CyberWire Daily - Collective defense in cyberspace. Notes on gangs, privateers, and hacktivist auxiliaries. Amazon Prime Day is now a commercial holiday (like Black Friday): crooks have noticed–stay safe.

Episode Date: July 11, 2023

NATO considers Article 5 in cyberspace, while cyberattacks conducted in the Russian interest target the NATO summit. Anonymous Sudan remains a nuisance-level irritant. Cl0p's surprising use of MOVEit exploits. Asylum Ambuscade is a case study in privateering. There are reports of a breach at Razer. An indictment in a cyber incident at a California water treatment facility. Genesis Market's fire sale. Carole Theriault on the data Amazon customers provide with some suggestions on curbing it. Our guest is Dmitry Bestuzhev, senior director in Cyber Threat Intelligence for BlackBerry. And Amazon Prime Day is upon us–the crooks have noticed. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/130

Selected reading.
A Cybersecurity Wish List Ahead of NATO Summit (SecurityWeek)
NATO’s Christian-Marc Lifländer on how the alliance can take a ‘proactive’ cyber stance (Record)
Ukraine has set the standard on software power (POLITICO)
RomCom Threat Actor Suspected of Targeting Ukraine's NATO Membership Talks at the NATO Summit (BlackBerry)
Threat group testing more sophisticated DDoS hacks, authorities warn (Cybersecurity Dive)
Move It on Over: Reflecting on the MOVEit Exploitation (Huntress)
Cl0p has yet to deploy ransomware while exploiting MOVEit zero-day (SC Media)
Asylum Ambuscade: crimeware or cyberespionage? (WeLiveSecurity)
Crimeware Group Asylum Ambuscade Ventures Into Cyber-Espionage (Infosecurity Magazine)
Razer investigates data breach claims, resets user sessions (BleepingComputer)
Razer Data Breach: Alleged Database and Backend Access Sold for $100k (HackRead)
Alleged Razer data breach: Hacker demands US$100K in crypto in exchange for stolen data (Vulcan Post)
Razer gets pwned as hackers steal source code (Cyber Security Connect)
Razer Cyber Attack: Gaming Hardware Giant Faces Data Breach (The Cyber Express)
Amazon Prime Day: Buyers Beware of Phishing Campaigns Targeting Online Shoppers (Veriti)
Tracy Resident Charged With Computer Attack On Discovery Bay Water Treatment Facility (US Attorney for the Northern District of California)
Tracy man indicted for illegally accessing water treatment network (CBS News)
Technician Indicted for Hacking California Water Treatment Facility (HackRead)
Tracy Man Charged With Computer Attack On Discovery Bay Water Treatment Facility (Contra Costa News)
Genesis Market gang tries to sell platform after FBI disruption (Record)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 NATO considers Article 5 in cyberspace while cyber attacks conducted in the Russian interest target the NATO summit. Anonymous Sudan remains a nuisance-level irritant. Cl0p's surprising use of MOVEit exploits.
Starting point is 00:02:14 Asylum Ambuscade is a case study in privateering. There are reports of a breach at Razer. An indictment in a cyber incident at a California water treatment facility. Genesis Market's fire sale. Carole Theriault on the data Amazon customers provide with some suggestions on curbing it. Our guest is Dmitry Bestuzhev, Senior Director in Cyber Threat Intelligence for BlackBerry. And Amazon Prime Day is upon us, and the crooks have noticed. I'm Dave Bittner with your CyberWire Intel briefing for Tuesday, July 11th,
Starting point is 00:02:58 2023. The summit in Vilnius, Lithuania affords an opportunity for NATO to take stock of its collective cyber defenses. The NATO Cooperative Cyber Defense Center of Excellence in Tallinn has proven its value, and as cyberspace has become a generally recognized operational domain, the alliance may consider ways in which it might build even more effective collective security in that fifth domain. Security Week offers a range of suggestions that may be under consideration, from collective joint cyber training to the formation of a NATO Cyber Command, analogous to the National Cyber Command several of its members have developed, to considerations of the ways in which cyber attacks might trigger the collective defense provisions of Article 5, and consideration of what a proportionate response to the cyber phases of a hybrid war might look like.
Starting point is 00:04:06 The summit runs today and tomorrow. We'll be following the cyber-relevant developments. BlackBerry researchers have found that the RomCom threat actor is using malicious documents to spread its remote-access Trojan. The targeting is significant. BlackBerry says, based on the nature of the upcoming NATO summit and the related lure documents sent out by the threat actor, the intended victims are representatives of Ukraine, foreign organizations, and individuals
Starting point is 00:04:36 supporting Ukraine. The researcher's conclusion reads, based on the available information, we have medium to high confidence to conclude that this is a RomCom rebranded operation, or that one or more members of the RomCom threat group are behind this new campaign supporting a new threat group. So, the NATO summit hasn't escaped the attention of those interested in disrupting what Russian state media nowadays calls the collective West. Anonymous Sudan launched another wave of DDoS attacks against U.S.-owned companies over the weekend, leading into Monday morning. The group, widely believed to be a Russian cyber-auxiliary, claimed that the DDoS attacks against Reddit, Tumblr, Flickr, and ArchiveYourOwn.org
Starting point is 00:05:25 were to take down services which host LGBTQ+, and not safe for work content. The group explained on its Telegram page, It's part of our campaign targeting companies registered in the United States. The operators of this site is Organization for Transformative Works, OTW, who are registered in the United States. In addition to that, we are against all forms of degeneracy, and the site is full of disgusting smuts and other LGBTQ plus and NSFW things. Anonymous Sudan has also posted tweets from irritated users of Tumblr, Reddit, and Flickr, presumably as evidence of the hacktivist auxiliary's successful DDoS attack.
Starting point is 00:06:11 Update on the Anonymous Sudan story from yesterday: after ArchiveOfOurOwn.org, AO3, tweeted that its volunteer IT staff is working to fight off the DDoS attack, Anonymous Sudan wrote that it demands a ransom of $30,000. Anonymous Sudan will attack, and if there's public outrage or irritation, the group demands money. Anonymous Sudan, despite its name, is almost certainly a front operated under the direction of Russian intelligence. It's shown a growing sophistication in its operations, and its DDoS activity, more successful than most such attacks,
Starting point is 00:06:50 suggests that it's receiving relatively lavish funding. The infrastructure necessary to conduct a DDoS on the scale the group has doesn't come cheap, Cybersecurity Dive points out. Researchers at Huntress note that the Cl0p gang, despite compromising many entities via the MOVEit vulnerabilities, still hasn't used the access to deploy ransomware or compromise entire organizations. The group appears to be monetizing compromises that took place in late May by posting stolen data to its leak site. The researchers believe Cl0p overloaded itself with opportunities and is working to monetize as many of them as possible until discovery or eviction.
Starting point is 00:07:35 For all of Cl0p's prominence in MOVEit exploitation, their backlog is surprising and, on reflection, a little dismaying. Just how much has the gang got on its plate? Asylum Ambuscade is a criminal group active since at least 2020 that's engaged in attacks against banks and cryptocurrency traders. ESET reports that the gang increasingly is functioning as an espionage service as well. ESET writes, "Asylum Ambuscade has been running cyber espionage campaigns since at least 2020." Asylum Ambuscade, whose attacks commonly begin with spear phishing,
Starting point is 00:08:18 is thought to be a financially motivated group that engages in cyber espionage as a side hustle. Who's hiring them is unclear, and ESET offers no speculation, but Infosecurity Magazine notes some coincidences that suggest circumstantially that Pyongyang may be a client. Bleeping Computer reported yesterday on recent rumors that the video game hardware company Razer may have been hacked on July 8th. A user on a nondescript hacker forum made a post titled "Razer.com, source code, database, encryption keys, etc.," and requested $100,000 in Monero cryptocurrency, which is known for its
Starting point is 00:08:59 transaction anonymity, for a full dump of the alleged stolen information. Razer responded to this claim on July 9th in a tweet stating, "We have been made aware of a potential breach and are currently investigating." Bleeping Computer also reported that Razer seems to have reset all member accounts, requiring users to log in with their username and password, likely as a security response to the potential breach. Razer, while famous for their gaming accessories, also has several online paid services such as Razer Gold, a video game purchasing service with the ability to purchase in-game items.
Starting point is 00:09:39 A federal grand jury has indicted a man from Tracy, Massachusetts, for intentionally causing damage to a protected computer after he was accused of remotely deleting critical software from a water treatment facility. The man, Rambler Gallo, was employed as an instrumentation and control tech for a private company responsible for operating the Discovery Bay Water Treatment Plant, located in Discovery Bay, California. The indictment was filed on June 27th and was unsealed on July 6th. HackRead reports that Gallo apparently resigned from the company responsible for servicing the plant and subsequently uninstalled the critical software on the water plant's computers. We note that Mr. Gallo is, of course, entitled to the presumption of innocence with respect to the allegations. The operators of the criminal
Starting point is 00:10:31 marketplace Genesis Market are attempting to sell the platform, the Record reports. The attempted sale follows disruptions and seizures carried out by the U.S. FBI earlier this year. The criminals say the sale includes "all the developments, including a complete database, source codes, scripts with a certain agreement, as well as server infrastructure." So hop to it, world. The boss is on vacation, or maybe under indictment, which amounts to pretty much the same thing. And they've all gone crazy. Step right up. All sales are probably final. And finally, we've long seen that cyber criminals, hacktivists, and even intelligence services
Starting point is 00:11:13 pay as much attention to the calendar as any ordinary Joe or Jane. And since we now tend to observe sales as if they were holidays, like Black Friday or Cyber Monday, the crooks are observing these in their own way, too. As Amazon Prime Day arrives with promising deals and discounts, it also presents a perfect opportunity for scammers and cyber threat actors to take advantage of eager shoppers. Veriti released a preparatory report for users in an attempt to cut the threat actors off at the pass.
Starting point is 00:11:47 Veriti explains that PDF-based phishing schemes are a common tool to trick shoppers into giving up their Prime credentials. They say unsuspecting users are directed to a phishing website after opening the PDF document, meticulously crafted to mimic the official Amazon login page. The attackers employ AI-generated text, such as ChatGPT-generated content, to make the phishing sites look convincing. The threat actors are also almost certainly going to use email and fake applications as phishing techniques. It's imperative that users only visit the legitimate Amazon shopping page or use the Amazon shopping application, which was developed by Amazon Mobile LLC. Veriti also suggests verifying
Starting point is 00:12:34 that the website you're visiting is legitimate before inputting any personal information. Don't be a prime target for threat actors and scammers. Remain vigilant and skeptical. And happy Prime Day to all those who celebrate. Coming up after the break, Carole Theriault on the data Amazon customers provide and some suggestions on curbing it. Our guest is Dmitry Bestuzhev, Senior Director in Cyber Threat Intelligence for BlackBerry. Stay with us.
Starting point is 00:15:17 Dmitry Bestuzhev is Senior Director in Cyber Threat Intelligence for BlackBerry. They recently published their Q1 global threat intelligence report, and I checked in with Dmitry Bestuzhev for the details. One of the, let's say, terrific things we have seen: in 90 days we have stopped 1,578,000 malware-based attacks. And that is really a big number, because when you convert it into seconds and minutes,
Starting point is 00:15:54 you realize that it's about 12 attacks per minute, every minute. Also, there is something interesting. Splitting those 90 days per week, we can see that the major number of attacks, more than 200,000 attacks, came with online purchases: everybody was looking to buy something, also online promotions, on-sale things. So that is what we can say in regards to the amount of attacks that happened exactly in the first week of December, while the lowest number of attacks happened in the fourth week of December, which is, again, logical, because of vacations: people already bought everything, so nobody is doing any online purchases, just spending time with the family, sitting at home, relaxing.
Starting point is 00:16:59 So that said, it's interesting that malware reflects the motivations of threat actors and also victims' habits. So it's not about malicious code only. It's about people. It's about our life. What are you seeing in terms of the threat actors themselves? The tools they're using and how aggressive they are?
Starting point is 00:17:23 That's a sad part. It's something which concerns me most, because we have seen that the threat actors, financially motivated threat actors, nation-state threat actors, those who are in a gray zone (it's unclear who it can be, because they use shared tools, the same tools, the same weapons used by both nation-states and cybercrime), those threat actors, in general, have targeted the following industries. The most targeted industries are financial institutions, 34%, then followed by health services, 14%, and then food and retailing, 12%. So that is about 60% of all attacks.
Starting point is 00:18:16 And essentially, it's all we need to live. We need access to our finances. We need access to healthcare. We need access to food. So we see that, independently of the origins of the threat actor and the motivation, the impact, what they are targeting, what kind of businesses or industries they are targeting, it's what we need just to live. So that's something really concerning.
Starting point is 00:18:47 So based on the information that you all have gathered here, what are your recommendations? How should folks go about best protecting themselves? That is about knowing who the threat actors are, specifically those targeting the industry you work for, the industry you defend: who are those threat actors, what weapons do they use, and how do they use them? That approach is also called applied CTI, applied cyber threat intelligence. So it's about getting factual, contextual knowledge which you can use to anticipate the attacks and to take specific actions, like, for example, to test your protection capabilities, if not your detection capabilities, the same as your response: can you respond to the attack and recover? So that information, based on the actual attacks, actual weapons, actual threat actors, helps blue teamers, red teamers,
Starting point is 00:19:52 purple teamers enjoying the exercises to test actual capabilities in terms of protection, prevention, response, etc. And that also helps to understand whether the tools we are using, let's say, to protect my network, to protect my assets, are even designed to help me face those threat actors. Because sometimes threat actors might use tactics, techniques, and procedures which are out of the protection scope. It means that even with the best things we can do, best effort, if our defensive systems are not designed to protect against specific techniques, we will not be in a position to stop that threat actor. So my recommendation is to use CTI, cyber threat intelligence, with that context,
Starting point is 00:20:54 so everyone may first do an effective threat model, and second, test your capabilities, as mentioned just before. That's Dmitry Bestuzhev from BlackBerry. You may have noticed that it is Amazon Prime Day, but you may also be wondering what information Amazon gathers about you and your shopping habits, among other things. Our UK correspondent, Carole Theriault, was wondering the same thing.
Starting point is 00:21:38 She files this report. So there I was reading an article in The Guardian about the gazillion-dollar data hoover that is Amazon. And honestly, I was feeling a little smug here because I do not have an Amazon home assistant. I do not have a Kindle. I do not have a Ring doorbell. But then I had to swallow my pride because I am indeed an Amazon Prime member. Now, I use this membership to buy items I cannot find locally or in another shop, and I also enjoy their video streaming service. And listen to this passage from The Guardian. Quote, the 200 million users who are Amazon Prime
Starting point is 00:22:20 members are not only the corporation's most valuable customers, but also the richest source of user data. The more Amazon services you use, whether it's the shopping app, the Kindle e-reader, the Ring doorbell, the Echo smart speaker, or the Prime streaming service, the more their algorithms can infer what kind of person you are and what you are most likely to buy next. The firm's software is so accomplished at prediction that third parties can hire its algorithms as a service, called Amazon Forecast.
Starting point is 00:22:53 I mean, Amazon's data collection is so vast that the only way to stop it completely is not to use the services at all. Actually, it's probably even worse than that. It probably means trying to stay off the internet entirely. And it's not like Amazon hasn't just recently been seriously dinged. It was hit with an $886.6 million fine for processing personal data in violation of the EU data protection rules, the GDPR. And that isn't pocket change, even for the mega giant that is Amazon.
Starting point is 00:23:30 Now, The Guardian go on to make a few suggestions if you wanted to try and curb some of the data that was being collected by Amazon. You can ask the company for a copy of your data by applying under a data subject access request. The Alexa Assistant and Ring Doorbell have their own privacy hubs that allow you to delete recordings and adjust privacy settings. Inside the Ring Control Center, you can tweak settings including who is able to see and access your videos and personal info from the central dashboard. And even when you are speaking to your home assistant, you can say
Starting point is 00:24:12 delete what I just said or delete everything I said today. You can also use privacy-focused browsers such as DuckDuckGo, Firefox, and Brave to stop Amazon from tracking you. And here's the thing that really gets me in all this. It's that these are not free services that Amazon are kindly providing to you in exchange for your data. They are charging you for the Kindle and then access to the digital books. And they're using that collated data to help build a profile of you for their advertising partners. Same goes for the Ring doorbell or the home assistant. And yes, same goes for me, an Amazon Prime user who is paying for these services, but also providing them huge amounts
Starting point is 00:24:59 of data so they can build a profile about me. Maybe that's why I keep getting retirement and funeral ads. I think they've got my age slightly wrong. Or they know something I don't. I'm not sure what's scarier. I don't know, it just reeks of unregulated greed. Like someone who has cashed in their chips but continues to play poker. Not someone I'd want as a friend or as a business partner. And maybe I really need to think hard
Starting point is 00:25:25 about lining Bezos' pockets just so I can stream a few movies. This was Carole Theriault for The Cyber Wire.
Starting point is 00:26:20 can keep your company safe and compliant. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. Thank you. CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter.
Starting point is 00:27:25 Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
