Transcript
going to go through a lot of our usual segments today. My name is Matt Redlock, and I'm joined by my co-host. I am David Gibson, located in a small island off of South America called North America. And we promise we are not AI deepfakes of ourselves, and you're genuinely experiencing us today. So with that, let's crack straight into it. So for those of you joining us for the first time today, we always like to start off the show with covering some good news. As often, cybersecurity is all doom and gloom, and there often is a lot of good things to say. And we actually do have a lot to say about some of the recent attacks on the retail industry. So four arrests were made in connection with the attacks on Marks & Spencer, Co-op, and Harrods. Damages from those attacks were estimated to be between about 270 million and 440 million pounds, or around half a million dollars. Charges against the two 19-year-old, one 17-year-old male, and 20-year-old woman included things like violating the Computer Misuse Act, blackmail, money laundering, and participating in organized crime. The suspects were purportedly linked to Scattered Spider, who's widely known for social engineering attacks and ransomware attacks. And Marks & Spencer even confirmed that the attack was related to an attacker group called Dragon Force, where the group's members are mostly known as young native English speakers who are really skilled at impersonation and social engineering, often posing as help desk employees of these companies in order to breach those systems. So another win for the good guys. Yeah, I think it's interesting that it looks like a lot of these folks are kind of cannon fodder, these young English-speaking kids, because they get their voice on tape, and they make it just easier to identify an arrest at that point. And what's going on, David, with Silk Typhoon? And you told me something earlier related to Half Neon. We were only talking about that more than anything else, I feel like. Yeah, I know. This brought back some memories. I remember early in the days of scared cybercrime, we talked a lot about some of the on-prem exchange vulnerabilities and like proxy logon, proxy shell, things like that. There was an arrest by the name of a fellow by the name of Zhu Sui. I think I'm pronouncing that completely incorrectly. But he was arrested in Milan and charged for his alleged role in that activity, the Half Neon, as well as some of his activity in Silk Typhoon. We've covered Silk Typhoon in shows over the years as well. He is disputing the charges. He's claiming a case of mistaken identity and that his phone was stolen in 2020. He's one of many folks that are allegedly involved in these attacks, where the Chinese government looks to be outsourcing some of this cyber activity to third parties and things like that. So he looks to be associated with those. So could be one for the good guys if this turns out to be true. And another arrest was made, well, in this case, it's actually a guilty plea got entered. So Cameron, I couldn't know if I could pronounce his way genius or why genius, way genius, hard to say. But he went by- Let's keep going a few more times. Yeah, I know. A few more and we'll get it right. He went by the hacker named Keeber Phantom or Cyber Phantom, was known for being behind the attacks on large companies like AT&T and Snowflake, ultimately pled guilty to multiple charges, including wire fraud, extortion and aggravated identity theft. Cameron, while on active duty, attempted to extort more than half a million dollars from a telecom company by threatening to leak sensitive call records of high ranking public officials, selling information to foreign intelligence officials. And his sentencing is scheduled for October 6th, facing up to 27 years in prison. Now let's jump on to our next segment, is surely going to be saying AI Vey. Yeah, now this I think could have gone into the good news section because this is a tragedy narrowly averted. And it was tragedy narrowly averted by a combination of some threat intelligence and Google's big sleep security. This is not the big sleep image creation. I think there's a couple of different big sleeps out there, but this is big sleep security. It's an LLM that finds vulnerabilities in code. And what happened was some threat intelligence, Google's threat intelligence picked up some signs that attackers might be targeting a vulnerability in SQL lite, but they didn't know what the vulnerability was. So they pointed big sleep at it, found a vulnerability, accelerated some patch creations, some ER rules, snort rules, shared some IOCs, got everybody to sound the alarm. And it looks like this breach, this potential breach was avoided. So I kind of think this is some AI powered good news. What do you think? Yeah, but it'll still leave you saying AI Vey, because maybe it's something we should have designed around, but I'll take it as good news. In some true things leaving you saying AI Vey, a proof of concept of a new AI attack method was published called Echo Chamber. This is an attack on large language models like chat GPT and Gemini. What an attacker can do, or a security researcher in this case, is use subtle multi-turn prompts to slowly nudge the model towards inappropriate outputs. And this has a fairly high success rate in bypassing AI guardrails without actually ever directly inputting explicit prompts. So what the attack does is leverages emotional priming to later make the model produce harmful content. Some emotional priming, huh? Yeah, you got to make the AI feel things and then it'll do what you want. Yeah. How do you feel about your password, Matt? You know, David, I was thinking I wasn't going to give it up to you right now, but maybe we could chat GPT later. Let's play tic-tac-toe with some of our passwords. All right. So let's talk about DeepSeek. Germany has asked DeepSeek to remove its application from the Google Play and Apple App Stores. And this was after Germany concluded that DeepSeek wasn't protecting data in a way that was compliant with GDPR. And they had asked DeepSeek to remove itself from the App Store. And shocker, they didn't do that. So now, of course, we'll see what Apple and Google do in terms of handling the request made to remove the DeepSeek LLM or the application from their App Stores. So I think we'll see what happens. Clearly, there's a lot of personal data at stake here that could be up for grabs and accessed by Chinese government, for example. Not just the stuff that people are asking, things that people are asking, but probably device information. Anybody that's running a device, there's quite a bit of information that can be gleaned from those devices as well, I believe as well. Yeah. And speaking of deep AI that we should be talking about, there is a huge rise in deepfakes. Deepfakes are popping up everywhere. And if you're not paying attention to this string of high-profile deepfakes, please take this as a wake-up call that the era of deepfake fraud is upon us. Marco Rubio was impersonated by attackers that leveraged his likeness to contact foreign ministers, US governors, and members of Congress, even mimicking his voice and writing style over the messaging app Signal. This is a growing pattern of deepfake impersonations that target government officials, even including one that targeted the White House Chief of Staff, Susie Wiles. In another instance, Ripple CEO Brad Garlinghouse was impersonated on YouTube during a keynote speech where he published a QR code for XRP doubling event, which was obviously fraudulent. Ripple even previously sued YouTube in 2020 for failing to stop an impersonation scam that was ultimately settled out of court in 2021. And deepfake attacks are hitting companies too. A North Korea-linked attacker group of BlueNoruf used deepfake Zoom calls to impersonate company executives and trick a Web3 employee into installing Mac OS X malware. The attack began with a telegram message and a calendar link that redirected to a fake Zoom domain, leading to a staged group call with AI-generated persons. Victims were then prompted to install a fake Zoom extension, which downloaded a malicious Apple script disguised as a support tool. And what this leaves me thinking is there's a lot of new ways that someone could be social engineered. And it's really, whether it's through to commit fraud, or maybe to give up credentials or install malware, these are just new methods for attackers to trick your employees. And it really does make you think about if any one identity got compromised, how would you pick up on it? Or how would you limit the impact of that breach? Because deepfakes are upon us. Yeah, I'd say it's almost like we all need deepfake training to be able to spot it. Yeah, more security awareness training is definitely the answer, David. Now, speaking of things that we're all vulnerable to, there's a few vulnerabilities I know you wanted to talk about, including one with Citrix. Yep, a couple of zero days in Netscaler. HashFast. Because these are real, they're being exploited, they can lead to unauthorized remote code execution. So it's an out of bounds memory read. It's some pretty, I guess the severity is a 9.2 out of 10. So anybody that's running some of these, this is a little bit like Citrix Bleed vulnerability. It's the sequel. So there are some patches available for this, and I suggest you get rolling on those. Yeah, and you know, a billion, yeah, with a B, a billion devices and 350 million vehicles are vulnerable to a Bluetooth remote code execution vulnerability called Perfect Blue. Exploiting CVE-2024-45431 or CVE-2024-45434 does actually require physical proximity, or about a 10 meter distance to the victim device, and oftentimes also involves user interaction, like approving a Bluetooth pairing request. However, some devices were found to be patched, one, and others were found to be even vulnerable without having to be in proximity. So definitely something to talk about, to look for. It means that you have a vulnerable SDK for Bluetooth installed on that particular device. Yeah, and this is pretty scary, and it looks like some of the vulnerability depends on the implementation of Bluetooth, you know, whether you can pair, like, remotely or initiate pairing mode remotely, whether, like, the car needs to be on, and so there's a few different things here, but I think a lot of devices, you know, that are running the stack may be vulnerable. And what's going on with ServiceNow? Yeah, speaking of vulnerability, so ServiceNow, there's a vulnerability that was discovered by Verona's ThreatLabs, and we wrote about a vulnerability called CounterStrike, which there's an exploit where you can exploit misconfigured ACLs. For those of you that don't know, ServiceNow has really sophisticated permissions, and it can use a lot of conditional logic, and the way that Verona's ThreatLabs figured out kind of how to use those to extract data is there's a UI element that provides a record count in the UI, and basically of what you're querying, and that can be abused to basically glean confidential information kind of by a reference. So it's a counter, I see what you did there with CounterStrike, but some interesting things about this exploit is any user account can be, I think, just about, doesn't have to be privileged, can use this exploit. So there have been some patches for this, but Verona and ServiceNow both recommend that customers review custom and standard tables and apply some of the new security mechanisms to tighten this down. Good news is there's no known use of this in the wild. Now let's jump on to our final segment, the Danger Zone. We're going to cover a lot of the stories that I think is why some of you guys are here. Now, speaking of one, you know, Scattered Spider has expanded their targets again. You know, first we saw them on retail, then we saw them on insurance, now aviation. I'm wondering, you know, maybe you guys can tell us in the chat who you think that they'll target next, but it is suspected that Scattered Spider carried out an attack on Hawaiian Airlines and Qantas Airlines that disrupted its IT systems, even exposed frequent flyer data, however, didn't impact flight operations. So they're basically going vertical by vertical, even into the vertical verticals. Yeah. Oh, David. So what's going on with SharePoint, David? Ah, well, so, you know, again, I'm reminded of Hapnium, where, you know, we saw vulnerabilities with on-prem exchange. This has to do with a vulnerability in on-prem SharePoint, and calling it Toolshell. But if you have a publicly accessible on-prem SharePoint site, um, this is something we can, there's a link in Varonis, uh, there's a, yeah, thank you, Frank. There's also a link to Varonis's, uh, kind of recommendations here, but definitely want to mitigate, uh, this vulnerability. Um, the, uh, it's, it's not that hard to kind of, uh, trigger this exploit. They're uploading some malicious SharePoint payloads, you know, signing it with some stolen certs. Um, so there's some out of band security updates for Microsoft SharePoint, uh, because of course it's, I think it's end of life. Well, maybe not end of life, but certainly not, uh, as in heavy support as some of the other, um, you know, like SharePoint online, for example. Um, so you got to fix the CVEs and then rotate the machine keys using some specific set steps there that are documented in the article. And the reason that we know about this is several Chinese actors were linked to leveraging the zero-day attacks that David just mentioned to carry out, uh, attacks on the U.S. Nuclear Weapons Agency, the Department of Education, uh, Florida's Department of Revenue, and even the Rhode Island General Assembly. Uh, just, I guess, uh, seeing all this kind of come together here. Yeah. And I, you know, for me, and we talk about this sometimes, David, you know, it's clear that there are nation-state actors that might have these zero days in their arsenal, um, and, you know, it seems like it takes a, quite a number of agencies or entities getting breached in order for us to find out about them, which makes me wonder, how long were they leveraging it? Is this relatively new? You know, how did they find out? There's a lot of unanswered questions about this one. Yep. And what's going on with Salt Typhoon? I know everybody wants to hear about that. So, there's, uh, an attack on another communications company, Biosat, which is a satellite communications provider, um, and, uh, they are another victim of Salt Typhoon. And I think some of the things they have in common here, I mean, another communications company, um, the attacks aren't obviously disruptive. Uh, you know, once they're in, you know, they're gathering information, looking for more vulnerabilities, um, more persistence. I see it as kind of putting pieces into position. You know, it's, uh, it seems like, uh, kind of a long game in some ways, uh, in contrast to some of the smash and grab ransomware techniques that we've had. It's a, it's kind of the other extreme, get in very quietly, collect a lot of information. Establish persistence. Yeah, which is, uh, which is a little scary because you kind of wonder what the end, I mean, I'm not sure if we have to wonder what the end goal is, but it's, uh, like a fire sale is my hypothesis. Yeah. That's, uh, it's, uh, it's, it's not a, it's not a pleasant proposition. There was like a breach within a breach with this too, David, you want to talk about that? Yeah. So in June of this year, we learned about a, a hidden breach, a breach that actually took place for most of 2024. Uh, and this happened inside a state level unit of the national guard. Um, looks like the attackers were in for almost about nine months. Um, and they kind of followed the same playbook. They were in compromising credentials, you know, or getting credentials, network diagrams, maps, personal information. And what I thought was interesting is, uh, you know, we heard about it in June and it was discovered, uh, after kind of after the fact through a bunch of log analysis, um, and other, you know, investigation searching for IOCs that was prompted by some of the fed cybersecurity directives that came out in late 2024. Um, and so, you know, evidence of, you know, usual stealthy activity here looking, you know, exploding zero days, looking at the land. Yeah, exactly. Yeah. Yeah. So again, putting pieces together kind of, uh, very stealthy, not, not over, you know, obvious damage here. Um, and then, you know, what wasn't detected as it was happening was kind of detected only with analysis after the fact. So it kind of illustrates how stealthy these folks are. Um, and with that, as always, thanks everybody. The show is made possible by you, our audience. I know David and I love doing it and we can't wait to connect with you again.