CyberWire Daily - From phishing to felony.
Episode Date: April 18, 2024
A major phishing-as-a-service operation gets taken down by international law enforcement. US election officials are warned of nation-state influence operations. The House votes to limit the feds' purchase of citizens' personal data. A Michigan healthcare provider suffered a ransomware attack. Critical infrastructure providers struggle to trust cybersecurity tools. Cloudflare reports on DDoS. Kaspersky uncovers new Android banking malware. Kubernetes cryptominers leverage previously patched flaws. The Massachusetts Attorney General emphasizes the responsible use of AI. Our guest Caleb Barlow, CEO of Cyberbit, joins us to talk about badge swipe fraud as more are returning to the office. Colorado passes a law to keep big tech out of our heads.
CyberWire Guest
Guest and podcast partner Caleb Barlow, CEO of Cyberbit, joins us to talk about badge swipe fraud as more are returning to the office. Are your employees faking their badge swipes?
Selected Reading
LabHost phishing service with 40,000 domains disrupted, 37 arrested (Bleeping Computer)
US Election Officials Told to Prepare for Nation-State Influence Campaigns (Infosecurity Magazine)
House votes in favor of curtailing government transactions with data brokers (The Record)
180k Impacted by Data Breach at Michigan Healthcare Organization (SecurityWeek)
Trust in Cyber Takes a Knock as CNI Budgets Flatline (Infosecurity Magazine)
DDoS threat report for 2024 Q1 (Cloudflare)
SoumniBot malware exploits Android bugs to evade detection (Bleeping Computer)
Hackers hijack OpenMetadata apps in Kubernetes cryptomining attacks (Bleeping Computer)
Massachusetts official warns AI systems subject to consumer protection, anti-bias laws (AP News)
Your Brain Waves Are Up for Sale. A New Law Wants to Change That (NY Times)
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
A major phishing-as-a-service operation gets taken down by international law enforcement.
U.S. election officials are warned of nation-state influence operations.
The House votes to limit the Fed's purchase of citizens' personal data.
A Michigan health care provider suffered a ransomware attack.
Critical infrastructure providers struggle to trust cybersecurity tools.
Cloudflare reports on DDoS.
Kaspersky uncovers new Android banking malware.
Kubernetes crypto miners leverage previously patched flaws.
The Massachusetts Attorney General emphasizes the responsible use of AI.
Our guest, Caleb Barlow, CEO of Cyberbit,
joins us to talk about badge swipe fraud
as more are returning to the office.
And Colorado passes a law
to keep big tech out of our heads.
It's Thursday, April 18th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is great to have you with us.
In a major global crackdown, the LabHost phishing-as-a-service platform has been dismantled
following a year-long international law enforcement operation, leading to the arrest of 37 suspects, including the platform's original developer.
Launched in 2021, LabHost facilitated cybercriminals in orchestrating phishing attacks
against North American banks and services through a subscription model.
The platform offered phishing kits, hosting infrastructure, and tools for automatic email phishing.
Digital security firm Fortra flagged LabHost's burgeoning popularity in February of this year
as it began outperforming established phishing-as-a-service providers.
Coordinated by Europol with support from 19 countries and private sector giants like Microsoft and Trend Micro,
the operation identified over 40,000 phishing domains and 10,000 global users linked to LabHost.
One of LabHost's standout tools, LabRat, enabled real-time management of phishing attacks,
including capturing two-factor authentication tokens.
Action peaked between April 14th and 17th of this year,
with simultaneous raids at 70 locations worldwide,
arresting key figures behind LabHost and seizing 207 servers in Australia alone.
The UK's Metropolitan Police took into custody four individuals, pinpointing the platform's core developer.
Before its disruption, LabHost amassed roughly $1.17 million from subscriptions.
Following the operation, authorities have begun notifying 800 users of impending investigations,
uncovering that LabHost facilitated the theft of nearly half a million
credit cards and a million passwords. Despite a significant outage in October 2023, which sparked
exit scam rumors, LabHost resumed full operations by December, with its eventual takedown casting
doubt on the outage's connection to law enforcement activities. U.S. election officials
have been alerted by CISA, the FBI, and the Office of the Director of National Intelligence
about potential nation-state influence operations from Russia, China, and Iran aiming to disrupt the
2024 elections, including the presidential election. These operations intend to erode confidence in
democratic institutions and sway public opinion by exploiting societal divisions using methods
ranging from generative AI to deepfakes. Tactics include masquerading as legitimate media,
voice cloning, cyber intrusions, creating false evidence of incidents, paying influencers without their
knowledge of the operation's origin, and using social media to spread disinformation. To combat
these threats, the agencies recommend educating the public and election staff on recognizing and
countering disinformation, securing IT systems, and using authentication measures for public content.
Voters are also encouraged to scrutinize information sources critically,
especially for AI-generated content.
The U.S. House of Representatives has passed the Fourth Amendment is Not for Sale Act,
aiming to limit the government's ability to purchase Americans' data from data brokers
without a warrant or subpoena. This is despite opposition from the Biden administration,
citing national security concerns. The bill, which prohibits federal agencies from buying
commercially available information, passed with a 219 to 199 vote, seeing bipartisan support and opposition. The White House, alongside some Biden
administration officials, criticized the bill as a threat to national security and counterterrorism
efforts, calling it unworkable and devastating. However, proponents argue it protects Americans'
privacy rights against unreasonable search and seizure, addressing concerns over
the unregulated sale of sensitive personal data by data brokers. This legislative move follows
revelations about the extensive governmental use of commercially available information
and the risks associated with data brokers' business practices.
Healthcare provider Cherry Street Services in Michigan has informed over
180,000 individuals about a ransomware attack on December 21, 2023, that compromised personal data,
including social security numbers and health information. After initially disclosing the
incident in early January, Cherry Health confirmed ransomware involvement and completed
risk assessment by March 25th of this year. Affected individuals are being offered free
credit monitoring and identity protection services. Cherry Health, with more than 20
locations and 800 healthcare professionals, continues to respond to the aftermath of the attack.
A report from security firm Bridewell indicates that critical national infrastructure providers
are experiencing diminished trust in cybersecurity tools,
exacerbated by sophisticated nation-state attacks, particularly from China and Russia.
Interviews with over 1,000 CISOs in the U.S. and U.K. reveal a 121% increase in concerns over cybersecurity tool trust from last year.
Additionally, cybersecurity budgets have sharply decreased, with allocations for IT and operational technology dropping significantly.
Despite financial constraints, 30% of critical national infrastructure victims of ransomware paid extortionists, potentially risking legal issues.
Moreover, ransomware attacks have had psychological impacts on employees.
Bridewell advocates for robust security strategies to mitigate these risks and avoid the difficult choice of paying ransoms.
Cloudflare's most recent DDoS threat report, covering the first quarter of 2024,
reveals a 50% year-over-year increase in DDoS attacks, with 4.5 million incidents mitigated.
DNS-based attacks surged by 80%, remaining the most common vector. A notable spike occurred in Sweden,
with attacks up 466% following its NATO acceptance, echoing Finland's previous experience.
The report also highlighted the persistence of Mirai variant botnets, responsible for a 2 terabit per second attack against an Asian hosting provider.
Additionally, concerns about sophisticated DNS-based DDoS threats
prompted the introduction of Cloudflare's advanced DNS protection system.
Despite overall increases in DDoS activity,
budget allocations for cybersecurity within IT and OT sectors have decreased,
underscoring the growing challenge of defending against these evolving cyber threats.
SoumniBot, a new Android banking malware,
employs a novel obfuscation technique
by manipulating the Android manifest parsing process,
thus dodging standard security measures on Android phones
for info-stealing activities.
Kaspersky researchers found that SoumniBot alters the manifest file's compression value and size
and uses excessively long XML namespace strings to confuse analysis tools.
Once installed, it stealthily performs malicious activities like data theft and command execution while primarily targeting Korean users.
The malware's discovery has prompted notifications to Google regarding the limitations of the APK analyzer against such evasion techniques.
Attackers are exploiting critical vulnerabilities in OpenMetadata, an open-source data catalog platform, to conduct a Kubernetes crypto mining campaign.
Microsoft discovered the campaign, leveraging flaws patched on March 15.
These vulnerabilities allow for remote code execution and authentication bypass, enabling attackers to install crypto mining malware on unpatched internet-exposed systems. The malware, hosted on a server in China, aims to mine cryptocurrency, with attackers
leaving notes soliciting Monero donations. They maintain access through reverse shell connections
and scheduled cron jobs. Admins are advised to update their software and secure their systems against these exploits.
The Massachusetts Attorney General, Andrea Campbell,
has issued a warning that developers, suppliers,
and users of artificial intelligence
must adhere to state consumer protection,
anti-discrimination, and data privacy laws
amid the rising use of AI
and algorithmic decision-making. The advisory emphasizes the application of existing laws to
AI technologies, highlighting concerns over bias, lack of transparency, and potential harms.
Campbell underscored the balance between AI's potential benefits and the risks it poses, such as
discrimination and privacy breaches. Misrepresentation of AI capabilities, using AI for deceptive
practices, and failing to disclose AI interaction to consumers could violate state laws. The advisory
also focuses on ensuring AI systems are free from bias before market entry and
stresses the importance of transparency in AI interactions.
Coming up after the break, our guest Caleb Barlow from Cyberbit joins us to talk about
badge swipe fraud as more folks are returning to the office.
Stay with us.
It is always my pleasure to welcome back to the show Caleb Barlow. He is the CEO of Cyberbit.
Caleb, welcome back.
Dave Bittner, the voice of the cybersecurity industry. How are you today?
i am well thanks listen i want to talk today about return to office and some of the physical security issues that folks are facing here.
I know this is something you've had your eye on here. What can you share with us today?
Well, it isn't so much I've had my eye on it. It's friends of mine that work at large companies are complaining about it. And we all know the
go back to the office thing and everybody wants more innovation that comes from being in the
office. But there's a new thing that's emerging called coffee badging. Have you ever heard of,
are you a coffee badger, Dave?
If I am, I'm not aware that I am. So please educate me.
I don't think you can be in your job because you actually need to be in a studio. But what this involves is the idea that I don't want to go back to the office. I work at one of these
big companies in a huge cube farm. And when I do go into the office, I probably don't have meetings
with actual live people. I more often than not go into the office and then just get on Zoom and have
a bunch of meetings with people on Zoom. So as you can imagine, lots of people are
pushing back on this. And of course, the challenge that companies and managers have is, well, we'll
just check your badge swipes. So what they're doing is something called coffee badging, where
you show up in the office, you swipe your badge, you get a cup of coffee, you talk to a bunch of
people so they know you were there, and then you walk back out and go home. And ideally, you do this around the times that you
don't have high traffic. Now, I happen to live in the greater Boston area where there is brutal
traffic in the morning, and coffee badging is becoming a big thing. But oh, wait, Dave,
there's been a survey. Owl Labs surveyed 2,000 full-time workers in the U.S.
and found out, can you guess, Dave,
how many are coffee badging?
Oh, my God.
Well, percentage-wise, let me just say 20%.
Oh, you're not even close.
Try 60% are coffee badging.
I have far too much faith in humanity, or not enough.
And it breaks down on male and female, 62% of men, 38% of women, much higher with millennials.
A full 63% of millennials are coffee badging and only 38% of boomers.
Now, the boomers probably never left the office.
They never got the message that you could go home.
But I mean, this is unreal.
Now, there's other security problems that come into this.
Well, yes.
You want to guess what comes next, Dave?
Okay.
Let's see.
Well, I mean, whenever we think about badging and physical security,
we talk about people following other people in and that sort of thing, tagging along.
Are we headed in that direction or somewhere else?
Oh, somewhere else.
I don't want to go to the office anyway.
Oh, okay, okay, okay.
How about I give my badge to someone else and they badge in?
Ding, ding, ding, ding.
Okay.
So this is the equivalent of having somebody else punch your time clock for you, right?
No, this is what we're doing now to be green.
We have to go into the office.
Our badge has to go into the office.
We don't want to commute.
No.
So what we're going to do is instead is,
you know, what we're going to do is we're going to ride share.
So one employee from our community is going to grab five or 10 badges,
or worse yet, we find some gig worker to go take five or ten badges into the office,
show up, swipe the badges, and go home.
No.
And this issue apparently is fairly rampant.
What? That can't be real.
You're going to send a stranger to the office.
Oh, maybe not a stranger. Maybe a work colleague.
So I'll tell you what, Dave.
I'll take Monday.
You take Tuesday.
We'll get Peter Kilby to take Wednesday.
And all of us only have to go into the office one day a week.
And we only have to show up for coffee. I like it.
It's not a bad gig.
Yeah.
This is a classic example of really bad HR practices causing a massive security problem. And here's the attitude amongst most of these employees. They don't care. Right. Go resources and what we're trying to get out of people with a conversation with a CISO.
So if you have one of these return to the office initiatives and you're working just off of badge swipes and you're the CISO, you probably need to be complaining pretty heavily about the security ramifications of this policy.
Well, and just to be crystal clear here, I mean, in your mind, what are the obvious security
issues that go with this?
Well, I mean, what also happened over the course of COVID is everybody cut costs because
everybody went home and they got rid of the receptionists.
So in a lot of these big companies, certainly companies I've worked in, there's nobody there.
You walk into the office, there's a badge. There's not even a security officer there. I mean,
one of the companies I worked at security was three states away. You could have been anybody.
I mean, I suppose you could maybe do facial recognition. Nobody's doing that. You look
at the badge reader, the thing's 15 years old. There's no way anybody's doing facial recognition
to figure out if this is actually you. So you've got a real problem if you're worried about random people walking around your office,
probably getting some coffee.
They could be just a gig worker.
And I think also, obviously, updating policies.
There have been some really bad examples of this, probably the most notable of which is
TikTok at their offices.
Got a lot of pushback from a tool called MyRTO, which stands for Return to the Office, that would not only track badge
swipes, but would even ask employees to submit reasons why they were not there. So it's looking
at security footage or something to tell if you're not at your cube?
No, it's back to looking at the security swipes.
But remember back in grade school,
well, you have kids.
If your kid doesn't show up at school,
if you don't call the school,
the Truant officer calls to say,
Dave, why are your kids not in school?
Do you have a doctor's note?
This is literally the equivalent
in a professional world of saying,
Dave, do you have a doctor's note?
Because you weren't in the office today.
It's not good.
No, and you know what?
What I think this really shines a light on here is like,
isn't this unintended consequences?
I mean, you're just, the people who are trying to encourage back to work,
it seems to me they're not thinking about, or back to office, I should say, they're not thinking about the downstream security implications of these policy decisions they put in place.
100%.
And the point is, you need to have a reason to go back in the office.
So I'll give you one example.
One of the private equity firms that I do some work for, they've got this amazing return to the office policy, which is, hey,
we want you in the office on these days of the week, and everybody's going to come in.
And by the way, when you come in, we're going to serve you lunch, and everybody should eat lunch
together. And what ends up coming out of it as a byproduct is this, you know, kind of amazing, you know, coffee culture of everybody's got this
hour or two every week where they're around, you know, around a table talking and exchanging ideas.
And that's where innovation comes from, right? When you're sending people and demanding they go
into a cube farm to get on a Zoom call, you're kind of missing the point of getting people back
in the office.
Right.
I agree.
And then there's a security problem that comes with it, is my point.
Yeah, yeah.
I maintain that a big part of this
is that there's nothing a CEO likes more,
and present company excluded, of course, Caleb,
but there's nothing a CEO likes more
than being able to give one of their CEO buddies
the grand tour of the office, right?
And show them around and say,
look at all these people here.
Look at this.
Working away.
Look at all these people who are under my command.
Look at them all.
Look at them.
And so when people are working from home,
you've lost the ability to do that.
And I think for a lot of CEOs,
that rubs them the wrong way
and it drives a lot of the desire
to bring people back in.
That's just my theory. And here's the other thing, right? There is no question that getting people in person
can drive innovation and can drive new ideas. No question all about it. But there are other ways to
get people in person and get that innovation to occur. The lowest common denominator with the
least innovative ideas is the one that says,
I'm going to watch you based on your badge swipes and make sure you come into the office.
Agreed. Agreed. All right. Well, Caleb Barlow is CEO at Cyberbit. Caleb, thanks so much for joining us.
Thank you.
And finally, in an era where the line between science fiction and reality increasingly blurs,
Colorado has taken a pioneering step to safeguard the sanctity of our innermost thoughts. With the stroke of Governor Jared Polis's pen, the state has boldly declared
that our neural data, the intimate electrical whispers of our brains, deserves protection from
the voracious appetite of emerging technologies. By expanding the definition of sensitive data
to include our biological and neural information,
the state is not just protecting us from today's privacy intrusions,
but also those of a future we're still trying to fathom.
It's a reminder that as technology leaps forward,
our legal frameworks must evolve, too,
to preserve our dignity and autonomy.
Colorado lawmakers say this isn't about stifling innovation or putting a damper on the potential
benefits that neurotechnologies could bring. It's about proceeding with caution and respect for
individual rights in uncharted territories. After all, the essence of who we are, our thoughts, emotions, and memories,
should not be up for grabs. It's a bold move, acknowledging the profound implications of
neurotechnology and its potential to transcend the boundaries of personal privacy. In a world
where your brain's data could reveal more about you than your social media profiles ever could,
Colorado is setting a precedent for
the rest of the nation, perhaps even the world, to follow. The legislation isn't just about
protecting privacy, it's about maintaining our autonomy, ensuring that as we stand on the brink
of this new technological era, we retain control over the most private parts of ourselves.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us
at cyberwire at n2k.com.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music by Elliot Peltzman.
Our executive producers are Jennifer Iben and Brandon Karp.
Our executive editor is Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.