Crimson Palace targets Asian organizations on behalf of the PRC. Europe’s AI Convention has lofty goals and legal loopholes. The NoName ransomware gang may be working as a RansomHub affiliate. Wisconsin Physicians Service Insurance Corporation, SLIM CD, and Acadian Ambulance Service each suffer significant data breaches. CISA adds three vulnerabilities to its Known Exploited Vulnerabilities Catalog. Researchers from Ben-Gurion University in Israel develop new techniques to exfiltrate data from air-gapped computers. In our latest Threat Vector segment, David Moulton, Director of Thought Leadership at Unit 42, sits down with Ryan Barger, Director of Offensive Security Services, to explore how AI is revolutionizing offensive security. Sextortion scammers have gone to the dogs.
Remember to leave us a 5-star rating and review in your favorite podcast app.
Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
Threat Vector Segment
In this segment of Threat Vector, David Moulton, Director of Thought Leadership at Unit 42, sits down with Ryan Barger, Director of Offensive Security Services, to explore how AI is revolutionizing offensive security. Ryan delves into the practical applications of AI in tasks such as OSINT analysis, payload development, and evading endpoint detection systems. To listen to their full conversation, check out the episode here. You can catch new episodes of Threat Vector every Thursday on the N2K CyberWire network.
Selected Reading
Chinese Tag Team APTs Keep Stealing Asian Gov't Secrets (Dark Reading)
The AI Convention: Lofty Goals, Legal Loopholes, and National Security Caveats (SecurityWeek)
NoName ransomware gang deploying RansomHub malware in recent attacks (Bleeping Computer)
Wisconsin Insurer Discloses Data Breach Impacting 950,000 Individuals (SecurityWeek)
Payment Gateway SLIM CD Data Breach: 1.7 Million Users Impacted (HACKREAD)
Acadian Ambulance service is reporting data breach, exposing almost 3 Million people (Beyond Machines)
CISA Warns of Three Vulnerabilities That Are Actively Exploited in the Wild (Cyber Security News)
Researchers Detail Attacks on Air-Gapped Computers to Steal Data (Cyber Security News)
Sextortion scams now use your "cheating" spouse’s name as a lure (Bleeping Computer)
Share your feedback.
We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show?
You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
You're listening to the CyberWire Network, powered by N2K.

Defense contractors face immense pressure to comply with CMMC 2.0 security standards, needing a secure, user-friendly file sharing solution. Kiteworks, a FedRAMP Moderate authorized solution, supports nearly 90% of CMMC 2.0 Level 3 requirements, reducing compliance effort and cost. Kiteworks leverages a zero-trust framework for swift compliance and offers a secure platform for defense data protection needs with advanced security features and ease of use. Its intuitive UI, mobile apps and centralized policy management simplify administration. Accelerate your CMMC 2.0 compliance and address federal zero-trust requirements with Kiteworks' universal secure file-sharing platform made for defense contractors. Visit kiteworks.com to get started.

Crimson Palace targets Asian organizations on behalf of the PRC. Europe's AI Convention has lofty goals and legal loopholes. The NoName ransomware gang may be working as a RansomHub affiliate. Wisconsin Physicians Service Insurance Corporation, SLIM CD and Acadian Ambulance Service each suffer significant data breaches. CISA adds three vulnerabilities to its Known Exploited Vulnerabilities Catalog. Researchers from Ben-Gurion University in Israel develop new techniques to exfiltrate data from air-gapped computers. In our latest Threat Vector segment, David Moulton, Director of Thought Leadership at Unit 42, sits down with Ryan Barger, Director of Offensive Security Services, to explore how AI is revolutionizing offensive security. And sextortion scammers have gone to the dogs.

It's Tuesday, September 10, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here. It is great to have you with us.

Dark Reading has published an examination of Operation Crimson Palace, a sophisticated cyber campaign linked to threat clusters working on behalf of the People's Republic of China. These clusters, tracked as Alpha, Bravo and Charlie, have been actively breaching public and private organizations in Asia, including a Southeast Asian government agency, to steal strategic data. Each cluster has a specific role. Cluster Alpha focuses on initial access, performing network reconnaissance, establishing persistence and disabling security measures. Cluster Bravo manages the infrastructure, spreading across networks and setting up command and control channels, often hiding its activities within normal network traffic, making it hard to detect. Bravo has been particularly active in recent months, using compromised infrastructure from previous victims to stage further attacks. Cluster Charlie, the most active and advanced of the three, is responsible for maintaining access and exfiltrating data, and is known for its adaptability. Charlie frequently switches tactics when detected. After a run-in with cybersecurity researchers in 2023, Charlie began using open-source tools like Cobalt Strike to evade detection and deploy malware. It has shown a relentless ability to innovate, using numerous sideloading chains and shellcode loaders to deliver its malicious payloads. Despite ongoing efforts to combat Crimson Palace, its clusters continue to evolve and pose a significant threat to organizations across Asia. Their persistence and creativity make them a formidable adversary in the cybersecurity landscape.

The AI Convention, officially titled the Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law, was signed on September 5th. It aims to protect human rights from potential misuse of AI, but faces challenges due to exemptions and broad language. Unlike the EU AI Act, this Convention focuses on safeguarding democracy and human rights, but allows countries to exempt AI activities tied to national security, which can be broadly defined during geopolitical tensions. Legal experts criticize its vague principles and lack of enforceability. The Convention imposes stricter obligations on public authorities than on private industry, which only needs to address risks. Though well-intentioned, the Convention's exclusions and conflicting national interests limit its effectiveness. While it sets a positive framework for AI oversight, differing priorities between human rights, security, and economic competitiveness undermine its ability to fully protect against AI-related harm.

The NoName ransomware gang, also known as CosmicBeetle, has been active for over three years, targeting small and medium-sized businesses. Using custom tools from the Spacecolon malware family, the group gains network access through brute force and exploits old vulnerabilities like EternalBlue and Zerologon. Recently, NoName shifted from the Scarab encryptor to ScRansom, a more versatile malware capable of encrypting files across various drives. ScRansom's encryption process is complex, sometimes leading to errors that prevent file decryption even with correct keys. NoName is experimenting with LockBit 3.0's leaked ransomware builder to increase its visibility, setting up extortion sites similar to LockBit's. Though not fully confirmed, ESET believes NoName may be working as a RansomHub affiliate, evidenced by overlapping malware and tactics. Despite its shortcomings, ScRansom continues to evolve, showing NoName's persistence in the ransomware scene.

A number of organizations have announced significant data breaches. Wisconsin Physicians Service Insurance Corporation, WPS, is notifying approximately 950,000 individuals that their personal data was stolen in the 2023 MOVEit hack. The breach, orchestrated by the Cl0p ransomware group, exploited a zero-day vulnerability in the MOVEit Transfer software. WPS initially found no evidence of data theft, but later confirmed that personal information, including names, Social Security numbers, and Medicare details, was compromised. Although no fraud has been reported, WPS is offering affected individuals credit monitoring and identity protection services.

SLIM CD, a payment gateway provider, experienced a significant data breach between August 2023 and June 2024, compromising sensitive personal and credit card information of over 1.7 million customers. The stolen data includes names, addresses, credit card numbers, and expiration dates. Though the attack method remains undisclosed, experts suggest phishing or malware may be involved. SLIM CD advises affected customers to monitor their accounts for suspicious activity and offers free credit monitoring services to mitigate the risks of identity theft and financial fraud.

Acadian Ambulance Service, a Louisiana-based emergency care provider, reported a data breach affecting nearly 3 million individuals following a ransomware attack by the Daixin group in June of 2024. Sensitive information, including names, addresses, Social Security numbers, and medical details, was stolen and published on the dark web. Acadian detected the breach on June 21st and launched an investigation. The company disputes Daixin's claim that 10 million patients were affected. Acadian is offering free credit monitoring and faces multiple lawsuits over security negligence.

The Cybersecurity and Infrastructure Security Agency has added three vulnerabilities to its Known Exploited Vulnerabilities Catalog, urging organizations to address them promptly. These vulnerabilities include an ImageMagick improper input validation vulnerability, a flaw in the image processing library that allows remote code execution through crafted images. The second vulnerability is a Linux kernel PIE stack buffer corruption, which allows a local attacker to escalate privileges using a buffer corruption vulnerability in the Linux kernel, and is known to be exploited in ransomware campaigns. And finally, a SonicOS improper access control flaw, which allows unauthorized access to SonicWall firewalls, potentially causing a system crash. CISA advises organizations to apply patches, or discontinue affected products if mitigations are unavailable, with a remediation deadline for federal organizations of September 30th, 2024.

Security researchers from Ben-Gurion University in Israel have developed new techniques to exfiltrate data from air-gapped computers, machines isolated from unsecured networks. Led by Dr. Mordechai Guri, the team exploited electromagnetic, acoustic, thermal, and optical emanations from computer components to transmit data to nearby receivers. For example, the RAMBO attack uses electromagnetic emissions from RAM to leak data, while AIR-FI generates Wi-Fi signals via DDR memory buses. Other techniques, like POWER-SUPPLaY, manipulate power supplies to create acoustic signals, and LED-it-GO uses hard drive LEDs to encode data. Even subtle vibrations from computer fans can be detected by nearby smartphones. These attacks show that air gaps, though effective, are not foolproof. To defend against such sophisticated methods, organizations must apply stringent access controls, endpoint protection, and monitoring.

Coming up after the break on our latest Threat Vector segment, a discussion of how AI is revolutionizing offensive security. Stay with us.

Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers, so I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind, knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports, so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code n2k.

When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. In Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flo Health, and Quora use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber.

In this week's Threat Vector segment, David Moulton, Director of Thought Leadership at Unit 42, sits down with Ryan Barger, Director of Offensive Security Services, to explore how AI is revolutionizing offensive security.

An unskilled attacker attempting to do anything nowadays is able to be much more powerful than they were in a pre-AI era.

Welcome to Threat Vector, the Palo Alto Networks podcast, where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, Director of Thought Leadership. Today I'm speaking to Ryan Barger, Director of Offensive Security Services, about how they're using AI. Here's our conversation.

Ryan Barger, welcome to Threat Vector. Excited to have you here.

Likewise, excited to be here. Thanks for having me.

Let's get right into it. In offensive security, how is AI being leveraged to automate and enhance tasks that were previously manual or time consuming?

It's interesting. A lot of what offensive security is, is manually grinding through dead ends until, after 99% of your dead ends, you finally find that one leeway that leads you further into an attack. What we're doing with using AI is trying to help more quickly filter through those potential dead ends. Let me give you some examples. Areas where we're using it are inside of OSINT analysis, as we're assessing open source information just sitting on the internet, and as we're doing payload development and establishing new evasion techniques to get around defensive products. We're also using it to help establish and build our infrastructure, but that's just a small snippet of things. Additionally, from the overall management of an operation in offensive security, for things like report writing and all of the things that go along with just doing a test event, we're trying to find a way to reduce that manual grind that is hacking and focus in on the areas that are really useful and increase efficiency.

Ryan, for listeners that haven't heard the term offensive security, can you define that?

Absolutely. At its crux, right, you could just boil it down and say it's hacking, right? It's ethical hacking. I'm going to use the exact same techniques that an adversary uses to attempt to identify vulnerabilities and move through an environment, usually after a specific set of objectives. That can range from phishing, making phone calls into organizations, trying to social engineer access, all the way down to pivoting through an organization's domain, trying to get access to a specific system that is specified by the customer to be their golden, their crown jewels. We move through a network and try and use the exact same techniques as an adversary to try and assess overall cyber risk. That's really the single sentence description. At the end of the day, I like to say that my mission objective is not just to emulate the adversary, but to help the CISO sleep at night. CISOs are aware that there's a risk in their network somewhere, or at least they think there is. They send us after that perceived risk. We use all the techniques that a bad guy can use, and we tell them at the end, yeah, that is a valid risk and here's some recommended remediations, or otherwise we tell them, no, actually, there's sufficient safeguards there to prevent it, and then they can sleep at night.

Ryan, I often joke that the AI that we often talk about is artificial intelligence, but the Unit 42 team is the actual intelligence team. I like this idea that the future of offsec coming out of your teams has actual intelligence applied to the power and scale and speed of artificial intelligence. It's a concern, but it's one that is lessened when there's responsible folks on this side taking care of things. So I always like to ask, what's the most important thing a listener should remember from our conversation?

So I think that everything has this core foundation of the fact that we are definitely living in an AI boom, and I hit earlier on the fact that I can't picture what six months from now looks like, and in the same way I can't picture what five years looks like. So I think we should just make our decisions, whether they be cybersecurity based, whether they be design based, whatever you're doing in your organizations, you should be aware of the fact that this is a rapidly changing landscape. Also, we hit on here something, you know, a key takeaway is the fact that there's an increased efficacy on my side as an ethical hacker, but at the same point in time the adversary is also going to benefit from that same increased efficiency. So we're looking at a potentially more dangerous threat landscape. And so it's time to really pause and assess: have I done everything to do due diligence and preparation for a potential coming wave of more advanced cyber attacks? So have I deployed the right tooling? Have I done penetration tests from an independent authority to assess my network, right? Because at the end of the day, an AI driven, I use the theoretical AI driven worm, it's going to look for off the bat those top 10, 20 things that I'm going to look for as I'm moving through a network. And if it finds it, it's going to proliferate through. So have you done everything possible to try and identify that low hanging fruit that allows for movement through your network? Have you done everything possible to try and increase detection, so your mean time to detection from a compromise is as quick as possible? Maybe even automated response: if you start seeing attack techniques, can your network respond accordingly? So I think the takeaway is you're in the middle of an AI boom, and don't go back and concentrate on the same problems you've always had. Make sure you're spending time to look forward and think about the problems that are coming, that theoretically could be, again, much more advanced.

Thanks for listening to this segment of the Threat Vector podcast. If you want to hear the whole conversation, you can find the show in your podcast player. Search for Threat Vector by Palo Alto Networks. Each week, I interview leaders from across our industry and from Palo Alto Networks to get their insights on cybersecurity, the threat landscape, and the constant changes we face. See you there.

Be sure to check out the complete Threat Vector podcast. You can find that right here on the N2K CyberWire network or wherever you get your favorite podcasts.

And finally, our love and marriage desk reports a new twist on the classic sextortion scam, which is now targeting spouses, claiming their partner is cheating, even offering a link to proof. In typical fashion, the scammers demand money to keep these so-called secrets quiet. While you'd think no one would fall for such tricks, these scams have been quite profitable, pulling in over $50,000 a week when they first appeared in 2018. The latest scam, which surfaced about three weeks ago, has Reddit buzzing with confused spouses. Recipients report getting emails from sketchy domains using personal details not commonly shared online, like second last names or even pet names. One poor soul received an email accusing their dog, Mr. Wiggles, of cheating. Yes, the dog. The source of these personal details is still unclear, with some pointing fingers at a wedding planning site. While the emails are unsettling, they're just scams. If Mr. Wiggles gets accused again, just hit delete. Poor Mr. Wiggles.

And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixing engineer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at mWISE, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, mWISE features one-to-one access with industry experts and fresh insights into the topics that matter most, right now, to frontline practitioners. Register early and save at mwise.io/cyberwire. That's mwise.io/cyberwire.