CyberWire Daily - Mobilizing DDoS-as-a-service. Interpol takes down Black Axe gang members. Trends in phishing. Spyder Loader active in Hong Kong. Europol announces arrests in keyless car hacking case.
Episode Date: October 18, 2022

Mobilizing DDoS-as-a-service. Interpol takes down the Black Axe gang members. A look at phishing trends. Spyder Loader is active in Hong Kong. Joe Carrigan looks at Google's launch of passwordless authentication. Our guest is Dr. Eman El-Sheikh from University of West Florida's Center for Cybersecurity on NSA-funded National Cybersecurity Workforce Development Programs. And Europol announces arrests in a case of keyless car hacking.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/200

Selected reading.
Project DDOSIA Russia's answer to disBalancer (Radware)
Russian DDOSIA Project Pays Volunteers to Participate in DDOS Attacks on Western Companies (Gridinsoft Blogs)
International crackdown on West-African financial crime rings (Interpol)
Giant online scamming syndicate 'Black Axe' destroyed in Interpol-led operation (teiss)
INTERPOL-led Operation Takes Down 'Black Axe' Cyber Crime Organization (The Hacker News)
Operation Jackal: Interpol arrests Black Axe fraud suspects (Register)
When the Black Axe falls: cybercrime suspects detained in global bust (Cybernews)
International Police Action Blunts Black Axe Criminal Group - HS Today (Hstoday)
Q3 2022 Cofense Phishing Intelligence Trends Review (Cofense)
Spyder Loader: Malware Seen in Recent Campaign Targeting Organizations in Hong Kong (Symantec)
Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation (Cybereason)
31 arrested for stealing cars by hacking keyless tech | Europol (Europol)
European gang that sold car hacking tools to thieves arrested (The Record by Recorded Future)

Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Mobilizing DDoS as a service,
Interpol takes down the Black Axe gang members.
A look at phishing trends.
Spyder Loader is active in Hong Kong.
Joe Carrigan looks at Google's launch of passwordless authentication.
Our guest is Dr. Eman El-Sheikh from University of West Florida's Center for Cybersecurity
on NSA-funded National Cybersecurity Workforce Development Programs.
And Europol announced arrests in a case of keyless car hacking.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Tuesday, October 18th, 2022.
The Russian hacktivist group with the ungainly name NoName057(16) has been organizing DDoS attacks and website defacements against Ukraine and its Western supporters.
It pays operators between $315 and $1,255 for their services.
Radware described the operation late last week, stating, In July, threat group NoName057(16) quietly launched a crowdsourced botnet project named DDOSIA.
The project, similar to the pro-Ukrainian Liberator by Disbalancer
and the fully automated DDoS bot project by the IT Army of Ukraine,
leverages politically driven hacktivists willing to download and install
a bot on their computers to launch denial-of-service attacks. Project DDOSIA, however, raises the
stakes by providing financial incentives for the top contributors to successful denial-of-service
attacks. Researchers at Avast had earlier described the group's use of Bobik malware in its campaigns.
They divided a typical NoName057(16) attack into reconnaissance and execution phases,
stating,
The first step is looking for a target that supports Ukraine or a target with anti-Russian views.
The attackers analyze the structure of the target's website and identify pages that
can cause server overloading, especially requests requiring higher computing time, such as searching,
password resetting, logon, and so forth. The second step is filling in the XML template,
encrypting it, and deploying it to the C&C servers. The attackers monitor the condition of the target server
and modify the XML configuration based on needs to be more effective.
The configuration is changed approximately three times per day.
So, it's a simple formula.
Find a vulnerable target with anti-Russian views, hit the target, and repeat as necessary.
An Interpol-led operation has resulted in the arrests of 75 alleged members of the Africa-based Black Axe crime organization, the Register reports.
Two of the suspects arrested in South Africa are accused of stealing $1.8 million through online
scams. According to Interpol, codenamed Operation Jackal,
the joint law enforcement effort mobilized 14 countries across four continents in a targeted
strike against Black Axe and related West African organized crime groups. Black Axe wasn't just a
local gang, it was a criminal organization that had achieved a global reach. Interpol regards
the operation as a major strike against transnational cybercrime. The police agency
said in a statement, Operation Jackal marks the first time Interpol has coordinated a global
operation specifically against Black Axe, which is rapidly becoming a major security threat
worldwide. Black Axe and similar groups are responsible for the majority of the world's cyber-enabled financial fraud,
as well as many other serious crimes, according to evidence analyzed by Interpol's Financial Crime and Anti-Corruption Center and National Law Enforcement.
Interpol added, of many suspects, was on clear display at the scenes of their arrest. Various luxury assets
were seized, including a residential property, three cars, and tens of thousands in cash.
Black Axe has been a threat for several years. Harper's, in 2019, published an account of the
group's originally non-criminal origins in a Nigerian university and its evolution into a political movement
and then into a criminal gang with some of the coloration of a religious cult.
Cofense has released a report today detailing phishing intelligence trends in the third quarter of 2022.
Overall, it was found that malware delivery activity dropped in July with the disappearance of Emotet,
with the volume staying the same after July's drop. The top five malware types from quarter two were also the top
malware types for quarter three, with keyloggers and remote access trojans gaining traction in
this quarter. Loaders, keyloggers, information stealers, remote access trojans, and bankers were, in that order, the top five malware types,
with Emotet, Agent Tesla, Formbook, Remcos RAT, and QakBot taking prominence as the top malware families of each type.
Emotet vanished from the phishing landscape in July of this year, which had a major impact on the trends shown in the report.
The overall amount of phishing attacks for the quarter
was significantly lower in the absence of Emotet,
and the delivery mechanism and malware types used by Emotet
topped the rankings in the start of the quarter and diminished over time.
However, Emotet still outscaled all other malware delivery families
despite its short use this quarter.
It is possible, due to traffic
observed in October by Cofense, that Emotet may be back. QakBot was identified by Cofense as the
malware family to watch during the third quarter, and despite low overall volume, there were
developments and new tactics, techniques, and procedures. A new tactic of QakBot operators includes hard-coding payloads
into malicious HTML attachments instead of using embedded URLs or redirects.
Researchers at Symantec warn that the Operation CuckooBees campaign, first observed by Cybereason
in May 2022, now appears to be targeting government entities in Hong Kong with the
Spyder Loader malware. The researchers state, the victims observed in the activity seen by Symantec
were government organizations, with the attackers remaining active on some networks for more than a
year. We saw the Spyder Loader malware deployed on victim networks, indicating this activity is
likely part of that ongoing campaign.
While we did not see the ultimate payload in this campaign, based on the previous activity
seen alongside the Spyder Loader malware, it seems likely the ultimate goal of this activity
was intelligence collection. Symantec doesn't attribute the campaign to any particular threat
actor, but Cybereason tied the earlier
activity to the Chinese APT Winnti and saw the goal of the attacks as theft of intellectual property.
Symantec notes that the duration and focus of the campaign, which has persisted through several
versions of the malware employed, indicates a determined and persistent threat actor.
Europol has announced 31 arrests as the result of an operation against a gang exploiting keyless cars produced by two French manufacturers,
stating,
As a result of a coordinated action carried out on 10 October in the three countries involved,
31 suspects were arrested, a total of 22 locations were searched,
and over 1 million euros in criminal assets seized.
French authorities had the lead in the investigation
with cooperation from authorities in Latvia and Spain.
So how are they pulling it off?
The thieves used, according to Europol,
a fraudulent tool marketed as an automotive diagnostic solution,
which they employed to replace the vehicle's original software.
From there, just open the door and push to start.
The alleged crooks who were rounded up included software developers, software resellers,
and the actual goons on the ground who jacked the cars.
So, au gendarme, bravo, and to the hoods, what can we say?
Push to start, mes amis.
Coming up after the break, Joe Carrigan looks at Google's launch of passwordless authentication.
Our guest is Dr. Eman El-Sheikh
from the University of West Florida's Center for Cybersecurity
on NSA-funded national cybersecurity workforce development programs.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies
like Atlassian and Quora have continuous visibility
into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows like policies,
access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families
at home. Black Cloak's award-winning digital executive protection platform secures their
personal devices, home networks, and connected lives. Because when executives are compromised
at home, your company is at risk. In fact, over one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
The U.S. federal government has several active initiatives
to help narrow the cybersecurity talent gap,
including partnerships with colleges and universities.
Dr. Eman El-Sheikh is Associate Vice President
at the Center for Cybersecurity at the University of West Florida,
where she and her colleagues are leading participation
in NSA-funded national cybersecurity workforce development
programs. The idea kind of leverages the faculty expertise and the curricula that's available at
colleges and universities across the country that are designated as National Centers of Academic Excellence by the NSA and helps them create training and alternative
credentialing programs and pathways so that we can reach additional students beyond the academic
programs. If you think about it, we have right now, across the country, over 500,000 open cyber jobs, and that number is going up, not down.
And so if we continue to only focus on getting students into academic degree programs, we're never going to meet the demand. their expertise to create training, to create alternative credentials, to create certificate
programs, and more importantly, to reach diverse populations, transitioning military, veterans,
career changers, high schoolers, so that we can really expand the number of pipelines and pathways
into cybersecurity roles. Well, help me understand, give us an idea of the sorts of things that you and your
colleagues are doing there at University of West Florida.
So one of the things we're doing is leading a coalition of 10 colleges and universities
across the country in order to really kind of provide diverse training programs and pathways
across the country.
We have really, a number of years ago at UWF, taken the lead on developing workforce development programs and training pathways
with the idea that that's really the way that we're going to help our country meet this national workforce challenge.
And so what we're doing is developing kind of short course, short duration training pathways
that align with national best practices.
So for example, they focus on cybersecurity work roles that are defined by the NICE cybersecurity
framework so that we can identify specifically
what knowledge and skill competencies are needed for each work role, develop or adapt curricula to
specifically train for those knowledge and competencies, and then help provide those
in flexible formats to veterans, to transitioning military, to diverse populations,
to really kind of, you know, increase the workforce. Another thing that we, you know,
are doing is that, you know, focusing on providing digital credentials and badges so that those who,
let's say, if you're coming out of the military, you already have a degree, but your
degree may not be current, right? And so if we can provide a short course training program,
as well as the credentials and link them to jobs and employers, then they'll be well on their way
to a second career, a second tour of service, and to helping us meet that workforce crisis.
Well, so how does this compare to a traditional four-year degree or even a two-year associate's degree? That's a great
question, Dave. The idea is that we want to kind of focus on employability. And so it differs in
the sense that we bring in the best kind of various worlds, the two-year and four-year degree programs, as well as training programs offered, for example, by training providers, as well as employer needs and national best practices.
And we try to roll it into a program that is shorter in duration, so can typically be completed in three to six months.
In most cases, can also be completed online or hybrid or virtual. Also integrates employer needs
such as industry certifications, such as hands-on skills. We take a lot of effort into incorporating cyber range-based exercises and tabletop exercises
and hands-on activities so that the idea is to really give them kind of the boot camp version
of the training, the credentials, and the skills and competencies to get people prepared for and
into cyber jobs. I would imagine a program like this is also
quite attractive because you're not loading someone up with a lot of college debt. I mean,
it's a shorter program, so they're not going to have that expense.
Yes, absolutely. That's definitely a great benefit. And I should also point out that
thanks to the generous NSA grant, this program, Cyber Skills to Work, is able to fund 1, cyberskillstowork.org.
It serves as a one-stop shop. It allows them to take an optional aptitude assessment test
so that they can kind of get an idea of which cyber work roles may be a good fit for them.
It allows them to see what training pathways will be offered this year and next year.
It allows them to apply through a
common application to those training programs and then apply for scholarships to be fully funded.
And then also at the tail end, it allowed them to connect with employers and job opportunities. So
it definitely helps provide everything so that they just have to focus on committing the time
to learn.
But, you know, more importantly than that, another kind of, that's a great feature.
Another important feature is that it's very just in time or as needed as well, because what we're seeing is that, you know, the cyber threat landscape continuously evolves.
The threat actors are getting more sophisticated.
Attacks are getting more sophisticated. And the curricula in traditional colleges and universities is hard to keep up. There's an approval process, for example, for public universities to update their curricula or update their degree programs that takes a year at best, maybe even three to four years. But this program is designed to be more agile and flexible,
where we can connect with those employers and federal partners and really keep the curricula
relevant and up-to-date and dynamic so that what they're getting and what they're learning
is what is actually needed in jobs today and tomorrow.
That's Dr. Eman El-Sheikh from the University of West Florida.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute
and also my co-host over on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
Interesting story here.
I guess a bit of an update.
This is from the Hacker News,
and the article is titled,
Google rolling out passkey passwordless login support to Android and Chrome.
What's going on here, Joe?
So we talked about this on the CyberWire back in May, April?
Yeah, a few months ago.
A while ago.
Yeah.
And the FIDO Alliance has come out with this idea of passkeys,
which are essentially a public key cryptography.
You have a private key on your phone or on your device,
and the public key is stored in the cloud at whatever site you need to authenticate to.
And when it's time for you to authenticate, they show you something like in this thing,
it looks like a QR code.
You scan that with your phone.
Your phone then interprets the QR code and understands what it needs to do cryptographically.
It sends something to the service to say, here's a verification, and then the website can let you in.
I see.
So I'm not exactly sure how this works on the back end, but it's from the FIDO Alliance, so they've done a pretty good job of crypto.
Right, and it's backed by big names.
They say they got Google, Apple, and Microsoft on board.
So I would imagine there's been appropriate scrutiny.
Yeah, this is probably cryptographically sound.
I say probably, and to the layman, that means cryptographically sound.
But to people like Matt Green, that means I'll bet I could find something wrong with this.
But, you know, it's using the standard.
The big thing here, it's using standard cryptography.
But the big thing here is that this is just another nail in the coffin, the richly deserved and much anticipated and long overdue coffin of passwords.
Yeah.
And I'm very happy to see this being rolled out.
From a user's point of view, do you think this streamlines things?
I would think that it, that's a good question.
I don't know.
Here's my issue with this.
Sometimes when I'm sitting at my computer, my phone might be across the room, right?
Yeah.
Or in a different room, like on my desk where I came home and left it.
Right.
And now I'm
trying to, or my dresser, and now I'm trying to log in. I got to get up and go in there. Maybe.
I'm always willing to make those sacrifices for security. But I don't know that other people
will be. What happens if you lose your phone? Well, actually, this article says that your keys are kept,
in Google's implementation, your keys are kept encrypted in their cloud so you can get them back
so you can still authenticate. Right. And Google themselves can't decrypt them. Yeah, Google
themselves can't use them. So assuming that Google has done everything properly, then you're probably
well protected against losing your phone. And Google has done a good job of most of the security that they've implemented. I would like to remind
everyone, security is not the same as privacy. But security-wise, Google is very, very good.
Yeah. Yeah. So rolling this out, I mean, like you said, it'll be interesting to see
what kind of adoption we get from this.
Right.
As we said, we've got support from some big players here.
I will happily adopt it because it is a form of public key encryption.
Yeah.
Which is, you know, you have the private key, and if someone hacks,
let's say you're using this on some mail service,
and someone hacks that mail service and they get your public key.
That doesn't do anything.
Right.
It doesn't help a malicious actor at all take your account over.
They point out that this is cross-platform, which I think is great.
They make the point that an Android user could log in using a website,
using Safari on iOS or macOS or Chrome browser and Windows.
So it's universal access here.
It's a good thing.
Right.
You're just generating an image of a QR code
and showing it to the user
who then uses some application on the back end
to take a picture of that QR code
and verify that they have the private key,
which establishes identity essentially.
Right, right.
I wonder where we will see this first. I don't know, but I'll tell you what, I'll sign up for it because
I'm big on the private key, you know, public private key authentication. It's not, you know,
it's not, it's, this is what I like about this is it seems like it's a fairly transparent to the
user way of doing it. That's a very long hyphenated name of saying it's easy for the average user to do.
Right.
You know, if you think how I authenticate to any SSH server that I use for work,
I have to go to a command prompt and first off generate the key,
then probably and actually usually, in fact, always,
I put a password on that key and have to store
that password. So now I have to manage the password for the keys. Then I have to upload
the public key to the server that I'm going to authenticate to, which means I have to be
physically present to do that. Then, and only then, can I finally authenticate with public
key encryption. This is not like that. This is on your phone. You are going to establish the identity and there's an integrated way to do that.
And when it comes time to utilize
the authentication method,
your trusted platform module will handle the key.
Right.
And storage of that key is encrypted in Google's cloud.
Yeah.
I mean, it seems like, you know,
the combo of having both the physical possession
of the device, your mobile device, along with some sort of biometric verification, I suppose like on planet Apple, it'll be Face ID.
Face ID, which is remarkably good as a biometric.
Yeah, and Android has their own version of that.
They have the thumbprint as well, fingerprint.
Right, so those two things, pretty secure and also these days pretty fast.
Yes.
Yeah.
Yeah.
All right. Well, we will see. Time will tell. I'm curious. Let's agree to keep track and see where we see this first.
And I'll let you know when I use it, when I set it up.
All right.
I'll send you an email.
Fair enough. All right. Joe Carrigan, thanks for joining us.
My pleasure, Dave.
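The passkey login flow Joe describes in the segment above (private key on the phone, public key stored at the site, a per-login challenge the device signs, the key held by a trusted platform module) as an added example in Go. This is not code from the podcast, the FIDO Alliance, or Google's implementation; it is a simplified model in which the private key is a plain in-memory value rather than one held in a TPM behind a biometric, and the relying party name "mail.example", the user "dave", the lookalike origin "mai1.example", and the rpID-plus-challenge message layout are all constructed assumptions (WebAuthn signs structured authenticator data instead). It demonstrates the three properties discussed: a breach of the site yields only public keys, a captured assertion cannot be replayed, and an assertion bound to one origin is rejected by another.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device stands in for the phone's authenticator. Assumption: a real passkey keeps this
// private key in the TPM/secure element behind a biometric; here it is an in-memory value.
type Device struct{ priv ed25519.PrivateKey }

// Server stands in for the relying party (the site being logged into). It stores only
// public keys plus one outstanding challenge per user.
type Server struct {
	rpID       string                       // origin the passkey is bound to (assumed name)
	pubKeys    map[string]ed25519.PublicKey // user -> registered public key
	challenges map[string][]byte            // user -> one-time challenge awaiting an assertion
}

func NewServer(rpID string) *Server {
	return &Server{rpID: rpID, pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register generates the key pair: the private half stays on the device, the public
// half is all the server ever stores.
func Register(s *Server, user string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubKeys[user] = pub
	return &Device{priv: priv}, nil
}

// Challenge issues a fresh 32-byte nonce; this is what the QR code or browser prompt
// carries to the phone. Unknown users get no challenge, so Verify never sees one without a key.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// signedMessage binds the challenge to the origin, so an assertion made for one site is
// meaningless at another. (Assumed layout; WebAuthn uses structured authenticator data.)
func signedMessage(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"|"), challenge...)
}

// Assert is the device's answer: a signature with the private key. The browser, not the
// page, supplies rpID from the origin it is actually connected to.
func (d *Device) Assert(rpID string, challenge []byte) []byte {
	return ed25519.Sign(d.priv, signedMessage(rpID, challenge))
}

// Verify checks the assertion against the stored public key. The challenge is consumed
// whether or not the signature is valid, so a captured assertion cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	c, ok := s.challenges[user]
	if !ok {
		return false
	}
	delete(s.challenges, user)
	return ed25519.Verify(s.pubKeys[user], signedMessage(s.rpID, c), sig)
}

// Outcome records whether the server accepted the login in each scenario.
type Outcome struct{ Legit, Replayed, Forged, WrongOrigin bool }

// Demo walks through a normal login and three things an attacker might try. It panics
// only if the system random source fails.
func Demo() Outcome {
	srv := NewServer("mail.example") // constructed relying party name
	dev, err := Register(srv, "dave") // constructed user name
	if err != nil {
		panic(err)
	}
	challenge := func() []byte {
		c, err := srv.Challenge("dave")
		if err != nil {
			panic(err)
		}
		return c
	}
	var out Outcome

	// 1. Normal login: challenge, sign on the device, verify at the server.
	sig := dev.Assert(srv.rpID, challenge())
	out.Legit = srv.Verify("dave", sig)

	// 2. Replay: the same assertion submitted again fails because its challenge was consumed.
	out.Replayed = srv.Verify("dave", sig)

	// 3. Server breach: the attacker holds only the public key, so the best they can do is
	//    sign with some other key, which the stored public key does not match.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	out.Forged = srv.Verify("dave", ed25519.Sign(otherPriv, signedMessage(srv.rpID, challenge())))

	// 4. Wrong origin: a browser on a lookalike site makes the authenticator sign with that
	//    site's rpID, and the real site rejects the assertion.
	out.WrongOrigin = srv.Verify("dave", dev.Assert("mai1.example", challenge())) // constructed lookalike

	return out
}

func main() {
	fmt.Printf("%+v\n", Demo()) // {Legit:true Replayed:false Forged:false WrongOrigin:false}
}
```

Run it with `go run .`; only the first scenario is accepted. The design point is that the server's database holds nothing that lets anyone sign, and each challenge is both single-use and tied to the origin the browser reports, which is what makes this form of login resistant to credential theft and to the relay tricks that work against passwords and one-time codes.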
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Trey Hester, Brandon Karp, Eliana White,
Puru Prakash, Liz Ervin, Rachel Gelfand,
Tim Nodar, Joe Carrigan, Carol Terrio,
Maria Varmatsis, Ben Yellen, Nick Vilecki,
Gina Johnson, Bennett Moe, Catherine Murphy,
Janine Daly, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,