CyberWire Daily - The cybercriminal labor market and the campaigns it’s supporting. Russia’s Killnet is running DDoS attacks against US hospitals, but Russia says, hey, it’s the real victim here.
Episode Date: January 31, 2023

Some perspective on the cybercriminal labor market. DocuSign is impersonated in a credential-harvesting campaign. Social engineering pursues financial advisors. Killnet is active against the US healthcare sector. Mr. Security Answer Person John Pescatore has thoughts on cryptocurrency. Ben Yelin and I debate the limits of section 230. And, hey, who's the real victim in cyberspace? A hint: probably not you, Mr. Putin.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/20

Selected reading.
Perspectives on the cybercriminal labor market. (CyberWire)
IT specialists search and recruitment on the dark web (Securelist)
Cybercrime job ads on the dark web pay up to $20k per month (BleepingComputer)
Report on hackers' salaries shows poor wages for developers (Register)
Cybercrime groups offer six-figure salaries, bonuses, paid time off to attract talent on dark web (CyberScoop)
Application security risks. (CyberWire)
Survey gives insight into new app security challenges (Cisco AppDynamics)
DocuSign impersonated in credential phishing attack. (CyberWire)
Breaking the Impersonation: Armorblox Stops DocuSign Attack (Armorblox)
"Pig butchering" and financial advisor impersonation scams. (CyberWire)
No Blocking, No Issue: The Curious Ecosystem of Financial Advisor Impersonation Scams (DomainTools)
Ukraine at D+341: Killnet hits US hospitals. (CyberWire)
HC3 TLP Clear Analyst Note: Pro-Russian Hacktivist Group Threat to HPH Sector (American Hospital Association)
HHS, AHA Warn of Surge in Russian DDoS Attacks on Hospitals (Gov Info Security)
Russian hackers allegedly take down Duke University Hospital's website (Carolina Journal)
The Evolution of DDoS: Return of the Hacktivist (FS-ISAC)
Russia becomes target of West's coordinated aggression in cyberspace — MFA (TASS)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Some perspective on the cybercriminal labor market.
DocuSign is impersonated in a credential harvesting campaign.
Social engineering pursues financial advisors.
Killnet is active against the U.S. healthcare sector.
Mr. Security Answer Person John Pescatore has thoughts on cryptocurrency.
Ben Yelin and I debate the limits of Section 230.
And hey, who's the real victim in cyberspace?
Here's a hint. It's probably not Mr. Putin.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, January 31st, 2023.
So imagine you're a lowlife looking for a career in the go-go world of cybercrime.
Not that you are, or of course that
you would be, but pretend for a minute that you were. Where are you going to go? Where are the
want ads? A study by Kaspersky describes the criminal labor market. Think of it as like
Indeed or Monster.com for the cybercriminal class. Kaspersky analyzed long-term and full-time job listings on 155 dark web forums from January
2020 through June 2022. They found a high density of posted ads in March of 2020, suspected to be
so because of the pandemic and the changing nature of the labor markets. Hackers and APT groups are found to be the key employers,
often looking for developers who comprise 61% of the total job listings. The highest salary
shown for a developer was listed as $20,000 a month, though the median pay for the listings
averaged between $1,300 and $4,000 a month for most IT professionals, with the highest pay going to reverse engineer
positions. That's the careerist stuff. The money mules and the others who do the grunt work for
the bosses, that's more like the gig economy. But steer clear of the underworld, friends.
Stay in school and stay out of trouble. And if you're in the U.S., well, NSA is hiring,
and they like to bring you in young.
Why is that?
Well, for one thing, you're easier to clear before you've acquired the crust of bad judgment and erratic behavior
your elders are all schlepping around with them.
Cisco AppDynamics has published a report
looking at the increase in application security risks
over the past several years.
A survey they conducted found that 89% of technologists report
that their organization has experienced an expansion in its attack surface over the last two years,
and 46% state that this is already presenting increasing challenges.
Most respondents believe the main reason for this increase is the rapid adoption
of IoT devices, migration to the cloud, and the dramatic increase in hybrid workplaces as remote
work became more normal during the pandemic. Additionally, 92% of respondents admit that the
rush to rapidly innovate and respond to the changing needs of customers and users during
the pandemic has come at the expense of robust application security during software development.
So make haste, innovators, but do it with deliberate speed and not in a mad rush.
Cybersecurity firm Armorblox this morning detailed a new phishing campaign in which the
hackers purport to be from DocuSign in an attempt to
harvest credentials. The campaign begins with an email appearing to originate from DocuSign,
with the subject line reading, Please DocuSign. Approved. Document 2023-01-11.
The phishing email's sender name simply reads DocuSign, although neither the sender's email address
nor its domain shows any connection with the legitimate DocuSign service. That mismatch, by the way, is one of the typical
signs that betray a phishing attempt. The phish requests the review and signature of a document.
If clicked, the View Completed Document button redirects to a malicious web page.
The page appears to be a Proofpoint login screen,
though in actuality, if you were incautious enough to enter them, your login credentials would
be harvested. The language in the subject line of the email instills a sense of urgency in the
victim. Both DocuSign's and Proofpoint's legitimacy are being leveraged by the attackers to instill trust in those targeted. The accurate
emulation of a DocuSign workflow also increases trust and the likelihood of successful interactions
for the hackers, and the urgency of the request is intended to cloud your mind enough to swallow
the bait. Researchers at DomainTools describe another instance of the fraud technique known as pig butchering,
in which a threat actor poses, in this case, as a financial advisor in order to build trust with a victim.
Eventually, the scammer convinces the victim to invest in a phony cryptocurrency or other fraudulent venture.
The researchers outline one of these scam campaigns based in West Africa that's targeted several hundred financial advisors.
The attackers use LinkedIn and other professional networking services to research and contact their targets.
They also advertise their services on TikTok, Instagram, and other social media platforms.
The scammers set up professional-looking websites, which are often modified versions of
legitimate financial advisor pages. They use bulletproof hosting providers so their sites
won't be taken down during the course of these lengthy scams. The attackers use live chat widgets
on the sites to talk to their victims, then move the conversation to email or WhatsApp.
They generally try to avoid talking to the victim over the phone,
probably because the imposture is more obvious
when there's a voice on the other end of the line.
At least 14 U.S. medical centers,
among them Duke University Hospital in North Carolina,
Stanford Health Care and Cedars-Sinai in California,
and the University of Pittsburgh Medical Center and
Philadelphia's Jefferson Health in Pennsylvania, were hit by distributed denial-of-service
attacks yesterday, according to the Carolina Journal. The incidents are being attributed
to the Russian cyber-auxiliary Killnet. The American Hospital Association warned its members
yesterday that the hacktivist group Killnet has targeted the
U.S. healthcare industry in the past and is actively targeting the health and public health
sector. The group is known to launch DDoS attacks and operates multiple public channels aimed at
recruitment and garnering attention from these attacks. This week's DDoS attacks seem to have
been quickly contained and mitigated, which has normally been the case with earlier Killnet actions.
An alert issued by the U.S. Department of Health and Human Services
Health Sector Cybersecurity Coordination Center assessed the implications of the threat,
stating KillNet has been using publicly available DDoS scripts and IP stressors for most of its operations.
These tools have been on offer for some time in the criminal-to-criminal underground markets.
Law enforcement organizations have been able to take down some of those services
and indict some of the operators, but HC3 cautions that the threat's far from over,
stating, despite this success, it remains unknown if and
how this law enforcement action might impact Killnet, which turned its DDoS-for-hire service
into a hacktivist operation earlier this year. Furthermore, it is likely that pro-Russian
ransomware groups or operators, such as those from the defunct Conti group, will heed Killnet's call and provide
support. This likely will result in entities Killnet targeted also being hit with ransomware
or DDoS attacks as a means of extortion, a tactic several ransomware groups have used.
And finally, we hear a lot about the virtual mayhem Russian criminals and intelligence services work around the world.
We just went over some of Killnet's works.
In fairness, there's another side to the story.
It's not a very plausible side, but it is another side.
TASS presents a very different picture of the cyber phases of Russia's hybrid war.
Russia's deputy foreign minister says that the real victim
is Russia, that what the Kremlin has taken to calling the collective West is behind it,
that Ukraine has lost its independence, which presumably Russia's aggressive war is out to
restore, and has become nothing more than a jumping-off point for cyber and other attacks that the collective West is running against a beleaguered Russia.
That's one way of looking at it.
Coming up after the break, Mr. Security Answer Person John Pescatore
has thoughts on cryptocurrency,
and Ben Yelin and I debate the limits of Section 230.
Stick around.
Hi, I'm John Pescatore, Mr. Security Answer Person.
Our question for today's episode,
I'm about to insert myself into trying to explain to two different management levels
the recent news about cryptocurrencies collapsing.
The CEO is asking because they are looking at a possible innovative use of blockchain
to demonstrate fair trade in our supply chain.
The CEO also wants to be prepared if the board asks about our exposure
to something like the recent bankruptcy of the FTX exchange.
Can you give me a starting point?
Timely question, given all the news photos of the FTX CEO doing the perp walk down in the Bahamas.
I'll suggest some words for you eventually, but let me go deep for a bit before I do.
First off, I never used the term cryptocurrency.
I'll generally say virtual currency, with air quotes around currency.
Others use digital currency, as you'll find in the Oxford language definition of cryptocurrency
that you'll get if you ask Google for a definition.
A digital currency in which transactions are verified and records maintained by a decentralized system using cryptography, rather than by a centralized authority.
The reason I don't use the term cryptocurrency is that I have a big problem with that simplistic using cryptography
part of the definition. If you ask Oxford language to define cryptography, it comes back with
the art of writing or solving codes. Yuck. If you look at the NIST glossary, you'll find
cryptography defined as the discipline that embodies the principles, means, and methods
for the transformation of data in order to hide their
semantic content, prevent their unauthorized use, or prevent their undetected modification.
Notice the Oxford definition called cryptography an art, while NIST said it takes discipline,
principles, means, and methods. Would you really want to base the liquidity of your business
on transactions that trust a Cap'n Crunch cereal box decoder ring approach for codes?
One last point.
Here's the actual example that Oxford Language uses for cryptocurrencies.
Decentralized cryptocurrencies such as Bitcoin now provide an outlet for personal wealth that is beyond restriction and confiscation.
Personal wealth that is beyond restriction and confiscation is not what CXOs and boards of directors should be spending investor
resources on. I'm having so much fun with definitions. Let me throw in two more important
ones. First, ledger. A ledger is a book or database in which double-entry accounting transactions are stored and summarized.
This ledger is the central repository of information needed to construct the financial
statements of an organization. It is also a key source of information for auditors.
And finally, a definition for blockchain. Blockchain is a distributed digital ledger
of transactions digitally signed using verified cryptography that are grouped into blocks.
Each block is cryptographically linked to the previous one, making it tamper-evident after validation and undergoing a consensus decision.
Okay, thanks for bearing with me. I think you get the idea.
Based on all that, here's a paragraph for you to use with management.
Blockchain technology using verified cryptography is a very effective and efficient means of delivering trustable records of business transactions.
Virtual currencies can, but don't always, use blockchain technologies to attempt to enable new payment systems. Virtual currencies also rarely have any actual backing to establish or maintain value
of a unit of their currency, and they rarely result in a cost per transaction that is meaningfully
lower than traditional payment systems. The major attraction to so-called cryptocurrencies
has been by individuals and groups interested in evading legal government visibility into their transactions.
Let's hope your CEO or board decides they are not in the business of evading legitimate
government visibility.
Thanks for listening.
I'm John Pescatore, Mr. Security Answer Person.
Mr. Security Answer Person with John Pescatore
airs the last Tuesday of each month
right here on the Cyber Wire.
Send in your questions for Mr. Security Answer Person
to questions at thecyberwire.com.
And joining me once again is Ben Yelin.
He is from the University of Maryland Center for Health and Homeland Security, and also my co-host over on the Caveat podcast.
Hello, Ben.
Hello, Dave.
Interesting article from the folks over at the Daily Dot.
This is written by Jacob Seitz, and it's titled, Tech Experts Ask Supreme Court to Rule
That Section 230 Protections Apply to Algorithmic Recommendations.
What's going on here, Ben?
So they wrote this amicus brief, friend of the court brief, for a Supreme Court case
that's going to be heard sometime in the fall of 2023. And who's they? This is from a group called
the Center for Democracy and Technology, and that is a tech advocacy nonprofit. And six other tech
experts joined their amicus brief in this case. So the case is called Gonzalez v. Google,
and it comes from the family of a woman who was killed in the 2015 Paris terrorist attacks.
The family in that case is arguing that through recommended videos on YouTube,
and Google is the parent company of YouTube, which is why they're the named defendant in this
case, users were being shown ISIS recruitment videos, and therefore the company
is partially responsible for the death of their daughter. Now, with our current understanding of
Section 230 of the Communications Decency Act, companies are shielded from liability based on
the content that is posted on their platform, and therefore this suit should be dismissed.
What the plaintiffs are arguing here is that Section 230 should not cover
what they refer to as recommended content.
So based on the videos we watch on YouTube,
they recommend videos according to their algorithms,
generally things that are similar to the interest that we've expressed
through our searching of their video databases.
Right.
So this group is writing to argue that Section 230,
the shield of liability should be extended even to recommended videos.
They say that the court should rule in Google's favor
for the disposition of this case.
And they lay out a couple of reasons.
One is that the case is treating Google as a publisher and not a provider.
So I'm quoting here from the brief. At issue in Gonzalez is whether Section 230 shields Google from liability for allegedly recommending ISIS content posted on YouTube to other users.
Petitioners in this case argue that Section 230, which shields intermediaries from liability for publishing third-party content,
applies only to claims based on the display of content, not the recommendation of content.
But that distinction is unworkable. If liability is based on recommendations versus targeted recommendations,
then crucial tools for content moderation might become legally discouraged.
Companies would have to shut down some of the algorithms they use
to generate recommended content for users,
which would not only hurt the user experience,
but might cause them to over-regulate and try and knock out certain categories of perhaps politically protected speech from ever appearing on lists of recommended content.
And that could be an overbroad inhibition on First Amendment rights.
So I think this could potentially be a persuasive amicus brief for Supreme Court justices.
It remains to be seen whether justices will agree with them that there is kind of this false distinction between recommended content and just standard content, original content that's posted on these platforms.
Can I play the other side here real quick?
Absolutely.
Give us the devil's advocate's perspective.
Well, I'm just trying to imagine the difference.
And these are always imperfect, but I'm imagining if I'm someone who posts or supplies a bulletin
board for people to post their information on versus I'm the editor of a newspaper
who decides what goes on the editorial page
and what you will see.
With one of them, I have no real control or interest
or influence on what gets pinned to that bulletin board.
But in the other, I'm making the decision
as to what rises to the top,
what gets put in front of you first and foremost. Seems to
me like that's what these recommendation algorithms are doing. They're making these decisions. Now,
in this case, it's for engagement, right? They want to sell you more. They want to keep you there
and sell you more ads. But do you think that argument holds any water?
Problem is, in the example that you're citing, you have one
instance where the platform is exercising no editorial control. That's the bulletin board.
Right. And a situation where the platform is exercising full editorial control. That would
be the newspaper. Yeah. We're kind of in an in-between area here because there's no human
being who's saying, let's sit around a table and think about
what people want to watch in their YouTube videos and have a conscious conversation weighing the
plus and minuses and see what type of Muppets video we're going to recommend next for Dave
Bittner. That's a conversation that's just not happening. It's all being done via algorithm.
But humans wrote the algorithm.
Humans wrote the algorithm, sure.
But humans are not playing sort of the same hand
that they are in your hypothetical.
Okay.
Because they're not exerting
the full extent of editorial control.
Yeah.
It's certainly a valid argument.
I don't think there's a right answer
one way or another.
But I don't think that metaphor is perfect simply because of the involvement of
this automated system where recommended content is generated without human eyeballs, except as,
you know, it relates to the algorithm being created in the first place.
I guess that what I'm trying to imagine is, could we see a future where
in order for a platform like YouTube to enjoy the immunity they do through Section 230,
they would have to eliminate algorithmic recommendations. In other words, host the
videos, make them searchable, but don't put your thumb on the scale.
So that's, I think,
what these platforms are trying to avoid
is a situation where
because of the threat of liability,
they're not able to have recommended content.
Right.
I think there are people
with very good faith policy reasons
for coming down one way or another on this issue.
But I think the industry is frankly freaked out
because recommended content is the engine of growth.
Right.
People go to YouTube and stay on YouTube
because of recommended videos.
Believe me, there are a lot of things
that I would have never searched myself
that I ended up learning a lot about
because of these algorithms.
Right.
So it would be a major hit to their business model.
Right.
So I'm not accusing the Center for Democracy and Technology here
of writing this amicus brief
for parochial reasons to protect the industry.
I'm just saying that, obviously,
the industry's interests here are extremely large, to say the least.
I guess I'm saying, in my mind, perhaps it doesn't have to be all or nothing.
That they could still enjoy some 230 protection, but give a little also.
And maybe not have wheelbarrows full of money rolling in.
Right?
Yeah.
Not that there's anything wrong with that.
I mean, you know, you provide a good service for people and they enjoy it.
There's nothing wrong with getting paid for that.
But I think, I don't know, I guess a lot of people, there's a strong case to be made that
algorithmic recommendations are a bit out of whack.
I think they are out of whack.
I mean, if I were to take off my legal hat and just look at this as what are the societal effects of algorithms, I think they're pretty destructive.
Yeah.
And this is something we've talked about on this podcast and on our caveat podcast before, but I've seen it happen just with acquaintances in my own life.
They're interested in video games.
So they start searching YouTube videos of people playing video games.
And then a lot of other people who were interested in these same video games also have dabbled in white supremacy and the Proud Boys.
And so the algorithm directs them to those types of videos,
which can be dangerous and it's bad for all of us.
But I think the argument here is twofold.
One is that the user experience on these sites would never be the same
if companies were forced to limit recommendations because of Section 230 liabilities.
It would significantly hurt the user experience.
And if there was some sort of middle ground,
it would be really hard to distinguish between original content and recommendations. There's just, there's kind of practical difficulties in getting that to work
and which types of recommendations would be shielded with Section 230 and which would not.
Based on how the algorithm was structured, et cetera, that's just a problem that would be
pretty unworkable and I think not something that the Supreme Court would want to supervise in any meaningful way. Yeah. So that's
those are kind of the parameters here. Okay. All right. Well, Ben Yelin, thanks for joining us.
Thank you.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is a
production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester
with original music by Elliott Peltzman. The show was written by John Petrick.
Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.