The international effort making digital spaces safer. - CyberWire Daily

Summary10 min read

CyberWire Daily: The International Effort Making Digital Spaces Safer
Hosted by N2K Networks
Release Date: December 2, 2024

Overview

In this episode of CyberWire Daily, host Dave Buettner delves into a series of significant developments in the cybersecurity landscape, emphasizing international collaborations and emerging threats. The episode highlights Interpol's extensive crackdown on cybercrime, exposes critical vulnerabilities in widely-used technologies, discusses evolving tactics of nation-state actors, and explores new initiatives aimed at safeguarding global digital infrastructure. A substantial portion of the episode features an in-depth interview with Marshall Heilman, CEO of dtech Systems, who shares insights into the challenges of preventing nation-state actors from infiltrating organizations through deceptive employment practices. The episode concludes with a critical look at OpenAI's potential shift towards advertising as a revenue stream.

Interpol’s Operation Hikey 5: A Major Cybercrime Crackdown

A standout achievement in international cybersecurity efforts was Interpol’s Operation Hikey 5, a comprehensive crackdown on cyber-enabled fraud spanning 40 countries from July to November 2024. This operation resulted in:

5,500+ Arrests: Targeting individuals involved in various cybercrimes.
$400 Million Seized: Including virtual assets and government-backed currencies.

The operation focused on multiple crime types, including voice phishing, romance scams, online sextortion, investment fraud, illegal gambling, business email compromise, and e-commerce fraud.

Key Successes:

East Asia Collaboration: South Korean and Chinese authorities dismantled a massive voice phishing network responsible for $1.1 billion in losses. Over 1,900 individuals were exploited by scammers impersonating police, leading to 27 arrests.
Singapore Interception: Singaporean police intercepted $39.3 million of a $42.3 million fraud scheme via business email compromise, apprehassing seven suspects and recovering an additional $2.6 million.

Notable Quote:

"International cooperation is paramount in combating the borderless threat of cybercrime," emphasized Interpol's Secretary General during the briefing. (05:45)

Interpol's Global Rapid Intervention of Payments (GRIP) initiative played a crucial role, enabling the swift halting of stolen funds in transit. Supported by the South Korean government, Operation Hikey 5 marked the fifth in the Hikey series, achieving record results with nearly double the number of cases solved and tripling the number of blocked virtual asset accounts compared to previous operations.

Vulnerabilities and Phishing Campaigns

Zabbix SQL Injection Vulnerability

Zabbix, an open-source enterprise network monitoring solution, disclosed a critical SQL injection vulnerability that potentially affects over 83,000 internet-exposed servers. This flaw allows attackers with API access to escalate privileges and compromise systems. Although patches were released in July 2024, users are urged to update immediately as no active exploitation has been reported.

Key Details:

Impact: Non-admin users can exploit the vulnerability to gain unauthorized access.
Recommendation: Immediate application of the provided patches.

Novel Phishing Campaign Exploiting Microsoft Word

A sophisticated phishing campaign has emerged, leveraging Microsoft Word's file recovery feature to bypass email security measures. Attackers distribute intentionally corrupted Word documents disguised as HR or payroll-related files. When opened, these documents prompt users to recover the file, presenting a phishing message that directs them to scan a QR code leading to a fake Microsoft login page to steal credentials.

Techniques Used:

Obfuscation: Base64 encoded strings and deceptive file names help evade antivirus detection.
Non-Malicious Attachments: Lack of malicious code aids in bypassing security software.

Security Recommendations:

Vigilance: Users should delete suspicious emails and verify unexpected messages with administrators.
Detection: Platforms like VirusTotal identify these threats, urging recipients to remain cautious.

Rockstar2FA Phishing Toolkit

Researchers from Trustwave have identified an advanced phishing toolkit named Rockstar2FA, which targets Microsoft 365 users by creating fake login pages to harvest credentials and bypass multifactor authentication (MFA) through adversary-in-the-middle techniques.

Key Features:

Service Model: Offered as a service for $200.
Security Evasion: Implements two FA bypass anti-bot protections, randomized codes, and Telegram bot integration.
Campaign Trends: Since August 2024, campaigns have utilized car-themed web pages and domains, garnering over 5,000 hits since May.

Impact:
These cost-effective kits facilitate credential theft, account takeovers, and business email compromises, making them highly attractive to cybercriminals.

Advantech Industrial Wireless Access Points Vulnerabilities

Nozomi Networks Labs uncovered 20 critical vulnerabilities in Advantech's industrial wireless access points, which are widely deployed in critical infrastructure settings. These vulnerabilities permit:

Remote Code Execution: With root privileges.
Denial of Service (DoS) Attacks: Disrupting network operations.
Lateral Movement: Allowing attackers to traverse networks without authentication.

Mitigation:
Advantech has released firmware updates addressing these issues, and users are advised to apply these patches promptly to secure their systems.

Evolving Tactics of North Korean Hacking Group Kim Suki

South Korean researchers have observed a strategic pivot by the North Korean hacking group Kim Suki, shifting from malware-based attacks to phishing-centric tactics to evade detection by endpoint response systems.

New Strategies:

Phishing Emphasis: Focused on researchers and organizations studying North Korea.
Impersonation: Emails masquerade as legitimate entities like financial institutions and public agencies.
Service Shift: Transitioned from Japanese to Russian email services, complicating detection efforts.
Domain Utilization: Utilizes free Korean domain registration services to create believable phishing sites themed around financial matters.

Detection Challenges:
Phishing attempts often exclude malware, making them harder to flag as threats. URLs are crafted without malicious content, relying on the credibility of the impersonated entity to deceive victims.

UN’s Initiative on Submarine Cable Security

Recognizing the critical importance of undersea cables, which handle over 99% of global data exchanges, the United Nations, together with the International Telecommunication Union (ITU) and the International Cable Protection Committee (ICPC), has established the International Advisory Body for Submarine Cable Resilience.

Objectives:

Enhance Protection: Implementing robust measures to safeguard submarine cables.
Promote Best Practices: Encouraging standardized approaches to cable security.
Ensure Timely Repairs: Facilitating rapid response to cable damage incidents.

Context:

Recent Incidents: Damage to cables connecting Finland, Germany, Sweden, and Lithuania is under investigation for potential sabotage.
Annual Damage Statistics: The ICPC reports 150 to 200 cable damage incidents each year, primarily due to ship anchors, fishing activities, or natural disasters, necessitating weekly repairs.

Operational Framework:

Membership: Comprises 40 members, co-chaired by Nigeria and Portugal.
Meetings: Twice annually, collaborating with industry experts.
US Initiatives: The United States is partnering with Pacific island nations to bolster cable security through various projects.

UK’s AI Security Research Lab LASER

The United Kingdom has inaugurated the Laboratory for AI Security Research (LASER), a pioneering initiative aimed at combating nation-state cyber threats, particularly those emanating from adversaries like Russia.

Funding and Support:

Initial Funding: $10.3 million from the UK government.
Additional Support: Anticipated from private sector partners.

Objectives:

AI Integration: Leveraging artificial intelligence to enhance cybersecurity and intelligence capabilities.
Collaborations: Partnering with organizations such as GCHQ, the Alan Turing Institute, and leading universities like Oxford and Queen’s University Belfast.
International Partnerships: Seeking alliances with NATO and Five Eyes allies to strengthen global cybersecurity defenses.

Leadership Perspective:

"AI plays a dual role in amplifying cyber threats and enabling advanced defense tools," stated Chancellor Pat McFadden. (20:30)

Significance:
LASER represents the UK’s commitment to addressing emerging AI-driven cyber challenges within a broader global strategy, reflecting the evolving nature of cyber threats and the necessity for advanced defensive measures.

Russian Arrests in Ransomware Affiliates

In a notable development, Russian authorities have arrested Mikhail Matveev, also known as Wazawaka, a high-profile ransomware affiliate linked to notorious groups such as Babuk, Conti, Darkside, Hive, and Lockbit.

Charges and Consequences:

Legal Charges: Under Russia's Article 273, for creating malware intended to extort commercial organizations by encrypting data and demanding ransoms.
Potential Penalties: Up to four years in prison or substantial fines upon conviction.

Background:

International Indictment: Previously indicted by the US in 2023, with a $10 million bounty offered by the State Department.
Criminal Activities: Involvement in major cyberattacks, including the 2021 ransomware attack on Washington, D.C.’s Metropolitan Police Department.

Implications: Despite Russia’s historical reluctance to prosecute domestic hackers targeting foreign entities, the arrest of Matveev and other members from groups like Revil and Sugar Locker may signal a strategic shift in the country's approach to cybercrime.

Notable Quote:

"This is a significant step, indicating possible changes in how Russia handles domestic cybercriminals," noted Dave Buettner. (22:10)

Interview with Marshall Heilman: Combating Nation-State Recruitment of Employees

In an enlightening segment, Marshall Heilman, CEO of dtech Systems, discusses the alarming trend of nation-state actors attempting to infiltrate organizations by posing as potential employees. Heilman outlines three primary categories of such deceptive practices:

Fake Nation-State Workers:
- Tactic: Individuals impersonate IT professionals from hostile nations (e.g., North Korea) to gain access to sensitive organizational data or install malicious software.
- Impact: Data theft or creating backdoors for further cyber intrusions.
Overextended Remote Employees:
- Tactic: Employees are hired across multiple organizations, resulting in divided attention and reduced productivity.
- Impact: Not inherently malicious but poses risks to organizational efficiency and data integrity.
Outsourced Malicious Employees:
- Tactic: Individuals are hired by multiple organizations and outsource their roles to external actors in other countries without the employing organization's knowledge.
- Impact: Undetected access and potential for significant harm to organizational security.

Personal Experience: Heilman recounts a specific incident where an applicant displayed multiple red flags:

Discrepancies Between Email and Name: The candidate's email did not match their purported identity. (17:08)
False Technological Claims: Claimed proficiency with technologies released after the stated experience period. (17:08)
Suspicious Background: The candidate's background suggested a call center environment rather than a professional setting. (17:08)

These combined indicators prompted Heilman and his team to terminate the hiring process.

Prevalence of the Issue: Heilman cites a 73% increase in discussions regarding this topic among senior executives, indicating a widespread and growing problem across industries.

Recommendations: Heilman emphasizes the necessity of closer collaboration between HR and IT departments to:

Verify Candidate Information: Cross-check names, email addresses, and phone numbers.
Conduct Thorough Background Checks: Identify discrepancies and validate credentials.
Utilize AI Tools: Detect AI-generated or modified profile pictures.
Monitor IP Addresses: Ensure candidates are connecting from legitimate locations.
Physical Verification: Confirm shipping addresses and, if feasible, arrange in-person meetings.

Notable Quotes:

"In today’s remote work environment, hiring processes must evolve to prevent malicious actors from gaining access to our organizations," remarked Marshall Heilman. (19:50)

"It's crucial to establish stringent verification protocols to safeguard against these deceptive recruitment practices," added Heilman. (21:15)

Heilman also references dtech Systems' blog post, "Insider Threat Advisory," which provides comprehensive guidelines for addressing potential insider threats at various employment stages.

OpenAI Considers Advertising as Revenue Stream

In a surprising development, OpenAI, the creator of ChatGPT, is exploring the integration of advertising into its platform as a means to bolster revenue streams. This move marks a significant shift from OpenAI's user-centric model towards a monetization strategy that could impact user experience.

Key Points:

Revenue Necessity: Despite an impressive valuation of $150 billion, OpenAI faces substantial operational costs, with a forecasted $5 billion expenditure.
Advertising Talent: The company is hiring veterans from Google and Meta, including its new Chief Product Officer, formerly an ad architect at Instagram.
User Experience Concerns: Integrating ads risks disrupting the seamless interaction that has endeared 250 million weekly users to ChatGPT.

Host’s Perspective: Dave Buettner expresses skepticism about the potential impact of advertising on user experience:

"Nothing ruins a seamless AI chat like a pop-up screaming about discount mattresses," he quips, highlighting concerns over intrusive ads. (23:45)

Company’s Stance: Sarah Fryer, OpenAI's CFO, assures that there are no active advertising plans yet and emphasizes a commitment to thoughtful implementation that doesn’t alienate users.

Implications: While advertising has proven lucrative for companies like Google, its application in AI-driven platforms like ChatGPT remains uncertain. The introduction of ads could potentially undermine the user-centric design, leading to diminished user satisfaction and engagement.

Conclusion

This episode of CyberWire Daily underscores the critical importance of international cooperation in combating cybercrime, the necessity of robust security measures to protect against evolving threats, and the challenges posed by nation-state actors infiltrating organizations through deceptive recruitment practices. Additionally, the potential monetization strategies of leading AI companies like OpenAI highlight the ongoing tension between revenue generation and user experience in the technology sector. As digital landscapes continue to evolve, the collective efforts of global institutions, private enterprises, and cybersecurity experts remain pivotal in ensuring safer digital spaces for all.

References:

For more detailed insights, listeners are encouraged to visit the CyberWire daily briefing.
Read Marshall Heilman’s in-depth analysis in the dtech Systems Insider Threat Advisory.

Loading summary

Transcript17 lines

[00:02]
Dave Buettner
You're listening to the Cyberwire network powered by N2K. Now a word about our sponsor, the Johns Hopkins University Information Security Institute. The JHU ISI is home to world class interdisciplinary experts dedicated to developing technologies to protect the world's vast online systems and infrastructure and working closely with US Government research agencies and industry partners. The Institute offers dual degree and joint programs in computer science and health informatics and has been designated as a Center of Academic Excellence in Cyber Research. Learn more at isijhu.edu a major cybercrime crackdown by Interpol nabs hundreds of suspects and millions in stolen funds Zabbix has disclosed a critical SQL injection vulnerability. A novel phishing campaign exploits Microsoft Word's file recovery feature. Researchers track the Rockstar 2 FA phishing toolkit. Critical vulnerabilities are found in Advantech's industrial wireless access points. North Korea's Kim Suki hacking group shifts their tactics. The UN forms an advisory body to address growing threats to critical undersea cable infrastructure. The UK is laser focused on AI security research. Russian authorities arrest the Wazawaka ransomware affiliate. Our guest is Marshall Heilman, CEO of dtech Systems, sharing his experience with a nation state actor's attempt to gain employment at his company and OpenAI opens the door for incredification. It's Monday, December 2, 2024. I'm Dave Buettner and this is your Cyberwire Intel Briefing. Good day and Happy Monday to you all. If you are here in the US I hope you had a relaxing Thanksgiving break. It's good to be back. An international cybercrime crackdown led by Interpol targeted cyber enabled fraud across 40 countries between July and November of this year. Operation Hikey 5 resulted in over 5,500 arrests and the seizure of $400 million in stolen funds encompassing virtual assets and government backed currencies. It focused on crimes such as voice phishing, romance scams, online sextortion, investment fraud, illegal gambling, business email compromise and e commerce fraud. A notable achievement occurred in East Asia where South Korean and Chinese authorities dismantled a voice phishing network linked to $1.1 billion in losses. The scammers impersonating police victimized over 1900 individuals, leading to 27 arrests. In another high profile case, Singaporean police intercepted $39.3 million of a $42.3 million sum stolen through business email compromise. Seven suspects were apprehended and $2.6 million in additional funds recovered. Key to these successes was Interpol's Global Rapid Intervention of Payments initiative, enabling swift action to halt stolen funds in transit. This operation, supported by the South Korean government, is the fifth in the Hikey series, achieving record results compared to the previous operation, including nearly double the number of solved cases and tripling the blocked virtual asset accounts. Interpol's Secretary General emphasized the importance of international cooperation in combating the borderless threat of cybercrime, highlighting the devastating impacts on individuals and businesses alike. Open Source Enterprise Network monitoring solution Zabbix has disclosed a critical SQL injection vulnerability exploitable by non admin users with API access. It allows attackers to escalate privileges and Compromise systems. Over 83,000 Internet exposed servers are at risk. Patches were released in July and users should update immediately. No active exploitation has been reported. A novel phishing campaign exploits Microsoft Word's file recovery feature by using intentionally corrupted Word documents to bypass email security software. These attachments, disguised as HR or payroll related files, evade detection due to their damaged state but remain recoverable by Word. Once opened, the document prompts users to recover the file displaying a phishing message instructing them to scan a QR code which redirects to a fake Microsoft login page to steal credentials. The campaign, identified by any run, embeds base64 encoded strings and file names to obfuscate intent. The attachments lack malicious code, helping them avoid antivirus detection. On platforms like VirusTotal, recipients are urged to remain vigilant, delete suspicious emails, and confirm unexpected messages with administrators. To avoid falling victim to this tactic, researchers from Trustwave have linked the advanced phishing toolkit Rockstar2FA to a rise in adversary in the middle phishing attacks targeting Microsoft 365 users. This toolkit creates fake login pages to harvest credentials and bypass multifactor authentication using adversary in the middle techniques to intercept session cookies. Campaigns have escalated since August of this year, leveraging car themed web pages and domains with over 5,000 hits since May. Rockstar2FA, a phishing kit offered as a service for $200, features two FA Bypass Anti Bot protections, randomized codes, and telegram bot integration, making it attractive to cybercriminals. Phishing emails use themes like HR alerts, document sharing, and MFA lures, often evading detection by exploiting trusted platforms and obfuscation methods. Experts warn these cost effective kits enable credential theft, account takeovers and business email compromise. Researchers at Nozomi Networks Labs identified 20 critical vulnerabilities in Advantech's industrial wireless access points, widely used in critical infrastructure. The flaws allow remote code execution with root privileges and denial of service attacks. Even without authentication, vulnerabilities also enable lateral movement across networks and exploit wireless data packet management scripts. Firmware updates have been released to address the issues. South Korean researchers have uncovered a shift in the tactics of the North Korean hacking group Kim Suki, which now employs malware less phishing attacks to evade endpoint detection and response systems. These attacks focus on researchers and organizations studying North Korea using phishing emails that impersonate entities such as financial institutions and public agencies. A notable change is Kim Suki's switch from Japanese to Russian email services, making their campaigns harder to detect. They also leverage domains from free Korean registration services and fabricate phishing sites using themes tied to financial matters. These phishing Attempts often include URLs without malware, making them harder to flag as threats. The United nations, alongside the International Telecommunication Union and the International Cable Protection Committee, has formed the International Advisory Body for Submarine Cable Resilience to address growing threats to critical undersea cable infrastructure. Submarine cables handle over 99% of global data exchanges, making their security vital. The advisory body will focus on enhancing cable protection, promoting best practices and ensuring timely repairs. The initiative follows recent incidents, including damage to cables connecting Finland, Germany, Sweden and Lithuania under investigation for possible sabotage. The ICPC reports 150 to 200 annual cable damage incidents, mainly from ship anchors, fishing or natural disasters necessitating weekly repairs. The 40 member body, co chaired by Nigeria and Portugal, will meet twice annually, working with industry experts. The US has also launched projects to bolster cable security, including partnerships with Pacific island nations. The UK has launched the Laboratory for AI Security Research Laser, or maybe I should say Laboratory to combat nation state cyber threats, particularly from adversaries like Russia. Initially funded with $10.3 million from the government, the lab expects additional support from private sector partners. LASER aims to harness artificial intelligence to bolster cybersecurity and intelligence capabilities, collaborating with organizations like gchq, the Alan Turing Institute and top universities such as Oxford and Queen's University Belfast. The lab also seeks international partnerships, including with NATO and Five Eyes allies. Chancellor Pat McFadden highlighted AI's dual role in amplifying cyber threats and enabling advanced defense tools. Laser's creation reflects the UK's commitment to addressing emerging AI driven cyber challenges as part of a broader global strategy. Russian authorities have reportedly arrested Mikhail Matveev, also known as Wazawaka, a high profile ransomware affiliate linked to groups like Babuk, Conti, Darkside, Hive and Lockbit. Matveev faces charges under Russia's Article 273 for creating malware to extort commercial organizations by encrypting data and demanding ransomware. If convicted, he could face up to four years in prison or fines. MeTV, indicted by the US in 2023 and offered a $10 million bounty by the State Department, allegedly participated in major attacks, including the 2021 ransomware attack on Washington, D.C. s Metropolitan Police Department. Despite his crimes, he previously claimed to live freely in Russia. Russia rarely prosecutes domestic hackers, especially those targeting foreign entities, but recent arrests, including members of Revil and Sugar Locker, suggest a possible shift in strategy. I can't resist putting this out there. Waza Waka, a Russian threat actor. I mean, we've gotta go with Fozzie Bear, right?
[12:06]
Marshall Heilman
Waka Wak.
[12:16]
Dave Buettner
Coming up after the break, my conversation with Marshall Heilman from dtech Systems about his experience with a nation state actor attempting to gain employment at his company and OpenAI opens the door for.
[12:44]
Sponsor Representative
And now a word from our sponsor, KnowBefore. It's all connected and we're not talking conspiracy theories when it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's security coach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco. 35 vendor integrations and Counting Security Coach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real time coaching campaigns targeting risky users based on those events from your network, endpoint, identity or web security vendors. Then coach your users at the moment the risky behavior occurs with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more@knowbefore.com SecurityCoach that's knowbefore.com SecurityCoach and we thank KnowBe4 for sponsoring our show.
[14:17]
Dave Buettner
And now a message from Black Cloak. What's the easiest way for threat actors to bypass your company's cyber defenses targeting your executives at home? According to the latest Poneman research study, over 42% of CISOs have reported cyber attack on their executives in their personal lives and this becomes your problem because executives are easy targets at home for account takeover, credential theft and reputational harm. Close the at home security gap with Black Cloak's digital executive protection platform award winning 247365 protection for executives and their families learn more at BlackCloak I.O. marshall Heilman is CEO of D Tex Systems. We recently got together to chat about his experience with a nation state actor's attempt to gain employment at his company.
[15:21]
Marshall Heilman
So there's really three different aspects of this. From my perspective, what has gotten a lot of attention recently is the fake North Korean IT worker, right? There's been a bunch of articles that have come out of that. We know that it's affecting a large number of companies, especially high technology companies. And so essentially what is happening with these situations that there are North Korean workers getting hired into organizations in IT positions where they have significant access into an organization and then what these IT workers are then able to do is either take data to send back to their home country or in some cases they're able to install software that allows other entities from their home country to gain access to their organization to do whatever damages that they want to do. So that's really the first aspect of the safe worker. The second aspect that we see a lot of as well is where in today's remote world or remote environment, we see some employees going, getting hired at multiple companies. And so while they're not necessarily malicious in nature, what they're doing is not spending a lot of time working at the organization that's paying them because they're having to split their time between three or four jobs. So that's the second category. And the third category that we see are employees who get hired at an organization. Sometimes they'll get hired at 10, 12, 15 organizations and they outsource their job to somebody else in another country. And what you have then is a, you know, a worker that now has access into an organization that the organization has no control over. They don't know who that is, and it's not the person that they believe that they hired. And that is obviously malicious in nature. So from my perspective, those are the three main pillars of this particular issue that we see today.
[17:01]
Dave Buettner
Well, and on top of that, I mean, it's my understanding that you and your colleagues there had a run in with this sort of thing yourselves.
[17:09]
Marshall Heilman
We did, yes. Interestingly enough is right around the same time as the Know before article that came out that really, you know, launched this into mainstream. But yes, we had an individual who applied for a job and as we're going through the interview process, we spotted some, some discrepancies and ultimately there were enough discrepancies that we decided to shut down the interview process and not move forward with the candidate any further. Some, you know, some, some of the specifics around there that we saw is, you know, for one, what we noticed is that the email address that the individual used did not match the name that he used in a very, let's say, obvious sort of way. And so it was clear that there's something off there. And that could be a mistake, or it could just be someone has a funny email address. But in this particular case, paired with the other things we saw, it was a red flag for us. A second thing that we saw is this particular individual claimed to have used a technology in a certain year, but one of our interviewers correctly recognized that that particular technology had not been released until a couple years afterwards when the person said to use it. So that was obviously, obviously fake.
[18:14]
Dave Buettner
Right.
[18:15]
Marshall Heilman
The employee or this individual claimed to work at an organization and leverage certain technologies that really didn't make sense for the organization he said he was employed at to have used. So that set off another red flag. And then really, the final flag that we saw before we decided to terminate the interviews was this particular individual is using a geometric background. And as you know, on these calls, you can always see a little bit what's behind the person as they're moving around. And it was pretty obvious that they were in some type of a call center. They definitely were not sitting at a home office. And so when you put those four pieces of information together, what you have as a candidate is probably not who they say they are.
[18:51]
Dave Buettner
Wow. Do you have any sense for how widespread this actually is?
[18:57]
Marshall Heilman
So I personally, I don't. I know from talking with all the senior level executives that I speak with, it is an ongoing problem at pretty much every company I talk to. I know Amanda in the crowdstrike have done some reporting talking about just how widespread this problem actually is. I believe in the companies that we've spoken to, we've seen a 73% or so increase in the number of conversations around this particular topic at the organizations that we talk to on a regular basis. So I think it's probably more widespread than initially thought.
[19:28]
Dave Buettner
Well, what are your recommendations then? I mean, in this world where so many people want to work remotely, how do we enable that but also manage this potential problem?
[19:40]
Marshall Heilman
Yeah, and that's a great question. You know, remote work is fantastic. I'm a. I'm a remote worker myself. And so. And so I think, you know, finding the way to get this right is really important. So there's a couple obvious things we can do when it comes to looking at a candidate's resume. As I said, just trying to trying to match their name against their email address against the phone number they give. Like, you know, that's the basic thing. When you're doing a background check, make certain that there's no red flags or come back on the. On the background check. When an individual submits his picture or their picture, I should say, I think it's important to leverage some of the myriad of AI tools out there that exist nowadays to try and detect whether picture was AI generated or modified or not. Those are some things you can do when conducting an interview. I think it's really important to always have the camera on so you always see the person that you're talking to and you can match up who you see against the picture that they're using. It also allows you to see through their background whether they're sitting in an area that seems to be where they say they are or whether they're very obviously in a call center. If companies are comfortable with it, they can ask the individual not to leverage the background so they can see exactly where they are. I think it's important afterwards to look at the IP address that the individual connected from to see if they're on any known watch list. Is it a malicious IP address or is it an IP address? Maybe that is in Texas when the person claimed they're in Maine. And that seems like a very unlikely scenario and something you can ask the candidate to explain. And then once you've made a decision to hire the individual, you can do things like when you ship out the computer to the address to the persons listed, you want to make sure that the address you're shipping the computer to is the same one that they claim they're actually living at. If there's a discrepancy there, you obviously want to investigate why. You can also have, you know, if you have employees in the area where the individual is located, you can have them go and have a quick coffee or meet up with the individual to make certain that they, you know, the person that you are meeting is actually there locally and not in some other country or some other area. And I think to give even, even more detail, in a very logical fashion, we, we at Detects released a blog that we call an insider threat Advisory. And we discuss at each different phase of the process. So pre employment or interview phase, pre employment, early stages of employment, later stage of employment, what you can be looking for to make certain that you as a company don't fall victim to this type of malicious activity.
[22:00]
Dave Buettner
You know, it seems to me like this really requires close coordination between the folks on the HR team and the folks in it. I mean, perhaps even earlier in this process than it had previously traditionally demanded.
[22:18]
Marshall Heilman
Yeah, absolutely. And I think again, as you correctly pointed out, in today's world where we allow remote work more than we ever have in the past, I think we have to think about how we go about recruit and hire and onboard employees differently than we have in the past. And that does mean close collaboration between HR and IT to make certain that the companies are hiring the people that they believe they're hiring into the organization and that those employees are as productive as they expect and need them to be.
[22:44]
Dave Buettner
That's Marshall Heilman from DTEx Systems. You can read more about this incident in a blog post from DTEx will have a link in the show Notes do you know the status of your compliance controls right now? Like right now? We know that real time visibility is critical for security, but when it comes to our GRC programs, we rely on point in time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the Vanta brings automation to evidence collection across 30 frameworks like SoC2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com cyber that's vanta.com cyber for $1,000. And finally, it was bound to happen. OpenAI, the company that wowed us all with ChatGPT, is considering, wait for it, Advertising. Yes, folks, the tech darling that made us believe in the magic of AI might just join the dark side of Internet monetization, trading user delight for ad revenue The Financial Times reports that OpenAI's CFO Sarah Fryer confirmed the company is exploring ads as a potential revenue stream. While she insists there are no active plans yet, the writing on the wall is as clear as a programmatic banner ad. They're hiring ad veterans from Google and Meta, and their chief product officer is Instagram's former ad architect. Friar assures us they'll be thoughtful about ads, but isn't that what they all say? This isn't just a cash grab, It's a necessity. OpenAI may be pulling in $4 billion annually, but training cutting edge AI models is an expensive endeavor. They're burning through cash faster than you can say monetization strategy, and with a $5 billion spend forecast. Even their enviable $150 billion valuation needs some heavy lifting. To be fair, ads work wonders for companies like Google. But let's be real, nothing ruins a seamless AI chat like a pop up screaming about discount mattresses. OpenAI claims it'll be careful not to alienate its 250 million weekly users. Let's hope so, because once the ad floodgates open, there's no going back. After all, when has thoughtful advertising ever lived up to the promise? And that's the Cyberwire. For links to all of today's stories, check out our daily briefing@the cyberwire.com don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show. Every week you can find Grumpy Old Geeks, where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwiren2k.com we're privileged that N2K Cyberwire is part of the daily routine of the most influential leaders and operators in the public and private sector. From the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies, N2K makes it easy for companies to optimize your biggest investment your people. We make you smarter about your teams while making your team smarter. Learn how@n2k.com this episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Iban. Our executive editor is Brandon Karp. Simone Petrella is our president, Peter Kilpie is our publisher, and I'm Dave Vintner. Thanks for listening. We'll see you back here tomorrow. Hey everybody, Dave here. I want to talk about our sponsor, LegalZoom. You know, I started my first business back in the early 90s and oh, what I would have done to have been able to have the services of an organization like LegalZoom back then. Just getting all of those business ducks in a row, all of that technical stuff, the legal stuff, the registrations of the business, the taxes, all of those things that you need to go through when you're starting a business. The hard stuff, the stuff that sucks up your time when you just want to get that business launched and out there. Well, LegalZoom has everything you need to launch, run and protect your business all in one place and they save you from wasting hours making sense of all that legal stuff. Launch, run and protect your business. To make it Official today@legalzoom.com you can use promo code CYBER10 to get 10% off any LegalZoom business information product, excluding subscriptions and renewals that expires at the end of this year. Get everything you need from setup to success@legalzoom.com and use promo code CYBERTEN. That's legalzoom.com and promo code CYBER10. Legalzoom provides access to independent attorneys and self service tools. Legalzoom is not a law firm and does not provide legal advice except where authorized through its subsidiary law firm LZ Legal Services llc.