The CyberWire Daily Podcast 5.12.22
Ep 1577 | 5.12.22

Killnet hits Italian targets. Access restored to RuTube. Hacktivism in the hybrid war. Emotet surges. NPM dependency confusion attacks were pentesting. Cybercrime and punishment.

Transcript

Dave Bittner: Killnet hits Italian targets. Access to RuTube is restored. Hacktivism in the hybrid war. Emotet surges. Clearing up the confusion of NPM dependency confusion attacks. Tim Eads from Cyber Mentor Fund on finding the right investors. Our guest is Michael DeBolt of Intel 471 on the growing interest in biometrics in the criminal underground. And cyber crime and punishment, Florida style.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 12, 2022. 

Dave Bittner: The morning situation report on Russia's war in Ukraine reports, roughly speaking, a stalemate, which from Moscow's point of view might as well be a defeat. Killnet, a hacktivist group aligned with Russian interests, has conducted nuisance-level attacks against a range of Italian targets, Reuters reports. The organizations affected include the Senate, the National Health Institute and the Automobile Club de Italia, the National Drivers' Association. The nature of the attacks wasn't specified, but Killnet's track record and the speed with which the services were restored suggests distributed denial-of-service attacks. Killnet has counted coup against other governments hostile to Russia's special military operation, with Romania having received the most extensive attention from the gang. 

Dave Bittner: Reuters also reports that security teams have restored access to RuTube, Russia's autarkic alternative to YouTube, after the service was downed for three days by hacktivists acting in the perceived Ukrainian interest. The service was taken offline Monday during Russian Victory Day celebrations. 

Dave Bittner: Ukrainian security firm Hacken, which specializes in testing blockchain security, decamped from Kyiv at the beginning of the war and reestablished itself in Lisbon. Since then, The Wall Street Journal reports, the company has both sought to stay in business and to contribute to Ukraine's war effort by hacking Russian services. Among Hacken's contributions is the DDoS application Liberator, which allows users to volunteer their devices for use in DDoS attacks against Russian companies. 

Dave Bittner: The target selection is interesting and shows some insight into Russian logistical weaknesses. One of the companies hit, the Journal says, manufactures military boots. At one level, it's difficult not to sympathize with Hacken and those like them. What thinking person wouldn't wish confusion to the Russian forces? But hacktivism has a downside that parallels the familiar downsides of irregular warfare that the laws of armed conflict have long struggled with. 

Dave Bittner: The annual global HP Wolf Security Threat Insights Report was recently released. The team has identified a 27-fold increase in Emotet malware campaigns in the first quarter of 2022 as compared to the last quarter of 2021 and is now the most common malware family at 9% of all malware identified. HP Wolf Security has identified techniques that cybercriminals are using, including an increase in non-office-based malicious file formats, an increase in HTML smuggling and a two-for-one malware campaign that leads to rat infections. 

Dave Bittner: JFrog, reporting yesterday on the NPM confusion attacks that they and others observed hitting German firms, speculated that the incident might have amounted to nothing more than an unusually aggressive penetration testing effort. That now seems increasingly likely. JFrog reports, following the publication of our blog post, a penetration testing company called Code White took responsibility for this dependency confusion attack. Code White says an intern did it. They say, thanks for your excellent analysis at Snyk. And don't worry, the malicious actor is one of our interns who was tasked to research dependency confusion as part of our continuous attack simulations for clients. 

Dave Bittner: JFrog doesn't give this particular pen test good reviews. Shachar Menashe, their senior director of security research, wrote in an email, I think this level of payload on a legitimate pen test is pretty irresponsible. First of all, since the code has absolutely no indications in it in the source code or in its metadata, the NPM package description, this could have put the company's threat response team into high alert, wasting the client's resources on nothing. Adding a simple string for security pen test purposes on the NPM package description or even in the source code could have prevented this while still proving the point, as was presented in previous very successful attacks

Dave Bittner: In a rough and ready way, Intel 471 suggests that defenders look for three classes of tools - Trojans, information stealers and, unsurprisingly in the wake of the NPM dependency confusion incident in Germany, penetration testing tools. Those last, of course, have their legitimate uses, but they're also readily susceptible to abuse. This isn't, as Intel 471 cautions, anything remotely resembling a panacea, but it can be a useful starting point. 

Dave Bittner: And finally, there's been a conviction in a federal cyber fraud case in Florida - actually, three convictions, all of them on guilty pleas. So here's what happened, according to the Office of the United States Attorney for the middle district of Florida. These three guys all copped pleas to conspiracy to commit fraud and aggravated identity theft. The boys got busy. The trio conspired to knowingly and with intent to defraud, possess thousands of counterfeit and unauthorized access devices, including the names, Social Security numbers, account numbers, usernames and passwords of identity theft victims. These are not hacker masterminds. 

Dave Bittner: What was their secret? Volume, apparently, just like in the big, big sales Crazy Eddie used to run. They emailed each other the elements of personally identifiable information they came across, used it to open accounts fraudulently. And because your secret is volume, you don't have to hit on every try. And they also purchased server credentials from somewhat savvier hoods in the underground C2C market. 

Dave Bittner: IRS-CI special agent in charge Brian Payne said, this trio wrongly assumed that their crimes would be untraceable, hidden under a cloak of internet anonymity. Through sophisticated investigation techniques, IRS-CI and our partners uncovered a digital set of footprints leading to these three criminals. Today's sentencing now holds them accountable for their crimes and should serve as a warning to others involved in this parasitic behavior. So take heed, wise youths, and turn, turn away from that life of crime. 

Dave Bittner: The security team at Intel 471 has been tracking increased activity on dark web markets and forums regarding biometric security controls. Michael DeBolt is chief intelligence officer at Intel 471. 

Michael DeBolt: Cybercriminals are opportunistic. Financially motivated cybercriminals are just looking for every which way they can get in, and they can monetize based on their access and the data they can get access to. And so they're looking at biometric authentication, how they can get access to that data. And then how they can find vulnerabilities to extract that information and leverage that in the financially motivated cybercrime underground is kind of the next phase. 

Dave Bittner: Yeah. One of the things that your research pointed out was the use of this biometric information in a lot of national identification cards. I think, you know, here in the U.S., that's an area where perhaps we lag behind some other nations that are leading the way with this. 

Michael DeBolt: Yeah, absolutely. I mean, one example of - so we would call this documentation fraud. And it caught our attention back in late 2020. And we've seen a couple of situations that emulate this as well. We've had two Iranian actors coming into the marketplace, and they offered to sell biometric and also other identification documents that could be leveraged in multiple countries. And what they were claiming is that they had leaked that or stolen that from an Iranian government website. And this was something around 80,000 national ID cards. Now, we couldn't confirm 100% the validity of those claims. But, you know, if it's true, it just kind of gives an example of the volume to which biometric-based ID cards can be used and sold in the underground to further illicit criminal activity. 

Dave Bittner: You know, I think for most of us, in our imagination, when we think of biometric authentication, it probably comes in two categories. One is the - you know, the Hollywood version, where, you know, somebody in a "Mission Impossible" movie either scans their handprint or does a retina scan. But then there's also the day-to-day stuff that I think many of us experience - so things like Touch ID or Face ID or, you know, the various platform versions of that. What is the practical use of these that are on the dark web? I mean, when - if someone gets your biometric information from one of these national cards, what does that open up for them? 

Michael DeBolt: Yeah, I think you're right. I think there's just - we already talked about documentation fraud. That's one. Really it comes down to, you know, building new identity profiles using that biometric information and spoofing or impersonating the true identity of the person that you stole. So... 

Dave Bittner: I see. 

Michael DeBolt: And I would also say that because this is somewhat of a new sort of thing for us - you know, utilizing biometric authentication as a security mechanism is still somewhat new, is certainly newer than traditional password-based authentication methods - the actors are starting to talk a little bit more about this, discussing, sharing new ideas about how to access this kind of information and how to leverage it for furtherance in their criminal activity, in their schemes. 

Dave Bittner: You know, from an organizational point of view, do you have recommendations for implementing these sorts of things? I mean, users love the convenience of it, but is it something to keep an eye on; that, you know, it's not the panacea that it may seem to be? 

Michael DeBolt: Yeah, I think you're right. So just like passwords, you know, encryption, encryption, encryption, right? Encryption is a must both for in-transit and at-rest biometric patterns and the profiles and templates that are stored in the back end. Also, just like passwords or really any other type of proprietary or sensitive data that you're storing, pay really close attention to exposed databases. A lot of the specific examples that we've seen in the underground are as a result of leaked or exposed databases that are really openly accessible on the internet. So just make sure that we're scrutinizing sensitive databases, making sure that we're segmenting them properly within the network. 

Michael DeBolt: And those tips kind of - they apply to, broadly, you know, any authentication method that you're using - password-based or biometric-based or anything else. But I think there's a couple of others that are more specific to biometric authentication. So a lot of organizations use anti-fraud or anti-spoof vendors. And some of those, you know - they're really great options for password-based fraud monitoring. But not all of them cover biometrics. They just haven't caught up, or it's not their focus areas. So just make sure you have something in place to ensure you're able to, you know, monitor spoof and impersonation attempts and ensure that, you know, the systems that you have in place and the internal processes can pick up on those things. 

Michael DeBolt: And then kind of in the same vein, if you're using a third-party vendor solution - and third-party risk is a huge thing right now with SolarWinds and some of the other stuff that we've seen over the past 12 months or so. And so this is the same for biometric authentication, right? If you're using a third-party vendor solution for biometric authentication, make sure you fully understand, you know, how your data is being handled, how it's being stored. And then also, I'd say stay alert to any possible sort of third-party breach incidents that may be affecting that third party that will have a downstream effect on your users. 

Michael DeBolt: And then last but not least, you know, a lot of the stuff that we try to illuminate in our reporting is from the perspective of the bad guy in the cybercrime underground. And so when you have monitoring in place, you understand what the threat actors are prioritizing, what they're going after, how they're obtaining this information from - in the first place, and then how they're, you know, using it as - in their end goals and their end schemes. It's really important to understand all of that so you can put together the security controls internally to be able to mitigate that more proactively. 

Dave Bittner: That's Michael DeBolt from Intel 471. 

Dave Bittner: And joining me once again is Tim Eades. He's the CEO at vArmour and co-founder of the Cyber Mentor Fund. You know, Tim, you and I have spoken previously, and you sort of touched on this notion of finding the right venture fund to fit your organization's particular needs. I want to dig into that, spend a little more time on that. What's the importance there? 

Tim Eades: Thanks, David. It's great to be here. I think the - when you look at raising money, you're looking at getting married. Look at it that way, right? So when you get married, you have to date first. You want to date first for all sorts of reasons on both sides, right? And when you get into that dating scenario, you can get to know somebody. You get to see how they react. In the venture - or the investor side of these things, you need to go talk to the previous CEOs that they work with and say, what happened when the company was getting acquired? What happened when the company was going through a tough time? It's very easy to get good feedback when it's a good time. But what happened when you did a misstep? What happened if you missed a quarter? What happened if you - when you were trying to get acquired, did they agree? Were they constructive? Did they come with the right advice? 

Tim Eades: So as you're going through that process of dating - raising money and dating, make sure you do your reference checks about the bad times, you know, through talking to previous CEOs that they've been partnering with because, you know, divorce is expensive, complicated and very difficult to get people off the board, particularly if it's not set up correctly. So, you know, I always look at it - you know, investing and marriage is the same thing. 

Dave Bittner: (Laughter) You know, I think when it comes to - perhaps stretch your dating metaphor to its limits, there's that notion that, you know, desperation is not attractive. For the folks who are out there trying to raise the money, does that apply to them as well? 

Tim Eades: Yeah, for sure. I mean, absolutely. I mean, I always tell people it takes you about five months to raise money - right? - from when you start dating to when the money's in the bank, you know? And you should assume kind of that kind of time period. I will also tell you raise, like, 30% more money than you thought you were going to have because you never know. You might make a misstep. And it's always - you know, when you come to do another round, you need to do it from a position of strength. 

Tim Eades: But start dating. Do it casually to begin with. You know, meet three or four independent VCs. Pull together four or five slides. Get to know them. They need to get to know that you can - you have the - you know, you have the domain permission. You have the right technology. You understand the problem statement and that you have the right team, and you can execute milestones. And over those four or five months, they're going to get to know you, that you're hitting those milestones that you put out there. But at the same time, you've got to row back to them. 

Tim Eades: And I would strongly advise that they need to come up with a list of questions - they, the entrepreneur - of what you want to ask these people. You know, tell me about when an investment went wrong. Tell me the bad side of what goes on. Tell me how you reacted. Too often, some of the entrepreneurs don't feel that they have that right or that permission to ask those questions. And I would absolutely say they do. And it's good. It's a good right. And they need to ask that. 

Dave Bittner: Does it sometimes happen where, you know, you'll meet with someone as a funder, and you'll say, this is not a good match for me; you know, this is definitely not a love connection here, but I think I might know someone who, you know, fits your needs better than I do? 

Tim Eades: For sure. I think there - some people will come to the Cyber Mentor Fund or other venture friends of mine and say, we are looking at the world this way. And sometimes we might just have a philosophical disagreement, or we might turn around and say, look, you know, we already have an investment in that category. Please stop communicating. We're not that kind of group. But however, look, there is room for more than one company in this space. Go talk to Jonathan at SignalFire or someone like that or, you know, Charles (ph) or - at Riley (ph) or somebody. But, like, you know, we're not - you know, the fundamental mission that I think we live by, and we should all live by, is making the countries and the enterprises more secure. And no one company would take it over. So we farm those off. 

Tim Eades: But yeah, sometimes you meet with people, and in my opinion, if they're just uncoachable and they don't have the self-awareness, those are the times where we - then we'll - by our grace, we'll just say, hey, not quite a fit - because we go in as the Cyber Mentor Fund very, very early, and we find it very, very rewarding by doing that. But it's got to be a reciprocal environment. Like, it's got to be fun on both sides. 

Dave Bittner: All right. Well, Tim Eades, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.