The UK’s NCSC highlights evolving cyberattack techniques used by Chinese state-sponsored actors.A severe cyberattack targets Frankfurt University of Applied Sciences. Russian government agencies fall under the spell of CloudSorcerer. CISA looks to Hipcheck Open Source security vulnerabilities. Avast decrypts DoNex ransomware. Neiman Marcus data breach exposes over 31 million customers. Lookout spots GuardZoo spyware. Cybersecurity funding surges. Our guest is Caroline Wong, Chief Strategy Officer at Cobalt, to discuss the state of pentesting and adapting to the impact of AI in cybersecurity. Scalpers Outsmart Ticketmaster’s Rotating Barcodes.
Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
On our Industry Voices segment, Dave Bittner is joined by Caroline Wong, Chief Strategy Officer at Cobalt, to discuss the state of pentesting and adapting to the impact of AI in cybersecurity. You can learn more about the state of pentesting from Cobalt’s State of Pentesting 2024 report here.
Selected Reading
The NCSC and partners issue alert about evolving techniques used by China state-sponsored cyber attacks (NCSC)
‘Serious hacker attack’ forces Frankfurt university to shut down IT systems (The Record)
New group exploits public cloud services to spy on Russian agencies, Kaspersky says (The Record)
Continued Progress Towards a Secure Open Source Ecosystem (CISA)
Decrypted: DoNex Ransomware and its Predecessors (Avast Threat Labs)
Neiman Marcus data breach: 31 million email addresses found exposed (Bleeping Computer)
GuardZoo spyware used by Houthis to target military personnel (Help Net Security)
Cybersecurity Funding Surges in Q2 2024: Pinpoint Search Group Report Highlights Year-Over-Year Growth (Pinpoint Search Group)
Scalpers Work With Hackers to Liberate Ticketmaster's ‘Non-Transferable’ Tickets (404 Media)
Share your feedback.
We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show?
You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Learn more about your ad choices. Visit megaphone.fm/adchoices
You're listening to the Cyber Wire Network, powered by N2K. Some decisions are easy, like playing your favorite song. Other decisions are hard, like choosing the right credit card. But that's mostly because the financial system is complicated. There's so many offers, rates, and products, but which one's best for you? That's why we've reinvented credit karma to do the hard work for you. We scan for the latest offers from our trusted partners to help you find the best financial hits for your unique situation. That way you can spend less time saying, huh, and more time doing well, anything. Download into a credit karma today and get everything you need to outsmart the system. When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. With Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies, like Atlassian, Flow Health, and Quora, use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber. That's v-a-n-t-a.com/cyber for $1,000 off Vanta. The UK's NCSC highlights evolving cyber-attack techniques used by Chinese state-sponsored actors. A severe cyber-attack targets Frankfurt University of Applied Sciences. Russian government agencies fall under the spell of cloud sorcerer. SISA looks to hip-check open-source security vulnerabilities. A vast decrypts Dunex ransomware. Neiman Marcus Databreech exposes over 31 million customers. Look out, spots guard zoo spyware. Cybersecurity funding surges. Our guest is Caroline Wong, chief strategy officer at Cobalt, to discuss the state of pen testing and adapting to the impact of AI in cyber security. And scalpers outsmart Ticketmaster's rotating barcodes. It's Tuesday, July 9th, 2024. I'm Dave Bittner, and this is your Cyberwire Intel Briefing. [Music] Thanks for joining us. As always, it is great to have you here with us. UK's National Cybersecurity Center, alongside partners including Australia's ASD and the US's SISA, issued an advisory on APT40, a Chinese state-sponsored cybergroup. APT40 targets entities in various countries, exploiting network vulnerabilities and public-facing applications. They use advanced techniques like rapid deployment of exploits for newly discovered vulnerabilities, reconnaissance, and web shells for persistent access. The advisory includes case studies highlighting their methods, such as credential harvesting and network scanning. Organizations are advised to implement stringent security measures like prompt patching, multi-factor authentication, and network segmentation to mitigate these threats. Frankfurt University of Applied Sciences experienced a severe cyber attack leading to a complete shutdown of its IT systems. The attack, which occurred on Saturday evening, compromised parts of the university's infrastructure despite high security measures. The incident has been reported to the police and relevant authorities. External access and some services have been disabled, affecting communications and safety systems like elevators. The extent of the damage is still unknown and its unclear when systems will be fully restored. On-site courses continue, but online enrollment and external communications are currently unavailable. Researchers at Kaspersky Lab have identified a new hacker group Cloud Sorcerer using advanced cyber espionage tools to target Russian government agencies. First observed in May, Cloud Sorcerer's techniques are similar to Cloud Wizard but utilize unique malware, indicating a new threat actor. Their custom malware leverages GitHub for command and control and services like Yandex Cloud and Dropbox for data collection. The malware's modular structure allows for various independent tasks such as data exfiltration and system manipulation. The initial access method remains unclear but overlaps with activity tracked by Proofpoint which observed related attacks on a US organization. In March, SISA held its inaugural open source software security summit to enhance OSS security. The event featured OSS leaders and a tabletop exercise to collaboratively respond to a hypothetical vulnerability in critical OSS. Now an article by Ava Black, Section Chief for Open Source Software Security at SISA focuses on increasing visibility into OSS usage and risks, vital for federal agencies and critical infrastructure. The agency is developing a framework to assess OSS trustworthiness considering project activity, product vulnerabilities, protection measures and policies. To scale this effort, SISA is funding a tool called hip check for automating these assessments. This initiative aims to fortify OSS security through transparency, collaboration and proactive security principles. By promoting the secure by design campaign and encouraging early and consistent security practices, SISA seeks to prevent exploitation of OSS by malicious actors. The collective effort of the cyber security and OSS communities is crucial for maintaining a robust and secure open source ecosystem, ultimately benefiting federal agencies, critical infrastructure and the public. Researchers at Avast discovered a cryptographic flaw in Dunex ransomware, allowing them to provide a decrypted to victims since March of this year. Announced at Recon 2024, the flaw had been kept secret for operational security. Dunex, initially called Muse, evolved through several rebrands before stabilizing in April. The ransomware targets the US, Italy and the Netherlands and uses advanced encryption methods. Avast's decryptor leverages the identified flaw to help victims recover their files without paying the ransom. The decryption process requires providing an original and an encrypted file for reference. Retailer Neiman Marcus disclosed a May 2024 data breach exposing over 31 million customer email addresses, according to an analysis by Troy Hunt of Have I Been Poned. Initially reported to affect just over 64,000 people, the breach also compromised names, contact info, birth dates, gift card info, partial credit card numbers, social security numbers and employee IDs. The breach was linked to the snowflake data theft attacks with data sold on hacking forums. A joint investigation revealed the attack targeted organizations without multi-factor authentication on snowflake accounts. Researchers at Lookout have identified Guard Zoo, an Android spyware targeting Middle Eastern military personnel through apps with military and religious themes. The spyware is linked to a hooty-aligned threat actor and primarily affects victims in Yemen, Saudi Arabia, Egypt, Oman, the UAE, Qatar and Turkey. Guard Zoo, derived from the dendroid rat, can act as a conduit to download additional malware, posing significant risks. Recent samples disguised as apps like Constitution of the Armed Forces, exposing sensitive military documents. This advanced surveillanceware poses a growing threat, emphasizing the need for heightened security measures. Pinpoint Search Group has published research analyzing cybersecurity vendor funding. In the second quarter of this year, the cybersecurity vendor landscape saw significant financial activity with a total of $4.3 billion raised over 92 funding rounds and 33 acquisitions. Key acquisitions included Cisco's purchase of armor blocks and Talis acquiring Tesserant. Notable funding rounds involved companies like Dig Security, which raised $100 million, and Syera securing $300 million. The report highlights a mix of seed and late-stage investments, reflecting a growing interest in sectors like AppSec, threat intel and data security. Examples include Sequoia raising $37.5 million in XDR and Blackpoint Cyber's $190 million for detection and response. Overall, the quarter underscores robust investor confidence in cybersecurity startups and established vendors, driven by increasing cyber threats and the need for advanced security solutions. [MUSIC] Coming up after the break, my conversation with Caroline Wong, Chief Strategy Officer at Cobalt. We're discussing the state of pen testing and adapting to the impact of AI and cybersecurity. Stay with us. [MUSIC] [MUSIC] And now, a word from our sponsor, no before. Where would InfoSec professionals be without users making security mistakes? Working less than 60 hours per week, maybe, actually having a weekend every so often. While user behavior can be a challenge, they can also be an InfoSec professional's greatest asset once properly equipped. Users want to do the right thing, but often lack the knowledge to do so. That's one of the reasons no before developed security coach. A real-time security coaching tool that takes alerts from your existing security stack and sends immediate coaching to users who've taken risky actions. The existing security tools will likely block a user from visiting a high-risk website, for example, but the user might not understand why. Security Coach analyzes these alerts and provides users with relevant security tips via email or slack, coaching them on why the action they just took was risky. Help users learn from their mistakes and strengthen your organization's security culture with Security Coach. Learn more at nobefore.com/securitycoach. That's nobefore.com/securitycoach and we thank nobefore for sponsoring our show. The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps and networks are everywhere. This means poor visibility, security gaps and added risk. That's why CloudFlare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business. On today's sponsored industry voices segment, my conversation with Caroline Wong, Chief Strategy Officer at Cobalt. We're discussing the state of pen testing and adapting to the impact of AI in cybersecurity. You know, one of the things that is so fun for me to talk about when it comes to artificial intelligence and cybersecurity is that there are all these different ways in which they interact with one another. So AI systems themselves can be thought of as targets or assets for conducting security testing, including manual penetration testing. Now, when I think about this model that we have of "the good people," and "the bad people," which might be more accurately characterized as people who build, operate and maintain software and intend for that software to work in a certain way. And then other people, whose objective is to abuse or misuse software, to get software to work in unintended ways, then we also see that artificial intelligence can help both parties. If I'm a malicious threat actor, I can use artificial intelligence to make my attacks faster and smarter and better. Now at Cobalt, we are lucky to have a front seat in terms of what's going on with artificial intelligence systems and pen testing in particular, having conducted several manual pen tests on artificial intelligence systems in the years 2022 and 2023. We actually have data that shows what the top common security vulnerabilities are that are found in these models. And perhaps it's no surprise that these are three categories in the OASP Top 10 for LLMs, which is at this moment, a bit of a work in progress. But it's exciting to see these things actually being found in real life, in live systems, in the wild, if you will. Well, let's dig in there. I mean, what are the findings that you all are seeing coming up here? Yeah, so the number one, two, and three vulnerability types that were the most commonly found during Cobalt pen tests for artificial intelligence systems include number one, prompt injection, including jailbreak, number two, denial of service, and number three, prompt leaking or sensitive information disclosure. Can we go into each one of those kind of one by one and how they apply here and the implications? I would love to. So first, let's talk about prompt injection. So injection, of course, is a theme when it comes to security vulnerabilities that we've known a lot about for a long, long time, sequel injection, you know, other types of injection. The idea here, of course, is that any AI system operates with an LLM, a large language model. And this really has to do with the component of information security, which has to do with both confidentiality as well as integrity. So, to the extent that a user should only be able to access certain data bits in the LLM, you know, prompt injection may allow an attacker to access more information than a user is supposed to based on their role. The other, I think, even more significant impact that we see here is that if an attacker can use prompt injection to actually change, modify, add, or delete data to an LLM, then that, of course, is a massive integrity violation, which is, which is very interesting. And I think that, naturally, you know, if an attacker is able to change the content within an LLM, then that will naturally have an impact on the results or the output of any queries to that AI system. Yeah, I mean, that's fascinating. Given how we hear time and time again how these systems are kind of black boxes. Let's move on to the model denial of service. What are we talking about here? Yeah, so this is simply, can the intended users access the system? Is it working when you try to use it? And I think one of the things that we know about these systems is that they have and require an enormous amount, not only of data, but also processing power. And so the ability for an attacker to come in and sort of muck up the system, you know, get it to slow down, get it to not work so that the users for whom it's intended are unable either to access or get it to work. That is certainly an availability problem. You know, again, when we're talking about that CIA triad, so not so dissimilar from any of our more commonly known, you know, network denial of service application denial of service. You know, I can't help but think about when my young son grabs my iPhone and tries the wrong passcode too many times. You know, he basically dosses me out of my phone, depending on how quickly I can wrestle it out of his hands because it's intended to prevent, you know, password guessing. Yeah, yeah, guess I won't be checking Facebook for the next hour. Or slack. Right. Well, yeah, you know, you got the good and the bad, right? So, well, let's talk about prompt leakage then. What does that entail? Yeah, so this one prompt leaking also called sensitive information disclosure. You know, this is what folks classically think of when it comes to any sort of vulnerability, security vulnerability. The LLM may actually provide confidential data, which it is not supposed to provide. So we're talking things like unauthorized access, privacy violations, your classic security breaches. Naturally, this is very highly associated with the C in the CIA triad, and this is, I think, for our pen testers, one of the most interesting and exciting security vulnerabilities to get to work. And in fact, they are getting it to work. I think there's this inherent tension that a lot of folks find themselves dealing with these days, which is that there's no denying the power of these tools and the utility of these tools. And so I think folks feel as though they have to implement them, they have to allow them in order to keep up with their competition or give their employees the tools that they need or desire to do their work. How do you reconcile that against properly securing the organization when this is so new and there's so many unknowns here. What a great question. I think that it is important for an organization to take a formal stance on how employees are expected to use or not use AI sort of within the corporate boundaries. One example at Cobalt is we actually have an internal private instance, which employees are encouraged to use for all of their purposes. But naturally, we don't want folks, no organization is going to want folks to be putting their code or any of their company IP out onto any of these public models. You know, I think that one of the things that I would encourage for listeners is simply to try this stuff out. Just try it out as a user. What I encourage is for folks to really have a little bit of fun with some of these consumer facing applications because in the workplace, you know, the use cases really ought to be defined at a policy level by the employer as consumers, as technologists. I think it's just a really fun place to be right now. And we have an opportunity just to play around with it and learn about it that way. Yeah. You know, looking at this year's state of pen testing report, one of the things that struck me was how the number of findings are increasing, but also the time to resolve findings are increasing. I'm wondering what insights do you gather from that data? Yeah. So one of the things that we're really proud of at Cobalt is that our offensive security platform, you know, having established P TAS pen testing as a service for many years now, we've always been quite interested, not only in helping our customers to find security vulnerabilities in their applications, networks, devices, what have you, but we're also really interested in helping organizations get those things fixed. And that is actually an entirely different business process. Primarily, security folks are going to be your pen test or offensive security buyers. When it's really developers who are going to be performing the remediation. And so Cobalt really strives to provide easy workflows for those different stakeholder groups to work effectively together. Now, one of the things that we have been able to observe is that in the past few years, and the report contains data from 2021, 2022, 2023, we are actually finding that the median time to fix is increasing. And this is worrisome. This does pose more risk to organizations. And it's unfortunately not surprising. You know, in addition to the pen test data that we always use for our state of pen testing reports, this year is actually our sixth installment. We also do a survey, and we survey nearly 1000 global information security professionals. And we're finding that in 2024, folks are still seeing budget cuts and reductions in headcount on security teams. And one of the areas that is really being impacted is remediation of security vulnerabilities. Wow. Before I let you go, in the time we have left here together, I want to touch on offensive security and organizations putting together strategies for their offensive security, but then also, how can AI fit into that? Yeah, so, you know, I wanted to start with sort of a very basic description, offensive versus defensive security, defensive security is a fence. I really think that in a time where resources, budget and time are scarce, looking at what our applications, what our networks, what our devices might look like from an attacker's point of view is really going to help organizations to focus those very limited time and resources. You know, one of the, one of the exciting engagements that we've launched this year is called digital risk assessment. And this is really an OSIN open source threat intelligence type of exercise that says, hey, pen tester, take a look at this organization and tell me what can you find out about it publicly, because naturally, any attacker who's going to go and hack an organization. That's the very first thing that they're going to do. And depending on what they find, it's going to affect the steps that they choose to take. And so we really encourage our customers to be informed as they can in terms of what their targets, what their applications, what their systems are going to look like from the viewpoint of an attacker. That's Caroline Wong, Chief Strategy Officer at Cobalt. You can learn more about the state of pen testing from Cobalt's state of pen testing 2024 report. We'll have a link in the show notes. And now a message from Black Cloak. What's the easiest way for threat actors to bypass your company's cyber defenses targeting your executives at home? That's because 87% of executives use personal devices to conduct business, often with zero security measures in place. Once execs leave your organization's secure network, they become easy targets for hijacking, credential theft, and reputational harm. Close the at-home security gap with Black Cloak concierge cybersecurity and privacy, award-winning 24/7 365 protection for executives and their families. Learn more at blackcloak.io. And finally, a report from 404 Media describes a lawsuit by online event ticketing company AXS, which reveals that ticket scalpers have found ways to circumvent anti-scalping measures put in place by platforms like Ticketmaster and AXS. By reverse engineering the ticket generation methods, scalpers can create genuine entry barcodes on their own infrastructure, effectively bypassing the untransferable restrictions. This allows them to sell and transfer these tickets, potentially undermining the security measures intended to prevent scalping. AXS accuses the scalpers of hacking and creating counterfeit tickets, although the tickets are often legitimate and scan correctly at events. Security researchers demonstrated how these barcodes, which rotate every few seconds for security, can be recreated if a token is extracted from the Ticketmaster app. This process has allowed scalpers to sell tickets through secondary markets like StubHub and SeatGeek using services such as secure.tickets and verified ticket.com, which operate in the shadows with little online presence. Fans can be left confused and concerned about the legitimacy of their purchases, but these methods usually result in valid tickets. Despite the efforts of Ticketmaster and AXS to control and restrict ticket transfers, scalpers have consistently found ways to exploit the systems, raising questions about the efficacy of current security measures and the ongoing battle between ticket platforms and scalpers. Ah, Ticketmaster. Seems their security is as transparent as their fees. And that's the Cyberwire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K Cyberwire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at N2K.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester, with original music and sound designed by Elliot Peltzman. Our executive producer is Jennifer Iben. Our executive editor is Brandon Karp. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. [Music] [Music] This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cyber security challenges we face. It's happening at M-Wise, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, M-Wise features one-to-one access with industry experts and fresh insights into the topics that matter most, right now, to frontline practitioners. Register early and save at mwise.io/cyberwire. That's mwise.io/cyberwire. [MUSIC PLAYING] [MUSIC]
