Opening up on hidden secrets.

OpenAI insiders describe a culture of recklessness and secrecy. Concerns over Uganda’s biometric ID system. Sophos uncovers a Chinese cyberespionage operation called Crimson Palace. Poland aims to sure up cyber defenses against Russia. Zyxel warns of critical vulnerabilities in legacy NAS products. Arctic Wolf tracks an amateurish ransomware variant named Fog. A TikTok zero-day targets high profile accounts. Cisco patches a Webex vulnerability that exposed German government meetings. On our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's ISC2 CISSP certification journey, diving into Domain 7, Security Operations. A Canadian data breach leads to a class action payday.

Today is Wednesday June 5th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

OpenAI insiders describe a culture of recklessness and secrecy. 

A group of OpenAI insiders, including nine current and former employees, is exposing what they describe as a culture of recklessness and secrecy at the company, The New York Times reports.  The insiders claim OpenAI prioritizes profits over safety in its race to develop artificial general intelligence (AGI). The insiders accuse the company of using restrictive nondisparagement agreements to silence concerns.

Former researcher Daniel Kokotajlo, a leading whistleblower, criticized OpenAI for its aggressive pursuit of AGI without sufficient safety measures. The group recently published an open letter calling for greater transparency and protections for whistleblowers in AI companies. They demand an end to restrictive agreements and advocate for a culture that allows open criticism and anonymous reporting of safety issues.

OpenAI is also dealing with several controversies, including legal battles over copyright infringement and backlash from its recent voice assistant launch. The company has faced internal turmoil, including the departure of senior AI researchers Ilya Sutskever and Jan Leike, who left due to concerns over safety being neglected in favor of rapid development.

OpenAI has responded, claiming a commitment to safety and transparency and announcing new safety initiatives. The whistleblowers, however, remain skeptical and are urging regulatory oversight to ensure responsible development of powerful AI systems.

Concerns over Uganda’s biometric ID system. 

Bloomberg reports on Uganda’s biometric identification system. Introduced to enhance security, has become a powerful tool for state surveillance, targeting critics and opposition. This system collects citizens' biometric data, including faces, fingerprints, and irises, and is tied to various essential services, allowing extensive monitoring.

In December 2020, human rights lawyer Nick Opiyo was detained by armed security forces. Accused of money laundering, Opiyo believes his arrest was due to his work at the nonprofit Chapter Four, documenting extrajudicial killings by state security forces before the 2021 elections. His possessions were confiscated, and he was interrogated for days before being released. The charges were dropped nine months later.

Opiyo’s case highlights the misuse of the biometric system for political repression. Despite international criticism, President Museveni continues to leverage this system to consolidate power. As Uganda prepares for the 2026 elections, the government plans to roll out a new ID system, further entrenching surveillance capabilities. Opiyo remains committed to advocating for human rights amidst increasing authoritarianism.

Sophos uncovers a Chinese cyberespionage operation called Crimson Palace. 

A prolonged cyberespionage campaign has targeted a government agency in a country clashing with China over the South China Sea. Researchers at Sophos uncovered the operation, dubbed "Crimson Palace," attributing it to Chinese state-sponsored hacking clusters. The attackers targeted documents with intelligence value, including military strategies. Sophos does not name the targeted nation in their research.

Sophos identified three hacking clusters—Alpha, Bravo, and Charlie—each showing coordinated activity. Cluster Alpha linked to BackdoorDiplomacy and TA428, while Cluster Charlie connected to Earth Longzhi (APT41). Cluster Bravo used a new backdoor, "CCoreDoor." The campaign utilized DLL sideloading and evasive techniques. Despite blocking known implants, Cluster Charlie resumed hacking with greater intensity. The activity corresponded to Chinese working hours, reinforcing the attribution to Chinese state interests.

Elsewhere in the region, Palau is a small island country located in the western Pacific Ocean, part of the larger island group of Micronesia and one of Taiwan’s few diplomatic allies. Earlier today, Palau's President Surangel Whipps accused China of a major cyberattack on the country. Over 20,000 government documents were stolen in March, shortly after Palau signed a 20-year economic and security deal with the US. The documents appeared on the dark web, with the ransomware group DragonForce claiming responsibility. Whipps suggested the attack had ties to China, as there was no financial motive, branding it "harassment" and a bid to weaken Palau’s international relationships. Taiwan, Japan, and the US have offered to help strengthen Palau's digital defenses. This incident highlights ongoing tensions, with China denying involvement and condemning cyberattacks.

Poland aims to sure up cyber defenses against Russia. 

Poland will invest nearly $760 million to bolster its defenses against ongoing Russian cyberattacks, according to Digital Minister Krzysztof Gawkowski. The new Cyber Shield program aims to enhance the resilience of critical infrastructure and government services. This follows a false article about military mobilization published by hackers on Poland's state news agency, PAP, which is believed to be the work of Russia-sponsored hackers.

Gawkowski highlighted the increase in cyberattacks, particularly ahead of the upcoming EU parliamentary elections, and emphasized Russia's goal to destabilize Poland and the EU. The recent cyber incidents include espionage campaigns targeting Polish government institutions, attributed to Russian hacker group APT28.

Zyxel warns of critical vulnerabilities in legacy NAS products. 

Networking device manufacturer Zyxel has warned of three critical vulnerabilities in discontinued NAS products NAS326 and NAS542, which can lead to command injection and arbitrary code execution. These flaws can be exploited without authentication. Despite discontinuation in December 2023, Zyxel released patches for extended support customers. The vulnerabilities were reported by Outpost24's Timothy Hjort, who highlighted that successful exploitation could allow attackers persistent root access and code execution on the devices.

Arctic Wolf tracks an amateurish ransomware variant named Fog. 

Arctic Wolf’s incident response team identified a new ransomware variant named Fog, targeting the education and recreation sectors in the US. The ransomware uses compromised VPN credentials for infection, gaining remote access through unidentified VPN gateway vendors. The attack initializes by querying system details to configure a multi-threaded encryption routine, utilizing Windows APIs for encryption. After encrypting files, a ransom note is left on the disk.

Fog's methods are considered amateurish, focusing on quick paydays without deep system infiltration or data exfiltration. Arctic Wolf has shared indicators of compromise (IoC) and incorporated targeted detection capabilities within its managed detection and response (MDR) services to mitigate these attacks. The identity of the threat actors remains unknown.

A TikTok zero-day targets high profile accounts. 

Threat actors exploited a zero-day vulnerability in TikTok's direct messages feature to hijack high-profile accounts, including those of CNN, Paris Hilton, and Sony. The malware spreads by simply opening a direct message within the app. TikTok spokesperson Alex Haurek stated that their security team has stopped the attack and is working with affected users to restore access. The extent of the impact remains unclear. No technical details about the vulnerability were disclosed.

Cisco patches a Webex vulnerability that exposed German government meetings. 

Cisco released a security advisory after media reports that vulnerabilities in the German government’s Webex meetings exposed sensitive information. German publication Zeit Online reported that an insecure direct object reference (IDOR) vulnerability allowed adversaries to access internal meeting links by altering link numbers. This exposed details of sensitive meetings, including military discussions. High-ranking officials’ personal meeting rooms were also unprotected. In response, the German government blocked access and took Webex offline. Cisco patched the vulnerabilities by May 28, 2024, and has not observed further unauthorized attempts since.

 

Coming up on our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's ISC2 CISSP certification journey using N2K’s comprehensive CISSP training course, CISSP practice test, and CISSP practice labs. Sam and Joe dive into Domain 7 which focuses on Security Operations. You can check out a sample question in our show notes. We’ll be right back

Welcome back. Thanks Sam and Joe. Don’t forget, we’ve got details on the course Joe is using to prepare for his CISSP and today’s sample question in our show notes. 

 

A Canadian data breach leads to a class action payday. 

And finally, an unusually satisfying end to a protracted class action lawsuit. 

We’ve all been there. You get a letter in the mail telling you you're part of a class action suit against a company that’s wronged you. Excited, you envision a massive payday. Will it be a new car? A dream vacation? Then, months later, another letter arrives. Congratulations! Your settlement is a crisp $2.50 – not enough for a coffee, but just enough to remind you that yes, you were wronged. Meanwhile, the lawyers? They're driving off into the sunset in their new convertibles, funded by your 'victory.'

This leads us to 79 unlucky customers of ICBC, the Insurance Corporation of British Columbia, Canada.  A rogue employee, Candy Elaine Rheaume, sold their personal info to some not-so-nice folks. And by not-nice, I mean gangsters. As a result, 13 homes were hit with arson and shootings.

ICBC argued that a mere $500 per person would suffice as compensation. However, a B.C. judge disagreed, awarding $15,000 each to the victims, emphasizing the gravity of the breach. The court also ruled ICBC vicariously liable after multiple appeals. The court stressed the importance of protecting personal data, especially as large organizations collect and store vast amounts of it.

Lawyers for the class action will receive 35% of the total damages, but it’s nice to see that rare case where plaintiffs will walk away with a meaningful windfall. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

 

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.