State of Cybercrime

AI Executive Order

Episode Summary

Artificial intelligence could create “catastrophic risks” or be the answer to our technology prayers, world leaders say. The AI Executive Order issued Oct. 30 plans to establish new standards for AI safety and security, but others warn against rushing to regulate AI technology before it’s fully understood. Our State of Cybercrime team will break down the bipartisan legislation and answer all your AI questions about robots ruling the world.

Episode Notes

In this episode of 'State of Cybercrime', the hosts discuss various topics including an executive order on Artificial Intelligence (AI) by President Biden promoting a balance between AI safety, security, privacy and innovation, as well as implications for American leadership in AI. They cover the disruption of the Mozi botnet, the SolarWinds CISO being charged with fraud, and the difficulties IT administrators experience when patching vulnerabilities. They also touch on the continuous exploitation of Citrix and Confluence, and the emergence of the cybercrime ring Hunters International. The potential of AI and the need for legislation to prevent nefarious uses are also discussed.


00:30 Introduction and Welcome

01:04 Agenda for the Episode

02:03 Good News: Dismantling of Pirates

05:46 Good News: Disruption of Mozi Botnet

07:16 Danger Zone: SEC Charges SolarWinds CISO

12:25 Vulnerable Vulnerabilities: Citrix Vulnerabilities

15:34 Vulnerable Vulnerabilities: Confluence Vulnerability

17:02 AI Vey: President Biden's Executive Order on AI

18:51 AI Vey: UK Summit on AI

22:55 Conclusion

Episode Transcription

[00:00:00]

Matt Radolec: Hello everyone, and welcome to another episode of State of Cybercrime. We are super, super excited to have you here today. As always, to kick things off, I'm curious to see where everybody is watching from today. I'm at home in the Washington, D.C. area. What about you, David? Why don't you say hello to everybody and tell us where you're at.

David Gibson: Hello, everybody. I am currently in and around Connecticut. How about you, Dvir? 

Dvir Sason: Hi, good morning. [00:01:00] How's everybody doing? I'm in Tel Aviv. 

Matt Radolec: We are so stoked to have everybody here today. 

And main topic today, we're definitely going to talk about an executive order, but I think we've got a few other things slated on the agenda as well.

We're going to go over our usual segments today. We're definitely going to cover some good news, as there does seem to always be some good news these days worth talking about. We'll jump on into the danger zone. We'll talk about some threat actors and some attacks that you should be aware of.

We'll talk about a few vulnerable vulnerabilities. And if I can get a drumroll, please. We've got a brand new segment today. called AI Vey, and I bet you guys can guess what that's going to be about. Hint, hint, it's AI. And as always, we'll have some time at the end for Q&A. So please stick around as we're always interested in getting feedback from our audience and doing a little Q&A at the end.

For those of you that are tuning in for the first time, we always like to kick off the show with some good news, as often Cybersecurity is seen entirely [00:02:00] as doom and gloom and there are a few good things to say. 

David, why don't you start and tell us about it. What's going on with the

David Gibson: pirates?

We've had some dismantling of the pirates. There is, or was, an IPTV network that was distributing or streaming illegal content via subscription, and when I read this, I thought, boy, piracy has really come a long way from when people were bootlegging VHS tapes and things like that and Napster. It's one thing to do one video, but to have a whole subscription service that was doing multiple channels, streaming video that looks like it was basically siphoned off people's set-top boxes, I thought this was way bigger. And in addition to having the arrests made of a whole bunch of people that were involved in this operation, there were some interesting assets seized as well: about 1.7 million dollars, 35 [00:03:00] servers, 55 computer systems, and an Audi A7 luxury car. 

And so it made me wonder if they were streaming The Electric Company or Sesame Street. For those of you who remember one of these kids is doing his own thing, right? Or one of these things is not like the other. But, Dvir, I know, had an interesting take on the main developer for this. Was that, Dvir, you've been tracking this fellow for a while? 

Dvir Sason: I've been tracking a guy who is responsible for a different type of operation, but it's basically the same type of activity. What they usually do is get tons and tons of set-top boxes, as many as they could, and turn each set-top device to a different channel, and then take the output from an analog device back to re-encoding it as a digital signal, and then reshare everything as an accessible service and paid service. In that sense, I've been tracking a developer for the past four years, something like that, who is responsible for maintaining [00:04:00] and managing one of these platforms.

This is his actual resume from LinkedIn. This is 100 percent real, and you can see exactly what type of challenges he has been facing when it comes to technical difficulties and managing the team and scaling up the operations, and again, developing their own while making sure everything is smooth as possible, while trying to generate revenues as much as possible. 

Matt Radolec: We're not looking at someone's resume who's like a real developer? They're a hacker developer?

Or maybe both? 

Dvir Sason: This is an interesting bit because, again, he was operating from Eastern Europe, and he absolutely 100% knew that he was, again, doing copyright infringement. But when it comes to the actual development and what his day work was, that project was quite a long and extensive project in that specific platform and [00:05:00] site, which is still operating today, which is still being targeted by law enforcement worldwide, taking down domains and whatnot, and this actually shows us exactly how they operate.

Now, we're talking about trying to charge customers between 40 and 50 a month. It's not even pay per view, it's like actual 100 percent VOD, where you can watch any film or series you want, wherever, whenever. It's just crazy. And I think this was a very good glimpse for me, even to understand exactly what he was doing, not even to talk about the nerve of actually posting it on his LinkedIn profile. 

Matt Radolec: Now, that wasn't the only bit of good news that we have. 

It also looks like the Mozi botnet has gotten disrupted. Now, the Mozi botnet is known for distributed denial of service attacks, primarily on IoT [00:06:00] devices.

It went active in August of 2023, following what appears to be the activation of a kill switch. So how Mozi worked is they targeted IoT devices that either were running vulnerable code or had weak passwords and then created a decentralized BitTorrent DHT network with all those zombie computers. There were a large number of infections in Asia, predominantly in India and China, and it appears as though on September 27th, a UDP message got sent to all the bots ordering them to terminate. 

Now, rumors on the internet, thus unconfirmed to date, suggest that maybe Chinese law enforcement actually cooperated with the founders of Mozi to bring the botnet down. But at least we have some more good news. 

David Gibson: And there is some speculation also that it could have been done by the malware actors too because there is some evidence of persistence right, they're set up, I think it pings [00:07:00] a remote server as well, so I guess time will tell whether it's actually good news or not, maybe a little ambiguous.

Matt Radolec: Sure. Now I know that's probably not the only thing that people were hoping to hear about in this Good News segment, but we moved the next story to the Danger Zone, David. 

And I thought this was going to be good news, and this was going to fit in the Good News segment, but first of all a lot's going on with the SEC charging the SolarWinds CISO with fraud.

Why is it in the danger zone, and what's going on there?

David Gibson: I think it's another one of these ambiguous, is it good news, is it bad news, maybe a little bit of both, I'm not sure. 

I read through the complaint against the CISO, and I wouldn't describe being a CISO as a, as an easy job.

If anybody wants to chat in, if we have some CISOs that would disagree with that, please feel free to chat in and correct me, but in general, I think CISOs are up against a lot and they have a lot of pressure and you know, if I was a CISO now, I'd probably be looking for some insurance [00:08:00] potentially as well.

I read through the complaint and I think that the SEC has indicated that they may not be done, they may go after other executives, but the complaint really says the CISO knew and didn't do enough to notify on what was going on there and potentially misled investors if I read the complaint correctly, and I was curious.

Go ahead. 

Matt Radolec: David, there were a couple of things I took away from it. One was around this joke that everyone keeps talking about. That there were some emails exchanged applying to maybe the humorous nature of the state of security. And so what it seems like, at least from my perspective, again, as an outsider reading in, it seems like this acknowledgment of the low resiliency by multiple parties is the thing. If it was such common knowledge, why didn't the board know, and then thus why didn't investors know? 

And as I think about this, it's a statement from the [00:09:00] SEC, this is just my opinion, but it's a statement from the SEC that that's not okay. And that, in a vacuum, I agree with. Forget about the greater security community knowing that, but I do think a company's board of directors should know how fragile the thing that makes them money might be. And I think that's where, that's my takeaway though.

I mean, the CISO role is a tough role. I mean, we look at what happened with the Uber breach and the charges that came out of that related to what looks like a cover up. We covered that on a recent Data First Forum: Blockbuster Breaches, but the thing that it brings back to the forefront is, does this CISO role almost have a higher calling than just the board? Is there more to that role unlike any other? Is there some higher ethics that they have to adhere to? Because everyone's quick to say they shouldn't have done that. But then, what do you do instead? What would you have wanted this person to have done, is my question. 

David Gibson: Yeah, [00:10:00] and I read through the 10-K from 2019, and that was standard language. Now, in 2019, that was when they had been breached, but they didn't know it yet, right? And then I also read through the complaint a little bit, and one of the things that it cites is an email that Brown wrote that says it was very concerning that the attacker may have been looking to use SolarWinds Orion software in larger attacks because our backends are not that resilient, which seems like a warning to me.

So I'm really curious to see how this plays out, what was he supposed to do? I looked for investor conference transcripts to see if he had spoken anywhere else. I didn't find any there.

But I think you're dead on, Matt, right? What is the guidance? What are you supposed to disclose and to whom? And then, of course, misleading after the breach. I think that's a big part of it, and I almost wonder whether that was... 

Matt Radolec: Just like covering it up, it's fraud.

I'm not one to say it's not. If a hacker says, pay me some money, and you say, yeah, but if you do it over here, nobody finds out about [00:11:00] it, that's a cover up. If you have a SolarWinds style incident and you go, Eh, it's a business email compromise, it's not a big deal, it's one intern, one password, right? That would also be misleading. But I think time's going to tell here. 

Now, that wasn't the only thing worth mentioning in the Danger Zone. Now, some people believe that Hive is back and has re-emerged as Hunters International. And it seems every episode... We announce the continuation of the never ending game of Whac-A-Mole that is played with rebranding cybercrime rings.

Today, it's Hive re-emerges from hibernation. This was a David Gibson goad, how did I do? How did I do? As Hunters International, anyway, researchers found a significant code overlap between samples from Hive and samples from Hunters, though these allegations are denied by Hunters International because all they're saying is, yeah, but... We purchased the encryptor source code from Hive, but we're not Hive, this is not a rebrand. And the question I ask is, does it really [00:12:00] matter? Because for the first victim of Hunters International in the UK, which was a school that had student data exfiltrated and encrypted, everything appended with this new .locked extension, I don't know that they care if it was Hive or Hunters International, it's just cybercrime striking again, and definitely a new variant that people should be concerned about.

David Gibson: Absolutely, it's like you said, Whac-A-Mole, it seems like the same actors keep coming up. 

Matt Radolec: Now, just like we play Whac-A-Mole with different threat actors, it seems like there are a handful of applications that get these mass exploits and vulnerabilities, and one of those is Citrix. What's going on there, David?

David Gibson: Yeah, so the NetScaler ADC and Gateway services, which are used for remote access, I think, to XenDesktop and XenApp environments mostly, which are like virtual desktop in some ways, a couple of vulnerabilities there. These are internet facing, and this was interesting because there was a [00:13:00] combination of vulnerabilities, but one of which allowed the attackers to steal session cookies from memory, and that meant that they could use those cookies to log in and bypass any authentication. Then after that, there were more vulnerabilities, if I'm understanding correctly, for them to implant a backdoor, and then use this like any other compromised host on the environment. But one of the things that I think made this really tough was the cookies would survive the patching, right? In other words, 

Matt Radolec: you had a hijacked session. 

Dvir Sason: Yeah, session fixation. 

David Gibson: Yeah. Yeah. So they basically came in and said you have to kill all active and persistent sessions in order to protect yourself from this. So it sounds like, Dvir, maybe, it sounds like some people missed that step.

Dvir Sason: Yeah, generally speaking, Citrix has been targeted over and over since the end of 2019. If you remember the famous RCE that allowed threat actors to [00:14:00] massively scan and exploit Citrix Gateways and ADCs at scale. Generally speaking, from that moment on, Citrix became the target of continuous vulnerability exploitation at scale, and that is the case as well over here. When it comes to session fixation, that is the term for when the cookie or the session itself is not being expired after a certain amount of time, or when you manually try to kill the session, basically, from the server.

However, it allows continuous access and invalidation to the cookies themselves, as long as you don't do it. It's given the threat actors the key, but you're still unable to change the locks in that sense. 

Matt Radolec: Yeah, and I think like the, first of all, we all had that aha moment at the same time. I wonder if half the audience did too, like we all realized, oh man, that means all those invalid tokens are still valid.

But we come across this a lot when we're helping our clients [00:15:00] investigate incidents in Office 365. They'll think that they got a user who was compromised and they'll say, oh, we reset their password. And I'm like, awesome. Did you kill all the active sessions? No. And then you got to explain this concept of tokenization, especially in SaaS apps, where you get this token, this authentication token, that has a time to live. And it's good unless you invalidate that token. It doesn't matter what necessarily changes from a user profile perspective, and this is across all SaaS apps. 

But guys, that wasn't the only vulnerable vulnerability from another app that gets commonly exploited. 

We have to mention the fact that Confluence, yet again, has a pretty big vulnerability making some pretty big news.

If this is the first that you're hearing of it, you should definitely patch CVE-2023-22518, as this bug in Confluence Data Center and Confluence Server could lead to data loss and destruction of data. And this is especially true if you have publicly accessible instances of Confluence. [00:16:00] It's super, super important that you upgrade those right away, and if you can't, that you use mitigations like backing things up, blocking off internet access, other forms of segmentation, as this vulnerability is being actively exploited. 

Just like the one on Citrix, if it's not abundantly clear to you guys that you should patch Citrix and Confluence now, you probably should. 

And that will bring us to our final segment of today. And our brand new, brand new segment, our newest segment, AI Vey.

Though I'm sure many of you are tired of hearing anyone say anything related to AI, and you're probably all going oy vey, yourselves, we will cover the good, the bad, and the ugly happenings as it's related to AI, and our eventual demise to our robot overlords. Anything you want to add about this segment, David?

David Gibson: I'm just really excited to add a new segment here. I'm really excited for the bumper that our AV team is gonna put together as well. 

Matt Radolec: Yeah, we got it. Because this isn't cool enough. AV team, if you're watching we need [00:17:00] animations, we need like bup sound effects. Anyway. 

I'm sure our audience is thinking the same. 

The president of the United States, President Biden issued an executive order that is laser focused on AI. They set new standards for AI safety, security, privacy, equal access to AI, and even civil rights. 

The specifics of the Executive Order direct agencies to take actions to build developer tools, share test results, work with government entities, create standards, and even ensure AI systems are both protecting America's privacy and bolstering our commanding presence and strength from a national security standpoint.

The order aims to promote innovation, competition, and American leadership in the AI space, while emphasizing the role of a responsible government in oversight of things like AI. 

Now I got to admit, I like what I'm reading. The balancing of safe, [00:18:00] governed AI with using AI to bolster our workforce and our national security, at least here in the US, these are the things I hope we do. So I didn't see a whole lot of that, obviously, with great power comes great responsibility. We don't want too much government overreach and oversight that leads to increasing costs and lack of access to innovation. But at least at the forefront, it doesn't look like that's what we're getting into.

David Gibson: Yeah, there's also investment too. It makes sure that there's funding for innovation and AI. I think there's more funding than the next seven countries combined in the U.S. And so there's aspects of going further with AI, but also making sure that we can filter out the AI generated content from the real content.

There are a lot of potential abuses of AI as well. 

Matt Radolec: And it's good that the US isn't the only one trying to do it. What's going on there? 

There's another, a summit in the UK to tackle AI.

David Gibson: Yeah. I read about this and it's an interesting topic, I think. With AI, there's so much [00:19:00] we don't know, and so much we don't understand. I think there's so much potential, if we look at sci fi, there's also so much potential for destruction. And it reminded me of, okay if a group of leaders are going to come together like in this and start to talk about how do we mitigate some of the risks of AI and do AI safely, what did we do in past innovations and I first went to nuclear bombs and said, okay when was the first treaty there?

And it looks like August 5th, 1963. It took eight years of difficult negotiations, but there was finally the Limited Nuclear Test Ban Treaty. And that led me to... 

Matt Radolec: Space Exploration. That was the other big one, right? Yeah. When we agreed we weren't going to colonize and shoot each other from space?

David Gibson: That actually was more interesting, I thought, and actually a better comparison in some ways, because with nuclear bombs, nuclear power encompasses a lot of potential for good positive stuff, but with space, it's [00:20:00] a little bit more unknown, like with AI, and it led me to a really interesting piece out of the University of Cambridge by Verity Harding. But the treaty was created in 1967 to, exactly what you said, make space exploration the province of all mankind and to get a handle on it. 

Now, of course that treaty with all the satellite stuff that's going on, I think is starting to be a little bit like it needs some updates those space treaties as well. But I think, I guess I'm curious if we asked our listeners, do people think AI is as transformative as space exploration and nuclear power. And I think in the end if AI is going to be transformative, that we're going to need to start having the conversations about it.

I think it may take a long time to figure out a treaty or figure out what we can all agree to, and I just hope that it doesn't take too long so that we're not negotiating a treaty with an AI entity itself. 

Matt Radolec: Yeah, it's interesting, David, I'm going to [00:21:00] take the bait on your question, and I want to echo a concern from Eric in the chat.

I'd have concerns from Eric over censorship and generative AI leading to government propaganda that might exclude valid information. And from Cliff: AI could be that transformative. 

I keep coming back to that Spider-Man quote, with great power comes great responsibility. As I think that one's gonna stand the test of time. Probably didn't actually come from Spider-Man now that you think about it. But that's where it got famous, for me at least, with Peter Parker. 

And I do think that AI will be able to transform how we think about and work with computers in the same way that nuclear energy can transform the energy market.

I do feel like AI will have the power to be as devastating as nuclear warfare would be. If I think all those movies, the robots become self aware, and they start to make decisions, and they're not upheld by a moral code. I think that those are real risks. What if we [00:22:00] start to depend on them for, defense decisions, and they decide that we're the threat, just like in Terminator.

Carmen Cody says that might already be happening. And that's why we say AI Vey, right? 

David Gibson: Go ahead. 

Dvir Sason: No, I absolutely agree with you. I think boundaries should be set. Standards should be met. I think as the industry keeps on pushing hard forward in every type of company that starts using AI for any sort of reason, I think legislation is a must.

And again, I agree that it's transformative, but legislation and setting the boundaries and asking ourselves the question of what is allowed and what is wrong in the sense of using AI, and it's up to the government itself, or, of course the boundaries to be set in order to make sure that everything's aligned, and no power could be used for nefarious reasons and purposes.

Matt Radolec: And before, before we forget, I'll ask our co-hosts to launch our feedback poll, [00:23:00] and we'll go through a few of the last comments on AI while they do that. We'll give everybody a chance just to give us some feedback. Again, the show is made possible by you guys, our audience, so we super appreciate you guys giving us some feedback while we read through the questions that came in the Q&A and some stuff in the chat.

We heard from Michael. Michael, I believe AI is more transformative for the masses than space exploration, at least today. Maybe together, even, they're exponential. I think about that AI and space exploration, like if we had an AI enabled space exploring drone, that could be pretty powerful. It was powered by nuclear power.

Yeah, and it's either Ali or Ali, I hope that's okay. It's as transformative, except it is more difficult to track or monitor, unlike nuclear and space exploration, where there's a lot more physical artifacts. That's a great point. It does have a lot of opportunities to go unmonitored or unsupervised.

Yeah go ahead, David. 

David Gibson: That is one danger I really see is we stop being able to tell what's [00:24:00] true, AI generated responses, right? There was an interesting article about how they hallucinate, right? There's a percentage of the data that is invalid.

And if we start to believe AI, no matter what, lose the ability to really question it or have any kind of recourse to the responses, then it just reminds me of Agent Smith saying, it's like when you allowed us to start thinking for you, it really became our civilization, and that's dangerous.

Matt Radolec: And, uh, some closing thoughts here from Ginger and Scott or Stuart. Are the government entities reaching out to those that have the most knowledge to make the legislation make sense? This is usually the gap between the legislators and those with the knowledge. And our closing comment from Scott.

Scott, I like this one. He who controls the remote to the TV controls what we watch. And I think that'll be a wrap for today's episode of State of Cybercrime. A big shout out to the co-hosts David and Dvir, and to our audience. You guys are what make the show possible, so we appreciate it. We hope you tune in live for our [00:25:00] next episode as soon as we have one to share.

Thank you guys so much. Thank you. Thank you very much.