Merlin Labs Memo -- Week of April 17-21

DDoSing a Nation: Israel Under Cyberattack

The nation of Israel has been enduring a series of brute force DDoS attacks across private and government targets for the last week. These DDoS attacks are coupled with targeted penetrations that have included CheckPoint Firewalls, Ben-Gurion Airport, and Smart TVs across the nation, causing them to turn on in the middle of the night and play an anti-Israel propaganda video. Attackers are not only going after defacing websites, as they’ve done in the past, but are now targeting services with these attacks. Moreover, it is apparent that the attackers are receiving Russian backing.

Our Take: This is not the first time that Israel has endured a wave of cyberattacks. The new element is the way the attacks are targeting services and Russian involvement. With smart home controls, IoT devices, and cloud-based services taking hits, the impact is broader and deeper than the typical small-scale website defacement hack. To be sure, website defacements are ongoing, but the damage is being done against commercial and industrial devices that have previously escaped broad cyberattacks.?

Israel is a nation that faces constant cyber threats and has a robust culture of defense. Even so, in the face of service-focused attacks – and let’s not forget Russian backing – it’s facing more impacts in this wave of concerted attacks than in previous years. It’s likely that this is a cyber version of the old Arab-Israeli wars, where the USSR and USA tested their conventional arms through their Middle Eastern proxies. Now, it’s cyber-arms on the frontlines, the proxies include Iran, and those Israeli defenses are, in large part, the same as USA defenses. Israeli organizations have been able to mitigate damage because of their general levels of preparedness. We now have to ask, “how well prepared are USA cyberdefenses?” – Dean Webb ?

Additional Reading:

• New DDoS Attacks on Israel’s Enterprises, Infrastructure Should be a Wake-Up Call (TechRepublic)
• Iranian-Russian Cooperation on Hack Attacks May Challenge Israeli Cyber Supremacy (The Times of Israel)
• Quds Day Cyberattack Strikes Israeli banks, Red Alert App (The Jerusalem Post)

Storytelling is the Key to Cybersecurity

This is going to be a little different approach to ChatGpt and its influence on cybersecurity as an industry and as a double-edged sword. On one side, the storytelling capabilities are remarkable:

“Chat GPT can help enhance threat detection capabilities by analyzing large volumes of data and identifying potential cyber threats. It can analyze patterns in data to identify suspicious behavior and detect anomalies that may be indicative of a cyber attack” – Via Bootcamp

On the other side: “Cybersecurity researchers CyberArk?recently detailed ?how their researchers bypassed ChatGPT’s content filters and got it to create what they described as “functional code” to inject a DLL into explorer.exe. The researchers went on to use the chatbot to create polymorphic code that is difficult for anti-malware software to spot and deal with.” – Via InfoSys

Our Take: Since ancient times, humans have been natural storytellers, from recounting tales of mammoth hunts around a fire to sharing stories on social media today. Stories have a unique ability to bring together disparate pieces of information and create a cohesive narrative that explains the when, why, how, who, and what of an event. When writing incident reports as analysts, we also rely on storytelling to make sense of complex data and use it to inform future decisions.

While ChatGPT is a powerful tool that can be used for both good and bad purposes, its strength lies in its ability to weave data into a compelling story. Companies like Recorded Future have already begun using an internalized form of this generative AI to write incident reports with remarkable speed. By leveraging its storytelling capabilities, they are able to make sense of disparate data and create a more comprehensive understanding of cyber threats.

Of course, early versions of ChatGPT are not foolproof and there is the risk of exploitation in the future. However, the potential benefits of this tool in the field of cybersecurity are tremendous. As long as we remain cautious and responsible in our use of AI, it can help us protect digital assets and privacy more effectively.

I asked GPT what it thought: "As an AI language model, I agree that storytelling has been a fundamental part of human communication since ancient times. And, in the context of cybersecurity, the ability to create coherent narratives from scattered data points can be a game changer. The use of ChatGPT in incident reporting, as exemplified by Recorded Future, can help organizations detect, prevent, and respond to cyberattacks more effectively.

However, it's important to note that the effectiveness of ChatGPT or any other AI tool is not just based on its ability to generate stories but also on the quality of the data it's trained on and the algorithms it uses. AI is not a magic solution that can solve all problems, and there are risks and limitations that need to be addressed. For example, biases in the data or the model can lead to incorrect or unfair decisions, and malicious actors can also use AI for nefarious purposes.

Therefore, while there is immense potential for AI in the field of cybersecurity, it's important to approach it with caution and take measures to ensure its ethical and responsible use. As AI technology continues to evolve, it's essential to keep abreast of the latest developments and use them wisely to protect digital assets and privacy." – Via ChatGPT

I welcome our future Overlord. Remember, always be polite… even to AI. – Jeremy Newberry

Additional Reading:

• My kids and I just played D&D with ChatGPT4 as the DM (Medium)
• Introducing Recorded Future AI: AI-Driven Intelligence to Elevate Your Security Defenses (Recorded Future)
• ChatGPT May be a Bigger Cybersecurity Risk Than an Actual Benefit (BleepingComputer)

Zero Trust and Doing Business: Studying the BlackCat Breach at NCR

Recently, the BlackCat malware group managed to make its way into the NCR data center that runs its Aloha Point-of-Sale (POS) system that services more than 140,000 small businesses and franchises globally. The BlackCat group claimed that it did not exfiltrate any data, but did collect account credentials, including those to access customer systems.?

While it’s possible that BlackCat did not exfiltrate data because defenses may have been in place to prevent that from happening, it’s also a possibility that BlackCat simply chose to skip data exfiltration entirely to speed along its attack. It’s entirely possible that taking down something like Aloha POS was the main objective and no consideration was made for also grabbing data.

Our Take: There are considerations about what happened at NCR and the implications for the rest of the world. NCR services many customers globally, including many large retail companies. As such, NCR likely has a great deal of connections with environments that it cannot manage. While the security people would clamor for “Zero Trust! Zero Trust!” and wall off customer connections, the business people have to ask, “How do we keep the lights on with Zero Trust?” That’s a tough question, and we in security must be ready with answers or the status quo will continue.

Let’s add to this the potential cost of recovery. By that, I don’t mean money spent on getting infrastructure back to functional levels. I mean addressing the concerns of those 140,000-plus small businesses and franchises that have been doing business without Aloha POS during the outage. What happens to their data when the system goes back online? When we read the Reddit for the Aloha POS outage, there’s a very real worry that when the system goes back online, the local data they have won’t be retained. Their revenue, tax reporting, and payroll all get adversely impacted in such an event. Not only did they have to endure the disruption of the outage, they now face a possible disruption of the?restoration of service.

The lessons we can take out of this situation include the need to add layers to security. When we dismiss the need for one tool to do a job because another one?almost?does, it is no longer a valid argument. We need our tools to overlap if we want to catch attackers like BlackCat. (Given the way BlackCat operates, we can pretty much guarantee that we?will?see more of their attacks in the future.) We need to eliminate silos in our defense: NCR is a large organization and it’s likely that different teams have taken different security responsibilities. Any organization in such a condition will benefit from coordinating tools, activities, and data-sharing. Finally, contingency planning is not a “nice to have.” The desperation evident on the Reddit board makes it very clear that the Aloha POS customers are left in the dark about what’s happening now and what’s going to happen when there’s a restoration of service. There’s an old saying that it wasn’t raining when Noah built the ark. The time for considering what to do in the event of a disaster needs to be fully explored before that disaster happens.?

That contingency planning is not the sole responsibility of the CISO, either. It needs to be owned by the CEO and the rest of the top-tier executives. It’s not just a function of security, it’s a function of successfully running the enterprise. The breach will happen. An organization’s capability to fully recover depends upon a comprehensive continuity and restoration plan. – Dean Webb

Additional Reading:

• Restaurants Reel as POS App Hit by Ransomware (The Stack)
• NCR Suffers Aloha POS Outage After BlackCat Ransomware Attack (BleepingComputer)
• The Great NCR Hospitality Outage of 2023: Questions (Reddit)

Readers of our Newsletter:?What’s working, what’s not, and what’s on your mind? Leave a comment below or email?[email protected] . Thank you!??