CyberWire Daily - High-end and low-end extortion. Push to start–wait, not you… Social media and open-source intelligence. Russian cyberattacks spread internationally. Preparing for cyber combat.
Episode Date: July 12, 2022

High-end and low-end extortion. Vehicles from Honda may soon be rolling off the lot. Social media and open-source intelligence. Russian cyberattacks spread internationally. Joe Carrigan surveys items for sale in dark web markets. Our guest is Jonathan Wilson of AU10TIX to discuss consumer sentiment around data privacy. Preparing for cyber combat.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/132

Selected reading.
BlackCat (Aka ALPHV) Ransomware Is Increasing Stakes Up To $2,5M In Demands (Resecurity)
Ransomware gang now lets you search their stolen data (BleepingComputer)
Luna Moth: The Actors Behind the Recent False Subscription Scams (Sygnia)
'Luna Moth' Group Ransoms Data Without the Ransomware (Dark Reading)
Hackers can unlock Honda cars remotely in Rolling-PWN attacks (BleepingComputer)
Hackers Say They Can Unlock and Start Honda Cars Remotely (Vice)
Rolling PWN (PWN)
Russia launches attack on Poland as hackers declare war on 10 countries, including UK (Express)
Vice Minister: cyber attacks are aimed at seeking publicity and raising tensions (DELFI)
How one Ukrainian ethical hacker is training 'cyber warriors' in the fight against Russia (The Record by Recorded Future)
The Biggest Threat to the Military May Not Be What You Think (ClearanceJobs)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
Extortion, both high-end and low-end.
Vehicles from Honda may soon be rolling off the lot.
Social media and open-source intelligence.
Russian cyber attacks spread internationally.
Joe Carrigan surveys items for sale in dark web markets.
Our guest is Jonathan Wilson from AU10TIX
to discuss consumer sentiment around data privacy
and preparing for cyber combat.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 12, 2022.
Yesterday, we described a report by Resecurity that the BlackCat gang had adopted a quadruple extortion model.
The four aspects of the extortion attack are encryption, the threat
of doxing, distributed denial of service, and finally, reputational damage achieved by harassing
the victim's customers, business partners, employees, and media to tell them the organization
was hacked. Bleeping Computer reports that one novel and upscale feature of this newer approach is provision of a searchable database of non-paying victims, the better to expose them to reputational damage.
BlackCat may represent the high end of the ransomware-as-a-service market, but that doesn't mean the low-rent simple minds are out of business, by no means. There are still plenty of simpler approaches to
cybercrime that require far less talent and attention to detail. Researchers at Sygnia,
for example, report on the activities of the Luna Moth group, and these are so low-end that
one hesitates to even call them ransomware, because where's the ware in all this? Luna Moth uses
commodity RATs against its victims, and it does so opportunistically, with little evidence that
they're fishing for particular targets. It doesn't bother encrypting data and relies simply on the
threat of doxing to extort payment. What's your secret, Luna Moth? How do you do it? Volume.
Researchers claim to have demonstrated a proof of concept they're calling Rolling Pwn that affects the remote keyless entry systems in Honda models between 2012 and 2022.
They say the exploit takes advantage of the keyless entry system's rolling code system,
which uses a synchronizing counter to prevent replay attacks.
The rolling code system accepts a sliding window of codes
to account for the key fob being pressed accidentally
or when it's out of range of the vehicle.
The researchers say,
by sending the commands in a consecutive sequence to the Honda vehicles,
it will be resynchronizing the
counter. Once the counter is resynced, commands from the previous cycle of the counter worked
again. Therefore, those commands can be used later to unlock the car at will. The researchers worked
on Hondas, but they think it likely that other makes are also vulnerable. While there are some
reports of others replicating
these results, the exploit remains, to say the least, controversial. Honda, for one, doesn't
believe it, according to Bleeping Computer. Honda dismissed the proof of concept as old news.
A Honda representative emailed Vice to say, I'd hope that you would treat it as such and move on
to something current rather than
creating a new round of people thinking that this is a new thing. We've looked into past similar
allegations and found them to lack substance. While we don't yet have enough information to
determine if this report is credible, the key fobs in the referenced vehicles are equipped with
rolling code technology that would not allow the vulnerability as
represented in the report. In addition, the videos offered as evidence of the absence of rolling code
do not include sufficient evidence to support the claims. So, it's a story worth watching,
but so far the prudent verdict would seem to be not proved. In the meantime, push to start, but be safe out there.
Turning to Russia's hybrid war against Ukraine,
The Telegraph cites a blogger accompanying Russian forces in Ukraine
in support of its conclusion that NATO-supplied HIMARS rocket artillery systems
have been striking fear into Russian troops.
On Monday, Roman Saponkov, a Russian military blogger
embedded with frontline Russian forces, wrote on Telegram,
Yesterday, I happened to witness a HIMARS strike on Chornobaivka in Kherson
practically in front of my eyes.
I've been under fire many times, but I was struck by the fact
that the whole packet, five or six rockets, landed practically on a penny.
Usually, MLRS lands in a wide area, and at a maximum range, it completely scatters like a fan.
It makes an impression, I won't dispute that.
It is clear that this is just the beginning.
They're going to hammer Kherson and other border cities, Belgorod in particular.
They will cover all the command posts and military installations they have gathered data on for the past four months.
Mr. Saponkov sensibly advises his readers that a single wonder weapon is rarely a war winner.
We mention this not so much as an observation on the kinetic phases of the war in Ukraine,
as compelling and tragic as those may be,
but because Mr. Saponkov's comments on the effects of HIMARS fire are a striking illustration of how hard it is to moderate communication via social media,
even where there's a strong motivation to do so and a tradition of censorship to draw upon.
Open-source intelligence has played a prominent role in the special military operation from the outset.
On the eve of the invasion, for example,
foreign observers had a tolerably complete and realistic picture of the Russian order of battle based on posts by Russian soldiers and, for example, by curious Belarusian civilians
posting photos of Russian combat vehicles staging through their towns.
Bumper numbers of the vehicles often clearly visible.
This new OPSEC challenge is one all armies will henceforth face to one degree or another.
Clearance Jobs quotes security experts on the challenge. Their comments don't neglect the
effect too much information can have on service members' careers, but the broader OPSEC lessons
are also clear. Dominic Eger, field chief technical officer at Ajuna Security, said,
the advent of social media has created a whole other realm of oversharing, tracking,
and personal opinion
narrative. And he surely has a point.
Killnet, the threat actor that represents itself as a hacktivist tendency operating in the patriotic interest of Russia, but not under the control
of Moscow's security services, has extended its distributed denial-of-service attacks to Polish government sites, the Express reports. As was the case with earlier operations against Lithuania,
the most recent DDoS attacks didn't rise above the level of nuisance. Poland has strongly supported
Ukraine, both since the invasion and during the tensions that preceded Russia's war.
And finally, the hybrid war Russia initiated against Ukraine
has prompted considerable reflection on how one raises and trains a cyber army,
and even irregulars need training and direction. The Record by Recorded Future describes the work
of Nikita Knysh, a former employee of Ukraine's security service and founder of the cybersecurity consultancy HackControl,
which has been providing Ukrainians with both advice on self-protection and tips on conducting offensive cyber operations against the Russian enemy.
Mr. Knysh sees this as a contribution to partisan war against the invader.
He dismisses the concerns some have raised
about the risks of encouraging hacktivism, even in wartime.
He says,
Not attacking your enemy in cyberspace is stupid.
In the past, soldiers destroyed logistics and production facilities,
but now they also attack technology and information.
Taking down a network is becoming to 21st-century guerrillas
what blowing up a bridge was to their 20th-century ancestors.
Do you know the status of your compliance controls right now? Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members
discover they've already been breached.
Protect your executives and their families
24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
... looking at issues like preference for security over convenience, corporate responsibility, and trust.
Jonathan Wilson is Chief Risk and Compliance Officer at AU10TIX.
For me, I think it was a lot of affirmation of what I was seeing in consumer behavior and what our customers were reporting to us. And that's like essentially today's data privacy world is a little bit like the Wild West.
You read a lot of the terms and conditions we're agreeing to when we open accounts,
and there's a lot of room for businesses to liberally collect data.
And in many cases, companies are collecting, you know, troves of
data. And they're doing that perhaps under money laundering and suspicious activity laws that
permit them to do that. And in some cases, they're taking liberties that perhaps, you know, they're
not allowed to take. But just the, you know, the lack of consistent laws and legislation across the globe, I think, has created a bit of a Wild West.
I noticed coming out of the report that there is this theme of transparency that I think is missing, that consumers feel is missing. And I believe we've got a long way to go to get the legal and legislative standard raised
so that businesses become more transparent
about what they are doing
and how they're using personal data.
Is there a sense of resignation on behalf of the users
when faced with these EULAs that are unreadable,
too long to be able to digest, that they feel as though
they're not really in control of things. You know, I think there definitely is that sentiment,
Dave. Clearly coming out of the survey that we did, there were a high proportion of the
respondents who were feeling like they were a little bit out of control.
But I think we are seeing the tide turn a little bit.
We're seeing, you know, what I'm seeing is consumers begin to take control again of their data. There are sites that are dedicated to helping consumers understand who has access to their data
and to help automate requesting access to the data that's
being held. And I think that, you know, the new laws that are emerging, in particular, if we look
at the U.S. market, you know, today there's a handful of states that have data protection laws,
but there's a handful of states coming out with data protection laws, and there's also a federal law that's being positioned at the moment.
So I think a lot of that is coming from consumers that are, quite frankly, probably fed up with being in a place of not being in control, and they want to take back that control.
... noticed in the report here is that it seems as though consumers are really looking to the businesses themselves to take responsibility for taking care of a lot of this data.
Yeah, very, very clearly they are. I think the consumers are putting the onus on care of the data back where
it belongs, really, which is where it's being collected. It's at the business level and at the
commercial level, the service provider level.
And so I think there is an expectation that consumers have that, kind of going back to what I had said a little bit earlier, that companies start to become transparent about what they're collecting, why they're collecting it, and what they intend to do with it.
Based on the information you've gathered here, what are your recommendations for organizations to align themselves with the desires of consumers?
My recommendations would be to understand the data protection laws that apply to them, but also not just apply to them, but also the data protection laws that exist globally.
There are some really good standards out there, such as GDPR, you know, in Europe and CCPA on the West U.S. coast. And, you know, to examine them and understand the best practices within them to, you know, to effectively treat customers as they're demanding to be treated.
I think also, Dave, we can really, we can help the situations and organizations can help the
situation by leveraging and deploying emerging technologies. So there are technologies available,
such as, you know, for example, verifiable credentials. And this type of technology puts the power
and the sovereignty of the consumer's private information
back into their control.
It allows them to hold it, for example, on their mobile device
and to control when it's shared.
So identify the relevant technology, assess it, apply it,
and be ready to deploy the emerging technologies,
which are putting the power back into the hands of the consumers, which is really good business.
Are you optimistic that we're heading in the right direction here? Do you have a sense that
we're gaining ground? I do. I do. I do think we're gaining ground. If I look at what's happening in the U.S. market, I mean, it's clear, Dave, that the European market has a fairly robust set of requirements and legislation.
But if we look in the U.S., we see the maturation of data protection laws, states, again, states that are going to be passing their own data protection laws.
And we also see movement at the federal level.
And I think that companies are starting to see that there are, there's some teeth to these data protection laws.
You know, we're seeing fines being levied and companies have really have no choice to sit up,
take notice and to take the data protection laws seriously.
So I do think that we're making progress.
That's Jonathan Wilson from AU10TIX.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
ThreatLocker is designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach
can keep your company safe and compliant.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute
and also my co-host over on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
Interesting report came out recently. This is from the folks over at the Privacy Affairs website.
This is written by Patricia Rufio, and it is the Dark Web Price Index for 2022.
A lot of interesting data in here, Joe. I thought maybe we could unpack
this together. I love these kind of reports, Dave. Yeah. Because I always wonder, what does my ID
cost on the dark web? How much is my email account worth?
Yeah.
Not much, it turns out.
Email database dumps, you can get 10 million email addresses for $120.
Right?
And that's for USA email addresses.
Okay.
Apparently, New Zealand email addresses are a little more pricey.
For 600,000, it's $110.
Yeah.
So it's a lot more per email address.
And Canadian email addresses are also more expensive than American email addresses.
They have a bunch of different things in here about getting into hack services.
Right.
Dave, are you paying for Netflix every month like a chump?
Because if you have $25,
you can get a hacked Netflix account that already has a one-year subscription.
I am paying for a lot of people in my family to watch Netflix, let me tell you.
Not all of them under the same roof. Dave, don't say that. That's not true, of course.
No, I'm just planting a hypothetical out there. Right, yes. Yes. Here's an interesting one.
Hulu, they'll sell you a Hulu account for five bucks,
but isn't that pretty close to what the price of a Hulu account is if you just get it?
Yeah, I think it depends.
There are different tiers, I think.
Yeah, there's advertising tiers.
What's interesting to me in here are the wide variation of the value of different things.
Yes.
Some of these I didn't know or expect.
Evidently, passports are quite pricey.
They're very pricey.
Yeah.
They're like 3,800 bucks for a passport here.
And that's actually another thing.
Later in the article, there's a list of price changes over time,
and passports have come down significantly in cost.
A lot of things have come down in cost.
In fact, most of the items on this list, including social media accounts, followers, and all that stuff has come down in price.
So yeah, passports are down in price about 200 bucks from 4,000 to 3,800 bucks. So not a big,
not a big drop in price, but they're still very pricey, $3,800. Other IDs have gone up in price.
Things like a Louisiana driver's license or a New Jersey driver's license.
A fake green card is up $10.
It's a European Union national ID.
Average is around $160.
That's up about $40 from last year.
U.S. driver's license.
I don't know what a U.S. driver's license is.
Because a driver's license from someone in a U.S. state, I guess.
Well, they call out different states here.
They call out like a New Jersey driver's license, and they have Delaware ID, Indiana ID.
I know that Maryland has IDs that are not driver's licenses that look essentially the same as a driver's license.
Right.
It just doesn't say driver's license.
It says identification card.
U.S. driver's licenses are up.
A Lithuanian passport has gone up almost double.
It was $1,500.
Now it's $3,800 like all the other passports.
Right.
I find the social media section pretty interesting.
You know, the most expensive hacked account is a Facebook account.
$45 for a hacked Facebook account.
Hmm, okay.
It's only 40 bucks for a hacked Instagram account.
Twitter accounts are $25.
They have a hacked Gmail account.
I don't think that's a social media account,
but it's here at $65.
That makes sense to me.
A hacked Gmail account
is probably very valuable
because that is a keys to the kingdom
for that person, right?
That will get you access
to all of their accounts
if that's their main account.
Right. And you can look through to find out what kind of services they use and then get access to their
services. If you want to buy followers, followers are cheap. Spotify followers are a dollar for a
thousand of them. Instagram followers, $4 for a thousand. Same with Twitch. LinkedIn, if you want to get a thousand people to follow your
company, 10 bucks. SoundCloud plays. How much to stop having people follow me on LinkedIn?
They can't. I don't think they can do that. Oh, man.
SoundCloud plays a dollar for a thousand of them. Now, that's not a follow. That's a one-time event.
So that's probably why that's cheap, I guess.
Yeah, yeah.
I guess part of what's interesting about this report
is just the breadth of things that are out there.
You don't, I think,
I tend to think about these things in broad categories,
but when you see them laid out,
the detail that they have here,
there really is a market for everything.
And it's interesting to me
that they're able to get all these prices for these
things. Looking around on the forums, it's a market. It's a real market. It is a market. They
talk about that later in the article. And they talk about as the marketplace matures, prices
decline. They say sales volume has gone up and prices have gone down. There's a lot more data
out there. And one of the comments they make in this section is that there is a larger variety of options for people.
They've noticed some important operational changes here.
One, there was an organization that was a dark market called the White House Market.
It was a clear leader, but they shut that down in October of 2021, I think.
They comment that dark web security ops have gotten better.
People have become more secure and efficient,
but law enforcement security specialists
have also become more skillful.
Dark web operators,
site operators,
market operators, I should say,
dark market operators
use better security measures
throughout their dark web transactions.
They started using Monero
instead of Bitcoin
because of its inherent privacy
preserving in every transaction.
Yeah.
And PGP is the way people communicate.
Hmm.
Okay.
Makes sense.
Yep.
Yeah.
Really interesting report here.
And there's so much more detail than we have time to cover here.
Again, it's a lot of information over on the Privacy Affairs website, and it's called Dark Web Price Index 2022. Worth checking out.
Joe Carrigan, thanks for joining us.
My pleasure.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is ...
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
Your AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.