Trump Scales Back Biden's Product Security Demands

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Push Security.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Steady as she goes

An executive order signed by US President Donald Trump has scaled back the US government's cyber security ambitions. It has dropped a range of provisions that would encourage organisations to adopt more stringent security standards. 

The order largely takes aim at directives issued in January of this year by then-President Joe Biden. One part of that January order stipulated that the government "identify a coordinated set of practical and effective security practices to require when it procures software" and that vendors follow those practices. Trump's order keeps the standards development part, but ditches the need for vendors to actually adhere to them.

Biden's order also strongly emphasised the rollout of post-quantum cryptography (PQC), encryption systems that are not susceptible to attacks by quantum computers. Rather than being told to transition to PQC as soon as practicable, federal agencies have now been instructed to prepare to transition to PQC. 

So, Trump's order doesn't abandon the initiatives entirely, but it removes incentives that would drive federal agencies and private sector vendors to update their security practices.

So it's less full speed ahead and more steady as she goes. 

Axios has a summary of the changes and Eric Geller posted a paragraph by paragraph comparison of the two executive orders on Bluesky.

The White House fact sheet accompanying Trump's order says Biden imposed "unproven and burdensome software accounting processes that prioritised compliance checklists over genuine security investments". 

Biden's improvement efforts are unproven, but that's because they were long-term efforts intended to shift software development incentives over time. They were never going to pay off overnight.   

To us, it seems the animating principle behind President Biden's cyber security policy was: the free market alone does not result in secure products, so the federal government needs to step in to actively encourage improvement.

In this order at least, the Trump administration has abandoned that principle. That is a shame. 

North Korea Is Using AI to Power Its Fake IT Worker Scams 

Two reports from AI giants OpenAI and Anthropic suggest that attempts to use LLMs for influence campaigns and cyber operations are falling flat, but AI is turbocharging fake IT worker scams. 

A case study in last week's OpenAI report looks at how its tools were utilised in a North Korean IT worker scam. In February, OpenAI said its technology was being used manually in "each step of the recruitment process with different deceptive practices, all designed to be mutually supporting". 

Now, it says the activity has become highly automated. A group of "core operators" are using AI to automate resumé creation and "systematically fabricate detailed resumes aligned to various tech job descriptions, personas, and industry norms". The operators use looping scripts to generate consistent work histories, educational backgrounds and references. 

These "core operators" also used AI to help build tools to track and manage job applications, research remote-work setups that could circumvent corporate security measures, and to help recruit people in North America to run laptop farms. 

OpenAI says a different set of "contractor operators" use AI to help complete job application tasks such as real-time interview questions and coding assignments. 

The company "cannot independently assess the success of these operations", but by all accounts the North Korean IT worker scam is pretty successful. Given how much those responsible have ramped up their use of AI, we're willing to bet it has been a valuable addition to North Korea's toolkit. 

By contrast, in the cyber operations that OpenAI identified, threat actors used AI to speed up development work and operational workflows. Overall it appears that AI technologies were simply a nice-to-have. 

Anthropic's report gave some interesting details about other malicious activity that's falling flat. It looked at an influence-as-a-service provider that was using Anthropic's Claude model to manage four distinct campaigns. It says Claude:

  1. Maintained detailed political alignment guidelines for each persona
  2. Evaluated whether drafted content aligned with each persona's political viewpoints
  3. Decided how to react to content posted by other users according to the persona's legend
  4. Generated appropriate responses in the persona's voice and native language
  5. Created prompts for image generation tools and evaluated their outputs, deciding whether the images were aligned with the instructions or should be regenerated.

The AI tech allowed the threat actor to "maintain continuity across platforms" and "establish consistent engagement platforms mimicking authentic human behaviour". It sounds good on paper, but according to Anthropic, the campaigns had "limited viral impact".

Reading between the lines of both these reports, it seems like you can use AI to fool some people sometimes. When your targets are recruitment managers and potential scam victims, that "sometimes" is still valuable. 

But, to steal a line from Bob Marley, you can't fool all the people all the time.

These Guys Are Going to Die Lol

A classified document stolen from Russia's FSB has wound up in the hands of The New York Times thanks to an online group looking to promote its espionage-as-a-service offering. The document also happens to be interesting. 

It appears to be from an FSB counterintelligence unit and warns that China is a serious threat to Russia's national security. Per The New York Times:

Its officers say that Beijing is increasingly trying to recruit Russian spies and get its hands on sensitive military technology, at times by luring disaffected Russian scientists.
The intelligence officers say that China is spying on the Russian military's operations in Ukraine to learn about Western weapons and warfare. They fear that Chinese academics are laying the groundwork to make claims on Russian territory. And they have warned that Chinese intelligence agents are carrying out espionage in the Arctic using mining firms and university research centers as cover.

This is not surprising, although it is interesting to hear it directly from Russian intelligence sources. The Times says the "threats are laid out in an eight-page internal FSB planning document… that sets priorities for fending off Chinese espionage". 

Incredibly, the document was provided to The Times by an online crime group known as Ares Leaks. In November, the group advertised on Telegram that it had classified documents from the FSB for sale. The New York Times says that it does not pay sources or buy stolen documents, but will take documents "that are provided without cost or strings attached". 

In this case, Ares Leaks provided snapshots of Russian intelligence documents and, most important, a complete FSB counterintelligence document about China. More documents were available, the group said, for a negotiable price paid in the cryptocurrency Monero. 

The document appeared legitimate according to six Western intelligence agencies The New York Times consulted. 

Cyber security firm Analyst1 told The Times that Ares Leaks originally sold hacked corporate databases and now also sells sensitive government documents. It advertises to buy government or military information from a variety of governments including Russia, China, France, Britain and Japan. It previously advertised US secrets for sale.

We're not sure it’s the best idea to sell Russian state secrets on Telegram. There are constant rumours that Russian intelligence agencies have access to the service, including a new report this week that links the messenger's infrastructure with companies that work for the Russian defence and intelligence sector. These guys are highly likely to come down with a serious case of the windows.

We think buying stolen material from this group will actually be tempting to all sorts of governments across the geopolitical spectrum, even if it's unlikely to be a game changer for competent intelligence services. That could make it a nice little earner for Ares Leaks, which is offering the entire cache of Russian documents for USD$120,000. 

Three Reasons to Be Cheerful This Week:

  1. Nine Chinese cyber scammers convicted in Nigeria: The nine were sentenced to a year each in prison for their roles in recruiting and training young Nigerians to carry out online frauds such as romance and investment scams. The nine were arrested together with 780 other suspected scammers in a raid of a Lagos commercial premises. The Record has further coverage.
  2. Spyware maker Paragon Solutions cuts ties with Italian government: The Israeli spyware maker cut ties with the Italian government after reports the government had targeted journalists and activists. Paragon says the Italian government refused its help investigating the alleged abuses. It is good to see consequences after reports of abuse. Further coverage at TechCrunch.   
  3. DanaBot flaw used in takedown: Researchers from security firm Zscaler have described a DanaBot command and control server memory leak that they used to get unique visibility into the internal operations of the malware. This information was used in the Operation Endgame takedown a few weeks ago.  

In this sponsored interview, Casey Ellis interviews Push Security co-founder and Chief Product Officer Jacques Louw about how good phishing crews have gotten at evading detection.

Attackers are hiding their payloads behind legitimate bot-detection tools to stop things like email security gateways from seeing them, as well as locking up phishing pages behind OAuth challenges.

Push sees all this because it’s installed as a browser plugin and sees what users see.

In this on-demand webinar, Push Security VP of R&D Luke Jennings walks you through the common TTPs used by the Scattered Spider group this year and how you can defend against them.

Shorts

The SEC's Edgar Hack

Bloomberg has an interesting long read about the hack of the US Securities and Exchange Commission's Edgar database. A Ukrainian criminal group breached the database and made money by trading on information that had not yet been made public.

The main hacker involved, Ukrainian woman Olga Kuprina (aka Ghost in the Shell), cooperated with the Department of Justice. She has since resettled in the United States and now works in cyber threat intelligence.

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq take a deep dive into the hackers of Unit 29155, Russian military intelligence's sabotage and assassination group.

From Risky Bulletin:

SentinelOne avoids a Chinese APT hack: Cybersecurity firm SentinelOne says it narrowly avoided getting hacked by Chinese government hackers after an APT breached one of its IT vendors that handled hardware logistics for its employees.

The company said it detected and stopped the intrusion before it reached its network.

The incident took place at the start of the year, months after SentinelOne also observed extensive reconnaissance of its internet-exposed servers.

SentinelOne attributed the attacks to a cluster of activity linked to Chinese state hackers. Activity from the same cluster, which SentinelOne called PurpleHaze, also hit a South Asian government organization, a European media organization, and over 70 other organizations across different sectors.

EU launches private DNS service: The EU last week launched its own DNS service, with versions for government agencies, telcos, and home users.

The DNS4EU service is designed to provide a secure and privacy-focused DNS resolver for the EU bloc as an alternative to US and other foreign services.

DNS4EU is more than a regular DNS resolver. It comes with built-in DNS filters for malicious and malware-linked domains that prevent users from connecting to known bad sites.

APTeens go after Salesforce data: A new hacking group that spawned out of TheCom has breached over 20 companies and stolen their Salesforce data for extortion attempts.

The group, which Google calls UNC6040, operates by calling employees at large companies and posing as their IT support—a now tried and tested technique that's being abused by multiple other threat actors.

The end goal is to get victims to install a modified version of the Salesforce Data Loader app that grants the group's members access to a company's Salesforce backend databases. Once approved, UNC6040 then silently exfiltrates data, which they later use to extort companies by posing as a more famous hacking group and data leaker named ShinyHunters.
