- Exzec Cyber Newsletter
- Posts
- Third Times the Charm.
Another week, another newsletter. On the menu this week:
Social Spyware: Meta’s fighting back against spyware….maybe?
AI and Malware: America’s foes on the AI malware train
This week’s Need to Know: Breaches, vulnerabilities, and research quick hits
Mission Impossible, Furby Style: The NSA’s odd past with an old foe.
Big News
Meta is fighting….checks note…spyware?
This one may seem somewhat unbelievable, considering Zuckerbergs’ bloodlust for data and, well, blood (ok, it’s a stretch, I know, but look at the guy), but Meta is actually fighting back against spyware brokers. Granted, this is all likely to placate Meta’s government detractors and get some good publicity, but hey, I’ll take what I can get.
The spyware brokers, many of whom are legitimately registered companies in their countries, use the social network for various purposes, including employing “artificially generated profile photos — to scrape information about potential targets, set up phishing attacks, perform social engineering or gather target device and location information using IP logging links, for instance.”
In a detailed crackdown in its Q4 2023 Threat Report, Meta took down the networks of fraudulent accounts associated with eight spyware firms. These firms were operating in Spain, Italy, and the United Arab Emirates, but these campaigns have been seen in more than 70 countries. The acquired data can reveal sensitive information about users’ online activities and beliefs. For instance, it could include visits to websites related to mental health, sexual assault support, or telehealth providers focusing on birth control or abortion medication.
The concern extends beyond government surveillance; private companies may also misuse this data. We’ve seen it before with misinformation campaigns, supporting adversarial state’s interests, targeted manipulation during elections, etc. Your feelings about mainstream media aside, statically, legitimately fake news articles get six times the interaction real news does, on both the right and left. More data = more effective.
I suppose it’s time I shut down my Facebook, aka my glorified event planner.
More: CyberScoop | SCMagazine | FastCompany
Can’t Miss
iOS trojan malware is stealing FaceID data.
Ivanti Connect is connecting criminals to your infrastructure.
It looks like Zoom needs a patch on Windows to fix several vulnerabilities.
Microsoft released information on a zero-day in onsite Exchange servers that is being actively exploited.
Malware that allows for backdooring MacOS devices is making the rounds, likely from the ALPHV/BlackCat Ransomware gangs.
Might have missed
Major tech companies are trying to combat election interference using AI-generated content.
Hacking to steal is one thing, but hacking to work more?
Another crypto token, another huge hack. This one is for $290 million.
Ransomware groups have been ramping up against hospitals. Romania had to take 100 hospitals offline after an attack.
$10 Million sound cool? Just find the Hive Ransomware leaders.
Big News
Skynet, is that you?
Forget the skeleton robots from Terminator - these nation-state-linked attackers are utilizing AI to launch smarter, faster, and more dangerous cyberattacks. A recent report by Microsoft and OpenAI sheds light on hackers who've been who have been using AI to create more effective ways of attacking their targets.
These attackers are linked to a number of adversarial countries, like Russia, Iran, China, and North Korea. In one case, Iran-backed attackers used AI to target and “lure prominent feminists to an attacker-built website on feminism”. That’s just one known real-world example, but imagine phishing emails that write themselves, perfectly tailored to your deepest desires and online searches, malware that morphs to bypass defenses, or password-cracking bots that work a million times faster than you can type "multi-factor authentication." These aren't just sci-fi nightmares anymore.
Sounds like a hacker's dream, right? Well, there’s good news and bad news. The bad news: Hackers are upping their game with AI, making their attacks more efficient, targeted, and potentially devastating. The good news? The “good” guys are fighting back too. Microsoft and OpenAI are teaming up to build AI-powered defenses, and other cybersecurity vendors are prepping for a battle. It's an arms race, but one we can (hopefully) win with a little ingenuity and a whole lot of processing power.
Outside of the concerning side of the attackers and the threat they pose, one thing that stood out is that Microsoft and OpenAI are monitoring signups and the use of their AI tools. While it’s something I would have expected given the government’s concern around AI, they appear to be targeting and tracking with greater accuracy than I would have thought. Here’s hoping they only stay focused on the bad guys….
More: Verge | YahooFinance | NewYorkTimes$
Strange Cyber
Furbygate: The NSA's Hilariously Paranoid Brush with a Talking Toy
We all should remember the Furby craze in the late 90s. Those little shits were everywhere, with Hasbro selling over 40 million in the first three years. It turns out, the NSA does too, but not for the cuddly factor. According to declassified documents, the agency banned the furry fellas from their offices, fearing they could become pint-sized spies.
Why were they freaking out? Apparently, these fuzzy f*cks had an "artificial intelligence chip onboard," which could "learn" from nearby speech patterns. The NSA's biggest concern? Employees blabbing classified info that the Furby would then absorb and, who knows, repeat later at a kid's birthday party. While the whole scenario sounds like a fever dream, it highlights the agency's ever-present fear of information leaks, even from the most unexpected sources.
In retrospect, experts say Furby's learning capabilities were likely overblown, more like picking up random phrases than deciphering classified briefings. Still, the episode is a reminder of the evolving data security landscape. Back then, a talking toy was a national security threat. Today, deepfakes and sophisticated malware pose far more complex challenges.
While we might not need to worry about our kids' toys becoming government informants (yet!), it's a reminder to be mindful of what we share online and offline, especially around sensitive topics. And hey, maybe this is a cautionary tale for the next generation of AI-powered toys – who knows what secrets they might be learning! Cue a dystopian scene of children’s toys ruling the world.
Side note: Furby released new models in July of 2023. Perhaps these AI chips are a little more powerful…..
Cool Sh*t Corner
The Apple Vision Pro has some slick Augmented Reality features for watching pro sports. Now if only ‘Augmented Reality’ meant augmenting my golf game.
The @PGATOUR app on the Vision Pro is pretty neat. Not long until this will become the standard for all pro sport viewing! 🥽🤯💯⛳️🏌🏽♂️ @PGA@WMPhoenixOpen@Apple#VisionPro#AppleVisionPro#WMPhoenixOpen#Golf#sports#ar
— Amir (@virtual_amir)
10:39 PM • Feb 11, 2024
Thanks for reading this week’s edition. If you have feedback or advice, or hate everything you see? Hit this link!