The CyberWire Daily Podcast 12.13.22
Ep 1722 | 12.13.22

Uber’s breach. Phishing in Ukraine’s in-boxes. What’s Russia been up to anyway? (Not the same thing, probably, NATO would be up to.) And the ransomware leader board.

Transcript

Rick Howard: Hey, everybody, Rick here, the N2K CSO and the chief analyst and senior fellow here at the CyberWire. This upcoming Thursday at 2 p.m. Eastern, join me and our VP and senior editor, John Petrik, as we review topics and events that have made the most significant impact in 2022. Normally, this quarterly show is a CyberWire Pro exclusive. But because of the holidays, we're letting all CyberWire readers and listeners in. You're welcome to register today by visiting thecyberwire.com/analystcall. That's thecyberwire.com/analystcall. And happy holidays to everybody.

Dave Bittner: Uber sustains a third-party breach. A phishing campaign hits Ukrainian inboxes. The enduring riddle of why Russian offensive cyber operations have failed in Ukraine. Joe Carrigan on credit card skimming. Carole Theriault describes a U.K. food store chain that uses facial recognition technology to track those with criminal or anti-social behavior. And 2023's ransomware-as-a-service leaderboard.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, December 13, 2022. 

Uber sustains a third-party breach.

Dave Bittner: BleepingComputer reports that Uber has sustained a breach. Over the weekend, a group styling itself UberLeaks began dumping data it claimed to have stolen from Uber and Uber Eats. The data dumped online include what the attackers say is source code for mobile device management platforms and for third-party vendor services the company uses. BleepingComputer says the threat actor created four separate topics, allegedly for Uber MDM at uberhub.uberinternal.com and Uber Eats MDM and the third-party Teqtivity MDM and TripActions MDM platforms. 

Dave Bittner: The data compromised include corporate and employee data but not customer information, Uber believes. This incident apparently originated in the compromise of a third-party vendor, and there's some evidence of Lapsus$ gang activity. Uber told BleepingComputer, "We believe these files are related to an incident at a third-party vendor and are unrelated to our security incident in September. Based on our initial review of the information available, the code is not owned by Uber. However, we are continuing to look into the matter."

Dave Bittner: The third-party vendor seems to have been Teqtivity, which says in its own statement, "We are aware of customer data that was compromised due to unauthorized access to our systems by a malicious third party. The third party was able to gain access to our Teqtivity AWS backup server that housed Teqtivity code and data files related to Teqtivity customers."

Dave Bittner: One safe bet is that Uber employees should prepare themselves to withstand a wave of phishing and other social engineering approaches that can be expected to make use of the data the attackers have dumped online. 

A phishing campaign hits Ukrainian in-boxes.

Dave Bittner: The State Service for Special Communications and Information Protection of Ukraine warned citizens to be alert for a phishing campaign. The phishing email misrepresents itself as being from the State Emergency Service of Ukraine. The phishbait in the subject line is, how to recognize a kamikaze drone, which shows an attempt to trade upon recent widespread fears of Russian drone attacks. The malicious payload is DolphinCape, whose main function is to collect information about the computer. 

Dave Bittner: This isn't the first phishing campaign to impersonate Ukrainian government agencies. Earlier efforts in October and November spoofed the state's Special Communications, the press service of the General Staff of the Armed Forces of Ukraine, the Security Service of Ukraine and even CERT-UA. There is no specific attribution in the warning, but circumstantially, the DolphinCape campaign looks like a Russian operation. It serves Russian interests, and it's coordinated, in at least a general way, with a principal kinetic effort in Russia's war - indiscriminate drone attacks against civilian infrastructure. The Record reports that the targets of the campaign are government agencies and rail transportation. 

The enduring riddle of why Russian offensive cyber operations have failed in Ukraine.

Dave Bittner: A study published by the Carnegie Endowment for International Peace titled "Cyber Operations in Ukraine: Russia's Unmet Expectations" offers the beginning of an answer to one of the most discussed questions about Russia's war against Ukraine: Why have Russian cyber operations fallen so short of prewar Western expectations? The author argues that Western and Russian cyber doctrine are incommensurable. Russian doctrine avoids an equivalent of the term cyber, preferring the terms information confrontation or information warfare. Whereas U.S. discussions of cyber operations normally concentrate on the technical integrity of networks, Russian doctrine considers a range of operations, both technical and psychological, code and content, that can be deployed against adversarial systems and decision making.

Dave Bittner: The essay offers three hypotheses to explain Russian failure in cyberspace - the infancy and putative focus of the VIO, the preponderance of cyber talent in the Russian national security ecosystem and the pivotal nature of the initial period of the war. The common theme among the three hypotheses is Russia's unreadiness for the hybrid war it decided to wage. 

Ransomware-as-a-service offerings in 2022.

Dave Bittner: Searchlight Security has published a report outlining the three most notorious ransomware groups of 2022 - LockBit, Conti and BlackCat. All three of these ransomware strains operate under a ransomware-as-a-service model, or in the case of Conti, if we really believe they have held their going-out-of-business sale, they operated, in the past tense. Conti was the most prolific gang until it announced it was shuttering its operations back in June of this year. But this is probably more of a brand retirement than an operator retirement, still less an operator reform. Conti's hoods are in all likelihood still actively working for other groups. The researchers note that it's strongly suspected that group members joined other ransomware-as-a-service operations, such as Black Basta and BlackByte, or refocused their efforts into groups thought to be subsidiaries of the primary Conti operation, such as Karakurt.

Dave Bittner: Crime abhors a vacuum, at least as much as nature does, and LockBit partially filled the void left by Conti's closure. That group now accounts for one-third of all ransomware attacks observed by Searchlight. LockBit operators are known for their dual extortion tactics, offering victims options for how to deal with the stolen data. Coming in third is BlackCat, also known as ALPHV or Noberus. They also use double extortion attacks, placing their victims' data into a database that's accessible by cybercriminals.

Dave Bittner: So what's up going forward? Searchlight looks at gangland's up-and-comers, highlighting Vice Society, AvosLocker and Hive. These ransomware gangs are, they think, the threats to watch going into the next year. Vice Society is a dual extortion racket that targets the education sector. AvosLocker and Hive are ransomware-as-a-service offerings, with Hive being designed to be easily operated by inexperienced actors. So they are to criminal coding what TV dinners are to cuisine. Yum.

Dave Bittner: Coming up after the break, Joe Carrigan looks at credit card skimming. Carole Theriault describes a U.K. food store chain that uses facial recognition technology to track those with criminal or antisocial behavior. Stay with us. 

Dave Bittner: Our U.K. correspondent Carole Theriault has been looking at a U.K. food store chain that's using facial recognition technology to track customers with criminal or antisocial behavior. She files this report. 

Carole Theriault: So, dear listeners, many of you based in the US of A, what do you make of this little privacy kerfuffle in the U.K.? So it involves a supermarket chain in the south of England called the Co-op. I have one near my house. It's where I go to pick up last-minute items like juice, milk or eggs, or even be old-school and get a paper. And the problem, according to the BBC, is that the Co-op is using a facial identification system called Facewatch. Now, Facewatch is not like Clearview, where it scans every single face that comes in and checks it against a huge database scraped from several online sites and social networks to identify anybody that walks into the food store, nor is it taking snaps and comparing these against those convicted of crimes, like, say, burglary or robbery. No, this one's a little different.

Carole Theriault: The Co-op's Facewatch system is matching people against a list of people the Co-op says have stolen from its shops or been violent. A spokesperson told the BBC that the list was of people for which the business had evidence of criminal or antisocial behavior. Now, Big Brother Watch, a U.K.-based privacy campaign group, has challenged the legality of the system in a submission to the Information Commissioner's Office, the ICO. Big Brother Watch says the biometric scans are, quote, "Orwellian in the extreme." Quote, "The supermarket is adding customers to secret watch lists with no due process, meaning shoppers can be spied on, blacklisted across multiple stores and denied food shopping despite being entirely innocent. This is a deeply unethical and frankly chilling way for any business to behave."

Carole Theriault: Now, I'm a bit of a privacy buff. I've been talking about privacy for more than 20 years. But I'm not sure I personally would use the terms deeply unethical or chilling here. I get that these Co-op food stores are open late. Many don't have a strong security presence, if any at all. And some have only one or two shopkeepers working the whole store. And this makes them vulnerable to gangs looking to rob or people wanting to cause trouble. And this trouble I'm talking about is actually a growing problem. A House of Commons report published in June 2021 opens with this statement. Quote, "The last five years has seen a shocking rise in attacks on retail workers. The Association of Convenience Stores, ACS, found that 89% of individuals working in local shops had experienced some sort of abuse." Eighty-nine percent - that's like 9 out of 10.

Carole Theriault: So I get that staffing companies need to increase security to deter a growing threat. But perhaps this Facewatch system is not the best approach. I think I'd much prefer staff to carry real-time cameras on lanyards. And then if a customer is acting inappropriately, rudely or criminally, the staff can turn on said camera and record the behavior. And this recording should only be shared with the authorities - you know, the people trained to serve and protect the people of the nation. But maybe that's just me. What do you think? This was Carole Theriault for the CyberWire. 

Dave Bittner: And joining me once again is Joe Carrigan. He is from Harbor Labs and the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Interesting article from the folks over at Naked Security by Sophos. This is actually written by Paul Ducklin. And it's titled "Credit Card Skimming: The Long and Winding Road of Supply Chain Failure." It's an interesting thing going on here. Can you explain it to us, Joe? 

Joe Carrigan: This is an interesting thing going on. So here's - Paul lays this out pretty well and summarizes it. But you can actually go and read the entire report from a company called Jscrambler, who did the actual research on this. But Paul's summary is great. So the high-level version is this, that back in the early 2010s, there was a company called Cockpit that offered free web marketing analytics services. 

Dave Bittner: OK. 

Joe Carrigan: OK? Interesting that the company would offer free web marketing and analytic services. Those seem like things that should cost money. So immediately, I'm thinking, OK, they're just going to collect my data and data on my customers, and that's going to be probably not good. But a lot of companies - e-commerce sites - said, OK, let's use this. And the way they used it was they started sourcing JavaScript code from Cockpit servers.

Joe Carrigan: Now, what does that mean? Well, when you're developing a webpage, you can put JavaScript on the webpage to make the code - or to make the page an active page, like in - have it interact with the user. But you don't have to serve that JavaScript out yourself. You can just push it out from - or have the web browser - have the user's web browser pull it from another location. It doesn't have to - if you look at just about every webpage, they all do this. And it's - Google Analytics has links that you can put in to get Google Analytics on your site as well. A lot of different sites offer this. And what these companies are doing is they're collecting vast amounts of user data and the behavior data from your customers and your users of your website.

Joe Carrigan: So in 2014, Cockpit actually shuts down its service. They notified everybody that was using the service that they were going offline and any JavaScript code that was imported from Cockpit would stop working. And that happened. They just - they turned their servers off and went away. Now, the interesting thing is that when you do that, it's not really obvious to the user, or even to the administrator, that the code isn't coming in anymore. Unless you go in and proactively check your logs or test pages with some kind of test suite, you're not going to see that. Chances are, the users don't even notice it.

Joe Carrigan: The web browser goes, OK, this is a dead link. I'm not going to try pulling this file down. We'll just continue on and see if the page loads and everything works. And lo and behold, it will work because all you're doing is collecting analytic information and reporting that back up to the servers, which are now shut down. Anyway, in 2021, cybercriminals bought Cockpit's old, expired domain. And I like what Paul says here. He says, to what we can only assume was a mixture of surprise and delight. 

(LAUGHTER) 

Joe Carrigan: They were able to get this - to buy this domain. And they found out that at least 40 e-commerce sites hadn't updated their webpages to remove any links to Cockpit. And they were still calling home and accepting any JavaScript code that was on offer. So this is after almost eight years of inactivity. These sites are still looking for this code, and these bad guys go out and buy the server that supplies the code. Well, that's bad news because now these servers can start supplying all kinds of code. And that's exactly what they did. 

Joe Carrigan: They enscripted - or inserted, rather - JavaScript code that would monitor the content of input fields on predetermined webpages. So they knew who was calling in. They could see the - where the request was coming from because there is a field in an HTTP request called the Referer field. So they know exactly where it's coming from. Then all they have to do is go in and look at the website, see what that website looks like, reverse engineer it, which is very easy to do for any website because in order for the web to work, you have to have all of the actual code on your computer. So you have to go out and download all that code from whatever sources it's served from.

Joe Carrigan: So not only that, but once they've reverse engineered it, they can tailor JavaScript attacks for each of these websites, each of these 40 websites, to collect information specific to the forms on those pages. And, again, they use that Referer field to know which piece of JavaScript to serve out to which end user. Because the end user is just going out to their servers, these old Cockpit servers - and they're actually not old Cockpit servers. They're just old Cockpit domain names - and asking for the files. And they're having all their information stolen, and they're actually even getting tricked with HTML injection because one of the things you can do with JavaScript is inject additional HTML that makes it look like you need to log in again. So now I can capture your username and your password for that website. And it's coming from that website. It looks exactly like it's coming from that website.

Dave Bittner: They have opened the door and, I guess, inadvertently left the door open. 

Joe Carrigan: Yes, exactly. That's what it is. They open the door for a site that - you know, they've produced trusted content or received what they thought was trusted content from a vendor that they maybe trusted or did trust. But now that vendor's gone. They don't even exist anymore. Those people have moved on to new jobs. 

Dave Bittner: Right. Right. So what's to be done here? Is this a matter of having - regularly auditing your website to make sure that something like this isn't lingering around?

Joe Carrigan: That is one of the things you should be doing, yeah. Check logs to see if your website makes use of embedded HTTP links that are no longer working. I don't know if your logs will show that unless you're testing the sites because your web server just serves out a line of text that says, you know, include this script from this file. And that's the end of it. The user's machine goes out and makes the request to what was the Cockpit server in this case. But maybe you have something else going on behind the scenes that I'm not privy to. I don't know. But check your logs. Perform transaction tests regularly. That's a good thing that Ducklin says to do here. And review - this is the most important - review your web-based supply chain links. Really understand what you're doing when you rely on URLs that are provided by other people. That is paramount.

Joe Carrigan: And there should be some part of your configuration management process that says these are the libraries we're using. These are the third-party JavaScript libraries or JavaScript functions that we're including in our webpage. And here's why we include them. And periodically, you should be looking at those libraries and those features and seeing, do we still trust these guys? Have these guys changed? Because, you know, I don't know, maybe it's just because I'm really suspicious of people, but when somebody shows up and says, hey, we're going to give you free web marketing or marketing and user data, all you have to do is include our JavaScript link, the first thing that goes to my mind is, first of all, no. I don't want to do that because what are you doing with that data? What am I giving you access to? And how are you going to impact my customers? That's really what it is. Because in the end, my goal as an e-commerce business is to sell things to my customers. And the last thing in the world I want to do is hurt my customer. 

Dave Bittner: Yeah. All right. Well, the article, again, comes from the Naked Security blog from Sophos, written by Paul Ducklin. It's titled "Credit Card Skimming: The Long and Winding Road of Supply Chain Failure." Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.