The CyberWire Daily Podcast 4.5.22
Ep 1550 | 4.5.22

Disinformation at the UN. Phishing against Ukraine. Hydra Market taken down. Is someone carrying on for Lapsus$? Compromise at Mailchimp. FIN7 branches out into ransomware.


Dave Bittner: Disinformation at the U.N. Russian cyber operations against Ukraine. German police take down a major contraband market. At least someone's carrying on for Lapsus$. There's a compromise at Mailchimp. Joe Carrigan describes JavaScript vulnerabilities. Carole Theriault has an eye on romance scams through the lens of Netflix's "The Tinder Swindler." And a well-known gang branches out. From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 5, 2022.

Dave Bittner: Fighting in Ukraine shifts as Russia retreats from Kyiv to reconstitute and shift forces to the Donbas and the Black Sea. U.S. national security adviser Sullivan sees a long war ahead, Bloomberg reports, one that could last for months. 

Dave Bittner: It's necessary to devote some attention to Russian disinformation and its debunking, since we can expect to see Russia's themes planted and amplified online. 

Dave Bittner: After the United Nations secretary general this morning called for an immediate end to the war against Ukraine, a humanitarian cease-fire, Ukrainian President Zelenskyy addressed the United Nations Security Council. He denounced in detail Russian atrocities in Bucha and other cities Ukrainian forces have now retaken. We all know, Mr. Zelenskyy said, what Russia will tell the world. They will blame everyone just to justify their own actions, he said. Russia's method has been to insist that there are differing accounts of events and divergent interpretations. But this is done just to sow confusion. 

Dave Bittner: In this case, however, President Zelenskyy said, the evidence is incontrovertible and preserving that evidence and publicizing it is vitally important. He said, the Russian military and those who gave them orders must be brought to justice immediately for war crimes. He called for trials like those held in Nuremberg after World War II, pointedly reminding Russian diplomats that the Nazi foreign minister, Ribbentrop, didn't escape punishment in 1946. President Zelenskyy called for equal treatment of all nations and an end to the privilege Russia has enjoyed as a permanent member of the Security Council. 

Dave Bittner: Russia's representative on the council, in a strikingly mendacious response, asked that the U.N. recognize Russia's humanitarian work in Ukraine. He deplored Ukraine's interference with those efforts. He characterized Russia's mass abduction of Ukrainian citizens to Russia as a voluntary, humanitarian effort. As we note, these themes can be expected to reappear in Russian disinformation over the coming week. 

Dave Bittner: Security firm Intezer followed up CERT-UA's discovery of a new malware framework being used in phishing campaigns. They said, "A recently developed malware framework called Elephant is being delivered in targeted spear phishing campaigns using spoofed Ukrainian governmental email addresses. The four malware components delivered are used for stealing credentials, documents and to provide remote access to the infected machine. Two of these components were first reported on by the Computer Emergency Response Team for Ukraine - that's CERT-UA - in March 2022. They named the two components GraphSteel and GrimPlant. When investigating these events, we have identified that Elephant has also been delivered via phishing emails from spoofed Ukrainian email addresses. Elephant is a malware framework written in Go." 

Dave Bittner: Germany's federal police, the BKA, today announced its takedown of Hydra Market, the largest Russophone dark web contraband market. The blockchain analysis firm Elliptic says that it's been able to determine that Hydra Market has processed some $5 billion in bitcoin since 2016, with its take peaking in 2021. The BKA said that it had seized about 23 million euros from the illegal trading platform and that its investigation and takedown had been accomplished in cooperation with international partners, especially U.S. law enforcement agencies. In addition to trading such contraband as illegal drugs and stolen data, Hydra Market was heavily involved in money laundering. 

Dave Bittner: London police may have arrested several alleged leaders of the Lapsus$ group and arraigned two of them, but Naked Security reports that the gang's activities seem to have resumed. Evidently, some of its members are carrying on even after the leaders' arrest. 

Dave Bittner: Mailchimp says it's discovered and contained a data breach accomplished by criminal social engineering. TechCrunch reports that about 300 user accounts were compromised and that customer data was extracted from 102 of those. The stolen data appears to have been put to use in phishing attempts against the cryptocurrency and financial services sectors. Bleeping Computer reports that cryptocurrency customers appear to be particularly at risk. The problem is social engineering on the basis of stolen information, not direct corruption of Mailchimp's systems. 

Dave Bittner: In what appears to be news from the C2C marketplace, according to researchers at Mandiant, the financial cybercrime gang FIN7 is branching out. Hitherto best known for breaking into payment systems and corporate networks, FIN7 has now added ransomware to its repertoire. FIN7 is now using REvil, DarkSide, BlackMatter and ALPHV ransomware. 

Dave Bittner: Our correspondent Carole Theriault recently checked out the popular Netflix film, "The Tinder Swindler," and that's got her pondering romance scams. She files this report. 

Carole Theriault: Based on a glut of news coverage that I'm seeing from my little corner of the internet, Netflix's "Tinder Swindler" is all the rage. Don't worry if you haven't seen it. I won't ruin it for you, other than to say it shows to what lengths some people are willing to go to dupe another person. There are a number of jaw-dropping moments that made me take pause 'cause normally when I hear about romance scams, I find it hard to relate to the conned individual. Normally I'm thinking, how could she - yeah, it is normally women who are victims here in romance scams - how could she not see what was going on? But "Tinder Swindler" opened my eyes because I related to some of the victims doing their due diligence to try and see if this was a good match for them. See, I'd like to think that's what I would do, too. But turns out, just because you do your due diligence does not mean you definitely will not be conned. 

Carole Theriault: And this is an important topic because romance scams have skyrocketed. Did you know that according to the U.S. Federal Trade Commission, the FTC, online dating scams cost Americans $304 million during the lonely months of the 2020 pandemic? That figure's increased almost 50% from 2019. And the U.K. isn't any different. There were reportedly more than 7,500 cases of romance fraud in the last year alone, an annual rise of 40%. 

Carole Theriault: So let's take this opportunity to go through just a few things to look out for if you should find yourself in the online dating scene. And really, it comes down to noticing and reacting to red flags, like if the profile is too incredibly heroic and Prince Charming-like. Or perhaps the pictures are a little bit blurry or even look a bit photoshopped. Maybe they never want to meet you in person or even have a video call with you. Maybe they try and employ the love-at-first-sight tactic using language like I've never met anyone like you before; I've never felt this way - something like that to make you feel all aflutter and lose your head. And the whole game is to move you from a potential love interest into the love zone as quickly as possible because once you are there, they can start trying to get their grubby little hands on your hard-earned cash. 

Carole Theriault: And the killer - the killer in all this is that so many of us right now are isolated, lonely, in need of communion with another person more than ever before. So we're sitting ducks. And how do ducks protect themselves? They stay in a pack. So if you do find a love interest online, tell your friends and your family about it. Get their take, and listen to the people who love you. Because if there's one thing I've learned about how to defeat scammers, it's that there's power in numbers. It's much easier to fool one person than it is to fool three or five or 10. This was Carole Theriault for the CyberWire. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Interesting information coming from you and your colleagues over at Hopkins. 

Joe Carrigan: That's right. 

Dave Bittner: You all identified a vulnerability in some websites, so what exactly is going on here, Joe? 

Joe Carrigan: So this is some research done by Dr. Yinzhi Cao and some of his Ph.D. students. And they found a vulnerability - it's a JavaScript vulnerability - called ProbeTheProto, which is something, when you're writing JavaScript - I haven't written JavaScript in years, but I did get a look at the vulnerability - that permits a user or a malicious actor to inject arbitrary code into the JavaScript prototype, which can then essentially export any information out, including, like, tokens, browser tokens and cookies and things. 

Dave Bittner: Oh, wow. 

Joe Carrigan: It allows session hijacking and a lot of other cross-site scripting attacks. 

Dave Bittner: OK. 

Joe Carrigan: But that's not what I want to focus on because I wasn't involved in the technical portion of this, but because Dr. Cao is an ISI instructor, and he found a vulnerability, he worked with me as the Information Security Institute's vulnerability disclosure coordinator to tell the websites that he and his team examined. Now, the examination happened offline, so we requested the websites, the students requested the websites, ran the analysis on a local computer. 

Dave Bittner: Right. 

Joe Carrigan: That analysis was not - we didn't do anything against anybody else's computer. All we did was access freely available websites and then analyze them... 

Dave Bittner: OK. 

Joe Carrigan: ...To see if they were vulnerable. Twenty-seven hundred of these websites were vulnerable out of the top 10,000 websites. 

Dave Bittner: So did you fire up the Hopkins Bat-Signal? 

Joe Carrigan: That's right. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: This was the largest vulnerability disclosure that I have - that I think we've ever done. 

Dave Bittner: Wow. 

Joe Carrigan: Right? Because we found this vulnerability. It's out there. It's 2,700 sites that we know about. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? And these are only the ones we looked at. There are probably many more sites that are vulnerable to this attack, but then we had to notify all the 2,700 sites, which was a huge task. 

Dave Bittner: Yeah. 

Joe Carrigan: So I wrote the disclosure document. I - you know, and I handed that off to the students because there's no way I was going to be able to go through and do everything. Additionally, when I was going to be - when a question was going to be asked about this, I wasn't going to be able to answer the technical questions as well as the students and Dr. Cao were. 

Dave Bittner: Sure. 

Joe Carrigan: I mean, I could've done that, but that would've taken much more time than I had. 

Dave Bittner: Yeah. 

Joe Carrigan: And as long as I'm involved in the process, that's fine. What I want to talk about is what happened when we made 2,700 disclosures. 

Dave Bittner: OK. 

Joe Carrigan: We heard back from maybe 50 of these people, 50 of these organizations who had questions. Now, I will say this. The tone of every one of these organizations was gratitude and appreciation for the work. 

Dave Bittner: Oh, that's good. 

Joe Carrigan: Right? And in the letter, I made sure that we described that we weren't actively exploiting anything on their systems at all. 

Dave Bittner: Right. 

Joe Carrigan: We're just doing the analysis back home, but that analysis could be done, or that vulnerability could be exploited via cross-site scripting, right? 

Dave Bittner: OK. 

Joe Carrigan: And we also provided the fix for it because the fix is actually fairly simple. 

Dave Bittner: Oh, good. 

Joe Carrigan: Out of the 2,700, about 50 people responded, which, to me, says that a lot of these sites just didn't even read the email. 

Dave Bittner: Yeah. 

Joe Carrigan: And that's not uncommon, in my experience. 

Dave Bittner: Right. 

Joe Carrigan: Companies need to have some kind of vulnerability disclosure process, regardless of who they are. You know, if you have a website anywhere that you maintain, somebody has to be able to tell you about vulnerabilities on that website, even if you don't maintain it. So, you know, you're a small business - small, medium-sized business - and you have a contractor that says, we'll host your - we'll host and manage your website for you, ask them this question - how do you handle when somebody discloses a vulnerability on my website? That's an important question to ask. 

Dave Bittner: Mmm hmm - is there a real human being who's reviewing these submissions? 

Joe Carrigan: Right. 

Dave Bittner: Yeah. 

Joe Carrigan: Yeah. I would like to see 100% response from these things - oh, hey, great. Thanks. We'll fix that. 

Dave Bittner: Right. 

Joe Carrigan: But - and maybe that's what happened with a lot of them. Maybe a lot of them just said, oh, look at this. We'll just make this change to the JavaScript, and we're done. 

Dave Bittner: Yeah. 

Joe Carrigan: And - but I don't know that that's what happened. 

Dave Bittner: Yeah. 

Joe Carrigan: I don't know. 

Dave Bittner: Are there any plans to go back and do any checking to see, I mean, you know, a year from now, revisit some of these sites and see if it's been fixed? 

Joe Carrigan: That is interesting. That would be some good follow-on research, wouldn't it? 

Dave Bittner: (Laughter) That's right. I'll just take that honorary doctorate any - it's - there's two T's in Bittner, so... 

Joe Carrigan: Right (laughter). 

Dave Bittner: Yeah (laughter). 

Joe Carrigan: I'll hook you up with Dr. Cao, and maybe you could become one of his Ph.D. students, Dave (laughter). 

Dave Bittner: There you go. Yes. That's what I need (laughter). All right, well, so, I mean, what's the take-home here for you? Are you - were you disappointed to not see more response, or - I guess... 

Joe Carrigan: I was not disappointed. 

Dave Bittner: Disappointed, but not surprised... 

Joe Carrigan: Right, yeah. 

Dave Bittner: ...You know? 

Joe Carrigan: I guess maybe that's the better way to say it. I am happy to see that no one said, you'd better not disclose this or we'll sue you. 

Dave Bittner: Oh, yeah, 'cause that happens sometimes, right? 

Joe Carrigan: It does, and I have a response for that (laughter). 

Dave Bittner: Yeah. 

Joe Carrigan: I say, you know, our counsel knows about this. 

Dave Bittner: Yeah. 

Joe Carrigan: You are welcome to sue us (laughter). 

Dave Bittner: Right. 

Joe Carrigan: It will not end well for you... 
Joe Carrigan: ...Because this is a mistake that you have made... 

Dave Bittner: Right. 

Joe Carrigan: ...And it's a mistake that's out there, and we're going to publish the methodology, and it will be in the - you know, in the vulnerability mindset within a couple of months. And we gave everybody a good, long non-disclosure period on this. 

Dave Bittner: Yeah. Yeah. All right. Well, if you're interested in the actual vulnerability, again, I guess just do a search for ProbeTheProto, and you'll find the publications that Johns Hopkins - the ISI - has put out about this - interesting stuff. Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.