The CyberWire Daily Podcast 6.14.23
Ep 1844 | 6.14.23

A Joint Advisory on LockBit. AI chatbots: the grammarians of tomorrow. KillNet makes a deal with the Devil (Sec). The private-sector’s piece in the hybrid war puzzle.

Transcript

Dave Bittner: The Five Eyes, alongside a couple of allies, issue a LockBit advisory. AI aids in proofreading phishing attacks. Anonymous Sudan mounts nuisance-level DDoS attacks against US companies. France alleges a disinformation campaign conducted by Russian actors. KillNet says it's partnered with the less-well-known Devil Sec. The private cybersecurity industry's effect on the war in Ukraine. Carole Theriault ponders oversharing on social media. Our guest is Duncan Jones from Quantinuum on the threats of Harvest Now, Decrypt Later tactics. And a note on this month's Patch Tuesday.

Dave Bittner: I'm Dave Bittner with your CyberWire "Intel Briefing" for Wednesday, June 14, 2023.

Five Eyes (plus two) issue a LockBit advisory.

Dave Bittner: A Joint Cybersecurity Advisory on the LockBit advanced persistent threat group was issued this morning by cooperating agencies in Australia, Canada, France, Germany, New Zealand, the United Kingdom, and the United States. The document warns of the group's prominence as the most active ransomware group and ransomware-as-a-service provider of 2022. The advisory gives detailed and actionable information on how organizations can defend themselves against LockBit ransomware operators. Check out the advisory and see how you can apply it.

AI-generated phishing attacks.

Dave Bittner: Abnormal Security warns that attackers continue to abuse generative AI platforms like ChatGPT to craft convincing phishing e-mails. Abnormal has observed numerous types of phishing attacks that use grammatically correct AI-generated templates. The researchers observed a targeted BEC attack that was assisted by AI to impersonate vendors, which are said to be among the most successful personas for attackers. After all, conversations about invoices and payments are commonplace between vendor and customer, and they're accustomed to seeing money change hands.

Anonymous Sudan mounts nuisance-level DDoS attacks against US companies.

Dave Bittner: Anonymous Sudan is continuing its DDoS attacks on US companies with a new campaign against shipper UPS. Their attack seems to have started around 6:00 PM Eastern Time on June 12th and continued for about two hours. Today, Anonymous Sudan attacked LinkedIn. As of right now, the hacktivists have paused their attack claiming they're satisfied with its results. The DDoS efforts are said to be intended to dissuade the US government from intervening in any way in the current Sudan crisis. And they follow US Secretary of State Antony Blinken's announcement that the US would be imposing visa restrictions and economic sanctions on Sudan.

France alleges Russian disinformation campaign.

Dave Bittner: French authorities report that Russian actors attempted to plant and amplify disinformation using in part spoofed pages misrepresenting themselves as major news outlets. Bloomberg reports that France's Ministry of Foreign Affairs uncovered a coordinated campaign using fake pages impersonating media outlets like Le Monde, 20 minutes, and Le Parisien, among others. Foreign Minister Catherine Colonna condemned the actions in a statement saying that they are unworthy of a permanent member of the United Nations Security Council. She continues saying that, "No attempt at manipulation will distract France from its support for Ukraine in the face of Russia's war of aggression."

KillNet says it's partnered with the less-well-known Devil Sec.

Dave Bittner: Turning to a familiar hacktivist auxiliary acting in the cause of Russia, we've been reading KillNet's Telegram feed. KillNet spokesperson Killmilk announced today that after the group's most recent operational pause, it will begin cyber actions against Ukraine and NATO. KillNet brings with it a new partnership with Devil Sec, supposedly a Turkey-based ransomware group which seems to focus on targeting NATO countries, Israel, and Ukraine. Devil Sec's Telegram page was created in June 2022 but began hosting stories of Devil Sec's cyber activities only recently, on May 26 of 2023. Devil Sec claims to have hacked the Bank of America, offering website data for the low, low price of $5,000. The group also claims to have stolen 1.5 million Kuwaiti citizenship documents on June 5th. Devil Sec advertises its tools for sale, as well as free downloads of various tools to utilize exploits. The vulnerability is described as a DOM-based reflected cross-site scripting vulnerability in Elementor's website builder plug-in. This partnership with Devil Sec, should it be real, appears to represent a change of pace for KillNet, which had previously focused on DDoS campaigns. In the moderately unlikely event that Devil Sec lives up to its own hype, the two cooperating groups could become more than just a nuisance, if their partnership is real and lasts long enough to actually be productive.

The private cybersecurity industry's effect on the war in Ukraine.

Dave Bittner: The war in Ukraine has people recognizing the actions of Western countries in sending ammunition and machines of war. But what many don't realize is that private industries have been just as instrumental to the defense of Ukraine as governmental arms support. Yesterday, the R Street Institute held a conference to discuss the impact of private cybersecurity firms on the war in Ukraine.

Patch Tuesday, June 2023.

Dave Bittner: And finally, a quick note about Patch Tuesday, which this month fell yesterday. Microsoft and Adobe have both issued patches for critical vulnerabilities. Microsoft patched six critical flaws, none of which appear to have been exploited in the wild, SecurityWeek reports. Four of these bugs could lead to remote code execution, says Naked Security. Adobe has patched 12 vulnerabilities in Adobe Commerce that could lead to arbitrary code execution, security feature bypass, and arbitrary file system read. Magento Open Source is also affected by these flaws. As usual, apply the updates per vendor instructions.

Dave Bittner: Coming up after the break, Carole Theriault ponders oversharing on social media. Our guest is Duncan Jones from Quantinuum on the threats of Harvest Now, Decrypt Later tactics. Stay with us.

Dave Bittner: Quantum computers are growing more capable and practical, and with that comes growing concern that what is safely encrypted today could be easily cracked tomorrow, a tactic sometimes referred to as Harvest Now, Decrypt Later. For a reality check on this, I spoke with Duncan Jones, head of quantum cybersecurity at Quantinuum.

Duncan Jones: We recognize that in the not too distant future, perhaps about ten years from now, we could be in a position where quantum computers are able to break some of the encryption systems that we use today. Things like RSA, for example. Now the instinctive thought to have about that is, you know, "I should get myself ready, so that in ten years' time, I'm safe." But what people have begun to realize is that these attacks can occur retrospectively. And by that, I mean something as simple as this conversation now is being protected by algorithms that will be vulnerable to attack by a quantum computer. And nothing stops an attacker from recording this conversation that we're having. It will be an encrypted conversation, so today they can't break into it and understand what we were talking about. But in ten years' time, they would be able to do that, potentially, on a quantum computer. And so this is the idea of hacking now, as in getting access today to something that is encrypted with a vulnerable algorithm, and then decrypting it in the future on a quantum computer.

Dave Bittner: And so it kind of addresses that notion that if I encrypt everything at rest, if the bad guys get a hold of my data, it doesn't matter because it's encrypted. Well, that... it may not be a forward-looking thought.

Duncan Jones: Yeah, it violates the idea that simply by encrypting things, you're definitely safe. Now there is some nuance here, because a lot of times when people think about encryption, they think about what's living on their hard disk being encrypted. And if somebody stole the hard disk, you know, their data is safe. And actually, in that setting, your data probably is safe against a quantum computer, because we use different types of encryption for different use cases. So what is typically called data-at-rest encryption, which would be like the hard disk example, that tends to use algorithms that are safe against quantum computers. Things like AES, for which quantum computers will only gain a marginal advantage versus typical computers.

Dave Bittner: Hm.

Duncan Jones: It's more the data-in-transit use cases that are vulnerable. So this is when you share something with somebody else around the world. It doesn't just have to be, you know, a conversation like this. It could be a transmission of data from an in-country agent back to their, you know, the intelligence community in their homeland, for example. So there's some really important, sensitive stuff that moves around the world, and it's that data that is at risk. But I agree that most people still think that is perfectly safe today, but maybe that's not a correct viewpoint to have.

Dave Bittner: Well, when I've heard folks talk about this, it primarily is about espionage. As you say, it's, you know, state secrets and that sort of thing. An adversary will gather up data with the hope that someday in the future, they'll be able to decrypt it. Should folks be concerned about this or to what degree should folks be concerned about this from a pure business point of view?

Duncan Jones: I think we should be realistic and recognize that to conduct an attack like this requires significant planning and resources. And it's not practical for somebody to record entire encrypted, you know, instant emissions from the United States with a view to decrypting it all later. So there's clearly going to be some degree of targeting to these attacks. I do think espionage type use cases are particularly at risk. But equally, many large organizations share sensitive information that will still have value in ten-plus years, and so I wouldn't rest easy if I was in the security team of a major organization. I think those teams should consider themselves potentially at risk, as well, for IP theft. Or for, you know, the same motivations that might lead somebody to try to deploy ransomware, for example, might encourage a more patient attacker to adopt this sort of approach, as well. So I would say governments, intelligence communities, and large organizations, should all be thinking about this. The typical person on the street or smaller businesses probably don't need to worry about it.

Dave Bittner: What are your recommendations then for organizations to approach this? How do they dial in an appropriate amount of concern?

Duncan Jones: Well, I think the first step many organizations haven't yet taken but do need to take is to assess their risk versus this threat. It doesn't require wholesale panic, but people do need to pause and reflect on: do we have data that falls into that category of stuff that is really existential for our business, and would be damaging or super-valuable to somebody else if it was uncovered in ten to 15 years' time? So that's step one, just even to consider, "Am I in scope for this?" Assuming that you decide that you are, then there's really now an urgency coming, a reason to act. One of the things that's holding people up at the moment is that the newer quantum-resistant algorithms that are being standardized right now are not yet standardized. So I was at RSA last week and listening to a chat from NIST, who were confirming their plans to release draft standards this summer and final standards early next year. So it's very close, but we're not there yet. So I would say that anybody who is nervous that they fall into scope for this sort of attack, they need to be paying very close attention to the standardization process. And they should probably start experimenting. So if they build their systems themselves, they need to start experimenting with these algorithms, trying to build them in, getting ready for that sort of change, because they need to change very soon. And if they buy in their systems and they rely on things from third parties, they should now, today, be knocking on the door of those vendors and asking them: What is their plan for moving to quantum-safe algorithms? What is the timeline? And really impressing upon them the urgency that they feel to start protecting their data with quantum-safe algorithms.

Dave Bittner: That's Duncan Jones from Quantinuum.

Dave Bittner: Be honest. Do you tend to overshare on social media? Lots of us do. Our UK correspondent, Carole Theriault, looks into this reality. She files this report.

Carole Theriault: So there I was, perusing cybercrime news, when I came across some research from the University of East Anglia in the UK about why we Internet users are so flipping vulnerable to cybercrime. Now according to this recent study, people tend to disclose more personal information online when asked the same question multiple times. And the worry is that that leaves us more vulnerable to identity theft and cybercrime. Now according to Dr. Piers Fleming, the lead researcher at the University of East Anglia's School of Psychology, we're continuously being bombarded with requests for our personal details, and it's true. Think about it. Comparison sites, travel bookings, insurance, mortgage, loan applications, subscription requests, dating sites, quizzes, customer surveys. It's endless. One, it's big money when it comes to advertisers and business partners. Two, it helps reduce fraud and increase organizational efficiency. And three, it can unearth friends that can significantly impact a company's bottom line. And let's be frank. If we are willing to share our personal information for free, why wouldn't these companies capitalize on it? The motivation behind this research from the University of East Anglia was to better understand the reasons why people share significant amounts of personal information, especially on social media platforms, without taking adequate measures to protect their accounts from unauthorized access. And it seems that, according to the University's initial findings, the repeated requests for personal information from advertisers, and marketers, and social media experts are designed to increase our compliance. So my takeaway here is, well, nothing new, really, but it's a fresh way to look at an old problem. Don't overshare online, even if you feel blasé after every darn site online is pounding you with questions. Just think twice and make sure that the information you want to share is being shared with the people you want to have it. This was Carole Theriault for the CyberWire.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our "Daily Briefing" at thecyberwire.com. We'd love to know what you think of this podcast. You can e-mail us at cyberwire@ntk.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cyber security. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector. As well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin, and senior producer, Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman. The show was written by Rachel Gelfand. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.