CyberWire Daily - Uber’s breach. Phishing in Ukraine’s in-boxes. What’s Russia been up to anyway? (Not the same thing, probably, NATO would be up to.) And the ransomware leader board.

Episode Date: December 13, 2022

Uber sustains a third-party breach. A phishing campaign hits Ukrainian in-boxes. The enduring riddle of why Russian offensive cyber operations have failed in Ukraine. Joe Carrigan on credit card skimming. Carole Theriault describes a UK food store chain that uses facial recognition technology to track those with criminal or antisocial behavior. And 2023’s ransomware-as-a-service leader board.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/237

Selected reading.
Uber suffers new data breach after attack on vendor, info leaked online (BleepingComputer)
Uber has been hacked yet again with code and employee data released online (SiliconANGLE)
Uber hit by new data breach — what you need to know (Tom's Guide)
Uber’s data breach. (CyberWire)
Ukrainian railway, state agencies allegedly targeted by DolphinCape malware (The Record by Recorded Future)
Cyber Operations in Ukraine: Russia’s Unmet Expectations (Carnegie Endowment for International Peace)
The most prolific ransomware groups of 2022 (Searchlight Security)

Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Uber sustains a third-party breach. A phishing campaign hits Ukrainian inboxes. The enduring riddle of why Russian offensive cyber operations have failed in Ukraine. Joe Carrigan on credit card skimming.
Starting point is 00:02:13 Carole Theriault describes a UK food store chain that uses facial recognition technology to track those with criminal or antisocial behavior. And 2023's ransomware-as-a-service leaderboard. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, December 13th, 2022. BleepingComputer reports that Uber has sustained a breach. Over the weekend, a group styling itself UberLeaks began dumping data it claimed to have stolen from Uber and Uber Eats. The data dumped online include what the attackers say is source code
Starting point is 00:03:15 for mobile device management platforms and for third-party vendor services the company uses. BleepingComputer says the threat actor created four separate topics, allegedly for UberMDM at uberhub.uberinternal.com and UberEatsMDM and the third-party TeqtivityMDM and TripActionsMDM platforms. The data compromised include corporate and employee data, but not customer information, Uber believes.
Starting point is 00:03:48 This incident apparently originated in the compromise of a third-party vendor, and there's some evidence of Lapsus$ gang activity. Uber told BleepingComputer, "We believe these files are related to an incident at a third-party vendor and are unrelated to our security incident in September." The third-party vendor seems to have been Teqtivity, which says in its own statement, "We are aware of customer data that was compromised due to unauthorized access to our systems by a malicious third party. The third party was able to gain access to our Teqtivity AWS backup server that housed Teqtivity code and data files related to Teqtivity customers."
Starting point is 00:04:38 One safe bet is that Uber employees should prepare themselves to withstand a wave of phishing and other social engineering approaches that can be expected to make use of the data the attackers have dumped online. The State Service for Special Communications and Information Protection of Ukraine warned citizens to be alert for a phishing campaign. The phishing email misrepresents itself as being from the State Emergency Service of Ukraine. The phishbait in the subject line is "How to recognize a kamikaze drone," which shows an attempt to trade upon recent widespread fears of Russian drone attacks.
Starting point is 00:05:19 The malicious payload is DolphinCape, whose main function is to collect information about the computer. This isn't the first phishing campaign to impersonate Ukrainian government agencies. Earlier efforts in October and November spoofed the State Special Communications Service, the press service of the General Staff of the Armed Forces of Ukraine, the Security Service of Ukraine, and even CERT-UA. There's no specific attribution in the warning, but circumstantially, the DolphinCape campaign looks like a Russian operation. It serves Russian interests, and it's coordinated in at least a general way with a principal kinetic effort in Russia's war,
Starting point is 00:05:59 indiscriminate drone attacks against civilian infrastructure. The Record reports that the targets of the campaign are government agencies and rail transportation. A study published by the Carnegie Endowment for International Peace, titled Cyber Operations in Ukraine: Russia's Unmet Expectations, offers the beginning of an answer to one of the most discussed questions about Russia's war against Ukraine. Why have Russian cyber operations fallen so short of pre-war Western expectations? The author argues that Western and Russian cyber doctrine are incommensurable. Russian doctrine avoids equivalence of the term cyber, preferring to use the terms information confrontation or information warfare.
Starting point is 00:06:46 Whereas U.S. discussions of cyber operations normally concentrate on the technical integrity of networks, Russian doctrine considers a range of operations, both technical and psychological, code and content, that can be deployed against adversarial systems and decision-making. The essay offers three hypotheses to explain Russian failure in cyberspace, the infancy and putative focus of the VIO, the preponderance of cyber talent in the Russian national security ecosystem, and the pivotal nature of the initial period of the war. The common theme among the three hypotheses is Russia's unreadiness for the hybrid war it
Starting point is 00:07:26 decided to wage. Searchlight Security has published a report outlining the three most notorious ransomware groups of 2022, LockBit, Conti, and BlackCat. All three of these ransomware strains operate under a ransomware-as-a-service model, or in the case of Conti, if we really believe they have held their going-out-of-business sale, they operated in the past tense. Conti was the most prolific gang until it announced it was shuttering its operations back in June of this year, but this is probably more of a brand retirement than an operator retirement, still less an operator reform. Conti's hoods are in all likelihood still actively working for other groups. The researchers note that it's strongly suspected that group members joined other ransomware-as-a-service operations,
Starting point is 00:08:15 such as Black Basta and BlackByte, or refocused their efforts into groups thought to be subsidiaries of the primary Conti operation, such as Karakurt. Crime abhors a vacuum, at least as much as nature does, and LockBit partially filled the void left by Conti's closure, and that group now accounts for one-third of all ransomware attacks observed by Searchlight. LockBit operators are known for their dual extortion tactics, offering victims options for how to deal with the stolen data. Coming in third is BlackCat, also known as ALPHV or Noberus.
Starting point is 00:08:51 They also use double extortion attacks, placing their victims' data into a database that's accessible by cybercriminals. So what's up going forward? Searchlight looks at gangland's up-and-comers, highlighting Vice Society, AvosLocker, and Hive. These ransomware gangs are, they think, the threats to watch going into the next year. Vice Society is a dual extortion racket that targets the education sector. AvosLocker and Hive are ransomware-as-a-service offerings, with Hive being designed to be easily operated by inexperienced actors. So, they are to criminal coding what TV dinners are to cuisine. Yum.
Starting point is 00:09:42 Coming up after the break, Joe Carrigan looks at credit card skimming. Carole Theriault describes a UK food store chain that uses facial recognition technology to track those with criminal or antisocial behavior. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like
Starting point is 00:10:27 Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
Starting point is 00:10:58 when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from BlackCloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:11:41 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with BlackCloak. Learn more at blackcloak.io. Our UK correspondent, Carole Theriault, has been looking at a UK food store chain that's using facial recognition technology to track customers with criminal or antisocial behavior. She files this report. So, dear listeners, many of you based in the US of A, what do you make of this little privacy kerfuffle in the UK? So it involves a supermarket chain in the south of England called the Co-op. I have one near my house and it's where I go to pick up last minute items like juice, milk or eggs or even be old school and get a paper.
Starting point is 00:12:40 And the problem seems to be, according to the BBC, is that the Co-op is using a facial identification system called Facewatch. Now, Facewatch is not like Clearview, where it scans every single face that comes in and checks it against a huge database scraped from several online sites and social networks to identify anybody that walks into the food store. Nor is it taking snaps and comparing these against those convicted of crimes like, say, burglary or robbery. No, this one's a little different. The Co-op's Facewatch system is matching people against a list of people the Co-op says has stolen from its shops or been violent. A spokesperson told the BBC that the list was of people for which the business had evidence of criminal or anti-social behavior. Now, Big Brother Watch, a UK-based privacy campaign group, has challenged the legality of the system in a submission to the
Starting point is 00:13:39 Information Commissioner's Office, the ICO. Big Brother Watch says the biometric scans are, quote, "Orwellian in the extreme." Quote, "The supermarket is adding customers to secret watch lists with no due process, meaning shoppers can be spied on, blacklisted across multiple stores, and denied food shopping, despite being entirely innocent. This is a deeply unethical and, frankly, chilling way for any business to behave." Now, I'm a bit of a privacy buff. I've been talking about privacy for more than 20 years, but I'm not sure I personally would use the terms deeply unethical or chilling here. I get that these Co-op food stores are open late. Many don't have a strong security presence,
Starting point is 00:14:22 if any at all, and some have only one or two shopkeepers working the whole store. And this makes them vulnerable to gangs looking to rob or people wanting to cause trouble. And this trouble I'm talking about is actually a growing problem. A House of Commons report published in June 2021 opens with this statement. Quote, "The last five years has seen a shocking rise in attacks on retail workers." The Association of Convenience Stores, ACS, found that 89% of individuals working in local shops had experienced some sort of abuse. 89%, that's like 9 out of 10. So I get that staff and companies need to increase security to deter a growing threat. But perhaps this Facewatch system is not the best approach.
Starting point is 00:15:10 I think I'd much prefer staff to carry real-time cameras on lanyards. And then if a customer is acting inappropriately, rudely or criminally, the staff can turn on said camera and record the behavior. And this recording should only be shared with the authorities, you know, the people trained to serve and protect the people of the nation. But maybe that's just me. What do you think? This was Carole Theriault for The Cyber Wire. And joining me once again is Joe Carrigan. He is from Harbor Labs and the Johns Hopkins University Information Security Institute,
Starting point is 00:15:56 and also my co-host over on the Hacking Humans podcast. Hello, Joe. Hi, Dave. Interesting article from the folks over at Naked Security by Sophos. This is actually written by Paul Ducklin, and it's titled Credit Card Skimming, the Long and Winding Road of Supply Chain Failure. It's an interesting thing going on here. Can you explain it to us, Joe? This is an interesting thing going on.
Starting point is 00:16:24 So here's, Paul lays this out pretty well and summarizes it, but you can actually go and read the entire report from a company called Jscrambler, who did the actual research on this. But Paul's summary is great. So the high-level version is this, that back in the early 2010s, there was a company called Cockpit that offered free web marketing analytics services. Okay. Okay. Interesting that the company would offer free web marketing and analytics services. Those seem like things that should cost money. So immediately I'm thinking, okay, they're just going to collect my data and data on my customers. And that's going
Starting point is 00:17:06 to be probably not good. But a lot of companies, e-commerce sites said, okay, let's use this. And the way they used it was they started sourcing JavaScript code from Cockpit servers. Now, what does that mean? Well, when you're developing a webpage, you can put JavaScript on the webpage to make the web page to make the code or to make the page an active page and have it interact with the user. But you don't have to serve that JavaScript out yourself. You can just push it out from or have the web browser, have the user's web browser, pull it from another location. It doesn't have to come. And if you look at just about every web page, they all do this.
Starting point is 00:17:51 And Google Analytics has links that you can put in to get Google Analytics on your site as well. A lot of different sites offer this. And what these companies are doing is they're collecting vast amount of user data and the behavior data from your customers and your users of your website. So in 2014, Cockpit actually shuts down its service. They notified everybody that was using the service that they were going offline and any JavaScript code that was imported from Cockpit would stop working. And that happened. They just, they turned their servers off and went away. Now, the interesting thing is that when you do that, it's not really obvious to the user or even to the administrator that the code isn't coming in anymore. Unless you go in and proactively check your logs or test pages with some kind of test suite, you're not going to see that.
Starting point is 00:18:37 Chances are the users don't even notice it. The web browser goes, okay, this is a dead link. I'm not going to try pulling this file down. We'll just continue on and see if the page loads and everything works. And lo and behold, it will work because all you're doing is collecting analytic information and reporting that back up to the servers, which are now shut down. Anyway, in 2021, cyber criminals bought Cockpit's old expired domain. And I like what Paul says here. He says, to what we can only assume was a mixture of surprise and delight, they were able to buy this domain and they found out
Starting point is 00:19:14 that at least 40 e-commerce sites hadn't updated their web pages to remove any links to Cockpit. And they were still calling home and accepting any JavaScript code that was on offer. So this is after almost eight years of inactivity. These sites are still looking for this code, and these bad guys go out and buy the server that supplies the code. Well, that's bad news, because now these servers can start supplying all kinds of code, and that's exactly what they did. They inserted JavaScript code that would monitor the content of input fields on predetermined web pages. So they knew who was calling in. They could see where the request was coming from because there's a field in an HTTP request called the Referer field.
Starting point is 00:20:03 So they know exactly where it's coming from. Then all they have to do is go in and look at the website, see what that website looks like, reverse engineer it, which is very easy to do for any website because in order for the web to work, you have to have all of the actual code on your computer. So you have to go out and download all that code from whatever sources it's served from. So not only that, but once they've reverse engineered it, they can tailor JavaScript attacks for each of these websites, each of these 40 websites, to collect information specific to the forms on those pages. And again, they use that Referer field to know which piece of JavaScript to serve out to which end user, because the end user is just going out to their servers, these old Cockpit servers.
Starting point is 00:20:48 And they're actually not old Cockpit servers. They're just old Cockpit domain names and asking for the files. And they're having all their information stolen. And they're actually even getting tricked with HTML injection. Because one of the things you can do with JavaScript is inject additional HTML that makes it look like you need to log in again. So now I can capture your username and your password for that website. And it's coming from that website. It looks exactly like it's coming from that website.
Starting point is 00:21:14 They have opened the door. I guess they've inadvertently left the door open. Yes, exactly. That's what it is. They opened the door for a site that, you know, they've produced trusted content or received what they thought was trusted content from a vendor that they maybe trusted or did trust, but now that vendor's gone. They don't even exist anymore. Those people have moved on to new jobs. Right, right. So what's to be done here? Is this a matter of having regularly auditing your website to make sure that something like this isn't lingering around? That is one of the things you should be doing. Check logs to see if your website makes use of embedded HTTP links that are no longer working.
Starting point is 00:21:55 I don't know if your logs will show that unless you're testing the sites because your web server just serves out a line of text that says, include this script from this file, and that's the end of it. The user's machine goes out and makes the request to what was the Cockpit server in this case. But maybe you have something else going on behind the scenes that I'm not privy to. I don't know. But check your logs. Perform transaction tests regularly.
Starting point is 00:22:19 That's a good thing that Duck says to do here. And review. This is the most important. Review your web-based supply chain links. Really understand what you're doing when you rely on URLs that are provided by other people. That is paramount. And there should be some part of your configuration management process that says, these are the libraries we're using. These are the third-party JavaScript libraries or JavaScript functions that we're including
Starting point is 00:22:46 in our webpage and here's why we include them. And periodically, you should be looking at those libraries and those features and seeing, do we still trust these guys? Have these guys changed? Because, you know, I don't know, maybe it's just because I'm really suspicious of people, but when somebody shows up and says, hey, we're going to give you free web marketing or marketing and user data, all you have to do is include our JavaScript link.
Starting point is 00:23:08 The first thing that goes to my mind is, first off, no, I don't want to do that because what are you doing with that data? What am I giving you access to? And how are you going to impact my customers? That's really what it is. Because in the end, my goal as an e-commerce business is to sell things to my customers. The last thing in the world I want to do is hurt my customers. Yeah. All right. Well, the article again comes from the Naked Security blog from Sophos, written by Paul Ducklin. It's titled, Credit Card Skimming, The Long and Winding Road of Supply Chain Failure. Joe Carrigan, thanks for joining us. It's my pleasure, Dave. Cyber threats are evolving every second,
Starting point is 00:24:01 and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, … and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. Breaking news happens anywhere, anytime. Police have warned the protesters repeatedly, get back. CBC News brings the story to you live. Hundreds of wildfires are burning.
Starting point is 00:24:50 Be the first to know what's going on and what that means for you and for Canada. This situation has changed very quickly. Helping make sense of the world when it matters most. Stay in the know. Download the free CBC News app or visit cbcnews.ca. And that's The Cyber Wire.
Starting point is 00:25:17 For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, … Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Starting point is 00:26:46 Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
