CyberWire Daily - Trends in the cybercriminal underworld. The prosecution of Lapsus$ and Tornado Cash. More developments in Russia’s hybrid war.
Episode Date: August 24, 2023

There's a new sophistication in BEC campaigns. Trends in brand impersonation: crooks still like to pretend they're from Redmond. The future of Russian influence operations in the post-Prigozhin era. Andrea Little Limbago from Interos shares insights on the new cyber workforce strategy. In our latest Threat Vector segment David Moulton of Palo Alto Networks is joined by Stephanie Ragan, Senior Consultant at Unit 42, to discuss Muddled Libra. And more on the doxing of a deputy Duma chair, who seems to have been selling hot iPhones as a side hustle (maybe). And the growing problem of synthetic identity fraud.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/162

Selected reading.
BEC Trends: Payroll Diversion Dominates and Sneaky Multi-Persona Attacks Emerge (Trustwave)
Q2 2023 Threat Landscape Report: All Roads Lead to Supply Chain Infiltrations (Kroll)
Microsoft Impersonated Most in Phishing Attacks Among Nearly 350 Brands (Abnormal Security)
TransUnion Analysis Finds Synthetic Identity Fraud Growing to Record Levels (TransUnion)
Ukraine at D+546: Yevgeny Prigozhin dies in a plane crash. (CyberWire)
Without Prigozhin, expect some changes around the edges on Russian influence operations (Washington Post)
2023 H1 Global Threat Analysis Report (Radware)
Lapsus$: Court finds teenagers carried out hacking spree (BBC News)
British court convicts two teen Lapsus$ members of hacking tech firms (Record)
Treasury Designates Roman Semenov, Co-Founder of Sanctioned Virtual Currency Mixer Tornado Cash (U.S. Department of the Treasury)
Tornado Cash Founders Charged With Money Laundering And Sanctions Violations (U.S. Attorney for the Southern District of New York)
Russian Duma leader's emails hacked and leaked (Cybernews)
Ukrainian hackers expose money laundering and sanction evasion by senior Russian politician (teiss)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
There's a new sophistication in BEC campaigns,
trends in brand impersonation, the future of Russian influence operations in the post-Prigozhin era.
Andrea Little Limbago from Interos shares insights on the new cyber workforce strategy. In our latest Threat Vector segment, David Moulton of Palo Alto Networks is joined by Stephanie Ragan, senior consultant at Unit 42, to discuss Muddled Libra. And the growing problem of synthetic identity fraud.
I'm Dave Bittner with your CyberWire Intel briefing for Thursday, August 24th, 2023.
There are several trends being discussed by industry researchers today. First, Trustwave's SpiderLabs has published a report on the business email compromise landscape in the first half of 2023.
The researchers saw an increase of 25% in unique BEC attacks in the first quarter
over the final quarter of 2022. February accounted for the highest BEC volume in that period. Trustwave says that history
teaches that BEC usually picks up in February after a holiday slump. They say, as the year
begins, people are gearing up for tax season and the start of new endeavors. Fraudsters are sure
to take advantage of this. The researchers found that Gmail, iCloud, and Mail.ru were the most common free email services abused in BEC attacks.
Security firm Kroll has observed a notable shift toward increased supply chain risk in the second quarter of 2023.
This was driven both by the notorious Cl0p gang's
exploitation of a MOVEit Transfer vulnerability, but also by a jump in email compromise attacks.
The researchers believe the Cl0p gang has been targeting MOVEit users for the past two years.
They write, initial Kroll analysis of the MOVEit cases across their client base identified that similar activity targeting MOVEit servers had been observed as far back as 2021,
suggesting that the Cl0p ransomware group had likely identified the zero-day years earlier
and had spent some time creating automated tools to aid them in conducting the mass exploitation event.
Turning to brand impersonation,
Abnormal Security has found that Microsoft is by far the most commonly spoofed brand used in phishing attacks.
Microsoft-branded attacks have accounted for 4.3% of all phishing attempts in 2023.
Attackers frequently target Microsoft credentials
in order to compromise an organization's
Microsoft 365 environment. The crooks are using better grammar and more plausible usage too,
no longer sounding like Ensign Chekov having a bad day on the bridge of the Enterprise.
Abnormal has seen an increase in grammatically correct phishing emails. It's not that they're becoming better writers,
but they're using generative AI to write their phishing templates.
The researchers lament,
Unfortunately, the use of generative AI goes beyond emails.
Cybercriminals can produce whole websites,
complete with logos, brand copy, and images,
then link those to their phishing messages.
This deepens the impression that these emails really are from the impersonated brand and makes it more likely that the victim will enter their credentials.
It's almost enough to make you nostalgic for Clippy.
Almost.
Turning to the hybrid war Russia launched against its neighbor Ukraine in the winter of 2022,
the most startling news so far this week was yesterday's plane crash that killed Yevgeny Prigozhin. In cyberspace, the crash, which we have to say is generally regarded as
a shoot-down ordered by Russian President Putin, casts further doubt on the future of a prominent player in Russian
influence operations. Mr. Prigozhin's troll-farming Internet Research Agency had already indicated
after the march on Moscow that it was ceasing operations. It seems likely, however, that its
template for disinformation and influence will continue in use by Russian intelligence services, especially the GRU.
The Washington Post quotes an assessment by Gavin Wilde, former U.S. National Security Council director for Russia, Baltic and Caucasus affairs, now a senior fellow with the Carnegie
Endowment for Peace, as stating, Prigozhin was for Russian information operations kind of what Kurt Cobain was for grunge music.
The guy ushers in a certain era and perfects a certain craft.
But now that he's gone, what's likely to follow is a saturated market of copycats,
and that will probably end up falling short of the kind of heyday or the prominence of what it once was.
Radware's recently published 2023 H1 Global
Threat Analysis Report looks at the current state of global distributed denial-of-service attacks
and finds two Russian hacktivist auxiliaries atop the threat leaderboard. The researchers find that
attacks on Layer 7, that is the application layer, have surged, as have high
volume long duration attacks, while other forms of DDoS somewhat diminished. The researchers state,
NoName057(16) was the most active hacker group on Telegram, claiming 1,459 DDoS attacks, followed by Anonymous Sudan with 660 attacks and Team Insane PK with 588 attacks.
NoName057(16) and Anonymous Sudan are Russian operations.
The group that showed in third place, Team Insane PK, is an Islamist group operating, for the most part, from Pakistan against targets in India.
The Southwark Crown Court in London has found two teenagers, members of the Lapsus$ group,
responsible for cyber attacks against companies that included Uber,
NVIDIA, and Rockstar Games, the BBC reports. One of the youths, aged 18, has been remanded.
The other, a 17-year-old, remains out on bail.
Both are awaiting sentencing.
In the U.S., the U.S. Attorney for the Southern District of New York has announced the indictment of Roman Storm and Roman Semenov,
founders of Tornado Cash,
on charges of conspiracy to commit money laundering,
conspiracy to commit sanctions violations,
and conspiracy to operate an unlicensed money-transmitting business. They are alleged to have handled more than a
billion dollars in illicit transactions, including hundreds of millions laundered on behalf of North
Korea's Lazarus Group. The U.S. Department of the Treasury also announced yesterday that it had
sanctioned Mr. Semenov for operating his mixer service in the interest of North Korea.
Treasury said,
As a result of today's action, all property and interests in property of the designated individual that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC.
That's Treasury's Office of Foreign Assets Control. OFAC's regulations
generally prohibit all dealings by U.S. persons or within the United States that involve any
property or interests in property of blocked or designated persons. Mr. Storm was arrested
yesterday. Mr. Semenov, a Russian citizen, remains at large, still very much in the wind.
And finally, analysis by TransUnion has found that synthetic identity fraud has reached record
levels, particularly in the auto finance industry. TransUnion explains, synthetic fraud is the use
of personally identifiable information to fabricate a person or
entity in order to commit a dishonest act for personal or financial gain. Synthetic identity
exposure in the auto industry reached $1.8 billion in the first half of 2023, making the sector an
attractive target for fraudsters. The researchers note that the retail industry has had the highest rate of
digital fraud this year, with retail and video gaming at 10.6% and 7%, respectively, followed
by telecommunications at 5.3%. Globally, insurance and logistics were the industries with the lowest
suspected digital fraud attempt rate in the first half of 2023. Among all industries,
the suspected digital fraud rate stood at 5.3%, up from 4.5% a year ago.
Coming up after the break in our latest Threat Vector segment, David Moulton of Palo Alto Networks is joined by Stephanie Ragan,
senior consultant at Unit 42, to discuss Muddled Libra.
Andrea Little Limbago from Interos shares insights on the new cyber workforce strategy.
Stay with us.
In the latest edition of our sponsored Threat Vector segment,
Palo Alto Networks' David Moulton speaks with Stephanie Ragan,
senior consultant at Unit 42.
Their conversation centers on Muddled Libra.
Here's the Threat Vector.
It's not always possible from an investigative side to be able to tell whether AI is used.
And honestly, it's not always our goal.
We're really focused on ejecting the threat actor from the environment and getting our clients back up and running.
Welcome to Threat Vector, a segment where Unit 42 shares unique threat intelligence insights,
new threat actor TTPs, and real-world case studies. Unit 42 is a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to
safeguarding our digital world. I'm your host, David Moulton, Director of Thought Leadership for Unit 42.
In today's episode, I'm going to talk with Stephanie Ragan, a senior consultant with Unit 42. Stephanie started her career in law enforcement and now specializes in
compromise assessment and incident response. In our last episode, I spoke with Chris Russo,
a senior threat researcher with Unit 42 focused on ransomware and cybercrime about Muddled Libra.
Chris painted a picture of a determined and dangerous adversary. Today, I want to talk
with Stephanie to hear her insights
and advice when it comes to responding to an attack from Muddled Libra and groups like them.
To kick us off, can you share the number of matters that you've been involved with
when it comes to Muddled Libra? Yeah, my numbers are likely a little higher since
we're not always confident on attribution. However, I've worked definitely
at least a half dozen cases with Muddled Libra. Can you share a detail or an insight from a
matter that really sticks out to you? One of the things that really sticks out to me about
Muddled Libra cases has been the reconnaissance portion of the investigation. A lot of the times
we see threat actors doing a really light reconnaissance, trying to figure out where they're at in the environment
and how they can navigate. I've seen them deep dive the how-to and the technical docs. They're
really trying to get a really deep understanding of the environment and how to connect and change
their level of persistence as well as further their access into the environment.
So Chris mentioned that this group is prolific when it comes to use of phishing kits and social
engineering. And what are some of the ways that you've seen success in combating these approaches?
These approaches are really successful because it's focused on that human factor.
People are focused on their jobs, getting their jobs accomplished. MFA is a huge must and moving towards more secure
methods of MFA, getting away from using SMS for our multi-factor authentication.
Really thinking about where is your data stored when it comes to help desk information. We've seen
phishing and spoofing of help desk personnel. So really thinking critically about where is the information that the user might use
to reset their password through the help desk.
One of the things that we've talked about
that they use a lot of is domain typo squatting
and also buying access from initial access brokers.
Things like dark web and domain monitoring
can also help in these situations
to help you know quickly
when credentials might be available on the dark web or when you have certain things like mistyped domains and slightly misconfigured domain URLs that have been developed and are created that spoof your sites.
Stephanie, tell our listeners what it takes to help a client recover from one of these attacks.
Especially with a Muddled Libra attack, I think moving quickly to understand the level of
persistence that has been able to be obtained at the time of detection is really important.
IR playbooks are essential, knowing the actions that you're going to need to take before you're in the emergency
environment. Password resets, asset resets, those have to have a plan around them because when
you're in large environments and you're trying to reset passwords for thousands of users, that's
very difficult. It's going to be kind of that whack-a-mole game to keep kicking them out of one
account, but they can use another one to get right back in.
Another crucial piece with Muddled Libra and many threat actors today
is getting to out-of-band comms very quickly as well.
A lot of threat actors, including Muddled Libra,
like to sit on and listen to whatever your chat platform of choice is
and trying to understand what actions the IT team and maybe
the investigators are taking, getting out of band and being able to really coordinate your
approach quickly to get your environment reset is very important.
Final question for you. Do you expect that there'll be copycat groups out there that
take Muddled Libra's playbook and use it, expand on it?
I think that the idea of copycats is an interesting one in this era of cyber. Being able to see the success of Muddled Libra and other
groups like them and have enough information about them to be able to copy, definitely I can see
people doing that. However, one of the things to keep in mind is that we hear a lot about like
RAS, ransomware as a service, initial access brokers and things like that.
So we're seeing a lot of blending of TTPs, IOCs, indicators, but also as far as that goes, things that look like the same threat actor that might be slightly different because they're sharing resources and have really become this complex marketplace today.
Stephanie, thanks for joining me today on Threat Vector and for sharing your insights and experience defending against Muddled Libra. If you're interested in reading more about this threat
actor group, visit the Unit 42 Threat Research Center and look for the Threat Group Assessment
on Muddled Libra. We'll be back on the Cyber Wire daily in two weeks.
Until then, stay secure, stay vigilant.
Goodbye for now.
That's Unit 42's Stephanie Ragan speaking with David Moulton from Palo Alto Networks.
And it is always my pleasure to welcome back to the show Andrea Little Limbago.
She is Senior Vice President of Research and Analysis at Interos.
Andrea, it is great to have you back.
And I want to touch base today and get your reaction to the White House's national cybersecurity strategy.
Yeah, no, and thanks for having me, Dave.
And this is, you know, it's a welcome strategy.
You know, always, you know, the devils are in the details and so forth, but actually
putting together a strategy
is the first step in really identifying
what is a big gap.
It's interesting when we think about
the workforce gap, and
we could talk about some of the different experiences
that we've had, but there is
the talent gap, but there's also a hiring
challenge. It's almost that there's
a supply and demand disconnect going on across the entire industry that really keeps exacerbating it.
So I was pleasantly surprised to see it.
I think it's done well.
It had a lot of great input from a variety of different interests.
And I think it's something that's critical both for our national security and our economic security going forward.
So I think it highlights just the role that that workforce development is going to play, especially in cybersecurity going forward as a core component of our government.
So very welcome.
You mentioned the sort of disconnect between the hiring side and the gap with employees.
What do you suppose is driving that?
I think there are a couple of different things. It's almost hard to figure out where to start out. On the one hand, cybersecurity as an industry, in many ways,
it hasn't been around for centuries, like you say, like finance has been. And even a couple
decades ago, you'd say there was a tech and then we've slowly evolved and some companies don't
necessarily even have more than one security person for small and medium-sized businesses.
And so very often, the needs are more so presented as someone middle career, senior career,
to help fill the gap for what they're hiring for. And at that level, there may not be enough
people out there to fill those gaps.
And there has been less on the company side to want to do workforce training and development.
They really want to hire someone coming in at that higher level, even if that means they have an opening for a year.
And they could have taken that year, brought someone in who, you know, out of college, has their degree, is eager, ready to learn, and instead of training them.
And so that's starting to change.
We are starting to see more companies look both for more junior-level candidates
or provide some on-the-job training.
So I think that's really what's going to have to be needed.
But we're also just seeing the cybersecurity industry
just notorious for their job applications, listing.
You need to have these 30 criteria that are ridiculous.
Five years of experience for a technology that's only been around for three.
That's exactly right.
Yeah, so you see that gap too.
And then, as we know, many underrepresented groups, unless you check off every single box,
they're not going to apply.
And then we also see a lot of the job descriptions that are written for, you know, that kind
of has some talk commentary in there.
So that also, I think a lot has evolved, honestly, over the last 10 years in that area.
We're moving in the right direction.
And actually, I think some of those movements are reflected in the workforce strategy.
So we're getting there, but still a lot more needs to be done on both sides.
Well, getting back to the White House's strategy here, any other things in particular that caught your eye?
I like very much that it focuses on some of the adjustments for the federal workforce,
because the federal hiring really does need to adjust to bring in the top talent.
And so it was almost some good introspection going on there and acknowledging that there's a challenge there.
So I like that.
I really do like that it takes an all-of-society approach to cybersecurity and really focuses on really raising the skill gap across all of the U.S. society.
And so even whether they're going in the workforce, just making everyone in our population a much more cyber-aware population.
So I think for whatever age you are, everyone is on some sort of technology right now.
And so that means there's going to be some insecurity that inherently goes along with it.
And so just raising the bar on that, I think, is really, I think that was an important point to
note. And in some cases, it almost seems like it's lending some insights from Estonia and some of the other countries that have done this a little bit better,
largely as a forcing function from having
major wide-scale cyber attacks
15 years ago.
But it's taking some lessons learned from other
countries as well, so I think that was
a good component of it. Because it really does have to be an all-society
approach to it, to then
help fill in the gap.
Whatever industry you're in,
it has to be something that becomes an important issue to discuss and have that awareness.
Yeah, there's no getting around it, right? I mean, it's part of everybody's
everyday lives now.
Exactly.
Yeah. All right. Well, Andrea Little Limbago, thanks for joining us.
All right. Thank you, Dave.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire
are part of the daily intelligence routine of many of the most influential leaders
and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500.
your team while making your team smarter. Learn more at n2k.com. This episode was produced by
Liz Ervin and senior producer Jennifer Iben. Our mixer is Trey Hester with original music by
Elliot Peltzman. The show was written by our editorial staff. Our executive editor is Peter
Kilby and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.