State of Cybercrime

ChatGPT Memory Manipulation + Salt Typhoon

Episode Summary

Hosts Matt Radolec and David Gibson explain how cybercriminals are manipulating AI models like ChatGPT to plant false memories and steal data, along with other cybercrime-related stories like Salt Typhoon. Salt Typhoon is a Chinese hacking group that has reportedly breached multiple key U.S. broadband providers, raising significant concerns about the security of sensitive communications data. The hackers may have had access to these networks for months.

More from Varonis ⬇️

Visit our website: https://www.varonis.com
LinkedIn: https://www.linkedin.com/company/varonis
X/Twitter: https://twitter.com/varonis
Instagram: https://www.instagram.com/varonislife/

#Cybercrime #Podcast #DataSecurity


Episode Transcription

WEBVTT

1
00:00:38.290 --> 00:00:43.719
Matthew Radolec: Well, hello, everyone, and welcome back to another episode of State of Cybercrime.

2
00:00:45.060 --> 00:00:46.759
David Gibson: Hey, everybody! How's it going?

3
00:00:46.840 --> 00:00:48.689
David Gibson: Hey, Matt? Good to see you.

4
00:00:48.890 --> 00:01:12.379
Matthew Radolec: Hi, David! It's great to be here again, and to connect with our audience from all over the world. One of the fun ways we like to start the show is to see where people are joining us from today. So looks like David's already beat us to the punch from London. Hey, David from London, Jessica from Texas, Greg from the metro Atlanta area, Chris from Pittsburgh, Jessica from Akron, Ohio.

5
00:01:12.430 --> 00:01:15.030
Matthew Radolec: Where you talk... Where are we talking to you from, Mr. Gibson?

6
00:01:15.500 --> 00:01:16.919
David Gibson: I'm in Connecticut.

7
00:01:17.010 --> 00:01:18.180
David Gibson: How about you?

8
00:01:18.180 --> 00:01:29.159
Matthew Radolec: I'm at home in Maryland today. It looks like we're in our usual spots. We got some people from Ottawa, from Denver. We got someone from Lisbon, from Belfast, from Northern Ireland.

9
00:01:29.210 --> 00:01:31.559
Matthew Radolec: Wow! From all over the world. It really does

10
00:01:32.250 --> 00:01:36.059
Matthew Radolec: connect with people on such an important topic.

11
00:01:36.980 --> 00:01:41.370
David Gibson: Yeah, definitely, and we got a lot of cool topics today.

12
00:01:41.670 --> 00:01:46.210
Matthew Radolec: Yeah. Well, I guess we should probably get into it, huh? We could sit here and talk to everybody for the whole time.

13
00:01:47.060 --> 00:01:49.410
David Gibson: Yes, we could, but let's do it.

14
00:01:51.150 --> 00:02:19.460
Matthew Radolec: So, hello, everybody, again. My name is Matt Radolec. I'm joined by our co-host, David Gibson, and we are here for State of Cybercrime. We're going to go over our usual segments today. We're going to talk about and cover a little bit of good news, as there always, often, is some good news to share. We'll head on to our newest segment, AI of A, which is going to make you all say the same thing. We'll talk about some vulnerable vulnerabilities, jump on the highway to the danger zone, and I think I need to reshare it real quick to make sure that I'm sharing sound. So just give me one second.

15
00:02:19.460 --> 00:02:20.460
David Gibson: It's all.

16
00:02:20.460 --> 00:02:27.089
Matthew Radolec: They get real, they would like to remind me while the show is going on. So let me take care of that really quick.

17
00:02:28.090 --> 00:02:31.030
Matthew Radolec: And there we go. Let's jump into our first segment.

18
00:02:34.620 --> 00:02:59.469
Matthew Radolec: Is there any good news? You know, oftentimes in cybersecurity it's all doom and gloom, and everybody, including us, only wants to talk about the things that are, you know, one step away from our demise to our robot overlords. But there often is a lot of good news to say in cyber, and that's why we always like to kick off the show with talking about some of that good news, and it seems, Dave, like we got something pretty big to talk about. What's going on here?

19
00:03:00.390 --> 00:03:18.879
David Gibson: So, cooperation between the U.S. government and Microsoft, and they didn't take down all of Star Blizzard, which is also known as Callisto, or ColdRiver as well, and this is a hacking group linked to the FSB. It's not taken down. But they did manage to disrupt 100

20
00:03:18.880 --> 00:03:31.819
David Gibson: or actually more than 100 hacker domains. Now, this group targets military personnel, government folks, think tanks, a lot of folks that have a relationship into politics.

21
00:03:31.820 --> 00:03:56.340
David Gibson: The way they work is, they pose as trusted individuals, do a lot of research, right, to figure out who they might be able to fool, people into clicking on a spear phishing link. So two, I think, really positive things that came out of this, even though the group is going to spin back up rather quickly, as they always do. It's disrupted enough infrastructure in a short enough

22
00:03:56.340 --> 00:04:18.029
David Gibson: amount of time to slow them down a bit, hopefully, and given the timing of the election, it's, you know, fortunate that they're able to do that at this time, and probably planned that way. The other cool thing that I think came out of it is that Microsoft and the government have learned to cooperate a little bit more quickly, so they may be able to take out more of these domains more quickly in the future.

23
00:04:18.730 --> 00:04:43.709
Matthew Radolec: Yeah. And we'd even start to think where maybe even, and I won't give too much of a hint to our AI vague segment, that maybe AI will eventually be able to learn how to spot things like the U.S. government, or like Microsoft, is and help us to, you know, preemptively strike against some of these actor groups that are spinning up and spinning down domains and infrastructure to carry out their attacks. That's not the only good news we have, but it does. It must be an election year,

24
00:04:43.710 --> 00:05:08.679
Matthew Radolec: because it does seem like all the APT groups that have to deal with interfering with elections are coming on strong, as somebody might say. The U.S. Department of Justice actually has charged three Iranian hackers for their involvement in a hack-and-leak campaign aimed at influencing the outcome of the 2024 election. Now, these hackers, reportedly, were members of Iran's Islamic Revolutionary Guard Corps, or IRGC,

25
00:05:08.680 --> 00:05:26.279
Matthew Radolec: that's known to be tasked with hacking into U.S. government personnel and, you know, political campaigns, and what the indictment alleges is that they, you know, infiltrated various different computer systems, stole sensitive information, and leaked it in an effort to maybe manipulate public opinion and disrupt the electoral process.

26
00:05:27.500 --> 00:05:32.770
David Gibson: That's scary stuff, although I gotta say I'm not sure they need any help this year. I think we kind of got it right.

27
00:05:33.044 --> 00:05:56.969
Matthew Radolec: You know, we try not to make the show about politics, David, and so I almost don't want to respond to that. But I don't know if it can get any worse in terms of interfering with the election, more so than what we're experiencing firsthand here in the States. Now, that's not the only bit of good news that we have, though. Somebody got taken down that was doing some stuff with some Office 365 accounts. You want to talk about that?

28
00:05:57.210 --> 00:06:16.039
David Gibson: Yeah, yeah, yeah. So UK national Robert B. Westbrook was caught and he was charged after he made, allegedly, 4 million dollars by trading on insider information. So how he got this information was kind of the interesting part and the tie-in to our show.

29
00:06:16.398 --> 00:06:31.080
David Gibson: He was hacking executive mailboxes and getting in there, you know, setting up the forwarding rules so he could get the draft of the financial information, the earnings release, etc., and trade ahead of that information being public.

30
00:06:31.110 --> 00:06:58.639
David Gibson: And how he was able to get those passwords or get into those accounts was by abusing some of the password reset mechanisms that are in 365, particularly those when you're using information to reset your password. You know, verify your identity by answering all these questions, you know, that probably only the real person would know. Well, he was able to guess those answers with

31
00:06:58.700 --> 00:07:26.320
David Gibson: online services, right? Like genealogy sites, etc., and some of the public information that's out there to actually get the password and then get into the accounts. He also was pretty deliberate about covering his tracks, you know, paying for all these services with Bitcoin, masking all this traffic with VPNs. Pretty sophisticated scheme, and the good guys caught, charged, and we'll see what happens now.

32
00:07:26.970 --> 00:07:51.720
Matthew Radolec: Yeah. And I think, you know, if there's anything to take away from this, it's that trading on insider information is definitely a way to get you spotted by a lot of law enforcement agencies around the world. And Carrie from our chat: how did they figure it out? I think sometimes when we think of some of the most prolific, you know, SEC investigations over time, ultimately the evidence was declaring that someone knew something and made a move on the market

33
00:07:51.720 --> 00:08:05.059
Matthew Radolec: at a certain time, and there are mechanisms in the markets, in the financial markets, to find those events, and spot those events and investigate those events, and so probably not the best place for a cyber criminal to try to make a quick buck.

34
00:08:05.720 --> 00:08:17.580
David Gibson: Yeah. And also, you know, we're seeing over the, you know, past few months, I'd say, more stories that involve tracking and tracing the transactions of Bitcoin. So it seems.

35
00:08:17.580 --> 00:08:18.759
Matthew Radolec: In our last episode, actually.

36
00:08:18.760 --> 00:08:19.270
David Gibson: Coming through it.

37
00:08:19.270 --> 00:08:37.369
Matthew Radolec: We did cover that. We covered, it was a South American authority, if I remember correctly, that was able to trace back over 15 million in Bitcoin that was being washed all back to the original source addresses. I don't know if one of our producers wants to drop a link to that episode. But that's pretty interesting. Now let's go on to our next segment.

38
00:08:37.480 --> 00:08:43.960
Matthew Radolec: I know one that's got you all saying AI, and one thing that I really noticed,

39
00:08:44.730 --> 00:09:09.660
Matthew Radolec: people are starting to speak up about the limitations of AI, and Apple is one, you know, a company that usually is very pro-privacy, and talks a lot and advocates a lot for privacy, is also now advocating in, publishing a study around some of the flaws in large language models like the ones that come from Meta and OpenAI. And what this research from Apple found is that these models really struggle

40
00:09:09.660 --> 00:09:34.160
Matthew Radolec: with basic reasoning tasks. And so what they've done to try to counteract that is, they've introduced this new benchmark that they call GSM-Symbolic in order to measure the reasoning capabilities. And this stemmed from what they found, was that small changes in query wording can lead to different answers. Now we've covered on the show before that, you know, like ChatGPT is non-determinative, meaning that two people can put in the exact same prompt

41
00:09:34.170 --> 00:09:56.730
Matthew Radolec: and receive different responses. But what the study from Apple underlines is how unreliable the results then be on whether or not you can then use those, or follow through some objective reasoning test, to say that those were reasonable conclusions to come to. Another side part about this study that I found really interesting is that they found, if they added in relevant information to a math problem

42
00:09:56.730 --> 00:10:12.680
Matthew Radolec: that drastically reduced the likelihood that the ChatGPT or the Copilot could serve up the correct answer to that math problem, whereas maybe a mathematician would have ignored the erroneous additions to the formula. Now, you know, as I walked through this, I thought to myself,

43
00:10:13.220 --> 00:10:29.040
Matthew Radolec: I still find, you know, ChatGPT, and models from OpenAI and Copilots, I still find them to be helpful, you know, and I think, David, you had a pretty snarky comment around some people that might suffer from reasoning. Anything you wanted to add?

44
00:10:29.040 --> 00:10:42.479
David Gibson: Yeah, I was just thinking, you know, basic reasoning tasks are difficult, gets confused easily by lots of information. I mean, it sounds like a lot of people I know, right? It, you know, it could be harder to tell AI from real people all the time

45
00:10:43.930 --> 00:10:45.500
David Gibson: now and.

46
00:10:45.500 --> 00:10:45.900
Matthew Radolec: Yeah. Go.

47
00:10:45.900 --> 00:10:51.430
David Gibson: Yeah, they may not have reason, right? But apparently they do have a memory.

48
00:10:52.034 --> 00:10:55.285
David Gibson: This story is really interesting.

49
00:10:55.930 --> 00:11:05.229
David Gibson: Researchers found a way to manipulate the ChatGPT application, at least the OS X application's memory,

50
00:11:05.250 --> 00:11:11.450
David Gibson: so that every prompt and response was logged to a server that they controlled.

51
00:11:11.500 --> 00:11:14.449
David Gibson: So I learned a lot in this story.

52
00:11:14.885 --> 00:11:17.649
David Gibson: Couple things. First of all, I didn't,

53
00:11:17.680 --> 00:11:23.700
David Gibson: you know, I never really thought about it. But you can have ChatGPT

54
00:11:23.830 --> 00:11:28.169
David Gibson: analyze a website. So you can point to a URL within the prompt.

55
00:11:28.350 --> 00:11:33.549
David Gibson: Now, what this researcher did was had a malicious image

56
00:11:33.610 --> 00:11:36.629
David Gibson: that they directed the prompt to go look at,

57
00:11:36.910 --> 00:11:55.490
David Gibson: and that image implanted a memory in the application. Now, if you want to see what ChatGPT remembers about you, go to profile, like you click on your name in the application, go to Settings and Personalization and Manage Memory,

58
00:11:55.600 --> 00:12:18.600
David Gibson: and there's a whole list of things, if you've let it, you know, remember stuff about you. And I don't remember saying, "Yeah, go ahead." But I must have at some point, because it had, when I looked at it, it's like, oh, yeah, I've got all this stuff in there. But by using this technique the attacker managed to plant the code that's on this slide in the memory, which would run

59
00:12:18.670 --> 00:12:44.040
David Gibson: every time you asked a question. So I didn't realize this was possible easily. I didn't realize this was possible, too, and easy to do so. You know, kudos to the researcher. I think it opens up a whole lot of possibilities. And you know, I thought that was pretty interesting, you know, just if you're a ChatGPT user, to be able to go and see that.

60
00:12:45.200 --> 00:13:08.440
Matthew Radolec: We're also starting to see AI get used in attacks. And so in a campaign with the AsyncRAT malware that targeted victims mostly in France, hackers were able to leverage AI to customize the payload for various platforms. So think the malware was originally written for, say, Windows computers, and what AI is helping them do is develop a payload for Linux and Mac OS X computers.

61
00:13:08.440 --> 00:13:23.829
Matthew Radolec: And what this represents is like a shift in the toolkit for cyber criminals. My prediction is that AI-generated malware will lower the technical acumen required by a person to become a cybercriminal, and I don't really know that anyone didn't see this coming.

62
00:13:23.830 --> 00:13:36.599
Matthew Radolec: You know, nor do I think that, do you really need AI to repackage malware for another operating system? But I guess it proves to be helpful, and if it lowers the bar for cyber criminals to become cyber criminals, it's definitely something we should be concerned about.

63
00:13:37.610 --> 00:13:47.578
David Gibson: Yeah, definitely. It, you know, think about, you know, not just the OS, but probably the version of the OS, you know, all the libraries loaded. There are all kinds of things that they could do.

64
00:13:48.230 --> 00:13:59.660
David Gibson: Kind of speaking of AI-powered malware, Rhadamanthys has been rewritten and re-released, and this malware uses AI

65
00:13:59.710 --> 00:14:10.809
David Gibson: to recognize specific information in images. So think of it a little bit like OCR, optical character recognition, with a little AI sprinkled on top.

66
00:14:11.250 --> 00:14:17.550
David Gibson: But the interesting thing is, it was built to recognize seed phrases like those used in your

67
00:14:17.640 --> 00:14:46.679
David Gibson: crypto wallet. Right? So you know, that's kind of one of the key pieces of information to be able to steal the data there. It also steals information from cookies, financial information, even the CVC code of your credit card, and the, you know. So it's a way to get this important information out of a victim. I thought one of the really interesting things about it is the way it tricks users into installing the malware is by

68
00:14:47.380 --> 00:15:00.800
David Gibson: by posing as a CAPTCHA. You know all these CAPTCHA things that we're having to click through to prove we're human, and they're getting harder and harder and a little bit weirder and weirder, I would say. This one actually

69
00:15:00.990 --> 00:15:21.429
David Gibson: made you manually copy and execute PowerShell code to prove you were human. And that's what installed the malware, then running in that user's context. And so now it is able to, you know, look at the images, also even bypass some of the newer security mechanisms like the one in Chrome, the app-bound encryption.

70
00:15:21.440 --> 00:15:24.280
David Gibson: So, interesting story there.

71
00:15:24.660 --> 00:15:32.730
Matthew Radolec: I thought it was also interesting when I looked at this one, David, that some of this code specifically is getting banned on various hacker forums.

72
00:15:32.730 --> 00:15:33.110
David Gibson: Yeah.

73
00:15:33.110 --> 00:15:46.570
Matthew Radolec: Made me think, like, are hackers getting robbed from this because they're filling out the CAPTCHA, and then their crypto wallets are being emptied? You know, the thieves stealing from thieves, and it's not a bad target, right? I mean, they probably do have pretty hefty crypto wallets.

74
00:15:46.890 --> 00:15:51.850
David Gibson: Yeah, I thought, I think that's pretty interesting. Don't use this. Don't use this. You'll lose all your crypto.

75
00:15:52.950 --> 00:16:01.159
Matthew Radolec: Now what's going on with the glasses, though? There's like the Meta glasses. Is this like something to deal with, like some researchers from Harvard, or something?

76
00:16:01.550 --> 00:16:22.960
David Gibson: Yeah, and I kind of got to give kudos to them. I mean, the story got legs, I think, you know, because there was this tie-in to the new Meta Ray-Ban glasses. They look pretty cool. And the idea is they wrote a program where they would record, you know, take a picture of somebody and then get all the information about them really quickly.

77
00:16:23.318 --> 00:16:32.650
David Gibson: And the way this worked was, it would take the video or image capture, pipe it to Instagram, and then, along with the name,

78
00:16:32.650 --> 00:16:34.949
David Gibson: it would use all sorts of public

79
00:16:35.246 --> 00:16:54.230
David Gibson: records, and you know, some of these services, to get all sorts of information about the person. Kind of a dossier. And you know, it's kind of scary, you know. You could walk around, look at a person, and see a whole manifest of everything that was available for them on the Internet. Or one of these, you know, potentially, you know,

80
00:16:54.250 --> 00:17:15.420
David Gibson: think about the other story, right? Some of these services that have more personal information about you. But I think one of the points that they made is, it's not really about the glasses, you know. You think about how many times we're on camera every day, you know, walking by, or, you know, if somebody takes a picture of you, with a picture and a name,

81
00:17:15.650 --> 00:17:19.249
David Gibson: a lot of information that you would want private is

82
00:17:19.880 --> 00:17:20.550
Matthew Radolec: Yeah, even if you.

83
00:17:20.550 --> 00:17:21.409
David Gibson: pretty easily available.

84
00:17:21.410 --> 00:17:32.779
Matthew Radolec: Right, like with your picture and your name, you're gonna find me. You're gonna find a lot about the two of us, I'm sure, all the episodes of State of Cybercrime, all the YouTubes and times we've spoken at various events at Varonis, so they'd at least find all that out.

85
00:17:33.030 --> 00:17:37.530
David Gibson: Yeah, I was curious if anybody on the webinar is on LinkedIn.

86
00:17:40.590 --> 00:17:42.889
Matthew Radolec: Maybe a few people, I'd have to predict.

87
00:17:45.260 --> 00:17:55.649
Matthew Radolec: So in our next segment, vulnerable vulnerabilities, we'll talk about a couple of vulnerabilities that probably got you on the edge of your seat, including one in an automobile.

88
00:17:57.150 --> 00:18:10.269
David Gibson: Yeah, this one makes me really glad that my car doesn't have any Internet connectivity. I know there are computers in it. But at least, maybe it's a little bit tougher to

89
00:18:10.500 --> 00:18:38.749
David Gibson: to have to, to be hacked. But a lot of cars these days are Internet-connected. I know some people have like software features that you have to pay for. That diagnostic information is collected, can be, you know, preventive, and apparently dealers have a little bit more access to your car software than you might realize, and researchers discovered that they could use the Kia's web, Kia's web portal

90
00:18:39.118 --> 00:18:56.890
David Gibson: to register themselves as a dealer pretty easily, then, with only a license plate or a VIN number, they had dealer powers over the car, so they could turn it on and off, unlock the windows, even like activate the horn, figure out where the car is.

91
00:18:57.191 --> 00:19:23.440
David Gibson: So this, you know, this is one of these web portal vulnerabilities that I think, you know, has been fixed, luckily, but you know, it kind of reminds me of all the scary possibilities with this. It also reminded me of that old movie Repo Man. I don't know if anybody's actually seen that, but it seems like that person's job got a lot easier now. Could just remotely, maybe even have the car drive itself back to the dealer if you miss.

92
00:19:23.440 --> 00:19:26.899
Matthew Radolec: Yeah, I'm sure it's only a matter of time before the car drives itself back.

93
00:19:27.370 --> 00:19:28.540
David Gibson: Yeah, exactly.

94
00:19:28.540 --> 00:19:44.249
Matthew Radolec: Now, that wasn't the only vulnerability that was pretty widespread. A critical vulnerability was also found in the NVIDIA Container Toolkit. Now, this one's important, especially if you're running AI applications in the cloud, known as CVE-2024-0132,

95
00:19:44.250 --> 00:20:09.209
Matthew Radolec: 0132. This toolkit impacts all AI applications that rely on GPUs for processing, and what the flaw does is it allows attackers to perform what's called a container escape attack, potentially giving them full access to the host system, and so, once they're able to escape that container, they could execute commands, they could steal sensitive information, or establish methods of persistency, and, according to Wiz, more than a third of cloud environments are likely

96
00:20:09.210 --> 00:20:12.730
Matthew Radolec: by this vulnerability, so it is quite widespread.

97
00:20:14.470 --> 00:20:15.900
David Gibson: That's a pretty scary one.

98
00:20:16.880 --> 00:20:17.570
David Gibson: But

99
00:20:18.850 --> 00:20:20.230
David Gibson: what's next?

100
00:20:21.670 --> 00:20:28.479
Matthew Radolec: Well, next we jump on the danger zone. We just talk about some threat actors or attacks that we think people should know about. And what's this Gorilla botnet?

101
00:20:29.010 --> 00:20:52.690
David Gibson: This one kind of reminds me of Mirai. But researchers found a new botnet family. It's called Gorilla, GorillaBot. I think what's interesting about it is how busy it is. It's so many DDoS attacks every day, over a hundred countries. It has the kitchen sink in terms of the capabilities. Right? You've got the

102
00:20:52.690 --> 00:21:07.349
David Gibson: the ACK floods, UDP floods. It's even got a Valve Source Engine flood, which was sort of new to me, right. But I guess that's something in the gaming engine there. SYN floods using lots of UDP connections with spoofed IPs.

103
00:21:07.774 --> 00:21:16.274
David Gibson: It also can spoof a fairly recent security flaw, about a year old, I think, in Apache Hadoop

104
00:21:16.700 --> 00:21:39.930
David Gibson: to achieve remote code, or to do remote code execution. I assume that that is to get more victims, more nodes in the botnet. Gets persistence, then downloads a script, right? And it also provides for long-term control over IoT devices as well as some cloud hosts. So this one's pretty busy and pretty powerful, it looks like.

105
00:21:40.570 --> 00:22:04.920
Matthew Radolec: Yeah. And another one I thought was really interesting, and this one from Microsoft, is about the Embargo ransomware group. So they've been identified and they're being tracked as Storm-0501. This alleged group with Russian ties has been targeting critical infrastructure and government entities across the U.S. and Europe, and what I thought was interesting about it is this particular group has leveraged other ransomware toolkits in the past. So BlackCat,

106
00:22:04.920 --> 00:22:29.819
Matthew Radolec: Hive, LockBit, now leveraging Embargo, and what the actor does is they exploit, you know, weak credentials. They take over privileged accounts, they steal data, they drop their ransomware payload. And just for those that kind of track, like, well, if I'm worried about that actor, I'm one of those kind of companies, are there particular vulnerabilities that I should be concerned about? Yeah. Zoho ManageEngine, Citrix NetScaler, and ColdFusion are all vulnerabilities they've been known to leverage,

107
00:22:29.820 --> 00:22:55.970
Matthew Radolec: and in terms of command and control, they're typically using Impacket and Cobalt Strike. And one of the things that they'll do when they do that is masquerade as legitimate Windows processes, especially PowerShell. And so your overall PowerShell governance and just awareness for credential-type attacks is definitely something, if you're, you know, a critical infrastructure or government entity in the U.S. and Europe, and you're here today, should think about. You know, your threat actor profile is including Storm-0501.

108
00:22:57.530 --> 00:22:58.240
David Gibson: Calling.

109

00:22:59.150 --> 00:23:20.400

David Gibson: you know. Some just occurred to me, Matt. These exploits like this one I'm going to talk about, too, seem to be so complete and make use of so much of the past knowledge that I almost wonder whether you know how AI is helping people write. You know this kind of malware, because it seems like

 

110

00:23:20.400 --> 00:23:35.680

David Gibson: they're thinking of everything. This one is called perf control. Right? Name that way because of the unix or Linux command perf right that does the perf monitoring and things like that, and of course command and control. But this is some new Linux malware. That's pretty scary

 

111

00:23:36.338 --> 00:23:43.280

David Gibson: it's it's scary because it gets in by exploiting any of

 

112

00:23:43.340 --> 00:23:47.319

David Gibson: a combination of 20,000 or more known

 

113

00:23:47.340 --> 00:23:53.940

David Gibson: misconfigurations as well as a vulnerability in Rocket, Mq.

 

114

00:23:54.470 --> 00:24:01.170

David Gibson: But once it's there, it is really stealthy, and it's really hard to clean.

 

115

00:24:01.687 --> 00:24:23.720

David Gibson: Ultimately, what it's doing right now, and could certainly do a lot more seems to be crypto mining and also act as a proxy for hire. Right? So it becomes a proxy node that people can route traffic through for money, but people are only noticing it because their CPU is pegged, but not when they log in.

 

116

00:24:23.750 --> 00:24:51.300

David Gibson: it stops. Whatever it's doing to peg the CPU, the mining or whatnot when you log in. So it's definitely built for stealth. It uses unix sockets to communicate out to the Internet the binaries. They're packed, they're stripped, they're encrypted, basically makes them harder to to reverse engineer. It's watching for the different temp files to see for for

 

117

00:24:51.300 --> 00:25:10.440

David Gibson: see activity and kind of keep hiding itself, and it's really persistent as well. People are really struggling to erase it. There is. There are some iots I'm going to paste that link in the chat, but some Iocs to look at, but but one to definitely look at, and really.

 

118

00:25:10.440 --> 00:25:11.329

Matthew Radolec: Definitely a lot of

 

119

00:25:12.040 --> 00:25:16.230

Matthew Radolec: on the Internet, maybe that are running. Yeah, that version of Linux. Yeah.

 

120

00:25:16.706 --> 00:25:21.470

David Gibson: But there's some Iocs there. From aquasec

 

121

00:25:21.772 --> 00:25:32.000

David Gibson: that. If you're curious, you know, if you want to go look for those could do that, but also then patch the vulnerability and Rocket, Mq. Which is Cbe. 202-33-3246.

 

122

00:25:32.500 --> 00:25:45.619

Matthew Radolec: Now, before we go on to our last story and talk about salt typhoon, I wanted to comment on something that you talked about with like embargo and ransomware actors. You know the the barrier to entry for cyber criminal seems to be getting lower

 

123

00:25:45.620 --> 00:26:05.130

Matthew Radolec: right. AI could make these tools better. It does seem like the threat actor playbook is kind of one and the same. You just change the actor name, and they go after credentials. They target privileged accounts. They go after data, encrypt, steal information, and AI might make that easier. But what it draws me back to, and I wonder if we have any pen testers in the audience now,

 

124

00:26:05.130 --> 00:26:10.040

Matthew Radolec: in version 3 of Metasploit there was a command called db_autopwn,

 

125

00:26:10.040 --> 00:26:26.060

Matthew Radolec: which basically tried every single exploit in the toolkit on every single target host that you had loaded, and I guess it's only a matter of time before AI gets smart enough to have its own version, or some AI-enabled, you know,

 

126

00:26:26.060 --> 00:26:45.070

Matthew Radolec: version of Metasploit has the ability to do something better than db_autopwn, or at least maybe it performs some type of scan of the services, and then it tries all known exploits against those services. But I guess it's really only a matter of time, or some actor group that gets the motivation to create some type of AI-enabled hacking toolkit.

 

127

00:26:46.100 --> 00:27:05.869

David Gibson: Yeah, I mean, I think it's not so much to me. I think it definitely will lower the barrier to entry, but it'll also make, you know, the people that are already there that much more sophisticated, that much more quickly. Right? Like, you could throw in that library and say, okay, what are the DBs that we missed? Right, you know, and like, what are some vulnerabilities for these DBs? You know, it's a

 

128

00:27:05.920 --> 00:27:09.719

David Gibson: It definitely seems to be able to accelerate the development.

 

129

00:27:10.060 --> 00:27:20.710

Matthew Radolec: And I know a lot of people are here because they're thinking about that Salt Typhoon actor, this Chinese threat actor that got identified exploiting wiretap systems that were mandated by

 

130

00:27:20.710 --> 00:27:44.279

Matthew Radolec: CALEA, or the 1994 Communications Assistance for Law Enforcement Act, and what CALEA did was force telecommunications companies to make their systems accessible for lawful surveillance. Now, as a result, and an unintended consequence of this, they've also made it susceptible to attackers, too, and news recently broke that Salt Typhoon has targeted US broadband providers, potentially for months,

 

131

00:27:44.280 --> 00:28:08.700

Matthew Radolec: and really kind of what it brings up for me is these legally required backdoors might be causing more harm than good, especially if you think, in the macro sense, that, like, US intellectual property and PII is falling into the hands of Chinese threat actors. When I got into this, and I've even had conversations with many of our customers that are concerned about this particular actor, I think the real danger here is that there probably were links, maybe, in your MPLS network

 

132

00:28:08.700 --> 00:28:33.620

Matthew Radolec: where you otherwise trusted that link, and maybe you didn't encrypt it or put security controls in place on that link. I think often of, like, let's say you have an office, say, in New York City, and you have a data center in New Jersey. You might not encrypt that link because you trust the telco, that you have a dedicated link between the telecommunication provider that you use and contract, between your office and your data center, and encryption, you know, costs money. It

 

133

00:28:33.620 --> 00:28:57.510

Matthew Radolec: also costs money to have the hardware that you need to encrypt it and unencrypt it on both links. And so, if a threat actor was able to sniff that link and wiretap that link, that does pose a real threat to anyone that used a telco provider. And I think this is why a lot of security researchers are kind of digging their teeth into this to figure out, well, what actions on objectives, other than just knowing that these threat actors,

 

134

00:28:57.510 --> 00:29:10.539

Matthew Radolec: you know, misused this wiretap functionality. What were they able to do with it? That is a question that I don't think we know the answer to yet, and maybe we'll cover it on another episode in the future of State of Cybercrime.

 

135

00:29:11.990 --> 00:29:18.289

David Gibson: Yeah, definitely. Those private links, always be wary that they may not be as private as you think, guys.

 

136

00:29:18.290 --> 00:29:19.620

Matthew Radolec: How did you think? Yeah.

 

137

00:29:19.620 --> 00:29:20.320

David Gibson: Yeah.

 

138

00:29:20.620 --> 00:29:43.399

Matthew Radolec: Well, we had a ton of chat come in today from the show. A lot of people wanted to chime in on different stories, and we really appreciate all of the interaction that we get, as ultimately the show is made possible by you, our audience. And so, while David and I take a quick look at the questions that have come in, I'm sure our producers might even want to air a poll before we break for today.

 

139

00:29:46.430 --> 00:29:51.499

Matthew Radolec: And let's just take a quick look, Dave, and see if there's any burning questions from the audience that we need to cover.

 

140

00:29:51.960 --> 00:29:56.470

David Gibson: Yeah, I do notice a lot of people on LinkedIn. Thank you for that.

 

141

00:29:56.810 --> 00:29:57.490

Matthew Radolec: Yeah, and I.

 

142

00:29:57.490 --> 00:29:58.260

David Gibson: So, yeah.

 

143

00:29:58.260 --> 00:30:11.570

Matthew Radolec: One question that came in was from, and I don't know if we know the answer to this, but from Michael Owens: was the gentleman actually making the trades or selling the information that he got from looking at the executives' emails?

 

144

00:30:12.120 --> 00:30:19.319

David Gibson: That's a good question. I don't know the answer to that one. But, you know, we'll see what happens.

 

145

00:30:19.320 --> 00:30:43.720

Matthew Radolec: We'll look and see what the case is as it comes to the courts, and maybe that information will be available on another episode. Well, I think that pretty much covers it for today. Everyone, thank you so much for being here for State of Cybercrime. It is made possible by you, our audience, and by our lovely hosts, David Gibson and myself, and our production team. So thanks so much for being here, and we look forward to connecting with you on the next episode of State of Cybercrime.

 

146

00:30:45.210 --> 00:30:46.319

David Gibson: Thanks, everybody.