on the Discord Papers. Cyberstrikes against civilian targets. My conversation with our own Simone Petrella on emerging cyber workforce strategies. Tim Starks from the Washington Post joins me with reflections on the RSA conference. And, turns out, a war clause cannot be invoked in denying damage claims in the NotPetya attacks.

Dave Bittner: I'm Dave Bittner, with your Cyberwire "Intel Briefing" for Wednesday, May 3rd, 2023.

Iran integrates influence and cyber operations.

Dave Bittner: Microsoft has observed Iran making increasingly sophisticated attempts at influence operations. Microsoft says, "We detected these efforts rapidly accelerating since June 2022. We attributed 24 unique cyber-enabled influence operations to the Iranian government last year, including 17 from June to December, compared to just seven in 2021. We assess that most of Iran's cyber-enabled influence operations are being run by Emennet Pasargad, which we track as Cotton Sandstorm (formerly NEPTUNIUM), an Iranian state actor sanctioned by the US Treasury Department for their attempts to undermine the integrity of the 2020 US presidential elections."

Dave Bittner: The new playbook is predictable, but it's no less effective for all of its templated quality. The campaign begins with a cyber-persona announcing and usually exaggerating a low-grade cyberattack. That announcement is then picked up, distributed, and amplified by inauthentic persona, using the targeted audience's native language. Microsoft says the goals of its cyber-enabled IO have included seeking to bolster Palestinian resistance, fomenting unrest in Bahrain, and countering the ongoing normalization of Arab-Israeli ties with a particular focus on sewing panic and fear among Israeli citizens.

ChatGPT use and misuse.

Dave Bittner: OpenAI has confirmed a data breach in its ChatGPT system, Security Week reports. The breach was enabled by a flaw in the system. The rapidly growing chatbot contained a vulnerability in its open-source library, allowing outside users to see others' chat histories. The breach took the chatbot offline until the company's patch was released. Although the patch was quick and the exploit appears minor, this vulnerability may have allowed others, malicious or otherwise, to see payment information, names and email addresses of other users using the service, for a few hours.

Dave Bittner: In a separate development. Samsung has completely barred employees from using generative AI systems like ChatGPT on company devices and networks after it was found that the tech giant's employees had uploaded sensitive internal data to the platform. Bloomberg reports that the South Korean tech giant fears the implications of the chatbot's data being stored on external servers. That storage could take the ability to secure such data out of Samsung's hands and could allow disclosure of shared information to unauthorized parties. Samsung strictures against using ChatGPT and its systems isn't, we should note, a case of any more general reluctance to be involved with AI. Samsung has also shared plans to create its own internal AI tools.

Phishing reports increased by 34% in Q12023.

Dave Bittner: Cofense released its 2023 first quarter fishing intelligence trends review today. They report a 20% increase in active threat reports in the first quarter when compared to last quarter, and a 34% increase when compared to the first quarter of 2022. Threat actors are updating their delivery systems. They are, for example, now including OneNote files. YouTube has become a surprising target of abuse by threat actors, and threat actors will use redirects to point to phishing pages. Cofense says, "The top malware families and types remained mostly consistent to that of the fourth quarter. However, the most significant changes in malware types was a 38% increase in the use of keyloggers."

Dave Bittner: Researchers explain that Qakbot remained the most successful malware family reaching inboxes 185% more often than Emotet, despite Emotet's extremely high dissemination volume. Telegram bot usage for exfiltration increased very sharply, nearly 400% during the first quarter of '23. Cofense states, "Further, telegram bot API usage continued to rise tremendously in the first quarter, already surpassing all of 2022 by 310%. The use of Telegram bots has already reached new highs this quarter compared to all of last year, and is expected to hold these levels or even go beyond." Cofense expects an increase in phishing attempts as we enter the summer months.

HTML attacks double in one year.

Dave Bittner: Barracuda released a study this morning indicating that HTML attacks have doubled since last year. The researchers note that not only is the total number of attacks increasing, but the number of unique attacks seems to be increasing as well. Barracuda states, "On March 23rd, almost 9 in 10 of the total 475,938 malicious HTML artifacts were unique, which means that almost every single attack was different. HTML attacks are commonly seen in phishing campaigns when users download HTML attachments from emails. Barracuda recommends that organizations adopt email protections to spot and block malicious HTML attachments, that they train their personnel to spot phishing emails, that they implement MFA and consider a zero-trust security model, and that they prepare an incident response plan that includes ways of disrupting a campaign should it penetrate your organization.

Discord Papers update.

Dave Bittner: Ukrainian President Zelensky said he did not receive a briefing from the US on the leaks in the Discord papers. He found out about them from news reports, according to The Washington Post. In fairness to the White House, the leaks do seem to have caught U.S. authorities off guard, and news outlets were among those who discovered the leaks at roughly the same time the officials did.

Cyberstrikes against civilian targets.

Dave Bittner: CERT-UA reports that Russia continues to attempt cyberattacks against civilian infrastructure. Ukrinform quotes Volodymyr Kondrashov, spokesman for the State Service of Special Communications and Information Protection, "Where are the attacks coming from? CERT-UA, which is manually engaged in prevention, detection, and response to cyberattacks and cyber incidents, monitors the activities of more than 80 groups, most of which are hacker groups from the Russian Federation, whose 90% of the members are Russian military operatives. That is, we see that Russia uses the same tactics in cyberspace as it does on the conventional battlefield, that is, it tries to attack civilian infrastructure."

War clause can't be invoked in NotPetya case: New Jersey court.

Dave Bittner: A New Jersey Court ruled Monday that Merck may be entitled to a payout from their insurers following a 2017 cyberattack against the company, Fierce Pharma reports. The June 2017 cyberattack was conducted by NotPetya, a group with ties to Russia.

Dave Bittner: The attack initially hit Ukrainian targets, but soon spread indiscriminately around the world. The pseudoransomware was first distributed through accounting software. In Merck's case, and Merck was not the only Western company affected, Bloomberg Law reports that in Merck's case, NotPetya infected more than 40,000 machines in the pharmaceutical giant's network. The U.S. government attributed the attack to Russian intelligence services, and charged six Russian officers in connection with the incident. The indicted officers are of course presently out of reach.

Dave Bittner: Merck's insurers disputed a payout of $1.4 billion to the company on the basis of the "hostile/warlike action" exclusion clause within their policies, the Wall Street Journal writes. However, the Appeals Court this week said that the exclusion clause should not apply to a non-military affiliated company, despite the nature of its origin. It's a win for Merck, but more litigation can, of course, be expected.

Dave Bittner: And finally, our Cyberwire Associate Producer Liz Irvin was with us for the first time at the RSA Conference this year, and she shared her mic with conference goers walking the show floor. She files this report.

Liz Irvin: We're here in the beautiful San Francisco at the RSA conference for 2023. My name is Liz Irvin, and this is my "Woman on the Street Walk and Talk" with cyber professionals around the world. So what was it like walking down those escalators or walking down those steps for the first time seeing all of the panels and all of the booths? Just was it overwhelming at first?

Ameesha Patel: I think it's great. I think it's such a big scale. So we have like trade shows In London, but I think it's honestly it's a speck in the dust compared to RSA. It's amazing. People are here. They're so generous with all their information that they want to give, and I'm learning so much.

Frances Schroeder: Yeah, definitely. At first, it's definitely very overwhelming, but we've just seen so many friendly faces who have come up to us and greeted us.

Damien Lewke: I've loved it. RSA is always kind of like a back-to-school reunion, right? Having been in the industry for about eight years, it's really cool getting a chance to connect with some old friends, but it's really interesting to see some of the new and interesting problems that people are solving.

Liz Irvin: So how are you comparing this year to the past years that you've been here? Is it better or worse? Like, what are you finding for this year?

Kyla Guru: I think what makes it so special this year is being here with my super cybergirl squad and having a whole community of young women that are empowered and energized around this topic, so it's a little bit of a different vibe but, you know, RSA is just the magic that it was a few years ago, too.

Regina Menezes: I am enjoying it.

Liz Irvin: Yeah?

Regina Menezes: Since after COVID, it's nice to be back and be back to normal it feels like.

Crystle-Day Villanueva: So the first year that I came, we were very much in our first year as a startup, so we had a much smaller booth. We really had to fight to get attention. Like today, we're a bit more established, and we have a lot more integrations and partnerships, so seeing that growth between the first year and now is spectacular.

Liz Irvin: So what is your favorite thing on the show floor that you've seen so far today?

Brian Kanoski: There's been a lot. Actually, there was a nerd wall over there that all these old Star Wars comics and there was an AT-AC Lego piece which got us to go to your booth, your guys' Legos here. And you can win those, so that was been- that was really cool and really neat to see.

Jim Popel: Oh, apart from the cool F1 cars and the Indy cars, just talking to people, just like there's no one thing but, you know, you've got your guys here that secure IoT, and you've got the guys that are securing AI and it's really looking to the future, so I can't pick one thing. It's just all really great, and great to be in San Francisco.

Liz Irvin: I'm sure you've heard of the abbreviation for Chief Information Security Officer. How do you pronounce that abbreviation?

Brian Kanoski: I pronounce it CISO.

Crystle-Day Villanueva: I would say CISO?

Frances Schroeder: I say CISO.

Damien Lewke: CISO.

Liz Irvin: CISO, okay, all right-

Damien Lewke: Well, it should be CISO.

Liz Irvin: CISO?

Damien Lewke: Because it -- CISA, CISO.

Liz Irvin: Okay.

Damien Lewke: CISO. I learned something today.

Dave Bittner: That's Liz Irvin, our N2K Networks Associate Producer reporting from the show floor of last week's RSA Conference in San Francisco. Coming up after the break, my conversation with our own Simone Petrella on emerging cyber workforce strategies, and Tim Starks from the Washington Post joins me with reflections on the RSA Conference. Stay with us.

Dave Bittner:And it is my pleasure to welcome back to the show Simone Petrella. She is the president of NTK Networks, and my boss.

Simone Petrella: Ah.

Dave Bittner: Welcome back, Simone.

Simone Petrella: It's so good to see you, Dave.

Dave Bittner: Like I could say no.

Simone Petrella:I forced you into it.

Dave Bittner: That's right, that's right. Twist my arm. So you and I are freshly back from the RSA Conference, and I wanted to touch base with you on trends that you were tracking and things you saw when it comes to strategic workforce development. I think particularly at RSA, it's so easy to talk about the tech side of things, but it strikes me that we're facing a lot of interesting challenges when it comes to the workforce. What did you see?

Simone Petrella: Yeah, I think it was- first of all, it was wonderful to be back out at RSA and kind of see it in full effect and all the tech solutions on display. I think one of the main takeaways I had was that, you know, strategic workforce development training, how do we deal with the talent issue, is still one of the top three priority areas across the board. However, we're still stuck in this discrete challenge of the limitations of the solutions that we're using to actually fix the problem.

Dave Bittner: How so?

Simone Petrella:What do I mean by that?

Dave Bittner: Yeah.

Simone Petrella: Basically, it's something we all like to talk to. We give a lot of lip service to it, but then when the rubber meets the road, I'd say that it's pretty fragmented and how we're actually addressing the problem. I think there's more desire to talk about it than to really invest significant resources or time into it, like you do in the technologies, you know?

Dave Bittner: Help me understand here, because in my perception, it feels as though organizations are quick to hire what I describe as the fully baked individual, the person who has been at this a while, comes to the table with a lot of skills, can hit the ground running, but they're not so quick to hire that person who's going to need a little bit of care and feeding. Do you think that's an accurate perception on my part?

Simone Petrella: I do. I think that it is something that we've struggled with for years, and this year is no exception. A good number of the folks that I spoke to, security leaders and CISOs, would talk about how they were really focused on more experienced roles, the roles that they wanted to prioritize and fill required a level of experience, and so they just essentially had no need for the entry, or the midlevel roles that could actually come up the ranks in security, and part of the reason they didn't want those is because they're automating those functions and want to retain the rest for the more experienced talent.

Dave Bittner: So how do the new people coming out of school get trained up?

Simone Petrella: Oh, that's a great question, Dave. I guess they can't. We're all-

Dave Bittner: Well, I mean, we're joking about it, but it's a real, can we go so far as to say, peril for the industry?

Simone Petrella:  I absolutely think it's a peril, because we're not investing in training the workforce of the future, and if they can't get to that place of experience because they haven't gotten a chance to get their foot in the door, then you're never going- you're actually going to continue to squeeze the already limited supply of this talent we have. It is a truly classic economic problem of supply and demand, but we're putting the squeeze on ourselves when we think about future forecasting.

Dave Bittner: So where do you think we have to go then, based on what you've heard? Any insights on potential solutions?

Simone Petrella:  Well, one thing I think is really interesting, that was unique to this year than in prior years, because this has obviously been an important topic for a number of years now, perhaps more than the last five, was that while there's still a recognition that the talent issue is real, there is a reality of the market, meaning the broader economy today, because it is softening, because we're kind of teetering on the edge of what people are saying will become a recession, we're not sure, but that has resulted in the effect of reduced attrition across cybersecurity roles. Companies are either not hiring as many positions as they had, and because when costs go up and budgets also tighten, what do people do? They stay put in their jobs. So there's an interesting opportunity, from my perspective, in that companies are experiencing all-time low attrition in their cybersecurity workforces, but that also means that they are now in a position to actually invest and keep those folks they have in a way to develop them that they may not have been as willing to do when they were operating under the world of I don't want to invest time and resources into, you know, new employee X, Y, or Z because they're going to leave me in a year and a half.

Dave Bittner: So rather than folks bouncing around chasing after bonuses, being poached away, perhaps it makes more sense to invest in these people, since there's a greater likelihood that they're going to stick with us for a while.

Simone Petrella: Exactly, and as a lot of people say, the age-old adage is, you know, the fear is, well, if I train them, what happens if they leave? This is truly an example of well, what if you don't train them and they stay?

Dave Bittner: That's right. That's right, but I would suspect too, I mean, are we discounting the amount of loyalty that might be- that someone might gain from having a company where they feel like they're investing in them?

Simone Petrella: Absolutely. I think organizations have a really untapped opportunity to encourage and develop their institutional talent because the hardest thing to actually upskill anyone on is knowledge of the business, knowledge of the enterprise, knowledge of the particular unique risks in that enterprise, and being able to develop people into new roles, but allow them to carry that institutional knowledge with them, is actually a net security positive for those organizations.

Dave Bittner: Is this a bit of a wake-up call. I mean, do you feel like this message is getting out either organically or just by necessity?

Simone Petrella: I think it's still an uphill battle. I think that measuring and executing on human capital is still one of the hardest things for us to, as an industry, really wrap our heads around because it takes a lot of work, and it is, I think, very tempting to look to a technology solution to automate something, make our lives more efficient, and essentially, ignore the bigger more challenging, more high-touch requirement that's ultimately like necessary to have successful human talent and capacity.

Dave Bittner: Yeah, I mean, kind of understand it in such a tech-centric vertical that you'd have that impulse, but ultimately, I guess it's short-sighted.

Simone Petrella: I think so, and especially if we want to continue to have new folks come into the field, we have to give them an opportunity to actually see themselves in these roles. Otherwise, they'll bail out and you're stuck with kind of a recurrence of not having the most -- the best and the brightest kind of come into the field.

Dave Bittner: Yeah. All right. Well, Simon Petrella, from N2K Networks, thanks so much for joining us.

Simone Petrella: Thanks for letting me hijack you, Dave.

Dave Bittner: It is always my pleasure to welcome back to the show Tim Starks. He is the author of the Cybersecurity 202 at the Washington Post. Tim, great to have you back.

Tim Starks: How are you, Dave?

Dave Bittner: So you and I were both out in San Francisco at the RSA Conference, and although we did not cross paths while we were out there, I'm looking forward to getting your insights from the show. Any high-level thoughts to start with?

Tim Starks: Gosh, you know, I- it's kind of a funny thing that happens when you're on the East Coast and you go out to the West Coast and end up talking to a bunch of people from the East Coast.

Dave Bittner: Agreed, agreed.

Tim Starks: So, you know, partially because I'm a little focused on policy, the highlights for me were sitting down with Rob Joyce from the NSA, and that was something I did alone with him, and then also sitting down with Kemba Walden, the Acting National Cyber Director. That was part of a panel with the media. Those were the things that really stuck out to me. Rob Joyce had a lot to say about a lot of things. You know, he also gave a very interesting presentation that I wrote about again this week, mentioning his thoughts on AI, but when we talked, you know, we talked about China, we talked about Russia, we talked about the Discord leaks.

Tim Starks: Kemba Walden also likely, you know, covered the waterfront. The thing that stuck out to me with her conversation was what they're doing on space cybersecurity. I'm constantly trying to look for a way to work a joke about cyberspace but space cyber. I can never make it happen in my column. So, you know, those are the big things for me. Obviously, went to a lot of meetings, wrote a bunch of things about it for the newsletter last week, and again, like I said, spilling over to this week.

Dave Bittner: Going into the conference, I think a big question for me was, to what degree are we going to see everything influenced by ChatGPT? And, you know, I made the joke, I think on our show a couple of times that I thought maybe half of the booths would say ChatGPT-enabled, and the other half would say we protect you from things that are ChatGPT-enabled.

Tim Starks: That's a legit good joke. I- there really was a ton of announcements from companies saying, you know, generative AI, generative AI.

Dave Bittner: Great.

Tim Starks: But also, you know, people have been warning on the other side about how risky this is but, you know, one of the things that was interesting to me about it was, it's not something where people can really, really give you a really solid answer about why, why they're worried about it. I think, you know, one of the best answers, and this was, you know, something that Denise [inaudible] told me a few weeks back, when I asked her like, "What are you actually worried about?" because she mentioned it as this big, big threat that she was really, really worried about. And she said, "Well, I'm not an AI expert. I'm more worried about the fact that similar to the advent of social media, similar to the way we're- she's worried about secure by design, people need to be thinking about, cybersecurity with it now, before it gets to that point of it's taken over our lives in a lot of ways, and we haven't- we don't realize how much harm has been done."

Tim Starks: So I think that's- I think that might be the best answer, even though it's an answer that says we don't know. There are obviously real risks that people are talking about that, you know, I think the one that's most persuasive to me right now is that- is the ability of these things to write phishing pitches, emails, or disinformation. Those are the things that most- are most convincing to me right now because I, you know, I've written before about how right now, it's not actually very good at writing, say, malware. It might be later, but right now, it doesn't seem that good at that.

Dave Bittner: One of the things that struck me was that I was having a conversation with Ann Johnson from Microsoft, and she was talking about how Microsoft is embracing these large language models, and it struck me that with the big companies, the leaders in the field going all in on this, does that leave the smaller players not really having much of a choice as to whether or not they follow that path? Like it's, you know, if the big players are going to do it, then to be competitive, do you have to do it or is it possible to have it be a differentiator to say no, we're not doing that?

Tim Starks: Hm, you know, I think one of the best answers I've heard to that kind of question, not that precise question was, you know, AI isn't by itself going to change anything on the defensive side of things. I mean, you mentioned Microsoft. Google had an announcement too, so you're talking big, big, big, big companies. What [inaudible] people say is that if you have AI and humans working together, you're going to be better off than people just using one or the other.

Dave Bittner: Yeah, that's fascinating. Again, what it reminds me of is years ago, I remember reading an article about chess competitions, you know, the people at the highest level of chess, and someone said that- someone who knew about these things said that, you know, computers can pretty much beat top chess folks routinely these days, but if you team up a human with a computer, they can routinely beat the computer by itself. And I think that's an interesting- you know, that connects to this, to what you're saying, I think.

Tim Starks: I mean, another thing I think, you know, I think part of it- maybe I'm just being a little too skeptical here. I think part of it is marketing. I mean, everybody's talking about this, so why not jump on the bandwagon and say yeah, we're doing it too?

Dave Bittner: Yeah, I agree. I think that's a big part of it, too. It's an easy thing to try to differentiate yourself from the competitors, and if you already have a head start behind the scenes, why would you not do that? I mean, we're seeing things from folks within organizations like Google, who are, you know, there's stories coming out from them saying, maybe we're going a little too fast here.

Tim Starks: Yeah, I mean, the big godfather, his name is escaping me, but yeah, saying slow down. I mean, you know-

Dave Bittner: Yeah.

Tim Starks: I've- sorry if I've used this line on you before, Dave, but on this issue of AI, I'm somewhere between, you know, growing up being afraid of the Terminator and Cyberdyne Systems and all of that, but also looking at the, you know, there's an essay that one of my favorite writers, Ted Chiang wrote for The New Yorker not that long ago, which really sounds like he's not of the mind that this is actually that big of a deal. And he's a very thoughtful science writer, science-fiction and science writer, who, you know, was saying that this is a little bit- using this ChatCPT stuff is a little bit like a copy of a copy of a copy, and you'll start having these- that's why we have these artifacts or what we call hallucinations.

Tim Starks: He seemed a little bit of the mind that this was just a different way of the internet working. I might be oversimplifying his point, because he's way smarter than I am, but I think there's a range there of how scary this could be versus how people might be overreacting.

Dave Bittner: Yeah. Well, as folks in the media love to say, time will tell, right?

Tim Starks: Yes.

Dave Bittner: All right. Well, Tim, thanks for taking the time for us today. It's great catching up with you.

Dave Bittner: And that's the Cyberwire. For links to all of today's stories, check out our daily briefing at thecyberwire.com We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the Cyberwire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.

Dave Bittner: N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tre Hester with original music by Elliott Peltzman. The show was written by John Petrik. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here, tomorrow.