CyberWire Daily - Dismantling the Manson cybercrime market.
Episode Date: December 5, 2024

Europol dismantles the Manson cybercrime market. Operation Destabilise stops two major Russian-speaking money laundering networks. New details emerge on China’s attacks on U.S. telecoms. Black Lotus Labs uncovers a covert campaign by the Russian-based threat actor “Secret Blizzard”. Cisco issues patches for a high impact bootloader vulnerability. Trend Micro researchers uncovered Earth Minotaur targeting Tibetan and Uyghur communities. Payroll Pirates target HR payroll systems to redirect employee funds. Pegasus spyware may be more prevalent than previously believed. Our guest today is Jon France, CISO at ISC2, with insights from the ISC2 2024 Workforce Study. How businesses can lose customers one tip at a time.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Our guest today is Jon France, CISO at ISC2, sharing the ISC2 2024 Workforce Study. You can read the press release about the report here and dig into the details of the report itself here.

Selected Reading
50 Servers Linked to Cybercrime Marketplace and Phishing Sites Seized by Law Enforcement (SecurityWeek)
UK’s NCA Disrupts Multibillion-Dollar Russian Money Launderers (Infosecurity Magazine)
The White House reveals at least 8 U.S. telecom firms impacted by China’s Salt Typhoon cyberattack (Fast Company)
Senators implore Department of Defense to expand the use of Matrix (Element)
Snowblind: The Invisible Hand of Secret Blizzard (Lumen)
Frequent freeloader part I: Secret Blizzard compromising Storm-0156 infrastructure for espionage (Microsoft Security)
Russian Hackers Exploit Rival Attackers’ Infrastructure for Espionage (Infosecurity Magazine)
Bootloader Vulnerability Impacts Over 100 Cisco Switches (SecurityWeek)
MOONSHINE Exploit Kit and DarkNimbus Backdoor Enabling Earth Minotaur’s Multi-Platform Attacks (Trend Micro)
Hunting Payroll Pirates: Silent Push Tracks HR Redirect Phishing Scam (Silent Push)
iVerify Mobile Threat Investigation Uncovers New Pegasus Samples (iVerify)
How a Russian man’s harrowing tale shows the physical dangers of spyware (CyberScoop)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Europol dismantles the Manson cybercrime market.
Operation Destabilize stops two major Russian-speaking money laundering networks.
New details emerge on China's attacks on U.S. telecoms.
Black Lotus Labs uncovers a covert campaign by the Russian-based threat actor Secret Blizzard.
Cisco issues patches for a high-impact bootloader vulnerability.
Trend Micro researchers uncovered Earth Minotaur targeting Tibetan and Uyghur communities.
Payroll pirates target HR payroll systems to redirect employee funds.
Pegasus spyware may be more prevalent than previously believed.
Our guest today is John France, CISO at ISC2, with insights from the ISC2 2024 Workforce Study.
And how businesses can lose customers one tip at a time.
It's Thursday, December 5th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Happy Thursday. Thank you for joining us. It is great to have you with us.
Europol announced the dismantling of the Manson Market cybercrime marketplace and a network of phishing websites. The investigation, first launched in 2022, revealed Manson Market facilitated the sale of stolen personal and financial data,
including bank account information sorted by region and
balance. Scammers also operated fake online shops to steal payment details for resale on the
marketplace. Authorities seized over 50 servers and 200 terabytes of evidence with arrests made
in Germany and Austria. Visitors to Manson Market's site are now greeted with a notice stating law
enforcement possesses all user information. This takedown follows recent operations against
Crimenetwork, a major German-speaking illegal marketplace, and Matrix, an encrypted messaging
service used by criminals. Europol monitored Matrix for three months before shutting it down,
demonstrating continued efforts to disrupt cybercrime infrastructure across Europe.
The UK's National Crime Agency, the NCA, has dismantled two major Russian-speaking
money laundering networks, Smart and TGR, in Operation Destabilize. These networks laundered millions for cybercriminals,
including the Ryuk ransomware group, and helped Russian elites bypass sanctions.
They operated in 30 countries, collecting cash in one location and transferring equivalent amounts,
often as cryptocurrency, elsewhere. The NCA made 84 arrests and seized £20 million in cash and crypto.
Key figures include Smart leader Ekaterina Zhdanova and TGR boss George Rossi, both sanctioned by the
US Treasury. The operation delivered a blow to the network's operations severely impacting their finances. NCA Director Rob Jones emphasized the U.K. is no haven for money laundering,
disrupting these schemes at every level.
In an update, Deputy National Security Advisor Anne Neuberger said
the Chinese hacking campaign that compromised at least eight U.S. telecom firms
and affected dozens of countries, Salt Typhoon,
targeted senior U.S. government officials,
political figures, and private individuals,
enabling Beijing to access phone calls and text messages.
Though no classified information was compromised,
ongoing risks remain
as affected companies work to fully expel the hackers.
The breach, believed to have started one or two years ago,
appears regionally focused and impacts a low couple dozen countries.
The FBI and CISA have issued guidance urging telecom firms to enhance encryption,
centralize systems, and monitor networks to mitigate risks.
China denied the allegations, accusing the U.S. of cyber
attacks. The White House emphasized that improved cybersecurity standards, similar to those
implemented after the Colonial Pipeline ransomware attack, are critical to preventing future
intrusions. The FBI, CISA, and allied agencies are urging the use of end-to-end encryption
following revelations
that China's Salt Typhoon Group exploited these backdoors in public telephone networks.
CISA's Jeff Greene emphasized the need for encrypted communications to secure networks long-term.
Senators Ron Wyden and Eric Schmitt highlighted vulnerabilities in unencrypted DoD communications, advocating for Matrix,
a decentralized E2EE platform used by NATO allies and the U.S. Navy. Matrix offers enhanced security and digital sovereignty over centralized systems like Microsoft Teams. Obviously, this is a
different Matrix than the one we previously mentioned that was being used by German cybercriminals.
Black Lotus Labs uncovered a covert campaign by the Russian-based threat actor Secret Blizzard, also known as Turla,
targeting Pakistani actor Storm-0156 over two years.
Secret Blizzard infiltrated 33 command and control servers operated by
Storm-0156, known for espionage under the SideCopy and Transparent Tribe clusters.
Secret Blizzard gained access in December of 2022, embedding their malware, TwoDash and Statuezy,
into Afghan government networks by mid-2023. By April of 2023, they infiltrated
Pakistani operators' workstations, acquiring data on Storm-0156's tools, credentials,
and exfiltrated intelligence. Expanding operations in 2024, they appropriated and repurposed Storm-0156's malware, including CrimsonRAT,
previously used against Indian government and military targets.
This allowed Secret Blizzard to exfiltrate additional data from prior operations,
showcasing their expertise in hijacking adversarial infrastructure.
Lumen Technologies credited Microsoft Threat Intelligence Team
for their collaboration in addressing this threat.
Cisco has issued patches for a high-impact vulnerability in its NX-OS software bootloader
that could allow attackers to bypass image signature verification and load unverified software.
Exploitation requires physical access or administrative privileges,
but no authentication. Over 100 device models are affected, with no workarounds available.
Cisco has released patches and plans to address all devices by month's end,
except for discontinued switches. No active exploitation of this vulnerability has been reported, but users are urged to update promptly.
Trend Micro researchers uncovered Earth Minotaur, a group using the updated MOONSHINE exploit kit to target vulnerabilities in Android instant messaging apps, primarily impacting Tibetan and Uyghur communities.
MOONSHINE, now with over 55 servers,
exploits Chromium-based browser flaws and delivers the DarkNimbus backdoor to both Android and Windows devices.
DarkNimbus targets apps like WeChat, posing a cross-platform threat.
Researchers emphasize the importance of regular software updates
to mitigate these attacks
and protect against MOONSHINE's evolving capabilities.
The threat analysis team at Silent Push have uncovered an extensive phishing campaign by a
group they call the Payroll Pirates, targeting HR payroll systems to redirect employee funds.
Using domains spoofing major organizations like Workday, Kaiser Permanente, and New York Life,
attackers lure victims to fake HR pages through malicious search ads.
Once inside employee portals, scammers use stolen credentials to alter banking details for fund redirection. The group utilizes website builders like Mobirise and popular registrars,
creating hundreds of domains linked to dedicated IP ranges.
Silent Push identified evolving tactics,
including phishing campaigns targeting unemployment portals and credit unions.
An investigation by iVerify revealed significant insights into mobile threats,
highlighting the hidden prevalence of spyware like Pegasus.
Through scans of 2,500 user devices,
the investigation uncovered seven Pegasus infections,
showing compromises spanning years
and affecting devices running multiple iOS versions.
This challenged the perception that spyware primarily targets only high-profile individuals
like journalists or government officials. Pegasus, developed by NSO Group, uses sophisticated methods
like zero-click attacks and exploits operating system vulnerabilities to achieve full device control.
The investigation's results, 2.5 infections per 1,000 scans,
suggest that spyware is more common than previously thought.
The research emphasizes the need for broader, scalable detection to uncover threats often hidden from traditional security measures.
By examining a larger sample,
the findings offer a clearer example
of the scope of mobile device compromise
in an evolving threat landscape.
Coming up after the break,
my conversation with Jon France, CISO at ISC2.
He shares insights from the ISC2 2024 Workforce Study and how businesses can lose customers one tip at a time.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to
bypass your company's defenses
is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Jon France is Chief Information Security Officer at ISC2. I recently caught up with him for insights from the ISC2 2024 Workforce Study.
It's broadly opinion and some data combined to provide a view of not only the workforce,
the potential needs for the workforce coming up,
and we call it the gap, i.e. what's needed to secure
versus what's currently available,
and also to look at the skills in there.
And this year, it's a treasure trove of sort of AI data as well,
because we asked some very specific questions around AI.
Well, let's use that as a starting point here.
Obviously, AI is an ongoing
hot topic. How are cybersecurity teams utilizing generative AI when it comes to workforce issues?
What the report highlighted is a little bit of a double-edged sword, really,
which is we know it's pushed into our environment. In fact, generative AI has been
around for a little over two years now since it hit the public consciousness with chat GPT.
And what we've seen as a profession is not only the proliferation of personal use and business use,
but also AI in pretty much everything, in all the tooling that we use and the general workforce uses.
So I think the double-edged sword is, you know, it promises a lot,
but it also comes with some risks.
Those risks are things that we as cyber pros have to understand
and have to cope with.
And what it's really showing is we probably don't know enough.
Maybe that's, generally speaking, true of anyone that uses AI,
which is, we know, a little bit to be dangerous.
But we really do have to look at what this might mean for our profession.
You know, 50%, 51% of the respondents to the survey said
cybersecurity skills may become obsolete because of some of the AI evolution. Actually,
I think what we'll find is some of our jobs will change fairly significantly when we get used to
using AI and the tooling that we provide in the situations we find ourselves. So, yeah, it's
definitely in the public consciousness, definitely in cyber pros consciousness, and obviously
businesses want to use it for competitive advantage.
I saw someone recently on social media saying that there are folks now who are specializing in helping folks format their resumes
as to make them present themselves in the best possible way
to the AIs that are analyzing them.
Interesting. I hadn't seen that, but yes, of course,
AI is used in lots of things,
and it can be used in selection and sifting.
Interestingly, in the EU,
that may not be a use case you're allowed to do anymore
because of the AI Act,
which is automatic decision-making around people.
So there are some regulatory pressure coming in there as well that might curb some of the
use cases that it could be put to.
But it's not surprising.
And of course, being a hot topic that it is, and candidates wanting to be appealing, it's
going to be on the CV.
What we're actually starting to see is, and what the survey backs up,
is we don't actually know kind of what the core skills in AI are likely to be.
So we're seeing some of them actually going back to things like problem solving,
teamwork and collaboration, communication,
as some of the key skills that are coming through.
Non-technical in nature, but where technology is new, emergent, unsure, you can actually use a
little bit of a fallback on some of those. I'm going to call them more business-orientated
skill sets. And that's what we're seeing coming through on the survey data.
Yeah. That's one of the things that caught my eye when I was reading through the survey was
that it highlights this shift towards prioritizing non-technical skills.
Can you unpack that for us?
What is this trend you're seeing?
Yeah, so I think the survey has two broad components.
One is the needs of the workforce to secure where we see business going.
That's the workforce gap.
And then there's the skills gaps, which is the skills required to do that.
And this year is actually a very pronounced
difference between the two.
Not only do we not have enough people in the industry
to fill those, but the people we do have
may not be skilled in the correct areas.
So part of that move towards more problem-solving
teamwork, collaboration, and communication
is something that naturally means you're probably going to be a really good learner.
And actually, you can cope with change. And we live in a world of change.
So I think that's where we're starting to see those things come through as desired traits.
The rest can be kind of learned and picked up.
And actually, I think it's another affectation of cybersecurity, getting a little bit closer to the business.
And actually, when you get closer to the business, you need some of those skills to communicate, to understand.
Not only to understand what you're protecting and how to protect it, but actually explain why you're doing what you're doing.
So I think it's a little bit of a lot of technical and quite a lot of, I'm going to call them interoperation
with other business departments and units
where these will really come to the fore and pay dividends.
Another thing that drew my attention was the report outlines how there's a significant portion of the new folks entering cybersecurity who are older.
They're age 39 to 49.
What does this indicate?
It's an interesting stat.
Actually, I probably picked up on the same as you did, and I was a little surprised by that.
Wow, wow.
And, you know, to bust a myth,
new entrant doesn't have to mean young.
And in case, in fact, the data is actually showing that, right?
Right.
And what we might be seeing is some career changes
coming into the profession, which is great.
To be brutally honest, we need not only new entrants in,
I'm going to call it the bottom end, maybe the youngest side,
but we also really value career changes that come in.
And they bring different viewpoints and different skills
from what they previously been doing.
And maybe that's why we're starting to see that age demographic up in that end.
And maybe it is some of those where we've been interoperating with other bits of the business.
They've become really keen to find out what we do and actually are moving over into our professions.
Well, let's talk about some practical stuff here.
I mean, when we're looking at certifications and standards,
where do we stand with that? What's the importance of the certifications these days and what are considered some of the most valuable? You know, without trying to be slightly neutral,
standards and certifications are a really good mark of competence. In fact, obviously, ISC2 certifications
are competence-based,
not just knowledge.
So there are,
and we come back to that sifting problem,
which is how do you qualify
on first glance?
Certifications is one of those elements
if you've maintained a certification.
And actually, I use the word
maintenance really keenly
because it not only
shows that you've achieved it, but you've actually maintained it. We have ongoing professional
development requirements in our certifications, as do many others. So I think they're a good way,
a good mark of knowing that you're getting a certain competence. And, you know, if we take
standards as well, not just of the standards of the people,
but things like the NIST cybersecurity framework, etc. Those are ways of obviously operating good
sets of controls, known repeatable with good outcomes. So they absolutely have their place.
They're not the be all and end all. You know, you can't just go and get a cert and have done and say, yeah, yeah, I've made it.
It is part of being a rounded individual, not only for proof points, professional development,
but, and that's where we see some of these other skill sets come in, you know, good communicator, you know, curiosity, capacity to learn.
Well, when you look at the report as a whole, what are the take-homes for you? What are the
words of wisdom here? I think, you know, economic pressures, budget constraints, and layoffs
continue to challenge our profession. That challenge impacts the workforce satisfaction,
slight dip in that satisfaction rating. And technology adoption is still fairly aggressive.
So, you know, economic pressures are driving probably that lack of budget,
which is driving staffing challenges.
So, in fact, lack of budget replaced lack of qualified talent
as the top staffing barrier.
So we are definitely seeing that as a pressure.
25% observed some layoffs.
That's up 3% from 2023.
And nearly a third have seen fewer promotions.
So that goes to that little bit of stagnation.
That's number one.
Economic pressure is leading to staffing challenges
through budget constraints.
I think gaps in skills.
67% reported staffing shortages
with 90% indicating a skills gap on their teams.
That's the difference between, I know I need to get someone in or get a person in,
but actually saying there's a really big skills gap out in the market
that I'm not finding what I'm really looking for.
64% viewed those shortages as more serious than the personnel shortages.
So even if I can't get people in, the access to skills is the key issue
that they're dealing with.
Now, training and development
is part solution to that.
So there is some upside.
Doesn't have to be formal.
We'd love it to be in certain cases,
but it can be just opportunistic
and giving people experiential component.
And then finally,
sort of that threat landscape.
The environment we swim in is challenging. We've seen obviously conflicts in a number of regions
that have digital components. That's driving uncertainty in the wider market, as well as
new and emergent technology sort of giving you something new to look at, specifically AI, which is,
you know, I think not only our profession,
but also the businesses are trying to fill the edges
of where AI can be leveraged for the best effect.
That's Jon France, Chief Information Security Officer at ISC2.
We'll have a link to the ISC2 2024 Workforce Study in our show notes.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today
to see how a default-deny approach
can keep your company safe and compliant.
And finally, have you ever felt like you're under the spotlight while choosing how much to tip?
You're not alone. Digital tipping systems with handheld devices or countertop screens displaying
your selection are making tipping feel like a high-stakes social performance. Researchers from
the University of Richmond studying tip surveillance
analyzed 36,000 transactions and ran experiments with over 1,100 participants to uncover its
impact. The findings? Being watched while tipping is bad for business. Customers scrutinized during
tipping were less likely to return or recommend a business. While privacy often made customers feel more generous,
the eyes-on-you approach led to resentment and reduced loyalty.
Interestingly, people enjoy being observed while donating to charity,
but tipping feels more like an obligation than a choice.
Businesses hoping to cash in on pressure tactics might be disappointed.
The research revealed no clear link between surveillance and higher tip amounts. In fact,
when tipping privately, customers tipped similar amounts but felt more in control,
fostering positive experiences. With tipping expectations skyrocketing,
companies need to strike a balance,
training employees to respect tipping privacy while ensuring fair wages
could enhance customer loyalty and build a better reputation.
Ultimately, the debate about tipping's future isn't just about dollars.
It's about creating systems that protect workers, ensure fair pay, and foster a sense of goodwill. After all,
tipping should leave everybody smiling, not sweating under the payment panopticon.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector,
from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for
companies to optimize your biggest investment, your people. We make you smarter about your teams
while making your team smarter. Learn how at n2k.com. This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music and sound design
by Elliot Peltzman.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilby is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow. Bye.