An AI arms race.

Microsoft highlights adversaries experiments with AI LLMs. A misconfiguration exposes a decades worth of emails. SentinelOne describes Kryptina ransomware as a service. The European Court of Human Rights rules against backdoors. Senator Wyden calls out a location data broker. GoldFactory steals facial scans to bypass bank security. The Glow fertility app exposes the data of twenty five million users. Qakbot returns. Our Guest Rob Boyce from Accenture talks about tailored extortion. And hacking the airport taxi line leads to prison.

Today is February 15, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Microsoft highlights adversaries experiments with AI LLMs. 

In a recent study released by Microsoft, researchers have observed advanced threat actors from nations including China, Iran, North Korea, and Russia experimenting with large language models (LLMs). No substantial misuse for carrying out notable cyberattacks has been documented yet, but this exploration into AI by some of the world's most formidable cyber powers raises concerns over potential applications in cyberattacks, disinformation campaigns, and the creation of sophisticated spearphishing emails. However, Microsoft's findings, in partnership with OpenAI, indicate that the direst predictions about AI exploitation in cyber warfare have not come to fruition.

The investigation, which is a joint effort between Microsoft and OpenAI, details activities like the Russian hacking group Fancy Bear delving into satellite communication protocols and technologies, suggesting a preliminary interest in leveraging LLMs for gathering in-depth technical knowledge possibly to support cyber operations.

The report highlights the use of LLMs by Iranian and North Korean hackers to generate deceptive spearphishing emails, designed to direct victims to malicious websites. For instance, Iranian hackers, identified as Crimson Sandstorm, created emails impersonating an international development agency and targeted prominent feminists with a fake website on feminism.

Additionally, the report highlights attempts by hackers from the monitored countries to employ LLMs for generating and refining malicious scripts and code, although with mixed success. A notable example includes the Chinese hacking group Chromium, which utilized LLMs to enhance scripting for cyber operations, while another group, Sodium, faced limitations due to the model's built-in safeguards against generating harmful code.

Microsoft's report not only provides a snapshot of current LLM usage by state-backed hackers but also outlines a set of principles aimed at preventing AI abuse. These include efforts to identify and disrupt malicious use of LLMs, notify other AI providers of potential abuses, and maintain transparency about threats. 

A misconfiguration exposes a decades worth of emails. 

Krebs on Security reports that U.S. Internet Corp., based in Minnesota, inadvertently exposed over a decade's worth of internal and client emails from its Securence email filtering service, affecting thousands of domains and inboxes, including those of state and local governments. The security lapse, revealed by cybersecurity firm Hold Security, allowed anyone with internet access to view these emails in plain text. The exposure was quickly addressed after KrebsOnSecurity contacted U.S. Internet's CEO, Travis Carter. However, the company's explanation, attributing the issue to a misconfigured Ansible playbook for their IMAP servers, did little to clarify how such a significant oversight occurred. Additionally, Securence's link scrubbing service was found to be manipulated by hackers to redirect to malicious sites, further compromising security. Despite the immediate rectification of the exposed inboxes, U.S. Internet has yet to publicly acknowledge the breach or detail the extent of the exposure.

SentinelOne describes Kryptina ransomware as a service. 

SentinelOne has published research on the Kryptina Ransomware-as-a-Service (RaaS) offering. Initially launched as a commercial product on underground forums in December 2023, Kryptina has now transitioned to an open-source crimeware project. Aimed at Linux systems, Kryptina was designed to be a lightweight, customizable solution for cybercriminals, featuring both 32 and 64-bit compatibility and payment options through Monero and Bitcoin. Despite initial attempts to sell it, the creator released the source code publicly, potentially due to a lack of buyers or to gain notoriety within the cybercriminal community. This shift to open-source could significantly impact the prevalence and diversity of ransomware attacks on Linux systems by lowering entry barriers for low-skilled attackers and encouraging the development of new variants. Kryptina's capabilities include file encryption using the AES256 algorithm, secure deletion of files to hinder recovery, and a web interface for campaign management and victim communication. 

The European Court of Human Rights rules against backdoors.

The European Court of Human Rights (ECHR) ruled that weakening end-to-end encryption poses a disproportionate risk to human rights. This decision challenges the European Commission's plans to mandate backdoors for law enforcement in email and messaging services. The ruling followed a case where Russia demanded Telegram provide access to encrypted messages to combat terrorism. Telegram argued it was technically impossible to comply without compromising all users' privacy. The ECHR agreed, stating that confidentiality in communications is crucial for private life and correspondence. Privacy advocates argue that creating backdoors not only risks mass surveillance but also undermines security for all users by potentially allowing criminals access. The ECHR's stance sends a clear message against compromising encryption, emphasizing the need for alternatives in law enforcement tactics rather than weakening digital security measures.

Senator Wyden calls out a location data broker. 

An investigation by Senator Ron Wyden alleges that online data broker Near Intelligence tracked visits to nearly 600 Planned Parenthood locations across 48 states for a massive anti-abortion ad campaign. This revelation has raised concerns about the potential use of such data by states to prosecute women post the Supreme Court's abortion ruling. Wyden has called for investigations by the FTC and SEC into Near Intelligence. The company's promotional materials claim to have data on 1.6 billion individuals worldwide. This campaign's scale, unprecedented in its use of location data for targeting reproductive health clinics, has sparked criticism and calls for tighter privacy regulations. Wyden also highlighted concerns about what he says are Near's misleading claims to investors. The company filed for bankruptcy last December, and Wyden is urging the FTC to block the sale of the collected data amidst Near's bankruptcy proceedings.

GoldFactory steals facial scans to bypass bank security. 

A Chinese-speaking cybercrime group, known as GoldFactory, has launched a sophisticated attack targeting iOS users. Their malware, GoldPickaxe.iOS, is designed to steal facial scans to infiltrate and extract money from bank accounts, focusing primarily on users in Thailand and possibly Vietnam. This malware masquerades as the Thai government's official digital pensions app, exploiting biometric verification checks to bypass banking app security measures. Researchers from Group-IB highlighted the malware's capability to collect biometric data, ID documents, intercept SMS, and proxy traffic, making it notably advanced in comparison to its Android counterpart. The malware's rapid development to circumvent new facial biometric security measures implemented in Thailand underscores the cybercriminal group's skill and adaptability. We note that despite reports implying that this is some sort of bypass of Apple FaceID hardware, it appears to be more of a case of social engineering to convince users to upload photos of their faces. 

The Glow fertility app exposes the data of twenty five million users. 

A vulnerability in the online forum of the fertility tracking app Glow exposed personal data of approximately 25 million users. Discovered by security researcher Ovi Liber,  the bug revealed users' names, age groups, locations, unique user identifiers, and any uploaded images. Liber found the data leakage through Glow’s developer API, which was mistakenly accessible to the public, and reported the issue to Glow in October. The company fixed the leak about a week later. Despite the fix, Glow has not publicly discussed the bug's impact. This incident follows previous privacy concerns with Glow, including a 2016 Consumer Reports finding of accessible user data and a 2020 fine from California’s Attorney General for inadequate data protection.

Qakbot returns.

The Qakbot malware, also known as QBot, has seen new activity with developers experimenting with fresh builds since mid-December. This follows its takedown by law enforcement last August. This malware, traditionally spread through email campaigns, has been a vector for various malicious payloads, including ransomware, affecting over 700,000 systems and causing financial damages of over $58 million. Despite the disruption of its command and control servers, its spam delivery infrastructure remained intact, leading to a resurgence. Recent samples observed by Sophos X-Ops use fake Adobe installers and enhanced obfuscation techniques to evade detection, including checks for antivirus software and virtualized environments. 

 

Coming up, we’ve got Rob Boyce from Accenture talking about tailored extortion where actors shift to pure data extortion, with old and new tactics.

 

Hacking the taxi line leads to prison. 

And finally, two individuals from Queens, New York, have been sentenced to prison, after having been convicted of running a sophisticated hacking operation to manipulate the taxi dispatch system at Kennedy Airport. Daniel Abayev, the orchestrator, received a four-year sentence, while Peter Leyman, responsible for collecting fees, was sentenced to two years. The duo, in collaboration with Russian hackers, launched their scheme in November 2019, utilizing malware introduced via a flash drive to gain unauthorized access to the Taxi dispatch system. This intrusion enabled them to offer line-skipping services to taxi drivers for a $10 fee, disrupting the airport's orderly queue system and facilitating up to 1,000 fraudulent taxi trips daily. The hacking operation not only breached the dispatch system's security but reportedly also resulted in over $3.4 million in losses to the Port Authority. 

These guys tried to cook up a cybercriminal express lane, but their final destination was prison. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.