A quick look at some threats from China and North Korea, some engaged in collection, some in theft. BlackCat and other ransomware operators. And a view of cyberwar from Ukraine’s SSU.
Dave Bittner: Cyber threats trending from East Asia. The Lazarus Group is suspected in the CoinEx crypto theft. Pig butchering, enabled by cryptocurrency. BlackCat is active against Azure storage. a Ukrainian view of cyber warfare. A US-Canadian water commission deals with a ransomware attack. Eric Goldstein from CISA shares insights on cyber threats from China. Neil Serebryany of Calypso explains the policies, tools and safeguards in place to enable the safe use of generative AI. And more details emerge in the Las Vegas casinos’ ransomware incidents. Danny Ocean, call your office.
Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Monday, September 18th, 2023.
Cyber threats trending from East Asia.
Dave Bittner: Microsoft describes the cyber capabilities of the Chinese and North Korean governments, finding that Chinese influence operations have grown more effective over the past year: “China-aligned social media networks have engaged directly with authentic users on social media, targeted specific candidates in content about US elections, and posed as American voters. Separately, China’s state-affiliated multilingual social media influencer initiative has successfully engaged target audiences in at least 40 languages and grown its audience to over 103 million.”
Dave Bittner: The researchers note that China’s cyber operations in 2023 have primarily focused on countries surrounding the South China Sea, the US defense industrial base (especially satellite communications and telecommunications infrastructure in Guam), and US critical infrastructure.
Dave Bittner: North Korean cyber operations have increased in sophistication over the past year, and Microsoft says Pyongyang’s threat actors seem particularly interested in stealing information related to maritime technology research.
Dave Bittner: A note in full disclosure: Microsoft is a CyberWire partner.
Lazarus Group suspected in CoinEx crypto theft.
Dave Bittner: Pyongyang is also interested in direct theft of funds, in this case, cryptocurrency. Researchers at Elliptic believe North Korea’s Lazarus Group is responsible for the theft of $31 million worth of cryptocurrency from CoinEx last week, the Record reports. Elliptic stated, “Elliptic analysis confirms that some of the funds stolen from CoinEx were sent to an address which was used by the Lazarus group to launder funds stolen from Stake.com, albeit on a different blockchain....Elliptic has observed this mixing of funds from separate hacks before from Lazarus, most recently when funds stolen from Stake.com overlapped with funds stolen from Atomic Wallet.”
Pig butchering, enabled by cryptocurrency.
Dave Bittner: Sophos outlines a pig-butchering (or “sha zhu pan”) scam campaign that attempts to trick victims into investing cryptocurrency in a phony liquidity pool: “Fake pools use smart contracts that give the scammers access to their targets’ wallets. They may deposit cryptocurrencies into wallets to give the illusion of gains, or deposit counterfeit cryptocurrencies that have deceptive names and no inherent value. The websites used to link wallets in these scams will display data promising daily payouts, and showing the victim’s mounting but fake profits.”
Dave Bittner: The scammers in this case are targeting users of dating apps. Dating apps have been a common field for "pig-butchering," which is criminal cant for a long-running targeted scam in which the scammers cultivate a bogus online relationship with an individual victim, metaphorically fattening the victim up for the kill.
BlackCat active against Azure storage.
Dave Bittner: BleepingComputer reports that the BlackCat ransomware gang is using the newly discovered Sphynx encryptor in attacks against Azure cloud storage. Researchers at Sophos describe one of these attacks, observed in August:
Dave Bittner: “The threat actors were able to gain access to the customer's Azure portal, where they obtained the Azure key required to access the storage account programmatically. The adversary encoded the keys using base-64 and inserted them into the ransomware binary with execution command lines....During the intrusion, the threat actors were observed leveraging various RMM tools (AnyDesk, Splashtop, and Atera), and using Chrome to access the target's installed LastPass vault via the browser extension, where they obtained the OTP for accessing the target's Sophos Central account, which is used by customers to manage their Sophos products.”
US-Canadian water commission deals with a ransomware attack.
Dave Bittner: There is in fact an ongoing ransomware attack against infrastructure, and while there’s no ocean in it, there’s plenty of water.
Dave Bittner: The International Joint Commission (ICJ), an organization that handles water issues along the Canada–United States border, has experienced a ransomware attack. The Commission has disclosed few details, telling the Record “The International Joint Commission has experienced a cyber security incident. The organization is taking measures to investigate and resolve the situation.”
Dave Bittner: The NoEscape ransomware gang claimed responsibility for the attack, saying it's taken 80 GB of sensitive data, which it will begin leaking if its demands aren't met. The data are said to include contracts, legal documents, personal information belonging to people associated with the ICJ, financial data, insurance information, geological files, and "much other confidential and sensitive information.”
Dave Bittner: NoEscape said in its leak notice (sounding more like a comic book villain than Danny Ocean ever did), “If management continues to remain silent and does not take the step to negotiate with us, all data will be published. We have more than 50,000 confidential files, and if they become public, a new wave of problems will be colossal. For now, we will not disclose this data or operate with it, but if you continue to lie further, you know what awaits you."
A Ukrainian view of cyber warfare.
Dave Bittner: SIGNAL reports that Illia Vitiuk, head of the Cyber Security Department in the Security Service of Ukraine (SSU), offered a perspective on cyber warfare at the Billington CyberSecurity Summit. “What are the three main objectives of cyber attacks?" Vitiuk asked, rhetorically. "First, is to gather important intelligence; second, is destructive—when you destroy systems, digital systems and cause direct damage; and third, is psychological effect."
Dave Bittner: He also dismissed the notion that Russia's hacktivists were genuinely what they represent themselves to be. "All of these groups like Killnet, Anonymous and Cyber Army of Russia with Deep Rock, etc, etc., we do believe that these are all groups created or orchestrated by the [Russian intelligence agency] GRU.”
Dave Bittner: So the hacktivists, like so many front groups before them, are often run by the Russian security and intelligence units.
Casinos' vulnerability to social engineering highlighted in recent attacks.
Dave Bittner: The Las Vegas Review-Journal notes that the MGM ransomware incident was accomplished by fraud, not by sophisticated attack code. While this particular incident has been attributed to a cyber gang, and obviously had a significant effect on MGM Resorts' IT infrastructure, it's the latest in what's been a rough patch of fraud for Las Vegas resorts and casinos. The IT disruptions continued into the weekend (the Review-Journal in another article reports that MGM's slots were operating on a strictly cash basis on Saturday) MGM Resorts has restored much of its online presence. The company says many of its properties were unaffected by the incident, and that it's working to restore full service.
Dave Bittner: Wired argues that, while there seems to be an element of frivolity in the attention high-profile incidents like the attacks against MGM Resorts and Caesars Entertainment attract, nonetheless such attention drives awareness, response, and sometimes effective public policy. Wired quotes Lesley Carhart, director of incident response at Dragos, which specializes in industrial cybersecurity: “Attacks against casinos are dramatic and draw attention. We have whole movie and TV franchises about casino heists." Ocean’s Eleven is about a casino heist. No one is making movies about shutting down an assembly line. Carhart adds, “A lot of life-impacting attacks on critical infrastructure and health care occur far less visibly, and therefore, they aren't an easy draw for mass media. I do not think this is an issue with cybersecurity or even media in its entirety—it is a human psychology issue. We've had that problem for a long time in the industrial-control system cybersecurity space where attacks could really mean life or death, but are not a great story.”
Dave Bittner: Or at least not one that’s likely to be made into a movie starring…wait a minute, let me consult IMDB…Frank Sinatra as Danny Ocean, with Dean Martin, Sammy Davis Jr., Peter Lawford, Richard Conte, Joey Bishop, Henry Silva, Buddy Lester, Richard Benedict, Norman Fell, and Clem Harvey, and last but certainly not least Angie Dickinson. Sure, the remake with George Clooney and Julia Roberts is worth a look, but for our money? We’ll stick with the original.
Dave Bittner: Coming up after the break, Eric Goldstein from CISA shares insights on cyber threats from China, Neil Serebryany of Calypso explains the policies, tools, and safeguards in place to enable the safe use of generative AI. Stay with us. [ Music ] Ever since generative AI tools like ChatGPT captured the general public's imagination, enterprise security folks have been faced with the challenge of balancing users' desire to make use of what are potentially huge time-saving tools versus the security risks that come with them. Neil Serebryany is founder and CEO of Calypso AI. And I checked in with him for insights on finding the right balance.
Neil Serebryany: Everyone who had spent the last couple of years on the machine learning side of the house knew that the underlying frameworks and techniques, the transformer architecture, was not new in any way. It had been out for five years. But you finally had a product that just seemed magical to the broad public. And because the product seemed so magical, 10 times better than anything that had existed prior, it got to the fastest adoption of any product in human history. So a combination of excitement to see that happen and also the worry that comes with knowing of what this entire new risk surface means for everyone.
Dave Bittner: I can imagine, you know, you and your colleagues being kind of like Dr. Ian Malcolm in Jurassic Park, you know, with an understanding of what's going on, but also the worry of what could possibly happen here.
Neil Serebryany: Yeah, that's exactly right. We spent over four years now focused on the risks in AI. And it's been really interesting to see what's happened over the last couple of years. You know, at first, like most kind of cybersecurity oriented threats, the threat surface as well as the attacks were really occurring with some of the most sophisticated actors out there, really, what I would describe at this, you know, nation-state or near nation-state level. And in the last couple of years, we've gone from, you know, these really, really sophisticated organizations being the ones that are leveraging these tools to now communities on Twitter that are popularizing ways to jailbreak or evade these models and sort of the rise of the proverbial script kiddie in the context of AI attacks and AI risks.
Dave Bittner: You know, we've seen a spectrum of responses from organizations to these tools. You know, some of them are embracing them, and at the other end, some are outright banning them. What do you think is a reasonable approach here?
Neil Serebryany: So ultimately, it starts with what is the impact of the technology on your organization? On a medium to long-term basis, organizations are going to have to embrace these technologies for the sole reason that it increases productivity to such a degree, as the McKinsey study recently pointed out, in terms of the 4.5 trillion in worldwide economic impact a year, that they will need these tools, or their competitors will outpace them. In the short to medium-term, it's around how are you defining the security risks inside of your organization; how are you defining the mitigations, the controls that you want to put in place; and how are you rolling out these technologies in a secure way? So I would say a combination of the understanding that we need these technologies, combined with putting in place a smart risk posture.
Dave Bittner: It strikes me that this is the kind of technology that is really susceptible to shadow IT here. You know, if your employees see the potential here of them being able to be more efficient at their jobs, and the technical folks in the organization put up roadblocks, those employees are likely to find a way around that.
Neil Serebryany: Correct. And that's why what you need to do is is not just outright, you know, block these technologies but figure out how do you enable your employees and your teams to use them in a secure manner. I almost think of it, you know, to use another analogy here, as sort of, you know, when everyone started using smartphones, and suddenly you had all of these enterprise security questions around, my employees, you know, want to have their work email on their smartphones. How do I enable that? How do I allow that? How do I put in place the controls to be able to do that securely? Except that this is at a much more kind of massive and perhaps more kind of impact full-scale than folks using their own personal smartphones or iPads or other devices.
Dave Bittner: Do you have any practical tips for folks who are looking for ways to come at this; any words of wisdom?
Neil Serebryany: So a couple of words of wisdom. Number one: The most common risk posture that we've seen is to block ChatGPT and LLM usage entirely. Our recommendation would be, as you start your kind of phased unlock, to be able to start with individual groups or smaller subsets of employees inside of your organization and test out what are the controls, what are the risks, that you want to put in place. Meaning, go and, you know, crawl, walk, and then run, in terms of what you're doing inside of your organization. Two: Understand what the policies that you want to put in place are, and then figure out what the technical controls are -- whether they're products from external vendors like ours, or whether they're policy-driven. And then third: You know, also experiment with what are the use cases inside of your enterprise. Ultimately a lot of the value unlock from these technologies is going to come from the integration of these technologies into enterprise apps provided by external vendors and also enterprise apps that you're building internally. Understand what those are. Understand where the risks lie. And understand what you want your strategy to be.
Dave Bittner: That's Neil Serebryany from Calypso AI. [ Music ] And joining me once again is Eric Goldstein. He is executive assistant director at CISA. Eric, it's always my pleasure to welcome you back to the show. I would love to touch base with you today on the cyber threat that our nation sees from China, specifically, and some of the efforts that you and your colleagues there at CISA have taken on to address that.
Eric Goldstein: Thanks so much, Dave. It's really good to be here. And this is a really important topic, so it's a privilege to be on discussing it. And, you know, many of your listeners might've seen, with perhaps some alarm, a recent assessment by the Office of the Director of National Intelligence, which noted that China represents the broadest, most active and persistent cyber threat, and it's capable of launching cyberattacks that could disrupt critical infrastructure within the US. That's a pretty stark statement. And at CISA, as the nation's cyber defense agency, we are taking this really seriously on a number of fronts. With our partners, we recently released a report on Chinese actors living off the land. This was done with great work with our partners at NSA and other agencies. And the way to read this advisory is the extraordinary sophistication of Chinese actors and the threat that that poses to organizations across sectors. And then to read that in intersection with the intent that's described in the ODNI's Annual Threat Assessment. And so what we are confronting is an adversary that may have the intent to launch destructive attacks in the future against US assets, with an actor that is extraordinarily sophisticated and using techniques like living off the land, which are very hard to detect and in fact require a different approach to cybersecurity than just looking for known indicators of compromise -- malware and the like. And so that's why we have stood up a new Office of China Operations within CISA and hired an experienced leader, a gentleman named Andrew Scott, who brings to bear extraordinary expertise in this area, to ensure that we as an agency and we as a country have a strategy and roadmap against this possible threat.
Dave Bittner: And what will be some of the things that that office will be focused on?
Eric Goldstein: You know, really the main goal is to make sure that we are providing critical infrastructure entities across sectors, with a clear understanding of the threat as it evolves, the tactics, techniques, and procedures that we are seeing and anticipating, and then the specific steps that can be taken in response. And really importantly here, we know that cyber defense is not going to be the only tool that we have here. We know that we also need to focus on resilience. So we know we are not going to prevent every possible intrusion, and we need to focus on detecting more quickly, responding more quickly, and most importantly, ensuring that if there is an intrusion, we can recover critical functions as quickly as possible.
Dave Bittner: You know, I think a lot of folks when looking at Russia's invasion of Ukraine and the cyberattacks there, they're thinking that perhaps Russia underperformed relative to where we thought their capabilities were. I'm curious, how confident are you and your colleagues in your assessment of where we stand with China?
Eric Goldstein: You know, it is very hard to speculate the intent of any given adversary. But we do know that, as documented in the DNI's public Annual Threat Assessment, certainly the prospect exists that particularly around a future geopolitical conflict, Chinese cyber actors may have the intent and almost certainly have the capability to launch destructive attacks. And so it is our duty at CISA as well as every owner-operator's duty to make sure that we are prepared for that eventuality. And if it does not manifest, all to the better. If it does manifest, we have to say that we've done everything possible to be ready and ensure that the services upon which all Americans depend are secure and resilient under all conditions. That's why we brought in Andrew to lead a small team. It's a new position in the organization within our cybersecurity division intended to bring together and cohere all of our disparate activities against this threat to make sure that we're making needed progress.
Dave Bittner: All right, well, Eric Goldstein is executive assistant director at CISA. Eric, thanks so much for joining us.
Eric Goldstein: Thanks so much, Dave. And I'll just note, if listeners want to learn more, they can visit cisa.gov/china.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at the cyberwire.com. We'd love to know what you think of this podcast. You can email us at firstname.lastname@example.org. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.