CyberWire Daily - Pay the ransom or risk data carnage.

Episode Date: February 28, 2025

Qilin ransomware gang claims responsibility for attack against Lee Enterprises. Thai police arrest suspected hacker behind more than 90 data leaks. JavaGhost uses compromised AWS environments to launch phishing campaigns. Lotus Blossom cyberespionage campaigns target Southeast Asia. Malware abuses Microsoft dev tunnels for C2 communication. Protecting the food supply. Today's guest is Keith Mularski, Chief Global Ambassador at Qintel and former FBI Special Agent, discussing crypto being the target of the cyber underground. And an interview with Iron Man?

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today we share Dave's conversation with Keith Mularski, Chief Global Ambassador at Qintel and former FBI Special Agent, discussing crypto being the target of the cyber underground.

Selected Reading
Ransomware Group Takes Credit for Lee Enterprises Attack (SecurityWeek)
Hacker Behind Over 90 Data Leaks Arrested in Thailand (SecurityWeek)
JavaGhost's Persistent Phishing Attacks From the Cloud (Unit 42)
Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools (Cisco Talos)
Njrat Campaign Using Microsoft Dev Tunnels (SANS Internet Storm Center)
New Pass-the-Cookie Attack Bypass Microsoft 365 & YouTube MFA Logins (Cyber Security News)
How pass the cookie attacks can bypass your MFA (Longwall Security)
Farm and Food Cybersecurity Act reintroduced to protect food supply chain from cyber threats (Industrial Cyber)

Share your feedback
We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show?
You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network powered by N2K. Cyber threats are evolving every second and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:00:39 Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. Qilin ransomware gang claims responsibility for attack against Lee Enterprises. Thai police arrest suspected hacker behind more than 90 data leaks. JavaGhost uses compromised AWS environments to launch phishing campaigns. Lotus Blossom cyber-espionage campaigns target Southeast Asia. Malware abuses Microsoft Dev Tunnels for C2 communication. Protecting the food supply. Today's guest is Keith Mularski, Chief Global Ambassador at Qintel and former
Starting point is 00:01:29 FBI Special Agent, discussing crypto being the target of the cyber underground. And an interview with Iron Man? Today is Friday, February 28, 2023. I'm Maria Varmazis, host of T-Minus Space Daily, in for Dave Bittner. And this is your CyberWire Intel Briefing. The Qilin ransomware group yesterday claimed responsibility for an attack against Iowa-based newspaper publisher Lee Enterprises, reports SecurityWeek. The group claims to have stolen around 350 gigabytes of data, including investor records, financial arrangements that raise questions, payments to journalists and publishers, funding for tailored news stories, and approaches to obtaining insider information. Qilin is threatening to
Starting point is 00:02:36 publish the data on March 5th unless the company pays the ransom. Lee Enterprises, which publishes more than 350 newspapers across 25 U.S. states, sustained a cyberattack on February 3, which disrupted at least 75 of its publications. The company has avoided using the term ransomware, but it did mention in an SEC filing that the attackers encrypted critical applications and exfiltrated certain files. SecurityWeek reports that police in Thailand have arrested a 39-year-old Singaporean man suspected of involvement in over 90 data leaks. Group-IB, which assisted in the joint operation between the Royal Thai Police and the Singapore
Starting point is 00:03:17 Police Force, said in a press release that the arrested individual was one of the most active cybercriminals in Asia Pacific since 2021, targeting companies and businesses in Thailand, Singapore, Malaysia, Indonesia, India, and many more. The security firm added that the main goal of his attacks was to exfiltrate the compromised databases containing personal data and to demand payment for not disclosing it to the public. If the victim refused to pay, he did not announce the leaks on dark web forums. Instead, he notified the media or personal data protection regulators
Starting point is 00:03:49 with the aim of inflicting greater reputational and financial damage on his victims. Later, he also exerted pressure on his victims by sending direct customer notifications via email or via instant messengers to force them into submission. Palo Alto Networks' Unit 42 warns that the JavaGhost threat actor is compromising misconfigured AWS environments and using them to launch phishing campaigns. The group gains entry to the AWS environments via exposed long-term access keys. And once they've gained access, the attackers use the victim's Amazon Simple Email Service, or SES, and WorkMail services to send out phishing emails.
Starting point is 00:04:30 Since the emails are sent from a legitimate source, they're more likely to bypass security filters. And to defend against these attacks, Unit 42 recommends that AWS users limit access to administrative rights, rotate IAM credentials regularly, use short-term or just-in-time access tokens, and enable multi-factor authentication. Cisco Talos is tracking multiple cyber espionage campaigns by the Lotus Blossom threat actor, targeting government, manufacturing, telecommunications, and media entities in Vietnam, Taiwan, Hong Kong, and the Philippines.
Starting point is 00:05:03 The researchers note that the operation appears to have achieved significant success. The campaigns involve the Sagerunex remote access tool, which is exclusively used by Lotus Blossom. The Sagerunex backdoor abuses legitimate cloud services such as Dropbox, Twitter, or NowEx, and Zimbra for its C2 communication. Talos does not attribute Lotus Blossom to any particular nation-state, but Microsoft has previously linked the group to China. In a new twist, cybercriminals are exploiting Microsoft's Dev Tunnels service
Starting point is 00:05:35 to send data back and forth from malware-infected devices. This service, designed for developers to test apps and collaborate securely, is now being abused to help malware avoid detection. Recently, researchers found two versions of Njrat malware using Microsoft's Dev Tunnels to connect to command and control servers. The malware communicates through hidden URLs, making it harder for traditional security systems to spot.
Starting point is 00:06:01 The malware checks in with its remote servers, reporting its status, and then can even spread through USB devices. Experts say that organizations that are not using Dev Tunnels should keep an eye on DNS logs for any unusual Dev Tunnels URLs as a way to spot potential attacks early. According to Longwall Security,
Starting point is 00:06:19 cybercriminals are using pass-the-cookie attacks to bypass multi-factor authentication. Instead of stealing passwords, attackers target session cookies, which allow them to hijack active sessions without triggering MFA. Infostealer malware like LummaC2 is often used to extract authentication cookies from victims' browsers. Once stolen, these cookies let attackers impersonate users and access accounts. These stolen cookies are even being traded
Starting point is 00:06:46 on dark web marketplaces, making it easier for cybercriminals to access accounts undetected. Longwall Security recommends shortening session expiration times, monitoring login behavior, and educating users on phishing to defend against this rising threat. As attackers evolve, organizations must strengthen their security to stay ahead. Cyber threats to agriculture are no longer hypothetical. The Farm and Food Cybersecurity
Starting point is 00:07:12 Act, reintroduced in Congress, aims to secure the U.S. food supply chain from digital attacks. With bipartisan support, the bill mandates the USDA to conduct biennial cybersecurity assessments and coordinate crisis response exercises with Homeland Security and intelligence agencies. Recent attacks like the 2021 JBS ransomware incident highlight the growing risks to precision agriculture and food production. A new Food and Ag Sector Cyber Threat Report found that 90% of cyber attacks exploit readily available tools and 83% of them involve spear-phishing. With backing from key industry groups, this legislation pushes for stronger public-private
Starting point is 00:07:55 collaboration. The message is clear: food security is national security, and cyber resilience must be a priority. Coming up next, we've got Dave Bittner's conversation with Qintel Chief Global Ambassador and former FBI Special Agent Keith Mularski, discussing crypto being the target of the cyber underground, and an interview with a superhero, courtesy of N2K producer Liz Stokes. We'll be right back. We've all been there. You realize your business needs to hire someone yesterday.
Starting point is 00:08:47 How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed's Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results so the right candidates see it first. And it works. Sponsored jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K Cyberwire. Many of my colleagues here came to us through Indeed.
Starting point is 00:09:27 Plus, with sponsored jobs there are no subscriptions, no long-term contracts, you only pay for results. How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed. And listeners to this show will get a $75 sponsored job credit to get your job's more visibility at Indeed.com slash Cyberwire. Just go to Indeed.com slash Cyberwire right now and support our show by saying you heard about Indeed on this podcast
Starting point is 00:10:07 Indeed.com slash CyberWire. Terms and conditions apply. Hiring? Indeed is all you need. Cyber threats are more sophisticated than ever. Passwords? They're outdated and can be cracked in a minute. Cybercriminals are intercepting SMS codes and bypassing authentication apps. While businesses invest in network security, they often overlook the front door, the login. Yubico believes the future is passwordless. YubiKeys offer unparalleled protection against phishing for individuals, SMBs, and enterprises. They deliver a fast, frictionless experience that users love. Yubico is offering N2K followers a limited buy one, get one offer. Visit yubico.com slash N2K to unlock this deal. That's Y-U-B-I-C-O. Say no to modern cyber threats.
Starting point is 00:11:09 Upgrade your security today. Today's guest is Keith Mularski, Qintel Chief Global Ambassador and former FBI Special Agent. Here's his discussion with Dave Bittner. So today we are talking about some of the threats that are targeting crypto and the cyber underground. I would love to get your perspective, both from your position at Qintel and of course your background with the FBI, what led us to this place where we are today when it comes to crypto being a continuing, ongoing hot target for folks in the underground here? Yeah, a great question, Dave. So I think crypto, when it first started, was kind of just this ancillary thing on the side. A lot of people at that time didn't think much of it when you think, you know, almost
Starting point is 00:12:11 20 years ago that this started. And now crypto has really gone mainstream. And the value of crypto has just gone through the roof, you know, the last seven years or so, we have the President of the United States saying he's going to be the first crypto president. He issued a couple of tokens himself. So crypto has gone really from something in the cyber underground to really now very mainstream where you have mainstream investors. People are investing in crypto like they would
Starting point is 00:12:47 in their regular brokerage accounts. And as a result of that, there is just tremendous money with little regulations around it. So the bad guys are really targeting it right now. Well, share some insights. I mean, again, your background in law enforcement, what is the difference between trying to track someone down who is using the traditional financial systems versus someone who's taking advantage of
Starting point is 00:13:12 everything available to them these days in crypto? Yeah, I mean, you know, I think crypto, because of it being anonymous, makes it much more difficult to track than some of the other mainstream types of ways of money laundering that we've seen forever. Because a lot of places don't have a know your customer, really knowing who's behind the transaction. So from a law enforcement standpoint, it really makes it much more difficult to track that even though really all of the transactions are public on the blockchain that you could see that. But what the criminals are doing really are using exchanges to be able to cash out into different coins. So you could take Bitcoin
Starting point is 00:13:59 or Ethereum and really instantly change that into another coin such as like Monero or something else that may be a little bit more difficult to track. So you know, in these conversions really just go at, they're instantaneous. They go in real time and it makes it much more difficult to track that as the criminals are using what they call different crypto mixers in order to launder money on the dark web. Is it fair to say that cryptocurrency has really been an amplifier, an enabler for folks who are doing things like ransomware? Oh, absolutely. I don't think ransomware would be where it's at without cryptocurrency because it would be much more difficult to launder $5 million in ransom than it would be through cryptocurrency.
Starting point is 00:14:53 So I think cryptocurrency really enabled ransomware to be as big as where it is right now. And cryptocurrency has really, just in the news the last couple of days, with North Korea, it's really empowered North Korea, where North Korea over the last couple of years have been targeting crypto exchangers. Just last week, they hit crypto exchangers for 1.4 billion. Last year, I know of two big exchanges that North Korea hit. I think one was for like 300 million, another was for like $235 million. So North Korea is using cryptocurrency as a way to fund their regime
Starting point is 00:15:38 because of all the sanctions that are out there. So it really, crypto is enabling a lot of nefarious activity, being able to find a lot of nefarious activity. Is it surprising to you that we haven't seen more regulation and more of a crackdown from governments around the world? I think it's just been difficult on how to do that. And I think we need to get there because, you know,
Starting point is 00:16:04 it is one thing when we're seeing cybercriminals use crypto for ransom payments or you see North Korea hacking. One of the things that we're really seeing out there right now is the targeting of individuals with some of the crypto stealers that are out there. So there are a number of stealer malwares out there. They've been around for a long time. Really, these last few years, we're seeing the emergence of credential-stealing malware specifically targeting crypto and personal crypto.
Starting point is 00:16:40 So, you know, these stealers are evading AV. There are about 30 or 40 different variants that are active at any time. They're targeting Mac and mobile, and they will go in, will target like the Apple keychain, any password, browser extension that you may have. They know what directories to go into as well. And so we're really seeing the cyber criminals go after individuals. And like just I had a personal
Starting point is 00:17:14 experience in the last couple of months where a friend of mine had significantly large sum of crypto stolen from him literally in minutes. And it was most likely probably from one of these stealing malwares that was out there. So I think as more and more mainstream people get into crypto and the criminals are targeting that, there's going to have to be regulation because there's just no protections around the normal consumer like you and I if we're going to be putting our money into crypto for legitimate investing purposes. Right. There's no FDIC insurance for crypto. Yeah. And it's just very tragic, because I know of a number of incidents
Starting point is 00:17:58 where people have lost large amounts of money, and there's just no recourse. With my brokerage account, if I see a significant large money out, I call my brokerage, chances are they make me whole or they're able to call back that money. Same with my bank account. If somebody steals my 24 word passphrase for my crypto and they wire out hundreds of thousands of dollars that I have in investments there, there's just no recourse. There's no way to get that money back. The exchangers aren't able to do that. And the criminals know that. And so they'll send that money again to one of those mixers.
Starting point is 00:18:36 They'll change it into different coins. And it's just very difficult to trace. And I just think that the normal consumer right now, this is a big threat to them, and especially going forward as crypto becomes more legitimate in mainstream investing. When you think about your friend who lost all of that money, does it lead you to any recommendations for folks to better protect themselves?
Starting point is 00:19:03 Yeah, I mean, there's really only three ways to protect your crypto. I mean, you can store it at an exchanger, which we see North Korean targeting, but you wanna have a reliable exchanger. You can store it on your USB, or you can use it in cold storage, have a cold storage service that's out there. None of
Starting point is 00:19:26 them are 100% fail safe, unfortunately. You know, we've seen exchangers go bankrupt. You know, the malware that's going after the USB, you know, it will recognize if you put the USB in or even in cold storage. You know, so there just needs to be some regulation around that. And I think that there will have to be, or just people won't put their money in there. The normal consumer won't put their money in there if they're losing it. Yeah, I mean, it's an interesting insight.
Starting point is 00:20:01 I mean, if the folks who want cryptocurrency to grow as an acceptable money exchange system, part of that is having consumers feel like they can trust it. And that seems to me to be a missing piece these days. Yeah, that's the biggest piece. And I think we need to move that. And if the administration is talking a lot about cryptocurrency
Starting point is 00:20:25 that may be something that we see here in the coming years. That was Dave Bittner speaking with Keith Mularski of Qintel. Up next, N2K's own Liz Stokes talking to Iron Man. Yep, stay tuned. Do you know the status of your compliance controls right now? Like right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Starting point is 00:21:38 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. Last week, some of our team hit the ground in Orlando for ThreatLocker Zero Trust World 2025, where we brought Hacking Humans live to the stage, but we didn't stop there. Our very own producer, Liz Stokes, took to the floor to capture the buzz, chatting with attendees about the event, and even scoring a conversation with a certain superhero that you just might recognize. She's joined by Colin Ellis, Senior Solutions Engineer at ThreatLocker,
Starting point is 00:22:28 to dive into what made this year's event one to remember. ["Solidarity"] My name is Colin Ellis. I'm a Senior Solutions Engineer for the ThreatLocker team. So what has this event been like for you guys setting up everything? It's a real team exercise and we prove it right every single time. It speaks a lot to just how we operate internally, just our culture.
Starting point is 00:22:52 I know a lot of people here just trying to educate the population and understand a little bit more about cybersecurity. So how does ThreatLocker help with that? We can teach the hack. We can teach how simple these things become. Awareness is just really easy at that point. Everyone knows it's possible, so the security side of it becomes really simple. I'd be remiss if I didn't bring up the fact that Iron Man was standing right next to us. Why is he here? What's going on?
Starting point is 00:23:16 So everyone really likes our logo, the lock and key, our CTO, Michael Jenkins. The biggest Marvel nerd I have ever met. The trademark that you'll see under a lot of our marketing branding is the fact that we're cyber heroes. So it's only right that the center of what we do brings in a little bit of Iron Man. What is, one, your favorite Marvel movie, and two, have you seen any hacking in any Marvel movies that you're like, oh my gosh, this is either so realistic or oh my gosh, that's so not how it works. Anytime Jarvis takes over any type of technology, that's it. I'm one of the biggest Spider-Man fans I could think of,
Starting point is 00:23:52 so I'm always going to default to Tobey Maguire's Spider-Man. If you want to catch more of Liz's interviews from ThreatLocker Zero Trust World 2025, just head on over to our YouTube page, where we'll be posting all of the conversations that she had on the floor. And while you're there, don't miss our Hacking Humans live event, or tune in wherever you get your podcasts. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And don't forget to tune in to Research Saturday, where Dave Bittner sits down with Phil Stokes,
Starting point is 00:24:47 a threat researcher at SentinelOne's SentinelLabs, as they discuss the research "macOS FlexibleFerret: Further Variants of DPRK Malware Family Unearthed." That's Research Saturday, check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
Starting point is 00:25:08 If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode was produced by Liz Stokes.
Starting point is 00:25:40 Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Maria Varmazis, in for Dave Bittner. Thanks for listening. We'll see you next week. And now, a message from our sponsor Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security.
Starting point is 00:26:45 Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation. And detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI.
Starting point is 00:27:21 Learn more at zscaler.com slash security.
