The CyberWire Daily Podcast 7.12.22
Ep 1617 | 7.12.22

High-end and low-end extortion. Push to start–wait, not you… Social media and open-source intelligence. Russian cyberattacks spread internationally. Preparing for cyber combat.

Transcript

Dave Bittner: Extortion, both high-end and low-end. Vehicles from Honda may soon be rolling off the lot. Social media and open-source intelligence. Russian cyberattacks spread internationally. Joe Carrigan surveys items for sale in dark web markets. Our guest is Jonathan Wilson from AU10TIX to discuss consumer sentiment around data privacy. And preparing for cyber combat.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 12, 2022. 

High-end and low-end cyber extortion.

Dave Bittner: Yesterday, we described a report by Resecurity that the BlackCat gang had adopted a quadruple extortion model. The four aspects of the extortion attack are encryption, the threat of doxing, distributed denial of service and, finally, reputational damage achieved by harassing the victim's customers, business partners, employees and media to tell them the organization was hacked. BleepingComputer reports that one novel and upscale feature of this newer approach is provision of a searchable database of nonpaying victims - the better to expose them to reputational damage. 

Dave Bittner: BlackCat may represent the high end of the ransomware-as-a-service market, but that doesn't mean the low-rent simple minds are out of business - by no means. There are still plenty of simpler approaches to cybercrime that require far less talent and attention to detail. Researchers at Sygnia, for example, report on the activities of the Luna Moth group. And these are so low-end that one hesitates to even call them ransomware because where's the ware in all this? Luna Moth uses commodity RATs against its victims, and it does so opportunistically, with little evidence that they're phishing for particular targets. It doesn't bother encrypting data and relies simply on the threat of doxing to extort payment. What's your secret, Luna Moth? How do you do it? Volume.

Hacking Hondas (and others)?

Dave Bittner: Researchers claim to have demonstrated a proof of concept they're calling Rolling-PWN that affects the remote keyless entry systems in Honda models between 2012 and 2022. They say the exploit takes advantage of the keyless entry system's rolling code system, which uses a synchronizing counter to prevent replay attacks. The rolling code system accepts a sliding window of codes to account for the key fob being pressed accidentally or when it's out of range of the vehicle. The researchers say that by sending the commands in a consecutive sequence to the Honda vehicles, they can resynchronize the counter. Once the counter is resynced, commands from the previous cycle of the counter work again. Therefore, those commands can be used later to unlock the car at will. The researchers worked on Hondas, but they think it likely that other makes are also vulnerable.

Dave Bittner: While there are some reports of others replicating these results, the exploit remains, to say the least, controversial. Honda, for one, doesn't believe it, according to BleepingComputer. Honda dismissed the proof of concept as "old news." A Honda representative emailed Vice to say, I'd hope that you would treat it as such and move on to something current rather than creating a new round of people thinking that this is a new thing. We've looked into past similar allegations and found them to lack substance. While we don't yet have enough information to determine if this report is credible, the key fobs in the referenced vehicles are equipped with rolling code technology that would not allow the vulnerability as represented in the report. In addition, the videos offered as evidence of the absence of rolling code do not include sufficient evidence to support the claims. So it's a story worth watching, but so far, the prudent verdict would seem to be not proved. In the meantime, push to start, but be safe out there.

Social media and open-source intelligence.

Dave Bittner: Turning to Russia's hybrid war against Ukraine, the Telegraph cites a blogger accompanying Russian forces in Ukraine in support of its conclusion that NATO-supplied HIMARS rocket artillery systems have been striking fear into Russian troops. On Monday, Roman Saponkov, a Russian military blogger embedded with frontline Russian forces, wrote on Telegram, yesterday, I happened to witness a HIMARS strike on Chornobaivka in Kherson practically in front of my eyes. I've been under fire many times, but I was struck by the fact that the whole packet - five or six rockets - landed practically on a penny. Usually, MLRS lands in a wide area, and at a maximum range, it completely scatters like a fan. It makes an impression. I won't dispute that. It is clear that this is just the beginning. They're going to hammer Kherson and other border cities, Belgorod in particular. They will cover all the command posts and military installations they have gathered data on for the past four months. 

Dave Bittner: Mr. Saponkov sensibly advises his readers that a single wonder weapon is rarely a war winner. We mention this not so much as an observation on the kinetic phases of the war in Ukraine - as compelling and tragic as those may be - but because Mr. Saponkov's comments on the effects of HIMARS fire are a striking illustration of how hard it is to moderate communication via social media, even where there is a strong motivation to do so and a tradition of censorship to draw upon. 

Dave Bittner: Open-source intelligence has played a prominent role in the special military operation from the outset. On the eve of the invasion, for example, foreign observers had a tolerably complete and realistic picture of the Russian order of battle based on posts by Russian soldiers and, for example, by curious Belarusian civilians posting photos of Russian combat vehicles staging through their towns, bumper numbers of the vehicles often clearly visible. This new OPSEC challenge is one all armies will henceforth face to one degree or another. Clearance Jobs quotes security experts on the challenge. Their comments don't neglect the effect too much information can have on servicemembers' careers, but the broader OPSEC lessons are also clear. Domnick Eger, field chief technical officer at Anjuna Security, said the advent of social media has created a whole other realm of oversharing, tracking and personal opinion narrative. And he surely has a point. 

Russian cyberattacks spread internationally.

Dave Bittner: Killnet, the threat actor that represents itself as a hacktivist tendency operating in the patriotic interest of Russia but not under the control of Moscow's security services, has extended its distributed denial-of-service attacks to Polish government sites, the Express reports. As was the case with earlier operations against Lithuania, the most recent DDoS attacks didn't rise above the level of nuisance. Poland has strongly supported Ukraine both since the invasion and during the tensions that preceded Russia's war.

Preparing for cyber combat.

Dave Bittner: And finally, the hybrid war Russia initiated against Ukraine has prompted considerable reflection on how one raises and trains a cyber army, and even irregulars need training and direction. The Record by Recorded Future describes the work of Nikita Knysh, a former employee of Ukraine's security service and founder of the cybersecurity consultancy HackControl, which has been providing Ukrainians with both advice on self-protection and tips on conducting offensive cyber operations against the Russian enemy. Mr. Knysh sees this as a contribution to partisan war against the invader. He dismisses the concerns some have raised about the risks of encouraging hacktivism, even in wartime. He says not attacking your enemy in cyberspace is stupid. In the past, soldiers destroyed logistics and production facilities, but now they also attack technology and information. Taking down a network is becoming to 21st-century guerrillas what blowing up a bridge was to their 20th-century ancestors. 

Dave Bittner: Identity security firm AU10TIX recently shared study data on consumer sentiment around data privacy, looking at issues like preference for security over convenience, corporate responsibility and trust. Jonathan Wilson is chief risk and compliance officer at AU10TIX. 

Jonathan Wilson: For me, I think it was a lot of affirmation of, you know, what I was, you know, seeing in our end-consumer behavior and what our customers were reporting to us. And - you know, and that's like - you know, essentially, today's data privacy world is a little bit like the Wild West. You know, you read a lot of the terms and conditions we're agreeing to when we open accounts, and there's a lot of room for businesses to liberally collect data. And in many cases, companies are collecting, you know, troves of data. And they're doing that perhaps under money laundering and suspicious activity laws that permit them to do that. And in some cases, they're taking liberties that perhaps, you know, they're not allowed to take. But just the, you know, lack of consistent laws and legislation, you know, across the globe, I think, has created a bit of a Wild West. 

Jonathan Wilson: You know, I noticed, you know, coming out of the report that there is this theme of transparency that, you know, I think is missing - that consumers, you know, feel is missing. And I believe we've got a long way to go, you know, to get this - you know, the legal and legislative standard raised so that businesses become more transparent about what they are doing and how they're using personal data. 

Dave Bittner: Is there a sense of resignation on behalf of the users? You know, when faced with these, you know, EULAs that are unreadable - you know, too long to be able to digest - that they feel as though they're not really in control of things? 

Jonathan Wilson: You know, I think there definitely is that sentiment, Dave. They clearly - coming out of the survey that we did, there were a high proportion of the respondents who were feeling like they were a little bit out of control. But I think we are seeing the tide turn a little bit. We're seeing - you know, what I'm seeing is consumers begin to take control again of their data. There are sites that are dedicated to helping consumers understand who has access to their data and to help automate requesting access to the data that's being held. 

Jonathan Wilson: And I think that, you know, the new laws that are emerging - in particular, if we look at the U.S. market, you know, there's - today there's a handful of states that have data protection laws, and - but there's a handful of states coming out with data protection laws. And there's also a, you know, federal law that's being positioned at the moment. So I think a lot of that is coming from consumers that are, you know, quite frankly, probably fed up with being in the place of not being in control, and they want to take back that control. 

Dave Bittner: Yeah. One of the things I noticed in the report here is that it seems as though consumers are really looking to the businesses themselves to take responsibility for taking care of a lot of this data. 

Jonathan Wilson: Yeah. Very, very clearly, they are. I think the consumers are putting the onus on care of the data back where it belongs, really, which is where it's being collected. It's at the business level and at the, you know, commercial level, the service provider level. And so I think there is an expectation that consumers have that - kind of going back to what I had said a little bit earlier, that companies start to become transparent about what they're collecting, why they're collecting it and what they intend to do with it. 

Dave Bittner: Based on the information you've gathered here, what are your recommendations for organizations to, you know, align themselves with the desires of consumers? 

Jonathan Wilson: My recommendations would be to understand the data protection laws that, you know, apply to them, but also not just apply to them, but also the data protection laws that, you know, exist globally. There are some really good standards out there, such as GDPR, you know, in Europe and CCPA on the west U.S. coast - and, you know, to examine them and understand the best practices within them to, you know, effectively treat customers as they're demanding to be treated. 

Jonathan Wilson: I think also, Dave, we can really - we can help the situations and organizations can help the situation by leveraging and deploying emerging technologies. So there are technologies available, such as, you know, for example, verifiable credentials. And this type of technology puts the power and the sovereignty of the consumers' private information back into their control. It allows them to hold it, for example, on their mobile device and to control when it's shared. So identify, you know, the relevant technology, assess it, apply it and be ready to deploy the emerging technologies which are putting the power back into the hands of the consumers, which is really good business. 

Dave Bittner: Are you optimistic that we're heading in the right direction here? Do you have a sense that we're gaining ground? 

Jonathan Wilson: I do. I do think we're gaining ground. If I look at what's happening, you know, in the U.S. market - I mean, it's clear, Dave, that, you know, the European market has a fairly robust set of requirements and legislation. But if we look in the U.S., we see the maturation of data protection laws of states - again, states that are going to be passing their own data protection laws. And we also see movement at the federal level. And I think that companies are starting to see that there are - there's some teeth to these data protection laws. You know, we're seeing fines being levied. And companies have - really have no choice to, you know, sit up, take notice and to take the data protection laws seriously. So I do think that - I do think we're making progress. 

Dave Bittner: That's Jonathan Wilson from AU10TIX. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Interesting report came out recently - this is from the folks over at the Privacy Affairs website. This is written by Patricia Ruffio, and it is the "Dark Web Price Index" for 2022. A lot of interesting data in here, Joe. I thought maybe we could unpack this together. 

Joe Carrigan: I love these kind of reports, Dave... 

Dave Bittner: Yeah? 

Joe Carrigan: ...Because I've always wondered, what does my ID cost on the dark web? How much is my email account worth? 

Dave Bittner: Yeah. 

Joe Carrigan: Not much, it turns out. Email database dumps - you can get 10 million email addresses for 120 bucks, right? And that's for USA email addresses. 

Dave Bittner: OK. 

Joe Carrigan: Apparently, New Zealand email addresses are a little more pricey. For 600,000, it's $110. 

Dave Bittner: Yeah. 

Joe Carrigan: So it's a lot more per email address. And Canadian email addresses are also more expensive than American email addresses. They have a bunch of different things in here about, like, getting into hack services. 

Dave Bittner: Right. 

Joe Carrigan: Dave, are you paying for Netflix every month like a chump? 

Dave Bittner: (Laughter). 

Joe Carrigan: Because if you have $25, you can get a hacked Netflix account that already has a one-year subscription. 

Dave Bittner: I am paying for a lot of people in my family to watch Netflix, let me tell you... 

Joe Carrigan: Right. 

Dave Bittner: ...Not all of them under the same roof. 

Joe Carrigan: Shh, Dave. Don't say that. 

Dave Bittner: (Laughter). 

Joe Carrigan: That's not true, of course. 

Dave Bittner: No. I'm just planting a hypothetical out there. 

Joe Carrigan: Right. Yes. 

Dave Bittner: Yes. Yes. 

Joe Carrigan: Here's an interesting one. Hulu - they'll sell you a Hulu account for five bucks. But isn't that pretty close to what the price of a Hulu account is if you just get it? 

Dave Bittner: Yeah, I think it depends. There are different tiers, I think. 

Joe Carrigan: Yeah, there's advertising tiers. 

Dave Bittner: What's interesting to me in here are the wide variation of the value of different things. 

Joe Carrigan: Yes. 

Dave Bittner: Some of these I didn't know or expect. Evidently, passports are quite pricey. 

Joe Carrigan: They're very pricey. 

Dave Bittner: Yeah. 

Joe Carrigan: They're like 3,800 bucks for a passport here. And that's actually another thing - later in the article, there's a list of price changes over time, and passports have come down significantly in cost. A lot of things have come down in cost. In fact, most of the items on this list - including social media accounts, followers and all that stuff - has come down in price. So yeah, passports are down in price about 200 bucks - from 4,000 to 3,800 bucks, so not a big drop in price. But they're still very pricey - $3,800. Other IDs have gone up in price, things like a Louisiana driver's license or a New Jersey driver's license. A fake green card is up ten bucks. 

Dave Bittner: Yeah. 

Joe Carrigan: It's - a European Union national ID averages around 160 bucks. That's up about 40 bucks from last year. U.S. driver's license - I don't know what a U.S. driver's license is. 

Dave Bittner: (Laughter). 

Joe Carrigan: I mean... 

Dave Bittner: Because a driver's license from someone in a U.S. state, I guess, as opposed to another nation. 

Joe Carrigan: Well, and they call out different states here. They call out, like, a New Jersey driver's license, and they have Delaware ID, Indiana ID. I know that Maryland has IDs that are not driver's licenses... 

Dave Bittner: Yeah. 

Joe Carrigan: ...That look essentially the same as a driver's license. 

Dave Bittner: Right. 

Joe Carrigan: It just doesn't say driver's license. It says identification card. U.S. driver's licenses are up. A Lithuanian passport has gone up almost double. It was $1,500. Now it's $3,800 like all the other passports. 

Dave Bittner: Right. 

Joe Carrigan: I find the social media section pretty interesting. You know, the most expensive hacked account is a Facebook account - $45 for a hacked Facebook account. 

Dave Bittner: OK. 

Joe Carrigan: It's only 40 bucks for a hacked Instagram account. Twitter accounts are $25. They have a hacked Gmail account that's - I don't think that's a social media account, but they're - it's here at $65. That makes sense to me. A hacked Gmail account is probably very valuable because that is the keys to the kingdom for that person, right? That will get you access to all of their accounts if that's their main account. 

Dave Bittner: Right. 

Joe Carrigan: And you can look through to find out what kind of services they use and then get access to their services. 

Dave Bittner: Yeah. 

Joe Carrigan: If you want to buy followers, followers are cheap. 

Dave Bittner: (Laughter). 

Joe Carrigan: Spotify followers are a dollar for a thousand of them - Instagram followers, $4 for a thousand, same with Twitch. LinkedIn - if you want to get a thousand people to follow your company, 10 bucks, right? SoundCloud plays... 

Dave Bittner: How much to stop having people follow me on LinkedIn? 

(LAUGHTER) 

Joe Carrigan: They can't - I don't think they can do that. 

Dave Bittner: Oh, man. 

Joe Carrigan: Yeah. SoundCloud plays - a dollar for a thousand of them. Now, that's not a follow. That's a one-time event. So that's probably why that's cheap, I guess. 

Dave Bittner: Yeah. Yeah. I guess part of what's interesting about this report is just the breadth of things... 

Joe Carrigan: Yeah. 

Dave Bittner: ...That are out there. You don't - I think - I tend to think about these things in broad categories, but when you see them laid out, the detail that they have here, there really is a market for everything. 

Joe Carrigan: Yep. 

Dave Bittner: And it's interesting to me that they're able to get all these prices for these things. You know, looking around on the forums, it's a market. It's a real market. 

Joe Carrigan: It is a market. They talk about that later in the article. And they talk about as the marketplace matures, prices decline. They say sales volume has gone up, and prices have gone down. There's a lot more data out there. And one of the comments they make in this section is that there is a larger variety of options for people. They've noted some important operational changes here. One, there was an organization that was a dark market called the White House Market. It was a clear leader, but they shut that down in October of 2021, I think. 

Dave Bittner: Yeah. 

Joe Carrigan: They comment that dark web security ops have gotten better. People have become more secure and efficient. But law enforcement security specialists have also become more skillful. Dark web operators - site operators - market operators, I should say - dark market operators use better security measures throughout the - their dark web transactions. They started using Monero instead of Bitcoin because of its inherent privacy preserving in every transaction. 

Dave Bittner: Yeah. 

Joe Carrigan: And PGP is the way people communicate. So... 

Dave Bittner: OK, makes sense. 

Joe Carrigan: Yep. 

Dave Bittner: Yeah. Really interesting report here. There's so much more detail than we have time to cover here. Again, it's...

Joe Carrigan: Yeah, it's a lot of information in this report. 

Dave Bittner: ...Over on the Privacy Affairs website, and it's called "Dark Web Price Index 2022" - worth checking out. Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.