CyberWire Daily - Disinformation at the UN. Phishing against Ukraine. Hydra Market taken down. Is someone carrying on for Lapsus$? Compromise at Mailchimp. FIN7 branches out into ransomware.
Episode Date: April 5, 2022
Disinformation at the UN. Russian cyber operations against Ukraine. Bravo, BKA: German police take down a major contraband market. Under arrest but still in business? At least someone's carrying on ...for Lapsus$. Compromise at Mailchimp. Joe Carrigan describes JavaScript vulnerabilities. Carole Theriault with an eye on romance scams through the lens of Netflix's "The Tinder Swindler". And a well-known gang branches out.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/65
Selected reading.
Live Updates: U.N. Security Council to Meet as Evidence of War Crimes Mounts (New York Times)
Elephant Framework Delivered in Phishing Attacks against Ukrainian Organizations (Intezer)
Germany takes down Hydra, world's largest darknet market (BleepingComputer)
LAPSUS$ hacks continue despite two hacker suspects in court (Naked Security)
FIN7 hackers evolve toolset, work with multiple ransomware gangs (BleepingComputer)
Notorious hacking group FIN7 adds ransomware to its repertoire (CyberScoop)
Hackers breach MailChimp's internal tools to target crypto customers (BleepingComputer)
Email marketing giant Mailchimp has confirmed a data breach (TechCrunch)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Disinformation at the UN, Russian cyber operations against Ukraine,
German police take down a major contraband market,
at least someone's carrying on for Lapsus$,
there's a compromise at MailChimp,
Joe Carrigan describes JavaScript vulnerabilities,
Carole Theriault has an eye on romance scams through the lens of Netflix's The Tinder Swindler,
and a well-known gang branches out.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Tuesday, April 5th, 2022.
Fighting in Ukraine shifts as Russia retreats from Kiev to reconstitute and shift forces to the Donbass and the Black Sea.
U.S. National Security Advisor Sullivan sees a long war ahead, Bloomberg reports, one that could last for months.
It's necessary to devote some attention to Russian disinformation and its debunking, since we can expect to see Russia's themes planted and amplified online.
After the United Nations Secretary General this morning called for an immediate end to the war against Ukraine and a humanitarian ceasefire,
Ukrainian President Zelensky addressed the United Nations Security Council.
He denounced in detail Russian atrocities in Bucha and other cities Ukrainian forces have now retaken.
We all know, Mr. Zelensky said, what Russia will tell the world.
They will blame everyone just to justify their own actions, he said.
Russia's method has been to insist that there are differing accounts of events and divergent interpretations, but this is done just to sow confusion.
In this case, however, President Zelensky said, the evidence is incontrovertible and preserving that evidence and publicizing it is vitally important.
He said the Russian military and those who gave them orders must be brought to justice immediately for war crimes.
He called for trials like those held in Nuremberg after World War II,
pointedly reminding Russian diplomats that the Nazi foreign minister Ribbentrop didn't escape punishment in 1946.
President Zelensky called for equal treatment of all nations
and an end to the privilege Russia has enjoyed as a permanent member of the Security Council.
Russia's representative on the Council, in a strikingly mendacious response,
asked that the UN recognize Russia's humanitarian work in Ukraine.
He deplored Ukraine's interference with those efforts.
He characterized Russia's mass abduction of Ukrainian citizens to Russia as a voluntary humanitarian effort.
As we note, these themes can be expected to reappear in Russian disinformation over the coming week.
Security firm Intezer followed up CERT-UA's discovery of a new malware framework being used in phishing campaigns.
They said a recently developed malware framework called Elephant is being delivered in targeted spear phishing campaigns
using spoofed Ukrainian governmental email addresses.
The four malware components delivered are used for stealing credentials, documents,
and to provide remote access to the infected machine.
Two of these components were first reported on by the Computer Emergency Response Team for Ukraine,
that's CERT-UA, in March 2022.
They named the two components Graphsteel and Grimplant.
When investigating these events, we have identified that Elephant has also been delivered via phishing emails from spoofed Ukrainian email addresses.
Elephant is a malware framework written in Go.
Germany's federal police, the BKA, today announced its takedown of Hydra Market, the largest russophone dark web contraband market.
The blockchain analysis firm Elliptic says that it's been able to determine that Hydra Market has processed some $5 billion in Bitcoin since 2016, with its take peaking in 2021.
The BKA said that it had seized about 23 million euros
from the illegal trading platform
and that its investigation and takedown had been accomplished in cooperation with international partners,
especially U.S. law enforcement agencies.
In addition to trading such contraband as illegal drugs and stolen data,
Hydra Market was heavily involved in money laundering.
London police may have arrested several alleged leaders of the Lapsus$ group and arraigned two of them, but Naked Security reports that the gang's activities seem to have resumed.
Evidently, some of its members are carrying on even after the leaders' arrest.
MailChimp says it's discovered and contained a data breach accomplished by criminal social engineering.
TechCrunch reports that about 300 user accounts were compromised and that customer data was extracted from 102 of those.
The stolen data appears to have been put to use in phishing attempts against the cryptocurrency and financial services sectors.
Bleeping Computer reports that cryptocurrency customers appear to be particularly at risk.
The problem is social engineering on the basis of stolen information, not direct corruption of MailChimp's systems.
In what appears to be news from the C2C marketplace, according to researchers at Mandiant, the financial cybercrime gang FIN7 is branching out.
Hitherto best known for breaking into payment systems and corporate networks, FIN7 has now added ransomware to its repertoire.
FIN7 is now using REvil, DarkSide, BlackMatter, and ALPHV ransomware.
Do you know the status of your compliance controls right now? Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies
like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001. They also centralize key workflows
like policies, access reviews, and reporting
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber
for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Our correspondent Carole Theriault recently checked out the popular Netflix film, The Tinder Swindler, and that's got her pondering romance scams.
She files this report.
Based on a glut of news coverage that I'm seeing from my little corner of the internet, Netflix's Tinder Swindler is all the rage.
Don't worry if you haven't seen it, I won't ruin it for you.
Other than to say it shows to what lengths some people are willing to go to dupe another person.
There are a number of jaw-dropping moments that made me take pause. Because normally when I hear about romance scams, I find it hard to relate to the conned individual.
Normally, I'm thinking, how could she?
Yeah, it is normally women who are victims here in romance scams.
How could she not see what was going on?
But Tinder Swindler opened my eyes because I related to some of the victims doing their
due diligence to try and see if this was a good match for them.
See, I'd like to think that's what I would do too.
But turns out just because you do your due diligence
does not mean you definitely will not be conned.
And this is an important topic because romance scams have skyrocketed.
Did you know that according to the U.S. Federal Trade Commission, the FTC, online dating scams cost Americans $304 million during the lonely months of the 2020 pandemic?
That figure has increased almost 50% from 2019.
And the U.K. isn't any different.
There were reportedly more than 7,500 cases of romance fraud in the last year alone,
an annual rise of 40%.
So let's take this opportunity to go through just a few things to look out for
if you should find yourself in the online dating scene. And really, it comes down to noticing and reacting to red flags,
like if the profile is too incredibly heroic and Prince Charming-like, or perhaps the pictures are
a little bit blurry or even look a bit photoshopped. Maybe they never want to meet you in person
or even have a video call with you.
Maybe they try and employ the love at first sight tactic
using language like,
I've never met anyone like you before.
I've never felt this way.
Something like that to make you feel all aflutter
and lose your head.
And the whole game is to move you from a potential love interest into love zone as quickly as possible, because once you are there, they can start trying to get their grubby little hands on your hard-earned cash.
And the killer, the killer in all this is that so many of us right now are isolated, lonely, in need of communion with another person more than ever before.
So we're sitting ducks.
And how do ducks protect themselves?
They stay in a pack. So if you do find a love interest online,
tell your friends and your family about it.
Get their take and listen to the people who love you.
Because there's one thing I've learned
on how to defeat scammers is there's power in numbers.
It's much easier to fool one person
than it is to fool three or five or ten.
This was Carole Theriault for the CyberWire.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe
and compliant.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
Interesting information coming from you and your colleagues over at Hopkins.
That's right.
You all identified a vulnerability in some websites.
So what exactly is going on here, Joe?
So this is some research done by Dr. Yinzhi Cao and some of his PhD students.
And they found a vulnerability.
It's a JavaScript vulnerability called Probe the Proto, which is something when you're writing JavaScript.
I haven't written JavaScript in years, but I did get a look at the vulnerability.
And it permits a user or a malicious actor to inject arbitrary code into the JavaScript prototype, which can then essentially export any information out, including like tokens, browser tokens and cookies and things.
Oh, wow.
And allow session hijacking and a lot of other cross-site scripting attacks.
Okay.
But that's not what I want to focus on because I wasn't involved in the technical portion of this.
But because Dr. Cao is an ISI instructor and he found a vulnerability, he worked with me as the Information Security Institute's Vulnerability Disclosure Coordinator to tell the websites that he and his team examined.
Now, the examination happened offline.
So we requested the websites. The students requested the websites, ran the analysis on a local computer.
That analysis was not, we didn't do anything against anybody else's computer.
All we did was access freely available websites and then analyze them to see if they were vulnerable.
2,700 of these websites were vulnerable out of the top 10,000 websites.
So did you fire up the Hopkins bat signal?
That's right.
Okay.
This was the largest vulnerability disclosure that I think we've ever done.
Because we found this vulnerability. It's out there. It's 2,700 sites that we know about. And these are only the ones we looked at.
There are probably many more sites that are vulnerable to this attack.
But then we had to notify all the 2,700 sites, which was a huge task.
So I wrote the disclosure document, and I handed that off to the students because there's no way I was going to be able to go through and do everything.
Additionally, when a question was going to be asked about this, I wasn't going to be able to answer the technical questions as well as the students and Dr. Cao were.
Sure.
I mean, I could have done that, but that would have taken much more time than I had.
Yeah.
And as long as I'm involved in the process, that's fine.
What I want to talk about is what happened when we made 2,700 disclosures.
Okay.
We heard back from maybe 50 of these people, 50 of these organizations who had questions.
Now, I will say this.
The tone of every one of these organizations was gratitude and appreciation for the work.
That's good.
Right?
And in the letter, I made sure that we described that we weren't actively exploiting anything on their systems at all.
Right.
We were just doing the analysis back home,
but that analysis could be done
or that vulnerability could be exploited
via cross-site scripting, right?
Okay.
And we also provided the fix for it
because the fix is actually fairly simple.
Oh, good.
Out of the 2,700, about 50 people responded,
which to me says that a lot of these sites
just didn't even read the email.
And that's not uncommon in my experience.
Right.
Companies need to have some kind of vulnerability disclosure process,
regardless of who they are.
You know, if you have a website anywhere that you maintain,
somebody has to be able to tell you about vulnerabilities on that website,
even if you don't maintain it.
So, you know, you're a small business, small, medium-sized business, and you have a contractor that says, we'll host and manage your website for you.
Ask them this question.
How do you handle when somebody discloses a vulnerability on my website?
That's an important question to ask.
Is there a real human being who's reviewing these submissions?
Right.
Yeah.
Yeah.
I would like to see 100% response from these things.
Oh, hey, great.
Thanks.
We'll fix that.
And maybe that's what happened with a lot of them.
Maybe a lot of them just said, oh, look at this.
We'll just make this change to the JavaScript and we're done.
Yeah.
But I don't know that that's what happened.
Yeah.
I don't know.
Is there any plans to go back and do any checking to see, you know, a year from now, revisit some of these sites and see if it's been fixed?
That is interesting.
That would be some good follow-on research, wouldn't it?
That's right.
I'll just take that honorary doctorate.
There's two Ts in Bittner.
Right.
So, yeah.
I'll hook you up with Dr. Cao and maybe you can become one of his PhD students.
There you go.
Yeah, that's what I need.
All right.
Well, so, I mean, what's the take home here for you?
Were you disappointed to not see more response or I guess—
I was not disappointed.
Disappointed but not surprised.
Right, yeah.
I guess maybe that's the better way to say it.
I am happy to see that no one said,
you better not disclose this or we'll sue you.
Oh yeah.
Cause that happens sometimes.
It does.
And I have a response for that.
Yeah.
I say, you know, our counsel knows about this.
Yeah.
You are welcome to sue us.
Right.
It will not end well for you,
because this is a mistake that you've made.
Right.
And it's a mistake that's out there, and we're going to publish the methodology, and it will be in the vulnerability mindset within a couple of months.
And we gave everybody a good long nondisclosure period on this.
Yeah.
Yeah.
All right, well, if you're interested in the actual vulnerability,
again, I guess just do a search for probe the proto
and you'll find the publications
that Johns Hopkins, the ISI,
has put out about this.
Interesting stuff.
Joe Carrigan, thanks for joining us.
My pleasure, Dave.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard.
Thanks for listening. We'll see you back here tomorrow.
That's where Domo's AI and data products platform comes in. With Domo,
you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents
connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.