CyberWire Daily: "Cats and RATS are all the rage" Summary
Release Date: January 29, 2025
Host: Dave Bittner, N2K Networks
Guest: Ivan Novikov, CEO at Wallarm
1. AI-Enhanced Cyber Attacks
Overview:
The episode opens with a report from The Wall Street Journal on state-linked hacking groups from China and Iran using AI, specifically Google's Gemini chatbot, to support their operations. These groups are using the model for tasks such as writing malicious code, identifying vulnerabilities in target systems, and researching potential targets.
Key Points:
Use of AI in Cyberattacks:
- “These groups leverage AI for tasks like writing malicious code, identifying vulnerabilities and researching targets.” – Dave Bittner [02:30]
Country-Specific Tactics:
- Chinese and Iranian groups use Gemini most extensively, treating it as a research tool.
- North Korean hackers use AI to write convincing job application cover letters in support of espionage.
- Russian groups make limited use of AI, primarily for coding tasks.
Skepticism Among Cybercriminals:
- Despite the potential, many cybercriminals remain skeptical about the practical value of generative AI.
- “Many cybercriminals see AI as overhyped and unsuitable for complex operations.” – Dave Bittner [05:15]
US Intelligence Perspective:
- AI is becoming integral to global cyber and military strategies.
- “AI is becoming a crucial factor in global cyber and military strategies.” – Dave Bittner [06:00]
Concerns Over Open Source AI:
- China’s release of the DeepSeek model with open-source code raises worries about unregulated misuse.
2. Security Vulnerabilities and Data Leaks
Structchat Data Leak:
A significant leak was reported in Structchat, an AI-powered messaging tool for Slack and Discord. An Apache Kafka broker exposed to the internet with no authentication or access controls streamed user messages and related data to anyone who connected; within a single hour the stream carried data from over 1,000 users across more than 200 companies.
- “This information could be exploited for phishing, identity theft, or corporate espionage.” – Dave Bittner [07:20]
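The exposed-broker problem above is a configuration failure, so here is a small audit script, added by the editor (not code from the podcast, from Structchat, or from the Kafka project), that parses a broker's server.properties and reports listeners that carry traffic unencrypted or accept unauthenticated clients, and a missing or permissive authorizer. The two configurations embedded in it are constructed for illustration; the property names are standard Kafka broker settings, while the hostnames, ports and file paths are assumptions.

```python
"""Audit a Kafka broker's server.properties for an exposed, unauthenticated listener.

Editor's example, not from the podcast or the Kafka project. Both configurations
below are constructed; hosts, ports and paths are assumptions."""
from __future__ import annotations

# Constructed: a broker bound to every interface with no TLS, no auth and no ACLs.
EXPOSED_CONFIG = """
broker.id=0
listeners=PLAINTEXT://0.0.0.0:9092
advertised.listeners=PLAINTEXT://203.0.113.10:9092
log.dirs=/var/lib/kafka
"""

# Constructed: the same broker after hardening (SASL over TLS, ACLs enforced).
HARDENED_CONFIG = """
broker.id=0
listeners=SASL_SSL://0.0.0.0:9093
advertised.listeners=SASL_SSL://broker.internal.example:9093
security.inter.broker.protocol=SASL_SSL
sasl.enabled.mechanisms=SCRAM-SHA-512
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
ssl.keystore.location=/etc/kafka/broker.keystore.jks
ssl.truststore.location=/etc/kafka/broker.truststore.jks
ssl.client.auth=required
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
allow.everyone.if.no.acl.found=false
"""


def parse_properties(text: str) -> dict[str, str]:
    """Java .properties subset: key=value lines, '#' or '!' comments, blanks ignored."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def parse_listeners(value: str) -> list[tuple[str, str, int]]:
    """'PLAINTEXT://0.0.0.0:9092,SSL://:9093' -> [(name, host, port), ...].
    Bracketed IPv6 hosts are not handled; enough for the audit here."""
    out = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        name, _, hostport = item.partition("://")
        host, _, port = hostport.rpartition(":")
        out.append((name, host, int(port)))
    return out


def resolve_protocol(name: str, props: dict[str, str]) -> str:
    """Custom listener names (e.g. EXTERNAL) map to a security protocol through
    listener.security.protocol.map; the built-in names map to themselves."""
    mapping: dict[str, str] = {}
    for item in props.get("listener.security.protocol.map", "").split(","):
        key, _, proto = item.strip().partition(":")
        if key:
            mapping[key.upper()] = proto.strip().upper()
    return mapping.get(name.upper(), name.upper())


def audit(text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    props = parse_properties(text)
    findings: list[str] = []
    for name, host, port in parse_listeners(props.get("listeners", "")):
        proto = resolve_protocol(name, props)
        where = f"{name}://{host or '0.0.0.0'}:{port}"
        if proto in ("PLAINTEXT", "SASL_PLAINTEXT"):
            findings.append(f"{where}: traffic is unencrypted")
        # PLAINTEXT never authenticates; SSL only does so with mandatory client certs.
        no_client_auth = props.get("ssl.client.auth", "none").lower() != "required"
        if proto == "PLAINTEXT" or (proto == "SSL" and no_client_auth):
            findings.append(f"{where}: clients are not authenticated")
    if "authorizer.class.name" not in props:
        findings.append("no authorizer configured: every client can read and write every topic")
    elif props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append("allow.everyone.if.no.acl.found=true: topics without an ACL are open to everyone")
    return findings


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

Run it against a real server.properties and the findings list is what a scanner on the open internet would have been able to exploit: an unauthenticated PLAINTEXT listener plus no authorizer means any client that can reach the port can consume every topic.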
Smiths Group Cyber Attack:
British engineering firm Smiths Group experienced a cyberattack resulting in unauthorized system access. The company responded by isolating affected systems and collaborating with cybersecurity experts, though the exact nature of the attack remains unclear.
Rockwell Automation Vulnerabilities:
Rockwell Automation released advisories on six critical and high-severity vulnerabilities in its FactoryTalk software. Potential impacts include remote command execution and access to system configuration.
- “Organizations are urged to apply patches to protect industrial automation systems from potential threats.” – Dave Bittner [09:45]
Apple CPU Side Channel Vulnerabilities:
Researchers discovered new side channel vulnerabilities in Apple’s M2 and A15 CPUs, potentially allowing attackers to leak sensitive information through web browsers.
- “These attacks exploit flaws in speculative execution, the same underlying issue behind Spectre and Meltdown.” – Dave Bittner [11:30]
3. Emergence of the Hellcat Ransomware Gang
Characteristics and Tactics:
The Hellcat ransomware gang, which emerged in 2024, operates a ransomware-as-a-service model and combines financial extortion with psychological pressure on its victims.
- “Hellcat uses psychological pressure alongside standard double extortion, threatening to leak stolen data if ransoms aren't paid.” – Dave Bittner [12:10]
Notable Attacks:
Targets include Schneider Electric, a US university, a French energy company, and an Iraqi city government. Hellcat is known for humiliating victims by demanding unconventional ransom payments, such as $125,000 in baguettes.
- “Their approach signals a potential evolution in cyber extortion, blending traditional financial motives with psychological warfare.” – Dave Bittner [13:05]
4. Spark RAT and Fleshstealer Malware
Spark RAT on macOS and Government Entities:
Researchers uncovered ongoing operations of Spark RAT, a remote access trojan targeting macOS users and government organizations. Distributed via fake meeting platforms and gaming sites, Spark RAT is linked to North Korean cyber campaigns.
- “Analysts recommend monitoring HTTP headers, JSON error messages, and network traffic for detection.” – Dave Bittner [14:20]
Fleshstealer Malware Analysis:
Fleshstealer, a credential-stealing malware written in C, employs encryption to evade detection and self-terminates in debugging environments. It targets Chromium and Mozilla-based browsers to extract credentials and crypto wallet data.
- “Fleshstealer is lightweight and offers 24/7 support for cybercriminals with logs decrypted directly on its web-based control panel.” – Dave Bittner [15:10]
5. Exploitation of Government Websites for Phishing
Methodology:
Cybercriminals have been exploiting vulnerabilities in government websites and using the trusted domains to host phishing pages, serve as command-and-control infrastructure, and redirect visitors to malicious destinations.
- “Victims, seeing a trusted government address, click without hesitation, only to land on pages designed to steal their credentials.” – Dave Bittner [16:30]
Impact Regions:
The United States, Brazil, and Colombia are among the most affected, with US government domains accounting for 9% of total cases.
- “Their strategy is methodical, their execution precise.” – Dave Bittner [17:00]
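As an added example (the editor's, not the podcast's or the cited report's), the check below triages proxy-log URLs for the redirect abuse described above: a request to a government host whose redirect parameter points off to a non-government site. The government suffix list, the redirect parameter names, the hostnames and the log lines are all constructed assumptions, and the per-country tally is computed over the sample only, so it illustrates the kind of breakdown quoted above rather than reproducing it.

```python
"""Flag government-domain URLs that redirect visitors to non-government hosts.

Editor's example, not from the podcast or the report it summarizes. Suffixes,
parameter names, hostnames and log lines below are constructed assumptions."""
from __future__ import annotations

from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed: public suffixes for the three governments the episode names.
GOV_SUFFIXES = {".gov": "US", ".gov.br": "Brazil", ".gov.co": "Colombia"}

# Assumed: query parameters commonly used to carry a post-login destination.
REDIRECT_PARAMS = {"url", "next", "redirect", "redirect_uri", "return", "goto", "u"}

# Constructed proxy log: "<timestamp> <client> <url>". Hostnames are invented.
SAMPLE_LOG = """\
2025-01-28T09:14:02Z 10.0.4.17 https://portal.example.gov/login?next=https://accounts-verify.example/signin
2025-01-28T09:14:09Z 10.0.4.17 https://portal.example.gov/login?next=/dashboard
2025-01-28T09:15:41Z 10.0.7.3 https://servicos.example.gov.br/sso?redirect=%2F%2Fcdn-login.example%2Fsso
2025-01-28T09:16:05Z 10.0.2.9 https://tramites.example.gov.co/auth?return=https://other.example.gov.co/home
2025-01-28T09:17:22Z 10.0.2.9 https://news.example.com/?u=https://evil.example/
2025-01-28T09:18:00Z 10.0.9.1 https://example.gov.evil.example/login?next=https://evil.example/
""".splitlines()


def government_country(host: str) -> str | None:
    """Country for a government host, else None. Suffix match on label boundary:
    'login.agency.gov' matches, 'agency.gov.evil.example' does not."""
    host = host.lower().rstrip(".")
    for suffix, country in GOV_SUFFIXES.items():
        if host == suffix[1:] or host.endswith(suffix):
            return country
    return None


def external_redirect_target(url: str) -> str | None:
    """If url sits on a government host and a redirect parameter points at a
    non-government host, return that host; otherwise None."""
    parts = urlsplit(url)
    if government_country(parts.hostname or "") is None:
        return None
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() not in REDIRECT_PARAMS:
            continue
        value = unquote(value)            # second decode catches %252F%252F tricks
        if value.startswith("//"):
            value = "https:" + value      # scheme-relative redirect still leaves the site
        target = urlsplit(value)
        if target.scheme in ("http", "https") and target.hostname:
            if government_country(target.hostname) is None:
                return target.hostname
    return None


def triage(log_lines: list[str]) -> tuple[list[tuple[str, str, str]], Counter]:
    """Return (alerts, per-country count of abused government hosts).
    Each alert is (client, url, external target host)."""
    alerts: list[tuple[str, str, str]] = []
    by_country: Counter = Counter()
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue                       # malformed line: skip rather than crash
        client, url = fields[1], fields[2]
        target = external_redirect_target(url)
        if target is None:
            continue
        alerts.append((client, url, target))
        by_country[government_country(urlsplit(url).hostname or "")] += 1
    return alerts, by_country


if __name__ == "__main__":
    found, tally = triage(SAMPLE_LOG)
    for client, url, target in found:
        print(f"{client} -> {url}  (redirects to {target})")
    print(dict(tally))
```

The lookalike host on the last log line is deliberately not flagged: the suffix check only trusts a real government domain, and the point of the detection is that the dangerous click is on the genuine one.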
6. Interview with Ivan Novikov, CEO at Walarm
US Ruling on Connected Car Tech:
Ivan Novikov discusses the recent US Commerce Department ruling that bars certain Chinese and Russian connected car technologies from being imported into the US. This move aims to protect both personal and government privacy by securing the vast electronic networks within modern vehicles.
- “They want to protect privacy at a personal level and also kind of government privacy.” – Ivan Novikov [16:05]
Cyber Risks in Connected Cars:
Novikov emphasizes the vulnerabilities in APIs that connect cars to the cloud, highlighting that while no vendor can claim absolute security, focus should be on securing dealership and cloud infrastructure.
- “All of them are vulnerable. There are a few things that I have to point out that we call this kind of attack surface.” – Ivan Novikov [20:31]
Future of Automotive Cybersecurity:
Novikov predicts that attackers will prioritize hacking cloud systems and dealership APIs over individual cars due to the scalability and impact of such breaches.
- “The cloud itself and the dealership is the first thing, and then the cloud of these automakers.” – Ivan Novikov [21:15]
7. Innovative QR Code Manipulations
Optical Illusion QR Codes:
The episode concludes with a discussion on novel QR code manipulations inspired by optical illusions. Researchers like Guy Dupont and Christian Walther have developed QR codes that direct users to different URLs based on the viewing angle or distance.
- “Depending on the distance your camera is from the QR code, you will be directed to one of two unrelated URLs.” – Dave Bittner [25:00]
Implications:
This technique opens new avenues for both creative uses and potential malicious applications, highlighting the evolving nature of cybersecurity challenges.
Conclusion
The "Cats and RATS are all the rage" episode of CyberWire Daily covers the intersection of AI and cybersecurity, the rise of a ransomware gang built on psychological pressure, vulnerabilities in industrial and consumer technology, and an inventive QR code technique with obvious potential for abuse. With insights from Ivan Novikov, the episode underscores the evolving landscape of cyber threats and the need for robust security measures.
Notable Quotes:
- “AI is becoming a crucial factor in global cyber and military strategies.” – Dave Bittner [06:00]
- “Their approach signals a potential evolution in cyber extortion, blending traditional financial motives with psychological warfare.” – Dave Bittner [13:05]
- “Victims, seeing a trusted government address, click without hesitation, only to land on pages designed to steal their credentials.” – Dave Bittner [16:30]
For more detailed insights and updates, listeners are encouraged to visit CyberWire Intel Briefing.
Produced by Liz Stokes, mixed by Trey Hester, with original music and sound design by Elliott Peltzman. Executive Producer: Jennifer Eiben. Executive Editor: Brandon Karpf. President: Simone Petrella. Publisher: Peter Kilpe.
