The CyberWire Daily Podcast 4.6.23
Ep 1796 | 4.6.23

New phishing techniques. Arrests in the Genesis Market case. APT43’s Archipelago. Disinformation at the UN, and drop-shipping for Mother Russia.


Dave Bittner: New phishing techniques. Arrests in the Genesis Market case. APT43's Archipelago. Russia's turn in the Security Council chair immediately becomes an occasion for disinformation. Our guest is Nick Tausek from Swimlane to discuss supply chain attack trends. Tim Starks from the Washington Post has the latest on the DOJ's attempts to disrupt cybercrime. And, make robo-love, not robo-war. The latest on nuisance-level hacktivism in the interest of Ukraine.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire "Summary" for Thursday, April 6, 2023.

New phishing techniques.

Dave Bittner: Vade today released a report detailing a newly identified phishing campaign that utilizes YouTube attribution links and a CAPTCHA in order to fly under the radar. The victims receive a fake e-mail alerting them that their Microsoft 365 password has expired. In reality, the e-mail comes from a hacker that utilizes display name spoofing in order to feign legitimacy. The e-mail contains Microsoft's logo and branding, and provides a button with a link for the user to keep their same password.

Dave Bittner: The link redirects to a YouTube URL, and later a page with a Cloudflare CAPTCHA. Once the CAPTCHA is completed, the user will be redirected to a phishing page that auto-populates the e-mail address of the user and provides a space to enter a password. Both YouTube and Cloudflare are commonly whitelisted, so using these URLs allows for the bypassing of much security software, as well as e-mail gateways. Vade advises good cyber hygiene and cautiousness around e-mails that ask for account access or credentials.

Arrests in the Genesis Market case.

Dave Bittner: Europol yesterday reported that Tuesday's seizure of the Genesis Market was a combined operation involving 17 countries. One hundred nineteen people were arrested, 208 properties were searched, and a reported 97 "knock and talk measures" took place. This combined effort was spearheaded by the US FBI and the Dutch National Police. The DOJ yesterday disclosed that law enforcement had seized 11 domain names that were in support of the Genesis Market infrastructure.

APT43’s Archipelago.

Dave Bittner: A formerly little-noted cybercrime group, APT43, was described by Mandiant in a report last week. The threat actor was also shown to have ties to the Democratic People’s Republic of Korea. Mandiant explains that after five years of tracking the activities of APT43, they can attribute the group to the DPRK, because their collection priorities align with the mission of the Reconnaissance General Bureau, North Korea's main foreign intelligence service. Mandiant also highlights how APT43 acquires and launders stolen cryptocurrency to fund its own espionage operations. This differs from other DPRK cyber threat actors who seem to funnel cryptocurrency to fund the DPRK government as a whole.

Dave Bittner: Google released a follow-up report on the 5th of April which focused on that subset of APT43's activities Google calls Archipelago. Google notes that it observed the group target individuals with expertise in North Korea policy issues such as sanctions, human rights, and non-proliferation issues. Google goes on to expose how Archipelago conducts its phishing and various malware operations, explaining, "Archipelago invests time and effort to build rapport with targets, often corresponding with them by e-mail over several days or weeks before finally sending a malicious link or file."

Dave Bittner: Google also notes, "For several years, Archipelago focused on conducting traditional credential phishing campaigns. More recently, TAG has observed Archipelago incorporate malware into more of their operations. To protect their malware from AV scanning, Archipelago commonly password-protects their malware and shares the password with recipients in a phishing e-mail."

Russia's turn in the Security Council chair immediately becomes an occasion for disinformation.

Dave Bittner: It's Russia's turn to chair the United Nations Security Council, and it used its first week in that role to convene a meeting to share its own view of the widespread abduction of Ukrainian children. It featured a video presentation by the director of Russia's child protection agency, Maria Lvova-Belova, presently wanted by the International Criminal Court for war crimes involving the kidnapped children.

Dave Bittner: Ms. Lvova-Belova said she welcomed the opportunity to "dispel the fakes and show the opposite side." She added that Russia did not recognize the jurisdiction of the International Criminal Court and claimed that Russia's custody of the children was protective, and that Moscow stands ready to help reunite the children with their families. Criticism of Russian policy, she said, amounted to lies designed to slander Russia. The New York Times quotes her as saying, "We have no doubt that this is a campaign to discredit our country and attempts to conceal their irresponsible actions about children."

Dave Bittner: Several Western members of the Council walked out on the presentation, returning once it was over to denounce Russian disinformation. It seems likely that Russia's month in the chair will be devoted to more such tendentious propaganda. And putting a wanted alleged war criminal out there as your spokeswoman shows a lot of brass, and not in a good way, either.

Make robo-love, not robo-war: nuisance-level hacktivism in the interest of Ukraine.

Dave Bittner: And finally, in a rare filing from our teledildonics desk, we hear that the Ukrainian hacktivist group, Cyber Resistance, took control of an AliExpress account organized by the Russian blogger, Mikhail Luchin, to solicit donations for Russian forces. Numerama reports that the hacktivists then used the pirated account to spend about 23,000 euros on erotic novelties.

Dave Bittner: InformNapalm explained the move, stating, "The hacktivists of Cyber Resistance punished Z-volunteer, Mikhail Luchin. They hacked his e-mail and charged $25,000 worth of adult toys to his card, which is linked to AliExpress. He planned to spend the money to buy #drones for the #Russian #army." The hacktivists themselves bragged in their own Telegram channel, posting, "Instead of drones, Misha will now have truckloads of other things useful to every Russian to the occupiers, which we ordered and paid for with his card on AliExpress." The original is clear on what the hacktivists invoiced from Mr. Luchin's card, but we're a family show so we've redacted that part. But really, folks, AliExpress is Alibaba's e-commerce service, and apparently the hacktivist universe is like middle school.

Dave Bittner: Alas, Firstpost says that Mr. Luchin attempted to return the items, but found that all sales were final, although some other sources say Mr. Luchin did get some money back. Apparently, he's stuck with a truckload of saucy marital aids, which he'll now just have to deliver to the front. In any case, he counter-boasted to the Cyber Resistance that he'll just resell them to Russians who want to buy such novelties, and that he'll do so at a 300% profit, all going to raise more money for Russia's cause.

Dave Bittner: We hate to rain on Mr. Luchin's parade, but we have it on good authority that such reselling schemes no longer work very well, whatever the drop-ship gurus may have told him on TikTok. In any case, he must have a lot of inventory. We hesitate to even speculate how many romantic appliances 23,000 euros will fetch nowadays. But we're betting that it's what financial experts would call a lot, a whole lot.

Dave Bittner: Coming up after the break, Nick Tausek from Swimlane discusses supply chain attack trends. Tim Starks from the Washington Post has the latest on the DOJ's attempts to disrupt cybercrime. Stay with us.

Dave Bittner: The US federal government has taken a leading role in the reduction of supply chain attacks through the efforts of CISA and other supporting agencies. Despite the effort, reports indicate that supply chain attacks are on the rise. For more on this, I spoke with Nick Tausek, lead security automation architect at security firm, Swimlane.

Nick Tausek: As an industry, supply chain attacks have been increasing steadily. I shouldn't say steadily. I should say exponentially, actually, year-over-year. This has been an increasing problem in scope and severity. In 2021, it was something over 600% year-over-year increase in supply chain attacks against the open source community. And then last year, in 2022, that number jumped up to like 750% year-over-year increase in open source supply chain attacks. So a lot of these attacks are going after a pretty broad swath of the industry, right?

Nick Tausek: It's not just the federal government, but the feds are a pretty huge attack surface with a lot of resources devoted to trying to keep them safe. And a lot of really juicy targets for all kinds of malicious actors who might be interested in breaking into a system. So I guess the short answer to that is that the supply chain attack problem is not going away. It's increasing exponentially and the federal government remains a primary target for actors who are using this rapidly increasing attack vector to perform their malicious activities.

Dave Bittner: And what have we seen so far in terms of the federal government's response to this? What sort of defenses and protections have they put in place?

Nick Tausek: So as far as the federal government's responses are concerned, we've seen a lot in the last couple of years from the Biden Administration, which has been really refreshing to see, in regard to mandatory reporting requirements for various industries outside of just the most critical infrastructure. They just signed a new document called the National Cybersecurity Strategy, which differs a lot from previous iterations of this document that we've seen from every administration prior in two ways.

Nick Tausek: One of which is that it authorizes US defense, intelligence, and law enforcement agencies to go more on the offensive against malicious actors to attempt to disrupt their activities, retaliate for cyberattacks, and prevent cyberattacks. And it also includes more ample reporting requirements for industries and cybersecurity events inside the United States.

Nick Tausek: For a long time, many of us in the industry have been asking for greater transparency and greater sharing of information, to try to raise the tide for all organizations who are facing cybersecurity threats. But this is really a concrete step with these reporting requirements to make sure that organizations are actually sharing what information they can safely with the greater intelligence community, to help kind of shore up everybody's defenses at once. And that's a really important message in the age of supply chain attacks.

Nick Tausek: Because as we saw with SolarWinds, for example, one compromised vendor can cause an enormous problem for the federal government, cause untold amounts of damages, and frankly, make themselves almost inextricable from networks once they've gained a really strong foothold. You know, it could take millions or potentially even billions of dollars to extract bad actors from some of these federal agencies once they've gotten a really deep toehold in.

Dave Bittner: What are some of your insights when it comes to this? What are some of the things that you and your colleagues there at Swimlane would recommend to government agencies in terms of getting on top of this?

Nick Tausek: So there's a few things. Supply chain attacks are notoriously difficult to prevent because you don't control the entire supply chain. The best you can do is engage with vendors you trust. Make sure that they're following security controls like SOC 2 compliance, make sure that they're regularly audited to make sure that their cybersecurity posture is as good as it can be. But with supply chain attacks, and especially supply chain attacks against the open source community, these can have really huge ripple effects when compromises do occur to a code base.

Nick Tausek: So what we recommend is leveraging security automation to allow you to respond more quickly when events do occur. This can be from the worst-case scenario, an actual vendor is compromised and your environment has been breached, and you need to shut down large swaths of your network, or quarantine critical resources, or disable a large number of compromised user accounts at once. This could also be something like a supply chain attack does occur against a vendor, and doing the documentation to decide whether or not you're affected by monitoring your critical assets and patching your critical assets.

Nick Tausek: All of these actions can really be greatly assisted in speed and accuracy by security automation. So that's probably the primary thing I would say as far as being able to rapidly respond when a supply chain event does occur. And that doesn't necessarily have to be a SOAR platform. Of course, Swimlane is a SOAR vendor, so that's what we sell, but this can be homebrew automation, as well. A lot of organizations have been incredibly successful with developing homebrew automation solutions. These high-code approaches tend to be very hands-on, take a lot of time and developer expertise, but they're- they can be really, really critically fit into your environment, to make sure that you have exactly what you need for your organization.

Nick Tausek: So there's a whole different conversation about what kind of products that you could get into. But I think the most effective line to go into to mitigate supply chain attacks when they do occur is in the automation arena.

Dave Bittner: Does the US government, with their massive purchasing power, is this an opportunity for them to really take a leadership role in kind of setting the standard for what's expected with supply chains?

Nick Tausek: Absolutely. The government, like you said, has an enormous amount of purchasing power, and thereby, an enormous amount of influence on the entire cybersecurity market as a whole. Besides being aggressive leaders in best cybersecurity practices, they should also continue to exert pressure on cybersecurity vendors to increase their own security postures. The open source community is a little bit trickier because anybody can contribute to it and a lot of this work is done pretty pro bono. But when you're dealing with vendors, making sure that they're compliant with the latest security standards, their auditing procedures, and making sure that they're regularly validating their code base to make sure that they're not the victims of open source supply chain attacks that may have occurred.

Dave Bittner: That's Nick Tausek from Swimlane.

Dave Bittner: And joining me once again is Tim Starks. He is the author of the Cybersecurity 202 at the Washington Post. Tim, always great to welcome you back.

Tim Starks: Yeah, thanks.

Dave Bittner: So I want to touch with you today on, first of all, Operation Cookie Monster, which I have to say as a lifelong Muppets fan, really grabbed my attention and my affection in their naming. But beyond my interest in it, interesting move here from the FBI in terms of takedowns.

Tim Starks: Yeah. I'm- I, also, like you, am fascinated by the naming conventions of some of these things. I remember once writing an article about how they named military operations. Yeah, this is another big takedown in just the last several weeks of these kinds of underground cybercriminal marketplaces. Genesis was specializing in access brokerage, being able to give people user names, passwords, other ways to log in to accounts that they'd stolen. And this is another really, really big market that they've taken down.

Dave Bittner: In today's Cybersecurity 202 at the Post, you have an interview with Lisa Monaco, who's deputy attorney general. Take us through that interview.

Tim Starks: I was at the Aspen Verify Conference last week and had requested a chance to speak with her. And it looked like we were gonna arrange it and then something happened at the Justice Department that was kind of big. Some ex-president, some guy got arrested or something.

Dave Bittner: I think I've heard of that, yeah.

Tim Starks: Yeah. So we had to delay things until today and we had a nice chat. I thought she gave a few newsy nuggets, there. It was just a generalized perspective, but she also did talk about philosophy. And because of the news of the Genesis Market, that's where we started things. She had talked about this as exemplifying a twist or evolution in the way they've been doing disruptive operations.

Dave Bittner: Mm-hmm.

Tim Starks: You know, they- there's the traditional, of course, law enforcement arrest kind of operations that we're used to in cyber. Or at least, you know, indictments and charges filed, but sometimes not arrested. In this case, they didn't just arrest people. They did arrest people. They also arrested people in the United States. They seized domains. They shut down the website. They shut down the entire marketplace, essentially. And the reason she said this was a variant was because of that access broker part. If you look at some of the other markets they've taken down, they've been things like, you know, people selling packets of information, things like just credit card numbers or raw data on people. This was a little different in that sense.

Tim Starks: And then we had a broader talk about how they do these disruptions and what they mean. I had been wondering for a while how do they decide when to do this kind of operation as opposed to doing something else. You know, there's a situation with Kaseya a couple of years back. You know, people who are deep into this will remember where the FBI got into a little bit of controversy with Capitol Hill. Over the fact that as, you know, my colleagues, Ellen Nakashima and another reporter reported, had held on to some information about what was going on with Kaseya. And had not sent out the decryption keys that they had access to right away.

Tim Starks: And that made me wonder, well, when do they decide to do these kinds of things versus when they don't. And what she said is there's no hard and fast rule. It is a thing where she has let everybody in the department know to be looking for opportunities to do this.

Dave Bittner: Yeah, I thought that was interesting, the focus on- the opportunism of looking for disruption I thought was an interesting insight. You also touched on TikTok and the RESTRICT Act, which is certainly controversial in many ways. I have to say the answer she gave you on the RESTRICT Act was a little non-satisfying to me. How did you feel about it?

Tim Starks: Yeah, I mean backing up just slightly to what you said before the question.

Dave Bittner: Yeah.

Tim Starks: You know, one of the things that seems to have really triggered this let's be opportunistic is ransomware and the harm that it's caused to the United States over the years. And, you know, they seem to make some progress on that, that, you know, people have praised the law enforcement operations, their focus on disruption. But as we, you know, put in the newsletter a couple of weeks ago, or actually just last week, people aren't entirely sure that's going to be a lasting change, so we'll see how that goes.

Tim Starks: The answer was interesting to me in this way. There are these First Amendment concerns about whether if the United States were to ban TikTok, whether that would be a violation of the First Amendment. It's a platform that people use to communicate and, you know, the civil libertarians, Senator Rand Paul, so, you know, he certainly would consider himself a civil libertarian. But we're talking about, in some cases, a range of ideological perspectives because he is more conservative than your traditional what we think of as a civil libertarian.

Tim Starks: What was slightly interesting about that answer was she thinks that the RESTRICT Act puts them on stronger legal footing if there is any action taken. This is a case where the people who are doing the review of TikTok, the Committee on Foreign Investment in the United States, is extremely secretive. They always meet behind closed doors. Getting a little bit of information about what they're doing is always a lot for them. They- I had asked her several questions about TikTok and that was the only one she even came close to answering.

Tim Starks: So, yeah, I hear you on unsatisfying. I think everybody is getting impatient, and by everybody, I mean TikTok, I mean probably other people in the federal government. I think probably Capitol Hill. This negotiation has been going on for years now. When are we gonna get a resolution for this? And I sense your frustration and I share it a little bit. Just as a reporter, like I would really like to know what's gonna happen here.

Dave Bittner: Yeah. Yeah. I suppose, I mean, not satisfying, but also not surprising that it would be kind of a beige answer.

Tim Starks: Yeah, it would, you know, the other questions I asked her were maybe a little bit more specific and maybe that's why she didn't answer them. I was really being careful to- I had seen her talk about TikTok at the conference I just mentioned, so I knew that- I knew what she wasn't going to want to talk about. But I tried to phrase things in a way that I thought would just be innocuous enough that she would answer them or that they would be not making her touch on the specifics of the case. But she was pretty consistent on staying on that line of thinking. And I under- like you said, unsurprising. I understand why, but it's also I wish they were talking more about this. I wish we knew more about what was happening.

Dave Bittner: Right, right. Well, I highly suggest that our listeners check out the interview with Lisa Monaco from the Department of Justice. Again, that's over on the Cybersecurity 202, which is authored by Tim Starks. Tim, thanks so much for joining us.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our "Daily Briefing." The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.