CyberWire Daily - The international effort making digital spaces safer.
Episode Date: December 2, 2024

A major cybercrime crackdown by Interpol nabs hundreds of suspects and millions in stolen funds. Zabbix has disclosed a critical SQL injection vulnerability. A novel phishing campaign exploits Microsoft Word’s file recovery feature. Researchers track the Rockstar 2FA phishing toolkit. Critical vulnerabilities are found in Advantech’s industrial wireless access points. North Korea’s Kimsuky hacking group shifts their tactics. The U.N. forms an advisory body to address growing threats to critical undersea cable infrastructure. The U.K. is laser-focused on AI security research. Russian authorities arrest the Wazawaka ransomware affiliate. Our guest is Marshall Heilman, CEO of DTEX Systems, sharing his experience with a nation-state actor's attempt to gain employment at his company. OpenAI opens the door for encrudification.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Our guest is Marshall Heilman, CEO of DTEX Systems, discussing how HR can spot fake IT workers and sharing their own experience with a nation-state actor's attempt to gain employment at his company. You can read DTEX Systems' findings here.
Selected Reading
Global Police Arrest 5500 in $400m Cyber-Fraud Crackdown (Infosecurity Magazine)
Critical Vulnerability Found in Zabbix Network Monitoring Tool (SecurityWeek)
Novel phishing campaign uses corrupted Word documents to evade security (Bleeping Computer)
"Rockstar 2FA" Phishing-as-a-Service Steals Microsoft 365 Credentials Via AiTM Attacks (Cyber Security News)
Warning: Patch Advantech Industrial Wireless Access Points (GovInfo Security)
North Korean Hacking Group Launches Undetected Malwareless URL Phishing Attacks (Cyber Security News)
UN, international orgs create advisory body for submarine cables after incidents (The Record)
U.K. launches AI security lab to combat nation-state cyber threats (SC Media)
Ransomware suspect Wazawaka reportedly arrested by Russia (SC World)
OpenAI explores advertising as it steps up revenue drive (Financial Times)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A major cybercrime crackdown by Interpol nabs hundreds of suspects and millions in stolen funds.
Zabbix has disclosed a critical SQL injection vulnerability.
A novel phishing campaign exploits Microsoft Word's file recovery feature.
Researchers track the Rockstar 2FA phishing toolkit.
Critical vulnerabilities are found in Advantech's industrial wireless
access points. North Korea's Kimsuky hacking group shifts their tactics. The UN forms an
advisory body to address growing threats to critical undersea cable infrastructure.
The UK is laser-focused on AI security research. Russian authorities arrest the
Wazawaka ransomware affiliate. Our guest is Marshall Heilman, CEO of DTEX Systems,
sharing his experience with a nation-state actor's attempt to gain employment at his company.
And OpenAI opens the door for encrudification.
It's Monday, December 2nd, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Good day and happy Monday to you all.
If you are here in the U.S., I hope you had a relaxing Thanksgiving break.
It's good to be back.
An international cybercrime crackdown led by Interpol targeted cyber-enabled fraud across 40 countries between July and November of this year.
Operation HAECHI V resulted in over 5,500 arrests and the seizure of $400 million in stolen funds,
encompassing virtual assets and government-backed currencies.
It focused on crimes such as voice phishing, romance scams, online sextortion,
investment fraud, illegal gambling, business email compromise, and e-commerce fraud. A notable
achievement occurred in East Asia, where South Korean and Chinese authorities dismantled a voice
phishing network linked to $1.1 billion in losses. The scammers, impersonating police,
victimized over 1,900 individuals, leading to 27 arrests. In another high-profile case,
Singaporean police intercepted $39.3 million of a $42.3 million sum stolen through business
email compromise. Seven suspects were apprehended and $2.6 million
in additional funds recovered. Key to these successes was Interpol's Global Rapid Intervention
of Payments initiative, enabling swift action to halt stolen funds in transit. This operation,
supported by the South Korean government, is the fifth in the HAECHI series,
achieving record results compared to the previous operation,
including nearly double the number of solved cases and tripling the blocked virtual asset accounts.
Interpol's Secretary General emphasized the importance of international cooperation
in combating the borderless threat of cybercrime,
highlighting the devastating impacts on individuals and businesses alike.
Open-source enterprise network monitoring solution Zabbix
has disclosed a critical SQL injection vulnerability.
Exploitable by non-admin users with API access,
it allows attackers to escalate privileges
and compromise systems.
Over 83,000 Internet-exposed servers are at risk.
Patches were released in July,
and users should update immediately.
No active exploitation has been reported.
A novel phishing campaign
exploits Microsoft Word's file recovery feature by using intentionally corrupted Word documents to bypass email security software.
These attachments, disguised as HR or payroll-related files, evade detection due to their damaged state, but remain recoverable by Word.
Once opened, the document prompts users to recover the file,
displaying a phishing message instructing them to scan a QR code, which redirects to a fake Microsoft login page to steal credentials.
The campaign, identified by ANY.RUN,
embeds Base64-encoded strings and file names to obfuscate intent.
The attachments lack malicious code,
helping them avoid antivirus detection on platforms like VirusTotal.
Recipients are urged to remain vigilant, delete suspicious emails,
and confirm unexpected messages with administrators to avoid falling victim to this tactic.
Researchers from Trustwave have linked the advanced phishing
toolkit Rockstar 2FA to a rise in adversary-in-the-middle phishing attacks targeting
Microsoft 365 users. This toolkit creates fake login pages to harvest credentials and bypass
multi-factor authentication using adversary-in-the-middle techniques to intercept session
cookies. Campaigns have escalated since August of this year, leveraging car-themed webpages and
domains with over 5,000 hits since May. Rockstar 2FA, a phishing kit offered as a service for $200,
features 2FA bypass, anti-bot protections, randomized codes, and Telegram bot integration,
making it attractive to cybercriminals.
Phishing emails use themes like HR alerts, document sharing, and MFA lures,
often evading detection by exploiting trusted platforms and obfuscation methods.
Experts warn these cost-effective kits enable credential theft,
account takeovers, and business email compromise. Researchers at Nozomi Networks Labs identified 20
critical vulnerabilities in Advantech's industrial wireless access points, widely used in critical
infrastructure. The flaws allow remote code execution with root privileges and denial of
service attacks, even without authentication. Vulnerabilities also enable lateral movement
across networks and exploit wireless data packet management scripts. Firmware updates have been
released to address the issues. South Korean researchers have uncovered a shift in the tactics of the North Korean hacking group Kimsuky,
which now employs malware-less phishing attacks to evade endpoint detection and response systems.
These attacks focus on researchers and organizations studying North Korea
using phishing emails that impersonate entities such as financial institutions and public agencies.
A notable change is Kimsuky's switch from Japanese to Russian email services,
making their campaigns harder to detect. They also leverage domains from free Korean
registration services and fabricate phishing sites using themes tied to financial matters. These phishing attempts often include URLs without malware, making them harder to flag as threats.
The United Nations, alongside the International Telecommunication Union and the International
Cable Protection Committee, has formed the International Advisory Body for Submarine
Cable Resilience
to address growing threats to critical undersea cable infrastructure.
Submarine cables handle over 99% of global data exchanges, making their security vital.
The advisory body will focus on enhancing cable protection,
promoting best practices, and ensuring timely repairs.
The initiative follows recent incidents, including damage to cables connecting Finland, Germany, Sweden, and Lithuania
under investigation for possible sabotage. The ICPC reports 150 to 200 annual cable damage
incidents, mainly from ship anchors, fishing, or natural disasters,
necessitating weekly repairs. The 40-member body, co-chaired by Nigeria and Portugal,
will meet twice annually, working with industry experts. The U.S. has also launched projects to
bolster cable security, including partnerships with Pacific Island nations. The UK has launched the Laboratory
for AI Security Research, LASR, or maybe I should say laboratory, to combat nation-state
cyber threats, particularly from adversaries like Russia. Initially funded with $10.3 million from
the government, the lab expects additional support from private
sector partners. LASR aims to harness artificial intelligence to bolster cybersecurity and
intelligence capabilities, collaborating with organizations like GCHQ, the Alan Turing Institute,
and top universities such as Oxford and Queen's University Belfast. The lab also seeks international partnerships,
including with NATO and Five Eyes allies.
Chancellor Pat McFadden highlighted AI's dual role
in amplifying cyber threats and enabling advanced defense tools.
LASR's creation reflects the UK's commitment
to addressing emerging AI-driven cyber challenges
as part of a broader global strategy.
Russian authorities have reportedly arrested Mikhail Matveev,
also known as Wazawaka, a high-profile ransomware affiliate
linked to groups like Babuk, Conti, DarkSide, Hive, and LockBit.
Matveev faces charges under Russia's Article 273
for creating malware to extort commercial organizations
by encrypting data and demanding ransom.
If convicted, he could face up to four years in prison or fines.
Matveev, indicted by the U.S. in 2023
and offered a $10 million bounty by the State Department,
allegedly participated in major attacks, including the 2021 ransomware attack on
Washington, D.C.'s Metropolitan Police Department. Despite his crimes, he previously claimed to live
freely in Russia. Russia rarely prosecutes domestic hackers, especially those targeting foreign entities, but recent arrests, including members of REvil and SugarLocker, suggest a possible shift in strategy.
I can't resist putting this out there. Wazawaka? A Russian threat actor? I mean, we've got to go with Fozzie Bear, right? Waka, waka.
Coming up after the break, my conversation with Marshall Heilman from DTEX Systems about his experience with a nation-state actor attempting to gain employment at his company.
And OpenAI opens the door for encrudification.
Do you know the status of your compliance controls right now? Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home
networks, and connected lives. Because when executives are compromised at home, your company
is at risk. In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Marshall Heilman is CEO of DTEX Systems.
We recently got together to chat about his experience
with a nation-state actor's attempt to gain employment at his company.
So there's really three different aspects of this from my perspective. You know, what has gotten a
lot of attention recently is the fake North Korean IT worker, right? There's been a bunch of articles
that have come out of that. We know that it's affecting a large number of companies, especially
high technology companies. And so essentially what is happening with these situations
is that there are North Korean workers getting hired into organizations
in IT positions where they have significant access into an organization.
And then what these IT workers are then able to do
is either take data to send back to their home country,
or in some cases, they're able to install software
that allows other entities from their home country to gain access to their organization to do whatever damages that they want
to do. So that's really the first aspect of the fake worker. The second aspect that we see a lot
of as well is where in today's remote world or remote environment, we see some employees going
and getting hired at multiple companies. And so while they're not necessarily malicious in nature, what they're doing is not spending a lot of time working at the organization that's paying them because they're having to split their, 15 organizations, and they outsource their job to somebody else in another country. And what you have then is a
worker that now has access into an organization that the organization has no control over. They
don't know who that is, and it's not the person that they believe that they hired. And that is
obviously malicious in nature. So from my perspective, those are the three main pillars
of this particular issue that we see today.
Well, and on top of that, it's my understanding that you and your colleagues there had a run-in with this sort of thing yourselves?
We did, yes.
Interestingly enough, it was right around the same time as the KnowBe4 article came out that really launched this into mainstream.
But yes, we had an individual who applied for a job. And as we're going through the interview process, we spotted some discrepancies. And ultimately, there were
enough discrepancies that we decided to shut down the interview process and not move forward with
the candidate any further. Some of the specifics around there that we saw is, for one, what we
noticed is that the email address that the individual used did not match the name that he used in a very, let's say, obvious sort of way.
And so it was clear that there was something off there. And that could be a mistake or it could
just be someone has a funny email address. But in this particular case, paired with the other
things we saw, it was a red flag for us. A second thing that we saw is this particular individual claimed to have used a technology in a certain year,
but one of our interviewers correctly recognized
that that particular technology had not been released
until a couple years afterwards when the person said they used it,
so that was obviously fake.
Right.
This individual claimed to work at an organization
and leverage certain technologies that really
didn't make sense for the organization he said he was employed at to have used. So that set off
another red flag. And then really the final flag that we saw before we decided to terminate the
interviews was this particular individual was using a geometric background. And as you know,
on these calls, you can always see a little bit what's behind the person as they're moving around.
And it was pretty obvious
that they were in some type of a call center.
They definitely were not sitting at a home office.
And so when you put those four pieces of information together,
what you have as a candidate
is probably not who they say they are.
Wow.
Do you have any sense for how widespread this actually is?
So personally, I don't.
But I know from talking with all the senior level executives that I speak
with, it is an ongoing problem that pretty much every company I talk to, I know
Mandiant and CrowdStrike have done some reporting talking about just how widespread this problem
actually is. I believe in the companies that we've spoken to, we've seen
a 73% or so increase in the number of conversations
around this particular topic at the organizations
that we talk to on a regular basis. So I think it's probably more widespread than initially
thought. Well, what are your recommendations then? I mean, in this world where so many people
want to work remotely, how do we enable that but also manage this potential problem?
Yeah, and that's a great question.
Remote work is fantastic.
I'm a remote worker myself.
And so I think finding the way to get this right is really important.
So there's a couple of obvious things we can do.
When it comes to looking at a candidate's resume,
as I said, just trying to match the name against their email address,
against the phone number they gave.
That's a basic thing.
When you're doing a background check,
make certain that there's no red flags that come back on the
background check. When an individual submits his picture,
or their picture, I should say, I think it's important to leverage some of the myriad
of AI tools out there that exist nowadays to try and detect whether the picture was AI-generated
or modified or not. Those are some things you can do.
When conducting an interview,
I think it's really important
to always have the camera on
so you always see the person that you're talking to
and you can match up who you see
against the picture that they're using.
It also allows you to see through their background,
whether they're sitting in an area
that seems to be where they say they are
or whether they're very obviously in a call center.
If companies are comfortable with it,
they can ask the individual not to
leverage a background so they can see exactly where they are. I think it's important afterwards
to look at the IP address that the individual connected from to see if they're on any known
watch list. Is it a malicious IP address or is it an IP address maybe that is in Texas when the
person claimed they were in Maine and that seems like a very unlikely scenario. And it's something
you can ask the candidate to explain. And then once you've made a decision to hire an individual
you can do things like, when you ship out the computer to the address the person's listed, make sure that the address you're shipping the computer to is the same one that they claim they're actually living at. If there's a discrepancy there, you obviously want to investigate why. You can also, if you have employees in the area where the individual is located, have them go and have a quick coffee meetup with the individual to make certain that the person you are meeting is actually there locally and not in some other country or some other area. And I think to get even more detail in a very logical fashion, we at DTEX released a blog that we call an Insider Threat Advisory.
And we discuss at each different phase of the process.
So pre-employment or interview phase,
pre-employment, early stages of employment,
later stages of employment,
what you can be looking for
to make certain that you as a company
don't fall victim to this type of malicious activity.
You know, it seems to me like this really requires close coordination between the folks on the HR team and the folks in IT.
I mean, perhaps even earlier in this process than it had previously traditionally demanded.
Yeah, absolutely.
And I think, again, as you correctly pointed out,
in today's world where we allow remote work
more than we ever have in the past,
I think we have to think about how we go about recruit
and hire and onboard employees
differently than we have in the past.
And that does mean close collaboration between HR and IT
to make certain that the companies are hiring the people
that they believe they're hiring into the organization
and that those employees are as productive as they expect them to be.
That's Marshall Heilman from DTEX Systems.
You can read more about this incident in a blog post from DTEX.
We'll have a link in the show notes. Thank you. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And finally, it was bound to happen.
OpenAI, the company that wowed us all with ChatGPT,
is considering, wait for it, advertising.
Yes, folks, the tech darling that made us believe in the magic of AI might just join the dark side of internet monetization,
trading user delight for ad revenue.
The Financial Times reports that OpenAI's CFO, Sarah Friar,
confirmed the company is exploring ads as a potential revenue stream.
While she insists there are no active plans yet,
the writing on the wall is as clear as a programmatic banner ad.
They're hiring ad veterans from Google and Meta,
and their chief product officer is
Instagram's former ad architect. Friar assures us they'll be thoughtful about ads, but isn't that
what they all say? This isn't just a cash grab, it's a necessity. OpenAI may be pulling in $4
billion annually, but training cutting-edge AI models
is an expensive endeavor.
They're burning through cash
faster than you can say monetization strategy,
and with a $5 billion spend forecast,
even their enviable $150 billion valuation
needs some heavy lifting.
To be fair, ads work wonders for companies like Google, but let's be
real. Nothing ruins a seamless AI chat like a pop-up screaming about discount mattresses.
OpenAI claims it'll be careful not to alienate its 250 million weekly users. Let's hope so,
because once the ad floodgates open, there's no going back.
After all, when has thoughtful advertising ever lived up to the promise?
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast,
where I contribute to a regular segment on Jason and Brian's show every week.
You can find Grumpy Old Geeks
where all the fine podcasts are listed.
We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that
keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show,
please share a rating and review in your favorite podcast app. Please also fill out the survey in
the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K Cyber Wire
is part of the daily routine of the most influential leaders and operators in the public
and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law
enforcement agencies. N2K makes it easy for companies to optimize your biggest investment,
your people. We make you smarter about your teams while making your team smarter.
Learn how at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester, with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilby is our publisher.
And I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.