Changelog: AI will improve security—right after it stops making it worse
Markus Winkler / Unsplash
Welcome to Changelog for 10/5/23, published by Synack! README senior editor Nathaniel Mott here from the hotter-than-expected outskirts of upstate New York with the week’s cybersecurity news.
The payload
The annual Microsoft Digital Defense Report (MDDR) was published today with a breakdown of everything from cybercrime and nation-state attacks to artificial intelligence and supply chain security.
Takeaways from this behemoth of a report will vary. The Register highlighted Microsoft’s claim that 80-90% of ransomware attacks reported between July 2022 and June 2023 began with unmanaged devices—which are owned and operated by employees rather than organizations themselves—connected to the target network. CyberScoop, meanwhile, focused on indicators that “Iranian cyber operations targeting Western entities are growing more sophisticated and effective” over time.
I’m still making my way through the report, so I’ll discuss the section I jumped to: securing open source software. This mostly comes down to GitHub making “supply chain security tools easy and convenient for developers to use as they code” and using a combination of AI and large language models to “enhance human decision-making and analysis and revolutionize how organizations manage supply chain risks.” Which is an interesting juxtaposition, since GitHub’s adoption of AI is making software less secure.
In the report “Security Weaknesses of Copilot Generated Code in GitHub,” researchers from Wuhan University, Massey University and RMIT University found that of 435 code snippets generated by Copilot in publicly available projects, 35.8% were insecure in some way. This led them to conclude “that developers should be careful when adding code generated by Copilot (and similar AI code generation tools) and should also run appropriate security checks as they accept the suggested code.”
This is a common refrain with AI: its proponents make bold claims about what it can do, but in practice, there are noteworthy deficiencies that we’re expected to deal with until a new version of that particular tool is released. In the future, we’re told, AI will help developers produce more software with fewer vulnerabilities. In the present, more than a third of the code generated by these tools is insecure. Is that a worthwhile tradeoff, given there’s no guarantee that future will ever materialize?
Beats me. In the meantime, I’ll just go melt some eggs to snack on while I finish the rest of the report.
The week, compiled
“What is dead may never die.” Aside from a poignant example of profound disappointment, that line’s pretty much the only thing I took from “Game of Thrones,” and it’s front-of-mind this morning because of a Cisco Talos report indicating that the FBI didn’t actually dispatch the Qakbot malware in August.
TechCrunch reported that Qakbot “had infected more than 700,000 machines worldwide to cause hundreds of millions of dollars of damage” by the time the FBI conducted Operation Duck Hunt, which U.S. Attorney Martin Estrada called “the most significant technological and financial operation ever led by the Department of Justice against a botnet.” Clearly the malware’s operators were ducked… right?
Wrong. Cisco Talos said today that the “threat actors behind the Qakbot malware have been conducting a campaign since early August 2023 in which they have been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails.” The company also said it believes the group might be able to rebuild the infrastructure associated with the Qakbot malware itself for use in future attacks.
“As this new operation has been ongoing since the beginning of August 2023 and has not stopped after the takedown, we believe the FBI operation didn’t affect Qakbot’s phishing email delivery infrastructure but only its command and control servers,” Cisco Talos said. “Though we have not seen the threat actors distributing Qakbot post-infrastructure takedown, we assess the malware will likely continue to pose a significant threat moving forward. Given the operators remain active, they may choose to rebuild Qakbot infrastructure to fully resume their pre-takedown activity.”
It’s worth noting there has been some pushback on Cisco Talos’ attribution of this activity to Qakbot, so it’s possible that the group is getting the credit for attacks conducted by another threat actor. I suppose whether or not that’s comforting depends on how much you care about Qakbot in particular versus duck-like attacks in general. Additional information is available via the Cisco Talos report.
Rajvir Kaur / Unsplash
Now onto the week in README:.
Commit 10_02_2023: It’s Cybersecurity Awareness Month—and that’s the last time I’m going to acknowledge it. This week kicked off with reports of remote code execution-enabling vulnerabilities in the open source mail transfer agent Exim and Progress Software’s WS_FTP file-transfer software, the NSA’s plans to establish a center devoted to AI and Amazon making a bunch of people think they’d been hacked.
Commit 10_03_2023: Ransomware, ransomware, ransomware. This Commit featured reports on ransomware attacks affecting Pinal County, Arizona; Fauquier County Public Schools in Virginia; and the Motel One hotel chain, as well as Microsoft updating several of its apps to defend against critical vulnerabilities in open source libraries and security flaws in multiple versions of Arm’s GPU drivers.
And the other stories that caught my eye this week:
The Record: Secureworks said in its 2023 State of the Threat report that cybercriminals have dramatically increased the speed with which they deploy ransomware on compromised networks. Rather than unleashing the cryptographic hounds about 4.5 days after gaining that initial access, ransomware gangs are said to be taking action within 24 hours of finding that first foothold on a victim’s network.
BleepingComputer: Other threat actors proved willing to play the long game, with Checkmarx reporting that groups uploading malicious packages to PyPI have employed increasingly sophisticated tactics as the year has progressed, all so they can gather information from developers. This can work, too, with the report saying that hundreds of malicious packages saw more than 75,000 downloads in total.
TechCrunch: What’s a zero-day worth? TechCrunch reported that at least for vulnerabilities in WhatsApp for Android, the going rate was between $1.7 and $8 million dollars in 2021, and the price is said to have risen in the years since. That pales in comparison to zero-days in other software—how’s $20 million for iOS and Android vulns sound?—but still demonstrates how lucrative the exploit market can be.
A message from Synack
Dive deep into the top software flaws of 2022 in Synack’s inaugural State of Vulnerabilities report. Researchers on the elite Synack Red Team uncovered a record 14,800 exploitable vulnerabilities across Synack targets last year, ranging from authentication failures to SQL injections. The report shares insights into the root causes of these security gaps. Learn how Synack finds the vulnerabilities that matter and check out the full report here.
Flash memory
I find most distributed denial-of-service (DDoS) attacks boring, especially if they don’t use novel techniques. There are exceptions, however, and the October 2016 attack on Dyn is one of ‘em.
So what made the DDoS attack on Dyn any different? It wasn’t the method of attack. Someone merely used the Mirai botnet, which was reportedly started as part of “a dorm room Minecraft scam,” to bombard the company’s domain name system (DNS) infrastructure with too much traffic for it to handle. Yawn.
No. The attack on Dyn was noteworthy because it brought down some of the world’s most popular websites—The Guardian reported at the time that the attack made “Twitter, the Guardian, Netflix, Reddit, CNN and many others in Europe and the U.S.” unreachable for the better part of a day.
There are entire industries devoted to making sure their customers’ websites don’t go down, so as frustrating as these outages can be, it’s at least somewhat interesting to know that someone can still disrupt these services. Failing that, most DDoS attacks seem more like a nuisance than anything else. (At least from the outside; I feel for the people charged with handling these low-effort attacks.)
Local storage
CISA: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the NSA put out a report on Identity and Access Management on Oct. 4 that “ focuses on technical gaps and challenges related to adoption and secure employment of [multi-factor authentication] and [single sign-on] technology.”
DFP: A ransomware attack on McLaren Health Care in Michigan may have resulted in some patient information being compromised, according to The Detroit Free Press, which said that ALPHV / BlackCat claimed to have made off with 6TB of data that purportedly includes details about 2.5 million of patients of the 14 hospitals operated by the company.
Off-script
It’s officially spooky season. Everyone celebrates in their own way—some people set up increasingly tall skeletons, others stock up on the objectively worst candy in mass production and still others plan elaborate Halloween costumes that will put every ghost in a cut-up sheet to shame. As for me? I’m returning to an eight-year-old game that’s only available on a single last-generation console.
That’s right. I’m replaying Bloodborne.
Altınay Dinç / Unsplash
Anyone who’s played the game before knows exactly why the advent of spooky season offers the perfect excuse to replay Bloodborne. It’s perhaps the greatest depiction of gothic horror in any medium, with a gripping narrative and backstory told in the drip-drip-drip style for which From Software is known, all of which you can miss in the thrill of the hunt for the blood-starved beasts haunting this waking nightmare.
Even if you aren’t interested in playing the game, I recommend watching some videos about it. You want spooky? Bloodborne’s got spooky. Werewolves? Yep. Vampires? Kinda! Eldritch horrors beyond human comprehension? Well, I wouldn’t want to spoil anything, but yeah. I wouldn’t last a minute in this setting without going mad. Every frame of this game—all 30 of them per second—is an ode to all things horror.
Now is the perfect time to (re) experience Bloodborne yourself. Put up your decorations, buy your candy, don your costumes. Then, when you’re ready for something truly cursed, head to Yharnam. If you’re anything like me, it’ll become as much a part of spooky season as pumpkin spice lattes.