CyberWire Daily - Notes on the underworld: emerging, enduring, and vanishing gangs, and their C2C markets. More spearphishing of Ukrainian targets. US CYBERCOM releases IOCs obtained from Ukrainian networks.
Episode Date: July 21, 2022

A criminal talent broker emerges. Developing threats to financial institutions. Phishing through PayPal. Lessons to be learned from LAPSUS$, post-flameout. More spearphishing of Ukrainian targets. US Cyber Command releases IOCs obtained from Ukrainian networks. Johannes Ullrich from SANS on the value of keeping technology simple. Our guests are Carla Plummer and Akilah Tunsill from the organization Black Girls in Cyber. And not really honor, but honor's self-interested first cousin.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/139

Selected reading.
Atlas Intelligence Group (A.I.G) – The Wrath of a Titan (Cyberint)
'AIG' Threat Group Launches With Unique Business Model (Dark Reading)
Buy, Sell, Steal, EvilNum Targets Cryptocurrency, Forex, Commodities (Proofpoint)
Sending Phishing Emails From PayPal (Avanan)
Brazen, Unsophisticated and Illogical: Understanding the LAPSUS$ Extortion Group (Tenable)
Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities (Mandiant)
Cyber National Mission Force discloses IOCs from Ukrainian networks (U.S. Cyber Command)
The Evolution of Cybercrime: Why the Dark Web is Supercharging the Threat Landscape and How to Fight Back (HP Wolf Security)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k.
A criminal talent broker emerges,
developing threats to financial institutions,
phishing through PayPal,
lessons to be learned from LAPSUS$, post-flameout,
more spearphishing of Ukrainian targets,
U.S. Cyber Command releases IOCs obtained from Ukrainian networks,
Johannes Ullrich from SANS on the value of keeping technology simple,
our guests are Carla Plummer and Akilah Tunsill from the organization Black Girls in Cyber.
And not really honor, but honor's self-interested first cousin.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, July 21st, 2022.
Cyberint reports the emergence of a new criminal threat group, the Atlas Intelligence Group, also known as the Atlantis Cyber Army. Atlas is unusual in its business model: recruitment of cyber mercenaries to do specific jobs for campaigns known only to the administrators. The group has been operating and growing since May of this year, advertising in Telegram markets and its own dedicated Telegram accounts. Their customers access their services in an e-commerce store hosted on the Sellix platform. A guy who goes by the hacker name Mr. Eagle and presents himself as the group's leader lists Atlas Intelligence Group's services: exclusive data leaks, distributed denial of service, campaigns for hire, RDP attacks, and initial access. The group suggests in its advertising that it has connections with corrupt law enforcement personnel in Europe, but such claims, of course, are difficult to verify. Cyberint says most of their databases for sale are government-related, while access to RDP clients and web shells that are being sold mostly belong to organizations from the finance, education, and manufacturing industries.

The permanent staff includes Mr. Eagle and perhaps four admins. They're engaged fundamentally in outsourcing, acting as recruiters and brokers for the talent that actually delivers the illicit services: rogue pen testers, social engineering specialists, and malware developers. They keep their crews compartmentalized; the actual workers know only about the specific capers they've been hired to pull off. Cyberint gives the gang credit for maturity and sophistication. While this may be true in operational terms, as far as self-presentation goes, the diction is the crude, strutting, subliterate stuff one expects from the underworld. The Atlas Intelligence Group has been seen to target countries around the world, including the U.S., Pakistan, Israel, Colombia, and the United Arab Emirates. Cyberint doesn't say who buys from Atlas. Calling them mercenaries suggests that their clientele may be states, but then criminal gangs bring in hired guns as well.

And one final note on naming. Atlas Intelligence Group is referred to in some reports as AIG. They are not to be confused with the large and legitimate insurance and financial services company, American International Group, the real AIG.
Proofpoint today released a study of the TA4563 threat group and the EvilNum malware it's deployed against financial institutions, mostly in Europe. The group is particularly interested in financial institutions that deal with foreign exchange, cryptocurrency, and decentralized finance. EvilNum itself is a backdoor that, once in place, can be used either for data theft or for staging further malware. Proofpoint concludes, "EvilNum malware and the TA4563 group pose a risk to financial organizations. Based on Proofpoint analysis, their malware is under active development. Although Proofpoint did not observe follow-on payloads deployed in identified campaigns, third-party reporting indicates EvilNum malware may be leveraged to distribute additional malware, including tools available via the Golden Chickens malware-as-a-service. TA4563 has adjusted their attempts to compromise the victims using various methods of delivery. Whilst Proofpoint observed this activity and provided detection updates to thwart this activity, it should be noted that a persistent adversary will continue to adjust their posture in their compromise attempts."
Avanan this morning reported that criminals have been seen using a PayPal account to distribute phishing emails. Avanan says, "Starting in June 2022, our researchers have seen hackers use PayPal to send malicious invoices and request payments. The hackers send the email from PayPal's domain using a free PayPal account that they have signed up for, with the email body spoofing brands like Norton." The approach is similar to one seen earlier this summer, in which criminals used QuickBooks to send phishing emails. The tactic is attractive because most allow lists view QuickBooks domains as legitimate and pass the email right through. Avanan researchers call the practice of attackers using websites that appear on static allow lists to get into the victim's inbox "the static expressway." This same tactic is being used again with PayPal, where criminals have sent out fake invoices that rely on the legitimacy of PayPal to reach inboxes. Reportedly, the attack works because of what is known on the dark web as a "double spear." They induce the victim to call a number and pay the invoice, which gives the attackers not only your email but your phone number, and all too often your money as well.
The LAPSUS$ group, which blazed like a skyrocket last year with its gaudy, wild, and opportunistic data theft and doxing extortion scams, has now effectively fizzled out. Some of its script kiddie leaders have received police attention, and the group no longer seems to be a player in the underworld. Tenable has published a look at the LAPSUS$ record with a view to seeing what can be learned from the group's career. LAPSUS$ was motivated equally, it seems, by cash and cachet. Specifically, three characteristics can be discerned in the group's history: lower-maturity tactics and behaviors, priority for clout and notoriety, and a primary focus on monetary goals. The group's career followed the sort of arc one might expect. It began with DDoS and website vandalism, then moved up to data theft. Tenable sums up the group's life like this: "Characterized by erratic behavior and outlandish demands that cannot be met (at one point the group even accused a target of hacking back), the LAPSUS$ group's tenure at the forefront of the cybersecurity news cycle was chaotic. It's hard to say how much money the LAPSUS$ group has earned from its enterprise, but it cannot be denied that the group gained notoriety, for better or worse. Three months since the peak of LAPSUS$ attacks and arrests, the group remains largely inactive." And we hope the script kiddies have been scared straight, no more to break their mothers' hearts.
Late yesterday, Mandiant released a report on spearphishing campaigns in progress against Ukrainian targets. Two groups, one Russian, the other Belarusian, have been recently active. The Russian-aligned actor UNC2589 uses evacuation-themed emails as its phishbait, as well as notes about wages and compensation. Mandiant notes uncertainty about UNC2589's provenance, let alone its exact place in Moscow's organization charts. The Belarusian group, UNC1151, believed to provide technical support for Ghostwriter, uses a proffer of advice on how to shelter while under artillery fire as its phishbait. So the lures in this case trade more on fear than anything else. Evacuation and sheltering in place under shellfire are very high in Ukrainian minds.

Staying with some news related to Russia's war against Ukraine, U.S. Cyber Command's Cyber National Mission Force has released a large set of indicators of compromise, 20 in all, obtained from Ukrainian networks. The IOCs are interesting and useful in themselves, but the release also indicates how closely U.S. Cyber Command is working with its counterparts in the Security Service of Ukraine. The announcement from Fort Meade reads, in part, "Our Ukrainian partners are actively sharing malicious activity they find with us to bolster collective cybersecurity, just as we are sharing with them. We continue to have a strong partnership in cybersecurity between our two nations."
HP Wolf Security released a report today detailing the evolution of cybercrime. The story it tells is one of commodification and of the maturation of the C2C markets in general. Stolen credentials can be had, the researchers say in the screamer that opens their press release, for the price of a gallon of gas. The security firm's threat team worked together with Forensic Pathways to investigate the dark web for three months and analyzed over 35 million criminal marketplace and forum posts. It was found that malware is cheap and accessible: over three-quarters of malware advertised and 91% of exploits are priced at under $10, with average remote desktop protocol credentials going for $5. Vendors have been found to sell products in bundles, such as plug-and-play malware kits, tutorials, mentoring services, and the like, which reduce the barrier to entry for inexperienced coders and hackers. The researchers also found that there is a utilitarian sense of honor among cybercriminals, noting that trust and reputation are valued in the cybercriminal underworld: 77% of observed marketplaces require a vendor bond, 85% use escrow payments, and 92% have a third-party dispute resolution service. Cybercrime has also increasingly taken place on popular software, with threat actors using gaps and vulnerabilities in software such as the Windows OS, Microsoft Office, content management systems, and web and mail servers. So egoism and altruism can have indistinguishable results, by which the authors of the Federalist Papers wouldn't have been surprised.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
The nonprofit organization Black Girls in Cyber was founded in 2020
with the goal of increasing industry
awareness and diversity in cybersecurity, privacy, and STEM for women of color.
Joining us today to share more about their mission are Carla Plummer and Akilah Tunsill.
Carla Plummer is an information security engineer at Intel, and Akilah Tunsill is a security delivery
analyst at Accenture Federal Services.
Our conversation starts with Carla Plummer.
I think one of the biggest challenges, you know, from you look at the genesis of everything
is even knowing that it is a possibility, right? Right. And so past that challenge of when you look at a lot of colleges and departments of engineering,
there's not very many women to begin with.
And then there's not very many women of color from that perspective.
So that is one of the major challenges. Second major challenge is being able to
translate some of your skills that may not necessarily be cyber IT specific.
How do you go about translating the skills that you do have that can be an asset to the industry,
to, you know, hiring manager or team to show that you can provide value, you know? And so that's
one of the bigger challenges there. Akilah, I'm particularly interested in what Carla says about
that awareness issue. I mean, what, can you sort of give us some
insights when you're out there spreading the word about this? What's the reaction like for the young
women that you're speaking to or the folks who are looking to change their career path? Is it a
bit eye-opening for them that these options are out there? Yes, absolutely. I think so. There's thought that, you know, cybersecurity
or anything technology is sort of just out of your reach because you have that notion that this is too difficult to even understand, or, you know, you have to have,
you know, a ton of experience and a ton of knowledge that you just never heard of. So,
you know, learning a new language and trying to, I guess, connect that to real life situations. Like how can I
have a career in this? You know, um, I think that's the kind of consensus because we're just
not exposed to it. So, I mean, you only understand what you, what you know, what you've been exposed to, right? So I think that the stigma
behind encouraging young women, especially young women of color, and in general, I don't think that
technology has been, it's just becoming, you know, I guess, mainstream in the sense that we think about traditional careers,
paths, and so forth. Like people from my generation, like, you know, I'm from the 80s,
you know, I was born in the 80s. So, you know, we only thought about being a teacher, a doctor,
lawyer, or something like that, right? You weren't really thinking about technology as a career path. Like,
what do you do in that? And because it's so vague, I think that there's lots of different ways to
interpret what is cyber, like what kind of career is that? There's just so many different things you
can do in the field that it kind of makes it hard to grasp, what can I do
in this field? I think one of the challenges, sorry not to cut you off, but just to piggyback
on something that Akilah said, is a lot of people believe that every role within cyber is uber
technical, right? Everyone, even now, you know, I try to explain to my mom or my family what I do,
and they're like, oh, you're a hacker. No, that's not what I do exactly. And so, you know,
what society portrays versus what the message we're trying to spread, sometimes it is contradictory
because like Akilah said, you only
know what you know. And if you're getting most of your information from the mainstream media and not
diving yourself into the industry, really, that you don't really get to understand that, yeah,
there are a lot of technical roles, sure, but there are also so many non-technical roles that play a part in developing a cyber strategy as a whole.
And what exactly does your outreach look like?
How are you out there spreading the word about this?
So we do lots of, we're on every social media platform.
So Facebook, Instagram, Twitter, LinkedIn.
And that comes through most of our marketing campaign.
Our events team holds, I can't even count how many number events, they do lots of day in the
life series so that to give people an understanding and a little insight into different careers
and things like that. Those events are generally open to the public, free to
join the Zoom webinar to ask questions and things of that nature. So that is mostly how we spread.
From there, you know, we have our fellowship, which Akilah and I serve as the co-directors
over the cybersecurity curriculum. We offer volunteer, you know, other people,
even if you're not a cybersecurity professional, but want to volunteer to help us out and learn
from that perspective. Those opportunities are out there and available. Don't get stuck on
the title of a position and things like that. Just continue to move forward and feel free to reach out to us.
I mean, we have lots of free resources that we can steer you toward to help you, help
you, you know, in your journey.
That's Carla Plummer and Akilah Tunsill from Black Girls in Cyber.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Johannes Ullrich.
He is the Dean of Research at the SANS Technology Institute
and also the host of the ISC StormCast podcast.
Johannes, it's always great to welcome you back.
You know, you and I, we both spend a little bit of time over on Twitter,
and something that I see happen a lot is that some innocent user
will post something about how they did this, that, or the other.
I don't know, they used a QR code or something like that. And in come all of the information
security professionals rolling their eyes and saying, oh, don't ever do that. Don't ever do
that. And then typically there's some back and forth that, you know, not everyone's security
situation is the same. Is there something to be said here for just sort of keeping things simple?
Yeah, keeping things simple.
Also, keep the user in mind and keep in mind what you're protecting.
Keep security reasonable with respect to what you're protecting.
I always tell this story from the guard in the dog park I used to go to.
And 70-something years old, makes $12 an hour.
And the apartment complex he lives in,
well, he used to pay by check,
as you're doing here in the US, his rent every month,
until the management company decided
he has to do a bank transfer now,
which he hasn't really done before.
So his solution to the problem was to give the manager
the username and password for his online banking account
so they can set it up for him.
Worked okay in this case.
You say, okay, it's terribly insecure, it is.
I don't recommend you do that, but actually in this case
it was in some ways better than getting evicted.
Right, right.
And I always see QR codes a little bit similar.
What's a threat that you're protecting the user from?
A QR code is a very simple way to get users to visit the correct website.
It works with mobile devices, which now is, for the most part, a default computing device
for a lot of people. These same devices have impossible-to-use keyboards, for the most part.
And the threat that it's often described is, hey, but you don't know where you are ending up.
So someone could be redirecting you to a malware site, to a phishing site, or what not else. Well,
what's the alternative?
A shortcode?
It doesn't really provide any kind of protection here as far as being redirected to a bad site.
Or even worse, let the user type a real long, weird URL on a mobile keyboard.
They're probably going to put a typo in there, and then you have typo-squatting domains.
So in many ways, by not using QR code, you may actually hurt the business purpose here,
but you're not really adding a lot of security.
I think there are a lot of things like this where some of the security establishment mafia is going overboard and trying to do things, trying to secure things that really, in the end,
you have to remember that the goal of security is to stay in business.
Well, also, I think it comes up pretty regularly,
practically a cliche, where you'll see some elderly person
has a notebook full of all of their passwords,
and they get criticized for that.
But it seems like a perfectly reasonable use case for me.
Chances are there aren't bands of people
trying to break into that person's apartment
on the lookout for password books, right?
Another example that I always use is like,
I have, what's it, a Z-Wave door lock.
And people always say, hey, that's terribly insecure.
I tell people, please, if you're pregnant in my house,
please hack my door lock because I'm living in an old historic house
and the top half of the door is actually an old window glass pane.
If you smash that with a brick and I need to replace it,
it's a lot more money than breaking or hacking the door lock.
So again, you know, I don't see a lot of burglars walking around with Bluetooth hacking kits. Usually I see them walking around with a
brick and not with... Right, right, right, right. Wearing a mask and a black and white striped shirt.
Yeah, I mean, I think, you know, one of the
take-homes for me is don't let the
perfect be the enemy of the good, right?
Yes, that's very important with security
and I see this getting so
often a way where someone says, hey, there's a
vulnerability and the security feature exit
can be bypassed. Does it take
more work to bypass than it takes to implement
a security feature?
All right, well, Johannes Ullrich, thanks for joining us.
Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Trey Hester, Brandon Karpf,
Eliana White, Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.
Thank you. Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps
tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.