CyberSecurity News Byte

Hosted ByJim Guckin

Welcome to CyberSecurity News Byte with Jim Guckin, your one-stop resource for the latest cybersecurity news, updates, and discussions. Our podcast is a vital tool for CyberSecurity and IT professionals, as well as technology leaders, who need to stay on top of the ever-evolving digital landscape.

Episode 57: May 22 2023

Links

https://www.bleepingcomputer.com/news/security/cybersecurity-firm-dragos-discloses-cybersecurity-incident-extortion-attempt/

https://www.dragos.com/blog/deconstructing-a-cybersecurity-event/

https://www.helpnetsecurity.com/2023/05/19/cti-dark-web

https://www.bleepingcomputer.com/news/security/android-phones-are-vulnerable-to-fingerprint-brute-force-attacks/

https://www.infosecurity-magazine.com/news/experts-warn-of-voice/

Cybersecurity firm Dragos discloses security incident and extortion attempt

  • Dragos
    • Industrial cybersecurity company
    • May 10th Announced victim of a cyber incident
  • Incident
    • known cybercriminal group attempted and failed at an extortion scheme against Dragos
    • No Dragos systems were breached, including anything related to the Dragos Platform
    • group gained access by compromising the personal email address of a new sales employee prior to their start date, and subsequently used their personal information to impersonate the Dragos employee and accomplish initial steps in the employee onboarding process.
    • attackers downloaded “general use data” and accessed 25 intel reports that were usually only available to customers.
    • 16 hours they had access to the employee’s account
      • threat actors failed to also access multiple Dragos systems
        • messaging
        • IT helpdesk
        • Financial
        • request for proposal (RFP)
        • employee recognition
        • marketing systems
          • due to role-based access control (RBAC) rules.
        • prevented from accomplishing lateral movement, escalating privileges, establishing persistent access, or making any changes to the infrastructure
        • sent an extortion email to Dragos executives 11 hours into the attack
          • read 5 hours later because it was sent outside business hours.
        • Remediation
          • Five minutes after reading the extortion message
            • disabled the compromised user account
            • revoked all active sessions
            • blocked the cybercriminals’ infrastructure
          • Extortion
            • publicly disclose the incident in messages sent via public contacts and personal emails belonging to Dragos executives, senior employees, and their family members.

DarkBERT

  • Korea Advanced Institute of Science and Technology (KAIST)
    • data intelligence company S2W
  • Leverage Natural Language Processing (NLP)
    • deal with the threat landscape
  • DarkBERT
    • extensive pretraining on texts in English
      • approximately 6.1 million pages found on the dark web
        • researchers filtered out meaningless and irrelevant pages
      • efficacy was then compared to two popular NLP models
        • BERT, a masked-language model introduced by Google in 2018
        • RoBERTa, an AI approach developed by Facebook in 2019.
      • Use Case
        • Ransomware leak site detection
          • The three language models were tasked with identifying and classifying such sites, and DarkBERT outperformed the rest, “demonstrating [its advantages] in understanding the language of underground hacking forums on the dark web.”
        • Noteworthy thread detection
          • “Due to the difficulty of the task itself, the overall performance of DarkBERT for real-world noteworthy thread detection is not as good compared to those of the previous evaluations and tasks,” the researchers found.
          • the performance of DarkBERT over other language models shown here is significant and displays its potential in dark web domain tasks. By adding more training samples and incorporating additional features like author information, we believe that detection performance can be further improved.
        • Threat keyword inference
          • Researchers used the fill-mask function to identify keywords linked to (in this case) threats and drug sales on the dark web.
          • DarkBERT’s results in this particular tests were better than those of other tested variants.
        • Researchers found that DarkBERT outperforms other pretrained language models in all the tasks is has been presented with
          • “shows promise in its applicability on future research in the dark web
          • though more work and fine-tuning is required to make it more widely applicable.

BrutePrint, vulnerability to Brute Force Fingerprint Locks

  • Tencent Labs and Zhejiang University
    • Researchers presented a new attack called ‘BrutePrint,’ which brute-forces fingerprints on modern smartphones
    • Allow the bypass user authentication and take control of the device.
  • Attack
    • Brute-force attacks rely on many trial-and-error attempts to crack a code, key, or password and gain unauthorized access to a system
  • overcome existing safeguards on smartphones
    • attempt limits and liveness detection
    • zero-day vulnerabilities
      • Cancel-After-Match-Fail (CAMF)
      • Match-After-Lock (MAL).
    • fingerprint sensors’ Serial Peripheral Interface (SPI) were inadequately protected
      • allowing for a man-in-the-middle (MITM) attack to hijack fingerprint images.
      • BrutePrint and SPI MITM attacks were tested against ten popular smartphone models
        • unlimited attempts on all Android and HarmonyOS (Huawei) devices
        • ten additional attempts on iOS devices.
      • How it Works
        • attacker needs physical access to the target device
        • access to a fingerprint database
          • can be acquired from academic datasets or biometric data leaks
        • necessary equipment
          • costing around $15.
        • fingerprint matches use a reference threshold instead of a specific value
          • manipulate the False Acceptance Rate (FAR) to increase the acceptance threshold and create matches more easily
        • CAMF injects a checksum error in the fingerprint data to stop the authentication process at a pre-mature point.
          • allows the attackers to try out fingerprints on the target device while its protection systems won’t register failed attempts, hence giving them infinite tries.
        • The MAL flaw enables the attackers to infer authentication results of the fingerprint images they try on the target device, even if the latter is in “lockout mode.”

Voice Cloning-as-a-Service

  • voice cloning-as-a-service (VCaaS)
    • surging threat actor interest
    • streamline deepfake-based fraud.
  • Recorded Future
    • “I Have No Mouth and I Must Do Crime”
      • Threat intelligence analysis of chatter on the cybercrime underground.
    • Deepfake audio technology can mimic the voice of a target
      • spread mis- and disinformation and enhance the effectiveness of social engineering in business email compromise (BEC)-style attacks
    • out-of-the-box voice cloning platforms are available on the dark web
      • Some are free to use with a registered account while others cost little more than $5 per month
      • call-back scams and voice phishing are frequently mentioned in the context of such tools.