CyberWire Daily - Cybercrime and the criminal-to-criminal markets that support it during the holiday shopping season. Shaming as a pressure tactic. Living large, even when living on the lam.

Episode Date: November 30, 2021

Today, it’s all crime all the time. Cybercrime, the C2C underground market, and the expansive holiday shopping season. Rebranding in gangland. How crooks exclude targets on the basis of language or geolocation. Shaming as a criminal pressure tactic. Bad apps in the Play Store. Andrea Little Limbago looks at internet blackouts. Carole Theriault wonders what the Metaverse really means. And living large while living on the lam. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/228 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. It's crime, crime all the time. Cybercrime, the C2C underground market and the expansive holiday shopping season. Rebranding in gangland, how crooks exclude targets on the basis of language or geolocation. Shaming as a criminal pressure tactic, bad apps in the Play Store.
Starting point is 00:02:20 Andrea Little Limbago looks at internet blackouts. Carole Theriault wonders what the metaverse really means, and living large while living on the lam. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, November 30th, 2021. There's a fair bit to think about today with respect to cybercrime and the hoods, goons, molls, gunsels, cons, delinquents, skells, perps, and gonifs who commit it. We're in the midst of what's come to be called the holiday season, although the shopping season may be more apt. And of course, the C2C markets
Starting point is 00:03:17 are as aware of this as anyone else. Phishing-as-a-service operations are rising in prominence in those criminal-to-criminal markets during the holiday season, security firm Egress warns. They've observed a surge in typosquatting associated with phishing kits, with Amazon in particular being an obvious favorite for impersonation. Egress writes, quote, In the week before Black Friday, researchers uncovered 200 new phishing kits containing imitation Amazon emails available on dark and clear web forums, with some retailing for as little as $40. One listing offers multiple language support, the ability to obtain credentials for a range of email providers, and the option to prompt victims to take and submit pictures of their credit cards. Some kits boast capabilities to avoid detection, with one listing offering automated IP address checks
Starting point is 00:04:14 to prevent automated security tools from scanning the link. The effect of this is to commodify cybercriminal tools and to lower the barriers to entry for aspiring crooks who lack the technical chops or perhaps just the patience to develop the phishing tackle themselves. While a great deal of the discussion of C2C markets and increased rates of online fraud has been associated with Black Friday, and since Black Friday is now four days in the temporal rearview mirror, one might think that the risk was subsiding, but in this case, one would be wrong. Have you noticed that the pumpkinification of supermarkets and discount stores now begins sometime in August, more than two months before Halloween? It's season creep. And season creep has extended Black Friday, Cyber Monday, and Giving Tuesday from their nominal days to real weeks. Expect the rate of cybercrime to remain high for the next month, at least. Late yesterday, security firm Mandiant released a
Starting point is 00:05:21 report on Sabbath, which refers to itself by the leetspeak numeronym 54BB47H. Get it? A ransomware shaming site that resurfaced on October 21st. Sabbath isn't actually new. Mandiant researchers have determined, on the basis of the Cobalt Strike beacon infrastructure the group uses and the sadly persistent grammatical errors that it preserves from site to site, that Sabbath is in fact a rebranding of a ransomware affiliate operation that has earlier gone by the names of Eruption and, more recently, Arcane. Mandiant tracks the gang as UNC2190 and says it's made a specialty of targeting critical infrastructure, including education, health, and natural resources in the United States and Canada.
Starting point is 00:06:13 UNC2190's preferred strain of ransomware is called Rollcoast, which appears to be a non-Java cousin of Tycoon ransomware. Rollcoast has, as many other malware strains do, a list of excluded languages, which the malware won't execute if it detects them on the system it infests. The usual languages, those spoken in Russia and the near abroad, are on the list. But in addition to these are some unusual exclusions.
Starting point is 00:06:43 Some of them are quite surprising. Croatian, Slovak, Albanian, Swedish, Latvian, and many others. Not on the exclusion list: English, French, and Spanish, to mention just three. Why is it characterized as a shaming operation? Well, that's because it uses a mixture of direct contact with downstream victims and public exposure of stolen data to pressure its targets into paying. Sabbath had its coming-out party with an attack on a U.S. school district. Mandiant says, quote, Sabbath first came to light in October 2021 when the group publicly shamed and extorted a U.S. school district on Reddit and from a now-suspended Twitter account.
Starting point is 00:07:25 During this recent extortion, the threat actor demanded a multi-million dollar payment after deploying ransomware. Media reporting indicated that the group took the unusually aggressive step of emailing staff, parents, and even students directly to further apply public pressure on the school district. End quote. Sabbath is in all probability another ransomware-as-a-service operation, an affiliate program in which the top-level operators get a cut of what the actual perps, that is their criminal affiliates, take. Threatpost offers an update on the Tardigrade malware that's being deployed against targets in the biomedical sector. The update confirms
Starting point is 00:08:05 Tardigrade's unusual and dangerous ability to change its components. Both SmokeLoader and Cobalt Strike have been reported morphing in ways that make it unusually evasive. Supernus Pharmaceuticals filed an 8-K with the U.S. Securities and Exchange Commission Friday, disclosing that it sustained a ransomware attack that began in mid-November. The company is cautiously optimistic, saying that it contained the damage without disruption to its operations and isn't paying the ransom, but that it can't rule out re-attacks or malicious use of stolen data. SecurityWeek says that the Hive ransomware gang claimed responsibility on Thanksgiving, anticipating the 8-K by a day, and pointing out that the victim hadn't yet
Starting point is 00:08:52 filed that 8-K, which itself was probably intended to apply some pressure. Mobile security firm ThreatFabric has described how criminals are introducing banking trojans into apps offered in Google's Play Store. While Mountain View regularly purges its store of malicious apps, the recent wave of malware that's posed variously as QR scanners, PDF scanners, or cryptocurrency wallets has been somewhat more difficult to detect because of the deliberately small malicious footprint they display, and which they've adopted to help them evade the permission restrictions Google Play enforces. The malware also pays close attention to geographical location before installing, the better to evade places and jurisdictions where scrutiny may be more rigorous. ThreatFabric has identified a dozen malicious apps that,
Starting point is 00:09:46 in aggregate, have been downloaded some 300,000 times. And finally, we turn to the Daily Mail for a snapshot of what the civilized world is up against when it tries to prosecute Russian cybercriminals. The Mail's unusually detailed screamer reads, quote, REvil superhacker wanted by FBI for using ransomware to fleece millions of dollars from Americans is unmasked by DailyMail.com in his plush hideout in Siberia as Kremlin turns blind eye, end quote, about Mr. Yevgeny Polyanin, a Russian national 28 years young, whom we've heard of before as being wanted by U.S. authorities for his alleged role in the REvil gang. The Mail's newshounds have tracked him to, quote, a $380,000 home in the Siberian city of Barnaul,
Starting point is 00:10:39 where his wife, Sofia, openly runs a social media baking business, end quote. The Mail adds that Mr. Polyanin has been seen in Barnaul driving a $74,000 Toyota Land Cruiser and that he owns another car worth maybe a cool $108,000. This lifestyle sounds more provincial upper middle class than big-time crime lord, maybe upper upper middle class given that he's living in Siberia, and it's certainly a far cry from living on a yacht in the Black Sea and collecting gold chains and exotic cats. But the Mail is absolutely on point when it says it'll be a hot winter in Chelyabinsk
Starting point is 00:11:21 before Mr. Polyanin or his colleagues are extradited to face American law. We do have one question. What exactly is a social media baking business? Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:12:00 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Starting point is 00:12:56 Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Facebook CEO Mark Zuckerberg recently announced that he's changing his company's name to
Starting point is 00:13:41 Meta Platforms Inc., or Meta for short. And this is because he's chucking a load of his eggs into his vision of the futuristic-sounding metaverse. Now, the idea of the metaverse is nebulous at best. It involves virtual reality, instant communications, instant broadcasting, and a whole host of other technologies. I've heard people describe it in the media as the internet brought to life. Zuckerberg himself has described it as a virtual environment you can go inside of, like a magical portal that allows you to step inside of the world rather than gaze at it from the other side of a screen, like an outsider. You know, this could give a whole new meaning to the horror genre. Just imagine a digital monster literally snapping at your tail.
Starting point is 00:14:31 But right now we have a number of virtual reality worlds, right? Gaming is a big one. And the idea of the metaverse is as we create more of these virtual worlds, we will need to somehow interconnect all of these disparate virtual communities into a playground where people can meet and game, or meet and work, or meet and hang out, shop, watch a movie, or attend a theater, a conference, a circus. So you would be in your living room, or on a beach, or wherever with your virtual reality headset, or augmented reality glasses or whatever else they come up with to entice us more deeply into this digital realm. But the idea is that you
Starting point is 00:15:13 would be mentally engaged in a digital world but not have to be physically present. I mean, think about it. You wouldn't be looking at your colleague or a friend on a screen, but hanging out in this virtual coffee shop together or a pub or a meeting room or on a beach. According to NPR, Victoria Petrok, she's an analyst who takes the pulse on emerging tech. She said, it's the next evolution of connectivity where all of those things start to come together in a seamless doppelganger universe. So you are living your virtual world the same way you're living your physical life. I know, I find it really hard to wrap my head around, but then I'm not a tech visionary. There is no doubt though, in my mind, that the pandemic has put this concept of the metaverse on steroids. Literally billions of us were trapped at home
Starting point is 00:16:05 at the same time. And somehow a huge number of us were still able to keep working, learning, and communing with people in our individual worlds. So metaverse sounds fabulously sci-fi, and in a way it is, because we're still in that idea phase. What is interesting is that Mr. Zuckerberg is doing his best to secure a serious foothold in the concept of this metaverse world, including rebranding Facebook to Meta Corporation. I mean, what do you think? Do you think this is a smart move on Facebook's part? A cheeky move? A desperate move to remain a player? One other thing to note is that Facebook are not alone tap dancing on the metaverse stage. You have Epic Games, of course, the makers of Fortnite.
Starting point is 00:16:53 Earlier this year, they announced a $1 billion funding round to support Epic's long-term vision for the metaverse. NVIDIA have told the world that they are busy creating the Omniverse, a platform for connecting 3D worlds into a shared virtual universe. Sounds a lot like the metaverse, doesn't it? And that's the question. Are they exactly the same? Are they utterly different? And the thing is, for any metaverse, Omniverse to manifest itself, it needs experts and money across industries, cultures, and technologies in order to work. In other words, competitors need to cooperate in order to win. But one thing is for sure, this move suggests that technology leaps are not going to slow down. The digital world is here to
Starting point is 00:17:40 stay, and it is going to entrench itself more and more into our lives. And the tech is going to be thrown at us with even greater precision. You want to be careful what you let into your lives because it's really hard to get rid of once you get used to it. This was Carole Theriault for the CyberWire. trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And joining me once again is Andrea Little Limbago. She's Vice President of Research and Analysis at Interos. Andrea, it's always great to have you back. You know, you and I have spoken in the past about,
Starting point is 00:19:09 I believe you introduced me to the term the splinternet of, you know, nations sort of putting a fence around their own access to the internet. And I know something you've been tracking is that there have been nations that have been blacking out their internet for their citizens for a variety of reasons. What do we need to know about this? Yeah, I think it really does. I like that framing because it is part of the broader government attempts to control information within their borders. And so some strategies are more on the data privacy side or data access. Some are on the data localization and the storage.
Starting point is 00:19:44 In this case, it's really on stopping access to the internet. And so it kind of goes across the whole gamut and the whole spectrum of that. We're seeing just a continued growth in internet blackouts. And what that basically refers to, that also can be a spectrum from just blocking certain sites all the way to full out having an internet blackout. India holds a record for the longest democracy with an internet blackout in the Kashmir region. And that still is almost on and off several times. And by one estimate, it cost them almost $3 billion in 2020 by doing that. And so there are big business and financial repercussions for this. So on top of the societal implications of it as far as the populations not having access to communication, not having access to,
Starting point is 00:20:25 I mean, just think about how everything that you do through the internet right now to your finance, to transportation, to ordering food, like everything. So that's obviously the enormous human cost. For companies, they should care about this because it really is a financial cost as well for anyone doing business perhaps in that area. And where we're seeing it really is focused on a couple of core areas. One is around election time in many countries. And so that should be concerning to folks who care about democracy. We see it around times of protests, like in Iran was a good example of that. What's going on in Sudan right now, the blackouts continue as we're talking
Starting point is 00:21:00 right now. And that's been going on for a while. But in Myanmar, in the Tigray region, in Ethiopia, if you were to start looking at where protests are across the globe or various kinds of conflict, we're almost always increasingly seeing some level of Internet blackout by the folks in power. As technologies come online, I'm thinking about more practical satellite Internet, things like that. Is it becoming easier for citizens to work around these things? You know, it depends.
Starting point is 00:21:30 Because you have to think about, in many cases, these are already occurring in areas that may not be where some of the most developed internet capacity is. And so I think in some areas, so like Hong Kong would be a good example where many people in that area are figuring out how to work around some of these blackouts. But that's when the Chinese government will then leverage a different tool, such as their security regulation. In many of these other areas, there just isn't that level yet of, I guess,
Starting point is 00:21:56 digital awareness, I would say, because in many cases, the internet is still fairly new compared to other areas of the globe, or this isn't the training capacity to understand that. So I think there may increasingly be ways to work around that depending on where you are in the globe. But at the same time, for so many of these cases that are especially in some of the already most impoverished areas of the globe, the capacity just isn't there yet. Do you suspect that this is an effective tool that governments have, and so we should expect to see this continue? I do.
Starting point is 00:22:26 I think about there's statistics that over the last decade, there's been about 850 different Internet shutdowns across the globe, and about 790 have been since 2016. It's almost the majority have been in the last five years. And it does continue over the last couple of years just to remain at fairly high levels. And it's not just coordinated. It's not just in one country. There are over 20 different countries in this year alone that have been deploying internet blackouts. And so if it was just one of those cases where it was, okay, it's just here. In Iran, some cases, or in Russia, it's like sort of the usual suspects. But when you're getting to over 20 different countries, leaders look at what each other are doing, and they learn from that. And so when they see that, oh, it was very successful, it's watching the protests over there, they're going to try it as well. And so there is
Starting point is 00:23:09 the learning effect and seeing how it affects and how successful it is elsewhere. And it's relatively inexpensive for the government to deploy. Have there been any pushes for nations to say that this is a fundamental human right, that, you know, we shall not interrupt this? Yeah, it's a great question. There has been, and that's what I think is actually interesting, where I think that there is some growing visibility on this now that we're seeing the UN has come out and said that digital rights are a human right, having access to the internet is part of that. The World Economic Forum has started talking about this a bit. And so when we start seeing sort of the non-usual, outside of the cybersecurity community and sort of the tech publications,
Starting point is 00:23:54 when you start seeing those nonprofits and those in focus on economic development focusing on it, AccessNow does a really great job tracking internet blackouts. And their nonprofit focuses on basically just the impact that it has across all of society. And within the framing of it, it's a human right at this point. All right. Well, it'll be interesting to track for sure. Andrea Little Limbago, thanks for joining us. Thank you. And that's the CyberWire. For links to all of today's stories,
Starting point is 00:24:35 check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
