Bringing AI up right: realizing its potential without its becoming a threat. (And how deepfakes might be an informational fleet-in-being.)
Dave Bittner: The Hive ransomware gang may be back, and rebranded. Coinminers exploit AWS IAM credentials. LockBit claims to have obtained sensitive information from Boeing. Ukrainian auxiliaries disrupt Internet service in Russian-occupied territory, while internet and telecoms are down in Gaza. Deepfakes have an effect even when they're not used. Joe Carrigan explains executive impersonations on social media. Our guest is David Brumley, cybersecurity professor at Carnegie Mellon and CEO of software security firm ForAllSecure, discussing spooky zero days and vulnerabilities. And President Biden releases a US Executive Order on artificial intelligence.
Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Monday, October 30th, 2023.
Dave Bittner: We begin with some notes from gangland. Cue the sirens and police whistles, please.
Hive ransomware gang may be back, and rebranded.
Dave Bittner: BleepingComputer reports that a new ransomware-as-a-service operation called “Hunters International” has surfaced, and may represent a rebranding of the Hive ransomware gang. Hive’s ransomware racket was shuttered in January 2023 after their operation was infiltrated and disrupted by the FBI and other law enforcement agencies.
Dave Bittner: Researchers have found that more than 60% of the code used by Hunters International overlaps with ransomware used by Hive. The Hunters group has denied connections to the Hive gang, however, stating, “All of the Hive source codes were sold including the website and old Golang and C versions and we are those who purchased them.”
Coinminers exploit AWS IAM credentials.
Dave Bittner: Palo Alto Networks’ Unit 42 is tracking a campaign dubbed “EleKtra-Leak,” which is performing “automated targeting of exposed identity and access management (IAM) credentials within public GitHub repositories.” The researchers note, “[T]he threat actor associated with the campaign was able to create multiple AWS Elastic Compute (EC2) instances that they used for wide-ranging and long-lasting cryptojacking operations. We believe these operations have been active for at least two years and are still active today.”
Dave Bittner: Unit 42 adds, “We found that the actor was able to detect and use the exposed IAM credentials within five minutes of their initial exposure on GitHub. This finding specifically highlights how threat actors can leverage cloud automation techniques to achieve their goals of expanding their cryptojacking operations.”
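The EleKtra-Leak finding above is that a key pushed to a public repository is picked up and used within minutes, so the only reliable control is to keep the key out of the commit in the first place. The following is an added example, not code from the CyberWire briefing or from Unit 42's report: a small scanner for AWS access key IDs and secret access keys in repository content, of the kind a pre-commit hook or CI job runs over staged files. The key formats it matches (AKIA/ASIA prefixes, 40-character secrets) are the documented AWS formats; the file contents it scans are constructed samples, and the regexes, entropy threshold and placeholder allowlist are this example's own choices.

```python
"""
Added example, not code from the CyberWire briefing or from Unit 42's report:
a small scanner for AWS credential pairs in repository content, the kind of
check a pre-commit hook or CI job can run so a key never reaches a public
repo in the first place. All file contents below are constructed samples.
"""
import math
import re
import sys
from dataclasses import dataclass

# Long-term (AKIA) and temporary (ASIA) access key IDs: 4-char prefix plus 16
# upper-case alphanumerics. Lookarounds stop partial matches inside longer tokens.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Secret access keys are 40 chars from the base64 alphabet. Alone that pattern is
# noisy, so a candidate is only reported when the line names a secret-key
# variable or sits within CONTEXT_LINES of a real access key ID.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
SECRET_HINT_RE = re.compile(r"(?i)aws[_-]?secret|secret[_-]?access[_-]?key")
HEX40_RE = re.compile(r"^[0-9a-f]{40}$")  # a 40-char hex string is almost always a git SHA-1
CONTEXT_LINES = 2
MIN_ENTROPY = 3.5  # bits per character; real secrets land well above this (assumed threshold)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str   # "access_key_id" or "secret_access_key"
    value: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for a string of one repeated character."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def is_placeholder(value: str) -> bool:
    """AWS documentation placeholders (AKIAIOSFODNN7EXAMPLE etc.) carry 'EXAMPLE'."""
    return "EXAMPLE" in value


def redact(value: str) -> str:
    """Show only enough of a credential to identify it in a report."""
    return value[:4] + "..." + value[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    lines = text.splitlines()
    findings: list[Finding] = []
    key_lines: set[int] = set()

    # Pass 1: access key IDs are distinctive enough to report on their own.
    for i, line in enumerate(lines, 1):
        for m in ACCESS_KEY_RE.finditer(line):
            if not is_placeholder(m.group(0)):
                findings.append(Finding(path, i, "access_key_id", m.group(0)))
                key_lines.add(i)

    # Pass 2: secrets only count when a variable name or a nearby key ID says so.
    for i, line in enumerate(lines, 1):
        near_key = any(abs(i - k) <= CONTEXT_LINES for k in key_lines)
        if not (near_key or SECRET_HINT_RE.search(line)):
            continue
        for m in SECRET_KEY_RE.finditer(line):
            v = m.group(0)
            if is_placeholder(v) or HEX40_RE.match(v):
                continue
            if shannon_entropy(v) < MIN_ENTROPY:
                continue
            findings.append(Finding(path, i, "secret_access_key", v))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """files maps path -> content, as a hook would read the staged files."""
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository contents (no real credentials).
SAMPLE_FILES = {
    "config/settings.py": (
        "AWS_ACCESS_KEY_ID = 'AKIAZZ2ZFAKE0TESTKEY'\n"
        "AWS_SECRET_ACCESS_KEY = '9f3K2mQp8vX1cR7tLw4bN6yH0sE5uA2dGz8jVq1Z'\n"
        "REGION = 'us-east-1'\n"
    ),
    "docs/README.md": (
        "Use AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY as in the AWS docs.\n"
        "Pinned commit: 3b1f2c9d8e7a6f5b4c3d2e1f0a9b8c7d6e5f4a3b\n"
    ),
    "tests/fixtures.ini": (
        "aws_secret_access_key = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    ),
}

if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    for f in hits:
        print(f"{f.path}:{f.line}: {f.kind} {redact(f.value)}")
    sys.exit(1 if hits else 0)  # a non-zero exit blocks the commit when run as a hook
```

Run against the samples, the scanner reports the key pair in config/settings.py and stays quiet on the documentation placeholders, the git commit hash and the all-A fixture value. A hit should block the commit; if the key has already been pushed anywhere public, the Unit 42 timing above means it has to be treated as compromised and rotated rather than merely removed from history.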
LockBit claims to have obtained sensitive information from Boeing.
Dave Bittner: The Russian ransomware gang LockBit claims to have compromised Boeing systems and taken "a tremendous amount" of sensitive information from the aerospace firm. Boeing said, according to Reuters, that it's evaluating the claims. LockBit says that if it's not paid by November 2nd, the gang will begin dumping the data publicly.
Dave Bittner: Citing security researcher Brett Callow, Security Affairs points out that LockBit has in the past not distinguished between a company and a company's vendors, and that from what's known so far, this could be a third-party incident, assuming that it turns out to be anything at all. LockBit claims to have gained access to Boeing data by exploiting a zero-day, but, again, those claims remain uncorroborated.
Dave Bittner: We’ll be watching to see how the story develops. But LockBit, assuming that they’re not just posturing and beating their chest, seems to be unusually aggressive in this case.
Ukrainian auxiliaries disrupt Internet service in Russian-occupied territory.
Dave Bittner: The Record reports that the IT Army of Ukraine conducted DDoS attacks against three Russian ISPs (Internet service providers) operating in Russian-occupied Ukrainian territory: Miranda-media, Krimtelekom, and MirTelekom. Service was up and down beginning Friday, with disruptions lasting longest in occupied Crimea. The IT Army is a true, avowed auxiliary service of the Ukrainian government, and not a deniable front group like those Russia has typically marshaled. In this case, Euromaidan Press notes that the DDoS action against the Russian ISPs was reported on 27 October by Ukraine’s Minister of Digital Transformation.
Internet and telecoms in Gaza are interrupted.
Dave Bittner: Internet and mobile telecommunications service in Gaza are largely down, the AP reports. It's in part a kinetic disruption, with infrastructure knocked out by Israeli airstrikes and artillery preparation, but some of the shutdown has been done remotely. Those aspects of the interruption showed, according to the Washington Post, some intermittent easing Sunday. Service interruptions are inconvenient for Hamas, but the service interruptions are even harder on civilians in Gaza, who are deprived not only of news, warnings, and emergency services, WIRED writes, but also of means of communicating with family. Elon Musk promised Saturday to provide Starlink connectivity to internationally recognized humanitarian organizations operating in the region. It will take some time to deliver the terminals.
Dave Bittner: Israelis in the region are also seeking "proof-of-life" for the more than two-hundred hostages taken in Hamas's initial assault, and they're looking in their desperation at such data as cellphone pings. Bloomberg reports that Israel's government is said to have recruited both NSO Group and Candiru, spyware vendors who've both been sanctioned by the US and are in bad odor elsewhere, to the war effort, possibly employing them in the search for hostages.
Dave Bittner: Cyberattacks proper have declined in frequency during the war, but have, according to Axios, increased their global reach. The Russian hacktivist front group Anonymous Sudan has said it's been working against Israel, as SecurityScorecard researchers reported, and it's also claimed it's targeting organizations in Kenya because of Kenya's support of Israel. Two other pro-Palestinian groups, Dark Storm Team and Irox Team, claim respectively (again without substantiation) to have hit Snapchat (to punish the US for its support of Israel) and various companies in Brazil (also to punish support for Israel). The hacktivists and hacktivist auxiliaries have for the most part confined their operations to distributed denial-of-service (DDoS) action.
Deepfakes have an effect even when they're not used.
Dave Bittner: Deepfakes have themselves played a negligible role in disinformation campaigns during the Israel-Hamas war, but their mere possibility has tended to cast doubt on any evidence that's presented in digital form. The New York Times describes how a potential threat has had actual effects on the climate of opinion with respect to the current war. Thus consumers of information seem to have grown less apt to receive audio and video as primitive evidence. In some respects this may be reassuring (perhaps consumers of Internet content are developing healthy critical habits), but in other respects it’s disturbing: when all content is suspect, we’ve taken up residence on the Grassy Knoll. (Conspiracy buffs will get the reference, sheeple.)
Dave Bittner: So it seems the mere possibility of deepfakes has become the informational equivalent of what theorists of naval warfare call a “fleet in being.” That is, a force that need never leave port in order to have an effect on the war. It’s an asymmetric tactic, the kind of thing a weaker force might do to influence its stronger opponent.
Dave Bittner: In the case of deepfakes, we might say that the deep hooey and bunkum need never arrive at any port. Like Port 80, for example. It’s enough, apparently, that people know, well, you know…it might.
The US Executive Order on artificial intelligence is out.
Dave Bittner: And, finally, US President Biden just this morning issued an executive order (EO) on artificial intelligence (AI). Initially available to the public in the form of a White House Fact Sheet, the EO "establishes new standards for AI safety and security, protects Americans’ privacy, advances equity and civil rights, stands up for consumers and workers, promotes innovation and competition, advances American leadership around the world, and more." The closing "and more" is seriously intended. The EO is complex and far-ranging, touching on both the risks and opportunities the family of emerging technologies presents.
Dave Bittner: Many of the provisions of the EO have little to do directly with cybersecurity proper, but those that do include a call for new standards that would promote AI safety and security, development of watermarks for AI-generated content that would help consumers assess the authenticity of the information therein, protections against AI-enabled threats to personal privacy, and guidance for government agencies’ responsible use of AI.
Dave Bittner: Interest in regulating or at least guiding the development and use of AI isn’t confined to the US. The UK is hosting a much-anticipated AI summit this week, and the United Nations has announced the formation of an AI governance advisory committee.
Dave Bittner: Be sure to join us this Thursday for our Caveat podcast, where we’ll be talking with David Brumley, cybersecurity professor at Carnegie Mellon and CEO of the software security firm, ForAllSecure. He’ll be giving us his perspective on the EO and its implications.
Dave Bittner: Coming up after the break, Joe Carrigan explains executive impersonations on social media. Our guest is David Brumley, cybersecurity professor at Carnegie Mellon and CEO of software security firm ForAllSecure, discussing spooky zero days and vulnerabilities. Stay with us if you dare. [ Music ]
Dave Bittner: On the eve of Halloween we thought it might be fun to ponder some of the most spooky exploits out there, the ones that go bump in the night and make cybersecurity experts' skin crawl. For that I checked in with David Brumley, cybersecurity professor at Carnegie Mellon and CEO of software security firm ForAllSecure. So forgive me for being a little bit on the nose here, but with Halloween looming I thought it might be fun to check in with you and talk about some of the scariest and spookiest cyber criminals and tactics that you have your eye on this year. What do you got for us here, David?
David Brumley: Well, I think the scariest and the spookiest are what I call zero click exploits. Have you heard of those?
Dave Bittner: Yes. Yes. But please explain for folks who might not be familiar.
David Brumley: Zero click exploits are really spooky. What it is is an attacker can actually exploit an iPhone just by sending you a message. You don't have to read it. You don't have to look at it. They just send it to you and they break into your phone. So that's pretty spooky.
Dave Bittner: I'd say so. And is this something that has been recognized and patched or are we still dealing with this?
David Brumley: This is something that periodically crops up. The most recent one was what's called the WebP vulnerability. WebP is an image format that Google came up with. It's lossless, meaning it preserves the image details perfectly. But there was a bug in the implementation both on iOS as well as Chrome over about the last month actually. And attackers were using this to break into iPhones. In fact, that's how we discovered it. We didn't know about the bug, but people were breaking into people's phones and some great researchers figured it out.
Dave Bittner: It's an interesting case because I think it speaks to the desire to support legacy file formats which, you know, I think it's safe to say this image format is, but that that can come with some security risks.
David Brumley: It comes with new security risks. Actually this is a newer file format, believe it or not. It's more web centric.
Dave Bittner: Okay.
David Brumley: And so you really only see it really in the web context. But it's something that more and more devices are looking at. But you're spot on that as we increase the number of formats -- you know, every time you see a new computer they boast like the latest low-energy Bluetooth or the fastest MP3 decoding or MP4. Each one of those formats introduces new risks because that software hasn't been as heavily tested.
Dave Bittner: Yeah. It's also interesting to me because I guess in my mind I categorize as an image format as being something that's kind of benign. But this proves that that's not necessarily the case.
David Brumley: I mean that's what makes it so spooky. I agree with you. You wouldn't think of an image format as being something that would lead to someone taking over your computer. Let alone not even interacting with it. But things have gotten so advanced, they're so optimized for being high quality and yet also being small, that they're quite complicated. And that's why bugs arise.
Dave Bittner: Yeah. What other things do you have your eye on here? What keeps you up at night?
David Brumley: Well, I mean on the commercial side it's always these zero click exploits. And they pop up maybe two a year or so. So there's -- we haven't seen the last. We're going to continue to see more of them. I think the other thing that keeps me up that's spooky is just when we look at the world today and how much conflict's going on. The sorts of things that we've seen in cyber attacks in the past in war, and one that always comes to mind is actually when Russia attacked the Ukraine power grid in 2016, what made that really spooky to me is the Russian operators actually took over the computers and were moving the mouse around to shut down substations. And of course the operators were trying like mad to stop it, but the Russians had taken control of their computers and the operators could do nothing about it. So what's so spooky is they were kind of making them watch as they shut down the grid. Right? You could see the mouse moving on your screen doing these malicious actions. And so that sort of thing is pretty spooky to me where this element of not just cyber compromise, but almost psychological warfare has been a growing part of the cyber scene.
Dave Bittner: It's like that old horror movie from when I was a kid, you know. The call is coming from inside the house. Right? It messes with your mind.
David Brumley: Absolutely. And of course I would be remiss not to mention the threat of AI. What AI has done has made it so easy for attackers to be able to impersonate real people and do it so effectively that I find myself even looking at messages being like, you know, who is this? Oh, I must know this person. Even though it's some scam. So I think that's one of the spooky things that unfortunately isn't going away any time soon.
Dave Bittner: Yeah. You're right. I mean it really points to the need for greater scrutiny when we're evaluating these things coming at us. It used to be that a phishing message was often marked with, you know -- bad grammar was a tell-tale sign. But I guess those days are gone.
David Brumley: Yeah. It's no longer, you know, "We've been trying to get in touch with you about your car warranty." It's, "Hi, David. How are you doing? What's it been like over the last two years? I saw that you, you know, went to Hawaii for vacation."
Dave Bittner: Right.
David Brumley: And that sort of detail really makes me think I know the person and just don't have their phone number in my phone for some reason. But it's just scammers using incredibly advanced algorithms to learn a lot of information and spam people.
Dave Bittner: Yeah. As we're coming up on the end of this year and looking forward to the next, any thoughts or words of wisdom for folks out there who are assigned the task of trying to make us safer?
David Brumley: Well, first I mean I think everyone needs to take a minute and be thankful for their IT and security people. They've got an incredibly hard job trying to prevent these attacks and track down attackers. And it's also an incredibly thankless job. It kind of seems like you can only lose. So I think that's one of the things as we're going forward. Just make sure you take time to appreciate everything that they do. The second part of that is of course do everything you can yourself to make sure you're secure. As we're going online and doing holiday shopping and all those booking trips, you just have to be vigilant that you're not reusing passwords, that your computer's up to date. All those things that we ask you to do every year you need to do every year. And it's not going to be something that we're going to stop asking people to do.
Dave Bittner: All right. Well, David Brumley is a cybersecurity professor at Carnegie Mellon and also CEO of the software security firm ForAllSecure. David, thanks so much for joining us. [ Music ]
Dave Bittner: And joining me once again is Joe Carrigan. He is from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hey there, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: Interesting article came by. This is from the folks over at Security Boulevard. This article's written by Sam Bakken and it's titled "Addressing Executive and Social Media Impersonation: Protecting Leaders that Lack an Online Presence." What's going on here, Joe?
Joe Carrigan: So this is talking about a number of people who have been impersonated online. Yet another reason social media is terrible. There's no guarantee that the person you're looking at, whose profile you're looking at, is actually that person. There are these verification programs that Facebook has, and Twitter has the Get Verified -- or X now, I guess, right? Still want to call it Twitter. They have the Get Verified fee that's $7 a month, but that's pretty simple to get around.
Dave Bittner: Right.
Joe Carrigan: But what if you don't have a social media account? Like what if you don't have any footprint with Facebook? Which I think would be smart if you were an executive. Right? That that's someplace where you don't -- you don't put yourself out there so that you don't get attacked that way. I would say, you know, once you get to that level of importance for an organization, you walk away from the things that might expose you to certain risks.
Dave Bittner: I wonder, though, like do you -- do you -- is it better to not have a profile or to have a profile that you can say, "Hey, this is the official profile of this person" even if it's not active?
Joe Carrigan: That's right. That's a good point. I would -- I would err on that -- on that -- to that side. And I would have some social media person managing a platform.
Dave Bittner: Right.
Joe Carrigan: Or managing the profile on all the platforms.
Dave Bittner: Right.
Joe Carrigan: Which I think that's a better way to do it. But one of the problems is if you don't have an account on these platforms, how do you report a fraudulent account? You don't have an in with them. Right?
Dave Bittner: Right. Right.
Joe Carrigan: Now there are companies out there who specialize in helping you to take down these fraudulent companies or fraudulent profiles. There are companies like ZeroFox and BlackCloak.
Dave Bittner: Yeah.
Joe Carrigan: That do this. That's their business model.
Dave Bittner: Right.
Joe Carrigan: And they're -- they're good at it. They have relationships with the social media companies. You can set up with these companies alerts that fire off when someone sets up an impersonation for your company or your executives or even your managers. And then they will begin the process of taking it down with the social media company and the social media companies listen to these people.
Dave Bittner: Right.
Joe Carrigan: This article also talks about how X and LinkedIn are better at taking down fraudulent sites or fraudulent profiles. Meta, not so much. Not surprised by that.
Dave Bittner: Yeah.
Joe Carrigan: They speculate that the reason they're doing -- that Meta takes longer to take down these accounts is because Meta's focusing on its own verification system and the verification of their -- once they have a verified account, they're going to take care of the verified accounts because, you know, they've put their word behind the verification.
Dave Bittner: I see.
Joe Carrigan: But in order to get the verified account you have to take a picture of yourself in the mirror with a government issued ID. I don't know if I want to give that information to Facebook. To Meta. I don't know I trust them with that.
Dave Bittner: Right.
Joe Carrigan: So yeah. If I were a C level executive I would definitely consider using a company who specializes in this kind of relationship.
Dave Bittner: Yeah.
Joe Carrigan: Because you're going to be screaming into the void by yourself.
Dave Bittner: Yeah. That's right. That's right. They list off some proactive measures to prevent this sort of impersonation. Anything catch your eye here?
Joe Carrigan: Well, one of the things they say is what we talked about earlier, and that's setting up an account and keeping control of it. You probably have a social media manager handle that. That way you don't have to worry about it. You don't have to worry about, you know, the old midnight tweet that comes out when you're feeling punchy. You know. You don't even have access to it.
Dave Bittner: [Laughs] right.
Joe Carrigan: That's probably the best thing.
Dave Bittner: Yeah. But do that land grab.
Joe Carrigan: Do that land grab. Get out there in front of it. Also there's some -- they have some links to some verification services from these different -- these different providers. So you can actually get verified with companies like Meta, LinkedIn, and Twitter. X.
Dave Bittner: Yeah. Yeah.
Joe Carrigan: When can we stop saying Twitter or X formerly Twitter? I don't know. Terrible name.
Dave Bittner: It's just yeah. X is just a bad name. That's the bottom line as far as I'm concerned. So it's -- it's frustrating because I have to, you know -- I have to say it a couple times a day. I have to say X, the platform formerly known as Twitter. It's where we are, Joe.
Joe Carrigan: Yeah.
Dave Bittner: All right. Well, again this article is from the folks over at Security Boulevard. It is addressing executive and social media impersonation. Joe Carrigan, thanks for joining us.
Joe Carrigan: My pleasure, Dave. [ Music ]
Dave Bittner: And that's the CyberWire. For links to all of today's stories check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment. I join Jason and Brian on their show for a lively discussion of the latest news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.