CyberWire Daily - A not so BASIC farewell.
Episode Date: November 22, 2024

META details its efforts against pig butchering. The Salt Typhoon attack on major U.S. telecoms sparks interest from Congress. Microsoft dismantles 240 domains linked to the ONNX phishing-as-a-service platform. A major U.S. gambling and lottery provider suffers a cyberattack. Hackers exploit newly patched zero-days in Palo Alto Networks firewalls. Researchers say Fortinet VPN servers lack sufficient logging. A pilot program looks to improve security for small U.S. water utilities. Bitdefender warns of scammers using Black Friday-themed spam emails. Our guest is DataDome’s CEO and Co-founder, Benjamin Fabre, discussing how "Fake Accounts Threaten Black Friday Gaming Sales." A fond farewell for a true cyber innovator.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

In advance of Black Friday shopping next week, our guest is DataDome’s CEO and Co-founder, Benjamin Fabre, discussing their team's work on "Fake Accounts Threaten Black Friday Gaming Sales."

Selected Reading

Meta cracks down on millions of accounts it tied to pig-butchering scams (CyberScoop)
China’s Hacking Reached Deep Into U.S. Telecoms (New York Times)
FCC leaders skirt call for wiretap security reform, hope to ‘go deeper’ on telecom breach briefings (NextGov)
Microsoft disrupts ONNX phishing-as-a-service infrastructure (Bleeping Computer)
Gambling and lottery giant disrupted by cyberattack, working to bring systems back online (The Record)
Over 2,000 Palo Alto firewalls hacked using recently patched bugs (Bleeping Computer)
Fortinet VPN design flaw hides successful brute-force attacks (Bleeping Computer)
First Water Utilities Take Volunteer Cyber Help (The University of Chicago Harris School of Public Policy)
Three-Quarters of Black Friday Spam Emails Identified as Scams (Infosecurity Magazine)
Thomas E. Kurtz, a Creator of BASIC Computer Language, Dies at 96 (New York Times)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com slash N2K and enter code
N2K at checkout. That's joindeleteme.com slash N2K, code N2K.
Meta details its efforts against pig butchering.
The Salt Typhoon attack on major U.S. telecoms sparks interest from Congress.
Microsoft dismantles 240 domains linked to the ONNX phishing-as-a-service platform.
A major U.S. gambling and lottery provider suffers a cyberattack.
Hackers exploit newly patched zero-days in Palo Alto Networks firewalls.
Researchers say Fortinet VPN servers lack sufficient logging.
A pilot program looks to improve security for small U.S. water utilities.
Bitdefender warns of scams using Black Friday-themed spam emails.
Our guest is DataDome's CEO and co-founder Benjamin Fabre, discussing how fake accounts threaten Black Friday gaming sales.
And a fond farewell for a true cyber innovator.
It's Friday, November 22nd, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Happy Friday, and thanks for joining us here today.
It is great, as always, to have you with us.
Pig butchering scams have escalated into a global crisis,
with organized crime syndicates forcing trafficked individuals
to run scams from compounds in Southeast Asia and the UAE.
Meta, for the first time, has detailed its efforts to combat this activity.
The company has worked with law enforcement and NGOs,
taking down over 2 million accounts linked to scam operations this year.
However, researchers criticize Meta for being slow to address its platform's role in enabling scams.
The term pig butchering refers to scammers grooming victims through social media, messaging apps, or dating platforms, persuading them to invest in fake opportunities.
Victims have collectively lost around $75 billion.
Meanwhile, trafficked individuals, many lured by fraudulent job ads, are held in compounds and forced to scam under threats of violence.
Over 200,000 people from more than 60 countries have been subjected to this exploitation.
Meta acknowledges that pig butchering is an evolving, well-funded threat, with criminals leveraging tools like AI to evade detection. Scammers use AI to generate messages, create deepfakes, and translate scripts to target victims globally. In one case, OpenAI flagged accounts using ChatGPT for scam activities, leading Meta to shut them down. While Meta has increased account takedowns and safety measures, the scale of scams persists. Researchers argue that tech companies must do more to proactively address scammers exploiting their platforms, as moderation often fails to catch deceptive content in time.

Chinese hackers identified as Salt Typhoon executed a far-reaching breach of U.S. telecommunications systems, exposing vulnerabilities and accessing sensitive communications, including those of political figures. The breach, linked to Chinese intelligence, targeted systems used for lawful wiretapping and exploited outdated equipment across major carriers like AT&T, Verizon, and T-Mobile. Hackers could monitor calls, read unencrypted texts, and gather metadata, raising national security concerns. However, they couldn't access encrypted communications like iMessage or Signal. Senator Mark Warner described the breach as the most severe telecom hack in U.S. history, exceeding the scale of the SolarWinds or Colonial Pipeline incidents. The breach's full extent remains unclear, as investigators believe hackers may still be embedded in U.S. systems. Warner urged transparency and stronger cybersecurity standards to address critical vulnerabilities. The hack has reignited calls for reforming the Communications Assistance for Law Enforcement Act, CALEA, to mandate robust cybersecurity requirements. While the FCC has authority to enforce such standards, action has been delayed. Intelligence agencies are investigating potential exposure of sensitive surveillance systems, with officials warning of the significant risks posed by the intrusion.
Microsoft has dismantled 240 domains linked to ONNX, a phishing-as-a-service platform targeting Microsoft 365 and other tech companies since 2017. Known for high-volume phishing campaigns, ONNX facilitated attacks using do-it-yourself kits sold on Telegram for $150 to $550 per month. The phishing kits included features like two-factor authentication bypass and targeted tech firms such as Google, Dropbox, and Microsoft. ONNX attackers also employed advanced tactics like QR code phishing, which exploited victims' mobile devices and evaded traditional detection methods. These campaigns targeted financial sector employees and used encrypted JavaScript to evade anti-phishing scanners. Operations ceased in June of this year after researchers identified ONNX's owner, Abinab Nady. Through a court order, Microsoft redirected ONNX's infrastructure, cutting off access and deterring future attacks. This follows similar actions by Microsoft against Russian hackers and other cybercrime operations in recent years.

International Game Technology, IGT, a major U.S. gambling and lottery provider, suffered a cyberattack causing significant disruptions. The company took systems offline as a precaution and is investigating while working to restore operations. It has implemented workarounds to continue servicing customers, but has not yet assessed financial impacts. IGT has over 11,000 employees and $1.9 billion in 2023 revenue, and they provide lottery, gambling machine, and sports betting technology. While no group has claimed responsibility, ransomware has increasingly targeted casinos and lotteries.
Hackers have exploited two newly patched zero-day vulnerabilities in Palo Alto Networks firewalls, compromising approximately 2,000 devices globally. The flaws include an authentication bypass and a privilege escalation, allowing attackers to gain administrator and root access. Palo Alto Networks has observed malware deployments and command execution via these exploits. Though Palo Alto Networks acknowledges the flaw affecting a limited number of devices, Shadowserver has identified over 2,700 vulnerable systems. CISA added these flaws to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch firewalls by December 9th.
A design flaw in Fortinet VPN servers allows attackers to verify credentials during brute force attacks without logging successful attempts,
concealing compromised logins. Researchers from Pentera discovered that FortiClient VPN
logs only failed login attempts during the authentication stage, while successful logins
are recorded in the subsequent authorization phase. By halting the process after authentication,
attackers can validate credentials without detection.
Though failed attempts alert admins to brute force activity,
the lack of logs for successful logins poses a significant risk,
enabling attackers to exploit credentials later.
Fortinet has not classified this issue as a vulnerability, leaving it unclear if a fix will be implemented.

The University of Chicago's Cyber Policy Initiative, DEFCON, and the National Rural Water Association have launched a pilot program called DEFCON Franklin to improve cybersecurity for small U.S. water utilities. Six utilities across Utah, Vermont, Indiana, and Oregon will partner with volunteer cybersecurity experts to assess and strengthen their defenses. This initiative addresses the vulnerabilities of 91% of U.S. community water systems, which serve fewer than 10,000 people and often lack resources for cybersecurity. Cyber attacks on water infrastructure are escalating, with incidents linked to Chinese, Iranian, and Russian actors compromising critical systems. DEFCON Franklin's tailored, volunteer-driven approach aims to provide scalable, cost-effective solutions to safeguard the nation's water sector. This effort follows EPA warnings that 70% of U.S. water systems fail to meet basic cybersecurity standards.

Bitdefender warns that 77% of Black Friday-themed spam emails in 2024 are scams, marking a 7% increase from 2023 and a 21% rise from 2022. These scams often aim to steal personal data, banking information, or money through phishing emails, fake purchases, or malware like banking trojans. The U.S. is the top target, receiving 38% of Black Friday spam,
while Europe accounts for 44%,
with Germany and France heavily affected.
Scammers have tailored their tactics
to various demographics
using fake brand impersonations
and region-specific offers.
Examples include Trojan-laden emails targeting Spanish tech enthusiasts and phishing campaigns advertising discounted Ray-Ban sunglasses.

Avoid clicking unsolicited links. Use security tools and approach surveys with caution.
Coming up after the break,
my conversation with Benjamin Fabre
about how fake accounts may threaten Black Friday gaming sales
and a fond farewell for a true cyber innovator.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Benjamin Fabre is CEO and co-founder at DataDome. I recently caught up with him to discuss how fake accounts are threatening Black Friday gaming sales.

So every year we see that Black Friday is a moment when our customers and the large retailers have a huge spike of traffic.
And that among this large increase of traffic, a significant part of it is coming from bots and attackers.
So this year we decided to have our threat research team to have a look and test the security of those large retailers in the US, in UK and in Europe to understand how much they are ready and they are properly protected against the evolution of those bot attacks.
Well, let's dig into your findings here. What did you discover?

Yeah, so we tend to map the threats on the user journey for retailers.
So everything on the login section with the account creation,
the login attempt, then everything around the cart,
and finally the payments.
So that's the three areas that we usually test and we want to protect.
So our finding is that on the test we've done,
is that 30% of those websites have almost zero protection
on the account creation section of the website.
That means any basic bots can create thousands of accounts
without any protection.
And if we look at the sophisticated bots,
we've discovered that three quarters of those websites
are not protected against the sophisticated threats
like bots that can solve CAPTCHA
or bots that can work around multifactor authentications.
So that's the first learning and surprise for us,
considering the risk that Black Friday is creating for those websites.
And what about the other parts of an online experience here? What other things did you discover?

Yeah, so after the account creation, the second risk is the login, all the threats like account takeover, like credential stuffing. And what we've seen is that 60% of those websites have even no CAPTCHA in place.
You know, CAPTCHA is like the first security measure
that some website can use.
Even though it's not perfect,
it's sort of the first layer of security.
And actually, a significant part and the majority
of the websites don't have any CAPTCHA,
neither more sophisticated protection
like what protection is.
And the second discovery around the login is that
the fraud most of the time will involve to use disposable email, for instance.
And we've seen that a significant part of those websites
actually don't have any protection against all the techniques used
by attackers to create disposable emails and then run attacks at scales on those websites.
So that was surprising also, especially considering all the major attacks we've seen in 2024 with those very large-scale credential stuffing and account takeover attacks.
And then what about checkout itself?
Yeah, so the checkout also is a very sensitive area for multiple reasons.
First, with the cart, we can see that attackers are trying to buy all the products that have some limited
supply.
So every single year, there is the one product that everyone wants and that has a very limited
supply.
This year, it's probably going to be the PS5 Pro.
And what we saw is that a significant part of those websites, like 65% of the websites,
don't have real security in place to prevent the abuse,
what we call the scalpers,
so the bots that are trying to buy those products,
on the sensitive part.
And on the checkout, so the payment itself,
it's also very interesting to see that the payment fraud, which is going through
the roof with all the bots that will try stolen credit card numbers on the checkout, have
also not been very accurately blocked during our testing.
So on the 14 large retailers that we've tried, only three had a very strong security in
place at the very late stage of the checkout. So a significant gap here, and we hope that those
websites are going to increase their security measures. Why do you suppose so many websites
are coming up short here? Is this a matter of saving money or are they trying to reduce friction with the folks who are buying from them?
Yeah, that's a very good question.
And it's always a balance between security and user experience.
What we've seen is that the friction that some of the security solutions can provide,
like the CAPTCHA with the painful red light and crosswalk, etc.
That can generate some friction for the user experience.
And that's the reason why now the state of the art
is just trying to get rid of those painful CAPTCHAs.
And I think the second learning here is that
all the dangerous parts of the rise of AI that can be leveraged by attackers is not really, as we speak, properly assessed by those enterprises.
Using a Gen AI, for instance, it's very, very simple to create a sophisticated bot.
While just with a few clicks, you can turn your laptop into a massive attack to create millions of fake accounts.
And using some very legitimate content.
Now, it's almost impossible to distinguish what is legitimate or not just looking at the content
because when you use ChatGPT or Gen AI tools,
you can create some content that looks perfect.
You know, we're coming up on Black Friday here
when certainly many, many folks
will be doing a lot of online shopping. Do you have any tips for the consumers themselves to protect themselves? Are there ways
to know if a website that they're shopping on is more secure than one of their competitors?
Yeah, that's a good question. So, of course, the hard work is supposed to be done by the retailer themselves,
but the consumers also have some power here.
First, they can make sure that they are using unique passwords for every single website.
So, if one of those websites gets compromised,
you are sure that your credential won't be reused somewhere else.
The second action that we always recommend
is to use multi-factor authentication.
So to require, for instance,
some authentication token or SMS,
which is not the best one,
but convenient.
So you can make sure your credentials are safe.
And usually, you want to work with retailers
and to shop on retailers that offer this mechanism.
How complex can be my password on this website?
Can I turn on multi-factor authentications?
That's all the measures that you have to be able to do on those retailers.
That's Benjamin Fabre from DataDome.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization
runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep

And finally, an appreciation for Thomas E. Kurtz,
a visionary mathematician who transformed the world of computing
with his co-invention of BASIC,
the Beginner's All-Purpose Symbolic Instruction Code.
Dr. Kurtz, who recently passed away at 96, sought to make computers
accessible to students beyond math and engineering alongside his colleague John Kemeny. In the early
1960s, when computers were vast and esoteric, they pioneered the Dartmouth timesharing system,
enabling multiple users to access a single machine simultaneously.
BASIC occupies a unique and often underappreciated place in the history of computing.
While modern programmers may look down on it as simplistic or outdated, BASIC was revolutionary
in its time, democratizing access to programming and sparking a passion for coding in countless beginners.
Its straightforward commands, run, print, stop, invited curiosity and creativity,
making the complex world of computing approachable for students,
hobbyists, and future tech leaders like Bill Gates.
BASIC's simplicity was its strength.
It removed barriers, proving that programming didn't have to be intimidating.
Though today's sophisticated languages power cutting-edge applications,
BASIC's legacy is profound. It opened the door to personal computing and laid the foundation for generations of innovation,
reminding us that accessibility often drives the greatest breakthroughs.
Dr. Kurtz's vision extended beyond
technology. He believed in empowering everyday individuals with tools for exploration and
creativity. His legacy lives on in modern programming education and technologies like
cloud computing. His contributions remain foundational, ensuring computing is not just for the few, but for everyone.
For me personally, I can honestly say I would probably not be doing what I do today professionally
were it not for having crossed paths with those early 8-bit computers
and the creativity they sparked in me as a young teen.
So thank you, Dr. Kurtz, and warm condolences for all who knew and loved him.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with Amit Lutwak, co-founder and CTO of Wiz.
their work, Wiz Research finds critical NVIDIA AI vulnerability affecting containers using NVIDIA GPUs, including over 35% of cloud environments. That's Research Saturday. Check it out.
We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that
keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show,
please share a rating and review in your
favorite podcast app. Please also fill out the survey in the show notes or send an email to
cyberwire at n2k.com. We're privileged that N2K Cyber Wire is part of the daily routine of the
most influential leaders and operators in the public and private sector, from the Fortune 500
to many of the world's preeminent intelligence and law enforcement
agencies. N2K makes it easy for companies to optimize your biggest investment, your people.
We make you smarter about your teams while making your team smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and
sound design by Elliot Peltzman. Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilby is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week. Bye.