Uber’s breach. Phishing in Ukraine’s in-boxes. What’s Russia been up to anyway? (Not the same thing, probably, NATO would be up to.) And the ransomware leader board.
Rick Howard: Hey, everybody, Rick here, the N2K CSO and the chief analyst and senior fellow here at the CyberWire. This upcoming Thursday at 2 p.m. Eastern, join me and our VP and senior editor, John Petrik, as we review topics and events that have made the most significant impact in 2022. Normally, this quarterly show is a CyberWire Pro exclusive. But because of the holidays, we're letting all CyberWire readers and listeners in. You're welcome to register today by visiting thecyberwire.com/analystcall. That's thecyberwire.com/analystcall. And happy holidays to everybody.
Dave Bittner: Uber sustains a third-party breach. A phishing campaign hits Ukrainian inboxes. The enduring riddle of why Russian offensive cyber operations have failed in Ukraine. Joe Carrigan on credit card skimming. Carole Theriault describes a U.K. food store chain that uses facial recognition technology to track those with criminal or anti-social behavior. And 2023's ransomware-as-a-service leaderboard.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, December 13, 2022.
Uber sustains a third-party breach.
Dave Bittner: BleepingComputer reports that Uber has sustained a breach. Over the weekend, a group styling itself UberLeaks began dumping data it claimed to have stolen from Uber and Uber Eats. The data dumped online include what the attackers say is source code for mobile device management platforms and for third-party vendor services the company uses. BleepingComputer says the threat actor created four separate topics, allegedly for Uber MDM at uberhub.uberinternal.com and Uber Eats MDM and the third-party Teqtivity MDM and TripActions MDM platforms.
Dave Bittner: The data compromised include corporate and employee data but not customer information, Uber believes. This incident apparently originated in the compromise of a third-party vendor, and there's some evidence of Lapsus$ gang activity. Uber told BleepingComputer, we believe these files are related to an incident at a third-party vendor and are unrelated to our security incident in September. Based on our initial review of the information available, the code is not owned by Uber. However, we are continuing to look into the matter.
Dave Bittner: The third-party vendor seems to have been Teqtivity, which says in its own statement, we are aware of customer data that was compromised due to unauthorized access to our systems by a malicious third party. The third party was able to gain access to our Teqtivity AWS backup server that housed Teqtivity code and data files related to Teqtivity customers.
Dave Bittner: One safe bet is that Uber employees should prepare themselves to withstand a wave of phishing and other social engineering approaches that can be expected to make use of the data the attackers have dumped online.
A phishing campaign hits Ukrainian in-boxes.
Dave Bittner: The State Service for Special Communications and Information Protection of Ukraine warned citizens to be alert for a phishing campaign. The phishing email misrepresents itself as being from the State Emergency Service of Ukraine. The phishbait in the subject line is, how to recognize a kamikaze drone, which shows an attempt to trade upon recent widespread fears of Russian drone attacks. The malicious payload is DolphinCape, whose main function is to collect information about the computer.
Dave Bittner: This isn't the first phishing campaign to impersonate Ukrainian government agencies. Earlier efforts in October and November spoofed the state's Special Communications, the press service of the General Staff of the Armed Forces of Ukraine, the Security Service of Ukraine and even CERT-UA. There is no specific attribution in the warning, but circumstantially, the DolphinCape campaign looks like a Russian operation. It serves Russian interests, and it's coordinated, in at least a general way, with a principal kinetic effort in Russia's war - indiscriminate drone attacks against civilian infrastructure. The Record reports that the targets of the campaign are government agencies and rail transportation.
The enduring riddle of why Russian offensive cyber operations have failed in Ukraine.
Dave Bittner: A study published by the Carnegie Endowment for International Peace titled "Cyber Operations in Ukraine: Russia's Unmet Expectations" offers the beginning of an answer to one of the most discussed questions about Russia's war against Ukraine. Why have Russian cyber operations fallen so short of prewar Western expectations? The author argues that Western and Russian cyber doctrine are incommensurable. Russian doctrine avoids an equivalent of the term cyber, preferring the terms information confrontation or information warfare. Whereas U.S. discussions of cyber operations normally concentrate on the technical integrity of networks, Russian doctrine considers a range of operations, both technical and psychological, code and content, that can be deployed against adversarial systems and decision making.
Dave Bittner: The essay offers three hypotheses to explain Russian failure in cyberspace - the infancy and putative focus of the VIO, the preponderance of cyber talent in the Russian national security ecosystem and the pivotal nature of the initial period of the war. The common theme among the three hypotheses is Russia's unreadiness for the hybrid war it decided to wage.
Ransomware-as-a-service offerings in 2022.
Dave Bittner: Searchlight Security has published a report outlining the three most notorious ransomware groups of 2022 - LockBit, Conti and BlackCat. All three of these ransomware strains operate under a ransomware-as-a-service model, or in the case of Conti, if we really believe they have held their going-out-of-business sale, they operated, in the past tense. Conti was the most prolific gang until it announced it was shuttering its operations back in June of this year. But this is probably more of a brand retirement than an operator retirement, still less an operator reform. Conti's hoods are in all likelihood still actively working for other groups. The researchers note that it's strongly suspected that group members joined other ransomware-as-a-service operations, such as BlackBasta and BlackByte, or refocused their efforts into groups thought to be subsidiaries of the primary Conti operation, such as Karakurt.
Dave Bittner: Crime abhors a vacuum, at least as much as nature does, and LockBit partially filled the void left by Conti's closure. And that group now accounts for one-third of all ransomware attacks observed by Searchlight. LockBit operators are known for their dual extortion tactics, offering victims options for how to deal with the stolen data. Coming in third is BlackCat, also known as ALPHV or Noberus. They also use double extortion attacks, placing their victims' data into a database that's accessible by cybercriminals.
Dave Bittner: So what's up going forward? Searchlight looks at gangland's up-and-comers, highlighting Vice Society, AvosLocker and Hive. These ransomware gangs are, they think, the threats to watch going into the next year. Vice Society is a dual extortion racket that targets the education sector. AvosLocker and Hive are ransomware-as-a-service offerings, with Hive being designed to be easily operated by inexperienced actors. So they are to criminal coding what TV dinners are to cuisine. Yum.
Dave Bittner: Coming up after the break, Joe Carrigan looks at credit card skimming. Carole Theriault describes a U.K. food store chain that uses facial recognition technology to track those with criminal or antisocial behavior. Stay with us.
Dave Bittner: Our U.K. correspondent Carole Theriault has been looking at a U.K. food store chain that's using facial recognition technology to track customers with criminal or antisocial behavior. She files this report.
Carole Theriault: So, dear listeners, many of you based in the US of A, what do you make of this little privacy kerfuffle in the U.K.? So it involves a supermarket chain in the south of England called the Co-op. I have one near my house. It's where I go to pick up last-minute items like juice, milk or eggs, or even be old-school and get a paper. And the problem, according to the BBC, is that the Co-op is using a facial identification system called Facewatch. Now, Facewatch is not like Clearview, where it scans every single face that comes in and checks it against a huge database scraped from several online sites and social networks to identify anybody that walks into the food store, nor is it taking snaps and comparing these against those convicted of crimes, like, say, burglary or robbery. No, this one's a little different.
Carole Theriault: The Co-op's Facewatch system is matching people against a list of people the Co-op says have stolen from its shops or been violent. A spokesperson told the BBC that the list was of people for which the business had evidence of criminal or antisocial behavior. Now, Big Brother Watch, a U.K.-based privacy campaign group, has challenged the legality of the system in a submission to the Information Commissioner's Office, the ICO. Big Brother Watch says the biometric scans are, quote, "Orwellian in the extreme." Quote, "The supermarket is adding customers to secret watch lists with no due process, meaning shoppers can be spied on, blacklisted across multiple stores and denied food shopping despite being entirely innocent. This is a deeply unethical and frankly chilling way for any business to behave."
Carole Theriault: Now, I'm a bit of a privacy buff. I've been talking about privacy for more than 20 years. But I'm not sure I personally would use the terms deeply unethical or chilling here. I get that these Co-op food stores are open late. Many don't have a strong security presence, if any at all. And some have only one or two shopkeepers working the whole store. And this makes them vulnerable to gangs looking to rob or people wanting to cause trouble. And this trouble I'm talking about is actually a growing problem. A House of Commons report published in June 2021 opens with this statement. Quote, "The last five years has seen a shocking rise in attacks on retail workers. The Association of Convenience Stores, ACS, found that 89% of individuals working in local shops had experienced some sort of abuse." Eighty-nine percent - that's like 9 out of 10.
Carole Theriault: So I get that staffing companies need to increase security to deter a growing threat. But perhaps this Facewatch system is not the best approach. I think I'd much prefer staff to carry real-time cameras on lanyards. And then if a customer is acting inappropriately, rudely or criminally, the staff can turn on said camera and record the behavior. And this recording should only be shared with the authorities - you know, the people trained to serve and protect the people of the nation. But maybe that's just me. What do you think? This was Carole Theriault for the CyberWire.
Dave Bittner: And joining me once again is Joe Carrigan. He is from Harbor Labs and the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: Interesting article from the folks over at Naked Security by Sophos. This is actually written by Paul Ducklin. And it's titled "Credit Card Skimming: The Long and Winding Road of Supply Chain Failure." It's an interesting thing going on here. Can you explain it to us, Joe?
Joe Carrigan: This is an interesting thing going on. So here's - Paul lays this out pretty well and summarizes it. But you can actually go and read the entire report from a company called Jscrambler, who did the actual research on this. But Paul's summary is great. So the high-level version is this, that back in the early 2010s, there was a company called Cockpit that offered free web marketing analytics services.
Dave Bittner: OK.
Joe Carrigan: The web browser goes, OK, this is a dead link. I'm not going to try pulling this file down. We'll just continue on and see if the page loads and everything works. And lo and behold, it will work because all you're doing is collecting analytic information and reporting that back up to the servers, which are now shut down. Anyway, in 2021, cybercriminals bought Cockpit's old, expired domain. And I like what Paul says here. He says, to what we can only assume was a mixture of surprise and delight.
Dave Bittner: They have opened the door and, I guess, inadvertently left the door open.
Joe Carrigan: Yes, exactly. That's what it is. They open the door for a site that - you know, they've produced trusted content or received what they thought was trusted content from a vendor that they maybe trusted or did trust. But now that vendor's gone. They don't even exist anymore. Those people have moved on to new jobs.
Dave Bittner: Right. Right. So what's to be done here? Is this a matter of having - regularly auditing your website to make sure that something like this isn't lingering around?
Joe Carrigan: That is one of the things you should be doing, yeah. Check logs to see if your website makes use of embedded HTTP links that are no longer working. I don't know if your logs will show that unless you're testing the sites because your web server just serves out a line of text that says, you know, include this script from this file. And that's the end of it. The user's machine goes out and makes the request to what was the Cockpit server in this case. But maybe you have something else going on behind the scenes that I'm not privy to. I don't know. But check your logs. Perform transaction tests regularly. That's a good thing that Ducklin says to do here. And review - this is the most important - review your web-based supply chain links. Really understand what you're doing when you rely on URLs that are provided by other people. That is paramount.
Dave Bittner: Yeah. All right. Well, the article, again, comes from the Naked Security blog from Sophos, written by Paul Ducklin. It's titled "Credit Card Skimming: The Long and Winding Road of Supply Chain Failure." Joe Carrigan, thanks for joining us.
Joe Carrigan: It's my pleasure, Dave.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.