Commit 11_27_2023: Bringing 'secure by design' to AI
Growtika / Unsplash
Welcome to Commit 11_27_2023! README senior editor Nathaniel Mott back from the Thanksgiving break with the leading cybersecurity news of the last few days.
Reuters: U.S. and allies want AI to be ‘secure by design’
The U.S. Cybersecurity and Infrastructure Security Agency’s favorite phrase—“secure by design”—is catching on. Reuters today reported that “the United States, Britain and more than a dozen other countries on Sunday” announced an international agreement devoted to pushing companies to develop artificial intelligence systems that are, well, secure by design.
That sounds fine and dandy, but the announcement was clearly just the first step on a long journey. Reuters reported that “the agreement is non-binding and carries mostly general recommendations such as monitoring AI systems for abuse, protecting data from tampering and vetting software suppliers.” (Which, fittingly, broadly aligns with CISA’s advice for developing software that is secure by design.)
CyberScoop: WildCard hackers stand out from other Israel-targeting groups
An advanced persistent threat group that has targeted Israel for at least eight years, WildCard, has reportedly turned to increasingly sophisticated methods of distributing its regularly updated SysJoker malware. CyberScoop reported that the Intezer security firm described WildCard’s tactics, techniques and procedures as “unusually mature for the Israeli threat landscape.”
Part of that sophistication was evidenced by the SysJoker malware’s adoption of the Rust programming language. (Even malware can’t escape the “rewrite it in rust” movement.) As I reported last year, this can make the malware more difficult for reverse engineers to analyze, though I suspect the situation has improved as Rust’s popularity has continued to rise.
The Record: Ukraine claims responsibility for Rosaviatsia operation
Ukraine has claimed responsibility for a “complex special operation in cyberspace” targeting Russia’s civil aviation agency, Rosaviatsia, in what The Record said “appears to be the first time that Ukraine’s government has taken responsibility for a cyber operation against a Russian target” since Russia invaded the country in February 2022.
So far the operation mostly appears to be serving as propaganda, with Ukraine claiming that documents obtained via the Rosaviatsia hack revealed that Russia “is trying to hide the endless pile of problems with civil aviation, endangering its residents” in the process. (Though it’s worth noting that the authenticity of these documents hasn’t been confirmed.)
BleepingComputer: HSE keeps the lights on despite ransomware attack
Holding Slovenske Elektrarne (HSE) had some good news and some bad news last week. The bad news was the revelation of a ransomware attack on what BleepingComputer described as “Slovenia's largest power generation company” that accounts “for roughly 60% of domestic production.” The good news was that the attack reportedly didn’t affect power production.
BleepingComputer said that local media have attributed the attack to Rhysida. CISA and the FBI recently published a warning in which they said its eponymous malware is “an emerging ransomware variant” that “has predominately [sic] been deployed against the education, healthcare, manufacturing, information technology, and government sectors since May 2023.”
Ars Technica: Mirai returns, spreads via connected device zero-days
Mirai, the infamous botnet-orchestrating malware that Wired just did a big feature about, is never going away. Ars Technica reported last week that “miscreants are actively exploiting two new zero-day vulnerabilities to wrangle routers and video recorders into a hostile botnet used in distributed denial-of-service attacks” and they are, of course, using Mirai to do so.
This latest campaign was discovered by Akamai, whose researchers have reportedly disclosed the relevant zero-days to the companies that make the devices being compromised, the identities of which are being kept under wraps for fear of someone else exploiting the vulnerabilities between their disclosure and the release of the associated security patches.