CyberWire Daily - New phishing techniques. Arrests in the Genesis Market case. APT43’s Archipelago. Disinformation at the UN, and drop-shipping for Mother Russia.
Episode Date: April 6, 2023

New phishing techniques. Arrests in the Genesis Market case. APT43's Archipelago. Russia's turn in the Security Council chair immediately becomes an occasion for disinformation. Our guest is Nick Tausek from Swimlane to discuss supply chain attack trends. Tim Starks from the Washington Post has the latest on the DOJ's attempts to disrupt cyber crime. And, make robo-love, not robo-war: nuisance-level hacktivism in the interest of Ukraine.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/66

Selected reading.
New Phishing Campaign Exploits YouTube Attribution Links, Cloudflare Captcha (Vade Security)
Criminal Marketplace Disrupted in International Cyber Operation (U.S. Department of Justice)
Takedown of notorious hacker marketplace selling your identity to criminals | Europol (Europol)
Notorious criminal marketplace selling victim identities taken down in international operation (National Crime Agency)
Check your hack (Politie)
Carr Announces Investigation into Suspected Users of Genesis Dark Web Marketplace Following FBI Takedown of Illicit Site (Office of Attorney General of Georgia Chris Carr)
U.S., European Police Shut Down Hacker Marketplace, Make 119 Arrests (Wall Street Journal)
120 Arrested as Cybercrime Website Genesis Market Seized by FBI (SecurityWeek)
International cops put the squeeze on Genesis Market users (Register)
FBI obtained detailed database exposing 60,000 users of the cybercrime bazaar Genesis Market (CyberScoop)
Genesis Black Market Dismantled, But Experts Warn of Potential Vacuum (Nextgov.com)
How we're protecting users from government-backed attacks from North Korea (Google)
Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks (The Hacker News)
'Outrageous': Russia Accused of Spreading Disinformation at U.N. Event (New York Times)
Des hackers ont acheté 23.000 euros de sex-toys avec de l'argent russe [Hackers bought 23,000 euros' worth of sex toys with Russian money] (20 minutes)
Thanks to Ukrainian hackers, war freak orders £20,000 worth of drones for Russian soldiers, gets sex toys instead (First Post)
Ukrainian hackers exchange Russian fighter's drone order for dildos (New York Post)
'It's bullshit': Inside the weird, get-rich-quick world of dropshipping (WIRED)
Transcript
You're listening to the CyberWire Network, powered by N2K.
New phishing techniques, arrests in the Genesis Market case, APT43's Archipelago. Russia's turn in the Security Council chair immediately becomes an occasion for disinformation. Our guest is Nick Tausek from Swimlane to discuss supply chain attack trends. Tim Starks from the Washington Post has the latest on the DOJ's attempts to disrupt cybercrime. And make robo-love, not robo-war: the latest on nuisance-level hacktivism in the interest of Ukraine.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, April 6, 2023.

Vade today released a report detailing a newly identified phishing campaign that utilizes YouTube attribution links and a captcha in order to fly under the radar. The victims receive a fake email alerting them that their Microsoft 365 password has expired. In reality, the email comes from a hacker that utilizes display name spoofing in order to feign legitimacy. The email contains Microsoft's logo and branding and provides a button with a link for the user to keep their same password. The link redirects to a YouTube URL and later a page with a Cloudflare captcha. Once the captcha is completed, the user will be redirected to a phishing page that auto-populates the email address of the user and provides a space to enter a password. Both YouTube and Cloudflare are commonly whitelisted, so using these URLs allows for the bypassing of much security software as well as email gateways. Vade advises good cyber hygiene and cautiousness around emails that ask for account access or credentials.
Europol yesterday reported that Tuesday's seizure of the Genesis Market was a combined operation involving 17 countries. 119 people were arrested, 208 properties were searched, and a reported 97 knock-and-talk measures took place. This combined effort was spearheaded by the U.S. FBI and the Dutch National Police. The DOJ yesterday disclosed that law enforcement had seized 11 domain names that were in support of the Genesis Market infrastructure.

A formerly little-noted cybercrime group, APT43, was described by Mandiant in a report last week. The threat actor was also shown to have ties to the Democratic People's Republic of Korea. Mandiant explains that after five years of tracking the activities of APT43, they can attribute the group to the DPRK because their collection priorities align with the mission of the Reconnaissance General Bureau, North Korea's main foreign intelligence service. Mandiant also highlights how APT43 acquires and launders stolen cryptocurrency to fund its own espionage operations. This differs from other DPRK cyber threat actors who seem to funnel cryptocurrency to fund the DPRK government as a whole.

Google released a follow-up report on the 5th of April which focused on that subset of APT43's activities Google calls Archipelago. Google notes that it observed the group target individuals with expertise in North Korea policy issues, such as sanctions, human rights, and non-proliferation issues. Google goes on to expose how Archipelago conducts its phishing and various malware operations, explaining, "Archipelago invests time and effort to build rapport with targets, often corresponding with them by email over several days or weeks before finally sending a malicious link or file." Google also notes, "For several years, Archipelago focused on conducting traditional credential phishing campaigns. More recently, TAG has observed Archipelago incorporate malware into more of their operations. To protect their malware from AV scanning, Archipelago commonly password protects their malware and shares the password with recipients in a phishing email."
It's Russia's turn to chair the United Nations Security Council, and it used its first week in that role to convene a meeting to share its own view of the widespread abduction of Ukrainian children. It featured a video presentation by the director of Russia's Child Protection Agency, Maria Lvova-Belova, presently wanted by the International Criminal Court for war crimes involving the kidnapped children. Ms. Lvova-Belova said she welcomed the opportunity to dispel the fakes and show the opposite side. She added that Russia did not recognize the jurisdiction of the International Criminal Court and claimed that Russia's custody of the children was protective and that Moscow stands ready to help reunite the children with their families. Criticism of Russian policy, she said, amounted to lies designed to slander Russia. The New York Times quotes her as saying, "We have no doubt that this is a campaign to discredit our country and attempts to conceal their irresponsible actions about children." Several Western members of the council walked out on the presentation, returning once it was over to denounce Russian disinformation. It seems likely that Russia's month in the chair will be devoted to more such tendentious propaganda, and putting a wanted alleged war criminal out there as your spokeswoman shows a lot of brass, not in a good way either.

And finally, in a rare filing from our Teledildonics desk, we hear that the Ukrainian hacktivist group Cyber Resistance took control of an AliExpress account organized by the Russian blogger Mikhail Lukin to solicit donations for Russian forces. Numerama reports that the hacktivists then used the pirated account to spend about 23,000 euros on erotic novelties. InformNapalm explained the move, stating, "The hacktivists of Cyber Resistance punished Z-volunteer Mikhail Lukin. They hacked his email and charged $25,000 worth of adult toys to his card, which is linked to AliExpress. He planned to spend the money to buy drones for the Russian army." The hacktivists themselves bragged in their own Telegram channel, posting, "Instead of drones, Misha will now have truckloads of other things useful to every Russian to the occupiers, which we ordered and paid for with his card on AliExpress." The original is clear on what the hacktivists invoiced for Mr. Lukin's card, but we're a family show, so we've redacted that part. But really, folks, AliExpress is Alibaba's e-commerce service, and apparently the hacktivist universe is like middle school. Alas, First Post says that Mr. Lukin attempted to return the items, but found that all sales were final, although some other sources say Mr. Lukin did get some money back. Apparently, he's stuck with a truckload of saucy marital aids, which he'll now just have to deliver to the front. In any case, he counter-boasted to the Cyber Resistance that he'll just resell them to Russians who want to buy such novelties, and that he'll do so at a 300% profit, all going to raise more money for Russia's cause. We hate to rain on Mr. Lukin's parade, but we have it on good authority that such reselling schemes no longer work very well, whatever the dropship gurus may have told him on TikTok. In any case, he must have a lot of inventory. We hesitate to even speculate how many romantic appliances 23,000 euros will fetch nowadays, but we're betting that it's what financial experts would call a lot. A whole lot.
Coming up after the break, Nick Tausek from Swimlane discusses supply chain attack trends. Tim Starks from The Washington Post has the latest on the DOJ's attempts to disrupt cybercrime.
Stay with us.
The U.S. federal government has taken a leading role in the reduction of supply chain attacks through the efforts of CISA and other supporting agencies. Despite the effort, reports indicate that supply chain attacks are on the rise. For more on this, I spoke with Nick Tausek, lead security automation architect at security firm Swimlane.
As an industry, supply chain attacks have been increasing steadily. I shouldn't say steadily, I should say exponentially, actually, year over year. This has been an increasing problem in scope and severity. In 2021, it was something over 600% year over year increase in supply chain attacks against the open source community. And then last year in 2022, that number jumped up to like 750% year over year increase in open source supply chain attacks. So a lot of these attacks are going after a pretty broad swath of the industry, right? It's not just the federal government, but the feds are a pretty huge attack surface with a lot of resources devoted to trying to keep them safe and a lot of really juicy targets for all kinds of malicious actors who might be interested in breaking into a system. So I guess the short answer to that is that the supply chain attack problem is not going away. It's increasing exponentially, and the federal government remains a primary target for actors who are using this rapidly increasing attack vector to perform their malicious activities.
And what have we seen so far in terms of the federal government's response to this?
What sort of defenses and protections have they put in place?
So as far as the federal government's responses are concerned, we've seen a lot in the last couple of years from the Biden administration, which has been really refreshing. It differs from previous iterations of this document that we've seen from every administration prior in two ways. One of which is that it authorizes U.S. defense, intelligence, and law enforcement agencies to go more on the offensive against malicious actors to attempt to disrupt their activities, retaliate for cyber attacks, and prevent cyber attacks. And it also includes more ample reporting requirements for industries and cybersecurity events inside the United States. For a long time, many of us in the industry have been asking for greater transparency and greater sharing of information to try to raise the tide for all organizations who are facing cybersecurity threats. But this is really a concrete step with these reporting requirements to make sure that organizations are actually sharing what information they can safely with a greater intelligence community to help kind of shore up everybody's defenses at once. And that's a really important message in the age of supply chain attacks because, as we saw with SolarWinds, for example, one compromised vendor can cause an enormous problem for the federal government, cause untold amounts of damages, and frankly make themselves almost inextricable from networks once they've gained a really strong foothold. It can take millions or potentially even billions of dollars to extract bad actors from some of these federal agencies once they've gotten a really deep toehold in.
What are some of your insights when it comes to this?
What are some of the things that you and your colleagues there at Swimlane would recommend
to government agencies in terms of getting on top of this?
So there's a few things. Supply chain attacks are notoriously difficult to prevent because you don't control the entire supply chain. The best you can do is engage with vendors you trust, make sure that they're following security controls like SOC 2 compliance, make sure that they're regularly audited to make sure that their cybersecurity posture is as good as it can be. But with supply chain attacks, and especially supply chain attacks against the open source community, these can have really huge ripple effects when compromises do occur to a code base. So what we recommend is leveraging security automation to allow you to respond more quickly when events do occur. This can be from the worst case scenario, where an actual vendor is compromised and your environment has been breached and you need to shut down large swaths of your network or quarantine critical resources or disable a large number of compromised user accounts at once. This could also be something like: a supply chain attack does occur against a vendor, and you do the documentation to decide whether or not you're affected by monitoring your critical assets and patching your critical assets. All of these actions can really be greatly assisted in speed and accuracy by security automation. So that's probably the primary thing I would say as far as being able to rapidly respond when a supply chain event does occur. And that doesn't necessarily have to be a SOAR platform. Of course, Swimlane is a SOAR vendor, so that's what we sell. But this can be homebrew automation as well. A lot of organizations have been incredibly successful with developing homebrew automation solutions. These high-code approaches tend to be very hands-on, take a lot of time and developer expertise, but they can be really, really critically fit into your environment to make sure that you have exactly what you need for your organization. So there's a whole different conversation about what kind of products you could get into, but I think the most effective line to go into to mitigate supply chain attacks when they do occur is in the automation arena.
Does the U.S. government, with their massive purchasing power,
is this an opportunity for them to really take a leadership role
in kind of setting the standard for what's expected with supply chains?
Absolutely. The government, like you said, has an enormous amount of purchasing power and thereby an enormous amount of influence on the entire cybersecurity market as a whole. Besides being aggressive leaders in best cybersecurity practices, they should also continue to exert pressure on cybersecurity vendors to increase their own security postures. The open source community is a little bit trickier because anybody can contribute to it, and a lot of this work is done pretty pro bono. But when you're dealing with vendors, making sure that they're compliant with the latest security standards, their auditing procedures, and making sure that they're regularly validating their code base to make sure that they're not the victims of open source supply chain attacks that may have occurred.
That's Nick Tausek from Swimlane.
And joining me once again is Tim Starks.
He is the author of the Cybersecurity 202 at the Washington Post.
Tim, always great to welcome you back.
Yeah, thanks.
So I want to touch with you today on, first of all, Operation Cookie Monster,
which I have to say, as a lifelong Muppets fan,
really grabbed my attention and my affection in their naming.
But beyond my interest in it, interesting move here from the FBI in terms of takedowns.
Yeah, I also, like you, am fascinated by the naming conventions of some of these things.
I remember once writing an article about how they named military operations.
Yeah, this is another big takedown in just the last several weeks of these kinds of underground cyber criminal marketplaces.
Genesis was specializing in access brokerage, being able to give people usernames, passwords,
other ways to log into accounts that they'd stolen. And this was another really, really big market that they've taken down. In today's Cybersecurity 202 at The Post, you have an
interview with Lisa Monaco, who's Deputy Attorney General.
Take us through that interview.
I was at the Aspen Verify conference last week and had requested a chance to speak with her.
And it looked like we were going to arrange it.
And then something happened at the Justice Department that was kind of big.
Some ex-president, some guy got arrested or something.
I think I've heard of that.
Yeah.
So we had to delay things until today.
And we had a nice chat.
I thought she gave a few newsy nuggets there.
It wasn't just a generalized perspective,
but she also did talk about philosophy.
And because of the news of Genesis Market,
that's where we started things,
she had talked about this as exemplifying a twist or evolution in the way they've been doing disruptive
operations. There's the traditional, of course, law enforcement arrest kind of operations that
we're used to in cyber or at least indictments and charges filed, but sometimes not arrested.
In this case,
they didn't just arrest people. They did arrest people. They also arrested people in the United States. They seized domains. They shut down the website. They shut down the entire marketplace,
essentially. And the reason she said this was a variant was because of that access broker part.
If you look at some of the other markets they've taken down, they've been things like people selling packets of information, things like just credit card numbers or raw data on
people. This was a little different in that sense. And then we had a broader talk about how they do
these disruptions and what they mean. I had been wondering for a while, how do they decide when to
do this kind of operation as opposed to doing something else? Colleagues, Ellen Nakashima and another reporter, reported they had held on to some information about
what was going on with Kaseya and had not sent out the decryption keys that they had access to
right away. And that made me wonder, when do they decide to do these kinds of things versus when
they don't? And what she said is there's no hard and fast rule. It is a thing where she has let
everybody know in the department, be looking for opportunities to do this.
Yeah, I thought that was interesting, the focus on the opportunism of looking for disruption.
I thought it was an interesting insight.
You also touched on TikTok and the Restrict Act, which is certainly controversial in many ways.
I have to say that the answer she gave you on the Restrict Act was a little non-satisfying to me.
How did you feel about it?
Yeah, I mean, backing up just slightly to what you said before the question.
Yeah.
One of the things that seems to have really triggered this, let's be opportunistic, is ransomware. and the harm that it's caused to the United States over the years.
And they've seen to make some progress on that.
People have praised the law enforcement operations that are focused on disruption.
But as we put in the newsletter a couple weeks ago, or actually just last week, people aren't entirely sure that's going to be a lasting change.
So we'll see how that goes.
The answer was interesting to me in this way.
There are these First Amendment concerns about whether if the United States were to ban TikTok,
whether that would be a violation of the First Amendment.
It's a platform that people use to communicate.
And the civil libertarians, Senator Rand Paul, so, you know, he certainly would consider himself a civil libertarian, but we're talking about, in some cases, a range of ideological perspectives because he is more conservative than your traditional, what we think of as a civil libertarian.
What was slightly interesting about that answer was she thinks that the Restrict Act puts them on stronger legal footing if there is any action taken.
This is a case where the people who are doing the review of TikTok,
the Committee on the Foreign Investment of the United States,
is extremely secretive.
They always meet behind closed doors.
Getting a little bit of information about what they're doing is always a lot for them.
I had asked her several questions about TikTok,
and that was the only one she even came close to answering.
So yeah, I hear you on unsatisfying. I think everybody is getting impatient. And by everybody, I mean TikTok,
I mean probably other people in the federal government, I think probably Capitol Hill.
This negotiation has been going on for years now. When are we going to get a resolution for this?
And I sense your frustration and I share it a little bit just as a reporter. I would really like to know what's going to happen here.
Yeah, yeah.
I suppose, I mean, not satisfying but also not surprising that it would be kind of a beige answer.
Yeah, the other questions I asked her were maybe a little bit more specific and maybe that's why she didn't answer them.
I was really being careful.
I had seen her talk about TikTok at the conference I just mentioned,
so I knew what she wasn't going to want to talk about,
but I tried to phrase things in a way that I thought
would just be innocuous enough that she would answer them
or that they would be not making her touch on the specifics of the case.
But she was pretty consistent on staying on that line of thinking.
And like you said, unsurprising. I understand why, but it's also, I wish they were talking
more about this. I wish we knew more about what was happening. Right, right. Well, I highly suggest
that our listeners check out the interview with Lisa Monaco from the Department of Justice. Again,
that's over on the Cybersecurity 202, which is authored by
Tim Starks. Tim, thanks so much for joining us.
Produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.