The CyberWire Daily Podcast 11.22.23
Ep 1953 | 11.22.23

On the eve of the holiday season, officials in many countries issue warnings and take action against cybercrime.


Tre Hester: CISA issues joint Cybersecurity Advisory on Citrix Bleed. Law enforcement takes down "pig butchering" operations. Altman will return to OpenAI. Israeli honeypots deployed during the war. A renaissance in electronic warfare. And a response in the form of countermeasures. Ihab Shraim, Chief Technology Officer at CSC, shares how the growing popularity of AI is giving cybercriminals a new avenue to take advantage of some of the largest companies in the world. And online safety during the holidays.

Tre Hester: I’m the fabulous Tré Hester with your CyberWire intel briefing for Wednesday, November 22nd, 2023. 

CISA issues joint Cybersecurity Advisory on Citrix Bleed.

Tre Hester: The authorities in Australia and the US have issued some advice about the Citrix Bleed vulnerability. 

Tre Hester: The US Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Australian Signals Directorate’s Australian Cyber Security Center (ASD’s ACSC) yesterday released a joint Cybersecurity Advisory outlining LockBit 3.0 ransomware affiliates’ exploitation of the Citrix Bleed vulnerability (CVE-2023-4966) affecting Citrix NetScaler web application delivery control (ADC) and NetScaler Gateway appliances. CISA notes that both cybercriminal and nation-state threat actors are exploiting the vulnerability, which received a patch in October.

Tre Hester: The advisory is worth your attention. Give it a look. 

Law enforcement takes down "pig butchering" operations.

Tre Hester: In separate operations, authorities in the US and China took action against pig-butchering gangs. 

Tre Hester: The US Department of Justice seized almost $9 million in Tether alt-coin that had been accumulated in the course of pig-butchering investment scams. 

Tre Hester: Acting Assistant Attorney General Nicole M. Argentieri of the Justice Department’s Criminal Division said, “Through this significant seizure, we disrupted the financial infrastructure of an organized network of scammers who stole millions from victims across the United States. These scammers prey on ordinary investors by creating websites that tell victims their investments are working to make them money. The truth is that these international criminal actors are simply stealing cryptocurrency and leaving victims with nothing.” 

Tre Hester: Tether worked closely with investigators to identify the fraud (which had some seventy victims) and to secure the stolen assets.

Tre Hester: The other enforcement action was on the other side of the globe. The Wall Street Journal reports that Chinese authorities went after the criminal operators themselves. Working with both the government of neighboring Myanmar and with the warlords who control the effectively autonomous regions along the Chinese border, they've arrested 31,000 alleged gang members since September. Much of the pig butcher affects Chinese citizens, and Chinese expatriate criminals figure prominently in the gangs who conduct it.

Tre Hester: Pig butchering is protracted fraud that prospects and exploits targets over a long approach, metaphorically fattening them up for financial slaughter. The marks are almost always lured by either love or money, by either catphishing romance scams or by the promise of wealth through sure-thing speculation. Of course, the romance is all faked, and the sure-thing investments are sure-thing losers.

Altman will return to OpenAI.

Tre Hester: So meet the new boss, the same as the old boss. No, actually, literally: he’s the same boss, back again.

Tre Hester: Details remain to be worked out, but last night OpenAI announced that its former CEO, Sam Altman, fired last Friday, would return to his old job. The move appears to have involved compromise on both sides. 

Tre Hester: The Wall Street Journal reports that the company will get a new board, initially consisting of three members: Bret Taylor, former co-CEO of Salesforce, Larry Summers, former Treasury secretary and president of Harvard University, and Adam D’Angelo. D'Angelo is the only member of OpenAi's board to retain a seat on the new board, which Taylor will chair. 

Tre Hester: The board may be expanded with six more members, but who they might be is undetermined. Altman will not be on the initial board, according to the Information, and he has agreed to an internal investigation of whatever conduct the previous board interpreted as a lack of candor.

Tre Hester: As of late yesterday afternoon, Bloomberg reported, Altman was still in talks with his old company's board about his possible reinstatement. If he were to return, sources then said, it would be as both CEO and a member of a transitional board. He will have the CEO job back, but not a seat on the board. "Discussions are happening between Altman, CEO Emmett Shear and at least one board member, Adam D’Angelo, said the people, who asked not to be identified because the deliberations are private and they may not come to fruition. The talks also involve some of OpenAI’s investors, many of whom are pushing for his reinstatement, one of the people said." Shear, who had been the second interim CEO to serve at OpenAI since Altman was dismissed Friday, is said to have indicated that he wouldn't stay unless the board can give him a clear account of why it fired Altman in the first place.

Tre Hester: The New York Times reported that the company's board was divided before the firing. OpenAI seems to have been troubled by a deep and evidently irreconcilable disagreement between sanguine utopians (represented by Altman) who saw artificial intelligence as fundamentally benign, and sought to push it to market as fast as possible, and melancholic dystopians who were more alive to the potential dangers of the technology. That tendency was represented by, at least, board member Helen Toner, who had published a paper that appeared critical of OpenAI's approach to safety.

A renaissance in electronic warfare.

Tre Hester: Turning from crime and commerce to hybrid war, the New York Times writes that electronic warfare has been a relative strength of the Russian army. 

Tre Hester: That army’s ability to jam drones in particular, and to successfully geolocate radio-frequency emitters accurately enough for targeting has presented a contrast with that army's otherwise lackluster tactical performance. Ukraine and its suppliers are adapting, using hackathons and what the Times characterizes as a start-up mentality to respond to demonstrated Russian capabilities. But the full spectrum of Russian electronic attack and collection capabilities remains a problem Ukraine has yet to fully solve.

And a response in the form of countermeasures.

Tre Hester: So GPS signals have been a common target of Russian jamming. This is most commonly thought of in terms of interference with positioning, but GPS signals are also a source of precision timing. 

Tre Hester: Disruption of timing can interfere fatally with elements of the power grid, and thus they're expected to figure prominently on Russian electronic attack target lists this winter. CNN reports that Cisco has developed and delivered switches that give Ukrenergo [yook-REN-air-go], Ukraine's power authority, redundant timing to compensate for any GPS interference. The switches, placed in electrical power substations, ensure those substations' connectivity with the utility's networks even in the absence of GPS.

Tre Hester: Interference with GPS isn't confined to jamming, and it isn't confined to Russia's war against Ukraine, either. Commercial aircraft are experiencing meaconing--spoofed GPS signals intended to mislead aircraft positioning and navigation systems--during flights in the Middle East. WIRED reports that the incidents appear to be centered on Baghdad, Cairo, and Tel Aviv. Who's behind the activity is unknown, as is its motive, but in terms of capability and opportunity speculation has centered on Iran and Israel.

Guest spot

Tre Hester: Today’s guest is Ihab Shraim (EE-hab Shraim). Dave Bittner recently spoke with CSC’s Chief Technology Officer about how the growing popularity of AI is giving cybercriminals a new avenue to take advantage of some of the largest companies in the world. Let’s check out their discussion.

Online security during the holidays.

Tre Hester: And, finally, Thanksgiving traditionally in the United States marks the beginning of the holiday season. This, of course, also marks a season of buying and selling, and also of charitable giving. Since so much getting and spending and giving are now online, the security industry has some advice for all to keep in mind, from Black Friday this week through Cyber Monday and Giving Tuesday next week, and on into the New Year. We won’t be publishing tomorrow or Friday, and we hope you’ll be observing the holiday as well. But in the meantime, check out N2K Cyber’s compendium of advice on the holidays. You’ll find it near the top of the stories on our website. And, of course, a happy Thanksgiving to all.

Tre Hester: Coming up after the break, Dave Bittner sits down with Ihab Shraim, Chief Technology Officer at CSC, to discuss how AI is giving cybercriminals a new avenue to take advantage of some of the largest companies in the world. Stick around. [ Music ] Our own Dave Bittner sits down with the Ihab Shraim, Chief Technology Officer at CSC, to discuss how the growing popularity of AI is giving cybercriminals a new avenue to take advantage of some of the largest companies in the world. Here's Dave.

Dave Bittner: So today we're talking about the recent domain security report that you all put out and some interesting findings here when it comes to AI. Can we start off with some high-level stuff here? Can you give us a little overview of what prompts the creation of this report?

Ihab Shraim: We are, in the backend, a registrar, and we are in the brand protection services as well as the anti-fraud protection services, and we offer these services for our customers, and what we notice is that there is lack of focus on anything outside for, say, the demark of a corporation. As you know, the demark of any corporation could extend to the -- to someone's remote site or house or any remote fields, data centers, etc. Having said that, we embarked a few years ago on building this Global 2000 Security Report to highlight the importance of domain security on the internet. We think it's a blind spot for a lot of security professionals, not because they are not focusing on it. It's because they're focusing on defending the enterprise, nd they do a very good job, say, within the perimeter of the enterprise, but outside the enterprise, we see a lot of gaps, and this is the missing link and that's what CSC is trying to highlight in the industry.

Dave Bittner: Well, let's go through some of the highlights together here. What are some of the things from the report that really caught your attention?

Ihab Shraim: Very, very good question. We've noticed that 43% of the dot-ai domains are registered to third parties, and that's really critical because, as you know, on the domain name industry, we get new extensions all the time. For example, the traditional ones where dot-com, dot-net, dot-org, dot-biz, dot-us, etc. Well, that's now extended to everything. It could be dot-ai, dot-live, dot-app, and so forth. The most recent one is dot-ai, or artificial intelligence, and having 43% to be registered by third party, meaning the brand owner does not own that domain name that belongs to them. For example, if I were to say company XYZ is operating online, is operating properly online, everything is fine. However, is owned by a third party and that could be a malicious party. It could be a bad actor, a cybercriminal. It could be a fraudster. Brand owners must own these domain names because that's their online presence. That's their reputation, and therefore, this is an alarming find that we have seen. We've also seen about 21% of the subdomain names don't resolve to anything. So what does that mean? When a subdomain name doesn't resolve to anything, it means it's prone to be hijacked by cybercriminals. In fact, if you looked at this phenomenon, or this problem, it took place in the past several years where people were hijacking, meaning cybercriminals were hijacking subdomain names that are legit in the cloud infrastructures. Why? Because in general, for example, a marketing team would launch a new campaign to -- for a new product they are releasing, and by removing the content, they think, you know, that -- on the website, that everything is fine, but in reality, the subdomain name itself still in the DNS zone and it's found to be hijacked, and that's what we are trying to highlight with our report.

Dave Bittner: What are your recommendations here? I mean, should it be a general cost of doing business that an organization should buy up all of these domains?

Ihab Shraim: We believe that the main security should be an integral part of the security posture of any company, any corporation operating online, as well as the government sector. What do we mean by that? You have to think in terms of augmenting that data, not through a multitude of vendors. You have to have full access by the security professionals and the CISO to the domain name portfolio, and the domain name portfolio for a lot of companies is global. It will include what's called the "gTLD," a global top-level domain like dot-com, dot-net, and so forth, or ccTLD, like dot-uk or dot-ru. You have to manage that portfolio and watch it, meaning monitor it, continuously monitoring it by a professional team. That will -- this allow any social engineering attacks on that -- on the portfolio, DNS hijacked, any domain name hijacked, domain name shadowing. It prevents a lot of phishing attacks, and we recommend that not only to have an enterprise-level class registrar, which is way different than a retail-class registrar, an enterprise-class registrar will have the teams that are working 24 by 7 to protect that domain name from add, modify, and delete. It has to be fully authorized, fully authenticated, and, of course, those teams are well trained. Another thing that we would like to heavily recommend as part of the security posture is to look at your DNS as something that you must watch. You have DNS zones that are not cleaned for, say, 20, 30 years, and this is not neglect. This is part of how the corporation grows. There's acquisitions and so forth. So these are what we call the "blind spots," the neglected areas, and they are the exposed surfaces to the internet by which cybercriminals try to take advantage of. Of course, we have many other recommendations, such as how do you look at your domain name registrations, modifications, and drops on a daily basis, and if you see something that is suspicious, it has to be investigated. And last but not least, we heavily recommend the ability to have the mitigation piece. The mitigation piece is composed of three parts on -- in the industry. The first part is takedown enforcement capable to take down any malicious site anywhere around the world. The second one, UDRP filings by which you can file a UDRP to regain control of that critical domain name that must belong to the brand owner. And thirdly, it's the ability to block across the internet, for example, you block across browsers, you share data with your partners, with ISPs, and telco providers.

Dave Bittner: So those are the tools available. I mean, if I'm someone who discovers that my domain that someone has spun up, there are things that I can do to set that right?

Ihab Shraim: Yes, there are so many tools in our arsenal today that allows us to, as soon as this domain name is registered, it automatically gets highlighted and alerts our teams. For example, for our customer base, we immediately alert the brand owner that this domain name got registered not by you, by someone else, and if the domain name is dormant, meaning it doesn't have a website associated with it or it doesn't have an MX record, one of the things that I would like to highlight is that if you see an MX record and there is no website, it tells you that someone is going to do something. What is that thing? Could be a phishing campaign or a mal -- a phishing augmented was a malware campaign, or it could be something very, very, very suspicious that will appear very soon. So dormant domain names are critical -- a critical part of what we look for on a daily basis and that should be integrated in the modern security operation center by which it tells you what to do next, and then if you are seeing, if you put it in monitoring, continuous monitoring, as soon as the website is on, the website must be investigated, and if it's, say, a phishing site, you immediately take action with the mitigation arm of enforcement by conducting an actual takedown. Now, of course, you domain cast, which is you share that data, that suspicious domain name that it's associated with, that, say, phishing site. You share it with your partners, your telco providers, the ISPs, browser carriers, and so forth. We have built that -- the largest network of blocking to block malicious URL-based behaviors that involves with phishing problem.

Tre Hester: That's Dave Bittner sitting down with Ihab Shraim, Chief Technology Officer at CSC. [ Music ] And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at We'd love to know what you think of this podcast. You can email us at Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is me, with original music by Elliott Peltzman. This show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Tre Hester filling in for Dave Bittner. Thanks for listening, and see you back here next week. [ Music ]