A
From the CISO series, it's Cybersecurity Headlines.
B
These are the Cybersecurity ho ho headlines for Tuesday, December 24, 2024. I'm Rich Stroffolino.

Using LLMs to generate malware variants
An analysis by Palo Alto Networks Unit 42 looked at the ability of threat actors to rewrite existing malware with LLMs. The researchers used models to rewrite known malware samples iteratively, using techniques like variable renaming, string splitting, junk code insertion, removal of unnecessary white space, and a complete reimplementation of the code. The idea is that these smaller changes could degrade the overall effectiveness of malware classification systems while also making the code look more naturally written when reviewed by humans. To combat this, Palo Alto generated tens of thousands of variants to better train its own detection algorithms, reporting it saw a 10% detection rate improvement.

NSO liable for WhatsApp hacks
Five years ago, Meta-owned WhatsApp filed a lawsuit against the Israeli spyware vendor NSO Group, alleging it violated the Computer Fraud and Abuse Act and California's Computer Data Access and Fraud Act by deploying Pegasus spyware on over 1,000 devices. Now, a US federal judge ruled in favor of WhatsApp, finding NSO is liable for violating these laws. NSO has always held that it's not responsible for how its customers use its products. A jury trial to determine damages will be held on March 3, 2025.

OpenAI fined for privacy violations
Italy's Data Protection Authority fined OpenAI 15 million euros for privacy violations. The fines were issued for not alerting people of a security breach from March 2023, not providing mechanisms for age verification for ChatGPT, and for GDPR violations as a result of not giving adequate legal notice to European citizens when using their personal information to train the chatbot. On top of the fine, Italian regulators ordered the company to carry out a six-month-long communications campaign to promote further understanding of how it uses the information to train ChatGPT and let Europeans know their rights to opt out or delete collected data. OpenAI said it will appeal the fine. Back in March 2023, Italy temporarily banned ChatGPT in the country over data protection concerns.

Apple sends spyware victims to a nonprofit
For years, Apple's iOS has supported sending users alerts when spyware is detected on a device. As part of this notification, Apple points users to additional resources. But as TechCrunch pointed out, this doesn't actually include an offer for analysis by Apple security engineers. Instead, Apple directs users to contact the nonprofit Access Now, which specializes in helping those in civil society targeted by spyware. Apple also recommends users with suspected spyware on their device turn on Lockdown Mode, which limits features commonly exploited by spyware. Security experts speaking to TechCrunch said sending these victims to a nonprofit provides a great deal of transparency in the scope of spyware attacks. However, EFF Director of Cybersecurity Eva Galperin did say Apple could provide more detailed reports on these attacks directly, as well as take direct legal action in response.

And now, thanks to today's episode sponsor ThreatLocker. Do zero-day exploits and supply chain attacks keep you up at night? Worry no more. You can harden your security with ThreatLocker. ThreatLocker helps you take a proactive default-deny approach to cybersecurity and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operations are fully supported by their US-based support team. To learn more about how ThreatLocker can help keep your organization running efficiently and protected from ransomware, visit threatlocker.com. That's T-H-R-E-A-T-L-O-C-K-E-R dot com.

Microsoft fixes deactivation errors
Yesterday we discussed an issue with Microsoft 365 Office apps sending out erroneous product deactivated warnings. The company acknowledged the problem, caused by a bug when changing licenses or subscription settings. Now Microsoft said it's deployed a server-side patch to resolve the issue. If users haven't received that update yet, Microsoft also provided a mitigation: signing out of all Microsoft 365 apps and restarting will resolve the issue. Truly a bug fix. That's a Christmas miracle.

Government to name witness in encrypted chat sting
Between 2018 and 2021, the US FBI and the Australian Federal Police operated and distributed an encrypted messaging app marketed towards cybercriminals called Anom as part of Operation Trojan Shield. Anom included a backdoor that allowed law enforcement to implicate criminal organizations in over 100 countries. This app was run by an individual under the pseudonym Afgoo, who approached the government about the app after running secure phone services Phantom Secure and Sky in the past. Now, four defendants in cases using evidence from Anom filed a motion to reveal the identity of Afgoo. Court filings show the US government will provide the identity under discovery rules, but if called as a witness, Afgoo's name may also be revealed in open court.

Do not leave CookiePlus out for Santa
The cybersecurity firm ASEC warned that it found the North Korean-linked group Andariel is targeting a nuclear-related organization with SmallTiger malware. This seeks to exploit domestic asset management and documentation centralization solutions used at the organization. Separately, researchers at Kaspersky released new findings that the North Korean-linked Lazarus Group continues to develop sophisticated new malware such as a downloader, loader and backdoor, demonstrating the group's evolved delivery and improved persistence methods. This includes the downloader CookieTime and the modular malware plugin system called CookiePlus.

Reporting for the CISO Series, I'm Rich Stroffolino reminding you and yours to have a super sparkly happy holiday.
A
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: CISO Series
Episode Title: Government to Name Witness in Encrypted Chat Sting
Release Date: December 24, 2024
Timestamp: 00:07
Rich Stroffolino opens the episode by discussing a groundbreaking analysis from Palo Alto Networks' Unit 42. The research explores how threat actors are utilizing Large Language Models (LLMs) to generate new variants of existing malware. By iteratively rewriting malware samples through techniques such as variable renaming, string splitting, junk code insertion, removal of unnecessary white spaces, and complete code reimplementation, malicious actors aim to evade detection systems.
Key Insights:
To combat this, Palo Alto generated tens of thousands of variants to better train its own detection algorithms, reporting a 10% improvement in detection rate.
Notable Quote:
"The idea is that these smaller changes could degrade the overall effectiveness of malware classification systems while also making the code look more naturally written when reviewed by humans."
— Rich Stroffolino [00:07]
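As an added example (not from the episode or the Unit 42 research) of how a defender can blunt the cheap rewrites the segment lists, the Python below fingerprints a constructed JavaScript-like snippet over a canonical token stream that ignores whitespace, comments, identifier names and string splitting, and shows why junk-code insertion still changes the fingerprint. The keyword set and the three sample snippets are constructed for illustration.

```python
import hashlib
import re

# Keywords kept verbatim; any other identifier is renamed by order of appearance.
KEYWORDS = {"function", "var", "let", "const", "return", "if", "else",
            "for", "while", "new", "this", "true", "false", "null"}
COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)
TOKEN_RE = re.compile(
    r'"(?:[^"\\]|\\.)*"'      # double-quoted string literal
    r"|'(?:[^'\\]|\\.)*'"     # single-quoted string literal
    r"|[A-Za-z_$][\w$]*"      # identifier or keyword
    r"|\d+(?:\.\d+)?"         # number
    r"|\S"                    # any other single character (punctuation)
)
IDENT_RE = re.compile(r"[A-Za-z_$][\w$]*")

def _is_string(tok):
    return tok[0] in "\"'"

def canonicalize(source):
    """Canonical token stream: drops whitespace and comments, re-joins split
    string literals, and renames identifiers; junk statements are kept."""
    tokens = TOKEN_RE.findall(COMMENT_RE.sub(" ", source))
    merged = []
    for tok in tokens:
        # Undo "hel" + "lo" splitting: literal, '+', literal with same quote.
        if (_is_string(tok) and len(merged) >= 2 and merged[-1] == "+"
                and _is_string(merged[-2]) and merged[-2][0] == tok[0]):
            merged[-2] = merged[-2][:-1] + tok[1:]
            merged.pop()
        else:
            merged.append(tok)
    names = {}
    out = []
    for tok in merged:
        if IDENT_RE.fullmatch(tok) and tok not in KEYWORDS:
            tok = names.setdefault(tok, f"id{len(names)}")
        out.append(tok)
    return " ".join(out)

def fingerprint(source):
    """SHA-256 of the canonical form; stable across cheap rewrites only."""
    return hashlib.sha256(canonicalize(source).encode()).hexdigest()

# Constructed harmless snippets: the original, a variant using only renaming,
# string splitting and whitespace removal, and one that also inserts junk code.
ORIGINAL = 'function greet(name) {\n  var message = "hello world"; // greet\n  return message + " " + name;\n}\n'
VARIANT_CHEAP = 'function a1(b2){var c3="hel"+"lo wor"+"ld";return c3+" "+b2;}'
VARIANT_JUNK = 'function x(y){var z="hello world";var junk=0;junk=junk+1;return z+" "+y;}'
```

The cheap variant fingerprints identically to the original, while the junk-code variant does not, which is why a classifier needs training data covering semantic rewrites rather than normalization alone.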
Timestamp: 02:15
Five years following the initial lawsuit, Meta-owned WhatsApp has successfully held the Israeli spyware vendor NSO Group accountable for deploying Pegasus Spyware on over 1,000 devices. The U.S. federal judge ruled in favor of WhatsApp, citing violations of the Computer Fraud and Abuse Act and California's Computer Data Access and Fraud Act.
Key Points:
A jury trial to determine damages will be held on March 3, 2025.
Notable Quote:
"NSO has always held that it's not responsible for how its customers use its products."
— Rich Stroffolino [02:15]
Timestamp: 04:30
OpenAI faces a hefty fine of 15 million euros imposed by Italy's Data Protection Authority due to multiple privacy violations. The fines address failures such as not alerting people to a security breach from March 2023, not providing age verification mechanisms for ChatGPT, and GDPR violations for not giving adequate legal notice to European citizens when using their personal information to train the chatbot.
Regulatory Actions:
Italian regulators also ordered OpenAI to carry out a six-month communications campaign explaining how it uses personal information to train ChatGPT and informing Europeans of their rights to opt out or delete collected data.
Context:
In March 2023, Italy had temporarily banned ChatGPT over similar data protection concerns.
Notable Quote:
"OpenAI said it will appeal the fine."
— Rich Stroffolino [04:30]
Timestamp: 05:10
Apple's iOS includes features that notify users when spyware is detected on their devices, directing them to additional resources. However, as highlighted by TechCrunch, these resources primarily point users to the nonprofit AccessNow, rather than offering direct analysis by Apple security engineers.
Key Discussions:
Apple also recommends that users with suspected spyware on their device turn on Lockdown Mode, which limits features commonly exploited by spyware.
Expert Opinion:
Eva Galperin, Director of Cybersecurity at EFF, suggests that Apple could provide more detailed reports on these attacks directly and take direct legal action in response.
Notable Quote:
"Sending these victims to a nonprofit provides a great deal of transparency in the scope of spyware attacks. However, Apple could provide more detailed reports on these attacks directly, as well as take direct legal action in response."
— Eva Galperin, Director of Cybersecurity at EFF [05:10]
Timestamp: 05:50
Addressing a recent issue, Microsoft has implemented a server-side patch to fix erroneous deactivation warnings in Office 365 applications. This bug, which arose when users changed licenses or subscription settings, caused unnecessary product deactivation alerts.
Mitigation Steps for Users:
Users who have not yet received the server-side fix can sign out of all Microsoft 365 apps and restart, which Microsoft says resolves the issue.
Humorous Note:
Rich humorously refers to the fix as a "Christmas miracle," highlighting the timely resolution during the holiday season.
Notable Quote:
"That's a Christmas miracle."
— Rich Stroffolino [05:50]
Timestamp: 06:10
The episode delves into the intricate details of Operation Trojan Shield, a joint effort between the US FBI and the Australian Federal Police. Between 2018 and 2021, authorities operated an encrypted messaging app named Anom, marketed to cybercriminals, which included a backdoor for law enforcement to monitor criminal communications across over 100 countries.
Key Developments:
Four defendants in cases relying on Anom evidence have filed a motion to reveal the identity of the app's operator, known by the pseudonym Afgoo. Court filings show the US government will provide the identity under discovery rules, and if Afgoo is called as a witness, the name may also be revealed in open court.
Background:
Afgoo previously ran secure phone services through Phantom Secure and Sky, making them a pivotal figure in Operation Trojan Shield.
Notable Quote:
"Between 2018 and 2021, the US FBI and the Australian Federal Police operated an encrypted messaging app marketed towards cybercriminals called Anom as part of Operation Trojan Shield."
— Rich Stroffolino [06:10]
Timestamp: 06:20
The cybersecurity firm ASEC has raised alarms about the North Korean-linked group Andariel, which is targeting a nuclear-related organization using malware known as SmallTiger. This malware exploits domestic asset management and documentation centralization solutions within the targeted organization.
Additional Insights:
Kaspersky's findings name the downloader CookieTime and the modular malware plugin system CookiePlus as part of the Lazarus Group's evolving toolset.
Notable Quote:
"Researchers at Kaspersky released new findings that the North Korean linked Lazarus Group continues to develop sophisticated new malware such as a downloader, loader and backdoor, demonstrating the group's evolved delivery and improved persistent methods."
— Rich Stroffolino [06:20]
Rich Stroffolino wraps up the episode by reminding listeners of the continuous updates available at cisoseries.com and extends holiday greetings.
Notable Quote:
"Reporting for the CISO series, I'm Rich Stroffolino reminding you and yours to have a super sparkly happy holiday."
— Rich Stroffolino [06:33]
This episode of Cyber Security Headlines by CISO Series provides a comprehensive overview of significant developments in the cybersecurity landscape as of December 2024. From advancements in malware generation using AI to legal battles against spyware vendors, and privacy enforcement against AI models, the discussions highlight the dynamic and evolving nature of information security. Additionally, the detailed analysis of government operations against cybercriminals and the persistent threats posed by sophisticated hacker groups underscore the continuous challenges faced by cybersecurity professionals.
For in-depth coverage of these stories and more, visit CISOseries.com.