Changelog: The calm before many AI storms
Steve Johnson / Unsplash
Welcome to Changelog for 8/20/23, published by Synack! Nathaniel Mott here with the latest updates on AI-augmented influence operations, ongoing scrutiny of Microsoft and more.
The payload
Threat actors can remind me of “Mean Girls”: Much like Gretchen Wieners keeps trying to make “fetch” happen, the groups behind influence operations keep trying to make generative artificial intelligence work in their campaigns. The difference is that these groups might succeed where the fictional Wieners couldn’t.
According to an Aug. 17 report from Mandiant, AI has proven ineffective when used in so-called “intrusion operations.” But when it comes to spreading false narratives to further a particular group’s agenda via influence operations, AI could be more useful thanks to the ability to generate misleading text, images and videos.
“We anticipate that generative AI tools will accelerate threat actor incorporation of AI into information operations and intrusion activity,” the Google Cloud-owned incident response firm said. “Mandiant judges that such technologies have the potential to significantly augment malicious operations in the future, enabling threat actors with limited resources and capabilities, similar to the advantages provided by exploit frameworks including Metasploit or Cobalt Strike.”
Although the company mentioned intrusion operations there--and said elsewhere that AI could assist with social engineering--Mandiant cautioned that “while there is certainly threat actor interest in this technology, adoption has been limited thus far, and may remain so in the near term.” But the report cites numerous examples of AI-generated content being used to spread misinformation on social media, and the tools used to create that content are only getting more sophisticated.
We’ve covered some of the security industry’s concerns about the rise of AI before, along with the ways defenders are looking to use AI. I worry misinformation could be the first malicious application of this technology to really cause a lot of harm.
The week, compiled
We might have to rename this section “Microsoft watch.”
Rep. Don Bacon (R-Neb.), a member of the House Armed Services Committee, said last week he was informed by the FBI that Chinese hackers accessed his email. (Along with accounts associated with the U.S. State Department and Department of Commerce, which we already knew.)David Trinks / Unsplash
“I thank the FBI for notifying me that the [Chinese Communist Party] hacked into my personal and campaign emails from May 15th to June 16th of this year,” Bacon tweeted on Aug. 14. “The CCP hackers utilized a vulnerability in the Microsoft software, and this was not due to ‘user error.’”
Much of the U.S. government’s public messaging about this hack has focused on Microsoft, not China, with the Department of Homeland Security announcing on Aug. 11 that the Cyber Safety Review Board’s next task would be the investigation of the Exchange hack.
Bacon switched that up a bit. “The Communist government in China are not our friends and are very active in conducting cyber espionage,” he said in a followup post. “I’ll work overtime to ensure Taiwan gets every $ of the $19B in weapons backlog they’ve ordered, and more.”
Alright. We’ll check in on the fallout of the Microsoft hack again next week, I assume, but here are some other stories that caught my eye in the meantime:
TechCrunch: The U.S. Cybersecurity and Infrastructure Security Agency added a vulnerability in ShareFile (CVE-2023-24489) to its Known Exploited Vulnerabilities catalog, meaning federal civilian executive branch agencies must apply the patch for that flaw by Sept. 6. The flaw received a CVSS score of 9.8 and can be exploited to “allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller.”
RBN: Package repositories continue to carry security risks (see my report from 2021 for more on that). This time, the problem is flaws in PowerShell Gallery that “make typosquatting attacks inevitable in this registry, while also making it extremely difficult for users to identify the true owner of a package,” according to AquaSec research published on Aug. 16.
Cyberint: Guard thy LinkedIn accounts, for Cyberint reported on Aug. 14 that “an ongoing and successful hacking campaign is targeting LinkedIn accounts,” with some victims reportedly being “pressured into paying a ransom to regain control or [facing] the permanent deletion of their accounts” after they’ve been compromised.
A message from Synack
Dive deep into the top software flaws of 2022 in Synack’s inaugural State of Vulnerabilities report. Researchers on the elite Synack Red Team uncovered a record 14,800 exploitable vulnerabilities across Synack targets last year, ranging from authentication failures to SQL injections. The report shares insights into the root causes of these security gaps. Learn how Synack finds the vulnerabilities that matter and check out the full report here.
Flash memory
People have been making jokes about forcing computers to “halt and catch fire” since the ‘60s. The halting part is achievable, but most computers won’t actually catch fire. Emphasis on “most,” though, as Dell learned when it had to recall 4.1 million laptop batteries in August 2006.
That recall, which remains the largest in the U.S. consumer electronics industry 17 years later, was prompted by Dell laptops quite literally catching fire. “Over the past two months, numerous stories have appeared documenting Dell laptops' habit of igniting,” The Register reported at the time. “You've got Dell laptop goes up in smoke, Dell probes incendiary laptop incident, Dell laptop smoked in Singapore and Dell said to have 'dozens' of burned laptop incidents on file.”
CNBC reported that the recall affected “around 15 percent of the batteries the company sold between mid-2004 and 2006.” A much smaller number actually caught fire, of course, but it turns out people tend to worry when they hear a product they carry around with them has a small chance of bursting into flame. (Especially when that product has the word “lap” in its name.) Samsung learned the same lesson the hard way when it recalled the Note 7 a decade later.
Local files
The Record: Ransomware gangs have been targeting U.S. schools before they reopen at the end of summer vacation, with the most recent high-profile victim being the K-12 school district for Cleveland, Tenn. Expect these kinds of stories to continue as more students head back to school--and as more ransomware gangs realize how poorly defended many districts are.
Wired: The U.S. Department of Health and Human Services announced on Aug. 17 that it was launching a program called the Digital Health Security project (or Digiheals) to, as Wired put it, “find and help fund the development of cybersecurity technologies that can specifically improve defenses for digital infrastructure in US health care.” More details can be found here.
The Register: The Clorox Company, which owns Pine-Sol, Glad and other household cleaning supply companies in addition to offering its namesake bleach products, told the Securities and Exchange Commission it recently suffered a security breach that disrupted some of its operations, though it reportedly declined to answer The Register’s questions about the incident, which is still being investigated.
Off-script
Wouldn’t it be nice to never think about Elon Musk again? Yeah, I think so too. Unfortunately, buying one of the world’s most popular social networks and proceeding to run it into the ground does tend to result in constant coverage, even if you disregard all of the other antics.
aaron vansieleghem / Unsplash
So here are two ways Musk has decided to further ruin the social network I refuse to call X:
- Adding a five-second delay when following links to specific websites. The Washington Post reported that this includes “Facebook, Instagram, Bluesky and Substack, as well as the Reuters wire service and the [New York Times].” So, essentially, social networks and news sites. Cool.
- Threatening to remove the block feature. Musk tweeted that blocking would be removed for everything but direct messages because “it makes no sense.” This after Musk reportedly abused his control over Twitter to remove himself from many users’ block lists in November 2022.
All of which is to say nothing of Twitter’s decline as a source of real-time information (particularly during emergencies, such as the Maui fire, among others) and the decision to split ad revenues with a user who shared child sexual abuse material on the platform.
Those problems are deeply concerning, and a sign of how much Twitter has changed since Musk took over the company. But the others are just plain childish, and it’s astounding to think someone would spend $44 billion to ruin a site people used to like over petty ego trips.