Defending America against China's ominous onslaught.

Directors Wray and Easterly warn congress of threats from Chinese hackers. Myanmar authorities extradite pig butchering suspects. Automation remains a challenge. Snyk Security Labs plugs holes in “Leaky Vessels.” Pegasus spyware targets human rights groups in Jordan. Subtle-paws scratch at Ukrainian military personnel. White Phoenix brings your ransomed files back from the ashes. In today’s Threat Vector, host David Moulton, Director of Thought Leadership at Unit 42, speaks with MDR Senior Manager Oded Awaskar (OH-dead ah-WOZ-kar), about how AI might change the world of security operations and threat-hunting. A wee lil trick for bypassing Chat GPT guardrails.

Today is February 1st, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Directors Wray and Easterly warn congress of threats from Chinese hackers.

Yesterday, FBI director Christopher Wray and CISA director Jen Easterly both testified before the House Select Committee on the Chinese Communist Party.

FBI Director Wray highlighted the threat posed by Chinese hackers to American critical infrastructure. He emphasized that China's hackers are targeting essential services like water treatment plants, pipelines, and power grids, preparing to cause significant disruption in the U.S. if necessary. He stressed the seriousness of the threat to national security, pointing out that China's cyber activities extend beyond military and political targets, indicating a strategy that includes potential attacks on civilian infrastructure.

CISA director Jen Easterly echoed director Wray’s concerns. 

 

Staying with CISA for the moment, the agency has issued an urgent directive for U.S. federal agencies to disconnect Ivanti Connect Secure and Policy Secure VPN appliances by Saturday, in response to the exploitation of multiple vulnerabilities in these devices. Ivanti has patched some software versions and provided mitigation instructions for unpatched devices. They also advised a factory reset before patching to remove any attackers' persistence. Over 22,000 Ivanti ICS VPNs are exposed online, with about 390 hacked devices detected on January 31. 

CISA has also given federal agencies 21 days to mitigate a critical vulnerability affecting devices running certain OS versions on Apple devices. 

Myanmar authorities extradite pig butchering suspects.

Authorities in Myanmar have extradited 10 suspects to China for their involvement in organized cyber fraud, including leaders of three major crime families. These arrests follow China's increased efforts to dismantle cyber fraud operations along its border, particularly in the Kokang region of Myanmar. The suspects were part of criminal groups conducting large-scale telecommunications and network fraud, including what has come to be known as “pig butchering,” the specific targeting of high-value victims. This handover marks a significant step in bilateral cooperation against cybercrime in the region, which had become a center for various illicit activities, including forced labor in scam operations. Despite these efforts, experts warn of the potential shift of these criminal activities to other regions in Myanmar.

Automation remains a challenge. 

Security Week shares an interesting editorial from ThreatQuotient’s Marc Solomon, examining the challenges cybersecurity teams face when integrating automation. In Solomon’s view, the cybersecurity industry is rapidly evolving with complex threats, necessitating sophisticated security solutions incorporating automation, AI, and machine learning. However, the rapid pace and regulatory demands are overwhelming organizations, leading to high stress and burnout among cybersecurity professionals, particularly CISOs. Despite recognizing the importance of cybersecurity automation, many organizations face challenges in adoption, integration, and dissatisfaction with early solutions.

He says different roles within the industry have varied perceptions of automation’s importance and its impact on efficiency and compliance. A key focus now is on improving employee well-being through automation, reducing repetitive tasks and allowing for more meaningful work. Despite challenges, cybersecurity automation remains a strategic priority, with a shift towards low-code, AI-enhanced platforms expected to improve outcomes and provide stronger ROI, especially in areas like threat detection and response.

Snyk Security Labs plugs holes in “Leaky Vessels.”

Snyk Security Labs researcher Rory McNamara discovered four "Leaky Vessels" vulnerabilities in core container infrastructure components, which could enable attackers to escape from a container and gain unauthorized access to the host operating system. This access might lead to the compromise of sensitive data and further attacks. The team responsibly disclosed these vulnerabilities, with Docker subsequently forwarding one to the open source runC security group.

The vulnerabilities notably impact common container engine components and build tools. Snyk advises users to promptly update their systems with fixes from providers like Docker, Kubernetes, and cloud container services.

Pegasus spyware targets human rights groups in Jordan. 

Access Now, a digital rights group, reported that Israeli-made Pegasus spyware was used to hack at least 30 people in Jordan, including journalists, activists, and lawyers, from early 2020 to November 2022. The victims, identified by organizations like Human Rights Watch and Amnesty International, were primarily targeted for their roles in human rights and political activism. Although the Jordanian government has not commented and wasn't directly accused by Access Now, the University of Toronto’s Citizen Lab suggested that the spyware operators might be linked to the Jordanian government. The NSO Group, which developed Pegasus, claims it sells only to vetted agencies for combating terrorism and serious crime. However, there have been multiple instances of the spyware's misuse for politically motivated surveillance worldwide. The U.S. blacklisted NSO Group in 2021 following concerns about spyware abuse. Half of the targeted individuals in Jordan were journalists or media workers, with some experiencing repeated hacks.

Subtle-paws scratch at Ukrainian military personnel. 

The Securonix Threat Research team has identified a campaign targeting Ukraine using a new PowerShell-based backdoor, SUBTLE-PAWS, which evades detection by infecting USB drives. Likely linked to the Shuckworm group, the campaign targets Ukrainian military personnel and starts with victims executing a malicious shortcut (.lnk) file, leading to the execution of the SUBTLE-PAWS backdoor. The attack leverages compressed files, possibly distributed via phishing emails, containing references to Ukrainian cities and military terms.

The SUBTLE-PAWS backdoor operates through registry manipulation and establishes persistence on the victim's machine. It also includes a Command & Control (C2) mechanism that retrieves the C2 server address through various methods, including DNS queries and standard HTTP requests. The backdoor is designed to spread through removable media and employs stealth techniques like Base64 encoding and random sleep intervals for obfuscation.

Securonix recommends caution when downloading files from unknown sources and advises monitoring malware staging directories and deploying additional process-level logging. 

White Phoenix brings your ransomed files back from the ashes. 

Some good news in the fight against ransomware — CyberArk has introduced an online version of 'White Phoenix,' an open-source decryptor designed to counter ransomware using intermittent encryption. Originally available as a Python project on GitHub, the online tool caters to users unfamiliar with coding, offering a simple file upload and recovery process for file types like PDFs, Word, Excel, ZIPs, and PowerPoint, with a 10MB file size limit. Intermittent encryption, used by ransomware groups such as Blackcat and DarkBit, partially encrypts files, speeding up the attack but leaving some unencrypted data. White Phoenix leverages this by reconstructing text from these unencrypted sections. While the tool might not fully restore systems or work with all file types, it offers a viable option for recovering important files when other decryptors are unavailable. For handling sensitive data, CyberArk recommends using the GitHub version locally instead of uploading files to their servers.

 

On our Threat Vector segment today, host David Moulton speaks with Oded Awaskar (OH-dead ah-WOZ-kar) about threat-hunting and how AI and machine language might change the world of security operations and threat-hunting. 

 

Welcome back. If you’d like to hear David’s full conversation with Oded, tune in to his podcast Threat Vector every other Thursday on your favorite podcast app.  

A wee lil trick for bypassing Chat GPT guardrails. 

And finally, researchers from Brown University discovered that OpenAI's GPT-4 can be tricked into bypassing its safety guardrails by translating prompts into rare languages like Scots Gaelic. Normally, GPT-4 blocks harmful content requests, but by using Google Translate to switch the prompts to less common languages, the researchers found they could circumvent these restrictions in about 79% of cases. This method was less effective for more commonly used languages.

The study involved translating 520 harmful English prompts into these lesser-used languages, then back into English, and comparing the success rate against the same prompts in English, which were blocked 99% of the time. The translated prompts successfully bypassed safety mechanisms designed to prevent responses related to terrorism, financial crime, and misinformation, although GPT-4 sometimes generated nonsensical responses.

The findings indicate a potential risk in language models' ability to handle low-resource languages and suggest the need for developers to include these languages in safety evaluations. OpenAI acknowledged the research but has not specified any actions in response.

I checked in with our Gaelic Dialects desk, but all they sent back was a note with the phrase, "Ye cannae shove yer granny aff a bus" - which I’m told is a humorous and lighthearted reminder that you should respect your elders.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
Hey CyberWire listeners, as we near the end of the year, it’s the perfect time to reflect on your company’s achievements and set new goals to boost your brand across the industry next year. We’d love to help you achieve those goals. We’ve got some unique end-of-year opportunities, complete with special incentives to launch 2024. So tell your marketing team to reach out! Send us a message to sales@thecyberwire.com or visit our website so we can connect about building a program to meet your goals.

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.