The CyberWire Daily Podcast 9.23.24
Ep 2156 | 9.23.24

Can connected cars jeopardize national security?

Transcript

The US is set to propose a ban on Chinese software and hardware in connected cars. Dell investigates a breach of employee data. Unit 42 uncovers a North Korean PondRAT and a red team tool called Splinter. Marko Polo malware targets cryptocurrency influencers, gamers, and developers. An Iranian state-sponsored threat group targets Middle Eastern governments and telecommunications. The alleged Snowflake hacker remains active and at large. German officials quantify fallout from the CrowdStrike incident. Apple’s latest macOS update has led to widespread issues with cybersecurity software and network connectivity. Our guest is Vincenzo Ciancaglini, Senior Threat Researcher from Trend Micro, talking about the uptick in cybercrime driven by the generative AI explosion. Supercharging your graphing calculator.

Today is Monday, September 23rd, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The US is set to propose a ban on Chinese software and hardware in connected cars.

The U.S. Commerce Department is set to propose a ban on Chinese software and hardware in connected and autonomous vehicles, citing national security risks, according to sources. Reuters reports the proposed regulation aims to prevent Chinese-made vehicles with critical communication or autonomous systems from being imported or sold in the U.S. This move reflects growing concerns about the data collection practices of Chinese companies on U.S. drivers and infrastructure, as well as the potential for foreign control of vehicles connected to the internet.

This proposal is part of the Biden administration’s broader efforts to limit Chinese technology in sensitive industries. Recent actions include raising tariffs on Chinese electric vehicles (EVs), batteries, and minerals. Commerce Secretary Gina Raimondo emphasized the potential dangers of millions of connected cars being compromised. In February, President Biden ordered an investigation into whether Chinese vehicle imports pose security risks due to connected-car technology.

The new rules would take effect in phases, starting with software in 2027 and hardware by 2029. The restrictions will target vehicles with Bluetooth, satellite, and wireless features, including autonomous cars. The proposal allows for public comments before finalization.

Automakers like General Motors, Toyota, and Volkswagen warned that such changes would require significant time due to the complexity of pre-production testing. The regulation would also extend to other foreign adversaries, such as Russia, and is aimed at safeguarding U.S. vehicle supply chains.

Dell investigates a breach of employee data. 

Dell is investigating claims of a data breach after a hacker, “grep,” leaked information for over 10,000 employees. The hacker alleged that the breach occurred earlier this month, exposing internal employee and partner details, including unique identifiers, full names, employment status, and internal ID strings. While only a small sample of the data was shared for free, the full database is allegedly available for purchase on a hacking forum. Dell confirmed to BleepingComputer that its security team is investigating the claims. This is not the first time grep has made such allegations, as they also claimed responsibility for a breach of French IT giant Capgemini earlier in September. Earlier in 2024, Dell also faced a breach involving 49 million customer records.

Unit 42 uncovers a North Korean PondRAT and a red team tool called Splinter. 

Researchers from Palo Alto Networks’ Unit 42 uncovered a North Korean-linked malware campaign distributing PondRAT through poisoned Python packages. The threat actor, Gleaming Pisces (also known as Citrine Sleet), previously deployed macOS malware POOLRAT, and PondRAT appears to be a lighter variant. The attackers uploaded malicious packages to the PyPI repository to compromise developers’ systems, targeting supply chains and their customers. Gleaming Pisces, active since 2018, is known for sophisticated attacks on the cryptocurrency industry.

PondRAT shares code similarities with POOLRAT, including overlapping structures and encryption keys, linking this campaign to previous AppleJeus operations. Once installed, the malware runs bash commands to download and execute the RAT, posing a significant detection challenge for organizations. PondRAT’s functionality is more limited than POOLRAT’s, but it still poses a serious threat.

Additionally, Palo Alto Networks discovered a new post-exploitation red team tool called Splinter using Advanced WildFire’s memory scanning tools. Splinter, developed in Rust, was found on customer systems and is used for tasks such as executing commands, uploading and downloading files, and gathering information from cloud services. Although its capabilities are less advanced than tools like Cobalt Strike, Splinter can still pose a serious threat if misused by criminals.

The discovery highlights the growing number of red-teaming tools available, emphasizing the need for continuous detection and prevention measures.

Marko Polo malware targets cryptocurrency influencers, gamers, and developers. 

Recorded Future’s Insikt Group has uncovered a massive malware operation, attributed to the cybercriminal group “Marko Polo.” The effort spans 30 campaigns targeting various demographics and system platforms. The group spreads 50 malware payloads, including AMOS, Stealc, and Rhadamanthys, via malvertising, spearphishing, and brand impersonation. These campaigns have compromised tens of thousands of devices globally, leading to significant financial losses and privacy risks.

Marko Polo targets high-value individuals like cryptocurrency influencers, gamers, and developers, using fake job offers and project collaborations to trick victims into downloading malware. Impersonated brands include Fortnite, Zoom, and RuneScape, among others. The malware impacts both Windows and macOS systems, with tools designed to steal data, including browser info, crypto wallets, and even Apple Keychain passwords.

An Iranian state-sponsored threat group targets Middle Eastern governments and telecommunications.

An Iranian state-sponsored threat group, UNC1860, likely linked to Iran’s Ministry of Intelligence and Security (MOIS), is acting as an initial access broker for cyberattacks targeting Middle Eastern governments and telecommunications. According to Mandiant researchers, UNC1860 specializes in deploying backdoors and custom tools that provide persistent access to high-priority networks. One notable tactic is repurposing a Windows kernel mode driver from Iranian antivirus software to evade detection.

UNC1860 supports espionage and network attack operations and shares similarities with other Iranian threat groups like APT34. The group uses custom malware controllers, web shells, and droppers, allowing other Iranian actors to continue exploiting compromised networks. Their custom coding, including encryption techniques, aids in bypassing security tools, posing a significant threat to consumer privacy and business continuity across the region.

The alleged Snowflake hacker remains active and at large. 

The hacker known as “Judische,” responsible for much of the Snowflake customer data theft earlier this year, remains active, according to Mandiant’s senior threat analyst, Austin Larsen. Speaking at the SentinelOne LABScon security conference, Larsen revealed that Judische continues to target software-as-a-service providers. The hacker, a 26-year-old software engineer from Ontario, Canada, allegedly played a key role in the April breach of up to 165 Snowflake customers using stolen credentials. While only “dozens” of companies were extorted, victims include AT&T, Ticketmaster, and Santander. Judische and associates have extorted up to $2.7 million. The hacker collaborated with John Binns, who was arrested after an AT&T data breach and remains in Turkish custody. Both hackers are part of a cybercriminal network called “The Com,” involved in hacking, extortion, and other illegal activities.

German officials quantify fallout from the CrowdStrike incident. 

A recent survey by Germany’s Federal Office for Information Security (BSI) and Bitkom revealed the impact of a massive worldwide outage caused by a faulty CrowdStrike update on German companies. Of the 311 companies polled, 62% were directly affected, and 48% were indirectly impacted, leading to disruptions in business operations. On average, it took affected companies 10 hours to fully resume operations and two days to resolve the issue.

The incident highlighted the importance of emergency preparedness, with 62% of affected companies having an emergency plan, most of which worked effectively. In response, many companies are enhancing their cybersecurity measures, including revising IT emergency plans, improving patch management, and implementing zero-trust architecture. Additionally, 10% of companies are considering changing their cybersecurity providers, and 30% are diversifying their IT security solutions.

Apple’s latest macOS update has led to widespread issues with cybersecurity software and network connectivity.

Apple’s macOS 15 Sequoia update has led to widespread issues with cybersecurity software and network connectivity. Users reported problems with tools from CrowdStrike, ESET, Microsoft, and SentinelOne. CrowdStrike advised customers to avoid updating, noting Apple was informed of the compatibility problems, but a fix is not expected. MIT also warned users that CrowdStrike Falcon is unsupported on Sequoia. ESET acknowledged network issues and recommended updating to supported versions. Microsoft reported network crashes with its Network Protection feature, advising against upgrading for now. The update also disrupted VPN and RDP connections, as well as web browsers. Security researchers noted that modifying firewall settings could resolve connectivity problems but warned it could increase security risks. Patrick Wardle, a well-known researcher specializing in Apple product security, stated that several individuals had notified Apple about these issues prior to the release of macOS 15 Sequoia, but Apple chose to ship the update anyway.


Up next, we talk about the uptick in cybercrime driven by the generative AI explosion with Vincenzo Ciancaglini, Senior Threat Researcher at Trend Micro.

We’ll be right back.

Welcome back. You can find a link to Trend Micro’s blog in our show notes. 

Supercharging your graphing calculator. 

And finally, when I was in college back around 1990 or so, one of my roommates was an Electrical Engineering major. He told the tale of a clever group of double-E majors who programmed their HP calculators to use the built-in infrared transmitters and receivers to enable a local text chat network. Essentially, anyone in the same room could send and receive messages with each other. This was years before wireless protocols like WiFi or Bluetooth became commonplace. It was a clever hack, and legend has it that it also proved extremely useful when these old-school hackers found themselves in the same room taking an exam.

Fast forward to today, where YouTube creator “ChromaLock” shared a video detailing how he modified a Texas Instruments TI-84 graphing calculator to connect to the internet and access OpenAI’s ChatGPT, potentially aiding students in cheating on exams. Titled “I Made The Ultimate Cheating Device,” the video showcases a custom hardware modification using a Wi-Fi-enabled microcontroller to interface with the calculator. The device allows users to input problems and receive ChatGPT responses on the calculator’s screen.

ChromaLock designed a custom circuit board, called “TI-32,” and created software to integrate the calculator with ChatGPT. He encountered several engineering challenges, including voltage and signal integrity issues, before finalizing the design. The modified calculator can also download apps like image browsers and cheat sheets, all while remaining undetectable.

While the project highlights technical ingenuity, using such a device during tests would likely be considered academic dishonesty, and students should be cautious of potential consequences. 


And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

Don’t forget to check out the “Grumpy Old Geeks” podcast, where I contribute to a regular segment on Jason and Brian’s show every week. You can find “Grumpy Old Geeks” where all the fine podcasts are listed.