The CyberWire Daily Podcast 9.8.23
Ep 1902 | 9.8.23

Apple issues an emergency patch. Aerospace sector under attack. DPRK spearsphishes security researchers. Notes from the hybrid war, including Starlink’s judgments on jus in bello.

Transcript

Dave Bittner: Apple issues emergency patches. "Multiple nation-state actors" target the aerospace sector. The DPRK targets security researchers. SpaceX interrupted service to block a Ukrainian attack against Russian naval units last year. The International Criminal Court will prosecute cyber war crimes. Operation KleptoCapture extends to professional service providers. Malek Ben Salem of Accenture ponders the long-term reliability of LLM-powered applications. Our guest is Elliott Champion from CSC on how cybercriminals are taking advantage of the Threads platform. And congratulations to the SINET 16.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Friday, September 8th, 2023.

Apple issues emergency patches.

Dave Bittner: Yesterday Apple issued three emergency patches for a vulnerability that could be exploited to install spyware. The company said in its advisories, "A maliciously crafted attachment may result in arbitrary code execution," "Apple is aware of a report that this issue may have been actively exploited." The report of active exploitation came from the University of Toronto's Citizen Lab, which found evidence that NSO Group’s Pegasus spyware was being installed in vulnerable devices through a zero-click exploit the Lab calls "BLASTPASS." The attacks used PassKit attachments sent as iMessage images. These carried the malicious payload. The patches will protect users against BLASTPASS; so will enabling Apple's Lockdown Mode on the device.

Dave Bittner: Citizen Lab found BLASTPASS on the device used by "a Washington DC-based civil society organization with international offices. Both Apple and Citizen Lab characterize this threat as "mercenary spyware," that is, it's spyware sold to a variety of actors, especially government security services, without having any essential political motivation or governmental connections. They’re pure hired guns, like the Magnificent Seven, only not as nice, or as discriminating.

"Multiple nation-state actors" target the aerospace sector.

Dave Bittner: Several nation-state actors exploited two vulnerabilities to attack an organization in the aeronautical sector, according to a joint advisory released yesterday by the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and US Cyber Command’s Cyber National Mission Force (CNMF). The threat actors gained access via vulnerabilities in Zoho ManageEngine ServiceDesk Plus and FortiOS SSL-VPN. The joint advisory includes an extensive description of the threat activity, advice on detection, and recommendations for mitigating risk. Patches for both exploits have been available since early this year.

Dave Bittner: The advisory notes, “CISA and co-sealers identified an array of threat actor activity, to include overlapping TTPs across multiple APT actors. Per the activity conducted, APT actors often scan internet-facing devices for vulnerabilities that can be easily exploited. Firewall, virtual private networks (VPNs), and other edge network infrastructure continue to be of interest to malicious cyber actors.” None of the agencies involved in the joint advisory have identified the threat actors involved in exploiting the two vulnerabilities. It's not clear whether the multiple APT actors represent different states or simply different agencies of the same state.

DPRK targets security researchers.

Dave Bittner: Google’s Threat Analysis Group warns that a North Korean threat actor has been targeting security researchers with at least one zero-day for the past several weeks. Google notified the affected vendor, and the zero-day is in the process of being patched. 

Dave Bittner: The Threat Analysis Group observes that, “Similar to the previous campaign TAG reported on, North Korean threat actors used social media sites like X (formerly Twitter) to build rapport with their targets. In one case, they carried on a months-long conversation, attempting to collaborate with a security researcher on topics of mutual interest. After initial contact via X, they moved to an encrypted messaging app such as Signal, WhatsApp, or Wire. Once a relationship was developed with a targeted researcher, the threat actors sent a malicious file that contained at least one 0-day in a popular software package.”

Dave Bittner: It’s a common approach, spearphishing with preparatory catphishing, and this time the poachers are after the gamekeepers.

SpaceX interrupted service to block a Ukrainian attack against Russian naval units last year.

Dave Bittner: The Washington Post reports, citing a new biography of Elon Musk by Walter Isaacson, that Mr. Musk directed SpaceX to interrupt local service to Ukraine in the Black Sea region with a view to interfering with a submarine drone attack against Russian targets last year. He relented in the face of appeals and protests by Ukrainian and US officials, but his actions reveal ambivalence about the war and about SpaceX's part in this and other conflicts. 

Dave Bittner: “'How am I in this war? Musk asked,' according to Isaacson. 'Starlink was not meant to be involved in wars. It was so people can watch Netflix and chill and get online for school and do peaceful things, not drone strikes.'” Mr. Musk is said to have feared that Ukrainian attacks would provoke Russian escalation, including, Computing writes, escalation to nuclear war.

Dave Bittner: Mr. Musk himself tweeted, or perhaps we should say “exed,” an explanation that, if SpaceX had continued Starlink service to Ukraine during an operation that might have sunk a significant fraction of the Black Sea Fleet, he himself would have been complicit in a major act of war. One might sympathize with a desire to stay out of a war, but the question is a complicated one. Here’s a follow-on question: does prevention of an attack on a naval unit render one responsible for the missiles that naval unit subsequently fired at cities? 

US and Ukrainian officials warn of heightened Russian offensive cyber activity.

Dave Bittner: Speaking at the 14th annual Billington CyberSecurity Summit in Washington, DC, this week, Ukrainian and US officials cautioned against thinking that Russian cyber operations were a diminishing threat. In fact, they said, Russian activity in cyberspace was picking up. Illia Vitiuk, head of cybersecurity for the Security Service of Ukraine (SBU), said that Ukrainian resilience was high. "But the problem," the Voice of America quotes him as saying, "is that our counterpart, Russia, our enemy, is constantly also evolving and searching for new ways [to attack]." The operators, Vitiuk said, aren't enthusiasts or script kiddies, but rather fully employed 9-to-5ers working directly for the Russian security and intelligence services.

Dave Bittner: The US Deputy Director of Central Intelligence, David Cohen, dismissed Russian denials of hostile action in cyberspace, and said that Moscow was increasing both its capabilities and efforts in that domain. "This is a pitched battle every day," he said. He also observed that the cyber war wasn't one-sided, and that "The Russians have been on the receiving end of a fair amount of cyberattacks being directed at them from a range of private sector actors. There have been attacks on the Russian government, some hack and leak attacks. There have been information space attacks on the TV and radio broadcasts."

Dave Bittner: So there’s much back-and-forth, but, it’s still worth noting, none of the devastating bolt from the blue attacks that were widely expected, especially from the Russian side.

The International Criminal Court will prosecute cyber war crimes.

Dave Bittner: The International Criminal Court (ICC) confirmed to WIRED that it now intends to prosecute cyber war crimes. An ICC representative said, “The Office considers that, in appropriate circumstances, conduct in cyberspace may potentially amount to war crimes, crimes against humanity, genocide, and/or the crime of aggression, and that such conduct may potentially be prosecuted before the Court where the case is sufficiently grave.”

Dave Bittner: ICC prosecutor Karim A.A. Khan explained the rationale for bringing cyber war crimes into the Court's jurisdiction in an essay, "Technology Will Not Exceed Our Humanity," published in Foreign Policy Analytics. He wrote: "Cyber warfare does not play out in the abstract. Rather, it can have a profound impact on people’s lives. Attempts to impact critical infrastructure such as medical facilities or control systems for power generation may result in immediate consequences for many, particularly the most vulnerable. Consequently, as part of its investigations, my Office will collect and review evidence of such conduct. We are likewise mindful of the misuse of the internet to amplify hate speech and disinformation, which may facilitate or even directly lead to the occurrence of atrocities." 

Dave Bittner: Khan notes that cyberspace is commonly perceived as an ambiguous gray zone, where serious harm can be worked while the actors remain below a threshold that would generally be recognized as war. The ICC is interested in clarifying that ambiguity.

Dave Bittner: The ICC doesn't explicitly mention Russia, or indeed any other actor, but WIRED reviews the many reasons for thinking that Russian activity is likely to provide the first cases. The GRU's role in pre-invasion attacks against Ukraine's power grid and in the NotPetya pseudoransomware incident are cited as examples of indiscriminate cyber warfare that may be construed as criminal.

Operation KleptoCapture extends to professional service providers.

Dave Bittner: The US Justice Department is expanding investigations under Operation KleptoCapture from its original targets--Russian oligarchs whose activities sustain Russia's war against Ukraine--to professional service providers--"lawyers, accountants and other facilitators"--who've helped the oligarchs evade sanctions. The Operation's inaugural director, Andrew Adams, who retired to private practice in July, told the Wall Street Journal that "the people who are on the list tend to be either key propagandists or tend to be people who are essentially pocketbooks for the Kremlin. Any ability to stifle the availability of that pocketbook is at least potentially useful, and I think in the mid- and long term, probably a worthwhile project."

SINET 16 announced.

Dave Bittner: And, finally, SINET has announced the 2013 winners of its annual SINET 16, a program that selects sixteen promising cybersecurity startups. You’ll find a full list of the winners in the CyberWire’s Daily Newsbriefing today. Check them out. We’ll just observe that SINET 16 winners have for years achieved a remarkable record of technical innovation and business success. Our congratulations to all sixteen of the young companies honored today.

Dave Bittner: Coming up after the break, Malek Ben Salem from Accenture ponders the long term reliability of LLM powered applications. Our guest is Elliott Champion from CSC on how cyber criminals are taking advantage of the Threads platform. Stick around. [ Music ] When Meta launched their Threads platform to great notice and fanfare, it was inevitable that crooks would be there to take advantage of the excitement. Elliott Champion is global product director for brand protection and anti-fraud at enterprise domain registrar CSC. He and his colleagues have been tracking fraud attempts related to the Threads platform.

Elliott Champion: I think Threads is really interesting because Threads in many ways is a continuation of what we've already seen from Meta in the past, but we're also seeing underlying technologies as we move into the future. Threads is a way of being able to maximize all of your potential reach to all of your different followers across the online space. Unfortunately that's also being taken up by bad actors and those using it to send various different threats to organizations and people across the internet.

Dave Bittner: And I know you and your colleagues at CSC have been tracking this. What are some of the things that you all are looking at?

Elliott Champion: Yep. So there's -- I think it's a really good time to talk about it as well because they're actually just releasing the browser version of Threads. It was previously just an app. So we were all using the app to search and research. But so we looked from June to July and we looked at the top 25 Interbrand lists. That's where we were looking at all of the brands that you and I know and love and interact with every day. And we were looking for different types of threats, any of these types that are there. What we found was that 84% of those brands had multiple different types of attacks ranging from brand fraud, URL, and other different redirect threats. So typically in traditional cases the many people would probably know would be the brand attack. So we have trademark infringements, copyrights, thus impersonations in some sort of way. They're indistinguishable from an official account. Then you then have fraud attacks. Those are phishing where they're aiming to collect data, information, or access. And then finally what was really interesting is also then how these networks interconnect with each other. So then how these then extend out into the domain name ecosystem through redirects or shortened URLs.

Dave Bittner: You know, whenever something new like this pops up and captures the public's imagination, the scammers aren't very far behind. Are we seeing the run of the mill kinds of things here or is there something specific about Threads that makes it particularly attractive?

Elliott Champion: I think, well, it's new, and I think a lot of bad actors are going to, as you say, always use the new innovations, the new tools that are at their disposal. And we are seeing the typical sets of different types of attacks. As I said, you know, the typical brand fraud attacks. Phishing attacks. What we've seen, though, is that they've really jumped into that space and tried to take hold of all of the kind of green space that's there to be able to be taken. All the profiles, the posts, any opportunity that they possibly can to take all of those. So we've seen a real push into official accounts. And then from those official accounts they've been taken up by the bad actors rather than the legitimate organizations.

Dave Bittner: So for folks who are tasked with defending their organizations against these sorts of things, what are your recommendations?

Elliott Champion: Yeah. So really I would suggest looking at a number of different ways of routinely monitoring and enforcing and making sure that you're looking for a variety of different types of attacks that are on these platforms. Social networks, it's really interesting. You see a typical life cycle of social networks where there's a new popular one and there's really no easy way of being able to get things taken down. The good thing about Meta and Threads is that they already have a really good solid IPR portal already there. So it's responsive, easy to use. Any brand owner can -- can sign up for that. And then that allows you to be able to do effective take down across ads, commerce, accounts, and various other posts. So from a brand and security perspective, it's a good platform.

Dave Bittner: That's a really interesting point because people go to Threads to consume the content that is there rather than, you know, bringing it in house.

Elliott Champion: Yeah. Absolutely. And I think that also ties into a lot of the broader implications that Threads has as well as this underlying technology. You know, Threads is going to be different because of what Meta wants it to be. They do not want it to be a copy of Instagram or Facebook. Their plans are to use the -- a completely different underlying protocol for the future of Web 3.

Dave Bittner: It's interesting too, as you mentioned, that I suppose Threads has an advantage here with all of the existing infrastructure and the lessons that Meta has learned along the way.

Elliott Champion: Yeah. Absolutely. And it's a really, really straightforward way of being able to get these things down. You know, you can imagine as a brand team or a security team you find these cases, these attacks, that you know are being weaponized through these platforms. You want to make sure that you can get them down as quickly as possible. And, as I say, through the typical life cycle of a network, you'll typically see a new platform that will come in. They don't have these procedures in place. Why would they not have these procedures in place? Well, it's not really their first priority. Their priority is to grow and to -- to gather as much attention as they possibly can, as many users and activity as possible. But the good thing about Threads is that they're essentially extending out their Meta's IPR portal. And, as I say, that's really responsive, easy to use. We find them as a -- as a really helpful partner in being able to remove content quickly.

Dave Bittner: Can we touch just quickly on the notion of brand protection itself? What sort of things should organizations be focused on here?

Elliott Champion: Yeah. I think it's really important that people look at various different types of monitoring and enforcing strategies. We covered monitoring earlier, making sure you're covering the domain and space, social media, and others. But it's also really important to make sure that you have effective enforcement strategies in place. Take downs are as much an art as a science. You want to look at lots of different ways that you can take down an individual website. That could be at the ISP level, the registrar level. You could be looking at the individual registrant information unless that's under privacy protection. You want to find the way of being able to neutralize these various different threats very quickly.

Dave Bittner: That's Elliott Champion from CSC. [ Music ] There's a lot more to this conversation. If you want to hear more, head on over to the CyberWire pro and sign up for interview selects where you'll get access to this and many more extended interviews. [ Music ] And I'm pleased to be joined once again by Malek Ben Salem. She is the managing director for security and emerging technology at Accenture. Malek, it's great to have you back. We've been tracking these LLM powered applications, and certainly they've captured lots of people's imagination, but I've seen stories that there may be issues with the long term reliability of them. Sort of a -- I don't know. Collapsing under their own recursive weight, if you will. You've had your eye on this, haven't you?

Malek Ben Salem: Yes. Absolutely. I think there's a lot of excitement about the use of, you know, LLMs and leveraging them for potential or various use cases within enterprises. And a lot of focus has been on the accuracy of the output of these LLM models. And less focus has been given to how reliable they are over time. Most recently there has been research published around the performance of certain GPT XX models and the research has shown that the performance of those models has drifted, you know, between back in March and, you know, later in the year. So the ability to recognize prime numbers or the ability to, you know, come up with safe answers for certain questions has significantly changed. And in some cases for the better, and in other cases for the worst. But as -- as my clients are designing and thinking about use cases for deploying these LLM models, you know, as part of larger applications, they need to think through and plan and design for monitoring the capability of these models over time or the output of these models over time. That is something that we have been used to when using machine learning models, machine learning applications. We're used to this concept of concept drift. Right? Where -- where the evolution of data may invalidate the data model over time. And therefore we need to retrain the model or so over time if the performance degrades. Now with these LLM models most clients are consuming them from third party vendors. They don't have the control over those models. They cannot retrain them. But at the very least they need to pay attention to their performance over time. They need to recognize that it will change. And if it changes, what that means is, you know, if you're building an application around this LLM model, you may need to change the prompts that you're feeding to that model, that you're sending to that -- to that model in order to get the right output. So you need to be aware of those changes. The changes may not be changes to the model's capabilities themselves. I think some researchers -- some researchers noted this that, you know, the capability of the LLM or large language model may not change, but its behavior changes because of fine tuning the model to certain tasks, but for the end user, for my clients, who have no control over the underlying model, that's the same. It doesn't matter if the capability is changing or the behavior is changing. The end result is the same. And therefore they need, number one, to monitor for that change, and have processes in place to update their applications, to retest their applications, to change, you know, the prompts they're feeding to those models if needed in order to continue to get the benefit of the use of those models over time.

Dave Bittner: Yeah. It's really fascinating, isn't it? I mean we -- we talk about these being kind of black boxes, you know, that we're -- you know, folks aren't exactly sure how it's working under the hood, but we know it works. But I guess the point you're making is that people have to factor that into their risk model that there's some variability here.

Malek Ben Salem: Absolutely. Absolutely. They need to factor that into that risk model. They need to factor it into their application development model. And application maintenance model, if you will. There needs to be a focus on application maintenance as well.

Dave Bittner: I can't help thinking, you know, since this is new technology, is it -- is it in its toddler phase? Is it in its teenager phase? And I think about my own kids as teenagers. You know, I could ask them the same question and on any given day could get a different answer depending on their mood [laughs].

Malek Ben Salem: Good point. I like the analogy [laughs].

Dave Bittner: Yeah. Yeah. All right. Well, it's certainly interesting stuff and something to keep an eye on. Malek Ben Salem, thank you for joining us.

Malek Ben Salem: Thanks for having me.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's research Saturday and my conversation with Reece Baldwin from Kasada. We're discussing their work, "No Honor Among Thieves: Unpacking a New Open Bullet Malware Campaign." That's research Saturday. Check it out. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.