“Better Minecraft” improves gameplay, while also lifting your data. Hallucinations, defamation, and legal malpractice, oh my! Asylum Ambuscade and other wartime notes.

Dave Bittner: Barracuda Networks urges replacement of their gear. Fractureiser infects Minecraft mods. ChatGPT sees a court date over hallucinations and defamation. Asylum Ambuscade engages in both crime and espionage. The US delivers Ukraine Starlink connectivity. DDoS attacks hit the Swiss parliament's website. My conversation with Eric Goldstein, executive assistant director for Cybersecurity at CISA. Our guest is Delilah Schwartz from Cybersixgill, discussing how the Dark Web is evolving with new technologies like ChatGPT. And BEC crooks see their day in court.

Dave Bittner: I'm Dave Bittner with your CyberWire intel briefing for Friday, June 9, 2023.

Barracuda urges replacement of gear.

Dave Bittner: Barracuda Networks is urging customers to immediately replace its email security gateways (ESGs) due to a security vulnerability (CVE-2023-2868). The company says the vulnerability, which has been exploited in the wild, “existed in a module which initially screens the attachments of incoming emails.” The earliest evidence of exploitation was in October 2022. CSO reports that the Australian Capital Territory government has disclosed that it was breached via the flaw. Rapid7 notes that moving from a patch to a need for total device replacement is "fairly stunning," as it insinuates that the attackers have persistence at a level that requires more than an entire device wipe. The vulnerability's description says that it stems from an incomplete sanitizing of tape archive processing. The description says that "The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive." This can allow for an attacker to perform a remote execution of system commands.

Fractureiser in the wild.

Dave Bittner: Minecraft mods were discovered to contain malware called Fractureiser in a pseudo-supply chain attack. It's described as pseudo because the affected mods are not advertised as supported media by Minecraft; it's an attack on the modder supply chain. Bitdefender released a report describing the attack, explaining that several Minecraft mods hosted on popular modding hubs Curseforge and Bukkit contained infostealing malware, which caused accounts to be compromised and used to update and publish malware-lined versions of mods and plugins. As BleepingComputer reports, "Several CurseForge and Bukkit accounts were compromised and used to inject malicious code into plugins and mods, which were then adopted by popular modpacks such as 'Better Minecraft,' which has over 4.6 million downloads." BleepingComputer further notes that the infected updates were archived, but nonetheless sent out to users, to remain undetected for as long as possible. This attack has a similar ring to it as the recent MOVEit and C3X supply chain attacks, as the attackers targeted developers upstream of their intended victims. This allows them to reach a much wider target base than, say, targeting each user on CurseForge and Bukkit individually.

Hallucinations, defamation, and legal malpractice.

Dave Bittner: Georgia radio host Mark Walters is suing OpenAI LLC for defamation after ChatGPT allegedly generated an answer that falsely stated that Walters had been sued for fraud and embezzlement, Bloomberg Law reports. The "hallucinated" result was generated for a journalist covering a case unrelated to Walters. The lawsuit describes ChatGPT's allegations as "false and malicious," with intent to "injure Walter's reputation and expose him to public hatred, contempt, or ridicule." In a separate case, two lawyers are facing potential sanctions in the Southern District of New York after they used phony legal research generated by ChatGPT, the Associated Press reports. The lawyer who included the fictitious research in their court filing apologized, stating that he "did not comprehend that ChatGPT could fabricate cases."

Asylum Ambuscade engages in both crime and espionage.

Dave Bittner: ESET reports that a Belarusian threat group, "Asylum Ambuscade," active since 2020 at least, has been engaged in what ESET regards as an unusual mixture of cybercrime and cyberespionage. It's described by ESET as a crimeware group targeting bank customers and cryptocurrency traders in a variety of regions that include North America and Europe. Espionage, ESET writes, has also been observed "against government entities in Europe and Central Asia." The group's tools are often developed in script languages that include AutoHotkey, JavaScript, Lua, and Python, among others. Proofpoint last year announced its discovery of Asylum Ambuscade's activities against organizations providing aid to Ukrainian refugees and against European governments generally sympathetic to Ukraine's cause, and that it was primarily an espionage group. ESET's assessment, however, is that Asylum Ambuscade is originally and primarily a criminal group.

US delivers Ukraine Starlink connectivity.

Dave Bittner: The US Department of Defense is buying Starlink connectivity to bolster the resilience of Ukraine's communications. Citing concerns about operational security, the Department has declined to provide details of the Starlink support. SpaceX had footed the bill for awhile, but the Pentagon has relieved the company of that particular loss-leader.

DDoS attack on Swiss parliament's website.

Dave Bittner: Switzerland's parliament came under DDoS attacks Wednesday and Thursday of this week, Netzwoche reports. There's no clear attribution, but coincidentally or not, the attack followed an announcement that Ukrainian President Zelenskyy would address the Swiss lawmakers in a virtual conference next week.

BEC arrests.

Dave Bittner: And finally, the US attorneys for the Southern District of Texas and the Southern District of New York have announced that 11 people in several states are now in custody and facing charges of criminal involvement in business email compromise attacks. All 11 have been charged with conspiracy to commit wire fraud and money laundering. The US attorneys say that the schemes cost victims millions in losses. The announcement explains, "The charges stem primarily from business email compromise schemes. Conspirators allegedly posed as legitimate businesses and fraudulently diverted money from victim bank accounts into accounts they controlled. According to the charges, they gained access to business email accounts and spoofed email addresses to deceive victims into believing they were making legitimate payments." So it's a sadly familiar story. The crooks pose as a legitimate business charging for legitimate services provided, and then inveigle the purchaser of those services into diverting payment to an account the crooks control, and once the money is there, it's laundered and then gone, baby gone. The alleged crooks operated mostly from Houston and Los Angeles, but their alleged crimes hit people in a variety of locations, including Edison Township of Middlesex County, New Jersey. The collars were the work of the FBI and the Edison Police Department, so bravo to both of them in a nice example of Federal and local partnership. And to Federal and local partnership among the prosecutors as well -- the US attorney for the Southern District of Texas particularly thanks the Middlesex County District Attorney. Well done all around.

Dave Bittner: Coming up after the break, my conversation with Eric Goldstein, executive assistant director for cybersecurity at CISA. Our guest is Delilah Schwartz from Cybersixgill, discussing how the Dark Web is evolving with new technologies like ChatGPT. Stick around.

Dave Bittner: Delilah Schwartz is a security strategist from Israeli cyber intelligence firm Cybersixgill. I reached out to her for insights on how the Dark Web is evolving with new threats from technologies like ChatGPT.

Delilah Schwartz: I think on a whole, cyber criminals and criminals in general tend to be the early adopters of new technology and innovation in general. And that's been the case with this new trend of generative AI tools like ChatGPT and other similar technologies. As soon as ChatGPT was released by OpenAI late last year, we immediately saw a massive rush of discourse about this on the cyber criminal underground across the Deep and Dark Web with malicious threat actors quick to discuss the various ways that they could have used these new technologies for their own malicious purposes.

Dave Bittner: And what are some of the specific things that you see them adopting?

Delilah Schwartz: Well, immediately and initially, there was a lot of talk about the get-rich-quick scams. And that might be through fraudulent work. It might be through manipulating gaming and gambling scams or other types of online gaming technologies. We also saw threat actors discussing how to use ChatGPT to create Dark Web marketplaces that were able to process crypto currency as a form of payment. And also, in the same breath, we heard cyber criminals quick to discuss the ways that they could use this human language emulation technology to curate highly articulate spear phishing and phishing emails for social engineering purposes, and also to create malware, which I was able to do myself with some very well-worded prompts to ChatGPT. Though it did have a little caveat at the bottom of the info-stealing malware that it created for me that it was for educational purposes only. We've seen a lot of discourse across the forums of the Deep and Dark Web on how cyber criminals can abuse ChatGPT in those words to launch various different attacks and to automate different parts of the attack chain, whether it be creating fine-tuning malware, finding software vulnerabilities and enterprise networks, and various other tactics and techniques to sort of optimize the existing capabilities of these cyber criminals. That said, as well through my own research, I was quick to identify the fact that ChatGPT, with the right prompts and the right cyber criminal guiding those prompts and really fine-tuning the directions given to the model, could actually serve to streamline the entire attack chain, even with ransomware attacks from pre-ransomware activity and all the way to the very end of the attack chain.

Dave Bittner: Can we dig into that some? What are some of the elements here that come into play?

Delilah Schwartz: So ChatGPT will tell you itself that it is a language model. It's not designed to write scripts or to fast-track any types of the technology production process. But because it is trained upon such a large corpus of data, it does have coding expertise; it does know how to create new websites or code for websites. It can also test for vulnerabilities in software and sort of identify the weak spots in an enterprise network's attack surface. Using ChatGPT, it just sort of accelerates the process for initial access. So that might be creating, as I did, an info-stealing malware, and even the spear phishing email with the link to download the malware in the first place. It might involve testing for the vulnerabilities and weak spots in an organization's systems. It might also be through establishing access through various other botnets or other types of compromising. It might be through comprised credentials and similar other types of access vectors. After that access has been gained, the pre-ransomware activity -- that initial access -- is granted to those cyber criminals. It can also then support the process of moving laterally, escalating privileges, gaining access, identifying the most valuable systems and data. And then again, with the right guidance -- and this requires quite sophisticated cyber criminal expertise -- to then help to support and fine-tune the actual malware to drive the ransomware. And that involves high sophistication in encryption, cryptography, and all sorts of other very niche cyber criminal expertise. But again, with ChatGPT, you can really optimize and accelerate that entire process using the chatbot automation. It's quite amazing really.

Dave Bittner: So to what degree do you think that this is lowering the barrier of entry for cyber criminals versus, as you say, kind of accelerating the capabilities of folks who already have some expertise in this field? Or perhaps it's both?

Delilah Schwartz: It is both. And it's both because the democratization of these generative AI tools. It's not just that they're contributing to the lower barriers of entry. It's that in tandem with a multitude of other different factors and trends that we've been noticing across the underground in recent years. That includes these initial access broken markets, which is where threat actors buy and sell their initial foothold into an enterprise's network. Also through the rise of as-a-service, and particularly ransom as-a-service, where these established, sophisticated threat actors license out their ransomware technology and infrastructure to less expert affiliates, sort of the novice cyber criminals, to then use and distribute almost as they're peddlers or foot soldiers. Which allows them to then scale their operations. It's this, the democratization by AI tools, is only one part of this trend that we've been witnessing in recent years. It's similar to saying that a 3D printer isn't going to print for you the entire gun, but it will print for you the barrel, the trigger, and, you know, all the other different components that you need to make a gun. And if you know how to put it together, or if you've made one part and someone else's 3D printer has made another part, you put it together, it's in a workable gun that you can use to then go out on the street and shoot someone. The same is with this attack chain, in particular, I was speaking about in my report, the ransomware attack chain. Generally, AI tools are not going to allow any cyber criminal to completely curate the ransomware attack chain from A-Z. But it does allow and enable lesser skilled cyber criminals to take part in forms of cybercrime that in the past were only accessible to those with higher levels of expertise. Sort of allows them to then dip their toes in this world of cybercrime and to be involved in that collaborative effort of an attack, as it quite often is. Whereas there's not usually one cyber criminal that's responsible for every component of an attack chain. There's a lot of people have their expertise in different fields. And it allows these lesser skilled cyber criminals to take part in the wider cybercrime enterprise and makes even the novice cyber criminals be involved in very intense and highly damaging attacks.

Dave Bittner: That's Delilah Schwartz from Cybersixgill.

Dave Bittner: There's a lot more to this conversation. If you want to hear more, head on over to the CyberWire Pro and sign up for "interview selects," where you'll get access to this and many more extended interviews.

Dave Bittner: And I'm pleased to welcome back to the show Eric Goldstein. He is executive assistant director for Cybersecurity at the Cybersecurity and Infrastructure Security Agency. Eric, welcome back to the show. I want to focus today on this notion of stopping the threat itself -- that particular direction that you all come to this mission from. Can we start with some high-level stuff here? I mean, how do you and your colleagues there at CISA come at it from this direction?

Eric Goldstein: Absolutely, Dave. First of all, it's great to be back with you and the team. You know, one of the biggest challenges that we face in cybersecurity as a community, as a nation, is really stepping back and answering the question, what are adversaries doing on American networks today? How are they breaking into American networks? How are they achieving their goals? Where are they focusing their efforts? And so many organizations, public and private, have pieces of that puzzle; have the ability to identify that activity targeting certain networks. And of course, there's cyber security companies doing extraordinary work in this space, but none of us have the full tapestry. Which really makes it hard for us to say, is the problem getting better and getting worse? And so one of our real focus areas is advancing what we call "operational visibility." Which is our ability to work with the community to really get that broad understanding of, what are adversaries focusing on; how are they achieving their goals; and then how can we stop them? And that's a combination of us getting visibility at CISA through our own detections, our own sensors, but most critically, by partnering with those who have national, even global visibility, and sharing those insights so together we can make that tapestry be a reality and actually drive investment in the right controls.

Dave Bittner: Can you give us a sense for the spectrum of the cyber threat landscape that you all are keeping an eye on here?

Eric Goldstein: Absolutely. You know, it really has to be divided, I think, by intent. We see nation-state adversaries -- of course, Russia, China, Iran among them -- who are seeking intrusions for geopolitical gain, to gain some advantage over the United States, over our allies. We, of course, have seen Russian and Chinese actors in particular take advantage of geopolitical events -- of course, in Russia's case, proximate to their criminal invasion of Ukraine -- to target entities around the world; to get access even to the stage of the possibility of future malicious acts. And then, of course, we have actors who are motivated more financially. The North Korean government is, of course, in this category, as are the myriad of criminal groups, many of which have engaged in ransomware, encryption, or exfiltration across far too many networks in this country and around the world. But we've seen really across the board that very few of these intrusions, whether a nation-state tried to achieve strategic gain or criminal group seeking financial gain, very few of these intrusions are using, for example, chains of zero-day vulnerabilities, never before seen trade craft. Most of these intrusions are really using known exploited vulnerabilities, known trade craft, misconfigurations, reused credentials. And so we know that if we can figure out the most common ways that adversaries are targeting American networks, then we can much more effectively, first of all, detect adversaries, reduce their dwell time, reduce impact of intrusions, but also drive investment in the most effective detections and controls to reduce their effectiveness over time and increase their marginal costs.

Dave Bittner: What about disruption itself, your ability to get out there and interfere with these threat actors?

Eric Goldstein: Yeah, it is such a great question, Dave. You know, the US government, of course, brings a variety of tools to the table. And the tool that CISA brings is cyber defense, right? We are focused on protecting and securing American organizations. But we work hand and gloves with our partners across government who have the ability to impose disruptive costs on our adversaries, whether our partners at US Cyber Command or in federal law enforcement, like the FBI and the US Secret Service. One thing we try to do is, when we get information about intrusion targeting an American network, sharing that information really quickly, with the permission of the victim, with our partners in government who have those authorities. The idea being that if we can build this flywheel of defense to offense such that an adversary targeting an American network sees consequences from their actions -- for example, the infrastructure being taken down hours after their intrusion being undertaken -- well, that also imposes costs. And so our idea is to make America the costliest possible target in cyberspace, whether through better defense, by turning attacks on America into actions taken against our adversaries abroad, or by other means, whether financial sanctions or diplomacy, so our adversaries simply think that American organizations are too hard a target and they do something else with their time.

Dave Bittner: How about incident response? So when something does happen, what role can CISA play after the fact?

Eric Goldstein: There's a few different roles, Dave. The first is, we do maintain that an outstanding incident response and threat hunting team that we deploy on both government and private sector networks almost always we're deploying in tandem with a private sector or third-party incident response team. And we know that, frankly, in this country, most organizations, the vast majority, are going to contact a third-party IR team for their response. That is absolutely terrific, and we encourage them to do so. At CISA, our goal really is threefold in incident response. The first goal is to make sure that if an organization needs help from the government, we are there to stand ready. We do a lot of this work with federal agencies and with state and local partners who might need unique help from the federal government, or if this organization that's being targeted by, for example, a nation-state adversary, or experiencing some unique impact. But the second and third goals are equally important. The second goal is to make sure that we are gleaning technical information from incident response around the nation, around the world, that we can rapidly share to safeguard others. So in that regard, we work really closely with third-party private sector IR firms to learn what they are learning, and with permission of their customers, glean some of that information that we can then use to populate our cybersecurity advisories, our information sharing. And the third, of course, is to understand trends in adversary activity so that when we publish guidance, we publish direction, it is actually informed on what adversaries are doing on American networks and indeed networks around the world. So that if we are saying, these controls, these mitigations are most important, that's grounded in reality; that's grounded in what we are seeing in the incident response space, and we are driving investment toward the right mitigations that reduce the most risk.

Dave Bittner: Eric Goldstein is executive assistant director for Cybersecurity at CISA. Eric, thanks so much for joining us.

Eric Goldstein: Thanks so much, Dave. Always a pleasure.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at the cyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Allen West from Akamai. We're discussing "The Dark Frost Enigma: An Unexpectedly Prevalent Botnet Author Profile." That's Research Saturday, check it out. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by Rachel Gelfand. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening, we'll see you back here next week.