Cybersecurity The State of Enterprise IT Security Podcast - S1 EP. 14: CISA Alert on SharePoint Server Attacks, Chinese Hacking Plot Exposed, Ray AI Framework Under Siege

[00:00:00] These emails then compromise the personal and work accounts, online storage. Call records really facilitating further targeted attacks, and all of it seems to be focused on electronic devices and even home routers.

[00:00:30] Thank you for joining me for the State of Enterprise IT Security Edition. This is the show that makes IT security approachable and actionable for technology leaders. I'm happy to bring you three topics this week. The first one, CISA, warns that hackers are actively attacking a SharePoint server vulnerability.

[00:00:51] Second, millions of Americans are caught up in a Chinese hacking plot. Third, thousands of servers hacked in an ongoing attack targeting Ray AI framework. So with that, let's get started. The first topic of today is CISA warns that hackers are actively attacking a SharePoint server vulnerability. Now, who is this?

[00:01:19] It's the U. S. Cyber Security and Infrastructure Security Agency, and they've added a security flaw

[00:01:30] that is impacting Microsoft SharePoint server to the known exploited vulnerabilities catalog, and that's based on evidence that this is being exploited in the wild. So there's a vulnerability. And it's a critical remote code execution flaw that allows an authenticated attacker with site owner privileges to execute some arbitrary code.

[00:02:00] So think of this as a network based attack where that authenticated attacker as the site owner could execute code remotely on a SharePoint server. And I'm going to add that this was actually patched back in May of 2023. But as you've heard me say before, we could all be doing a better job when it comes to patching.

[00:02:30] And since we're seeing so much of this in the wild, they actually went back and talked to Microsoft about it. And Microsoft said, Hey, back in May, this was patched and customers who have enabled automatic updates. Uh, they got the update. So if you have it checkmarked to receive updates for other Microsoft products in your patching.

[00:03:00] Then  Windows Update got it, and it has been patched, and they are protected. So, this is just a quick public service announcement. Patch your stuff. Here we are almost a year after the fix was released, and it's running rampant in the wild right now with people being compromised by this. Second topic of today, millions of Americans caught up in Chinese hacking plot.

[00:03:30] So, the U. S. Justice Department and the FBI, they've disclosed what they're calling a sinister hacking campaign. And it's been orchestrated by seven Chinese nationals. And what's interesting about this is it's linked to a 14 year long operation. And it's been aimed at American officials, critics of China, businesses and some select politicians.

[00:04:00] So this extensive cyber attack involved sending over, I think it was like 10, 000 malicious emails worldwide, affecting thousands of victims on multiple continents. And here's what's interesting as well. The U. S. has offered a reward of up to 10 million for information leading to these individuals, and we're highlighting China's ongoing efforts to compromise U.S. cybersecurity as well as innovation.

[00:04:31] And the FBI director emphasized that the U. S., you know, committed to counteracting espionage, underscoring. That cyber espionage against the U. S. and its allies, it's just not going to be tolerated. We can say that as much as we want, but the charges, they actually follow a similar accusation from both the U.K. and New Zealand.

[00:05:03] saying the same thing about this hacker group. Now, despite all of these allegations, the Chinese embassy in Washington, DC and London, they're denying that any of this has actually happened. And they're saying that this is baseless fabricated, things like that. Now, the indictment against these seven Chinese individuals reveals their involvement in what.

[00:05:35] Is considered sophisticated hacking tactics, and that includes the use of emails that appear to be from a reputable news outlet or even a journalist. And then what they do is they, they equip them with hidden tracking links, and these emails then compromise the personal and work accounts online storage.

[00:06:03] Call records, really facilitating further targeted attacks, and all of it seems to be focused on electronic devices and even home routers. So this is insidious type of stuff. And the targets again, U. S. government officials, their spouses, foreign dissidents,

[00:06:30] companies in a lot of different industries. So Including defense, telecom, finance, you know, we've, we've talked about some of this before and really among the U.S. entities targeted were defense contractors and a big piece of that was leading 5G network equipment. So those providers have particularly been targeted. 

[00:07:00] Now, I think the news is pretty good at telling us that the sky is falling, but what isn't talked about in any of this is what can we do about it? So I look at this as what's the response that we can take as business professionals and cyber professionals.

[00:07:19] So I'm going to give you just some, we'll call it to 10 things that you can do Or you can tell your organization to do, maybe you're not in cyber, maybe you're just listening to this podcast to get a little bit better, get a little more knowledge when it comes to cyber security. So, for either side, I would say there's a couple of basic things.

[00:07:45] So, first and foremost, strengthen email security. And that really comes into implementing advanced email security solutions. And a big piece of this is detecting and blocking

[00:08:00] phishing attempts in the first place, making sure that malicious attachments are filtered or not delivered. Suspicious links are also, uh, you know, you do what you need to with those.

[00:08:13] So they don't land. And then if inside of the message, like, like the article was talking about, we make sure that those are identified and then pulled out. And make sure that email authentication is being used. There's a bunch of different protocols. And what it does is it helps to prevent email spoofing.

[00:08:37] So you'll notice I was talking earlier about the fact that a lot of this was spoofing. You're saying you're somebody and you're actually not that person. So you make sure that you are validated and verified. And then that kind of stuff can't happen. Enhanced endpoint security. I think by now everybody has the notion that anti malware, anti virus, those are the ways to keep yourself safe.

[00:09:05] I would take it one step further and use Endpoint detection response because that helps you monitor, detect and then respond to threats on endpoints. So some of this had to do with users home devices and most organizations do a good job of protecting their corporate devices. But I'd like for people to think about this on their home devices, home routers.

[00:09:31] There's some basic things to do. Change your default router password. Make sure that you rotate passwords. Make sure that your home devices are protected. Uh, those are just good high level steps you can take. I would say employ network security measures, both on a corporate network and on your home network.

[00:09:52] So deploy intrusion detection systems, utilize firewalls. A lot of, and they're a little spendy, but a lot of the routers that you can get now for home use, they do come with a security package that you can buy. And it has intrusion detection as well as prevention. And it's all set up through an app. And it's, it's really not that hard, even if you're not a cyber security professional, that kind of stuff can, can do a lot for protecting you and your family at home, fourth, adopt a zero trust security model.

[00:10:30] I'm pretty sure everybody's heard about zero trust by now. And if you're going to unpack it as to like, why we just want to implement the principle of least. Privilege, and that's just to minimize access for users. And making sure that you have the bare minimum required to perform your job. And I would say use multi factor authentication.

[00:11:00] And I actually did wear this shirt just for the occasion says enable MFA. And I strongly recommend anywhere that you can enable MFA. Make your email password the hardest password either to guess, make it the most often changed, and also make it when you do connect to your email from somewhere else, uh, have multi factor authentication.

[00:11:27] Don't just depend on a text message to your phone. Also have an authenticator app. There's a bunch of them out there. They're free. Definitely do that, not only at home, but from a work perspective. So if you're not doing that, ask your I. T. team. Ask your security team. Get that kind of stuff out there and going.

[00:11:48] I conduct regular security awareness training. This is something that I do for, for my company. And it really does help educate employees. About the latest

[00:12:00] techniques that are being used. What kind of phishing attacks out there? What kind of social engineering tactics are being used? And really it, it promotes a culture of security within the org and it ensures that employees are vigilant and report suspicious activities.

[00:12:18] 6th one, engage in threat intelligence sharing. This is really for the cyber professionals out there. Get out on the forums, talk to alliance

[00:12:30] members, look at threat intel feeds, multiple feeds. Get out there and start looking at the blogs. Get familiar with the TTPs, that's tactics, techniques, and procedures.

[00:12:44] That the threat actors are actually using number 7, perform regular security assessments and pen testing again, more for the, the corporate environment out there, but make sure that that is, I always recommend, you know,

[00:13:00] for, for most organizations. It's once a year for compliance. I recommend quarterly if you can, and most of you can and do it with your own tooling, uh, spend the time just to make sure that you have everything secured as well as you can.

[00:13:21] Uh, number eight, collaborate with law enforcement and government agencies. So if there's a cyber incident, report it. There's there's hotlines. There's all different kinds of things that you can do there. Number nine, secure cloud and hybrid environment. So that's just implementing security best practices, and that's encryption, access control, secure configurations, and that's for assets that are hosted in the cloud.

[00:13:50] But I would also say anything that's hybrid. And on prem and ultimately we just want more visibility and control over resources, wherever

[00:14:00] they are. Third topic for today, thousands of servers hacked in an ongoing attack, targeting the Ray AI framework. Interesting story. Thousands of servers storing A. I.

[00:14:15] Workloads and network credentials have been hacked, and this is an ongoing attack campaign targeting a reported vulnerability in red, and that's a computing framework

[00:14:30] that's being used by open A. I. Uber. Amazon and and others. So for those of you that don't know, Ray is an open source framework really for scaling AI apps, meaning, you know, we're allowing huge numbers of them to run at once in the most efficient manner possible.

[00:14:50] And typically, these apps run on huge, huge clusters of servers. And the key to making all of this work

[00:15:00] is a central dashboard that provides an interface for displaying as well as controlling tasks and apps. Now, the attack, it's been active, and they're saying for at least 7 months. And it's led to the tampering of a lot of AI models.

[00:15:22] I think as, as we've been going through this whole AI journey, this is what we were afraid of. And it's the,

[00:15:30] really the result is the compromise of network credentials and it's allowing access to internal networks. And databases and tokens for accessing accounts on platforms. This includes open AI, Stripe, Azure, and, and others.

[00:15:51] So besides corrupting models and stealing credentials, the, the attackers behind the campaign, they've, they've also

[00:16:00] installed cryptocurrency miners on compromised infrastructure. And the reason for that is it, is it typically provides. Money, but it takes a massive amount of computing power. So they're just borrowing your compute to make themselves rich.

[00:16:19] Uh, attackers have also installed reverse shells and that's just a text based interface. that allows them to remotely control servers.

[00:16:30] So you could say these attackers are basically hitting the jackpot and they're getting valuable company data plus the ability to execute remote code. And that just makes it easy to monetize attacks.

[00:16:48] I would say the worst thing about this attack is that the attackers, they're, they're basically undetectable. And that's even if you have static security tools in place.

[00:17:00] So among the compromised sensitive information are AI production workloads, which allow the attackers to control or even tamper with the models during the training phase.

[00:17:14] And from there, they can poison or corrupt the model's integrity. So if you're asking that AI a question, You can't trust it anymore. Uh, the vulnerable clusters also expose a central dashboard. And this thing, this is what makes me crazy. It exposes it directly to the internet and a configuration that allows anyone who looks for it.

[00:17:40] They can see a history of all commands entered. To date, any, any prompts, anything that's gone through it, you can see it. So the history allows an intruder to very quickly learn how a model works and what sensitive data it has access to.

[00:18:00] So that's pretty freaky. And I'm sure you're asking, well, you know, what can we do about it?

[00:18:06] There's a couple of things. Now I will say the, the makers of Ray. I've been pretty evasive with this whole thing. And basically it's a, well, we told you that this was an open system from the beginning, but I would urge you, if you are using this, do not accept the default configurations, go in and update any of the default bindings on your dashboard, because it's, it just straight binds to zero, zero, zero, zero, and that designates all network interfaces and port forwarding.

[00:18:41] Okay. Just to the same address opens it straight up and due to raise nature as a distributed execution framework, you have to prevent access to your Ray cluster from untrusted machines.

[00:19:00] And the best way to do that is when you deploy Ray. You put it in a highly segmented and secure environment. So thank you for joining me, and I look forward to the next time on the State of Enterprise IT Security Mission.