The CyberWire Daily Podcast 9.29.23
Ep 1917 | 9.29.23

Malicious ads in a chatbot. A vulnerability gets some clarification. Cl0p switches from Tor to torrents. Influence operations as an adjunct to WMD. And NSA’s new AI Security Center.

Transcript

Dave Bittner: Malicious ads in a chatbot. Google provides clarification on a recent vulnerability. Cl0p switches from Tor to torrents. Influence operations as an adjunct to weapons of mass destruction. Our guest Jeffrey Wells, former Maryland cyber czar and partner at Sigma7, shares his thoughts on what the looming US government shutdown will mean for the nation’s cybersecurity. Tim Eades from Cyber Mentor Fund discussing the three who’s a cybersecurity entrepreneur needs to consider. And NSA has a new AI Security Center.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Friday, September 29th, 2023.

Malicious ads in a chatbot.

Dave Bittner: Researchers at Malwarebytes warn that Microsoft’s AI chatbot Bing Chat can be abused to serve malicious ads. When the tool is used to search for a service, it may offer sponsored results similar to those seen at the top of a regular search engine query. In this case, Malwarebytes says “the malicious actor hacked into the ad account of a legitimate Australian business and created two malicious ads, one targeting network admins (Advanced IP Scanner) and another lawyers (MyCase law manager).” The links led to spoofed websites designed to trick users into downloading malware.

A vulnerability gets some clarification.

Dave Bittner: Google has updated its account of a vulnerability, and issued a patch to address exploitation in the wild. TechCrunch reports that what had formerly been perceived as a vulnerability in Chromium is in fact a problem with the open-source libwebp library used by Chromium developers.

Dave Bittner: Researchers at Huntress are tracking CVE-2023-4863, a critical heap buffer overflow vulnerability in the libwebp library used by Chromium. Libwebp is widely used by applications for supporting the WebP image format. The vulnerability’s description says the flaw has been exploited by a “remote attacker to perform an out of bounds memory write via a crafted HTML page.”

Dave Bittner: Huntress notes, “A full list of affected software is still unknown at this time. Any software that uses the vulnerable library is likely affected. Due to the prolific use of libwebp as a software library, the attack surface of this vulnerability is likely extensive. The patch to libwebp 1.3.2 fixes this issue upstream of its implementation. However, any software that ships with libwebp is potentially vulnerable.”

Dave Bittner: The researchers add, “Right now, the most prudent step to take is to update any web browsers and ensure you have a solid software inventory that includes software versions. Being able to quickly identify where you have vulnerable versions of software as patches are released will greatly reduce your risk.”

Cl0p switches from Tor to torrents.

Dave Bittner: The Cl0p ransomware gang, Palo Alto Networks' Unit 42 reports, has moved away from posting stolen files to a Tor dump site in favor of releasing them in torrents. It's a quicker way of moving large amounts of data, and thus a faster way of pressuring victims into paying extortion demands, but speed and convenience come, as they so often do, at the cost of security.

Dave Bittner: Cl0p was an early criminal adopter of double-extortion ransomware attacks, stealing data and threatening their release to increase the pressure on victims. The threat of doxing is in addition to the classic ransomware approach of encrypting victims' data and offering a decryptor in exchange for ransom payment. (Many gangs now skip the encryption and move directly to the doxing.) Tor can be slow and relatively inaccessible, and Cl0p found it slowed down the gang's ability to crowd the large number of victims it accumulated during exploitation of MOVEit vulnerabilities. Hence the shift to torrents.

Dave Bittner: The downside for Cl0p is that the gang's operations are now more susceptible to inspection. "In this case, the result of this research is a handful of hosting servers out of Russia that hold enormous amounts of stolen victim data. We can expect much more to come in the following weeks."

Influence operations as an adjunct to nuclear, biological, and chemical preparation and deterrence.

Dave Bittner: The US Strategy for Countering Weapons of Mass Destruction published yesterday was informed in part by observation of Russia's war against Ukraine. "Competitors seek to achieve multi-domain effects through activities across cyber, space, and terrestrial domains with WMD-related information and advanced systems. Specifically, both the PRC [People's Republic of China] and Russia have obfuscated the truth and reinforced their preferred false narratives through disinformation. Russia has employed disinformation to deny Russian and Syrian chemical weapons use, justify its invasion of Ukraine, and falsely accuse the United States and Ukraine of violating the BWC. The PRC reiterates and reinforces Russian disinformation efforts and uses disinformation to justify territorial claims and to assert that the COVID-19 pandemic originated with the U.S. military. These actions result in a more complex and entangled problem set."

Dave Bittner: The strategy also notes that "the PRC and Russia have also proven adept at manipulating the information space to inhibit attribution of its activities, to reduce trust and confidence in the effectiveness of countermeasure, and to potentially slow decision-making following WMD use." China is seen as the "pacing threat," Russia as the "acute threat."

NSA will establish an AI Security Center.

Dave Bittner: And, finally, as artificial intelligence becomes increasingly important to national security, the US will form an organization devoted to the secure use of AI in national security systems and in the defense industrial base that supplies them.

Dave Bittner: The Director of the US National Security Agency, General Paul Nakasone, announced this week that NSA will establish a new AI Security Center. Its mission will be to help keep the US ahead of foreign peer competitors in the use of AI.

Dave Bittner: Breaking Defense quotes General Nakasone as saying, “The AI Security Center will become NSA’s focal point for leveraging foreign intelligence insights, contributing to the development of best practices, guidelines, principles, evaluation methodology and risk frameworks for AI security, with an end goal of promoting the secure development, integration and adoption of AI capabilities within our national security systems and our defense industrial base.”

Dave Bittner: General Nakasone offered a brief account of what AI security actually means. “AI security is about protecting AI systems from learning, doing and revealing the wrong thing. It is a set of practices to protect AI systems and lifecycles from digital attacks, theft and damage. We must build a robust understanding of AI vulnerabilities, foreign intelligence threats to these AI systems and ways to counter the threat in order to have AI security. We must also ensure that malicious foreign actors can’t steal America’s innovative AI capabilities to do so.”

Dave Bittner: Thus the AI Security Center has a protective mission. It will be housed within NSA’s Cybersecurity Collaboration Center, and it is expected to work closely with interagency and private sector partners. The Center’s size and leadership, the Record says, are yet to be announced.

Dave Bittner: In the meantime, welcome, then, to Fort Meade’s latest tenant.

Dave Bittner: Coming up after the break, Jeffrey Wells from Sigma7 shares his thoughts on what the looming US Government shutdown will mean for the nation's cybersecurity. Tim Eades from Cyber Mentor Fund explains the three who's a cybersecurity entrepreneur needs to consider. Stay with us. [ Music ] [ Music ] It is my pleasure to welcome to the show, Jeffrey Wells. He is a partner at Sigma7, also formerly Maryland's cyber czar, and a founding partner at NIST. Jeffrey, thank you so much for joining us.

Jeffrey Wells: Thanks, Dave. It's a pleasure to be here this morning.

Dave Bittner: So, as you and I get together here today, it is the morning of Friday, September 29th, and the potential government shutdown is looming large here. Can we start off with just your take? What are the odds that we're actually going to see a shutdown here, in your estimation?

Jeffrey Wells: I think we're 99% going to. Unless there's some sort of last-minute miracle, I think the shutdown is inevitable at this point.

Dave Bittner: Yeah.

Jeffrey Wells: Yeah. Everything I've seen and heard last night in DC, you know, it doesn't look like there's any movement.

Dave Bittner: Well, let's talk about the potential implications of that. For the folks who are tasked with defending our nation's cybersecurity, where does that leave us?

Jeffrey Wells: Unfortunately, it does not leave us in a great position. I think we can liken the shutdown as a tool. And its impact both on government and then the ripple effects to commerce and the risk, bit like extortionware at the moment. You know, it is -- this is going to hit CISA incredibly hard. Somebody told me last night that, you know, 80% of CISA employees will be furloughed, which leaves somewhere around 500 employees to maintain operations. And that's an incredible challenge for those 500 employees. But also, you know, they're not being paid during that period. Sure, at some point, when the government comes back into business and is operational, they'll, you know, they'll get back pay, most likely. But the morale of trying to defend and be responsible for sharing information and, you know, which CISA is in charge of cybersecurity and infrastructure security, that's a pretty heavy load for 500 individuals. And then that you start to think about that as a ripple effect is, you know, our national intelligence. NSA, you know, will have individuals that are furloughed. This happened back in, you know, 2017, 2018. And it's going to take an incredibly long time for business and government to recover because of the great work that, and I really do call it great work, that CISA and the US Government have done over the last couple of years to ensure that information sharing takes place. And with the shutdown, there will be no information sharing, or it's going to be incredibly challenging. And I think it's going to feel much like a ransomware or an extortionware attack where everyone is going to feel incredibly under-resourced, over-tasked, and incredibly tired, and underappreciated.

Dave Bittner: I've heard folks say that President Biden could come at this by making the folks at CISA part of critical infrastructure, saying -- similar to the way folks in the TSA work through a shutdown like this. Do you have any insights there?

Jeffrey Wells: Yeah, technically, he could. Not inside of CISA there. You know, the contingency plans and response plans that CISA has, you know, is a bit of a challenge. And to understand completely what that would mean, you know, would he be able to say that all of them are or that, you know, more than those 500? Then I guess thinking a little bit bigger beyond CISA is, you know, what does the President or, you know, what can the White House really do is start deeming everything critical? And so the shutdown really doesn't happen. Or, you know, it becomes even more of a push and pull between the Hill and the White House for who's critical. And, you know, we've defined what critical is so that we can operate kind of on a skeleton crew. But I just sort of have kind of mixed feelings that sure, yeah, but when -- where do you stop with those exceptions? And, you know, it's not just CISA. It goes beyond, you know, CISA to FBI to really all of the information security operations across the government enterprise. And then, you know, to the ISACs and then kind of beyond to the federal funding that enables the information sharing and some of the operations. Again, where do you draw that line? I'm not the president or the work of the White House. Don't have to make those decisions. But, you know, I don't think that we should be in a position to make those decisions. We shouldn't be having to deal with this extortion, really, you know. And not to get political, but this is an extortion situation.

Dave Bittner: If I'm a bad actor or working for one of our adversaries out there, am I looking at this as a potential opportunity?

Jeffrey Wells: Yes. Putting on my chief evil officer hat, especially as a nation-state or criminal threat actor, I would be looking at this as a real opportunity to take advantage of the fact that, again, people will be under resourced both at the government level as well as the commercial level because, you know, that information is shared that, you know, this is an opportunity to expand on programs that, you know, are vulnerabilities that have already been taken advantage of. You know, just think of, you know, kind of, I was thinking last night of Volt Typhoon, you know, times, you know, exponential growth over the next, you know, 10 days. If I was a, you know, a threat actor operating, you know, out of a particular country on the Black Sea, you know, I would be looking at ways to exploit this to my advantage. And there just are a lot of vulnerabilities that the government shutdown creates, again, coming back to resources and information, which are two of the greatest tools that organizations, both US Government and private sector, have at their ready to be able to address those. You know, I think if they've been sitting in environments while I heard someone mention to me this morning they were told not to look at their government-issued device while they were furloughed. You know, there were others who had said, kind of look at it occasionally to see if there's something urgent, you know, which -- You know, is that between, you know, three and four o'clock on a Friday? I don't know. But yeah, the guidance isn't, yeah, very clear. And so in this chaos, you know, could kind of come back to Sun Tzu or Clausewitzian, is let's take advantage of it. And I would be, you know, utilizing every tool in my APT toolkit to try to take advantage of our government shutdown.

Dave Bittner: Yeah, all right. Jeffrey Wells is a partner in Sigma7. He is former Maryland cyber czar and also a founding partner at NIST. Jeffrey, thank you so much for joining us.

Jeffrey Wells: Hey, thank you for having me, David. You have yourself a wonderful weekend. And let's hope this ends quickly. [ Music ]

Dave Bittner: And it is my pleasure to welcome back to the show, Tim Eades. He is the Co-Founder of the Cyber Mentor Fund and a serial entrepreneur. Tim, welcome back to the show.

Tim Eades: Dave, great to be here. I love doing these podcasts. It's fantastic.

Dave Bittner: Well, it's great to have you back. I know today we've got an interesting topic to share here. We're talking about the three W's, three who's, as you describe them. Unpack what we're talking about here today, Tim.

Tim Eades: Yeah, I mean, I've been an investor in cybersecurity companies and advising them for 20 years. Obviously, I just started my fourth one. And we have Cyber Mentor Fund that I'm a co-founder of. So we look at a bunch of different cybersecurity companies, and we see them kind of grow. We're seeing a trend of what some of them do wrong that I think is worth talking about. They kind of lose sight. The ones that lose their way lose sight of what I refer to as the three who's. And the three who's are these: Who's your economic buyer? Who's the guy who's going to write the check? Who's your technical recommender, right? Who actually gives the architectural blessing? And then who actually operates the product? Success is never a straight line in a startup. But if you lose sight of those three things, it's very, very difficult to build a company. Sometimes, you'll find them that the three who's are in, at a very large bank, in very different departments or very different organizations. In which case, it's very difficult to get a sales momentum, any sales momentum into your sales cycle into your business. But what we find is, if you keep, you know, who is your economic buyer, who is your technical recommender, and who's your operator top of mind, and don't say the CISO, right? The CISO does so much. Who in his organization owns it? Or, you know, or not. But you have to get those ownership principles or those three who's right. Otherwise, it's very difficult to build a business.

Dave Bittner: Does it come to pass sometimes that these three who's aren't aligned? That they could be in conflict with each other?

Tim Eades: Not so much conflict if they are, but they, if the sales -- if the sales team and the product team and the CEO and, you know, the startup doesn't know who they are, you'll get lost, right? You end up building products that are incomplete. You'll end up building things that are, you know, almost it has three heads as opposed to just one. And what you'll find is, let's say you're going to build a product that is in the firewall business, right? You know, you need the guy who buys the firewalls, the guy who sets the policy on the firewalls, and the guy who operates the firewalls. If you're in the identity business, and you are the identity access management, there's an identity access management architect, there's the identity access buyer, and there's the operator of the tools. You know, I know this sounds simple, but lots of startups lose that. And it's a real trick question when you're going to look to a startup and you're about to meet them or invest in them is, who are the three who's? And it's, particularly in the enterprise world, it's a great question to ask.

Dave Bittner: Can we dig in a little bit on this notion of who operates the product? Because that really strikes me as being key here. I can imagine the short-sighted view of saying, you know, we've got to make this sale. So we're going to target the person who purchases something. But then that might not be the same person who's working with it day to day.

Tim Eades: It very rarely is the same person in any organization of any real size. So, you know, if you don't know who the operator is, there's a guy that they could say no to your business. You don't know how familiar he is with the competitive products or the legacy products. But you've got to be, you know, live a day in the life. So, as you build the product, as you build the user interface, you want to make sure that the operator of the product has a fantastic experience. I mean, the best example of this, actually, if you go all the way back to the early days of Palo Alto Networks, Panorama, their user interface, was legendary. Because the people that just knew it, and loved it, and built it sprung to the early days for the same thing. But some of these people, some of the startups these days, can't answer the question, who is your day-to-day operator of the product?

Dave Bittner: How do you recommend that organizations kind of dial this in? Who do they focus on? How do they set their priorities?

Tim Eades: Well, it's up to the startup to understand as they go through their little phases of, you know, seed funding to A to B to C to D to keep this notion front and center, to keep the operator, what the three who's, in particular, the operator. Because what happens is that the operator level, in particular, they will share information between other operators. And they can give you really good operating feedback on how to operationalize the technology. So it's a good model if you can keep that sense.

Dave Bittner: All right. Well, it's certainly something interesting to consider. Tim Eades, thanks so much for joining us. [ Music ] [ Music ] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's "Research Saturday" and my conversation with David Liebenberg from Cisco Talos. We're discussing their discovery of cracked Microsoft Windows software being downloaded by enterprise users all over the world. That's "Research Saturday." Check it out. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our Mixer is Trey Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our Executive Editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.