CyberWire Daily - Killnet hits Italian targets. Access restored to RuTube. Hacktivism in the hybrid war. Emotet surges. NPM dependency confusion attacks were pentesting. Cybercrime and punishment.

Episode Date: May 12, 2022

Killnet hits Italian targets. Access to RuTube is restored. Hacktivism in the hybrid war. Emotet surges. Clearing up the confusion of NPM dependency confusion attacks. Tim Eades from Cyber Mentor Fund on finding the right investors. Our guest is Michael DeBolt of Intel 471 on the growing interest in biometrics in the criminal underground. And cybercrime and punishment, Florida-man edition. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/92

Selected reading.
Ukraine maps reveal how much territory Russia has lost in just a few days (Newsweek)
Pro-Russian hackers target Italy institutional websites -ANSA news agency (Reuters)
Russian cyber experts restore RuTube access after three-day outage (Reuters)
They Fled Ukraine to Keep Their Cyber Startup Alive. Now, They’re Hacking Back. (Wall Street Journal)
Ukraine hacktivism 'problematic' for security teams says NSA cyber chief (Tech Monitor)
HP Wolf Security Threat Insights Report Q1 2022 | HP Wolf Security (HP Wolf Security)
npm supply chain attack targets Germany-based companies with dangerous backdoor malware (JFrog)
SaaS App Vanity URLs Can Be Spoofed for Phishing, Social Engineering (SecurityWeek)
Trio Of Cybercriminals Sentenced For Conspiracy To Commit Fraud And Aggravated Identity Theft (US Attorney for the Middle District of Florida)

Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Killnet hits Italian targets, access to RuTube is restored, hacktivism in the hybrid war, Emotet surges. Clearing up the confusion of NPM dependency confusion attacks. Tim Eades from Cyber Mentor Fund on finding the right investors.
Starting point is 00:02:16 Our guest is Michael DeBolt of Intel 471 on the growing interest in biometrics in the criminal underground. And cybercrime and punishment, Florida style. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 12, 2022. The morning situation report on Russia's war in Ukraine reports, roughly speaking, a stalemate, which from Moscow's point of view might as well be a defeat.
Starting point is 00:03:08 Killnet, a hacktivist group aligned with Russian interests, has conducted nuisance-level attacks against a range of Italian targets, Reuters reports. The organizations affected include the Senate, the National Health Institute, and the Automobile Club d'Italia, the national drivers' association. The nature of the attacks wasn't specified, but Killnet's track record and the speed with which the services were restored suggest distributed denial of service attacks. Killnet has counted coup against other governments hostile to Russia's special military operation,
Starting point is 00:03:39 with Romania having received the most extensive attention from the gang. Reuters also reports that security teams have restored access to RuTube, Russia's autarkic alternative to YouTube, after the service was downed for three days by hacktivists acting in the perceived Ukrainian interest. The service was taken offline Monday during Russian Victory Day celebrations. Ukrainian security firm Hacken, which specializes in testing blockchain security, decamped from Kiev at the beginning of the war and re-established itself in Lisbon.
Starting point is 00:04:19 Since then, the Wall Street Journal reports, the company has both sought to stay in business and to contribute to Ukraine's war effort by hacking Russian services. Among Hacken's contributions is the DDoS application Liberator, which allows users to volunteer their devices for use in DDoS attacks against Russian companies. The target selection is interesting and shows some insight into Russian logistical weaknesses. One of the companies hit, the Journal says, manufactures military boots. At one level, it's difficult not to sympathize with Hacken and those like them.
Starting point is 00:04:58 What thinking person wouldn't wish confusion to the Russian forces? But hacktivism has a downside that parallels the familiar downsides of irregular warfare that the laws of armed conflict have long struggled with. The annual Global HP Wolf Security Threat Insights report was recently released. The team has identified a 27-fold increase in Emotet malware campaigns in the first quarter of 2022 as compared to the last quarter of 2021, and it is now the most common malware family at 9% of all malware identified. HP Wolf Security has identified techniques that cybercriminals are using, including an increase in non-Office-based malicious file formats, an increase in HTML smuggling, and a two-for-one malware campaign that leads to RAT infections.
Starting point is 00:05:50 JFrog, reporting yesterday on the NPM confusion attacks that they and others observed hitting German firms, speculated that the incident might have amounted to nothing more than an unusually aggressive penetration testing effort. That now seems increasingly likely. JFrog reports, Following the publication of our blog post, a penetration testing company called Code White took responsibility for this dependency confusion attack.
Starting point is 00:06:19 Code White says an intern did it. They say, Thanks for your excellent analysis at Snyk and don't worry, the malicious actor is one of our interns who was tasked to research dependency confusion as part of our continuous attack simulations for clients. JFrog doesn't give this particular pen test good reviews. Shachar Menashe, their senior director of security research, wrote in an email, I think this level of payload on a legitimate pen test is pretty irresponsible. First of all, since the code has absolutely no indications in it, in the source code, or in its metadata,
Starting point is 00:06:57 the NPM package description, this could have put the company's threat response team into high alert, wasting the client's resources on nothing. Adding a simple string for security pen test purposes on the NPM package description or even in the source code could have prevented this while still proving the point, as was presented in previous very successful attacks. In a rough-and-ready way, Intel 471 suggests that defenders look for three classes of tools, Trojans, information stealers, and, unsurprisingly, in the wake of the NPM dependency confusion incident in Germany, penetration testing tools. Those last, of course, have their legitimate
Starting point is 00:07:41 uses, but they're also readily susceptible to abuse. This isn't, as Intel 471 cautions, anything remotely resembling a panacea, but it can be a useful starting point. And finally, there's been a conviction in a federal cyber fraud case in Florida. Actually, three convictions, all of them on guilty pleas. So here's what happened, according to the Office of the United States Attorney for the Middle District of Florida. These three guys all copped pleas to conspiracy to commit fraud and aggravated identity theft. The boys got busy. The trio conspired to knowingly and with intent to defraud possess thousands of counterfeit and unauthorized access devices,
Starting point is 00:08:27 including the names, social security numbers, account numbers, usernames, and passwords of identity theft victims. These are not hacker masterminds. What was their secret? Volume, apparently, just like in the big, big sales Crazy Eddie used to run. They emailed each other the elements
Starting point is 00:08:44 of personally identifiable information they came across, used it to open accounts fraudulently, and because your secret is volume, you don't have to hit on every try. And they also purchased server credentials from somewhat savvier hoods in the underground C2C market. IRS-CI Special Agent in Charge Brian Payne said, this trio wrongly assumed that their crimes would be untraceable, hidden under a cloak of internet anonymity. Through sophisticated investigation techniques, IRS-CI and our partners uncovered a digital set of footprints leading to these three criminals. Today's sentencing now holds them accountable for their crimes and should serve as a warning to others involved in this parasitic behavior.
Starting point is 00:09:31 So take heed, wise youths, and turn, turn away from that life of crime. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key
Starting point is 00:10:21 workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award
Starting point is 00:11:06 winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. The security team at Intel 471 has been tracking increased activity on dark web markets and forums regarding biometric security controls. Michael DeBolt is chief intelligence officer at Intel 471. Cybercriminals are opportunistic. Financially motivated cybercriminals are just looking for every each way they can get in and they can monetize based on their access and the data they can get access to.
Starting point is 00:12:07 And so they're looking at biometric authentication, how they can get access to that data, and then how they can find vulnerabilities to extract that information and then leverage that in the financially motivated cybercrime underground as kind of the next phase. One of the things that your research pointed out was the use of this biometric information in a lot of national identification cards. I think here in the U.S., that's an area where perhaps we lag behind some other nations that are leading the way with this. Yeah, absolutely. I mean, one example of, so we would call this documentation fraud, and it caught our attention back in late 2020. And we've seen a couple of situations that emulate this as well. We've had two Iranian actors coming into the marketplace, and they offered to sell biometric and also other identification documents that could be leveraged in multiple countries. And what they were claiming is that they had leaked that or stolen that from an Iranian government website. And this was something around 80,000 national ID cards. Now, we couldn't
Starting point is 00:13:16 confirm 100% the validity of those claims. But, you know, if it's true, it just kind of gives an example of the volume to which biometric-based ID cards can be used and sold in the underground to further elicit criminal activity. I think for most of us in our imagination when we think of biometric authentication, it probably comes in two categories. One is the Hollywood version where, you know, somebody in a Mission Impossible movie either scans their handprint or does a retina scan. But then there's also the day-to-day stuff that I think many of us experience, things like Touch ID or Face ID or, you know, the various platform versions of that. What is the practical use of these that are on the dark web? I mean, if someone gets your biometric information from one of these national cards, what does that open up for them? Yeah, I think you're right. I think there's just, we already talked about documentation
Starting point is 00:14:16 fraud. That's one. Really, it comes down to building new identity profiles using that biometric information and spoofing or impersonating the true identity of the person that you stole. I see. And I would also say that because this is somewhat of a new sort of thing for us, utilizing biometric authentication as a security mechanism is still somewhat new. It's certainly newer than traditional password-based authentication methods. The actors are starting to talk a little bit more about this, discussing, sharing new ideas about how to access this kind of information and how to leverage it for furtherance in their criminal activity and their schemes.
Starting point is 00:15:01 From an organizational point of view, do you have recommendations for implementing these sorts of things? I mean, users love the convenience of it, but is it something to keep an eye on that it's not the panacea that it may seem to be? Yeah, I think you're right. So just like passwords, encryption, encryption, encryption, right? Encryption is a must, both for in-transit and at-rest biometric patterns and the profiles and templates that are stored in the back end. Also, just like passwords or really any other type of proprietary or sensitive data that you're storing, pay really close attention to exposed databases. A lot of the specific examples that we've seen in the underground are as a result of leaked or exposed databases that are really openly accessible on the internet.
Starting point is 00:15:54 So just to make sure that we're scrutinizing sensitive databases, making sure that we're segmenting them properly within the network. And those tips, they apply to broadly any authentication method that you're using, password-based or biometric-based or anything else. But I think there's a couple of others that are more specific to biometric authentication. So a lot of organizations use anti-fraud or anti-spoof vendors. And some of those, you know, they're really great options for password-based fraud monitoring, but not all of them cover biometrics. They just haven't caught up or there's not their focus area. So just make sure you have something in place to ensure you're
Starting point is 00:16:36 able to, you know, monitor spoof and impersonation attempts and ensure that, you know, the systems that you have in place and the internal processes can pick up on those things. And then kind of in the same vein, if you're using a third-party vendor solution, and third-party risk is a huge thing right now with SolarWinds and some of the other stuff that we've seen over the past 12 months or so. And so this is the same for biometric authentication, right? If you're using a third-party vendor solution for biometric authentication, make sure you fully understand how your data is being handled, how it's being stored. And then also I'd say, stay alert to any possible sort of third-party
Starting point is 00:17:18 breach incidents that may be affecting that third party that will have a downstream effect on your users. And then last but not least, a lot of the stuff that we try to illuminate in our reporting is from the perspective of the bad guy and in the cybercrime underground. And so when you have monitoring in place, you understand what the threat actors are prioritizing, what they're going after, how they're obtaining this information from in the first place, and then how they're, you know, using it as in their end goals and their end schemes. It's really important to understand all of that so you can put together the security controls internally
Starting point is 00:17:52 to be able to mitigate that more proactively. That's Michael DeBolt from Intel 471. Thank you. trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And joining me once again is Tim Eades. He's the CEO at vArmour and co-founder of the Cyber Mentor Fund. You know, Tim, you and I have spoken previously, and you sort of touched on this notion of finding the right venture fund to fit your organization's particular needs. I want to dig into that, spend a little more time on that.
Starting point is 00:19:19 What's the importance there? Thanks, David. It's good to be here. I think when you look at raising money, you're looking at getting married. Look at it that way, right? So when you get married, you have to date first. You want to date first for all sorts of reasons on both sides, right? And when you get into that dating scenario, you can get to know somebody. You get to see how they react. In the investor side of these things, you need to go talk to the previous CEOs that they work with and say, what happened when the company was getting acquired? What happened when the company was going through a tough time?
Starting point is 00:19:55 Very easy to get good feedback when it's a good time. What happened when you did a misstep? What happened if you missed a quarter? What happened when you were trying to get acquired? Did they agree? Were they constructive? Did they come with the right advice? So as you're going through that process of dating and raising money and dating, make sure you do your reference checks about the bad times, you know, through talking to previous CEOs that they've been partnering with. Because divorce is expensive, complicated, and very difficult to get people off the board,
Starting point is 00:20:28 particularly if it's not set up correctly. So I always look at it, investing and marriage is the same thing. You know, I think when it comes to perhaps stretch your dating metaphor to its limits, there's that notion that desperation is not attractive. For the folks who are out there trying to raise the money, does that apply to them as well? Yeah, for sure.
Starting point is 00:20:53 I mean, absolutely. I always tell people it takes you about five months to raise money, right? From when you start dating to when the money's in the bank. You should assume that kind of time period. I will also tell you, raise like 30% more money than you thought you were going to have because you never know. You might make a misstep. And when you come to do another round, you need to do it from a position of strength. But start dating. Do it casually to begin with. Meet three or four independent VCs. Pull together four or five slides, get to know them.
Starting point is 00:21:27 They need to get to know that you have the domain permission, you have the right technology, you understand the problem statement, and that you have the right team and you can execute milestones. And over those four or five months, they've got to get to know you, that you're hitting those milestones that you put out there. But at the same time, you've got to go back to them. And I would strongly advise that they need to come up with a list of questions, they the entrepreneur, of what you want to ask these people. Tell me about when an investment went wrong. Tell me the bad side of what goes on. Tell me how you reacted. Too often, some of the entrepreneurs don't feel that they have that right or that permission to ask those questions. And I would absolutely say they do. And'll say, this is not a good match for me. This is definitely not a love connection here. But I think I might know someone who fits your needs better than I do.
Starting point is 00:22:42 or other venture friends of mine and say, we are looking at the world this way. And sometimes we might just have a philosophical disagreement or we might turn around and say, look, you know, we already have an investment in that category. Please stop communicating. We're not that kind of group. But however, look, there's room for more than one company in this space. Go talk to Jonathan at SignalFire or someone like that
Starting point is 00:23:03 or Charles at Raleigh or somebody. The fundamental mission that I think we live by and we should all live by is making the countries and the enterprises more secure and no one company will take it all. We farm those off. Sometimes you meet with people and in my opinion, if they're just uncoachable and they don't have the self-awareness, those are the times when we'll bow out gracefully
Starting point is 00:23:32 and just say, hey, not quite a fit, because we go in as a cyber mentor from very, very early, and we find it very, very rewarding by doing that. But it's going to be a reciprocal environment. It's going to be fun on both sides. All right. Well, Tim Eades, thanks for joining us. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:24:09 The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Rachel Gelfand, Liz Ervin, Elliot Peltzman, Trey Hester, Brandon Karp, Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI
Starting point is 00:25:04 and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
Starting point is 00:25:34 That's ai.domo.com.
