The CyberWire Daily Podcast 10.18.22
Ep 1685 | 10.18.22

Mobilizing DDoS-as-a-service. Interpol takes down Black Axe gang members. Trends in phishing. Spyder Loader active in Hong Kong. Europol announces arrests in keyless car hacking case.

Transcript

Dave Bittner: Mobilizing DDoS-as-a-service. Interpol takes down the Black Axe gang members. A look at phishing trends. Spyder Loader is active in Hong Kong. Joe Carrigan looks at Google's launch of passwordless authentication. Our guest is Dr. Eman El-Sheikh from the University of West Florida's Center for Cybersecurity on NSA-funded national cybersecurity workforce development programs. And Europol announces arrests in a case of keyless car hacking.

Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, October 18, 2022. 

Mobilizing DDoS-as-a-service.

Dave Bittner: The Russian hacktivist group with the ungainly name NoName057(16) has been organizing DDoS attacks and website defacements against Ukraine and its Western supporters. It pays operators between $315 and $1,255 for their services. Radware described the operation late last week, stating, in July, threat group NoName057(16) quietly launched a crowdsourced botnet project named DDOSIA. The project, similar to the pro-Ukrainian Liberator by disBalancer and the fully automated DDoS bot project by the IT ARMY of Ukraine, leverages politically driven hacktivists willing to download and install a bot on their computers to launch denial-of-service attacks. Project DDOSIA, however, raises the stakes by providing financial incentives for the top contributors to successful denial-of-service attacks. 

Dave Bittner: Researchers at Avast had earlier described the group's use of Bobik malware in its campaigns. They divided a typical NoName057(16) attack into reconnaissance and execution phases, stating, the first step is looking for a target that supports Ukraine or a target with anti-Russian views. The attackers analyze the structure of the target's website and identify pages that can cause server overloading, especially requests requiring higher computing time, such as searching, password resetting, logon and so forth. The second step is filling in the XML template, encrypting it and deploying it to the C&C servers. The attackers monitor the condition of the target server and modify the XML configuration based on needs to be more effective. The configuration is changed approximately three times per day. So it's a simple formula. Find a vulnerable target with anti-Russian views. Hit the target. And repeat as necessary. 

Interpol takes down Black Axe gang members. 

Dave Bittner: An Interpol-led operation has resulted in the arrests of 75 alleged members of the Africa-based Black Axe crime organization, the Register reports. Two of the suspects arrested in South Africa are accused of stealing $1.8 million through online scams. According to Interpol, codenamed Operation Jackal, the joint law enforcement effort mobilized 14 countries across four continents in a targeted strike against Black Axe and related West African organized crime groups. 

Dave Bittner: Black Axe wasn't just a local gang. It was a criminal organization that had achieved a global reach. Interpol regards the operation as a major strike against transnational cybercrime. The police agency said in a statement, Operation Jackal marks the first time Interpol has coordinated a global operation specifically against Black Axe, which is rapidly becoming a major security threat worldwide. Black Axe and similar groups are responsible for the majority of the world's cyber-enabled financial fraud, as well as many other serious crimes, according to evidence analyzed by Interpol's Financial Crime and Anti-Corruption center and national law enforcement. Interpol added, the immense quantity of assets seized, including 12,000 SIM cards, have provided new investigative leads for law enforcement, generating 13 analytical reports and allowing police to identify more than 70 additional suspects. The lavish lifestyles and greed of many suspects was on clear display at the scenes of their arrest. Various luxury assets were seized, including a residential property, three cars and tens of thousands in cash. Black Axe has been a threat for several years. Harper's in 2019 published an account of the group's originally noncriminal origins in a Nigerian university and its evolution into a political movement and then into a criminal gang with some of the coloration of a religious cult. 

Trends in phishing.

Dave Bittner: Cofense has released a report today detailing phishing intelligence trends in the third quarter of 2022. Overall, it was found that malware delivery activity dropped in July with the disappearance of Emotet, with the volume staying the same after July's drop. The top five malware types from quarter two were also the top malware types for quarter three, with keyloggers and remote-access Trojans gaining traction in this quarter. Loaders, keyloggers, information stealers, remote-access Trojans and bankers were, in that order, the top five malware types, with Emotet, Agent Tesla, FormBook, Remcos RAT, and QakBot taking prominence as the top malware families of each type. Emotet vanished from the phishing landscape in July of this year, which had a major impact on the trends shown in the report. The overall amount of phishing attacks for the quarter was significantly lower in the absence of Emotet, and the delivery mechanism and malware types used by Emotet topped the rankings in the start of the quarter and diminished over time. However, Emotet still out-scaled all other malware delivery families despite its short use this quarter. It is possible, due to traffic observed in October by Cofense, that Emotet may be back. 

Dave Bittner: QakBot was identified by Cofense as the malware family to watch during the third quarter. And despite low overall volume, there were developments and new tactics, techniques and procedures. A new tactic of QakBot operators includes hard coding payloads into malicious HTML attachments instead of using embedded URLs or redirects. 

Spyder Loader active in Hong Kong.

Dave Bittner: Researchers at Symantec warn that the Operation CuckooBees campaign, first observed by Cybereason in May 2022, now appears to be targeting government entities in Hong Kong with the Spyder Loader malware. The researchers state, the victims observed in the activity seen by Symantec were government organizations, with the attackers remaining active on some networks for more than a year. We saw the Spyder Loader malware deployed on victim networks, indicating this activity is likely part of that ongoing campaign. While we did not see the ultimate payload in this campaign, based on the previous activity seen alongside the Spyder Loader malware, it seems likely the ultimate goal of this activity was intelligence collection. Symantec doesn't attribute the campaign to any particular threat actor, but Cybereason tied the earlier activity to the Chinese APT Winnti and saw the goal of the attacks as theft of intellectual property. Symantec notes that the duration and focus of the campaign, which has persisted through several versions of the malware employed, indicates a determined and persistent threat actor. 

Europol announces arrests in keyless car hacking case.

Dave Bittner: Europol has announced 31 arrests as the result of an operation against a gang exploiting keyless cars produced by two French manufacturers, stating, as a result of a coordinated action carried out on 10 October in the three countries involved, 31 suspects were arrested. A total of 22 locations were searched, and over one million euros in criminal assets seized. French authorities had the lead in the investigation, with cooperation from authorities in Latvia and Spain. So how were they pulling it off? The thieves used, according to Europol, a fraudulent tool marketed as an automotive diagnostics solution, which they employed to replace the vehicle's original software. From there, just open the door and push to start. The alleged crooks who were rounded up included software developers, software resellers and the actual goons on the ground who jacked the cars. So aux Gendarmes, bravo. And to the hoods, what can we say? Push to start, mes amis. 

Dave Bittner: Coming up after the break, Joe Carrigan looks at Google's launch of passwordless authentication. Our guest is Dr. Eman El-Sheikh from the University of West Florida's Center for Cybersecurity on NSA-funded National Cybersecurity Workforce Development Programs. Stay with us. 

Dave Bittner: The U.S. federal government has several active initiatives to help narrow the cybersecurity talent gap, including partnerships with colleges and universities. Dr. Eman El-Sheikh is associate vice president at the Center for Cybersecurity at the University of West Florida, where she and her colleagues are leading participation in NSA-funded National Cybersecurity Workforce Development Programs. 

Eman El-Sheikh: The idea kind of leverages the faculty expertise and the curricula that's available at colleges and universities across the country that are designated as National Centers of Academic Excellence by the NSA and helps them create training and alternative credentialing programs and pathways so that we can reach additional students beyond the academic programs. If you think about it, you know, we have over in - right now across the country, you know, 500,000 open cyber jobs. And that number is going up, not down. And so if we continue to only focus on getting students into academic degree programs, we're never going to meet the demand. And so what we'd like to do is help everyone leverage their expertise to create training, to create alternative credentials, to create certificate programs and more importantly, to reach diverse populations, transitioning military veterans, career changers, high schoolers so that we can really expand the number of pipelines and pathways into cybersecurity roles. 

Dave Bittner: Well, help me understand. Give us an idea the sorts of things that you and your colleagues are doing there at University of West Florida. 

Eman El-Sheikh: So one of the things we're doing is leading a coalition of 10 colleges and universities across the country in order to really kind of provide diverse training programs and pathways across the country. We have really, a number of years ago at UWF, have taken the lead on developing workforce development programs and training pathways with the idea that that's really, you know, the way that we're going to help our country meet this national workforce challenge. And so what we're doing is developing kind of short-course, short-duration training pathways that align with national best practices. So, for example, they focus on cybersecurity work roles that are defined by the NIST Cybersecurity Framework so that we can identify specifically what knowledge and skill competencies are needed for each work role, develop or adapt curricula to specifically train for those knowledge and competencies and then help provide those in flexible formats to veterans, to transitioning military, to diverse populations to really kind of, you know, increase the workforce. Another thing that we, you know, are doing is that, you know, focusing on providing digital credentials and badges so that those who - let's say if you're coming out of the military, you already have a degree, but your degree may not be current, right? And so if we can provide a short-course training program, as well as the credentials, and link them to jobs and employers, then they'll be well on their way to a second career, a second tour of service and to helping us meet that workforce crisis. 

Dave Bittner: Well, so how does this compare to a traditional four-year degree or even a two-year associate's degree? 

Eman El-Sheikh: That's a great question, Dave. The idea is that we want to kind of focus on employability. And so it differs in the sense that we bring in the best of kind of various worlds, you know, the two-year and four-year degree programs, as well as training programs offered, for example, by training providers, as well as employer needs and national best practices. And we try to roll it into a program that is shorter in duration - so can typically be completed in 3 to 6 months - in most cases can also be completed online or hybrid or virtual, also integrates employer needs such as industry certifications, such as hands-on skills. We take a lot of effort into incorporating range-based - cyber range-based exercises and tabletop exercises and hands-on activities. So the idea is to really give them kind of the boot camp version of the training, the credentials and the skills and competencies to get people, you know, prepared for and into cyber jobs. 

Dave Bittner: I would imagine a program like this is also quite attractive because you're not loading someone up with a lot of college debt. I mean, it's a shorter program, so they're not going to have that expense. 

Eman El-Sheikh: Yes, absolutely. That's definitely a great benefit. And I should also point out that, you know, thanks to the generous NSA grant, this program, CyberSkills2Work, is able to fund 1,700 transitioning military and veterans for training and connecting them with employers at no cost to them. So it'll be completely free to eligible participants. And those interested can go to the website, cyberskills2work.org, to actually - it serves as a one-stop shop. It allows them to take an optional aptitude or assessment test so that they can kind of get an idea of which cyber work roles may be a good fit for them. It allows them to see what training pathways will be offered this year and next year. It allows them to apply through a common application to those training programs and then be - apply for scholarships to be fully funded. And then also, at the tail end, it'll allow them to connect with employers and job opportunities. So it definitely helps provide everything so that they just have to focus on committing the time to learn. 

Eman El-Sheikh: But, you know, more importantly than that, another kind of - that's a great feature. Another important feature is that it's very just in time or as needed as well because what we're seeing is that, you know, the cyber threat landscape continuously evolves. The threat actors are getting more sophisticated. The attacks are getting more sophisticated. And, you know, the curricula in traditional colleges and universities is hard to keep up. There's an approval process, for example, for public universities to update their curricula or update their degree programs that takes a year at best, maybe even three to four years. But this program is designed to be more agile and flexible, where we can connect with those employers and federal partners and really keep the curricula relevant and up-to-date and dynamic so that what they're getting and what they're learning is what is actually needed in jobs today and tomorrow. 

Dave Bittner: That's Dr. Eman El-Sheikh from the University of West Florida. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Interesting story here. I guess a bit of an update - this is from The Hacker News, and the article is titled "Google Rolling Out Passkey Passwordless Login Support to Android and Chrome." What's going on here, Joe? 

Joe Carrigan: So we heard - we talked about this on the CyberWire back in May... 

Dave Bittner: Yeah. 

Joe Carrigan: ...April timeframe. 

Dave Bittner: A few months ago. 

Joe Carrigan: A while ago. 

Dave Bittner: Yeah. 

Joe Carrigan: And the FIDO Alliance has come out with this idea of passkeys... 

Dave Bittner: Right. 

Joe Carrigan: ...Which are essentially a public key cryptography. You put - you know, you have a private key on your phone or on your device. And the public key is stored in the cloud of whatever site you need to authenticate to. And when it's time for you to authenticate, they show you something like - in this thing, it looks like a QR code. 

Dave Bittner: Yeah. 

Joe Carrigan: You scan that with your phone. Your phone then interprets the QR code and understands what it needs to do cryptographically. It sends something to the service to say, here's what - here's a verification. And then the website can let you in. 

Dave Bittner: I see. 

Joe Carrigan: So I'm not exactly sure how this works on the back end, but it's from the FIDO Alliance. So they've done a pretty good job of... 

Dave Bittner: Right. And it's backed by... 

Joe Carrigan: Crypto. 

Dave Bittner: ...Big names. 

Joe Carrigan: Big - yeah. 

Dave Bittner: They say they got Google, Apple and Microsoft on board. 

Joe Carrigan: Right. 

Dave Bittner: So I would imagine there's been appropriate scrutiny. 

Joe Carrigan: Yeah, this is probably cryptographically sound. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: I mean, you never really - I say probably. And to the layman, that means cryptographically sound. 

Dave Bittner: Yeah. 

Joe Carrigan: But to people like Matt Green, that means, I'll bet I could find something wrong with it. 

Dave Bittner: (Laughter). 

Joe Carrigan: But, you know, it's using the standard - the big thing here - it's using the standard cryptography. But the big thing here is that this is just another nail in the coffin, the richly deserved and much anticipated and long overdue coffin of passwords. 

Dave Bittner: Yeah. 

Joe Carrigan: And I'm very happy to see this being rolled out. 

Dave Bittner: From a user's point of view, do you think this streamlines things? 

Joe Carrigan: I would think that it - that's a good question. I don't know. Here's my issue with this. Sometimes when I'm sitting at my computer, my phone might be across the room, right? 

Dave Bittner: Yeah. 

Joe Carrigan: Or in a different room, like on my desk where I came home and left it. 

Dave Bittner: Right. 

Joe Carrigan: And now I'm trying to - or my dresser. And now I'm trying to log in. I've got to get up and go in there. Maybe - I'm always willing to make those sacrifices for security. 

Dave Bittner: Yeah. 

Joe Carrigan: But I don't know that other people will be. What happens if you lose your phone or, you know - well, actually, this article says that your keys are kept - in Google's implementation - your keys are kept encrypted in their cloud so you can get them back. So you can still authenticate. 

Dave Bittner: Right, and not - and Google themselves can't decrypt them. 

Joe Carrigan: Yeah, Google themselves can't use them. So assuming that Google has done everything properly, then you're probably well protected against losing your phone. And Google has done a good job of most of the security that they've implemented. I would like to remind everyone security is not the same as privacy. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: Right? Security wise, Google is very, very good. 

Dave Bittner: Yeah. Yeah. So rolling this out, I mean, like you said, that - it'll be interesting to see what kind of adoption we get from this. 

Joe Carrigan: Right. 

Dave Bittner: As we said, we've got support from some big players here, so... 

Joe Carrigan: I will happily adopt because it is a form of public key encryption. 

Dave Bittner: Yeah. 

Joe Carrigan: Which is, you know, you have the private key and if someone hacks - let's say you're using this on some mail service, and someone hacks that mail service, and they get your public key, that doesn't do anything. 

Dave Bittner: Right. 

Joe Carrigan: It really - it doesn't help a malicious actor, at all, take your account over. 

Dave Bittner: They point out that this is cross-platform, which I think is great. They make the point that an Android user could log in using a website, using Safari on iOS, or Mac OS... 

Joe Carrigan: Right. 

Dave Bittner: ...Or Chrome browser in Windows. So it's universal access here. It's a good thing. 

Joe Carrigan: Right. You're just generating an image of a QR code and showing it to the user, who then uses some application on the backend or on the - to take a picture of that QR code and verify that they have the private key. 

Dave Bittner: Yeah. 

Joe Carrigan: Which establishes identity, essentially. 

Dave Bittner: Right. Right. Yeah, I wonder where we will see this first (laughter). 

Joe Carrigan: I don't know. But I'll tell you what, I'll sign up for it because I'm big on the private key, you know, public-private key authentication. 

Dave Bittner: Yeah. 

Joe Carrigan: It's not, you know, it's not - this is - what I like about this is, it seems like it's a fairly transparent-to-the-user way of doing it. That's a very long hyphenated name of saying it's easy for the average user to do. 

Dave Bittner: Right. 

Joe Carrigan: You know, if you think how I authenticate to any SSH server that I use for work, I have to go to a command prompt and, first off, generate the key, then probably, and actually, usually, in fact, always... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...I put a password on that key and I have to store that password. So now I have to manage the password for the keys. Then I have to upload the public key to the server that I'm going to authenticate to, which means I have to be physically present to do that. Then, and only then, can I finally authenticate with public key encryption. This is not like that. This is on your phone. You are going to establish the identity, and there's an integrated way to do that. And when it comes time to utilize the authentication method, your trusted platform module will handle the key... 

Dave Bittner: Right. 

Joe Carrigan: ...And storage of that key is encrypted in Google's cloud. 

Dave Bittner: Yeah. I mean, it seems like, you know, the combo of having both the physical possession of the device, your mobile device... 

Joe Carrigan: Right. 

Dave Bittner: ...Along with some sort of biometric verification, you know, I suppose like, you know, on Planet Apple, it'll be face ID. 

Joe Carrigan: Face ID, which is remarkably good as a biometric. 

Dave Bittner: Yeah. And Android has their own version of that and... 

Joe Carrigan: Yeah, they have the thumbprint, as well... 

Dave Bittner: Right. 

Joe Carrigan: ...Fingerprint. 

Dave Bittner: Right. So those two things, you know, pretty secure and also, these days, pretty fast. 

Joe Carrigan: Yes. 

Dave Bittner: Yeah. 

Joe Carrigan: Yeah. 

Dave Bittner: All right. Well, we will see. Time will tell. I'm curious. Let's agree to keep track and see... 

Joe Carrigan: Agreed. 

Dave Bittner: ...Where we see this first. 

Joe Carrigan: And I'll let you know when I use it, when I set it up. 

Dave Bittner: All right. 

Joe Carrigan: I'll send you an email. 

Dave Bittner: Fair enough. All right, Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at the cyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.