CyberWire Daily - Criminal networks crumble.

Episode Date: July 17, 2024

Interpol pursues West African cybercrime groups. Bassett Furniture shuts down manufacturing following a ransomware attack. A gastroenterologist group notifies patients of a data breach. An Apache HugeGraph flaw is being actively exploited. Octo Tempest updates its toolkit. Satori uncovers evil twin campaigns on Google Play. The cost of the Change Healthcare breach crosses the two billion dollar mark. Cybersecurity venture funding saw a surge last quarter. Cyber regulatory agencies face legal challenges. On our Industry Insights segment, Trevor Hilligoss, Vice President of SpyCloud Labs at SpyCloud, joins us to talk about exploring the intricate world of cybercrime enablement services. Fighting disinformation is easier said than done.

CyberWire Guest
On our Industry Insights segment, Trevor Hilligoss, Vice President of SpyCloud Labs at SpyCloud, joins Dave to talk about exploring the intricate world of cybercrime enablement services. You can find out more about SpyCloud's "How the Threat Actors at SpaxMedia Distribute Malware Globally" here.

Selected Reading
Global Police Swoop on Black Axe Cybercrime Syndicate (Infosecurity Magazine)
Furniture giant shuts down manufacturing facilities after ransomware attack (The Record)
MNGI Digestive Health Data Breach Impacts 765,000 Individuals (SecurityWeek)
Apache HugeGraph Vulnerability Exploited in Wild (SecurityWeek)
Octo Tempest group adds RansomHub and Qilin ransomware to its arsenal (Security Affairs)
Report Identifies More Than 250 Evil Twin Mobile Applications (Security Boulevard)
Change Healthcare's Breach Costs Could Reach $2.5 Billion (GovInfo Security)
Cybersecurity Funding Jumps 144% In Q2 (Crunchbase)
The US Supreme Court Kneecapped US Cyber Strategy (WIRED)
Even the Best Tools to Fight Disinformation Are Not Enough (The New York Times)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Interpol pursues West African cybercrime groups. Bassett Furniture shuts down manufacturing following a ransomware attack. A gastroenterologist group notifies patients of a data breach. An Apache HugeGraph flaw is being actively exploited.
Starting point is 00:02:16 Octo Tempest updates its toolkit. Satori uncovers evil twin campaigns on Google Play. The cost of the Change Healthcare breach crosses the $2 billion mark. Cybersecurity venture funding saw a surge last quarter. Cyber regulatory agencies face legal challenges. On our Industry Insights segment, Trevor Hilligoss, vice president of SpyCloud Labs,
Starting point is 00:02:39 joins us to talk about exploring the intricate world of cybercrime enablement services. And fighting disinformation is easier said than done. It's Wednesday, July 17th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thank you for joining us once again. It is great to have you with us. Interpol has dealt a significant blow to several West African cybercrime groups, including the infamous Black Axe Syndicate, through Operation
Starting point is 00:03:32 Jackal 3. Running from April 10th through July 3rd across 21 countries on five continents, the operation resulted in 300 arrests and the seizure of $3 million in assets. Police identified 400 suspects and blocked over 720 bank accounts. Black Axe, known for decades of criminal activity, has profited heavily from romance fraud, business email compromise, and other financial crimes. Additionally, a Nigerian-led international criminal network was dismantled in Argentina after a five-year investigation linked to money laundering in over 40 countries
Starting point is 00:04:13 and victimizing 160 individuals. Portuguese police also disrupted a Nigerian criminal network involved in recruiting money mules and laundering illicit funds across Europe. Bassett Furniture Industries, one of the largest U.S. furniture companies, was forced to shut down its manufacturing facilities following a ransomware attack that began on July 10. The hackers encrypted data files, leading Bassett to activate its incident response plan and shut down some IT systems. While retail stores and the e-commerce platform remain open,
Starting point is 00:04:50 the company's ability to fulfill orders is impacted. Bassett is working to restore systems and reduce disruption, but admitted the attack has materially impacted operations. No ransomware group has claimed responsibility. This incident occurred as Bassett reported a 17% revenue decrease for the second quarter of 2024. The attack also highlights the growing number of 8-K filings to the SEC regarding cybersecurity incidents, following new disclosure rules effective since December of last year.
Starting point is 00:05:32 MNGI Digestive Health, an independent group of certified gastroenterologists which operates roughly a dozen clinics and endoscopy centers around the Twin Cities metro area, is notifying over 765,000 individuals about an August 2023 data breach that compromised personal information, including names, social security numbers, medical and financial details. Although the breach occurred on August 20th of last year, it took nearly a year to identify the affected individuals and their addresses for notification. MNGI assures that there's no evidence of misuse of the data. The company is offering 12 months of free credit and identity protection services. The ALPHV/BlackCat ransomware group claimed responsibility for the attack. Threat actors are exploiting a recently patched vulnerability in Apache HugeGraph,
Starting point is 00:06:24 an open-source graph database system. The flaw allows remote command execution and was patched in version 1.3.0. The Shadowserver Foundation reported seeing exploitation attempts from eight IP addresses starting June 6, with an increase last week. Proof-of-concept exploit code became available in early June, and SecureLayer7 rated the flaw as critical, warning that it enables attackers to bypass sandbox restrictions and take control of the server. Microsoft reports that the Octo Tempest cybercrime gang, also known as Scattered Spider and 0ktapus, added RansomHub and Qilin ransomware to its toolkit.
Starting point is 00:07:11 Active since early 2022, Octo Tempest is notorious for the 0ktapus campaign, compromising hundreds of organizations, including Twilio, LastPass, and DoorDash. The gang excels in social engineering, identity compromise, and targeting VMware ESXi servers with BlackCat ransomware. The Qilin ransomware group, active since August of 2022, employs a double extortion model, recently impacting Synnovis
Starting point is 00:07:41 and causing significant disruptions in London hospitals. The Satori threat intelligence team, funded by HUMAN Security, revealed a massive ad fraud operation named Konfety. Cybercriminals are using the CaramelAds SDK to create evil twins of legitimate Google Play Store applications. These decoy apps are used to commit ad fraud and redirect users to malware-laden websites. While not directly fraudulent, these apps are disseminated through malvertising, leading to browser extensions, web search monitoring, and sideloading malicious code. Over 250 such apps have been identified. The SDK itself isn't malicious, but was exploited to display ads, sideload APKs, and connect to command and control servers. Lindsay Kaye of HUMAN Security
Starting point is 00:08:36 notes, this attack vector is likely being adopted by multiple threat actors. Organizations are urged to pressure ad networks for better security and educate users about the risks of mobile apps. The cost of the Change Healthcare breach has reached $2 billion, according to UnitedHealth Group. The February ransomware attack on Change Healthcare, part of UHG's Optum unit, resulted in $1.98 billion in costs by the end of June, with projections reaching up to $2.45 billion. This includes $1.3 billion in direct costs and additional expenses from restoring services and managing higher medical costs due to disrupted care management. Despite the breach, UHG reported a 6% increase in second quarter revenue,
Starting point is 00:09:30 totaling $98.9 billion. UHG paid a $22 million ransom to the BlackCat group, and ongoing efforts to notify affected individuals continue, potentially impacting up to a third of the U.S. population. State attorneys general advise vigilance against identity theft and fraud due to the exposed sensitive information. Venture funding for cybersecurity startups surged 144% year-over-year in the second quarter of 2024, reaching $4.4 billion across 153 deals, according to Crunchbase. This marks the best quarter since the first quarter of 2022,
Starting point is 00:10:14 driven by significant nine-figure funding rounds, despite a decrease in deal count. Notably, cloud security startup Wiz raised $1 billion, contributing to the uptick. Other large rounds included Sierra's $300 million Series C and Island's $175 million Series D. The first half of 2024 saw $7.1 billion in venture capital, a 51% increase from the first half of 2023. Factors contributing to this growth include increased cyber hacking, threat proliferation due to AI, and renewed enterprise spending on cybersecurity. Investors remain optimistic about supporting robust security startups poised to challenge industry giants. In a piece for Wired, Eric Geller reports that the Commerce Department's proposal to require cloud companies to verify customer identities and report activities
Starting point is 00:11:16 faces potential legal challenges. Critics, including a major tech trade group, argue the regulations may exceed congressional authority. Lawsuits might also target other regulations like those from the FTC and FCC based on outdated laws. The EPA's withdrawal of cybersecurity requirements for water systems after court challenges highlights this issue. Federal judges could issue differing rulings
Starting point is 00:11:44 complicating enforcement. Experts suggest Congress must pass new, clear laws to empower agencies to mandate cyber improvements. Despite Congress's slow pace, there's bipartisan agreement on the need for action in cybersecurity. Indeed, the GOP's recently announced platform prioritizes securing critical infrastructure, indicating possible progress regardless of election outcomes.
Starting point is 00:12:19 Coming up after the break, my conversation with Trevor Hilligoss from SpyCloud. We're talking about the intricate world of cybercrime enablement services. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:13:03 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from BlackCloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Protect your executives and their families 24-7, 365 with BlackCloak. Learn more at blackcloak.io.
Starting point is 00:14:42 On today's sponsored Industry Insights segment, my conversation with Trevor Hilligoss, Vice President of SpyCloud Labs at SpyCloud. He joins us to talk about exploring the intricate
Yeah, it is kind of a mouthful too. And I would forgive anybody for not having heard this because I think I first heard this like less than a year ago. But I think it's a pretty good general term that describes kind of an umbrella of tools and services that I would kind of tag as criminal or criminal adjacent. So that, you know, could include things that are very explicitly criminal, like commodity malware. Info stealers have been, you know, getting a lot of attention lately with some of the high-profile breaches that have been occurring. But it extends to things that folks might not immediately think of when they think
Starting point is 00:15:31 about what is being used to commit cybercrime. So the DOJ put out a press release a few weeks ago that was really a fantastic read on their takedown of the 911 S5 residential proxy service. And so that was basically a service that allowed people that wanted to commit crimes, especially fraud. I think they cited a crazy statistic in there, like $6 billion worth of fraud just in pandemic unemployment claims that were filed using the service. But it basically allows people to transact their network activity through a router or a computer that's not theirs and appear to be in a place that they're not. So I would summarize CES in general as this umbrella that describes a lot of these related services and tooling that has become this hot market for criminals
Starting point is 00:16:27 that are looking to kind of build their own tool belt and commit crimes. Can we run through some of the types of things that these folks are offering? I mean, what are some of the things that you and your colleagues there at SpyCloud see out on the market? Yeah, so I guess the headline really is commodity malware. Like I said, I think this has been getting just a ton of coverage lately. A few weeks ago, we got the news that the Medibank ransomware event of 2022 was traced back to an info stealer that hit an employee's personal device that then was able to siphon out credentials that were for Medibank's corporate network. It's really interesting to look at this, I think, because for a long time, we in the research community kind of used sophistication as a buzzword for success.
Starting point is 00:17:20 When talking about cyber actors online, be it nation-state affiliated folks or people that are more financially motivated. But with the rise of kind of the commodification of malware, malware as a service especially, that's sort of not really the whole truth anymore, right? You can basically see a situation where a criminal with a few bitcoin, a few tenths
Starting point is 00:17:46 of a bitcoin kicking around in their digital wallet can take that to somebody who has already crafted a pretty comprehensive stealer. Look at something like Redline or Raccoon, for example, and gain access to something that's already built and likely has quite a bit of infrastructure behind it as well. So that poses kind of a high risk to the community because instead of having sort of the smaller pool of high sophistication actors that are able to kind of carry out these really vast and costly cyber attacks, we see that being given to much lower sophistication, lower tech folks that are, you know, a much lower barrier to entry to get into this field. Help me understand the spectrum of players here. I mean, one of the things that fascinates me about
Starting point is 00:18:39 this is that you've got folks who have chosen, rather than doing the crimes, to provide the tools with which to do the crimes. That's the amazing part of this, right? I remember years ago, my background is in federal law enforcement in the U.S., and I remember looking at crypting services. This is many years ago. And these are, for your listeners that might not be aware, crypting services are basically small bits of code that can modify, you know,
Starting point is 00:19:13 the code of a malware application so that it's less likely to be detected by like an antivirus or something like that, right? So I remember having these conversations years ago about these cryptors because they play such a massive role in this ecosystem, right?
Starting point is 00:19:29 I mean, malware's useless unless you can actually deliver it. But they're not really malicious in themselves, right? They're kind of benign if you look at them without the context of how they're used. So those kind of things, the residential proxies, install brokers probably to a greater degree,
Starting point is 00:19:51 they kind of exist on this spectrum of, on one side, you've got very explicitly illegal stuff. Any rational human being would look at this and say, okay, there's no legitimate purpose for somebody to maintain, install services, and deliver malware to people at scale. And then on the other side, you've got these services and tools that oftentimes have a legitimate purpose, like residential proxies. I mean, you can look online and find legitimate businesses that are selling access to residential proxies. But you also have ones that are much less legitimate. And even ones that, you know, maybe sit in that gray area, but they're
Starting point is 00:20:32 used by criminals. So it's kind of muddy when you look at like, how do we pursue this? It's not necessarily as clear of a picture as it would be to go after, you know, a ransomware affiliate or somebody that's developing an info stealer, for example. You know, you talk about sophistication. Can we talk about the sophistication of the users here, the folks who are out here buying these things? Are we really at the point now where someone with very little technical abilities can decide this is something they want to pursue and find the services to enable them to do it? Yeah. Yeah. I mean, largely that's correct. You know, one of the things we've seen in the last couple of years is it used to be, you know, maybe you could get access to
Starting point is 00:21:18 a malware somebody's produced and you've purchased it, but there's still some infrastructure you need to set up, right? You got to find a hosting provider that's not going to boot you. You got to figure out how to host your command and control server, and maybe you got to do a proxy here and there to kind of obfuscate your traffic. Nowadays, while those examples definitely still exist, there's this kind of whole market that's supporting this extremely low sophistication, like using things like Discord and Telegram to actually be the command and control server and to exfiltrate the data through what is essentially an application on a phone. And so essentially, for the criminal's perspective, the person that's buying access to this,
Starting point is 00:22:09 they basically need a phone and a Bitcoin wallet, right? And I mean, I'm oversimplifying that, but it is kind of incredible how low the barrier to entry has become. We look at cybercrime actors and we say, wow, this APT is so sophisticated. They've got this whole cyber range that they built and they've got the exact hardware that they're targeting and we need to worry about. We need to worry about the, I mean, quite frankly, kid or young adult that, like I said, has a little bit of Bitcoin, has some basic technical competencies, knows where to look, can read some tutorials that are put out there online. And then suddenly, by virtue of this decentralized economy, they're able to scale up and be this huge player and be incredibly damaging to, quite frankly, the global economy. Well, for the folks who are tasked with protecting their organization against these types of things, what are your recommendations? Again,
Starting point is 00:23:18 you and your colleagues there at SpyCloud, what sort of things are you suggesting for folks to better protect themselves? Yeah, well, unfortunately, there really isn't a silver bullet. And, you know, this is such a big problem. And it's such a decentralized problem that you can, you kind of have to approach it from a number of different angles. So, you know, we could talk about very like specific technical things you can do, like, you know, requiring multi-factor authentication is always a good choice, but that's not infallible, right? A lot of these info stealers, for example, almost all of them contain a cookie theft module. So that enables a criminal to grab a session cookie. And as long as that's valid, they don't really need to trouble themselves with bypassing or emulating that MFA. And that leads into have very short cookie timeouts if that's within your control to modify. But I think the kind of the overarching strategy here is one of awareness. And so what I would recommend is have you know, have visibility into what the criminals have, right?
Starting point is 00:24:26 The amount of data that's out there on every single one of us is, you know, quite frankly, pretty staggering when you really look at it. So, you know, companies like SpyCloud, we go out and we try to recapture that data. We, you know, make sure that it is queryable and pivotable and we can notify on that. So, you know, just having kind of the protections in place to stop the attacks, certainly do all of those things. I'm not recommending you turn off your EDR by any means. But, you know, realize that one of the most pervasive parts of this whole ecosystem is that the actual infection event is kind of a blip in the total timeline of the risk. Once the data is stolen, the internet is forever. So, you know, you might think that you've kind of resolved the incident on your network and,
Starting point is 00:25:19 you know, likely you have, but that doesn't mean that the data that was stolen is not in the hands of criminals. And it might be days, it might be months or years, but eventually that data is going to be used. And it's going to be used for malicious purposes. That's Trevor Hilligoss, vice president of SpyCloud Labs. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Starting point is 00:26:38 And finally, in a chaotic election year, Ruth Quint, a volunteer with the League of Women Voters of Greater Pittsburgh, is doing her best to fight disinformation using a variety of tactics. But she's uncertain about their effectiveness. Despite her efforts, including online tutorials, debunking videos, and a pilot project using AI, the overwhelming flow of false information remains daunting. Researchers have identified common toxic content and how it spreads, but effective countermeasures like fact-checking and warning labels have limited impact. A massive study with 33,000 participants showed these interventions only improve the ability to judge true from false headlines by 5-10%.
Starting point is 00:27:27 Experts worry that sophisticated disinformation schemes will outpace weak defenses, influencing elections globally. Online platforms are burying political posts, making it harder for Quint to reach audiences. Despite extensive efforts, disinformation continues to undermine trust and engagement. The problem is complex, with disagreements on solutions and even definitions. Strategies like fact-checking and content moderation help, but millions still believe false narratives. Researchers hope combining multiple tactics will provide some defense. However, educators and volunteers like Quint feel their efforts are Sisyphean, fighting a flood of disinformation with limited resources.
Starting point is 00:28:13 Solutions such as redesigning online spaces and AI as a hall monitor are being explored, but the challenges remain immense. Jonathan Stray from the Center for Human-Compatible AI stresses that while there is a retrenchment in the field, abandoning the project is not an option. The ongoing search for effective strategies to rebuild trust and ensure information integrity is crucial in this battle against disinformation. It may be daunting, but folks like Ruth Quint need to keep fighting the good fight.
Starting point is 00:28:54 And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
Starting point is 00:29:22 We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment,
Starting point is 00:29:39 your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. Our mixer is Tré Hester with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf.
Starting point is 00:29:58 Simone Petrella is our president. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Starting point is 00:31:04 Learn more at ai.domo.com. That's ai.domo.com.
