Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Canada's cybersecurity agency confirms Chinese hack of telco.
US braces for retaliatory cyber strikes after bombing Iranian nuclear sites.
Hardcoded single-letter password in Sitecore XP sparks major remote
compromise, and Russian hackers bypass Gmail MFA using stolen app passwords.
(00:23):
This is Cybersecurity Today, and I'm your host, David Shipley.
Let's get started.
The Canadian Centre for Cyber Security, or CCCS, quietly revealed Friday night
in a social media post that a Canadian telecommunications provider was
breached by China's state-sponsored hacking team, Salt Typhoon. Many
in the cybersecurity industry
(00:43):
were waiting for this news for some time following the
massive breach of US and global telecommunications providers in 2024,
given that all use similar third-party equipment.
In a joint release with the FBI, first posted on their website on Thursday,
the centre said the PRC-backed campaign was likely not contained
just to the telecommunications sector.
(01:05):
The agency said it expects Chinese hackers will, quote, almost certainly, end quote,
continue to target Canadian critical infrastructure over the next two years,
especially telecommunications providers.
This is particularly notable.
The intelligence community in the Western world is increasingly raising the alarm
around a potential Chinese invasion of Taiwan before the end of 2027.
(01:28):
Beijing has repeatedly denied US allegations of its involvement
in Salt Typhoon, which was first reported by the Wall Street Journal.
Last year in January, the US sanctioned a Chinese firm accused of, quote,
direct involvement, end quote, in the infiltrations, along with the
country's Ministry of State Security.
In the advisory last week, the Canadian Centre for Cyber Security said the threat
(01:50):
actors exploited CVE-2023-20198.
It is a vulnerability in Cisco networking gear first reported in
October 2023. The CVE is a critical zero-day privilege escalation
vulnerability in the web UI interface of routers, switches, and wireless
(02:12):
controllers running Cisco's IOS XE.
It was given a 10 out of 10 on the CVSS score.
The attackers used the critical vulnerability to retrieve the running
configuration files from three devices in the targeted telco and modified at
least one of the files to configure a generic routing encapsulation, or
(02:33):
GRE, tunnel, which enables traffic collection from the network.
GREs work a lot like a VPN, but without encryption.
Compromised devices can then be used to spy on internal network traffic or
as launching pads for attacks on other systems, said the CCCS and FBI. News of the
Canadian telco compromise is the latest
(02:54):
in a string of Chinese hacks in Canada. Most recently, in 2024, the government
of British Columbia was compromised by Chinese hackers, and in the fall
of 2024, a report from the centre confirmed Chinese hackers have been
in numerous governments throughout the country for more than five years.
The revelation that a Canadian telecommunications provider's equipment
was compromised comes days after the Canadian government tabled its second
(03:18):
attempt at critical cybersecurity legislation, formerly called Bill C-26.
The new bill, C-8, is a near twin of the past law.
That past law failed to get through the winter session of Parliament before
the government fell due to a typo, but in typical government fashion, it
only made it to the second step in the House of Commons before Parliament took
(03:41):
its summer break, because priorities.
The United States Department of Homeland Security issued a bulletin on Sunday
warning of possible cyber attacks following the US bombing raids on Iran's
nuclear facilities. The Department of Homeland Security issued an advisory on
Sunday saying attacks from low-level cyber activists are likely and larger attacks
(04:04):
could follow an Iranian leader's issuing of a religious ruling calling for retaliatory
violence against targets in the US.
Jen Easterly, the former head of the Cybersecurity and Infrastructure
Security Agency, CISA, posted on LinkedIn Sunday a repeat of the
successful Shields Up messaging her team had used during the lead-up to
the 2022 Russian invasion of Ukraine.
(04:26):
Easterly said in her post that while it's unclear if Iranian cyber capabilities were at
all impacted by recent Israeli airstrikes,
Iran has a track record of retaliatory cyber operations targeting civilian
infrastructure, including water systems, financial institutions, energy
pipelines, government networks, and more.
She urged critical infrastructure providers and others to be on the lookout
(04:49):
for credential theft and phishing, wipers disguised as ransomware, hacktivist
fronts and false flag operations, and targeting of industrial control systems
and operational technology systems.
Her advice: enforce MFA across all cloud, IT and OT systems, patch every
internet-facing asset, segment networks, and elevate detections of OT traffic.
(05:13):
Conduct tabletop cybersecurity drills, particularly with industrial control
system scenarios, and subscribe to ISAC alerts for real-time intelligence.
And in case you missed it, there is a recent statement from the IT-ISAC and the
AG-ISAC about Middle East tensions and cyber threats. As always, report suspicious
(05:34):
activity immediately to the Cybersecurity and Infrastructure Security Agency or
the Federal Bureau of Investigation.
Quote, the playbook is known, so is the response, and it's not rocket science.
End quote.
Now, not everyone in cybersecurity land, however, is convinced that the brace
for impact messaging is warranted, or at least with how it's being positioned.
Jacob Williams, VP of Research and Development with Hunter Strategy
(05:57):
and a well-known voice in the cybersecurity community, had a
slightly different take on Sunday.
Quote, if you're an enterprise worried about your exposure to
pro-Iran hacktivists, real talk:
you're doing security wrong.
Hacktivists lack sophisticated tools.
They employ DDoS and hack-and-leak as their primary techniques.
APTs they are not. End quote.
(06:18):
He further added, quote, the question you should ask is, what action
should I be taking based on this new information? And my friends, if
you're already doing security right,
the answer is no additional action required.
End quote.
So Canada's getting owned all over the place by China,
America should or should not be worried about Iranian cyber retaliation, and
(06:41):
one of the largest enterprise web content management platforms had a
single-letter hardcoded credential that could be exploited remotely.
Last week, researchers over at watchTowr disclosed a devastating
vulnerability chain affecting the Sitecore Experience Platform, or Sitecore XP.
That's the tech backbone
behind the digital experiences, read websites, of major banks,
(07:02):
airlines, and global enterprises.
Basically the kind of software you really don't want exposed.
And here's the kicker.
It wasn't just one bug, it was a chain of three vulnerabilities that, when linked
together, allow attackers to execute code remotely without authentication.
Translation: hackers completely hijack a server running Sitecore
without needing a username or password.
(07:24):
Let's break it down.
The first part of this chain: hardcoded credentials.
At the center of this mess is an internal Sitecore user account
named sitecore\ServicesAPI.
The account comes with a hardcoded password.
Just the letter b. That's right.
Just b. This is not supposed to happen.
(07:46):
It's not even an admin account and has no roles assigned, but because
of a login path quirk, /sitecore/admin, attackers can still use it
to log in under certain conditions.
From there, they get a valid session cookie, which opens the door to
authenticated internal endpoints.
These are typically locked down by Microsoft's Internet Information
(08:07):
Services web server rules, but they don't enforce Sitecore role checks.
So boom, you're in.
The next step is called zip slip.
Once in, the attacker moves to the second vulnerability.
It's a flaw in how the Sitecore upload wizard works.
The wizard lets you upload zip files, and that's where the magic,
mayhem, happens.
(08:28):
A carefully crafted zip file can include a malicious
path like /webshell.aspx.
Due to poor path sanitization,
Sitecore maps the path straight into the web root, letting the
attacker drop a web shell right onto the server and execute remote code.
No guesswork needed, no system path knowledge required.
Just zip slip and boom, you've got a server. And then comes PowerShell.
(08:52):
The third bug kicks in if you've got the Sitecore PowerShell Extension, or
SPE, module installed, which a lot of organizations do. With this extension,
attackers can upload arbitrary files to any location, bypassing
restrictions on file types or locations, and that makes remote code
execution faster, simpler, and dead
easy to repeat.
(09:13):
Double Yahtzee, maybe.
The big picture.
watchTowr found these bugs in Sitecore versions 10.1 through 10.4.
Their scans show 22,000 publicly facing Sitecore instances.
Not all are vulnerable, but it's a massive attack surface.
In addition to those global enterprises we mentioned earlier, airlines, banks,
(09:33):
telcos, government regulators, if you also guessed that their customers
include some of the biggest oil companies in the world, running from
Saudi Aramco to Chevron, you'd be right.
Not that, you know, they've got anything to worry about lately from
someone maybe looking to destabilize other oil providers right now.
The good news keeps on coming.
Patches were released back in May 2025, but technical details were held back until June
(09:57):
17th to give customers time to update.
Now is the time.
watchTowr's CEO
put it bluntly:
If you're running Sitecore, it doesn't get worse than this.
Rotate your credentials, patch now, because attackers will reverse engineer this fix.
Sitecore's response, to their credit:
Sitecore worked with watchTowr and published a security bulletin,
(10:19):
Security Bulletin 2025-003, along with patches.
The three CVEs identified were CVE-2025-34509, hardcoded credentials,
CVE-2025-34510,
path traversal to RCE, and CVE-2025-34511,
post-auth RCE via PowerShell.
(10:42):
They also reminded customers about a fourth issue, CVE-2025-27218, that had
already been patched in December 2024.
If your organization runs Sitecore, don't wait for the headlines to get worse.
Please patch, rotate those passwords, and harden your instances.
And it won't just be Iranians who'll be itching to use this.
(11:03):
Of course, ransomware gangs don't go on holiday just because
global tensions went up more.
Which brings us to the latest Russian hacker headline.
Fun.
Alright, let's talk about an interesting high-stakes phishing campaign
that's a masterclass in patience, precision, and psychological manipulation.
And of course it comes outta Russia.
(11:24):
Between April and June, a Russian state-linked threat actor, tracked by
Google's Threat Intelligence Group as UNC6293, likely affiliated
with APT29 under Russia's Foreign Intelligence Service, launched a
highly targeted phishing campaign.
But this wasn't your usual click-here
fast scam.
This was slow-burn social engineering, and it was aimed at
(11:47):
high-profile academics and outspoken critics of the Russian government.
Let's walk through what made this campaign so interesting and so dangerous.
MFA bypassed thanks to app-specific passwords.
Now most of us think multifactor authentication protects our
email, and in most cases it does.
But this campaign didn't try to break through the MFA; instead, it sidestepped
(12:11):
it using app-specific passwords,
which are a legitimate feature in Google accounts that let users create one-time
passwords for third-party apps that don't support two-factor authentication.
What UNC6293 did was convince their targets to create and hand over one of
these app-specific passwords, giving the hackers full access to Gmail
(12:32):
inboxes without triggering any alerts.
It's like asking someone to build a key to their own house
and then hand it over to you.
This operation was surgical.
One of the targets was Keir Giles, a leading expert on Russian disinformation.
The attackers posed as a Claudie S. Weber from the US Department of State, inviting
Keir to a private online discussion.
(12:54):
The email came from a Gmail address.
It should have been suspicious on its own, but what sold it was it was included
with multiple @state.gov addresses in the CC line. It looked official.
Problem is, there was no Claudie S. Weber at State, and the attackers
exploited a little-known quirk.
The real US State Department mail server doesn't always
(13:16):
bounce messages for nonexistent addresses, so nothing looked amiss.
Then came the clever part.
After a few exchanges, no pressure, just polite scheduling back and forth,
Giles was invited to join a platform called the MS Department of State Guest
Tenant. Sounded official, seemed plausible.
To access it, he was told all he needed to do was generate a Google
(13:38):
app-specific password and send it over to one of the admins so they
could add him to the guest platform.
They even provided a helpful PDF with step-by-step instructions.
That password gave the attackers
full, direct access to Giles' Gmail account. And this wasn't a one-off.
According to the University of Toronto's Citizen Lab and Google's threat team, this
(14:01):
was part of two active phishing campaigns.
One used the State Department lure, the other leaned on
Ukraine and Microsoft themed bait.
Behind the scenes, UNC6293 used a mix of residential proxies
and virtual private servers.
Remember we talked about this a few episodes ago.
These attacks weren't quick hits.
(14:21):
They were slow, deliberate, and deeply customized, built on fake personas, forged
documents, and years of tradecraft.
Now, who's at risk?
The people being targeted in this campaign are folks involved in
geopolitics, legal disputes, national security or human rights advocacy.
The kind of people who would hold sensitive information and
whose communications might shape policy or public opinion. However,
(14:46):
criminal groups tend to follow these kinds of clever tactics.
We will see this repeated again, and this reminds me an awful
lot of the rise of other social engineering tactics like ClickFix.
Google is urging anyone at risk to enroll in its Advanced Protection Program.
This is the same high-security system used by political campaigns and journalists.
(15:08):
Crucially, it blocks the use of app-specific passwords entirely and enforces
strong hardware-based login methods.
So, dear admins, maybe it's time for all of us to start locking
down people's abilities to create app-specific passwords.
Now, if you're feeling a bit overwhelmed
by last Friday's episode and hopefully took Jim's advice to enjoy the weekend.
(15:30):
Take a breath.
I'm gonna go full Canadian and issue an apology.
This week is not starting off any better.
I'm sorry.
As always, stay skeptical, stay patched, and yesterday was a good time
to review your 72-hour emergency kit.
Always interested in your opinion, contact us at editorial@technewsday.ca or
(15:53):
leave a comment under the YouTube video.
I've been your host, David Shipley, sitting in for Jim Love,
who will be back on Wednesday.
Thanks for listening.