AI regulations move forward in California. DDoS attacks are on the rise. CISA releases a joint Cybersecurity Advisory on the RansomHub ransomware. A persistent malware campaign has been targeting Roblox developers. Two European men are indicted for orchestrating a widespread “swatting” campaign. Critical vulnerabilities in an enterprise network monitoring solution could lead to system compromise. An Ohio judge issues a restraining order against a cybersecurity expert following a ransomware attack. Our guest is Dr. Zulfikar Ramzan, Chief Scientist at Aura, sharing his take on AI's growing role with online criminals. Admiral Hopper's lost lecture is lost no more.
Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Our guest is Dr. Zulfikar Ramzan, Chief Scientist at Aura, sharing his take on the RockYou2024 breach and AI's growing role with online criminals.
Selected Reading
California Advances Landmark Legislation to Regulate Large AI Models (SecurityWeek)
Radware Report Surfaces Increasing Waves of DDoS Attacks (Security Boulevard)
CISA and Partners Release Advisory on RansomHub Ransomware (CISA)
Year-Long Malware Campaign Exploits NPM to Attack Roblox Developers (HackRead)
2 Men From Europe Charged With 'Swatting' Plot Targeting Former US President and Members of Congress (SecurityWeek)
Critical Flaws in Progress Software WhatsUp Gold Expose Systems to Full Compromise (SecurityWeek)
Ahead of mandatory rules, CISA unveils new cyber incident reporting portal (Federal News Network)
Franklin County judge grants city request to suppress cyber expert's efforts to warn public (The Columbus Dispatch)
Adm. Grace Hopper’s 1982 NSA Lecture Has Been Published (Schneier on Security)
Capt. Grace Hopper on Future Possibilities: Data, Hardware, Software, and People (Part One, 1982) (YouTube)
Share your feedback.
We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show?
You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Learn more about your ad choices. Visit megaphone.fm/adchoices
You're listening to the Cyberwire Network, powered by N2K. What do Mattel, Banana Republic, Butcherbox, and Glossier all have in common? They power their businesses with Shopify. Shopify is the most innovative and scaled commerce platform on the planet. Also, happens to have the best converting checkout on the planet. And that's no industry secret. That's Shopify. Learn more at Shopify.com/enterprise. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by Databrokers. So I decided to try "Delete Me." I have to say, "Delete Me" is a game changer. Within days of signing up, they started removing my personal information from hundreds of Databrokers. I finally have peace of mind, knowing my data privacy is protected. "Delete Me"'s team does all the work for you with detailed reports, so you know exactly what's been done. Take control of your data and keep your private life private by signing up for "Delete Me." Now, at a special discount for our listeners, today, get 20% off your "Delete Me" plan when you go to joindeleteme.com/entook and use promo code "entook" at checkout. The only way to get 20% off is to go to joindeleteme.com/entook and enter code "entook" at checkout. That's joindeleteme.com/entook code "entook" A.I. regulations move forward in California. DDoS attacks are on the rise. CISA releases a joint cybersecurity advisory on the Ransom Hub ransomware. A persistent malware campaign has been targeting Roblox developers. Two European men are indicted for orchestrating a widespread swatting campaign. Critical vulnerabilities in an enterprise network monitoring solution could lead to system compromise. An Ohio judge issues a restraining order against a cybersecurity expert following a ransomware attack. Our guest is Dr. Zulfakar Ramzan, Chief Scientist at ORA, sharing his take on A.I.'s growing role with online criminals. And Admiral Hopper's lost lecture is lost no more. It's Friday, August 30, 2024. I'm Dave Bitner and this is your Cyberwire Intel Briefing. Happy Friday, everyone, and thank you for joining us here today. California's efforts to establish groundbreaking safety regulations for large-scale A.I. systems advanced this week with a proposal passing a key vote in the assembly. The bill authored by Senator Scott Wiener aims to mitigate risks associated with A.I. such as the potential for catastrophic misuse by requiring companies to test their models and disclose safety protocols. Despite fierce opposition from major tech firms like OpenAI, Google, and Meta as well as some lawmakers, the measure narrowly passed and now awaits a final Senate vote before reaching Governor Gavin Newsom. The bill, which targets A.I. systems requiring over $100 million in data for training, represents a light touch approach, according to Wiener. Supporters argue it's a necessary step to prevent A.I. related disasters, while critics contend it's based on unrealistic fears and could stifle innovation. The outcome of this legislation could set a precedent for A.I. regulation across the U.S. A report by Radware highlights a significant rise in distributed denial of service attacks, with some lasting up to 100 hours over six days. Notably, a recent web DDoS attack campaign involved 10 waves, each lasting four to 20 hours, peaking at 4.7 million requests per second. The first quarter of 2024 saw a 137 percent increase in DDoS attacks, with new methods like HTTP/2 rapid reset contributing to this surge. Attackers are increasingly using cloud infrastructure, such as Telegram, to launch attacks, avoiding reliance on compromised IoT devices. Most attacks targeted organizations in Europe, the Middle East, and Africa, due to regional conflicts and events like the Paris 2024 Olympics. Additionally, malicious DNS queries and web application attacks have surged, while bad bot transactions rose by 61 percent year over year. SISA, in collaboration with the FBI, the MSI SAC, and HHS, has released a joint cybersecurity advisory on the Ransom Hub ransomware, formerly known as Cyclops and Night. The advisory provides indicators of compromise, tactics, techniques, and procedures, and detection methods related to Ransom Hub identified through recent FBI investigations. Ransom Hub, a Ransomware as a service variant, has attracted affiliates from other major Ransomware groups like Lockbit and Alpha. SISA urges network defenders to review the advisory and implement the recommended mitigations. Additionally, SISA has launched the SISA Services Portal, a streamlined platform for reporting cyber incidents as it prepares for new mandatory reporting requirements under the upcoming Cyber Incident Reporting for Critical Infrastructure Act, SERSIA. The Portal offers enhanced features, including the ability to save, update, and share reports and integrates with login.gov credentials. While incident reporting is currently voluntary, SERSIA will soon require organizations in critical infrastructure sectors to report major cyber incidents within 72 hours. SISA is upgrading its technology and expanding its workforce to handle the expected increase in incident reports, aiming to make the process as efficient and non-burdened some as possible for affected organizations. A persistent malware campaign has been targeting Roblox developers through malicious NPM packages, according to a report from checkmarks. Since August 2023, attackers have been publishing packages that mimic the popular noblox.js library to steal sensitive data and compromise systems. Despite multiple takedowns, new malicious packages continue to appear. The attackers use techniques like brand-jacking, combo-squatting, and star-jacking to create the illusion of legitimacy. The malware's capabilities include Discord token theft, system persistence, and deploying additional payloads like Quasar Rat. The malicious code, hidden in the post-install.js file, is heavily obfuscated and automatically executes when the package is installed. The malware manipulates the Windows registry to ensure it runs consistently and exfiltrates sensitive data to the attackers via a Discord webhook. Despite efforts to remove these packages, the attackers' GitHub repository remains active, posing an ongoing threat. Developers are advised to verify package authenticity to avoid such attacks. Two European men, Thomas Zabo from Romania and Nimanja Radovanovik from Serbia, were indicted for orchestrating a widespread swatting campaign that targeted around 100 people, including a former US president, members of Congress, and other public officials. The campaign, which spanned from December 2020 through January 2024, involved making fake emergency calls to prompt aggressive police response at the victim's homes. The swatting calls included threats of mass shootings, bombings, and other violent acts. Zabo and Radovanovik used various techniques to appear legitimate and coordinated their attacks through online chat groups. They're charged with conspiracy and numerous counts of making threats. The FBI reported a surge in swatting calls, some linked to court cases against former President Donald Trump. US officials are expected to seek the extradition of both men to face trial. Critical vulnerabilities in Progress Software's What's Up Gold, an enterprise network monitoring solution, could lead to system compromise. The software, essential for monitoring cloud and on-premise infrastructure, has over 1,200 instances accessible online, many potentially affected by a severe flaw with a CVSS score of 9.8. The vulnerability allows remote code execution due to improper input validation in the get file without zip method. Although a patch was released in May with version 23.1.3, and another in August with version 24.0.0, upgrading requires a manual process that may deter some administrators. The vulnerability has not been exploited yet, but the availability of proof-of-concept code makes it crucial for administrators to update to the latest version to avoid potential exploitation. Progress Software strongly advises upgrading to protect systems from unauthorized access and other risks. A judge in Franklin County, Ohio has issued a temporary restraining order against cybersecurity expert David L. Ross, Jr., who's been revealing the impact of a ransomware attack on Columbus City government. Ross, also known as Connor Goodwolf, alerted the public that sensitive information, including social security numbers and details about crime victims and police officers, was stolen and posted online after the city refused to pay a ransom. The order prohibits Ross from accessing or sharing these files. Ross argues that the city is trying to deflect blame for its own mishandling of the breach, while the city claims the order is necessary to protect public safety. Despite the restraining order, Ross plans to pursue legal action, claiming his First Amendment rights are being infringed. The situation has led to multiple lawsuits against the city for failing to protect personal data. Coming up after the break, Dr. Zulfakar Ramzan, Chief Scientist at ARRA, shares his cake on AI's growing role with online criminals. Stay with us. And now, a word from our sponsor, know-before. It's all connected, and we're not talking conspiracy theories when it comes to infosec tools effective integrations can make or break your security stack. The same should be true for security awareness training. Know-before, provider of the world's largest library of security awareness training provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. Know-before's security coach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike, and Cisco, 35 vendor integrations, and counting. Security Coach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real-time coaching campaigns targeting risky users based on those events from your network, endpoint identity, or web security vendors. Then, coach your users at the moment the risky behavior occurs, with contextual security tips delivered via Microsoft Teams, Slack, or email. Learn more at know-before.com/security-coach. That's know-before.com/security-coach, and we thank know-before for sponsoring our show. Imagine this. Your primary identity provider goes down, whether it's a cloud outage, network issue, or even a cyber attack. Suddenly, your business grinds to a halt. But what if it didn't have to? Meet Identity Continuity from Strata, the game-changing solution that keeps your business running smoothly no matter what. Whether your cloud IDP crashes or your on-prem system faces a hiccup, Identity Continuity seamlessly shifts authentication to a secondary or even tertiary IDP, automatically and without disruption. Powered by the Mavericks Identity Orchestration Platform, Identity Continuity uses smart health checks to monitor your IDP's availability, and instantly activates failover strategies tailored to your needs. When the coast is clear, it's a seamless switchback. No more downtime. No lost revenue. No frustrated customers. Just continuous, secure access to your critical applications every single time. Protect your business from the high costs of IDP outages, with Identity Continuity from Strata. Downtime is a thing of the past. Learn more at strata.io. Keep your business moving even when the unexpected happens. That's strata.io. Dr. Zulfakar Ramzan is Chief Scientist at Aura. I recently spoke with him about his take on AI's growing role with online criminals. The shorter it is, that Rocky 2024 is at this point, the largest single password compilation leak in history, comprising about 10 billion unique plaintext passwords. It is not a unique file on its own. It's got a long history dating back actually to about 2009, I believe. There was a website called Rocky, and that particular website was compromised by a SQL injection attack that led to about 32 million or so passwords getting compromised. And then based on that initial compromise, people have essentially kept adding to this one file and adding more and more passwords. And most notably, in 2021, there was a file called Rocky 2021, which contained about, I think, 8.4 billion passwords. And so this latest incarnation of Rocky is now 2024. It contains an additional 1.6 billion passwords getting us to about roughly 10 billion passwords. And that's kind of the gist of it. I guess it's not surprising that someone out there would be keeping a running tally of all of the accumulated passwords that have been vacuumed up over the years. But what is the real world significance of this sort of assembly of all of these passwords? For a scammer, what it basically entails is having access to a wide variety of passwords makes it easy to mount various kinds of attacks. The most notable attack is credential stuffing. That basically entails a scammer using tools and techniques for taking these large collections of passwords and essentially trying to brute force access to different accounts and different services using those passwords. And so what they'll try to do is they'll say, if I can get this password for you, can I try this password on different sites until I finally find something that matches or works? The tools and techniques for doing that fall under the concept of credential stuffing, which is probably the single most relevant attack implication of these types of attacks. In general, though, once you have access to passwords, you can start to do things like dictionary attacks on other password lists. So for example, if I can get a list of hash passwords for a compromise site, I can essentially cross-reference that list of hash passwords against the rocky list to see if there are any matches. And that would require me, essentially, computing hashes in one direction to identify similarities or exact matches. And if that happens, then I can go ahead and use those passwords and try to log in as you. And so in general, it just increases the exposure for the average person when it comes to their protection on various websites and services. You know, we've all been sort of captivated by this revolution we've seen in AI. Just having those sorts of AI tools make a password cache like this even more valuable? Certainly. I think one thing we are seeing with AI is the increase of automation and improving the way these attacks have taken place. Now having said that, I mean, the reality is that threat actors have been using automation for decades. They've been using automation in the context of coming up with new malware samples that don't fit under the paradigms of signatures of previous types of detection capabilities. We have seen the use of AI for doing automated attack creation, for identifying vulnerabilities, etc. But in general, those areas of AI applications have been in many cases preceded by a long history of automation tools in these areas. What I think right now is really unique with the use of AI in the concept of attacks is in areas like misinformation, so things like deepfakes. That comes up over and over again. Social engineering historically has been the single most common vector for being able to get through and get past the defenses of organizations. And deepfakes in particular only up the ante make it a lot more tricky and difficult for the average person to navigate correctly. Is this presenting opportunities? Is this AI revolution? I mean, for consumers themselves, but we hear about how the bad guys are making use of these tools. I mean, this is something you and your colleagues are working on as well, to bring this to the protection side of the equation. Absolutely. I mean, we have been laser focused on the application of AI in the context of defense in cybersecurity. This area, by the way, is again, not new. The first applications of AI that I was involved with date back to about 2010 in production environment, protecting millions of people. But in many cases, what we've seen is that trying to solve the vast panoply of cybersecurity problems manually, trying to keep up with the latest threats and variations on these threats is impossible to do if you're approaching the problem manually. And historically, that's how we approached it. We would look for different kinds of threats. We identified their characteristics. We developed signatures for those threats. And then we would look for those signatures or variations on those signatures in the real world to prevent people from getting and becoming victims. Nowadays, as we all know, the number of threat variations gotten so high, the number of different creative endeavors that attackers have engaged in have gotten so complex and so intricate to try to solve these problems using manual methods has really taken its toll. It no longer is the right way to approach the problem. It is good for certain parts of the problem space, but the overall broader part of that problem is that long tail, if you will, has to be attacked using more sophisticated techniques. And AI is a powerful tool in this regard. So, it's not just a situation where we're trying to apply AI just because it's a buzzword. It genuinely is the right tool for being able to do classification of behavior and transactions to identify whether or not those are malicious. And that's been a central focus for us. One of our key areas has been, however, applying AI in a much more horizontal fashion, not just looking at AI for point solutions in cyber security, but really building a holistic digital safety capability for families, cutting across all of these people care about from secure networking to secure transactions, to safeguarding all their messaging types of tools, for example, their email and their text messages and so on and so forth. Speaking of the Rocky 2024 breach, I mean, are there any recommendations or best practices for folks to prevent something like this from having a direct effect on them? Yeah. So the simplest thing I recommend to everybody is to choose a high entropy password. I'm using the words very specifically here of entropy because ultimately what attackers try to do is when they're trying to brute force a password in general, the way they approach it is they try passwords that it will make sense first. They don't just try to literally type in every character to see what would work. They often will start off with things that will be much more natural. So for example, dictionary words, dictionary words plus a number, simple sequences of letters and numbers that are not complicated, pretty easy to guess, and they'll build up from there to try different kinds of passwords and really find ones that match what they think your password is. Now, if you choose a password that's complicated enough and by complicated, I mean highest high entropy and there's different ways we can achieve that. The two ways you're going to achieve high entropy in a password are number one, making the password longer. So typically, as the password becomes longer, the complexity of cracking that password when once he's a hashtag password in a password file somewhere is exponential in the length of that password. So that's one thing to keep in mind. The second way you can make your passwords harder to crack and have higher entropy is to vary up the kinds of characters you use in your passwords rather than just using lowercase or just using uppercase, combination of uppercase, lowercase, numbers, symbols, etc. It helps a lot. A reason I mentioned both of those things is because many people often forget that this is really about making the password hard to determine and hard to figure out. And if you make the password longer, that's also a great way to do that. And sometimes a longer password can be easier to remember than a shorter one because you can base it off of a song lyric or maybe a quote that you know or a line in your favorite book. And based on that, you can come up with longer passwords that are harder to crack. So I think starting there, a lot of these problems would go away because it would be hard for anybody to achieve or identify your password purely from a hash of that password, which is how typical cyber criminals operate. So that's kind of the first big thing that I recommend to people. The second big thing is if you are using a site that offers two-factor authentication or multi-factor authentication, it's a great simple measure that gives you a step function increase in protection. So we highly recommend people to do that. And then, of course, in general, it's always good to take a holistic approach to deal in with all the different aspects of protecting yourself. So having things like identity protection, monitoring, doing dark web monitoring to identify whether or not your information is already on the dark web and updating your passwords accordingly, making sure that you have and do things like data broke or opt out so you don't end up in situations where the average person may get compromised. And of course, or does all of this for people, which is exciting? We have one free service, by the way, which I'd be remiss not to mention. If you go to aura.com/email scanner, we've got a free tool that will scan your inbox for scanned messages. And in many cases, these breaches are rooted in somebody falling for like a phishing attack somewhere. And so if we can identify scanned emails in your inbox, we can prevent you from inadvertently giving your credentials and sensitive information away to run actors. That's Dr. Zulfakar Ramzan, Chief Scientist at Aura. And now, a word from our sponsor, Cortex. Security teams face a barrage of more, more security tools create more complexity, more devices need protection, more specialized focus areas create more silos. The security landscape is changing fast. How can security operations transform to meet current threats? Cortex, by Palo Alto Networks, consolidates SecOps tools into an integrated platform and helps organizations stop threats at scale with AI, automation and analytics. Learn more at Palo Alto Networks.com/ Cortex. What do Mattel, Banana Republic, Butcherbox and Glossier all have in common? They power their businesses with Shopify. Shopify is the most innovative and scaled commerce platform on the planet. That also happens to have the best converting checkout on the planet. And that's no industry secret. That's Shopify. Learn more at Shopify.com/enterprise. And finally, you may recall that about a month ago, stories were circulating that the NSA had discovered archival videotapes of a presentation given by Admiral Grace Hopper in 1982 titled Future Possibilities, Data Hardware Software and People. A true pioneer and trailblazer, Admiral Hopper was known for her dry wit and compelling storytelling abilities. NSA claimed they didn't have the necessary equipment to transfer the old one-inch reels of analog videotape, but countless video archivists offered up their services. In the end, it's unclear who handled the transfer, but the good news is that the lecture is now available on YouTube, and needless to say, it's worth your time. We'll have a link in the show notes. And that's the Cyberwire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out this weekend's research Saturday, and my conversation with Tim Peck, senior threat researcher at Secureonics, who are discussing their work, threat actors behind the dev hopper campaign have retooled and are continuing to target software developers via social engineering. That's research Saturday. Check it out. We'd love to know if you think of this podcast, your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K Cyberwire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people, to make you smarter about your teams while making your team smarter. Learn how at N2K.com. This episode was produced by Liz Stokes, our mixer is Trey Hester, with original music and sound design by Elliot Kelzmann. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Carr. Simone Petrelle is our president, Peter Kilpe is our publisher, and I'm Dave Bitner. Thanks for listening. We'll see you back here next week. [Music] [BLANK_AUDIO]
