Hosts Matt Radolec and David Gibson explain how cybercriminals are manipulating AI models like ChatGPT to plant false memories and steal data, along with other cybercrime-related stories like Salt Typhoon.
Salt Typhoon is a Chinese hacking group that has reportedly breached multiple key U.S. broadband providers, raising significant concerns about the security of sensitive communications data.
The hackers may have had access to these networks for months.
More from Varonis ⬇️
Visit our website: https://www.varonis.com
LinkedIn: https://www.linkedin.com/company/varonis
X/Twitter: https://twitter.com/varonis
Instagram: https://www.instagram.com/varonislife/
#Cybercrime #DataSecurity
WEBVTT
1
00:00:38.290 --> 00:00:43.719
Matthew Radolec: Well, hello, everyone, and welcome back to another episode of State of Cybercrime.
2
00:00:45.060 --> 00:00:46.759
David Gibson: Hey, everybody! How's it going?
3
00:00:46.840 --> 00:00:48.689
David Gibson: Hey, Matt. Good to see you.
4
00:00:48.890 --> 00:01:12.379
Matthew Radolec: Hi, David! It's great to be here again, and to connect with our audience from all over the world. One of the fun ways we like to start the show is to see where people are joining us from today. So it looks like David's already beat us to the punch from London. Hey, David from London, Jessica from Texas, Greg from the metro Atlanta area, Chris from Pittsburgh, Jessica from Akron, Ohio.
5
00:01:12.430 --> 00:01:15.030
Matthew Radolec: Where are we talking to you from, Mr. Gibson?
6
00:01:15.500 --> 00:01:16.919
David Gibson: I'm in Connecticut.
7
00:01:17.010 --> 00:01:18.180
David Gibson: How about you?
8
00:01:18.180 --> 00:01:29.159
Matthew Radolec: I'm at home in Maryland today. It looks like we're in our usual spots. We got some people from Ottawa, from Denver. We got someone from Lisbon, from Belfast, from Northern Ireland.
9
00:01:29.210 --> 00:01:31.559
Matthew Radolec: Wow! From all over the world. It really does
10
00:01:32.250 --> 00:01:36.059
Matthew Radolec: connect with people on such an important topic.
11
00:01:36.980 --> 00:01:41.370
David Gibson: Yeah, definitely. We've got a lot of cool topics today.
12
00:01:41.670 --> 00:01:46.210
Matthew Radolec: Yeah. Well, I guess we should probably get into it, huh? We could sit here and talk to everybody for the whole time.
13
00:01:47.060 --> 00:01:49.410
David Gibson: Yes, we could, but let's do it.
14
00:01:51.150 --> 00:02:19.460
Matthew Radolec: So, hello, everybody, again. My name is Matt Radolec. I'm joined by our co-host, David Gibson, and we are here for State of Cybercrime. We're going to go over our usual segments today. We're going to talk about and cover a little bit of good news, as there often is some good news to share. We'll head on to our newest segment, AI of A, which is going to make you all say the same thing. We'll talk about some vulnerable vulnerabilities, jump on the highway to the danger zone, and I think I need to reshare real quick to make sure that I'm sharing sound. So just give me one second.
15
00:02:19.460 --> 00:02:20.460
David Gibson: It's all.
16
00:02:20.460 --> 00:02:27.089
Matthew Radolec: They get real they would like to remind me while the show is going on. So let me take care of that really quick.
17
00:02:28.090 --> 00:02:31.030
Matthew Radolec: And there we go. Let's jump into our first segment.
18
00:02:34.620 --> 00:02:59.469
Matthew Radolec: Is there any good news? You know, oftentimes in cybersecurity it's all doom and gloom, and everybody, including us, only wants to talk about the things that are, you know, one step away from our demise to our robot overlords. But there often is a lot of good news to share in cyber, and that's why we always like to kick off the show by talking about some of that good news, and it seems, Dave, like we've got something pretty big to talk about. What's going on here?
19
00:03:00.390 --> 00:03:18.879
David Gibson: So, cooperation between the U.S. Government and Microsoft, and they didn't take down all of Star Blizzard, which is also known as Callisto or ColdRiver as well, and this is a hacking group linked to the FSB. It's not taken down, but they did manage to disrupt 100
20
00:03:18.880 --> 00:03:31.819
David Gibson: or actually more than 100 hacker domains. Now, this group targets military personnel, government folks, think tanks, a lot of folks that have a relationship into politics.
21
00:03:31.820 --> 00:03:56.340
David Gibson: The way they work is, they pose as trusted individuals, do a lot of research, right, to figure out who they might be able to fool into clicking on a spear phishing link. So two, I think, really positive things came out of this, even though the group is going to spin back up rather quickly, as they always do. It's disrupted enough infrastructure in a short enough
22
00:03:56.340 --> 00:04:18.029
David Gibson: amount of time to slow them down a bit, hopefully, and given the timing of the election, it's, you know, fortunate that they're able to do that at this time, and probably planned that way. The other cool thing that I think came out of it is that Microsoft and the Government have learned to cooperate a little bit more quickly, so they may be able to take out more of these domains more quickly in the future.
23
00:04:18.730 --> 00:04:43.709
Matthew Radolec: Yeah. And we'd even start to think, maybe even, and I won't give too much of a hint to our AI vague segment, that maybe AI will eventually be able to learn how to spot things like the U.S. Government or like Microsoft is, and help us to, you know, preemptively strike against some of these actor groups that are spinning up and spinning down domains and infrastructure to carry out their attacks. That's not the only good news we have, but it does... It must be an election year,
24
00:04:43.710 --> 00:05:08.679
Matthew Radolec: because it does seem like all the APT groups that have to deal with interfering with elections are coming on strong, as somebody might say. The U.S. Department of Justice actually has charged three Iranian hackers for their involvement in a hack-and-leak campaign aimed at influencing the outcome of the 2024 election. Now, these hackers reportedly were members of Iran's Islamic Revolutionary Guard Corps, or IRGC,
25
00:05:08.680 --> 00:05:26.279
Matthew Radolec: that's known to be tasked with hacking into U.S. government personnel and, you know, political campaigns. And what the indictment alleges is that they, you know, infiltrated various different computer systems, stole sensitive information and leaked it in an effort to maybe manipulate public opinion and disrupt the electoral process.
26
00:05:27.500 --> 00:05:32.770
David Gibson: That's scary stuff, although I gotta say I'm not sure they need any help this year. I think we kind of got it right.
27
00:05:33.044 --> 00:05:56.969
Matthew Radolec: You know, we try not to make the show about politics, David, and so I almost don't want to respond to that. But I don't know if it can get any worse in terms of interfering with the election, more so than what we're experiencing firsthand here in the States. Now, that's not the only bit of good news that we have, though. Somebody got taken down that was doing some stuff with some Office 365 accounts. You want to talk about that?
28
00:05:57.210 --> 00:06:16.039
David Gibson: Yeah, yeah, yeah. So UK national Robert B. Westbrook was caught, and he was charged after he allegedly made 4 million dollars by trading on insider information. So how he got this information was kind of the interesting part and the tie-in to our show.
29
00:06:16.398 --> 00:06:31.080
David Gibson: He was hacking executive mailboxes and getting in there, you know, setting up the forwarding rules so he could get the draft of the financial information, the earnings release, etc., and trade ahead of that information being public.
30
00:06:31.110 --> 00:06:58.639
David Gibson: And how he was able to get those passwords, or get into those accounts, was by abusing some of the password reset mechanisms that are in 365, particularly those where you're using information to reset your password. You know, verify your identity by answering all these questions that probably only the real person would know. Well, he was able to guess those answers with
31
00:06:58.700 --> 00:07:26.320
David Gibson: online services, right? Like genealogy sites, etc., and some of the public information that's out there, to actually get the password and then get into the accounts. He also was pretty deliberate about covering his tracks, you know, paying for all these services with Bitcoin, masking all this traffic with VPNs. Pretty sophisticated scheme, and the good guys caught him, charged him, and we'll see what happens now.
32
00:07:26.970 --> 00:07:51.720
Matthew Radolec: Yeah. And I think, you know, if there's anything to take away from this, it's that trading on insider information is definitely a way to get yourself spotted by a lot of law enforcement agencies around the world. And Carrie from our chat asks, how did they figure it out? I think sometimes when we think of some of the most prolific, you know, SEC investigations over time, ultimately the evidence was declaring that someone knew something and made a move on the market
33
00:07:51.720 --> 00:08:05.059
Matthew Radolec: at a certain time, and there are mechanisms in the financial markets to find those events, spot those events and investigate those events, and so it's probably not the best place for a cyber criminal to try to make a quick buck.
34
00:08:05.720 --> 00:08:17.580
David Gibson: Yeah. And also, you know, we're seeing over the, you know, past few months, I'd say, more stories that involve tracking and tracing the transactions of Bitcoin. So it seems...
35
00:08:17.580 --> 00:08:18.759
Matthew Radolec: In our last episode, actually.
36
00:08:18.760 --> 00:08:19.270
David Gibson: Coming through it.
37
00:08:19.270 --> 00:08:37.369
Matthew Radolec: We did cover that. It was a South American authority, if I remember correctly, that was able to trace back over 15 million in Bitcoin that was being washed, all back to the original source addresses. I don't know if one of our producers wants to drop a link to that episode, but that's pretty interesting. Now let's go on to our next segment.
38
00:08:37.480 --> 00:08:43.960
Matthew Radolec: I know, one that's got you all saying AI, and one thing that I really noticed:
39
00:08:44.730 --> 00:09:09.660
Matthew Radolec: people are starting to speak up about the limitations of AI, and Apple is one, you know, a company that usually is very pro-privacy, and talks a lot and advocates a lot for privacy, is also now publishing a study around some of the flaws in large language models like the ones that come from Meta and OpenAI. And what this research from Apple found is that these models really struggle
40
00:09:09.660 --> 00:09:34.160
Matthew Radolec: with basic reasoning tasks. And so what they've done to try to counteract that is they've introduced this new benchmark that they call GSM-Symbolic in order to measure the reasoning capabilities. And this stemmed from what they found, which was that small changes in query wording can lead to different answers. Now, we've covered on the show before that, you know, like, ChatGPT is non-deterministic, meaning that two people can put in the exact same prompt
41
00:09:34.170 --> 00:09:56.730
Matthew Radolec: and receive different responses. But what the study from Apple underlines is how unreliable the results can then be, whether or not you can then use those, or follow through some objective reasoning test, to say that those were reasonable conclusions to come to. Another side part about this study that I found really interesting is that they found, if they added in irrelevant information to a math problem,
42
00:09:56.730 --> 00:10:12.680
Matthew Radolec: that drastically reduced the likelihood that ChatGPT or Copilot could serve up the correct answer to that math problem, whereas maybe a mathematician would have ignored the erroneous additions to the formula. Now, you know, as I walked through this, I thought to myself,
43
00:10:13.220 --> 00:10:29.040
Matthew Radolec: I still find, you know, ChatGPT and models from OpenAI and Copilots, I still find them to be helpful, you know. And I think, David, you had a pretty snarky comment around some people that might suffer from reasoning. Anything you wanted to add?
44
00:10:29.040 --> 00:10:42.479
David Gibson: Yeah, I was just thinking, you know, basic reasoning tasks are difficult, gets confused easily by lots of information. I mean, it sounds like a lot of people I know, right? It, you know, it could be harder to tell AI from real people all the time
45
00:10:43.930 --> 00:10:45.500
David Gibson: now and.
46
00:10:45.500 --> 00:10:45.900
Matthew Radolec: Yeah. Go.
47
00:10:45.900 --> 00:10:51.430
David Gibson: Yeah, they may not have reason, right? But apparently they do have a memory.
48
00:10:52.034 --> 00:10:55.285
David Gibson: This story is really interesting.
49
00:10:55.930 --> 00:11:05.229
David Gibson: Researchers found a way to manipulate the ChatGPT application's memory, at least the macOS application's memory,
50
00:11:05.250 --> 00:11:11.450
David Gibson: so that every prompt and response was logged to a server that they controlled.
51
00:11:11.500 --> 00:11:14.449
David Gibson: So I learned a lot in this story.
52
00:11:14.885 --> 00:11:17.649
David Gibson: A couple of things. First of all, I didn't,
53
00:11:17.680 --> 00:11:23.700
David Gibson: you know, I never really thought about it. But you can have ChatGPT
54
00:11:23.830 --> 00:11:28.169
David Gibson: analyze a website. So you can point to a URL within the prompt.
55
00:11:28.350 --> 00:11:33.549
David Gibson: Now, what this researcher did was have a malicious image
56
00:11:33.610 --> 00:11:36.629
David Gibson: that they directed the prompt to go look at,
57
00:11:36.910 --> 00:11:55.490
David Gibson: and that image implanted a memory in the application. Now, if you want to see what ChatGPT remembers about you, go to your profile, like you click on your name in the application, go to Settings and Personalization and Manage Memory,
58
00:11:55.600 --> 00:12:18.600
David Gibson: and there's a whole list of things, if you've let it, you know, remember stuff about you. And I don't remember saying, Yeah, go ahead. But I must have at some point, because it had, when I looked at it, it's like, Oh, yeah, I've got all this stuff in there. But by using this technique the attacker managed to plant the code that's on this slide in the memory, which would run
59
00:12:18.670 --> 00:12:44.040
David Gibson: every time you asked a question. So I didn't realize this was possible, easily. I didn't realize this was possible, too, and easy to do. So, you know, kudos to the researcher. I think it opens up a whole lot of possibilities. And, you know, I thought that was pretty interesting, you know, just if you're a ChatGPT user, to be able to go and see that.
60
00:12:45.200 --> 00:13:08.440
Matthew Radolec: We're also starting to see AI get used in attacks. And so in a campaign with the AsyncRAT malware that targeted victims mostly in France, hackers were able to leverage AI to customize the payload for various platforms. So think the malware was originally written for, say, Windows computers, and what AI is helping them do is develop a payload for Linux and macOS computers.
61
00:13:08.440 --> 00:13:23.829
Matthew Radolec: And what this represents is like a shift in the toolkit for cyber criminals. My prediction is that AI-generated malware will lower the technical acumen required by a person to become a cybercriminal, and I don't really know that anyone didn't see this coming,
62
00:13:23.830 --> 00:13:36.599
Matthew Radolec: you know. Nor do I think that, do you really need AI to repackage malware for another operating system? But I guess it proves to be helpful, and if it lowers the bar for cyber criminals to become cyber criminals, it's definitely something we should be concerned about.
63
00:13:37.610 --> 00:13:47.578
David Gibson: Yeah, definitely. It, you know, think about, you know, not just the OS, but probably the version of the OS, you know, all the libraries loaded. There are all kinds of things that they could do.
64
00:13:48.230 --> 00:13:59.660
David Gibson: Kind of speaking of AI-powered malware, Rhadamanthys has been rewritten and re-released, and this malware uses AI
65
00:13:59.710 --> 00:14:10.809
David Gibson: to recognize specific information in images. So think of it a little bit like OCR, optical character recognition, with a little AI sprinkled on top.
66
00:14:11.250 --> 00:14:17.550
David Gibson: But the interesting thing is, it was built to recognize seed phrases like those used in your
67
00:14:17.640 --> 00:14:46.679
David Gibson: crypto wallet, right? So, you know, that's kind of one of the key pieces of information to be able to steal the data there. It also steals information from cookies, financial information, even the CVC code of your credit card, and the, you know... So it's a way to get this important information out of a victim. I thought one of the really interesting things about it is the way it tricks users into installing the malware is by
68
00:14:47.380 --> 00:15:00.800
David Gibson: by posing as a captcha. You know all these captcha things that we're having to click through to prove we're human, and they're getting harder and harder and a little bit weirder and weirder, I would say. This one actually
69
00:15:00.990 --> 00:15:21.429
David Gibson: made you manually copy and execute PowerShell code to prove you were human. And that's what installed the malware, then running in that user's context. And so now it's able to, you know, look at the images, also even bypass some of the newer security mechanisms like the one in Chrome, the app-bound encryption.
70
00:15:21.440 --> 00:15:24.280
David Gibson: So, interesting story there.
71
00:15:24.660 --> 00:15:32.730
Matthew Radolec: I thought it was also interesting when I looked at this one, David, that some of this code specifically is getting banned on various hacker forums.
72
00:15:32.730 --> 00:15:33.110
David Gibson: Yeah.
73
00:15:33.110 --> 00:15:46.570
Matthew Radolec: Made me think, like, are hackers getting robbed from this because they're filling out the captcha, and then their crypto wallets are being emptied? You know, thieves stealing from thieves, and it's not a bad target, right? I mean, they probably do have pretty hefty crypto wallets.
74
00:15:46.890 --> 00:15:51.850
David Gibson: Yeah, I think that's pretty interesting. Don't use this. Don't use this. You'll lose all your crypto.
75
00:15:52.950 --> 00:16:01.159
Matthew Radolec: Now, what's going on with the glasses, though? There's like the Meta glasses. Is this like something to deal with, like, some researchers from Harvard or something?
76
00:16:01.550 --> 00:16:22.960
David Gibson: Yeah, and I kind of got to give kudos to them. I mean, the story got legs, I think, you know, because there was this tie-in to the new Meta Ray-Ban glasses. They look pretty cool. And the idea is they wrote a program where they would record, you know, take a picture of somebody and then get all the information about them really quickly.
77
00:16:23.318 --> 00:16:32.650
David Gibson: And the way this worked was, it would take the video or image capture, pipe it to Instagram, and then, along with the name,
78
00:16:32.650 --> 00:16:34.949
David Gibson: it would use all sorts of public
79
00:16:35.246 --> 00:16:54.230
David Gibson: records, and, you know, some of these services, to get all sorts of information about the person. Kind of a dossier. And, you know, it's kind of scary, you know. You could walk around, look at a person and see a whole manifest of everything that was available for them on the Internet. Or one of these, you know, potentially, you know,
80
00:16:54.250 --> 00:17:15.420
David Gibson: think about the other story, right? Some of these services that have more personal information about you. But I think one of the points that they made is it's not really about the glasses, you know. You think about how many times we're on camera every day, you know, walking by, or, you know, if somebody takes a picture of you. With a picture and a name,
81
00:17:15.650 --> 00:17:19.249
David Gibson: a lot of information that you would want private is
82
00:17:19.880 --> 00:17:20.550
Matthew Radolec: Yeah, even if you.
83
00:17:20.550 --> 00:17:21.409
David Gibson: pretty easily available.
84
00:17:21.410 --> 00:17:32.779
Matthew Radolec: Right, like with your picture and your name, you're gonna find me. You're gonna find a lot about the two of us, I'm sure: all the episodes of State of Cybercrime, all the YouTubes and times we've spoken at various events at Varonis. So they'd at least find all that out.
85
00:17:33.030 --> 00:17:37.530
David Gibson: Yeah, I was curious if anybody on the webinar is on LinkedIn.
86
00:17:40.590 --> 00:17:42.889
Matthew Radolec: Maybe a few people, I'd have to predict.
87
00:17:45.260 --> 00:17:55.649
Matthew Radolec: So in our next segment, Vulnerable Vulnerabilities, we'll talk about a couple of vulnerabilities that probably got you on the edge of your seat, including one in an automobile.
88
00:17:57.150 --> 00:18:10.269
David Gibson: Yeah, this one makes me really glad that my car doesn't have any Internet connectivity. I know there are computers in it. But at least, maybe, it's a little bit tougher to
89
00:18:10.500 --> 00:18:38.749
David Gibson: to be hacked. But a lot of cars these days are Internet connected. I know some people have, like, software features that you have to pay for. That diagnostic information is collected, can be, you know, preventive, and apparently dealers have a little bit more access to your car's software than you might realize, and researchers discovered that they could use Kia's web portal
90
00:18:39.118 --> 00:18:56.890
David Gibson: to register themselves as a dealer pretty easily. Then, with only a license plate or a VIN number, they had dealer powers over the car, so they could turn it on and off, unlock the windows, even, like, activate the horn, figure out where the car is.
91
00:18:57.191 --> 00:19:23.440
David Gibson: So this, you know, this is one of these web portal vulnerabilities that I think, you know, has been fixed, luckily, but, you know, it kind of reminds me of all the scary possibilities with this. It also reminded me of that old movie Repo Man. I don't know if anybody's actually seen that, but it seems like that person's job got a lot easier now. Could just remotely, maybe even have the car drive itself back to the dealer if you miss...
92
00:19:23.440 --> 00:19:26.899
Matthew Radolec: Yeah, I'm sure it's only a matter of time before the car drives itself back.
93
00:19:27.370 --> 00:19:28.540
David Gibson: Yeah, exactly.
94
00:19:28.540 --> 00:19:44.249
Matthew Radolec: Now, that wasn't the only vulnerability that was pretty widespread. A critical vulnerability was also found in the NVIDIA Container Toolkit. Now, this one's important, especially if you're running AI applications in the cloud, known as CVE-2024-0132.
95
00:19:44.250 --> 00:20:09.209
Matthew Radolec: This toolkit impacts all AI applications that rely on GPUs for processing, and what the flaw does is it allows attackers to perform what's called a container escape attack, potentially giving them full access to the host system, and so, once they're able to escape that container, they could execute commands, they could steal sensitive information or establish methods of persistence, and, according to Wiz, more than a third of cloud environments are likely
96
00:20:09.210 --> 00:20:12.730
Matthew Radolec: affected by this vulnerability, so it is quite widespread.
97
00:20:14.470 --> 00:20:15.900
David Gibson: That's a pretty scary one.
98
00:20:16.880 --> 00:20:17.570
David Gibson: But
99
00:20:18.850 --> 00:20:20.230
David Gibson: what's next?
100
00:20:21.670 --> 00:20:28.479
Matthew Radolec: Well, next we jump on the danger zone, where we just talk about some threat actors or attacks that we think people should know about. And what's this Gorilla botnet?
101
00:20:29.010 --> 00:20:52.690
David Gibson: This one kind of reminds me of Mirai. But researchers found a new botnet family. It's called Gorilla, GorillaBot. I think what's interesting about it is how busy it is. It's so many DDoS attacks every day, over a hundred countries. It has the kitchen sink in terms of the capabilities, right? You've got the
102
00:20:52.690 --> 00:21:07.349
David Gibson: the ACK floods, UDP floods. It's even got a Valve Source Engine flood, which was sort of new to me, right? But I guess that's something in the gaming engine there. SYN floods using lots of UDP connections with spoofed IPs.
103
00:21:07.774 --> 00:21:16.274
David Gibson: It also can exploit a fairly recent security flaw, about a year old, I think, in Apache Hadoop
104
00:21:16.700 --> 00:21:39.930
David Gibson: to achieve remote code, or to do remote code execution. I assume that is to get more victims, more nodes in the botnet. Gets persistence, then downloads a script, right? And it also provides for long-term control over IoT devices as well as some cloud hosts. So this one's pretty busy and pretty powerful, it looks like.
105
00:21:40.570 --> 00:22:04.920
Matthew Radolec: Yeah. And another one I thought was really interesting, and this one from Microsoft, is about the Embargo ransomware group. So they've been identified and they're being tracked as Storm-0501. This alleged group with Russian ties has been targeting critical infrastructure and government entities across the U.S. and Europe, and what I thought was interesting about it is this particular group has leveraged other ransomware toolkits in the past. So BlackCat,
106
00:22:04.920 --> 00:22:29.819
Matthew Radolec: Hive, LockBit, now leveraging Embargo, and what the actor does is they exploit, you know, weak credentials. They take over privileged accounts, they steal data, they drop their ransomware payload. And just for those that kind of track, like, well, if I'm worried about that actor, I'm one of those kinds of companies, are there particular vulnerabilities that I should be concerned about? Yeah. Zoho ManageEngine, Citrix NetScaler and ColdFusion are all vulnerabilities they've been known to leverage,
107
00:22:29.820 --> 00:22:55.970
Matthew Radolec: and in terms of command and control, they're typically using Impacket and Cobalt Strike. And one of the things that they'll do when they do that is masquerade as legitimate Windows processes, especially PowerShell. And so your overall PowerShell governance and just awareness for credential-type attacks is definitely something, if you're, you know, a critical infrastructure or government entity in the U.S. and Europe, and you're here today, you should think about. You know, your threat actor profile is including Storm-0501.
108
00:22:57.530 --> 00:22:58.240
David Gibson: Calling.
109
00:22:59.150 --> 00:23:20.400
David Gibson: You know, something just occurred to me, Matt. These exploits, like this one I'm going to talk about, too, seem to be so complete and make use of so much of the past knowledge that I almost wonder whether, you know, how AI is helping people write, you know, this kind of malware, because it seems like
110
00:23:20.400 --> 00:23:35.680
David Gibson: they're thinking of everything. This one is called perfctl, right? Named that way because of the Unix or Linux command perf, right, that does the perf monitoring and things like that, and of course command and control. But this is some new Linux malware that's pretty scary.
111
00:23:36.338 --> 00:23:43.280
David Gibson: It's scary because it gets in by exploiting any of
112
00:23:43.340 --> 00:23:47.319
David Gibson: a combination of 20,000 or more known
113
00:23:47.340 --> 00:23:53.940
David Gibson: misconfigurations as well as a vulnerability in RocketMQ.
114
00:23:54.470 --> 00:24:01.170
David Gibson: But once it's there, it is really stealthy, and it's really hard to clean.
115
00:24:01.687 --> 00:24:23.720
David Gibson: Ultimately, what it's doing right now, and it could certainly do a lot more, seems to be crypto mining and also acting as a proxy for hire, right? So it becomes a proxy node that people can route traffic through for money, but people are only noticing it because their CPU is pegged, but not when they log in.
116
00:24:23.750 --> 00:24:51.300
David Gibson: It stops whatever it's doing to peg the CPU, the mining or whatnot, when you log in. So it's definitely built for stealth. It uses Unix sockets to communicate out to the Internet. The binaries, they're packed, they're stripped, they're encrypted, which basically makes them harder to reverse engineer. It's watching for the different temp files to see, for
117
00:24:51.300 --> 00:25:10.440
David Gibson: see activity, and kind of keep hiding itself, and it's really persistent as well. People are really struggling to erase it. There are some IOCs, I'm going to paste that link in the chat, but some IOCs to look at, but one to definitely look at, and really...
118
00:25:10.440 --> 00:25:11.329
Matthew Radolec: Definitely a lot of
119
00:25:12.040 --> 00:25:16.230
Matthew Radolec: on the Internet, maybe, that are running, yeah, that version of Linux. Yeah.
120
00:25:16.706 --> 00:25:21.470
David Gibson: But there's some IOCs there from Aquasec
121
00:25:21.772 --> 00:25:32.000
David Gibson: that, if you're curious, you know, if you want to go look for those, you could do that, but also then patch the vulnerability in RocketMQ, which is CVE-2023-33246.
122
00:25:32.500 --> 00:25:45.619
Matthew Radolec: Now, before we go on to our last story and talk about Salt Typhoon, I wanted to comment on something that you talked about with, like, Embargo and ransomware actors. You know, the barrier to entry for cyber criminals seems to be getting lower,
123
00:25:45.620 --> 00:26:05.130
Matthew Radolec: right? AI could make these tools better. It does seem like the threat actor playbook is kind of one and the same. You just change the actor name, and they go after credentials, they target privileged accounts, they go after data, encrypt, steal information, and AI might make that easier. But what it draws me back to, and I wonder if we have any pen testers in the audience. Now,
124
00:26:05.130 --> 00:26:10.040
Matthew Radolec: in version 3 of Metasploit there was a command called db_autopwn,
125
00:26:10.040 --> 00:26:26.060
Matthew Radolec: which basically tried every single exploit in the toolkit on every single target host that you had loaded, and I guess it's only a matter of time before AI gets smart enough to have their own version, or some AI-enabled, you know,
126
00:26:26.060 --> 00:26:45.070
Matthew Radolec: version of Metasploit has the ability to do something better than db_autopwn, or at least maybe it performs some type of scan of the services and then tries all known exploits against those services. But I guess it's really only a matter of time before some actor group gets the motivation to create some type of AI-enabled hacking toolkit.
127
00:26:46.100 --> 00:27:05.869
David Gibson: Yeah, I mean, I think it's not so much to me. I think it definitely will lower the barrier to entry, but it'll also make, you know, the people that are already there that much more sophisticated, that much more quickly. Right? Like, you could throw in that library and say, okay, what are the DBs that we missed? Right, you know, and like, what are some vulnerabilities for these DBs? You know, it's a
128
00:27:05.920 --> 00:27:09.719
David Gibson: It definitely seems to be able to accelerate the development.
129
00:27:10.060 --> 00:27:20.710
Matthew Radolec: And I know a lot of people are here because they're thinking about that Salt Typhoon actor, this Chinese threat actor that got identified exploiting wiretap systems that were mandated by
130
00:27:20.710 --> 00:27:44.279
Matthew Radolec: CALEA, or the 1994 Communications Assistance for Law Enforcement Act, and what CALEA did was force telecommunications companies to make their systems accessible for lawful surveillance. Now, as a result, and an unintended consequence of this, they've also made them susceptible to attackers, too, and news recently broke that Salt Typhoon has targeted US broadband providers, potentially for months.
131
00:27:44.280 --> 00:28:08.700
Matthew Radolec: And really, kind of what it brings up for me is these legally required backdoors might be causing more harm than good, especially if you think, in the macro sense, that, like, US intellectual property and PII is falling into the hands of Chinese threat actors. When I got into this, and I've even had conversations with many of our customers that are concerned about this particular actor, I think the real danger here is that there probably were links, maybe, in your MPLS network
132
00:28:08.700 --> 00:28:33.620
Matthew Radolec: where you otherwise trusted that link, and maybe you didn't encrypt it or put security controls in place on that link. I think often of, like, let's say you have an office, say in New York City, and you have a data center in New Jersey. You might not encrypt that link because you trust the telco, that you have a dedicated link from the telecommunication provider that you use and contract with between your office and your data center, and encryption, you know, costs money. It
133
00:28:33.620 --> 00:28:57.510
Matthew Radolec: also costs money to have the hardware that you need to encrypt it and unencrypt it on both ends. And so, if a threat actor was able to sniff that link and wiretap that link, that does pose a real threat to anyone that used a telco provider. And I think this is why a lot of security researchers are kind of digging their teeth into this to figure out, well, what actions on objectives, other than just knowing that these threat actors,
134
00:28:57.510 --> 00:29:10.539
Matthew Radolec: you know, misused this wiretap functionality. What were they able to do with it is a question that I don't think we know the answer to yet, and maybe we'll cover it on another episode in the future of State of Cybercrime.
135
00:29:11.990 --> 00:29:18.289
David Gibson: Yeah, definitely, those private links, always be wary that they may not be as private as you think, guys.
136
00:29:18.290 --> 00:29:19.620
Matthew Radolec: How did you think? Yeah.
137
00:29:19.620 --> 00:29:20.320
David Gibson: Yeah.
138
00:29:20.620 --> 00:29:43.399
Matthew Radolec: Well, we had a ton of chat come in today from the show. A lot of people wanted to chime in on different stories, and we really appreciate all of the interaction that we get, as ultimately the show is made possible by you, our audience. And so, while David and I take a quick look at the questions that have come in, I'm sure our producers might even want to air a poll before we break for today.
139
00:29:46.430 --> 00:29:51.499
Matthew Radolec: And let's just take a quick look, Dave, and see if there's any burning questions from the audience that we need to cover.
140
00:29:51.960 --> 00:29:56.470
David Gibson: Yeah, I do notice a lot of people on LinkedIn. Thank you for that.
141
00:29:56.810 --> 00:29:57.490
Matthew Radolec: Yeah, and I.
142
00:29:57.490 --> 00:29:58.260
David Gibson: So, yeah.
143
00:29:58.260 --> 00:30:11.570
Matthew Radolec: One question that came in was from, and I don't know if we know the answer to this, but from Michael Owens: was the gentleman actually making the trades or selling the information that he got from looking at the executives' emails?
144
00:30:12.120 --> 00:30:19.319
David Gibson: That's a good question. I don't know the answer to that one. But, you know, we'll see what happens.
145
00:30:19.320 --> 00:30:43.720
Matthew Radolec: We'll look and see the case as it comes to the courts, and maybe that information will be available on another episode. Well, I think that pretty much covers it for today, everyone. Thank you so much for being here for State of Cybercrime. It is made possible by you, our audience, and by our lovely hosts, David Gibson and myself, and our production team. So thanks so much for being here, and we look forward to connecting with you on the next episode of State of Cybercrime.
146
00:30:45.210 --> 00:30:46.319
David Gibson: Thanks, everybody.