Archive.fm

CyberWire Daily

Inside the crypto scam empire.


Duration:
27m
Broadcast on:
11 Jul 2024
Audio Format:
mp3

A major Pig Butchering marketplace has ties to the Cambodian ruling family. Lulu Hypermarket suffers a data breach. GitLab patches critical flaws. Palo Alto Networks addresses BlastRadius. ViperSoftX malware variants grow ever more stealthy. A New Mexico man gets seven years for SWATting. State and local government employees are increasingly lured in by phishing attacks. Hackers impersonate live chat agents from Etsy and Upwork. The GOP’s official platform looks to roll back AI regulation. On today’s Threat Vector, David Moulton from Palo Alto Networks Unit 42 discusses the evolving threats of AI-generated malware with experts Rem Dudas and Bar Matalon. NATO brings the social media influencers to Washington.

Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.


Threat Vector Segment

In this segment of Threat Vector, host David Moulton, Director of Thought Leadership at Palo Alto Networks Unit 42, explores the evolving world of AI-generated malware with guests Rem Dudas, Senior Threat Intelligence Analyst, and Bar Matalon, Threat Intelligence Team Lead. From exploring the vulnerabilities in AI models to discussing the potential implications for cybersecurity, this episode offers a deep dive into the challenges and opportunities posed by this emerging threat. You can listen to the full episode here.


Selected Reading

The $11 Billion Marketplace Enabling the Crypto Scam Economy (WIRED)

Hackers steal data of 200k Lulu customers in an alleged breach (CSO Online)

GitLab update addresses pipeline execution vulnerability (Developer Tech News)

Palo Alto Networks Addresses BlastRADIUS Vulnerability, Fixes Critical Bug in Expedition Tool (SecurityWeek)

ViperSoftX malware covertly runs PowerShell using AutoIT scripting (Bleeping Computer)

Man sentenced to 7 years for Westfield High School threat hoax (Current Publishing)

State, local governments facing deluge of phishing attacks (SC Media)

Hackers impersonate live chat support agents in new phishing scam (Cybernews)

2024 GOP platform would roll back tech regulations on AI, crypto (The Washington Post)

NATO's newest weapon is online content creators (The Washington Post) 


Share your feedback.

We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. 


Want to hear your company in the show?

You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.


You're listening to the CyberWire Network, powered by N2K.

What's 2FA security on Kraken? Let's say I'm captaining my soccer team, and we're up by a goal against, I don't know, so does Springs FC. Do we relax? No way. Time to create an extra line of defense and protect that lead. That's like 2FA on Kraken, a surefire way to keep what you already have safe and sound. Go to kraken.com and see what crypto can be. Not investment advice. Crypto trading involves risk of loss. Cryptocurrency services are provided to U.S. and U.S. territory customers by Payward Interactive Inc. (PWI), DBA Kraken. View PWI's disclosures at kraken.com/legal/disclosures.

When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA and more, saving you time and money. With Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flo Health and Quora use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber. That's v-a-n-t-a.com/cyber for $1,000 off Vanta.

A major pig butchering marketplace has ties to the Cambodian ruling family. Lulu Hypermarket suffers a data breach. GitLab patches critical flaws. Palo Alto Networks addresses BlastRADIUS. ViperSoftX malware variants grow ever more stealthy. A New Mexico man gets seven years for swatting. State and local government employees are increasingly lured in by phishing attacks. Hackers impersonate live chat agents from Etsy and Upwork. The GOP's official platform looks to roll back AI regulation. On today's Threat Vector, David Moulton from Palo Alto Networks Unit 42 discusses the evolving threats of AI-generated malware with experts Rem Dudas and Bar Matalon. And NATO brings the social media influencers to Washington.

This Thursday, July 11, 2024, I'm Dave Bittner and this is your CyberWire Intel Briefing. Thank you for once again joining us. It is always great to have you here with us.

A feature story in Wired from Andy Greenberg and Lily Hay Newman examines pig butchering crypto scams, which have evolved into a vast criminal industry, stealing tens of billions annually. The scam ecosystem includes tools and services for targeting victims, laundering stolen funds, and even detaining human trafficking victims forced to work in scam operations. New research by Elliptic, a crypto-tracing firm, reveals that a single Cambodian platform, Huione Guarantee, linked to the Cambodian ruling family, supports this industry. Huione Guarantee, launched in 2021, facilitates peer-to-peer transactions using Tether cryptocurrency via Telegram. Elliptic traced $11 billion in transactions through Huione Guarantee, with $3.4 billion in 2023 alone, primarily supporting pig butchering scams. The platform offers a range of illicit services, including human trafficking tools, scam target data, fake investment websites, deepfake services, and money laundering. Elliptic's co-founder, Tom Robinson, describes Huione Guarantee as the largest public platform for illicit crypto transactions. The scam operations are often run from compounds in Southeast Asia where forced laborers live and work under harsh conditions. The report suggests that platforms like Huione Guarantee allow scammers to outsource various aspects of their operations, contributing to the increasing scale of these scams. Sean Gallagher from Sophos notes that pig butchering operations often use identical tools and infrastructure across different scams. Robinson proposes international sanctions against Huione's leadership to disrupt this criminal industry. He emphasizes the need to target such marketplaces to combat the growing threat of crypto scams.

Lulu Hypermarket, based in Abu Dhabi, has reportedly suffered a significant data breach, exposing personal details of at least 196,000 customers. The hacker group IntelBroker claimed responsibility, initially leaking some customer details on BreachForums. They announced plans to release the full database later, which includes millions of users and orders. Leaked details include email addresses and phone numbers, posing risks of phishing and identity theft. Lulu Hypermarket has not confirmed the breach or specified the types of data affected. IntelBroker has a history of targeting major organizations and remains active on BreachForums, now under ShinyHunters' administration. Lulu customers are advised to stay vigilant.

GitLab has issued critical security updates to fix multiple vulnerabilities, including a severe flaw with a CVSS score of 9.6, allowing attackers to run pipeline jobs as arbitrary users. The company urges immediate upgrades for both Community and Enterprise Edition users. The critical flaw affects GitLab versions 15.8 to 17.1.1 and was reported through GitLab's HackerOne program.

Palo Alto Networks released patches for multiple vulnerabilities, including a critical bug in its Expedition migration tool, allowing attackers to take over administrative accounts. This was fixed in Expedition version 1.2.92. Additionally, a high-severity file upload issue in Panorama could lead to a denial of service condition requiring manual intervention. Medium-severity flaws in Cortex XDR and PAN-OS software were also addressed, preventing attackers from running untrusted code and tampering with the file system. The company provided an advisory on the BlastRADIUS vulnerability, which could enable attackers to bypass authentication and escalate privileges in PAN-OS firewalls using CHAP or PAP protocols. No exploitation of these vulnerabilities has been reported.

Researchers at Trellix report the latest variants of ViperSoftX malware use the Common Language Runtime to execute PowerShell commands within AutoIt scripts, evading detection. CLR, part of Microsoft's .NET Framework, allows code execution in a trusted environment. ViperSoftX leverages this to load code within AutoIt, commonly trusted by security solutions. The malware also incorporates modified offensive scripts for increased sophistication. ViperSoftX steals system details, cryptocurrency wallet data, and clipboard contents. Trellix emphasizes the need for comprehensive defensive strategies to detect, prevent, and respond to such sophisticated threats.

James Thomas Andrew McCarty, age 21, from Kianta, New Mexico, was sentenced to seven years in federal prison for making hoax threats, including a call to Westfield High School in 2021 that led to a two-hour lockdown. McCarty pleaded guilty to making false calls and aggravated identity theft using real students' identities. His hoax calls targeted schools and governmental entities across multiple states, none of which were credible threats. McCarty also admitted to hacking a Ring doorbell in Florida, causing a police response, which he live-streamed for his own amusement. The FBI and various local authorities assisted in the investigation.

Phishing attacks on state and local government employees have surged by 360 percent from May 2023 to 2024, driven by the rise in business email compromise attacks, which increased by 70 percent, according to Abnormal Security's annual report. BEC attacks involve impersonating contractors or accounting employees to reroute payments to attackers. These attacks use social engineering tactics, avoiding clear indicators of compromise and often evading conventional security measures. State and local government agencies are particularly vulnerable due to their frequent interactions with local contractors and mandated transparency, which provides attackers with detailed information to craft convincing emails. Account takeover attacks also rose by 43 percent, highlighting "phishing as a reliable method for breaching networks." Limited cybersecurity resources in government entities increase the likelihood of undetected compromised accounts, posing significant risks.

Hackers are posing as live chat agents for companies like Etsy and Upwork, tricking victims into providing credit card and banking information. This new phishing scam, detailed by cybersecurity firm Perception Point, exploits users' trust in live chat support. Unlike typical scams, this involves real humans giving real-time responses, making it harder to detect. Hackers create fake web pages mimicking the platforms' payment pages. When victims attempt to verify payments, they're redirected to a spoofed "Stripe" page where they enter their credit card details, which are then stolen. The scam escalates with a live chat support feature on the fake Stripe page, further extracting sensitive information. The phishing kit is described as sophisticated and versatile, with reusable templates across multiple platforms. Users are advised to verify support communications, avoid unsolicited links or QR codes, check website URLs for legitimacy, and use multi-factor authentication.

The Republican Party's new official platform, proposed by Donald Trump, emphasizes a laissez-faire approach to tech regulation. It advocates for boosting cryptocurrency and AI, opposing President Biden's crypto crackdown and repealing his executive order on AI. The platform promises to support cryptocurrency mining, self-custody of digital assets, and transactions free from government control. Critics argue this could harm consumers and promote fraud. The platform also highlights commercial space exploration, aiming to bolster that industry. Notably, it does not address Section 230 or antitrust enforcement. Consumer advocates and some tech industry voices express concerns about these policies, emphasizing the need for regulations to protect consumers and ensure responsible tech development.

Coming up after the break, on today's Threat Vector, David Moulton from Palo Alto Networks discusses the evolving threats of AI-generated malware with experts Rem Dudas and Bar Matalon. Stay with us.

And now, a word from our sponsor, KnowBe4. Where would InfoSec professionals be without users making security mistakes? Working less than 60 hours per week, maybe, actually having a weekend every so often. While user behavior can be a challenge, they can also be an InfoSec professional's greatest asset once properly equipped. Users want to do the right thing, but often lack the knowledge to do so. That's one of the reasons KnowBe4 developed Security Coach, a real-time security coaching tool that takes alerts from your existing security stack and sends immediate coaching to users who've taken risky actions. Security tools will likely block a user from visiting a high-risk website, for example, but the user might not understand why. Security Coach analyzes these alerts and provides users with relevant security tips via email or Slack, coaching them on why the action they just took was risky. Help users learn from their mistakes and strengthen your organization's security culture with Security Coach. Learn more at knowbe4.com/securitycoach, that's knowbe4.com/securitycoach. And we thank KnowBe4 for sponsoring our show.

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps, and networks are everywhere. This means poor visibility, security gaps, and added risk. That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.

On the latest episode of the Threat Vector podcast, host David Moulton from Palo Alto Networks Unit 42 discusses the evolving threats of AI-generated malware with experts Rem Dudas and Bar Matalon. Here's part of their conversation.

Welcome to Threat Vector, the Palo Alto Networks podcast, where we discuss pressing cybersecurity threats, cyber resilience, and uncover insights into the latest industry trends. I'm your host, David Moulton, Director of Thought Leadership for Unit 42. In today's episode, we have a fascinating and critical discussion lined up as we dig into the world of AI-generated malware. Joining me are two exceptional guests from the Palo Alto Networks Cortex Research Group, Rem Dudas, Senior Threat Intelligence Analyst, and Bar Matalon, Threat Intelligence Team Lead. The rapid advancements in AI have brought about numerous benefits, but they've also introduced new and unprecedented challenges in the realm of cybersecurity. Over the past year and a half, we've seen generative AI models like ChatGPT rise to prominence, offering powerful tools that anyone with an internet connection can access. While these tools have the potential for positive application, they also pose significant security risks when used maliciously. Rem and Bar have been at the forefront of researching these risks, conducting groundbreaking experiments to understand just how capable these AI models are in generating sophisticated malware. Today we'll be discussing their findings, the implications of AI-generated malware for the cybersecurity landscape, and what organizations can do to protect themselves from these emerging threats. We'll explore questions such as: can generative AI truly build malware? How difficult is it for a threat actor to leverage these tools? And what does this mean for the future of cybersecurity defense? Here's our conversation.

So I think I'll start with you, Bar. Talk to me a little bit about yourself, your team, and what you've been up to.

Yeah, so we're from the threat intelligence team in Cortex Research Group here at Palo Alto. And we are kind of the team that mainly focused on external sources. There are other teams that do telemetry, but we're focused on open source intelligence. And we track the threat landscape to find new campaigns, new malware, and our mission is to make sure that our customers are protected from these emerging threats.

And let me ask, you said open source in there. What is it about open source that either drew you in or is an organizational choice?

It can be like open repositories where malware samples are uploaded to. But it can also be like reports published by other security companies. So we monitor these, we take the samples and the indicators that they mentioned and run them in our labs against Cortex XDR to see its coverage. Most of the time, yeah. Most of the time, Cortex does a great job. Sometimes there are some gaps, so our mission in the team is to hand it over to the other research teams and make sure we add this coverage as quickly as possible.

Bottom line, can generative AI build malware?

The simple answer is yes, and there is a bit of a longer version for that answer. It's a lot more complex than it seems at first, but it is possible.

With a little bit of knowledge, with a little bit of prompting, how did you judge where generative AI and building malware was dangerous, or it starts to go into the realm of, this is a tool that a professional could use to go faster or build more creative malware?

It took a while. It was a trial and error process, pretty much. We had a lot of attempts at first, and we didn't manage to generate much in the beginning. But after getting the hang of it, researching it a bit and learning what makes it tick, we started getting more frightening results.

Is it possible to instruct AI to mimic another malware?

That was the next stage of our research. Yes, it is. Our next stage was to test the ability of generative AI in terms of impersonating threat actors and specific malware types. We used open source materials, so Bar touched upon this earlier, those articles regarding analysis of malware families and threat actors. We used a couple of those as a prompt or description for the generative AI engine and asked it to impersonate the malware discussed in these articles. We managed to do some pretty nasty things with that.

What's the most important thing that a listener should remember from this conversation?

It is possible to generate malware using AI, but it's not so easy. You need to have a basic understanding of how coding works and how to compile such malware, and you have to bypass these guardrails that AI models have today.

Let's plan on coming back to this conversation in, I think, six months, because I think that the pace of development in and around AI has caught me off guard. You guys into that?

Yeah, sounds great.

All right, Bar, Rem, thank you so much for coming on Threat Vector today and giving us your insights on the research that you've been running and the findings that you've talked about today.

Thanks for having us, David. And thank you very much.

Thank you for joining today and stay tuned for more episodes of Threat Vector. If you like what you heard, please subscribe wherever you listen, and leave us a review on Apple Podcasts. Your reviews and feedback really do help us understand what you want to hear about. I want to thank our executive producer, Michael Heller. I had a Threat Vector and Elliot Peltzman mixes our audio. We'll be back in two weeks. Until then, stay secure, stay vigilant, goodbye for now.

Be sure to check out the Threat Vector podcast, wherever you get your favorite podcasts.

And now a message from BlackCloak. What's the easiest way for threat actors to bypass your company's cyber defenses? Targeting your executives at home. That's because 87% of executives use personal devices to conduct business, often with zero security measures in place. Once execs leave your organization's secure network, they become easy targets for hijacking, credential theft, and reputational harm. Close the at-home security gap with BlackCloak Concierge Cybersecurity and Privacy. Award-winning 24/7/365 protection for executives and their families. Learn more at blackcloak.io.

And finally, NATO has decided to bring social media influencers to their Washington summit to improve their image among young people. That's right. 16 content creators from various countries, along with 27 invited by the US Defense and State Departments, are mingling with world leaders. These influencers, popular on platforms like TikTok, YouTube, and Instagram, met top officials, including at the Pentagon and the White House. The idea is to engage a generation born after the Cold War using people who make dance videos and how-to clips. Critics argue this approach is misguided. They say NATO, a critical defense alliance, seems more interested in viral videos than substantive engagement. Using influencers to promote NATO's mission might appeal to some, but it risks trivializing serious global security issues. Some say it feels like a desperate attempt to stay relevant, glossing over deeper challenges facing the alliance and its public perception. On the other hand, by leveraging influencers, NATO aims to combat misinformation and disinformation campaigns, particularly those propagated by hostile state actors. Influencers can play a role in disseminating accurate information and countering false narratives. It's a bit of a head scratcher, but if it fulfills NATO's strategic PR goals, it may also be the shape of things to come.

And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes, or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at mWISE, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, mWISE features one-to-one access with industry experts and fresh insights into the topics that matter most, right now, to frontline practitioners. Register early and save at mwise.io/cyberwire, that's mwise.io/cyberwire.