CyberWire Daily - Caffeine in the C2C market. Refund-fraud-as-a-service. Costs of a nuisance. Staying alert during a hybrid war. Renewed Polonium activity. The Uber case's impact on security professionals.

Episode Date: October 12, 2022

Refund fraud as a service. Costs of a nuisance. Remaining on alert during a hybrid war. Renewed activity by Polonium. Andrea Little Limbago from Interos discussing quantum computing policy. CyberWire Space Correspondent Maria Varmazis speaks with Dr. Gregory Falco on lessons learned from Russia's attack on Viasat. Reflections on the Uber case's impact on security professionals. And when it comes to phishing-as-a-service, we'll take decaf.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/196

Selected reading.

The Fresh Phish Market: Behind the Scenes of the Caffeine Phishing-as-a-Service Platform (Mandiant)
Caffeine phishing. (CyberWire)
Refund Fraud as a Service (Netacea)
Amid reports of JP Morgan cyberattack, experts call Killnet unsophisticated, 'media hungry' (SC Media)
Hacktivists Force Companies to Respond to Low-Level Cyberattacks (Wall Street Journal)
Nato warns Russian sabotage on Western targets 'could trigger Article 5' (The Telegraph)
US Not Ruling Out Russian Cyber Offensive (VOA)
Ukraine at D+230: Escalation, but unlikely to be sustainable. (CyberWire)
POLONIUM targets Israel with Creepy malware (WeLiveSecurity)
Hacking group POLONIUM uses 'Creepy' malware against Israel (BleepingComputer)
Security chiefs fear 'CISO scapegoating' following Uber-Sullivan verdict (The Record)
Sullivan verdict sends shockwaves through the security industry (Security Info Watch)
Reflections on the Uber case's impact on security. (CyberWire)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Refund fraud as a service, the costs of a nuisance, speaks with Dr. Gregory Falco on lessons learned from Russia's attack on Viasat, reflections on the Uber case's impact on security professionals, and when it comes to phishing as a service, we'll take decaf. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 12, 2022.
Starting point is 00:03:08 We open with a look at the burgeoning criminal-to-criminal marketplace. Mandiant describes a phishing-as-a-service platform called Caffeine, which is surprisingly accessible and available to anyone on the Internet who knows the URL for its website. As Mandiant explains, Caffeine is unusual in that it allows practically anyone with an email account to register with its services directly, bypassing the usual harum-scarum rigmarole of an underground forum or an encrypted messaging service or a Joe-sent-me recommendation from some trusted hood. Caffeine is also unusual in that it offers templates designed for use against Chinese and Russian targets, which has tended historically to be uncommon. What that means is unclear, but it may be an early sign that the grip Chinese and especially Russian security services have on the cyber underworld may be slipping a bit. Caffeine also knows that it pays to stay close to the customer,
Starting point is 00:04:08 a lesson they might have picked up, perhaps, from close reading of the popular business classic In Search of Excellence. Mandiant researchers note that Caffeine's administrators announced several key platform improvements via the Caffeine news feed, including feature updates and expansions of their accepted cryptocurrencies. There are some other relatively novel offerings available in the C2C marketplace. Security firm Netacea today describes refund fraud as a service.
Starting point is 00:04:44 Refund fraud can seem a relatively dim-witted scam, even by the low standards that prevail among criminals, but it is a problem for retailers. In its most common form, refund fraud involves asking for a refund on an item you, the fraudster, have no intention of returning. It became more common as e-commerce tended to displace in-person shopping during the COVID-19 pandemic. While the individual capers, the onesies and twosies of petty crime, can be small enough,
Starting point is 00:05:12 little by little they add up. Netacea points out that one hood took a guilty plea this past December in a case that involved defrauding one retailer of more than $300,000 over a period of three years. Netacea explains that the fraudulent refunds are outsourced to professional social engineers who complete the bogus refund in exchange for their cut of the refunded value. Here's how it works. First, a customer orders something from an online retailer. Then, the customer hands their order details over to the refund fraud service. The hired scammers initiate a refund request
Starting point is 00:05:51 and inveigle the store into returning the money without receiving a return of the purchased item. And then the customer splits the refund with the criminal service and keeps what they ordered in the first place. Now, wait a minute, you say. Why would the retailer give a refund without getting the item back? Well, that's where the social engineering comes in. The refund fraud as a service operator may claim that the item didn't arrive or that the shipment was incomplete. The box was partly empty. And there are a variety of ancillary support services that can be used to lend plausibility to the otherwise bald criminal narrative. Forged labels, forged scans,
Starting point is 00:06:32 infiltration or compromise of a delivery service, and so on. A secondary C2C market has grown up around those support services, offering training, and so on. The first line of defense is an informed and properly skeptical staff. There will almost always be some interaction between the criminals and customer service, and a well-trained customer service professional can become alert to the various forms of social engineering the refund fraud as a service operators depend on for success. Killnet, the nominally hacktivist group that actually functions as an auxiliary of the Russian intelligence services, claims to have disrupted online infrastructure of JPMorgan Chase.
Starting point is 00:07:21 SC Magazine reports there was no evident effect on the financial services company, and Killnet seems again to have produced a fizzle. The announced attack comes a day after Killnet succeeded in briefly disrupting some public-facing websites at U.S. airports. Even such low-grade, nuisance-level activity exacts a certain cost on its targets. The Wall Street Journal points out that affected organizations still have to defend, investigate, and communicate their response, even when the attack has a negligible effect. As sabotage of the Nord Stream pipelines and German railroad communication networks remains under investigation, the Telegraph reports NATO has warned that sabotage could trigger the Atlantic Alliance's Article 5, the collective defense agreement under which an attack on one member is regarded as an attack on all of them. In the U.S., according to the Voice of America, U.S. officials cautioned against complacency.
Starting point is 00:08:19 While Killnet's recent DDoS attempts have had negligible effect, organizations shouldn't rule out the possibility of major crippling Russian cyber attacks. There's also some activity on the more traditional cyber espionage front. ESET researchers outline recent activity against Israeli targets by Polonium, an Iranian-controlled threat actor that operates from Lebanon. Controlled by Iran's Ministry of Intelligence and Security, Polonium is a cyber espionage operation that specializes in backdooring its targets to extract information and maintain persistence.
Starting point is 00:08:57 And finally, the case of Joe Sullivan, Uber's former security chief, convicted for his attempt to cover up a 2016 hack, has affected the security community, specifically C-suite security professionals. The Record by Recorded Future reports that CISOs now fear that CISO scapegoating may become more commonplace after the verdict, and this may prompt more preemptive whistleblowing from CISOs, since of course, no one wants a sabbatical in the correctional system. On the other hand, Security InfoWatch points out that CSOs have long been ripe for scapegoating. They quote Bob Hayes,
Starting point is 00:09:38 managing director of the Security Executive Council and former CSO of Georgia Pacific and 3M, as stating, I don't think this is anything new. I just think it is a high visibility incident with a different twist. He suggests that CISOs and CSOs should treat the case as a learning opportunity and go forth and do better. So should we all. Coming up after the break, Andrea Little Limbago from Interos discusses quantum computing policy. Our CyberWire space correspondent Maria Varmazis speaks with Dr. Gregory Falco on lessons learned from Russia's attack on Viasat. Stay with us. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security,
Starting point is 00:10:47 but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Starting point is 00:11:55 Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Russia's attack on satellite provider Viasat was certainly one of the more interesting cyber elements of Russia's hybrid war against Ukraine. Our CyberWire space correspondent Maria Varmazis checked in with Dr. Gregory Falco for lessons learned from the attack. One of Russia's opening salvos in its war against Ukraine was its attack against the Viasat KA-SAT network.
Starting point is 00:13:03 On the morning of February 24, 2022, a cyberattack disabled some Viasat modems in Ukraine, cutting off satellite communications for thousands right as Russian ground forces began their invasion. This attack also disabled thousands of wind turbine communication modules in Germany. Dr. Gregory Falco, assistant professor at Johns Hopkins University, studies space cybersecurity, and he and his team just completed a study about this attack in a paper called Lessons Learned from the Viasat Space System Cyber Attack. I recently spoke with Dr. Falco about the Viasat attack, how it worked, as well as key takeaways
Starting point is 00:13:35 for aerospace. And here's some of our conversation. So the first thing that happened was actually possibly not even the attackers for the specific attack. And that happened a number of years ago when a VPN had a vulnerability in it. It was disclosed widely, Fortinet specifically, and a whole bunch of credentials were leaked on the internet. So it happened a couple of years ago. It was attributed to a group called Groove, which was a rather new cybercrime group, also out of Russia or Eastern Europe, probably Russia. And they took credit for it. They were like, hey, look at this cool dump we have here.
Starting point is 00:14:12 And they put it all on the hacker forums. And so we didn't see a lot of activity that was super public as major attacks that occurred out of that immediately after the 2019 segment. Fortinet did push an update to their VPN devices, and some people bopped them in and some people didn't. And that was the genesis of what we think was happening with the Viasat attack. And that's also why Russia may not have had the same level of impact that they may have wanted for the Viasat attack,
Starting point is 00:14:47 because some devices were patched and some were not. Okay. I was interested also in the collateral damage on the wind turbines in Germany, and I'm thinking about, okay, is there a unique risk profile when you're talking about the cybersecurity of a space system in this context? So I do see space systems generally as a field as a single point of failure, because they're pretty homogenous in how they operate. If you are attacking those devices, you're looking at thousands, tens of thousands of those devices. They all are operating exactly the same way. And if someone knocks it, they're all done.
Starting point is 00:15:18 But one thing that's interesting about the space segment is really end up having a lot of them. And also they end up being pretty critical for a whole bunch of different industries that you never would have even imagined, which is kind of where the wind turbine bit comes in for the Viasat attack. Because Russia probably was not targeting these wind turbines, right? But collateral damage can get pretty significant when it comes to space systems. One thing that was kind of really unique and interesting about this attack was doing some of the analysis on the different beam spots
Starting point is 00:15:50 that were targeted by the attackers. And so for these space systems, yeah, you can characterize an attack and then target the overall space system, but you can also target specific individual assets by looking at where your signal is going. And so the attacker was pretty intelligent in this regard where they're actually looking at, and we have a map in our little case study here, they were looking at the map of Ukraine and trying to choose the showing that there's a lot of these beam spots that have overlapping territory with Germany or with other countries that were impacted by this attack. And it's just the nature of the physics for how the beams were sent, the signal was sent down from the satellite to the modems. Switching gears for a second.
Starting point is 00:16:39 So there's a really great warning that you have in the paper. There's a really great warning that you have in the paper, and I'm using warning very explicitly here, because we're talking about dual-use technologies and what this attack means for the commercial sector. You make a point to put in bold, and I really appreciate this, that commercial technology that is engaged for both civilian and military purposes should be prepared to be treated as if they are military targets. What do you think this all means? What should the commercial sector take away from all of this? You know, there's some good posturing going on right now, but it is something where space commercial sector needs to be cognizant that even if they don't think that they're doing anything national security related, but they may have some kind of government customer
Starting point is 00:17:24 or some scent of, hey, we're doing something for security related, but they may have some kind of government customer or some scent of, hey, we're doing something for public good. There are going to be targets. And it's also unclear right now what the US specifically will do to protect those targets that are commercial assets. But as we may know in the cybersecurity community more generally, commercial assets are not really fully aided by the government when it comes to protection, even critical infrastructure sectors, right? There's a support ecosystem that's there, but it's not like the military stands up all its operations to go protect Sony or whatever, right? So this is not the world we live in in the US where the government is just protecting every
Starting point is 00:18:01 one of our commercial assets. And so you just got to be worried about this as a commercial space player now. Not only do you have to make sure your bird is flying and operational, but someone's after you probably. And I think this is a huge awakening to the space community because before, let's say, 2018,
Starting point is 00:18:16 the commercial space community was not even thinking about this topic, generally speaking. That was Dr. Gregory Falco from Johns Hopkins University. And again, the title of his paper is Lessons Learned from the Viasat Space System Cyber Attack. For the CyberWire, I'm Maria Varmazis. And joining me once again is Andrea Little Limbago.
Starting point is 00:18:54 She is Senior Vice President for Research and Analysis at Interos. Andrea, it's always great to have you back on the show. You know, I've been talking to some folks recently about some of the technical aspects of quantum computing and sort of the horizon for where we are on that. But I know you've been tracking, there's been some movement when it comes to policy in quantum. What sort of things have caught your eye? Yeah, and thanks for having me, Dave. It's interesting to see what's going on with quantum right now. The tech discussions on it have dominated, and that's to be understood. It's a nascent area with a lot of opportunity in there. But what's interesting is that just as nascent as a technology, policy is starting to actually look at what the roadmap might be for quantum.
Starting point is 00:19:31 And so we saw earlier in May the National Quantum Initiative. That was a presidential executive order and directive that was released, really highlighting the role, the essential role of quantum for national competitiveness, national security, economic security. And so that was one of just really kicked off a series really over the last few months, where we saw CISA also release some, do a press release doing some guidance on how to prepare critical infrastructure for quantum computing in a world of quantum algorithms. And then we saw the NSA just in early September do a press release on how to think about a future where there might be quantum-resistant algorithms and what the requirements might be to live in that world securely.
Starting point is 00:20:18 And the big concern for a lot of these on the policy side is how can we secure and to keep our data safe and maintain privacy at a time when there might be algorithms out there that can decrypt any of the general encryption that's out there? So there's a lot coming on.
Starting point is 00:20:38 I think we'll probably see more. I think it's a growing trend. Yeah, I mean, it's interesting too that I guess that we're seeing proactive measures here, that the policy isn't lagging in this case. Yeah, and I think that's what's especially interesting to me. For years, shown a chart where you see technology exponentially exploding and policy basically being a very flat line. And this is one of those cases where we're seeing policies starting to try and get ahead of where the technology is going. Basically, you know, racing to the puck.
Starting point is 00:21:09 One, it's very interesting. It's an interesting policy shift. You know, ideally, you know, something that will give us enough time to put some thoughtful considerations into it instead of being reactive. And so it's a much, you know, I think it's a really good harbinger of a more of a proactive policy when it comes to technological innovation. So I'm hopeful on that. I do have concerns whether, given that we still have policy debates over regular encryption right now, still going on, we still have the five eyes with a directive basically wanting to have some form of a backdoor in encryption. And so I do worry that some of the lessons learned from the various decades of crypto debates
Starting point is 00:21:47 will actually trickle into the quantum discussion as opposed to taking the lessons learned and building towards a future where we understand there's the necessity of really secure algorithms to help protect the data. I'll be curious to see how much of the crypto wars then become into quantum computing and quantum algorithms.
Starting point is 00:22:09 We'll have to see on that. Do you sense any fear that we could experience an equivalent of a Sputnik moment here where one of our adversaries makes a leap forward? Is it on a timeline that we weren't expecting? So I think that is also what is sparking some of this, that understand that whoever gets to it first and really has the capacity,
Starting point is 00:22:33 basically will be the ones that can decrypt a lot of the wrongly protected data that's out there right now and give them a huge competitive advantage, both on the economic front and on national security. If you can no longer protect, you're basically the crown jewels of your national security, or if companies can no longer protect their IP, that really is a game changer. So I do think that there's a strong movement and strong understanding that this is something that
Starting point is 00:22:56 we need to move to fast and move. But at the same time, given that there still is a horizon there, get the policy in place and get the resources in place to actually help target it towards I guess the more effective policies in that regard. And then also help allocate resources to help move towards that desired end state faster than competitors.
Starting point is 00:23:18 Yeah. All right. Well, interesting times for sure. Andrea Little Limbago, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
Starting point is 00:23:45 a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. Clear your schedule for you time
Starting point is 00:24:19 with a handcrafted espresso beverage from Starbucks. Savor the new small and mighty Cortado. Cozy up with the familiar flavors of pistachio. Or shake up your mood with an iced brown sugar oat shake and espresso. Whatever you choose, your espresso will be handcrafted with care at Starbucks. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:25:03 Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Liz Ervin, Rachel Gelfand, Tim Nodar, Joe Kerrigan, Carol Terrio, Maria Varmazis, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Catherine Murphy, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
Starting point is 00:26:26 That's ai.domo.com.
