Cybersecurity

Vanuatu PM visits Huawei to view policing technology

Vanuatu Prime Minister Charlot Salwai visited Huawei’s headquarters in Shenzhen to explore surveillance technology aimed at enhancing policing and reducing criminal activity, his office announced on Tuesday. The visit is part of Salwai’s trip to China before attending a Pacific Island leaders meeting in Japan next week.

China is Vanuatu’s largest external creditor and a major provider of infrastructure. Australia, Vanuatu’s biggest aid donor and policing partner, has expressed concerns about China’s expanding security influence in the Pacific Islands, especially after a policing equipment deal with Vanuatu and a security pact with the Solomon Islands.

Huawei has supplied digital systems to cities like Port Vila, Vanuatu’s capital, to help lower crime rates. However, Vanuatu’s police currently use something other than Huawei’s surveillance system despite the need for a data centre to support such technology. Australia has banned Huawei from its 5G network on national security grounds and has funded subsea telecommunications cables in the Pacific Islands to counter Huawei’s influence, a move Beijing has criticised as discriminatory.

Microsoft employees in China to use iPhones

Microsoft has announced plans to provide Apple iOS devices to its employees in China so they can access authentication apps due to the unavailability of Google’s Android services in the country. This move, part of Microsoft’s global Secure Future Initiative, aims to mitigate security risks highlighted by recent breaches, including a high-profile hack by Russian hackers earlier this year.

Bloomberg News first reported that Microsoft, starting in September, will instruct its employees in China to use Apple devices at the workplace. The decision is driven by the absence of the Google Play Store in China, which limits employees’ access to essential security apps like Microsoft Authenticator and Identity Pass.

A Microsoft spokesperson confirmed the shift, emphasising the need for reliable access to required security apps. The company, which has operated in China since 1992 and maintains a significant research and development centre there, will provide iPhone 15 models to employees currently using Android handsets across China, including Hong Kong.

Australia accuses China-backed APT40 of cyberattacks on national networks

Australia’s government cybersecurity agency has pointed fingers at a China-backed hacker group, APT40, for pilfering passwords and usernames from two undisclosed Australian networks back in 2022. The Australian Cyber Security Centre, in collaboration with leading cybersecurity agencies from the US, Britain, Canada, New Zealand, Japan, South Korea, and Germany, released a joint report attributing these malicious cyber operations to China’s Ministry of State Security, the primary agency overseeing foreign intelligence. Despite these claims, China’s embassy in Australia refrained from immediate comments on the matter, dismissing the hacking allegations as ‘political manoeuvring’.

The accusations against APT40 come in the wake of previous allegations by US and British officials in March, implicating Beijing in a large-scale cyberespionage campaign that targeted a wide range of individuals and entities, including lawmakers, academics, journalists, and defence contractors.  Moreover, New Zealand also reported on APT40’s targeting of its parliamentary services and parliamentary counsel office in 2021, which resulted in unauthorised access to critical information.

In response to these cyber threats, Defence Minister Richard Marles emphasised the commitment of the Australian government to safeguard its organisations and citizens in the cyber sphere. The attribution of cyber attacks marks a significant step for Australia, signalling its proactive stance in addressing cybersecurity challenges. The timing of this report is noteworthy as Australia and China are in the process of repairing strained relations following tensions that peaked in 2020 over the origins of COVID-19, leading to retaliatory tariffs imposed by Beijing on Australian exports, most of which have now been lifted.

The identification of APT40’s cyber activities stresses the persistent threat posed by state-sponsored hacker groups and the critical importance of robust cybersecurity measures to protect sensitive information and national security. The incident serves as a reminder of the importance of joint attribution networks and international cooperation in combating cyber threats.

Thousands of event tickets leaked because of Ticketmaster hack

In an ongoing extortion scheme targeting Ticketmaster, nearly 39,000 print-at-home tickets for 150 upcoming concerts and events featuring artists like Pearl Jam, Phish, Tate McCrae, and Foo Fighters have been leaked by threat actors. The person responsible, known as ‘Sp1derHunters,’ is the same individual who sold data stolen from recent data breaches targeting Snowflake, a third-party cloud database provider.

The chain of events began in April when threat actors initiated the download of Snowflake databases from over 165 organisations using stolen credentials acquired through information-stealing malware. Subsequently, in May, a prominent threat actor named ShinyHunters started to sell the data of 560 million Ticketmaster customers, allegedly extracted from Ticketmaster’s Snowflake account. Ticketmaster later verified that their data had indeed been compromised through their Snowflake account.

Initially, the threat actors demanded a ransom of $500,000 from Ticketmaster to prevent the dissemination or sale of the data to other malicious actors. However, a recent development saw the same threat actors leaking 166,000 Taylor Swift ticket barcodes and increasing their demand to $2 million.
In response to the situation, Ticketmaster asserted that the leaked data was ineffective due to their anti-fraud measures with a system that continuously generates unique mobile barcodes. According to Ticketmaster, their SafeTix technology safeguards tickets by automatically refreshing barcodes every few seconds, making them impervious to theft or replication.

Contrary to Ticketmaster’s claims, Sp1d3rHunters refuted the assertion, stating that numerous print-at-home tickets with unalterable barcodes had been stolen. The threat actor emphasised that Ticketmaster’s ticket database has online and physical ticket types, such as Ticketfast, e-ticket, and mail, which are printed and cannot be automatically refreshed. Instead, they suggested that Ticketmaster must invalidate and reissue the tickets to affected customers.

The threat actors shared a link to a CSV file containing the barcode data for 38,745 TicketFast tickets, revealing ticket information for various events and concerts, including those featuring Aerosmith, Alanis Morissette, Billy Joel & Sting, Bruce Springsteen, Carrie Underwood, Cirque du Soleil, Dave Matthews Band, Foo Fighters, Metallica, Pearl Jam, Phish, P!NK, Red Hot Chili Peppers, Stevie Nicks, STING, Tate McRae, and $uicideboy$.

AI cybersecurity in devices deemed high-risk by European Commission

AI-based cybersecurity and emergency services components in internet-connected devices are expected to be classified as high-risk under the AI Act, according to a European Commission document seen by Euractiv. The document, which interprets the relationship between the 2014 Radio Equipment Directive (RED) and the AI Act, marks the first known instance of how AI-based safety components will be treated under the new regulations. The RED pertains to wireless devices, including those using Wi-Fi and Bluetooth, beyond traditional radios.

Under the AI Act, high-risk AI systems will be subject to extensive testing, risk management, security measures, and documentation. The Act includes a list of use cases where AI deployment is automatically considered high-risk, such as in critical infrastructure and law enforcement. It also sets criteria for categorising other high-risk products, requiring third-party conformity assessments in line with sector-specific regulations. AI cybersecurity and emergency services components meet these criteria under the RED, thus being classified as high-risk.

Even in cases where the RED allows for self-assessment compliance with harmonised standards, these AI-based components are still deemed high-risk. The AI Act references numerous sectoral regulations that could classify AI products as high-risk, extending beyond electronics to medical devices, aviation, heavy machinery, and personal watercraft. The preliminary interpretation suggests that self-assessment standards are insufficient to remove the high-risk classification from AI products in these industries.

The AI Act imposes significant requirements on high-risk AI systems, while those not in this category face only minor transparency obligations. The Commission’s document is a preliminary interpretation, and the full application of the AI Act, which spans over 500 pages, remains to be seen. Despite initial estimates that 5-15% of AI systems would be classified as high-risk, a 2022 survey of EU-based startups indicated that 33-50% of these startups consider their products high-risk. Further interpretive work is needed to understand how the AI Act will impact various sectors.

Why does it matter?

The abovementioned proceedings highlight the European Commission’s stringent approach to regulating AI-based cybersecurity and emergency services in internet-connected devices. By classifying these components as high-risk, the AI Act mandates rigorous testing, security measures, and documentation, ensuring robust safety standards. This move underscores the EU’s commitment to protecting critical infrastructure and sensitive data and signals significant regulatory implications for various industries, potentially influencing global standards and practices in AI technology.

Microsoft details threat from new AI jailbreaking method

Microsoft has warned about a new jailbreaking technique called Skeleton Key, which can prompt AI models to disclose harmful information by bypassing their behavioural guidelines. Detailed in a report published on 26 June, Microsoft explained that Skeleton Key forces AI models to respond to illicit requests by modifying their behavioural guidelines to provide a warning rather than refusing the request outright. A technique like this, called Explicit: forced instruction-following, can lead models to produce harmful content.

The report highlighted an example where a model was manipulated to provide instructions for making a Molotov cocktail under the guise of an educational context. The prompt allowed the model to deliver the information with only a prefixed warning by instructing the model to update its behaviour. Microsoft tested the Skeleton Key technique between April and May 2024 on various AI models, including Meta LLama3-70b, Google Gemini Pro, and GPT 3.5 and 4.0, finding it effective but noting that attackers need legitimate access to the models.

Microsoft has addressed the issue in its Azure AI-managed models using prompt shields and has shared its findings with other AI providers. The company has also updated its AI offerings, including its Copilot AI assistants, to prevent guardrail bypassing. Furthermore, the latest disclosure underscores the growing problem of generative AI models being exploited for malicious purposes, following similar warnings from other researchers about vulnerabilities in AI models.

Why does it matter?

In April 2024, Anthropic researchers discovered a technique that could force AI models to provide instructions for constructing explosives. Earlier this year, researchers at Brown University found that translating malicious queries into low-resource languages could induce prohibited behaviour in OpenAI’s GPT-4. These findings highlight the ongoing challenges in ensuring the safe and responsible use of advanced AI models.

New Zealand transforms Christchurch Call into tech-supported NGO

New Zealand has made a significant shift in its approach to combating terrorist and violent extremist content (TVEC) online, transitioning the Christchurch Call to Action into a non-governmental organisation. Launched in response to the 2019 Christchurch mosque attacks, where the perpetrator live-streamed the violence on social media, the Call initially united governments, tech companies, and civil society to pledge 25 commitments aimed at curbing such content. In a strategic move, New Zealand has relinquished direct funding, now relying on contributions from tech giants like Meta and Microsoft to sustain its operations.

The decision reflects a broader strategy to preserve the Call’s multistakeholder model, which is essential for navigating complex global internet challenges without governmental dominance. That model mirrors successful precedents like the Internet Engineering Task Force and ICANN, which are pivotal to today’s internet infrastructure. By fostering consensus among diverse stakeholders, the Call aims to uphold free expression while effectively addressing the spread of TVEC online.

Former New Zealand Prime Minister Jacinda Ardern, now leading the Call as its Patron, faces the challenge of enhancing its legitimacy and impact. With new funding avenues secured, efforts will focus on expanding stakeholder participation, raising awareness, and holding parties accountable to their commitments. The initiative must also adapt to emerging threats, such as extremists’ misuse of generative AI tools, ensuring its relevance and effectiveness in combating evolving forms of online extremism.

French study uncovers Russian disinformation tactics amid legislative campaign

Russian disinformation campaigns are targeting social media to destabilise France’s political scene during its legislative campaign, according to a study by the French National Centre for Scientific Research (CNRS). The study highlights Kremlin strategies such as normalising far-right ideologies and weakening the ‘Republican front’ that opposes the far-right Rassemblement National (RN).

Researchers noted that Russia’s influence tactics, including astroturfing and meme wars, have been used previously during the 2016 US presidential elections and the 2022 French presidential elections to support RN figurehead Marine Le Pen. The Kremlin’s current efforts aim to exploit ongoing global conflicts, such as the Israeli-Palestinian conflict, to influence French political dynamics.

Despite these findings, the actual impact of these disinformation campaigns remains uncertain. Some experts argue that while such interference may sway voter behaviour or amplify tensions, the overall effect is limited. The CNRS study focused on activity on X (formerly Twitter) and acknowledged that further research is needed to understand the broader implications of these digital disruptions.

Crypto thefts surge in 2024

The first half of 2024 saw a significant surge in cryptocurrency thefts, with over $1.38 billion stolen by 24 June, compared to $657 million during the same period in 2023, according to blockchain researchers TRM Labs. The increase in stolen crypto, driven by a few large-scale attacks and rising crypto prices, highlights the growing motivation among cybercriminals. Ari Redbord, global head of policy at TRM Labs, noted that while the security of the crypto ecosystem hasn’t fundamentally changed, the higher value of various tokens has made crypto services more attractive targets.

One of the year’s largest thefts involved $308 million worth of bitcoin stolen from Japanese exchange DMM Bitcoin. Large-scale losses remain relatively rare, although cryptocurrency companies face hacks and cyberattacks frequently. The theft increase comes as crypto prices rebound from the lows following the 2022 collapse of FTX, with bitcoin reaching an all-time high of $73,803.25 in March.

In 2022, around $900 million in cryptocurrency was stolen, partly due to a major $600 million theft from a blockchain network linked to the game Axie Infinity. The US has attributed that theft to North Korean hackers, who the UN has accused of using cyberattacks to fund its nuclear and missile programs. However, North Korea has denied involvement in hacking activities.

International law enforcement coalition dismantles illegal uses of penetration testing tool used in ransomware

An international coalition of law enforcement agencies has dismantled hundreds of illegal installations of Cobalt Strike, a penetration testing tool frequently abused by state-sponsored and criminal hackers in ransomware attacks. The operation, coordinated by Britain’s National Crime Agency (NCA), targeted 690 IP addresses hosting illegal versions of the software across 27 countries.

Cobalt Strike, now owned by Fortra, was developed in 2012 to simulate hacker attacks on networks. However, its effectiveness has led to widespread abuse by malicious actors using pirated versions. The crackdown is part of broader efforts to combat ransomware gangs by disrupting critical points in their operations, similar to the recent seizure of bulletproof hosting provider LolekHosted.

In addition to legitimate uses, Cobalt Strike has been exploited by hackers linked to Russia, China, and North Korea. The NCA highlighted that pirated versions of the software, available on illegal marketplaces and the dark web since the mid-2010s, have become a preferred tool for network intrusions and rapid ransomware deployment.

Typically, unlicensed versions of Cobalt Strike are used in spear phishing campaigns to install beacons on target devices, allowing attackers to profile and remotely access networks. Its multifunctional nature, including command and control management, makes it a ‘Swiss army knife’ for cybercriminals and nation-state actors, according to Don Smith, VP of threat research at Secureworks Counter Threats Unit.

Europol confirmed Fortra’s significant efforts to prevent software abuse and its partnership throughout the investigation. Nevertheless, older versions of Cobalt Strike have been cracked and used by criminals, linking the tool to numerous malware and ransomware cases, including those involving RYUK, Trickbot, and Conti.