The CyberWire Daily Podcast 10.11.23
Ep 1924 | 10.11.23

Cyber phases of two hybrid wars prominently feature influence operations. Rapid Reset is a novel and powerful DDoS vulnerability. Credential phishing resurgent. And a look back at Patch Tuesday.

Transcript

Dave Bittner: Cyber operations in Hamas's war, cryptocurrency as a source of funding, and Russian hacktivist auxiliaries shifting their focus. Not all influence operations involve disinformation. Rapid Reset is a novel DDoS attack. A resurgent credential phishing campaign. Ann Johnson from Afternoon Cyber Tea speaks with Ram Shankar Siva Kumar and Dr. Hyrum Anderson about the promise, peril, and impact of AI. Our own Rick Howard talks cyber intelligence in the medical vertical with Taylor Lehmann of Google. And a quick look back at Patch Tuesday.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Wednesday, October 11th, 2023.

Cyber operations in Hamas's war.

Dave Bittner: Hacktivists (and hacktivist auxiliaries) who've joined the war Hamas began against Israel Saturday have claimed widespread and substantial damage to important systems, but so far their activities haven't extended much farther than familiar distributed denial-of-service operations and site defacements. Claims of attacks against, for example, electrical power distribution seem to be for the most part attention-getting brag. AnonGhost's compromise of the RedAlert app, designed to send attack warnings to smart phones, seems the most consequential of the cyber operations so far. Reuters summarizes the current state of hacktivist action in the war.

Dave Bittner: Most of the hacktivism has been conducted in the interest of Hamas, but at least one Israeli group--either a front group or a hacktivist auxiliary--has reemerged to take a role in the conflict. Predatory Sparrow, known for operations against Iran, has been observed probing Iranian sites and posting warning messages, CyberScoop reports. "You think this is scary?" the messaging said, in Farsi. "We're back. We hope you're following the events in Gaza." Iran has long been Hamas's patron, and is widely suspected of having provided both planning and logistical support to the Hamas operation.

Dave Bittner: Many have asked how Hamas achieved operational surprise Saturday. The reasons are surely complex, but some of the success must be charged to effective operations security. Hamas evaded Israeli cyber and electronic collection by simply "going dark," as Bloomberg puts it. They stayed off their devices and conducted business face-to-face in small cells.

Not all influence operations involve disinformation.

Dave Bittner: The most prominent cyber phases of the war so far have been influence operations, many of them conducted on behalf of Hamas, or serving interests only tangentially related to the war. An example of the latter is the Russian narrative falsely asserting that Ukraine had supplied Hamas. Other bogus reports appearing online have included posting and mislabeling of old video and even video from online games as representing breaking events in the war.

Dave Bittner: Much of the influence doesn't involve disinformation. The New York Times has an overview of how Hamas has posted, often to X, the platform formerly known as Twitter, images of its atrocities against civilian victims in Israel. These are intended as both expressions of triumph and as incitement to further atrocities. 

Dave Bittner: X has been widely criticized for its failure to screen, filter, rate, or otherwise effectively moderate content. Changes to X's content moderation policies have, CNN reports, more-or-less adopted celebrity as a standard of newsworthiness, and largely abandoned attempts to expose coordinated inauthenticity. A European commissioner has written X to warn the platform that its failures in this respect may constitute a violation of the European Union's Digital Services Act. 

Dave Bittner: Content moderation is always in an uneasy relationship with free expression, but X seems to many to have slipped in the direction of the inflammatory and the misleading.

Cryptocurrency as a source of Hamas funding.

Dave Bittner: Lahav 433, the Israeli police cyber unit, has frozen cryptocurrency assets connected to Hamas. Hamas has been actively soliciting donations in its social media accounts since attacking Israel on Saturday. Decentralized finance in general and cryptocurrencies in particular have long seen their clearest use case in the transmission of remittances, and such remittances have been flowing to Hamas for some time. Quartz reports that Bitcoin and Tether have been used to deliver millions to Hamas, which many governments, including the U.S. Government, have formally designated a terrorist organization. Citing research by Elliptic and BitOK, the Wall Street Journal reports that tens of millions of dollars in cryptocurrency have been delivered to Hamas, Palestinian Islamic Jihad, and Hezbollah since 2021. Hamas alone received some $21 million between 2021 and June of this year. The cryptocurrency accounts were used not only to raise money, but to move funds within the organization.

Russian hacktivist auxiliaries shift their focus from Ukraine to Gaza and Israel.

Dave Bittner: Hamas's attacks against Israeli civilians, with the horrific casualties they've produced and engendered, have shifted the attention of many hacktivists and hacktivist auxiliaries from their customary preoccupations (including Russia's war against Ukraine) to the new war in the Middle East. The Guardian, citing research by CyberCX, reports that early signs of this involve influence campaigns. "At least 30 groups ideologically aligned with Russia, Ukraine, India, Pakistan and Bangladesh had shifted their messaging on social media," the Guardian writes. The Russian auxiliaries can be expected to use the war between Israel and Hamas as a pretext to hit targets they're already interested in. KillNet and Anonymous Sudan are the most prominent such groups to have announced their support for Hamas.

Novel DDoS attack: Rapid Reset.

Dave Bittner: CISA, the US Cybersecurity and Infrastructure Security Agency, warns that a vulnerability affecting the HTTP/2 protocol (CVE-2023-44487) is being exploited in the wild to conduct very large distributed denial-of-service (DDoS) attacks. The vulnerability is known as "Rapid Reset." Some of the major vendors who’ve issued patches or mitigations against Rapid Reset include: Cloudflare, Google, AWS, NGINX, and Microsoft.

Dave Bittner: CISA also recommends that organizations review the agency's earlier guidance, "Understanding and Responding to Distributed Denial of Service Attacks."

Dave Bittner: The attacks are so far not attributed to any particular threat actor, the Washington Post reports, but they've been remarkable for their ability to generate large request floods from relatively modest botnets.

Resurgent credential phishing campaign.

Dave Bittner: Cofense is tracking a new phishing campaign that’s abusing LinkedIn Smart Links to evade security measures, BleepingComputer reports. Smart Links are a LinkedIn Sales Navigator feature designed to track engagement for marketing purposes. Cofense explains, “While Smart Links in phishing campaigns are nothing new, Cofense identified an anomaly of over 800 emails of various subject themes, such as financial, document, security, and general notification lures, reaching users’ inboxes across multiple industries containing over 80 unique LinkedIn Smart Links. These links can come from newly created or previously compromised LinkedIn business accounts.” The goal of the campaign is credential harvesting.

Patch Tuesday overview.

Dave Bittner: And finally, we end with a quick look at some of the more significant patches issued yesterday during October’s Patch Tuesday.

Dave Bittner: Microsoft has issued patches for more than one hundred vulnerabilities affecting Windows, three of which are being exploited in the wild, SecurityWeek reports. One of the exploited flaws, CVE-2023-36563, affects WordPad, and “could allow the disclosure of NTLM hashes.” Another actively exploited bug (CVE-2023-41763) impacts Skype for Business, and could lead to privilege escalation.

Dave Bittner: Adobe has patched critical flaws affecting several of its products, including Adobe Commerce, Magento Open Source, and Photoshop, SecurityWeek says.

Dave Bittner: Citrix has issued patches for numerous vulnerabilities affecting NetScaler ADC, NetScaler Gateway, and Citrix Hypervisor.

Dave Bittner: So it’s a good time to review your systems and upgrade what needs upgrading.

Dave Bittner: Coming up after the break, Ann Johnson from the "Afternoon Cyber Tea" podcast speaks with Ram Shankar Siva Kumar and Dr. Hyrum Anderson about the promise, peril, and impact of AI. Our own Rick Howard talks cyber intelligence in the medical vertical with Taylor Lehmann of Google. Stay with us.

Dave Bittner: The CyberWire's Chief Security Officer, Rick Howard, recently connected with Taylor Lehmann of Google at the mWISE 2023 Cybersecurity Conference. They discussed cyber intelligence in the medical vertical. Here's their conversation.

Rick Howard: A couple of weeks ago, Mandiant, now part of Google Cloud, hosted the mWISE Cyber Threat Intelligence Security Conference at the Washington D.C. Convention Center. I met with Taylor Lehmann, a Director in the Office of the CISO at Google Cloud, and the Alphabet Enterprise Health Security Officer. Taylor was a busy man at the Conference, hosting panels and giving presentations. He spoke with Mustapha Kebbeh, who came in as the CSO for a company called UKG to clean up after a ransomware attack and discovered the cascading effect of the software supply chain. Brian Cincera, the CISO of Pfizer, who before the pandemic was just another CISO in the healthcare vertical, but after it was the CISO for a company that produced the COVID-19 vaccine that would potentially save the world. And, wow, what are the security implications of that? And finally, he brought in the Deputy CISOs of three large healthcare companies who focus on their internal supply chains. I started out by asking Taylor about the ransomware attack at UKG.

Taylor Lehmann: He started that role over a year ago, coming in after a pretty impactful breach that resulted in their systems going down for about six weeks. And having some interesting sort of effects on its customers, interesting in being not interesting cool, but interesting probably unforeseen. For example, timeclocks at hospitals didn't work. Actually, I didn't mention this earlier, but that New York MTA, the Metro Transit Authority that runs the subways, their timeclocks didn't work. Their employees ended up suing their employer.

Rick Howard: So, let me get this straight, they break into a hospital and break into the timeclock situation, and it affects all the timeclocks of that manufacturer, is that what happened?

Taylor Lehmann: Central Services appeared.

Rick Howard: Wow.

Taylor Lehmann: I don't have all the details, but the Central Services running all of that infrastructure were basically encrypted, taken over by a threat actor who was unhappy that they weren't able to, I'm sure they wanted to do more, but the thing that they could end up doing was taking these clocks and some other systems down, holding them for ransom, and then, causing these downstream impacts.

Rick Howard: So, Mr. Kebbeh comes in and he has to fix this after it's already been done.

Taylor Lehmann: That's the talk.

Rick Howard: Yeah.

Taylor Lehmann: Is how did you even begin to approach that.

Rick Howard: That is fascinating.

Taylor Lehmann: And so, what's still going on. And we go from everywhere from recovering from the attack to rebuilding customer trust. And it's an interesting story.

Rick Howard: So, the second thing, are you doing a presentation next? It's called Leadership in Defending the Planet's Healthcare System.

Taylor Lehmann: Yes.

Rick Howard: That's you mano a mano on the ground.

Taylor Lehmann: Yeah, so the secret to being good at conferences is not having slides or doing presentations, it's more getting other smart people to sit next to you. And then, be, hey, he's by proxy, this person's interesting so, therefore, I'm interesting.

Rick Howard: Really, yeah.

Taylor Lehmann: So, that's my whole strategy. So, hopefully, the podcast listeners won't copy me because it's mine. But, no.

Rick Howard: The secret is everybody does that. I'm just saying.

Taylor Lehmann: Yeah, I know, I wanted credit. No, so the talk this afternoon is with Brian Cincera, who's the CISO at Pfizer. I've known Brian for years. He and I were on the Board of the Health-ISAC together pre-pandemic. And we worked on a couple of really interesting healthcare problems. Anyway, Brian and I are going to be talking about sort of framing the conversation starting in like March of 2020, if you recall what we were all doing.

Rick Howard: What?

Taylor Lehmann: Sheltering in place, hiding in our houses.

Rick Howard: Did something happen, I don't remember, yeah.

Taylor Lehmann: Yeah so, we were all sort of leaving RSA and the world shut down two weeks after that, and basically a month and a half later, Pfizer was sitting on this sort of first trials of what would then become the vaccine. And so, while it wasn't the first vaccine produced, it was probably the most sort of globally visible and impactful vaccine that was created. And of course, Pfizer had a big role to play in that. So, the topic Brian is really focused on, like take me back to that time where you went from not saving the world to basically having a medicine that eventually would.

Rick Howard: Wow.

Taylor Lehmann: And so, how did that change how you thought about your job? How did that change about your team and your role and your purpose? And then, bring me through what was it like? How did you see the attacks and threats change from what they were prior to people knowing you had that capability to then, you had it? And then, the manufacturing and all sort of the downstream things that you had to now think about to basically get shots into people's arms?

Rick Howard: Yeah, that raises the bar a little bit. Because we all think what we do is important, but here's a world-changing thing that your company's trying to do, and how do you protect that.

Taylor Lehmann: Yeah, there's a few of us in healthcare who think our job is basically to do that.

Rick Howard: Yeah.

Taylor Lehmann: Like that's why we choose this particular industry and this profession.

Rick Howard: Amazing.

Taylor Lehmann: Is because it impacts people's lives.

Rick Howard: The last thing we're going to do is called the Deep Blue End, what's that one?

Taylor Lehmann: Okay so, that's a fun one. I've got the Deputy CISOs from GSK, HCA Healthcare or GSK is GlaxoSmithKline, HCA Healthcare and 3M. And they all play a really interesting role in the healthcare supply chain. So, 3M manufacturing, technology, a lot of their equipment runs and automates infrastructure and manufacturing systems that produce drugs. HCA is basically the largest for-profit health system in the world. They treated the most patients during COVID out of any health system. And GlaxoSmithKline is a pharmaceutical company that produces drugs and therapies to treat people. So, the idea with that talk is to, how do these three important players in healthcare work together. What kinds of threats do they uniquely face? And then, as a group, that they all face, and how do they defend against it? And it's really a talk about how do these groups innovate through working with each other, and then, with their customers around solving healthcare problems at scale when they cross these three subsiders.

Dave Bittner: That's our own Rick Howard speaking with Taylor Lehmann from Google. Ann Johnson is host of "The Afternoon Cyber Tea" podcast right here on the CyberWire Podcast Network. In this excerpt from a recent episode, she speaks with Ram Shankar Siva Kumar and Dr. Hyrum Anderson about the promise, peril, and impact of AI.

Ann Johnson: Today I am joined by Dr. Hyrum Anderson and Ram Shankar Siva Kumar, who are co-authors, and congratulations, guys, the co-authors of the book "Not with a Bug, but with a Sticker." Hyrum is currently CTO at Robust Intelligence, an AI integrity platform and solutions provider. Hyrum's technical career has focused on security, having directed research projects at MIT Lincoln Laboratory, Sandia National Labs, FireEye, and as chief scientist at Endgame and principal architect of trustworthy machine learning at Microsoft. Hyrum also co-founded and co-organizes the Conference on Applied Machine Learning and Information Security, ML Security Evasion Competition, and the ML Model Attribution Challenge. That's a lot. Ram Shankar is a self-described data cowboy here at Microsoft with his work focusing on the intersection of machine learning and security. He is the founder of Microsoft's AI Red Team, which brings together an interdisciplinary group of researchers and engineers to proactively attack AI systems, and defend them from attacks. I am really excited to welcome both of you, Hyrum and Ram. Ram, I want to start with you on this question. You underscore some of the most impressive and important AI powered advances in business, in science, and society, because it's not just about technology, right? And I'm sure since the book's published, there have been even more groundbreaking discoveries. Can you help paint the picture of what AI might be able to do for the world? What massive changes and problems it can help solve?

Ram Shankar Siva Kumar: Absolutely. For me, as I was working with Hyrum on this book, it really, we think of Tesla and we think about Facebook and we think about Google as the forefront of folks who are working in AI systems. And we think of them as they're the ones who are commonly identified as the AI vanguards. But for me, it was super surprising to know that Hershey's is using AI to kind of like identify the ideal number of twists in Twizzlers. You've got McDonald's kind of using AI to optimize their supply chain. So, things that you may not think about, your chicken nuggets, is almost powered by AI, I would like to think so. But it really is no longer this piece of technology that's only relegated to the people who are creating it, but democratized completely across the board. And that's really the interesting aspect. We have invited this technology that we really don't understand what the risk is, but we see massive economic gains around it. And that is a very interesting proposition. Like here's something that people still do not know what the consequences are, but has pervaded everything from the time that I wake up to the time that, from driving my car to work, to kind of like doing my work, and going back home and unwinding with Netflix. There's like every part of it is touched by this like transformational technology. And the question that Hyrum and I kind of try to tease out in the book is, great, this system is now absolutely essential to our world. What does it mean for an adversary to go after it?

Ann Johnson: So, Hyrum, a few pages later in the book, you're quick to point out the peril of AI. In an excerpt, "In AI We Overtrust", it's important, of course as AI goes more mainstream, that everyone from researchers and technologists to everyday people understand its limitations. From what it can and can't do, what it should and shouldn't do. Hyrum, can you help unpack that for our audience? Why is that healthy skepticism about AI so important? And why should we continue to have skepticism?

Hyrum Anderson: Yeah, Ann, thanks. And listen, Ram and I both are optimists, especially when it comes to the utility of AI to make a better world, to make a more convenient world for us. And so, when we talk about "In AI We Overtrust", I think that the basic thing to remember is that when AI is trained, it's trained to do one thing pretty good. And when it does that one thing pretty good, we often ascribe its ability in areas it was never designed to perform well in. So, this is one element of people relying on AI. We rely on it for one thing, an example would be relying on a robot to give directions, as was in our book. In a normal situation, it turns out that, because we gained this reliance and trust in this certain situation, we tend to overtrust it when we depart from the normal behavior that the robot was trained to do. So surprisingly, this automation bias that we have extends to AI in a way that we need to be careful about.

Dave Bittner: You can subscribe to "The Afternoon Cyber Tea" podcast wherever you get your podcasts and on our website, thecyberwire.com. And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500, and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.