CyberWire Daily - US Treasury targets darknet kingpin.
Episode Date: March 5, 2025

US Treasury Department sanctions Iranian national accused of running the Nemesis criminal marketplace. Hunters International threatens to leak data stolen from Tata Technologies. Apple challenges U.K.'s iCloud encryption backdoor order. UK competition regulator says no investigation into Microsoft's OpenAI partnership. Stealthy malware campaign targets the UAE's aviation and satellite industry. This week on our CertByte segment, N2K's Chris Hare is joined by Troy McMillan to break down a question targeting the Cisco Certified Network Associate (CCNA) exam. And hackers hit the books.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CertByte Segment
Welcome to CertByte! This bi-weekly segment is hosted by Chris Hare, a content developer and project management specialist at N2K. This week, Chris is joined by Troy McMillan to break down a question targeting the Cisco Certified Network Associate (CCNA) 200-301, version 1.1 exam. Today's question comes from N2K's Cisco Certified Network Associate (CCNA 200-301) Practice Test. According to Cisco, the CCNA is the industry's most widely recognized and respected associate-level certification. To learn more about this and other related topics under this objective, please refer to the following resource: https://learningnetwork.cisco.com/s/article/protection-techniques-nbsp-from-wardriving-attack
To get the full news to knowledge experience, learn more about our N2K Pro subscription at https://thecyberwire.com/pro.
Please note: The questions and answers provided here, and on our site, are not actual current or prior questions and answers from these certification publishers or providers.
Additional source: https://www.cisco.com/site/us/en/learn/training-certifications/certifications/enterprise/ccna/index.html

Selected Reading
Treasury sanctions Iranian national behind defunct Nemesis darknet marketplace (The Record)
Ransomware Group Claims Attack on Tata Technologies (SecurityWeek)
Apple is challenging U.K.'s iCloud encryption backdoor order (TechCrunch)
UK's competition regulator says Microsoft's OpenAI partnership doesn't qualify for investigation (TechCrunch)
Call It What You Want: Threat Actor Delivers Highly Targeted Multistage Polyglot Malware (Proofpoint)
Snail Mail Fail: Fake Ransom Note Campaign Preys on Fear (GuidePoint Security)
Fake police call cryptocurrency investors to steal their funds (Bitdefender)
Microsoft Teams tactics, malware connect Black Basta, Cactus ransomware (Bleeping Computer)
Investigator says differing names for hacker groups, hackers studying investigative methods hinders law enforcement (CyberScoop)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
We've all been there.
You realize your business needs to hire someone yesterday.
How can you find amazing candidates fast?
Well, it's easy.
Just use indeed.
When it comes to hiring, Indeed is all you need.
Stop struggling to get your job post noticed.
Indeed's Sponsored Jobs helps you stand out and hire fast.
Your post jumps to the top of search results, so the right candidates see it first.
And it works.
Sponsored jobs on Indeed get 45% more applications than non-sponsored ones.
One of the things I love about Indeed is how fast it makes hiring.
And yes, we do actually use Indeed for hiring here at N2K Cyberwire.
Many of my colleagues here came to us through Indeed.
Plus, with sponsored jobs there are no subscriptions, no long-term contracts.
You only pay for results.
How fast is Indeed?
Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according
to Indeed data worldwide.
There's no need to wait any longer.
Speed up your hiring right now with Indeed.
And listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com slash cyberwire.
Just go to indeed.com slash cyberwire right now and support our show by saying you heard about Indeed on this podcast.
Indeed.com slash cyberwire. Terms and conditions apply. Hiring, Indeed, is all you need.
U.S. Treasury Department sanctions Iranian national accused of running the Nemesis criminal marketplace.
Hunters International threatens to leak data stolen from Tata Technologies.
Apple challenges U.K.'s iCloud encryption backdoor order.
U.K. competition regulator says no investigation into Microsoft's OpenAI partnership.
Stealthy malware campaign targets the UAE's aviation and satellite industry.
This week on our CertByte segment, N2K's Chris Hare is joined by Troy McMillan to break
down a question targeting the Cisco Certified Network Associate exam.
And hackers hit the books.
Today is Wednesday, March 5th, 2024.
I'm Maria Varmazis, host of N2K's T-Minus Space Daily podcast, in for Dave Bittner.
And this is your CyberWire Intel Briefing. Thanks for joining us today.
Let's get into it.
The U.S. Treasury Department's Office of Foreign Assets Control has sanctioned the administrator
of the Nemesis darknet marketplace, which was shuttered by law enforcement last year.
Treasury says Iranian national Behrouz Parsarad maintained full control of the marketplace and its illicit profits, pocketing millions of dollars, while Nemesis was active.
Acting Undersecretary for Terrorism and Financial Intelligence Bradley T. Smith said in a press
release that, as the administrator of the Nemesis darknet marketplace, Parsarad sought
to build and continues to try to reestablish a safe haven to facilitate
the production, sale, and shipment of illegal narcotics like fentanyl and other synthetic
opioids.
Treasury in partnership with U.S. law enforcement will use all available tools to dismantle
these darknet marketplaces and hold accountable the individuals who oversee them.
The Hunters International ransomware gang has claimed responsibility for an attack against
Tata Technologies, a product engineering subsidiary of Indian auto manufacturing giant Tata Motors.
The company disclosed in January that it had sustained a ransomware attack that affected
some of its IT systems, according to a report from Security Week.
The Hunters gang is threatening to publish 1.4 terabytes of stolen data
if a ransom isn't paid by next week.
Hunters hasn't shared what the stolen data contains,
and Tata hasn't commented on the gang's claims.
Apple has filed a legal complaint
with the UK's Investigatory Powers Tribunal
to challenge a government order
demanding the creation of a backdoor
into its encrypted iCloud systems.
This order, issued under the Investigatory Powers Act of 2016, seeks access to data protected
by Apple's ADP or Advanced Data Protection encryption.
In response, Apple has withdrawn ADP from the UK, arguing that such measures compromise
user privacy and security.
The case raises significant concerns about the balance
between national security and individual privacy rights
with potential implications
for global data protection standards.
In other UK regulatory and big tech news,
the UK's Competition and Markets Authority or CMA
has concluded its review of Microsoft's
$13 billion investment in OpenAI,
determining that the partnership does not warrant a formal merger investigation.
The CMA found no evidence of Microsoft exercising de facto control over OpenAI,
particularly in light of OpenAI's recent collaborations,
such as the $100 billion AI infrastructure project, Stargate, with SoftBank,
which reduces its reliance on Microsoft's computing infrastructure.
This decision comes amid increased regulatory scrutiny of AI-related partnerships,
with the CMA also examining collaborations between other tech giants and AI startups,
such as Amazon's investment in Anthropic.
Proofpoint has published a report on a highly targeted phishing campaign that targeted several
aviation and satellite communications organizations in the United Arab Emirates, as well as critical
transportation infrastructure.
And the threat actor, which Proofpoint tracks as UNK_CraftyCamel, compromised an Indian
electronics company that had a business relationship with the targets and used this access to send spear phishing emails tailored to each targeted entity.
The emails were designed to deliver a custom Go backdoor, which Proofpoint has dubbed Sosano.
The researchers note that the campaign used polyglot files to obfuscate payload content,
which is a technique that is relatively uncommon for espionage-motivated actors
in Proofpoint telemetry,
and speaks to the desire of the operator to remain undetected.
Proofpoint doesn't attribute the campaign to any known threat actor, but notes that the TTPs overlap with previous operations
tied to Iran's Islamic Revolutionary Guard Corps.
Scammers are imitating the BianLian ransomware gang and sending physical letters with fake
ransom demands to C-suite employees in the United States, according to a report from
Bleeping Computer.
The letters inform the recipient that their organization's data has been stolen and will
be published if a ransom isn't paid within 10 days.
The letters, and again these are physical letters, contain a QR code leading to a Bitcoin
wallet address and recipients are instructed
to pay up to $350,000.
GuidePoint Security, which is tracking this scam, assesses with a high level of confidence
that the extortion demands are fake and not actually tied to the BianLian gang.
The security firm hasn't observed any evidence of intrusions at the targeted organizations,
and the information in the letters is copied from BianLian's public websites.
According to the police in the UK, scammers are impersonating police officers in order
to steal cryptocurrency from investors.
Using personal information obtained from data leaks, the scammers create fake Action Fraud
reports and then contact victims, claiming to investigate alleged fraud.
Victims are then instructed to expect a call from their cryptocurrency wallet provider.
Subsequently, a scammer posing as a security officer requests sensitive information, including
the seed phrase of the victim's cryptocurrency wallet, enabling the scammer to access and
steal the funds.
Kent police report that nine individuals
have collectively lost one million pounds to this scheme.
Authorities advise against sharing personal details
over the phone and recommend verifying the identity
of callers claiming to be from law enforcement
or financial institutions.
Recent research has uncovered further links
between the Black Basta and Cactus ransomware gangs,
with members
of both groups utilizing the same social engineering attacks and the BackConnect proxy malware
for post-exploitation access to corporate networks. These shared tactics and tools suggest
a potential overlap between the Black Basta and Cactus ransomware groups, indicating that
they may be collaborating or sharing resources.
Coming up after our break, we've got our CertByte segment. N2K's Chris Hare is joined by Troy McMillan
to break down a question from N2K's Cisco Certified Network Associate Practice Test.
And after CertByte, hear how cybercriminals are studying court docs.
Your business needs AI solutions that are not only ambitious but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights,
receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.
Cyber threats are more sophisticated than ever. Passwords? They're outdated and can be cracked in a minute. Cyber criminals are intercepting SMS codes and bypassing authentication apps.
While businesses invest in network security, they often overlook the front door, the login. Yubico believes the future is passwordless. YubiKeys offer unparalleled protection against phishing for individuals, SMBs and enterprises.
They deliver a fast, frictionless experience that users love.
Yubico is offering N2K followers a limited buy one get one offer.
Visit yubico.com slash N2K to unlock this deal.
That's Y-U-B-I-C-O.
Say no to modern cyber threats.
Upgrade your security today.
We've got our CertByte segment coming up next.
N2K's Chris Hare is joined by Troy McMillan to break down a question from N2K's
Cisco Certified Network Associate Practice Test.
Hi everyone, it's Chris. I'm Content Developer and
Project Management Specialist here at N2K Networks. I'm also your host for this week's edition of
CertByte, where I share a practice test question from our suite of industry-leading content,
and a study tip to help you achieve the professional certifications you need to fast-track your
career growth in IT, cybersecurity, and project management.
Today's question targets the Cisco Certified Network Associate CCNA exam 200-301, version
1.1, which was updated in April 2024.
This exam tests skills related to network fundamentals,
along with new topics such as generative AI,
cloud network management, and machine learning.
I've enlisted Troy as our new guest host today.
He's a specialist in all things Cisco,
ISACA, and EC Council.
Welcome, Troy, how are you today?
I'm doing great, Chris, thank you for having me.
Absolutely. And before we get into it, be sure to stick around after our question for our special study bit for this test,
as well as for the latest news on upcoming N2K practice tests.
Okay, so we're going to be turning the tables and Troy, you're going to be asking me today's question.
Troy, I turn it over to you.
Okay, Chris, here's your question.
You've discovered that hackers are gaining access
to your web wireless network.
After researching, you discovered that the hackers
are using war driving methods.
You need to protect against this type of attack.
What should you do?
And it tells us that there is more than one correct answer.
Okay.
Your choices are change the default SSID, disable the SSID broadcast, configure the
network to use authenticated access only, or configure the WEP protocol to use a 128-bit
key.
Okay. So before I answer, Troy, I understand this is under the network fundamentals objective
and the describe wireless principles sub-objective, correct?
That is correct.
Okay, and I have more than one correct answer.
So on the exam, should students expect "select more than one correct answer" or do they say
"select two," et cetera?
Well, it may even be more difficult than that, Chris. I hate to inform you that
sometimes they may even say "select all that apply."
Oh okay yeah that makes it even tougher. So to help me out since this is way out
of my wheelhouse what does WEP stand for?
It stands for Wired Equivalent Privacy, the
name attempting to imply that the security is as good as being on a wired
network.
All right, and for those who are not familiar with what a
wardriving method is, could you explain that a little bit?
Wardriving is when a
hacker rides around in a car, that's where the driving comes from,
and they use a high-powered antenna attached to a laptop to see if they can discover what
wireless networks are in the area.
And sometimes they'll go a step further and they'll record information about the network,
its security
settings, whether it's an open network or not, and they sometimes share that information
online with other hackers.
Okay.
Wow.
All right.
So I'm going to assume there's never an option on this exam to select all answer choices.
So I'm going to choose the following based on them sounding like a logical set of sequential
steps.
I'm going to select B, disable the SSID broadcast, and C, configure the network to use authenticated
access only.
Am I right?
Good try, Chris.
You're partially correct.
The answers are actually A, D, and C. You had three choices here.
Here's why.
To protect against war driving,
you need to change the default SSID,
disable the SSID broadcast,
and configure the network to use authenticated access only.
You would change the default SSID
because if you don't change that default,
hackers generally see that and assume that you haven't changed any of the other security settings
such as the administrator password. You would disable the SSID broadcast to prevent them from
even seeing the network when they scan for networks. And then, configuring the network to use authenticated access only would be a final step to ensure
that even if somehow they do get access to the network, they can't log in.
Now you shouldn't configure the WEP protocol to use a 128-bit key. Because in recent years, this particular encryption protocol
has been proven to be ineffective. It's very easily cracked.
In fact, it's so easily cracked that we have students
doing it in classes now. So that would not be something you want to use.
Wow. Okay. That's all great info. Now, we're
going to get into your study bit in a moment, but how would you instruct students
on how they can prepare for a question of this type?
Well, first of all, I would say don't jump for the first shiny object that you see.
Oftentimes, when you're looking at a set of options to a question, one may jump right
out at you as being correct, and in
your excitement to know the right answer, you may not read the question as completely
as you should, and there could be one small detail in the question that rules that particular
option out.
So carefully consider all the options before you jump for what you think may be the quickest answer.
That is really great advice and that could probably apply across many different types of exams. So
great. And who would you say is the target audience for this exam?
Well, the CCNA exam is sort of the entry-level exam to the Cisco ecosystem.
So the target audience for this would be people that are just beginning to get into Cisco.
On the other hand, I would say that anybody that wants to take this exam should have some
background.
They probably want to have already passed some other exams, like the Network+ exam
and the A+ exam.
They probably want to have some background in networking before they do this exam.
Great information and question, Troy.
All right.
So now it's time to discuss the study bit for this test.
What do you have for us?
The study bit for this one is time management because you're going to have, based on the
number of items you're going to get and the amount of time you have, you're going to have
90 seconds per item to answer these questions. So you can't get stuck on one. If you come to a
question and you don't know the answer, you want to think about it, move on. Make sure you answer
all the questions that you know first so that you don't leave any unanswered.
Awesome tip. Thanks so much for being here with me today, Troy.
You're welcome.
And as we wrap up today's episode, are there any upcoming practice tests you'd like to promote here?
Yes, we just released the CompTIA Tech+, the AWS Certified AI Practitioner,
and Azure AI Engineer Associate Practice Tests.
We'll also have more coming up for CompTIA,
Microsoft, and Oracle next month.
Thanks so much, Troy, and thank you for joining me for this week's CertByte.
If you're actively studying for this certification and have
any questions about study tips or even
future certification questions you'd like to see, please feel free to email me at certbyte at n2k.com. That's C-E-R-T-B-Y-T-E at
n, number 2, k dot com. If you'd like to learn more about N2K's practice tests, visit our website at
n2k.com forward slash certify. For sources and citations for this question, please check out our show notes. Happy certifying!
Be sure to visit our show notes for links to the practice test and other helpful resources
that Chris and Troy talked about.
Hey everybody, Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up,
they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports
so you know exactly what's been done.
Take control of your data and keep your private life private
by signing up for DeleteMe.
Now at a special discount for our listeners.
Today, get 20% off your DeleteMe plan
when you go to joindeleteme.com slash n2k and
use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k.
And for our final story today, cyber criminals aren't just launching attacks.
They're studying how law enforcement investigates them.
A cyber crime investigator recently revealed
that hackers use the US court's system called PACER
to analyze legal cases, learning investigative tactics
and adapting to avoid prosecution.
But PACER access is just one of law enforcement's challenges.
A major hurdle is the lack of standardized naming
for hacker groups.
Different cybersecurity firms use different labels for the same threat actors, making it harder to track and dismantle cyber
criminal operations. Jurisdictional red tape further complicates cyber investigations.
With 40 federal agencies handling cybercrime, overlapping cases create inefficiencies. Unlike
Europol, which assigns dedicated personnel to cross-border cases, US agencies rely on
detailees who remain tied to their home organizations, often competing rather than collaborating.
The solution?
Well, we've been saying it for a long time.
Standardized threat intelligence, better coordination between agencies, and more flexible jurisdictional
policies.
Cybercrime knows no borders.
And law enforcement must evolve to keep up.
And that's the CyberWire. We'd love to know what you think of this podcast. Your feedback
ensures we deliver the insights that keep you a step ahead in the rapidly changing world
of cybersecurity. If you like this show, please share a rating and review in your podcast
app. Please also fill out the survey in the show notes or send an email to cyberwire at
n2k.com.
We're privileged that N2K CyberWire is part of the daily routine of the most influential
leaders and operators in the public and private sector. From the Fortune 500 to many of the
world's prominent intelligence and law enforcement agencies, N2K makes it easy for companies
to optimize your biggest investment, your people. We make you smarter about your teams
while making your team smarter. Learn how at n2k.com.
N2K's senior producer is Alice Carruth. Our
cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music
and sound design by Elliot Peltsman. Our executive producer is Jennifer Iben.
Peter Kilpe is our publisher and I'm Maria Varmazis in for Dave Bittner.
Thanks for listening. We'll see you tomorrow.
Cyber threats are evolving every second, and staying ahead is more than just a challenge,
it's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions
designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit threatlocker.com today
to see how a default deny approach can keep your company safe
and compliant.