CyberWire Daily - Kingdom come, kingdom fall.

Episode Date: December 21, 2023

German officials take down a dark web market. Google patches a zero-day. Terrapin attack targets SSL. A look at payment fraud. Agent Tesla is spreading through an old vulnerability. An iPhone thief explains his techniques. Ukrainian reprisals for Russia's Kyivstar attack. Israeli officials warn of data wipers. Rick Howard speaks with Scott Roberts of Interpres about Driving Intelligence with MITRE ATT&CK, and leveraging limited resources to build an evolving threat repository. And go ahead and click that like button - just don't expect to get paid.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today's guest Scott Roberts of Interpres joins N2K's Rick Howard from the recent MITRE ATT&CKcon event. They discuss driving intelligence with MITRE ATT&CK: leveraging limited resources to build an evolving threat repository.

Selected Reading
German police takes down Kingdom Market cybercrime marketplace (BleepingComputer)
Google addressed a new actively exploited Chrome zero-day (Security Affairs)
SSH protects the world's most sensitive networks. It just got a lot weaker (Ars Technica)
Annual Payment Fraud Intelligence Report: 2023 (Recorded Future)
Threat Actors Exploit CVE-2017-11882 To Deliver Agent Tesla (Zscaler)
iPhone Thief Explains How He Breaks Into Your Phone (Wall Street Journal)
Ukrainian hackers breach Rosvodokanal, seize data of Russia's largest private water utility (RBC Ukraine)
Fake F5 BIG-IP zero-day warning emails push data wipers (BleepingComputer)
"Get Paid to Like Videos"? This YouTube Scam Leads to Empty Wallets (Hack Read)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. German officials take down a dark web market. Google patches a zero-day. Terrapin attack targets SSL. A look at payment fraud. Agent Tesla is spreading through an old vulnerability. An iPhone thief explains his techniques. Ukrainian reprisals for Russia's Kyivstar attack. Israeli officials warn of data wipers. Rick Howard speaks with Scott Roberts of Interpres about driving intelligence with MITRE ATT&CK and leveraging limited resources to build an evolving threat repository. And go ahead and click that like button. Just don't expect to get paid.
Starting point is 00:02:46 It's Thursday, December 21st, 2023. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Germany's Federal Criminal Police Office and Frankfurt's Internet Crime Unit, in collaboration with international authorities, have seized Kingdom Market, a notorious dark web marketplace known for drugs, cybercrime tools, and fake IDs. Operational since March 2021 and facilitating transactions in cryptocurrencies, Kingdom Market catered to an extensive international user base with over 42,000 items, including a significant portion from Germany. The operation led to the arrest of an administrator in the U.S.
Starting point is 00:03:39 and ongoing efforts to identify further operators through server analysis. The seizure has caused a stir among its users and other darknet communities, with reports of significant financial losses and arrests related to the platform's infrastructure. In the wake of the marketplace's closure, other dark web platforms have quickly moved to recruit dislocated users, showcasing the dynamic and competitive nature of illegal online marketplaces. Google issued emergency updates for Chrome to fix a zero-day vulnerability, a heap buffer overflow in WebRTC, discovered by its Threat Analysis Group.
Starting point is 00:04:22 Google is restricting details on the exploit, which is already active in the wild, to protect users until most are updated. The vulnerability marks the eighth Chrome issue Google has addressed this year. Nearly 30 years after the invention of the Secure Shell protocol, a new vulnerability known as Terrapin has emerged. This attack targets SSH connections by exploiting specific encryption modes, and it operates through a man-in-the-middle position, allowing attackers to intercept and alter communications during the SSH handshake. Terrapin's prefix truncation technique can disrupt the secure data stream, posing a significant threat as research indicates that a large portion of Internet-exposed SSH servers support these vulnerable encryption modes. This development challenges the long-standing security assumptions of SSH, a protocol crucial to the security infrastructure of countless organizations.
Starting point is 00:05:31 Recorded Future's Insikt Group released its 2023 Annual Payment Fraud Intelligence Report. The study highlighted the persistent use of e-skimmer infections by Magecart actors through platforms like Google Tag Manager and Telegram Messenger. It also noted a rise in targeting restaurants, bars, and online ordering platforms for payment card data breaches, with phishing and scam pages becoming more common for card compromise. The report predicts that in 2024, fraudsters will further refine their techniques, merging advanced technology, intricate workflows, and social engineering to evade rule-based fraud detection systems. Zscaler identified that cybercriminals are exploiting an old Microsoft Office vulnerability to spread the Agent Tesla keylogger. They send phishing emails with malicious documents, often disguised as invoices or orders, to trick users into
Starting point is 00:06:25 downloading attachments. If the user's Microsoft Excel is vulnerable, the opened file silently communicates with a malicious server and downloads further harmful files, requiring no additional action from the user. This exploit emphasizes the need for vigilance against seemingly legitimate emails and the importance of updating software to patch known vulnerabilities. The Wall Street Journal's Joanna Stern published a video interview with convicted iPhone thief Aaron Johnson, in which he outlines his journey from homeless pickpocket to being a member of a gang of thieves using social engineering to target unsuspecting victims. Johnson and his associates would befriend their marks at a local
Starting point is 00:07:12 bar, casually convince them to reveal their iPhone passcode, then steal the device and drain the victim's bank accounts and credit cards. You've got the phone. You've got the passcode. What do you do next? It's kind of like a bank robbery. You've got to be quick. You've got to go to the settings. Go to iCloud, click reset password, and put the six-digit code in and make my own password. And then I turn and I'll find my iPhone.
Starting point is 00:07:41 And then that completely locks him off the phone. This was the bit that was so crazy to me when I first started reporting on this crime. With just the passcode to an iPhone, a thief can change someone's Apple ID password and do a host of other things to your account and phone. Johnson was eventually caught and is currently serving time in a Minnesota correctional facility. The Ukrainian hacking group Blackjack, allegedly aided by Ukraine's security service, retaliated against the recent cyber attack on Ukrainian telecommunications company Kyivstar by targeting Russia's largest private water supplier,
Starting point is 00:08:20 Rosvodokanal, disrupting its IT infrastructure and affecting 7 million consumers. The hackers allegedly encrypted over 6,000 computers and deleted 50 terabytes of data, with the SSU analyzing 1.5 terabytes of the retrieved information. Additionally, the Blackjack group reportedly infiltrated the Russian Ministry of Labor's website and extracted data. In a related development, the IT Army of Ukraine claimed an attack on Bitrix24's servers, heavily used by Russian companies, causing widespread customer issues. The Israel National Cyber Directorate issued a warning about phishing emails masquerading as F5 BIG-IP security updates, which instead deploy data wipers targeting Windows and Linux systems.
Starting point is 00:09:13 The attacks, attributed to pro-Palestinian hacktivist group Handala, are part of a broader trend of cyber aggression against Israel, including destructive data wiping assaults. The phishing campaign deceives users into downloading malicious executables or scripts, presenting as legitimate updates, but ultimately wiping system data. Users are advised to only download files from trusted sources
Starting point is 00:09:39 and directly from hardware vendors to avoid these sorts of threats. Coming up after the break, Rick Howard speaks with Scott Roberts of Interpres about driving intelligence with MITRE ATT&CK and leveraging limited resources to build an evolving threat repository. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
Starting point is 00:10:33 more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:11:36 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Back in October, the MITRE Corporation hosted the ATT&CKcon 4.0 conference at their company headquarters in McLean, Virginia. Since MITRE ATT&CK is all about organizing cyber threat intelligence, or CTI, I got to attend. I bumped into one of the thought leaders in the
Starting point is 00:12:25 space, Scott Roberts. He's currently the head of threat research at Interpres Security, but he's been kicking around the CTI space for a while. He's worked at Apple, GitHub, and Splunk. He teaches CTI at SANS in their 578 course and at Utah State University, where he's also getting his master's degree in anticipatory intelligence. And he's just published the second edition of his book, Intelligence-Driven Incident Response: Outwitting the Adversary, with his co-author, Rebekah Brown. Scott and I got to talking about the relative newness of CTI to the InfoSec community. I mean, it's only been 10 years since Mandiant released their famous APT1 report that crystallized the idea that if you're trying to defend against a cyber adversary, then you need cyber threat intelligence.
Starting point is 00:13:13 And I think people forget that cyber threat intelligence has not really been a thing for that long. Is it fair to say that really kicked off in the commercial sector after the APT1 report happened? I mean, people were doing it, but it wasn't common, I guess is the word. I don't know that. Yeah, I don't think it had a name necessarily before that. I mean, that was certainly an incredibly formative thing where I think it had been a quiet aspect going on where, you know, certain companies would have a small cell that was working on it or, you know, there were chat rooms with, you know, a couple different people who had all bounced around it.
Starting point is 00:13:48 But I do think APT1 was definitely a watershed event in making it a thing that... For the masses. Yeah. It went from something that if you were a government contractor or maybe a couple of the financials you would do to something that, you know, now we see in almost every Fortune 500 in some, to some extent. I'm an old Army guy. And we, you know,
Starting point is 00:14:09 we were doing it in the early two thousands. We didn't know what it was. Okay. But we were doing it. The APT one report came out. And so everybody said, Oh, maybe we should be doing that.
Starting point is 00:14:18 And then vendor started having their own threat intelligence teams as a marketing arm, as a way to show that their product could collect telemetry and do stuff to adversaries, right? So there's lots of different aspects to it in the world. Your current work is you're running the Intel team, or they work for you, or you're just advising? How does that work?
Starting point is 00:14:38 I run the Intel team at Interpress. So we're still small. We're scrappy. That's part of what I'm going to be talking about today in my talk for ATT&CK CON is, how do you build that kind of scrappy team that can get a lot without having a whole lot backing you? Threat intelligence is definitely a kind of
Starting point is 00:14:57 have or have not type of role. On one hand, you see some of these Fortune 10s that'll have 100 people. Massive teams. Mass massive teams where they're hiring all these ex-intelligence agency folks and things like that. And they have the backings of massive tools companies who are still facing the same threats, still dealing with the same problems, but might only have a handful of people and might not have budget for some of those higher-end tools. Or none. We're a startup. We were talking yesterday. There's two guys in the IT department. We have no Intel team. So how do we use intelligence as gleaned from everybody else into our own systems? It's tough to do that. How would you suggest startups to medium-sized companies approach that problem?
Starting point is 00:15:51 Well, I mean, that is one of the problems we're trying to solve at Interpris. So buy your product. Buy our product. I mean, I think we're done here. Done here. Okay, thank you very much for coming in. No, I think it's definitely something where there's a variety of solutions. And certainly buying one is a thing. It's going to be just a question of how you want to deploy your resources. I have also seen some very small teams that only have a couple people who've been able to do a lot because I think it's a question of, can you get the right access to data,
Starting point is 00:16:27 internal data as well as external data? And I do think it doesn't all have to be commercial. I think there's a lot of ability to use open source resources to get that. But then how do you apply it? Do you have the right mindset? Do you have the right understanding of what the data is and where you can apply it? Do you have the right mindset? Do you have the right understanding of what the data is and where you can apply it most effectively? Because ultimately speaking,
Starting point is 00:16:50 at least from my perspective, there's three things threat intelligence really does. It's a precursor for detection engineering. It's situational awareness. Or to the point you've already brought up, it's marketing. Well, if you're not a security vendor, you don't really care about the marketing aspect of it. So, you know, I really think for most organizations, it's understanding, okay, what's most helpful? Is it getting your leadership to understand the state of the world? Well, you know, if you're concerned about moving into a new country or, you know, entering a new business and what's that going to change to your threat profile, situational awareness is probably the most important thing.
Starting point is 00:17:28 If you're more tactically focused, maybe it is using open source data to drive new detections. And again, that's, I think, part of what MITRE ATT&CK is about is how do you make that translation between intelligence to detection. That was Scott Roberts, the head of threat research at Interpress Security. You'll be able to hear my full interview with Scott in my CSO Perspectives podcast in 2024. And if you're interested, I discuss CTI in detail in my book,
Starting point is 00:17:57 Cybersecurity First Principles, a reboot of Strategy and Tactics, available at Amazon as a hard copy, a digital Kindle version, and as an audiobook. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
Starting point is 00:18:34 ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And finally, researchers at Bitdefender have exposed a scam where individuals are offered money to like YouTube videos. The scheme begins with a message luring users with payment for engaging with YouTube content. Participants are asked to provide personal details and prove their work by liking videos and posting screen grabs on a Telegram channel. Initially, a small payment is made to the victim to build trust. The scam escalates as victims are encouraged to join a VIP group for a fee, promising higher earnings. Once paid, the scammers cut communication and block the victim.
Starting point is 00:19:47 These deceptive practices are also promoted through Facebook groups under the guise of remote work opportunities. Bitdefender's investigation reveals that this isn't a new tactic, but the small initial payment is a novel twist to engender trust. Users are cautioned against such too-good-to-be-true offers and advised to secure their accounts, report scams, and educate others about these fraudulent practices. Turns out, liking YouTube videos can lead to an unlikable bank balance
Starting point is 00:20:19 and can be a real thumbs down for your wallet. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. CyberWire listeners, as we near the end of the year, it's the perfect time to reflect on your company's achievements and set new goals to boost your brand across the industry next year. We'd love to help you achieve those goals. We've got some unique end-of-year opportunities complete with special incentives to launch 2024.
Starting point is 00:20:57 So tell your marketing team to reach out. Send us a message at sales at thecyberwire.com or visit our website so we can connect about building a program to meet your goals. We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators
Starting point is 00:21:25 in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
Starting point is 00:21:41 We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Ervin. Our mixer is Trey Hester with original music by Elliot Peltzman. Our executive producers are Jennifer Iben and Brandon Karp. Our executive editor is Peter Kilby and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:22:57 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com. That's ai.domo.com.
