The CyberWire Daily Podcast 7.29.24
Ep 2117 | 7.29.24

Are North Korean hackers going 'Seoul' searching?

Transcript

South Korea investigates a substantial leak of military intelligence to the north. Google fixes a Workspace authentication weakness. Wiz identifies an API authentication vulnerability in Selenium Grid. The UK’s Science Secretary warns Britain is highly vulnerable to cyber threats. Global shipping faces a surge in cyber attacks. Apple has resolved the iCloud Private Relay outage. Google Chrome offers to scan encrypted archives for malware. Barath Raghavan and Bruce Schneier examine the brittleness of modern IT infrastructure. Guest Brian Gumbel, President and COO at Dataminr, joins us to discuss the convergence of cyber-physical realms. Rick Howard previews his latest CSO Perspectives episode on the state of Zero Trust. Teaching AI crawlers some manners. 

Today is Monday, July 29th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

South Korea investigates a substantial leak of military intelligence to the north. 

South Korea is investigating a significant leak from its top military intelligence command. Local media reports claim the leak resulted in a substantial amount of sensitive information, including personal data of agents abroad, falling into North Korean hands. The military has vowed strict action against those responsible but has not confirmed the media claims, pending further investigation.

A breach of agents' personal data could severely impair South Korea's intelligence operations against the North. This incident is reminiscent of a 2018 breach where an active-duty officer sold classified information to foreign agents.

North and South Korea engage in intense intelligence and counterintelligence activities. North Korea has increasingly used hackers to infiltrate networks in the U.S., South Korea, and elsewhere, aiming to steal information or cryptocurrency. Recently, the U.S., Britain, and South Korea warned of a global cyber espionage campaign by North Korean hackers targeting military secrets to support its nuclear program. Additionally, a North Korean military intelligence operative has been indicted by the U.S. for hacking American entities, with a $10 million reward offered for his capture.

Google fixes a Workspace authentication weakness. 

Google recently resolved an authentication weakness in its Workspace account creation process that allowed attackers to bypass email verification. This vulnerability enabled cybercriminals to impersonate domain holders on third-party services using the "Sign in with Google" feature. A reader informed KrebsOnSecurity about receiving a notice regarding the creation of a potentially malicious Workspace account using their email.

Google identified a small-scale abuse campaign where attackers used a specially crafted request to circumvent email verification. These attackers aimed to access third-party applications rather than Google services directly. Google fixed the issue within 72 hours of discovery and implemented additional protections to prevent similar authentication bypasses.

Anu Yamunan, Google Workspace's director of abuse and safety protections, stated that the malicious activity started in late June, involving a few thousand Workspace accounts. The attackers used one email to sign in and a different one to verify a token, bypassing the domain validation process. Google emphasized that no previously associated domains were affected. This issue is separate from a recent problem involving cryptocurrency-based domain names compromised during their transition to Squarespace.
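The flaw described above, a verification token honored for a different address than the one it was issued to, is a general pattern worth seeing in code. The following is an added illustration, not Google's code; the internals of the Workspace flow are not public, so the two verifier classes, the email addresses and the `issue`/`verify` names are all constructed for this example. The first verifier checks only that a token exists; the second binds the token to the address it was mailed to and makes it single-use.

```python
"""Email-verification token binding: a vulnerable check beside a hardened one.

Constructed example (not Google's code). Models the bug pattern: a token
mailed to address A is accepted by a request that claims address B.
"""
import secrets


class VerifierVulnerable:
    """Accepts any known token, regardless of which address it was issued for."""

    def __init__(self):
        self._tokens = {}  # token -> email it was mailed to

    def issue(self, email: str) -> str:
        tok = secrets.token_urlsafe(16)
        self._tokens[tok] = email
        return tok

    def verify(self, claimed_email: str, token: str) -> bool:
        # Defect: claimed_email is never compared with the issuing address,
        # so a token from the attacker's own inbox verifies another domain.
        return token in self._tokens


class VerifierHardened:
    """Binds each token to one address and consumes it on first success."""

    def __init__(self):
        self._tokens = {}

    def issue(self, email: str) -> str:
        tok = secrets.token_urlsafe(16)
        self._tokens[tok] = email.strip().lower()
        return tok

    def verify(self, claimed_email: str, token: str) -> bool:
        issued_for = self._tokens.get(token)
        if issued_for is None:
            return False
        if issued_for != claimed_email.strip().lower():
            return False  # token belongs to a different address
        del self._tokens[token]  # single use: a replay fails
        return True


def mismatched_verification_accepted(verifier) -> bool:
    """Sign in claiming one address, verify with a token issued to another.

    Both addresses are constructed placeholders.
    """
    target = "admin@victim-domain.example"
    attacker = "someone@attacker-controlled.example"
    token = verifier.issue(attacker)      # token lands in the attacker's inbox
    return verifier.verify(target, token)  # request claims the target address


def legitimate_flow_works(verifier) -> bool:
    """Same address on both sides must still verify exactly once."""
    email = "owner@example-domain.example"
    token = verifier.issue(email)
    first = verifier.verify(email, token)
    replay = verifier.verify(email, token)
    return first and not replay


if __name__ == "__main__":
    print("vulnerable accepts mismatch:",
          mismatched_verification_accepted(VerifierVulnerable()))
    print("hardened accepts mismatch:",
          mismatched_verification_accepted(VerifierHardened()))
    print("hardened legitimate flow:", legitimate_flow_works(VerifierHardened()))
```

The defensive point is in `VerifierHardened.verify`: the token is looked up, the address it was issued for is compared with the address the request claims, and the token is deleted once it succeeds. Normalizing case and whitespace before the comparison avoids accidental mismatches without loosening the binding.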

Wiz identifies an API authentication vulnerability in Selenium Grid. 

Selenium Grid, a widely used open-source testing framework for web applications, allows users to simulate interactions across various browsers and environments. According to Wiz, Selenium is found in 30% of cloud environments and has over 100 million pulls on Docker Hub. The Selenium WebDriver API automates browser interactions but lacks default authentication, making it vulnerable to cybercriminal abuse on internet-exposed instances.

Wiz identified over 30,000 exposed instances susceptible to attacks, leading Selenium Grid developers to warn users to secure their services. In the "SeleniumGreed" campaign, attackers exploited the WebDriver API to run Python with a reverse shell, deploying scripts to mine Monero cryptocurrency. This campaign, active for over a year, was first documented by Wiz.

Wiz shared their findings with GreyNoise, which confirmed other mining campaigns also target exposed Selenium Grid instances. Wiz provided indicators of compromise and recommendations for defenders.

The UK’s Science Secretary warns Britain is highly vulnerable to cyber threats. 

UK Science Secretary Peter Kyle has warned that Britain is highly vulnerable to cyber threats and future pandemics. He criticized deep public spending cuts under previous governments for weakening national resilience, particularly affecting the NHS and pandemic preparedness. Kyle, who assumed his role three weeks ago, highlighted internal conflicts within the Tory party as a barrier to effective threat management.

Kyle's concerns prompted the introduction of a new cybersecurity and resilience bill, replacing the anticipated AI bill. The National Cyber Security Centre noted increasing threats to critical infrastructure, emphasizing the urgency of the new bill to protect supply chains. Despite progress, the UK remains behind in countering these threats.

Kyle also stressed the need to improve pandemic readiness, citing the Covid inquiry’s report on the UK's flawed pandemic planning. Additionally, financial constraints are impacting projects and visa costs for overseas scientists, hindering research progress.

Global shipping faces a surge in cyber attacks. 

The shipping industry is experiencing a surge in cyber attacks, driven by geopolitical tensions and state-linked hackers targeting trade flows. Researchers at the Netherlands’ NHL Stenden University of Applied Sciences reported at least 64 cyber incidents in 2023, compared to three a decade earlier. Over 80% of attacks since 2001 have originated from Russia, China, North Korea, or Iran.

Conflicts from Ukraine to the Middle East have highlighted the vulnerability of global shipping, which transports over 80% of internationally traded goods. The industry, traditionally focused on physical threats, is now facing significant online piracy risks. Experts emphasize the sector's low IT investment and the increasing digitization of ships as key factors making it susceptible to cyber attacks. Notable incidents include the 2020 attack on Iran’s Rajaee Port and the 2017 NotPetya malware attack.

Apple has resolved the iCloud Private Relay outage. 

Apple has resolved the iCloud Private Relay outage, restoring service after over 48 hours of disruption. The outage, which began early Thursday and lasted until late Saturday, impacted web browsing for iCloud+ subscribers. Apple confirmed the issue on its System Status page. iCloud Private Relay enhances privacy by encrypting browsing data and routing it through two separate relay servers, one operated by Apple and the other by a third party. Apple says users can now re-enable the feature for continued privacy benefits.

Google Chrome offers to scan encrypted archives for malware. 

Cybercriminals increasingly use encrypted and password-protected files to deliver malware, evading security defenses. Google Chrome now offers two new protection mechanisms to counter this threat. When users with Enhanced Protection download a suspicious encrypted archive (.zip, .7z, .rar), Chrome prompts for the password and uploads the file and password to Google's Safe Browsing for a deep scan. According to Google, uploaded data is deleted after scanning and only used to improve download protections.

For users with Standard Protection, a prompt will also appear, but the file and password remain local, with only metadata checked. If malware is detected based on previous observations, users are still protected.

Google's analysis shows that deep scanning suspicious files significantly increases malware detection. Enhanced Protection users will now have all suspicious downloads automatically deep-scanned to reduce user friction. Users can opt out for trusted files by using the “download anyway” option to maintain confidentiality. Chrome has also introduced more detailed warning messages for suspicious and dangerous files.

Barath Raghavan and Bruce Schneier examine the brittleness of modern IT infrastructure. 

In an essay for Lawfare, Barath Raghavan and Bruce Schneier explore the massive internet outage caused by CrowdStrike, which disrupted airlines, hospitals, banks, and other critical sectors, canceled nearly 7,000 flights, and affected over 8.5 million Windows computers.

Raghavan and Schneier argue that this brittleness extends beyond technology, permeating food, electricity, finance, and transportation sectors, often due to globalization and consolidation. They emphasize that in IT, numerous small companies play essential roles, and market incentives drive them to minimize costs, sacrificing redundancy and careful planning. The CrowdStrike failure exemplifies this, where a buggy software update led to global disruptions, exposing the risks of deep interdependencies and hidden vulnerabilities.

The authors advocate for a shift in market incentives and regulatory approaches to foster resilience. They suggest that systems should be designed to handle failures, akin to ecological systems with deep complexity. They highlight Netflix’s Chaos Monkey tool as an example of building resilience through intentional failures, despite being perceived as costly and inefficient in the short term.

Raghavan and Schneier recommend regulations that focus on the processes of failure testing rather than specific checklists. They argue for embracing inefficiencies to construct robust systems, proposing continuous breaking and fixing as a method to achieve reliability and resilience. The essay concludes that to counter the trend of maximizing short-term profits, the economic incentives must shift towards building less brittle, more resilient systems.

Coming up, we’ve got Dataminr’s President and COO Brian Gumbel. Brian joins us to discuss the convergence of cyber-physical realms. 

We’ll be right back.

Thanks, Brian, for joining us, and thank you to Night Dragon for that introduction. You can find out more about Brian and Dataminr in our show notes.

Next up, I’ve got Rick Howard with a preview on this week’s CSO Perspectives about “The current state of zero trust.”

As always, thanks, Rick. You can find links to both the CSO Perspectives episodes for N2K Pro subscribers and also a preview episode for those who are not yet subscribers.

Teaching AI crawlers some manners. 

And finally, Read the Docs is a company that helps organize and automate documentation for various online projects. In a blog post, Cofounder Eric Holscher highlights the increasing abuse of AI crawlers. AI products have aggressively crawled sites without respecting bandwidth limits, leading to substantial costs and disruptions. Notably, one crawler downloaded 73 TB of data in May 2024, costing Read the Docs over $5,000 in bandwidth, while another consumed 10 TB in June. These incidents underscore the need for AI companies to respect the sites they crawl. Holscher calls for better crawler practices, such as rate limiting and support for ETags and Last-Modified headers. To mitigate the issue, Read the Docs has blocked AI crawlers identified by Cloudflare and is improving monitoring and caching. Holscher urges AI companies to collaborate on more respectful crawling practices to prevent further issues.
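The two practices Holscher asks for, rate limiting and conditional requests via ETag and Last-Modified, are easy to model end to end. Below is an added example, not Read the Docs' code or configuration: a tiny request handler for a constructed one-page "site" that answers 304 Not Modified when a crawler revalidates with `If-None-Match` or `If-Modified-Since`, and a per-client token bucket that returns 429 with `Retry-After` when a client exceeds its budget. The `crawl_bytes` function then compares the body bytes served to a crawler that revalidates against one that re-downloads every time. The site content, client names, rates and page path are all constructed.

```python
"""Conditional GET (ETag / Last-Modified) plus token-bucket rate limiting.

Constructed example, not Read the Docs' code. Shows why a crawler that
revalidates costs a host almost nothing on unchanged pages.
"""
import hashlib
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed sample site: path -> (body, last-modified time). 4,400 bytes.
SITE = {
    "/en/latest/index.html": (
        b"<h1>Project docs</h1>\n" * 200,
        datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc),
    ),
}


def etag_for(body: bytes) -> str:
    """Strong ETag derived from the content; any edit produces a new tag."""
    return '"' + hashlib.sha256(body).hexdigest()[:16] + '"'


class TokenBucket:
    """Per-client bucket refilled at `rate` tokens/second, holding up to `burst`."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self._state = {}  # client -> (tokens, last_seen_ts)

    def allow(self, client: str, now: float) -> bool:
        tokens, last = self._state.get(client, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._state[client] = (tokens - 1.0, now)
            return True
        self._state[client] = (tokens, now)
        return False


def handle(path: str, headers: dict, client: str, bucket: TokenBucket, now: float):
    """Return (status, response headers, body) for one request."""
    if not bucket.allow(client, now):
        return 429, {"Retry-After": str(max(1, int(1 / bucket.rate)))}, b""
    if path not in SITE:
        return 404, {}, b""
    body, modified = SITE[path]
    tag = etag_for(body)
    resp = {"ETag": tag, "Last-Modified": format_datetime(modified, usegmt=True)}
    inm = headers.get("If-None-Match")
    if inm is not None:
        # RFC 7232: If-None-Match takes precedence over If-Modified-Since.
        if tag in [t.strip() for t in inm.split(",")]:
            return 304, resp, b""
    elif (ims := headers.get("If-Modified-Since")) is not None:
        try:
            if parsedate_to_datetime(ims) >= modified:
                return 304, resp, b""
        except (TypeError, ValueError):
            pass  # malformed date: treat as unconditional
    return 200, resp, body


def crawl_bytes(polite: bool, fetches: int = 3) -> int:
    """Body bytes served to one crawler re-fetching the same page `fetches` times."""
    path = "/en/latest/index.html"
    bucket = TokenBucket(rate=10.0, burst=5)
    cached, total = {}, 0
    for i in range(fetches):
        hdrs = {}
        if polite and path in cached:
            hdrs["If-None-Match"] = cached[path]["ETag"]
        status, resp, body = handle(path, hdrs, "crawler-a", bucket, now=float(i))
        total += len(body)
        if status == 200:
            cached[path] = resp
    return total


if __name__ == "__main__":
    print("re-download every time:", crawl_bytes(polite=False), "bytes")
    print("revalidate with ETag:  ", crawl_bytes(polite=True), "bytes")
```

The rate limiter and the validators are independent controls: the bucket caps how many requests a client may make per second regardless of content, while the 304 path makes each repeated request for an unchanged page cost only headers. In production the bucket would be keyed on something harder to rotate than a raw client string, and the cached state would live outside the process.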

It’s easy to forget that bandwidth ain’t always free, and chewing through thousands of dollars worth of data at the expense of a modest open-source organization isn’t just irresponsible, it’s downright rude. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.