The beginning of an international consensus on AI governance may be emerging from Bletchley Park.
Dave Bittner: Bletchley Declaration represents a consensus starting point for AI governance. Lazarus Group prospects blockchain engineers with KANDYKORN. Boeing investigates ‘cyber incident’ affecting parts business. NodeStealer’s use in attacks against Facebook accounts. Citrix Bleed vulnerability exploited in the wild. MuddyWater spearphishes Israeli targets in the interest of Hamas. India to investigate alleged attacks on iPhones. Tim Starks from the Washington Post on the SEC’s case against SolarWinds. In today’s Threat Vector segment, David Moulton from Unit 42 is joined by Matt Kraning of the Cortex Expanse Team for a look at Attack Surface Management. And Venomous Bear rolls out some new tools.
Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Thursday, November 2nd, 2023.
Bletchley Declaration represents a consensus starting point for AI governance.
Dave Bittner: This week British Prime Minister Rishi Sunak hosted an AI Safety Summit, convening about a hundred government leaders, tech executives, and scholars. The Summit is British-led but with broad international participation. The BBC explains that Prime Minister Sunak’s plan is to make the UK a global leader in AI safety, but the Summit reached broad consensus on AI governance. It was expressed in a draft agreement, the Bletchley Declaration, which outlined two general directions for further work:
Dave Bittner: The first involves research, so the civilized world can arrive at a proper understanding of AI risk. The Declaration describes this as, "[I]dentifying AI safety risks of shared concern, building a shared scientific and evidence-based understanding of these risks, and sustaining that understanding as capabilities continue to increase, in the context of a wider global approach to understanding the impact of AI in our societies."
Dave Bittner: The second builds on the first, and involves using the results of such research to develop policies that can manage the risks the science discovers. The Declaration calls this, “[B]uilding respective risk-based policies across our countries to ensure safety in light of such risks, collaborating as appropriate while recognising our approaches may differ based on national circumstances and applicable legal frameworks. This includes, alongside increased transparency by private actors developing frontier AI capabilities, appropriate evaluation metrics, tools for safety testing, and developing relevant public sector capability and scientific research.”
Dave Bittner: The twenty-eight signatories represent the world's major cyber powers, with the exception of Russia, Iran, and North Korea, who weren’t invited. China was there, however, and they signed on.
Lazarus Group prospects blockchain engineers with KANDYKORN.
Dave Bittner: Elastic Security Labs describes an attempt by North Korea’s Lazarus Group to target blockchain engineers with a newly observed strain of macOS malware called “KANDYKORN.” The malware was delivered “via a camouflaged Python application designed and advertised as an arbitrage bot targeted at blockchain engineers.”
Dave Bittner: The researchers note, “We observed the threat actor adopting a technique we have not previously seen them use to achieve persistence on macOS, known as execution flow hijacking. The target of this attack was the widely used application Discord. The Discord application is often configured by users as a login item and launched when the system boots, making it an attractive target for takeover. HLOADER is a self-signed binary written in Swift. The purpose of this loader is to execute both the legitimate Discord bundle and .log payload, the latter of which is used to execute Mach-O binary files from memory without writing them to disk.”
Dave Bittner: The campaign has been ongoing since April 2023, and “the tools and techniques are being continuously developed.”
Dave Bittner: Halloween may be over, but as any trick-or-treater can tell you, candy corn is forever.
Boeing investigates ‘cyber incident’ affecting parts business.
Dave Bittner: Boeing has disclosed a cyber incident that affected its parts and distribution business, Reuters reports. A Boeing spokesperson stated, “This issue does not affect flight safety. We are actively investigating the incident and coordinating with law enforcement and regulatory authorities. We are notifying our customers and suppliers.”
Dave Bittner: The company didn’t specify the nature of the incident, but Reuters notes that the LockBit cybercriminal group claimed last week that it had stolen “a tremendous amount” of data from Boeing, and would leak the data if the company didn’t pay the ransom by November 2nd. The gang has since removed this threat from its website.
Update: NodeStealer used in attacks against Facebook.
Dave Bittner: Researchers at Bitdefender are tracking evolutions in NodeStealer malware campaigns. NodeStealer is an infostealer discovered in January 2023 that’s designed to steal browser cookies and take over Facebook accounts. Threat actors are now using compromised Facebook Business accounts to serve malicious ads. The ads use lewd photos to entice users into downloading a file that purports to be a photo album, but will instantly install a new version of NodeStealer. The researchers note that this version of the malware has new features that allow criminals “to obtain unlawful entry into additional platforms (Gmail and Outlook), to steal crypto wallet balances, and download additional malicious payloads.”
Citrix Bleed vulnerability exploited in the wild.
Dave Bittner: SecurityWeek reports on the ongoing mass exploitation of the Citrix Bleed vulnerability (CVE-2023-4966) affecting NetScaler ADC and NetScaler Gateway. Citrix issued patches for the flaw on October 10th, and said last week, “We now have reports of incidents consistent with session hijacking, and have received credible reports of targeted attacks exploiting this vulnerability.”
Dave Bittner: Security researcher Kevin Beaumont says at least two ransomware groups are currently exploiting the vulnerability, and one group is “distributing a python script to automate the attack chain.”
MuddyWater spearphishes Israeli targets in the interest of Hamas.
Dave Bittner: DeepInstinct has posted research on a new campaign by the Iranian threat group MuddyWater that appears to represent involvement in the cyber phases of the war between Hamas and Israel. The precise infection mechanism is unknown, but DeepInstinct believes it to have been spearphishing.
Dave Bittner: DeepInstinct writes: "In this campaign, MuddyWater employs updated TTPs. These include a new public hosting service, employing a LNK file to initiate the infection, and utilizing intermediate malware that mimics the opening of a directory while executing a new remote administration tool." The goal appears to be espionage, although battlespace preparation for subsequent attacks can't be ruled out either.
India to investigate alleged attacks on iPhones.
Dave Bittner: The Indian Computer Emergency Response Team (CERT-In) will investigate numerous opposition leaders’ claims that they had been notified by Apple that their phones were targeted by state-sponsored attackers, NDTV reports. Apple confirmed that it sent the alerts, but said it “does not attribute the notifications to any specific state-sponsored attacker,” noting the possibility that the alerts may be false alarms.
Dave Bittner: According to TechCrunch, India’s IT Minister Ashwini Vaishnaw downplayed allegations that the Indian government was behind the attacks.
Dave Bittner: So far the investigation remains in its early stages, so espionage, political scandal, or nothing more than a false alarm all remain possibilities.
Venomous Bear deploys some new tools.
Dave Bittner: Finally, there are some other sightings of cyber bears, or, if your nomenclature rolls that way, snakes.
Dave Bittner: Turla, the threat group operated by Russia's FSB that's also known as "Venomous Bear," "Pensive Ursa," "Uroburos," or just plain "Snake," has long operated against Ukraine. Palo Alto Networks' Unit 42 has observed Pensive Ursa (their preferred name for the threat actor) using "an advanced and stealthy .NET backdoor" called "Kazuar."
Dave Bittner: The backdoor has been used against the Ukrainian defense sector, the Ukrainian CERT reported in July, where it's been used to obtain access to a range of sensitive access and information. It hijacks legitimate websites for command-and-control, which renders Kazuar resistant to takedowns, and it also has stealthy and anti-analysis features. Unit 42 offers an extensive account of the forty distinct commands Kazuar supports, and provides a list of indicators of compromise.
Dave Bittner: A Kazuar, by the way, is a cassowary, a big, flightless, solitary, and bad-tempered bird, so go ahead and add that to the malware bestiary.
Dave Bittner: Where’s the consistency, though? We know, we know, every research crew has its own nomenclature, and everyone’s cool with that, but our editorial staff has formula-evolving minds, and they obsess over this kind of thing. So, hey Fort Meade, how about taking the lead on this one, if only to get the staff off our backs? Russian threat actors should be bears, Chinese units pandas, Iranian ones cats, Indian ones elephants…infer the principle and go from there.
Dave Bittner: And, hey, where’s the patriotic pride? What about the good guys? Don’t they deserve mascots, too? For the Five Eyes…let’s see…eagle is too obvious for the Americans, but then America is sort of the world rattlesnake capital, so why not those? Happy Sidewinder, Goofy Mojave Green, like that.
Dave Bittner: For Canada, how about some loons? Friendly Loon, Diligent Loon.
Dave Bittner: For the United Kingdom, switch it up and use characters from the Wind in the Willows. Who wouldn’t like Honest Badger, or Tethered Mole? New Zealand? The Tuatara has a nice euphonious ring to it. Kangaroos are too obvious for Australia, but, hey! What about the Cassowary? Oh, wait, already taken. Curse you, Venomous Bear…
Dave Bittner: Coming up after the break, Tim Starks from the Washington Post on the SEC's case against SolarWinds. In today's Threat Vector segment, David Moulton from Unit 42 is joined by Matt Kraning of the Cortex Expanse Team for a look at Attack Surface Management. Stay with us. [ Music ]
Matt Kraning: 20% of the cloud changes every month. That means that 20% of the exposures an organization has in a given month were not present the previous month in cloud. Unless you're actually doing something pretty much daily and continuously, you're actually missing almost all of your risks.
David Moulton: Welcome to "Threat Vector," a segment where Unit 42 shares unique threat intelligence insights, new threat actor TTPs, and real-world case studies. Unit 42 has a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, director of Thought Leadership for Unit 42. [ Music ] In today's episode, I'm going to be talking with Matt Kraning. Matt is the CTO on the Cortex Expanse Team, and we'll be unpacking the findings from the latest Attack Surface Management report. Matt and his team are able to scan the entire Internet and find weaknesses and vulnerabilities that plague organizations with the Expanse technology they've invented. This report shines a light on the most worrisome problems the team has uncovered. Matt, your team just put out a new Attack Surface Management report. Can you describe what this report is and who it's for?
Matt Kraning: The report that we just put out is a survey of over 250 large organizations, and it analyzes the risks and configurations present on the IT that they deploy across the Internet. So this report is for senior security leaders, CISOs, CIOs, to understand the risks that are present in large organizations.
David Moulton: So, Matt, the report says that RDP (Remote Desktop Protocol) exposures are prevalent. What are these and why is that such a bad thing?
Matt Kraning: Remote Desktop Protocol (or RDP) is a service that is very frequently run by organizations across many, in some cases all, of their laptops. But this allows legitimate IT administrators of an organization to remotely troubleshoot and diagnose problems. This is a great tool that lots of teams should use. Unfortunately, it also tends to contain a number of security issues associated with the protocol. And if this protocol is actually present on the public Internet, then anyone in the world can go in and do one of two things. One, you can just start guessing passwords. And if you don't have a great password policy, it's like leaving a laptop open in Central Park. In addition, if you're running older versions of this protocol -- which unfortunately are present on the Internet frequently -- there are also a number of remote code execution exploits where even if you don't know a username-password combination, you can immediately gain access to the client machine and any sensitive data and credentials on that machine.
David Moulton: Matt, one of the things that stood out in the report was that 85% of the industries studied had RDP exposed for at least a quarter of the month. If you're a security practitioner or you're a CISO that's listening right now, do you see that as one of those things that they're surprised that it's that prevalent?
Matt Kraning: I think a number of people are not surprised that it happens frequently to other people, but are sometimes surprised that it's happening to them. And there's two different ways that I explain this. One, our own reporting with Unit 42 has found that in the case of ransomware attacks -- which can generate substantial business interruption, cost into the millions or multiple millions of dollars -- over 60% of the time, there's ransomware that we have to respond to, the actual origin of the ransomware is not phishing, it is actually a remote desktop protocol system on the public Internet that was exploited. So there's substantial risk when these exist. I think what a lot of people are surprised on is just how often and how many organizations this occurs for. And this occurred in over 250 organizations with over 10,000 people each. These are large organizations typically with well-funded, substantial IT and IT security teams. And even then, we see these exposures happening regularly. And when we look at the cause of why this happens, ultimately, it's that IT security teams typically do not have total visibility over all of the assets that the organization owns and manages. So while they may be very secure for the assets they know about and track regularly, and there might not be RDP exposed on the Internet there, there's another class of assets that usually is 30, 40, sometimes even 50% of the total assets of the organization that security's effectively blind to. And that's where a substantially higher fraction of their risk lies: in the systems that they don't even know about.
David Moulton: The report shows that there are several paths of least resistance for attackers to exploit. And if they're so prevalent, why aren't we seeing more attacks against those exposures?
Matt Kraning: I think we see a number of attacks against this. So over the last 20 years, I think it's been a kind of unchallenged belief in security that employees are always the weakest link. And this goes back more than two decades. And I think for a large fraction of that time, it was true. And you saw both a very high investment in attackers in attacking employees, and then also in defenders inventing a variety of different technologies to protect employees. I think what we're now seeing is no longer the early days but now kind of the middle of attackers realizing that weakest link and the easiest way into organizations in a lot of cases is actually through unknown, unmanaged IT assets of the organization rather than trying to get around a number of different phishing and other end-point protection mechanisms. And when we look at some of the largest, worst breaches of the last decade, many of them were not phishing, they were actually exactly this: an asset getting exploited on the public Internet that was not known or at least not centrally known in a standardized way to the security team. I think some of the best examples of this are things like the WannaCry attacks. Then you also look at things like TJ Maxx going through HVAC systems. The Equifax hack as well, all these are examples of where the company in question lost hundreds of millions, or in some cases billions of dollars, and it wasn't somebody being phished, it was actually an IT asset that was on the public Internet that was usually unmanaged, had not been updated in a very long time. And the companies unfortunately had a very bad day in all of those cases. [ Music ]
David Moulton: Matt, thanks for joining me today on Threat Vector. It's amazing what you and your team have been able to discover and publish. For those listening, the latest Attack Surface Management report is available on the Expanse website. A link will be on our show notes. We'll be back on the CyberWire Daily in two weeks. But in the meantime, stay secure, stay vigilant, goodbye for now. [ Music ]
Dave Bittner: That's David Moulton, director of Thought Leadership for Unit 42, joined by Matt Kraning, CTO of the Cortex Expanse Team, with our Threat Vector segment. [ Music ] And it is always my pleasure to welcome back to the show Tim Starks. He is the author of the Cybersecurity 202 at the Washington Post. Tim, welcome back.
Tim Starks: My man, Dave.
Dave Bittner: Thank you, thank you. Really interesting reporting that you did on the 202 this week about the SEC's case against SolarWinds. Can you unpack your reporting here for us?
Tim Starks: I will try. This is a very, very big deal in so many ways. First off, we're starting from one of the biggest breaches that's ever happened, by many measures. With SolarWinds, you know, we're talking about thousands of organizations; we're talking about at least nine agencies that were breached as a result of the SolarWinds attack. That's the beginning, that's the very start of it. The next thing that happens is that the SEC approaches SolarWinds and says, we're looking into, we're investigating this. They're also investigating the CISO at the organization. So that's a different thing.
Dave Bittner: Yeah.
Tim Starks: Then they actually go through with it, they actually do the investigation. They actually file the suit in the District Court of New York. And there's multiple levels of new about that. By the way, I'd never heard this term, censure [phonetic]. The term is related to the willingness or the cognizance of someone to deliberately lie to the SEC. So that's new. They're saying, we know that you know that you were lying about this. You were very aware of all your vulnerabilities, and you misrepresented yourself. That's another new level. And so there's just all these levels of newness to this that are really, really important in the cyber world, that are really going to set precedents in a lot of ways for how regulators, for how suits can proceed in the cyber world right now.
Dave Bittner: I think, needless to say, this has the attention of a lot of CISOs and their boards. If I'm a CISO looking at this, how do you suppose I should react to this news?
Tim Starks: Well, I think you should be a little scared. You know, the response from SolarWinds is obviously very defensive, right? I mean, SolarWinds is being prosecuted literally by the SEC. And so their reaction is naturally very defensive. But even before this suit actually happened, there was a little bit of a panic in the CISO world of like, oh, my God, if I talk about a vulnerability inside of my company, I might be subject to regulators. So, yeah, it's a thing that people should be very concerned about. Now, if you're on the SEC side -- and I'm trying to be both sides here -- you want that. You want people to be being better about the vulnerabilities you've discovered because you fear the SEC. You can say a lot internally about -- and, by the way, you should really read the entire complaint, because there's a lot of details about how much -- people were talking internally about how poor the security was. If you're in a company and you're talking about vulnerabilities and you're scared of vulnerabilities, maybe you should be scared of the SEC. That's the thing I would say.
Dave Bittner: Is this a case of the classical yarn about how the cover-up is worse than the crime?
Tim Starks: A little bit, yeah. Yeah, a little bit. I mean, I've talked to an attorney who has been at the SEC, who has represented companies in SEC enforcement actions. One of her responses was, everybody should be really careful about what they say, what they say internally. That again goes to the cover-up of the crime. If you were to have a vulnerability, you should obviously be concerned about it. But if you say it out loud or you say it in an email, that could be a problem. And that's one of the SolarWinds complaints, implicitly not explicitly, that if you are a CISO and you are aware of a vulnerability in your company, and you say it in an email or whatever to someone else in the company without addressing it, you could be vulnerable to SEC action. That's their sort of worst-case scenario of like, this is bad for America if you just even talk about a vulnerability inside your company.
Dave Bittner: I can see the SEC's point of view, that if you're aware of a vulnerability and you don't address it, that's a problem.
Tim Starks: Yeah. I mean, we are both accustomed to being devil's advocates. You know, in a situation like this where SolarWinds and the SEC have points of view, I think there are really strong arguments on both sides, actually, you know.
Dave Bittner: How is this going to play out from here?
Tim Starks: Really good question. You know, if you go back to 2014 -- and we all want to go back to 2014, don't we? [Laughing] Yahoo got hit with that very big breach back in the day. And in 2018, they eventually settled with the SEC. I mean, the likely scenario is that there will be some kind of settlement, to be honest. But if there's not, if SolarWinds really, really fights this -- and they could -- we could have some precedent-setting about what the requirements are for a company to know about a vulnerability and report the vulnerability. It could be a very big deal if it actually goes to court and it's actually settled -- sorry, not settled, but is actually litigated.
Dave Bittner: Yeah. All right, well, Tim Starks is the author of the Cybersecurity 202 at the Washington Post. Do check out his reporting on the SEC's case against SolarWinds, it is well worth your time. Tim, thank you so much for joining us. [ Music ] And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.