The CyberWire Daily Podcast 7.11.23
Ep 1860 | 7.11.23

Collective defense in cyberspace. Notes on gangs, privateers, and hacktivist auxiliaries. Amazon Prime Day is now a commercial holiday (like Black Friday): crooks have noticed–stay safe.


Dave Bittner: NATO considers Article 5 in cyberspace while cyberattacks conducted in the Russian interest target the NATO summit. Anonymous Sudan remains a nuisance-level irritant. Cl0p's surprising use of MOVEit exploits. Asylum Ambuscade is a case study in privateering. There are reports of a breach at Razer. An indictment in a cyber incident at a California water treatment facility. Genesis Market's fire sale. Carole Theriault on the data Amazon customers provide with some suggestions on curbing it. Our guest is Dimitri Bestuzhev, Senior Director in Cyber Threat Intelligence for BlackBerry. And Amazon Prime Day is upon us, and the crooks have noticed.

Dave Bittner: I'm Dave Bittner with your CyberWire Intel briefing for Tuesday, July 11, 2023.

NATO considers Article 5 in cyberspace.

Dave Bittner: The summit in Vilnius, Lithuania, affords an opportunity for NATO to take stock of its collective cyber defenses. The NATO Cooperative Cyber Defence Centre of Excellence in Tallinn has proven its value, and as cyberspace has become a generally recognized operational domain, the alliance may consider ways in which it might build even more effective collective security in that fifth domain. Security Week offers a range of suggestions that may be under consideration from collective joint cyber training to the formation of a NATO Cyber Command analogous to the National Cyber Command several of its members have developed to considerations of the ways in which cyberattacks might trigger the collective defense provisions of Article 5 and consideration of what a proportionate response to the cyber phases of a hybrid war might look like. The summit runs today and tomorrow. We will be following the cyber relevant developments.

Cyberattacks aimed at the NATO summit (and conducted in the Russian interest).

Dave Bittner: BlackBerry researchers have found that the RomCom threat actor is using malicious documents to spread its Remote Access Trojan. The targeting is significant. BlackBerry says based on the nature of the upcoming NATO Summit and the related lure documents sent out by the threat actor, the intended victims are representatives of Ukraine, foreign organizations, and individuals supporting Ukraine. The researchers' conclusion reads, "Based on the available information, we have medium to high confidence to conclude that this is a RomCom rebranded operation or that one or more members of the RomCom threat group are behind this new campaign supporting a new threat group." So the NATO summit hasn't escaped the attention of those interested in disrupting what Russian state media nowadays calls the "collective West."

Anonymous Sudan remains a nuisance-level irritant.

Dave Bittner: Anonymous Sudan launched another wave of DDoS attacks against U.S.-owned companies over the weekend, leading into Monday morning. The group, widely believed to be a Russian cyber auxiliary, claimed that the DDoS attacks against Reddit, Tumblr, Flickr, and were to take down services which host LGBTQ-plus and not-safe-for-work content. The group explained on its Telegram page, "It's part of our campaign targeting companies registered in the United States. The operators of this site is Organization for Transformative Works, OTW, who are registered in the United States. In addition to that, we are against all forms of degeneracy, and the site is full of disgusting smuts and other LGBTQ-plus and NSFW things." Anonymous Sudan has also posted tweets from irritated users of Tumblr, Reddit, and Flickr, presumably as evidence of the hacktivist auxiliary's successful DDoS attack. Update on the Anonymous Sudan story from yesterday, after the company for's parent AO3 tweeted that their volunteer IT staff is working to fight off the DDoS attack, Anonymous Sudan wrote that they demand a ransom of $30,000. Anonymous Sudan will attack, and if there's public outrage or irritation, the group demands money. Anonymous Sudan, despite its name, is almost certainly a front operated under the direction of Russian intelligence. It's shown a growing sophistication in its operations, and its DDoS activity, more successful than most such attacks, suggests that it's receiving relatively lavish funding. The infrastructure necessary to conduct a DDoS on the scale the group has doesn't come cheap, Cybersecurity Dive points out.

Cl0p's surprising use of MOVEit exploits.

Dave Bittner: Researchers at Huntress note that the Cl0p gang, despite compromising many entities via the MOVEit vulnerabilities, still hasn't used the access to deploy ransomware or compromise entire organizations. The group appears to be monetizing compromises that took place in late May by posting stolen data to its leak site. The researchers believe Cl0p overloaded itself with opportunities and is working to monetize as many of them as possible until discovery or eviction. For all of Cl0p's prominence and MOVEit exploitation, their backlog is surprising and, on reflection, a little dismaying. Just how much has the gang got on its plate?

Asylum Ambuscade: a case study in privateering.

Dave Bittner: Asylum Ambuscade is a criminal group active since 2020, at least, that's engaged in attacks against banks and cryptocurrency traders. ESET reports that the gang increasingly is functioning as an espionage service as well. ESET writes, "Asylum Ambuscade has been running cyber espionage campaigns since at least 2020." Asylum Ambuscade, whose attacks commonly begin with spear phishing, is thought to be a financially motivated group that engages in cyber espionage as a side hustle. Who's hiring them is unclear and ESET offers no speculation, but Infosecurity Magazine notes some coincidences that suggest circumstantially that Pyongyang may be a client.

Report: breach at Razer.

Dave Bittner: Bleeping Computer reported yesterday on recent rumors that the video game hardware company Razer may have been hacked on July 8th. A user on a nondescript hacker forum made a post titled " source code, database, encryption keys, etc.," and requested $100 in Monero cryptocurrency, which is known for its transaction anonymity, for a full dump of the alleged stolen information. Razer responded to this claim on July 9th in a tweet stating, "We have been made aware of a potential breach and are currently investigating." Bleeping Computer also reported that Razer seems to have reset all member accounts requiring users to log in with their password and username, likely as a security response to the potential breach. Razer, while famous for their gaming accessories, also has several online paid services such as Razer Gold, a video game purchasing service with the ability to purchase in game items.

An indictment in a cyber incident at a California water treatment facility.

Dave Bittner: A federal grand jury has indicted a man from Tracy, Massachusetts, for intentionally causing damage to a protected computer after he was accused of remotely deleting critical software from a water treatment facility. The man, Rambler Gallo, was employed as an instrumentation and control tech for a private company responsible for operating the Discovery Bay water treatment plant located in Discovery Bay, California. The indictment was filed on June 27th and was unsealed on July 6th. HackRead reports that Gallo apparently resigned from the company responsible for servicing the plant and subsequently uninstalled the critical software on the water plant's computers. We note that Mr. Gallo is, of course, entitled to the presumption of innocence with respect to the allegations.

Genesis Market's fire sale.

Dave Bittner: The operators of the criminal marketplace Genesis Market are attempting to sell the platform, The Record reports. The attempted sale follows disruptions and seizures carried out by the U.S. FBI earlier this year. The criminals say the sale includes all the developments including a complete database, source codes, scripts with a certain agreement, as well as server infrastructure. So hop to it, world. The boss is on vacation, or maybe under indictment, which amounts to pretty much the same thing, and they've all gone crazy. Step right up, all sales are probably final.

Shoppers are Prime targets for scammers and hackers on Amazon Prime Day.

Dave Bittner: And finally, we've long seen that cyber criminals, hacktivists, and even intelligence services pay as much attention to the calendar as any ordinary Joe or Jane, and since we now tend to observe sales as if they were holidays like Black Friday or Cyber Monday, the crooks are observing these in their own way, too. As Amazon Prime Day arrives with promising deals and discounts, it also presents a perfect opportunity for scammers and cyber threat actors to take advantage of eager shoppers. Verity released a preparatory report for users in an attempt to cut the threat actors off at the pass. Verity explains that PDF-based phishing schemes are a common tool to trick shoppers into giving up their Prime credentials. They say unsuspecting users are directed to a phishing website after opening the PDF document meticulously crafted to mimic the official Amazon login page. The attackers employ AI-generated text, such as ChatGPT-generated content, to make the phishing sites look convincing. The threat actors are also almost certainly going to use email and fake applications as phishing techniques. It's imperative that users only visit the legitimate Amazon shopping page or use the Amazon shopping application which was developed by Amazon Mobile, LLC. Verity also suggests verifying that the website you're visiting is legitimate before inputting any personal information. Don't be a prime target for threat actors and scammers. Remain vigilant and skeptical. And happy Prime Day to all those who celebrate.

Dave Bittner: Coming up after the break, Carole Theriault on the data Amazon customers provide and some suggestions on curbing it. Our guest is Dimitri Bestuzhev, Senior Director in Cyber Threat Intelligence for BlackBerry. Stay with us.

Dave Bittner: Dimitri Bestuzhev is Senior Director in Cyber Threat Intelligence for BlackBerry. They recently published their Q1 Global Threat Intelligence Report, and I checked in with Dimitri Bestuzhev for the details.

Dimitri Bestuzhev: One of the, let's say, like, terrific things we have seen in 90 days, we have seen, what we have talked, 1,578,000 malware-based attacks, and that is like really a big number, because when you convert it into seconds and to minutes, and so you realize that it's about 12 attacks per minute, every minute. Also, there is something interesting. While splitting those 90 days per week, we can see that the major number of attacks, more than 200,000 attacks, happen exactly the first week of December. So why? Because holidays, shopping season, online purchases, everybody is like looking to buy something, also online promotions like on-sale things. So that is what we can say in regards to the amount of attacks have happened exactly first week of December, while the lowest number of attacks happened on the fourth week of December, which is, again, logical because occasions of people already bought everything, so nobody's doing any online purchase. They're just being with the family, sitting home, relaxing. So that said, it's interesting that malware reflects motivations of threat actors and also victims' habits. So it's not about malicious code only. It's about people. It's about life.

Dave Bittner: What are you seeing in terms of the threat actors themselves, the tools they're using and how aggressive they are?

Dimitri Bestuzhev: That's a sad part. It's something which concern me -- concerns me most because we have seen that the threat actors and, might say, financially motivated threat actors, nation state threat actors, those who are, let's say, like in shade or gray zone, it's unclear who it can be because they use, let's say, like shared tools, same tools, same weapons used by both nation state and cybercrime. They -- those threat actors, in general, they have targeted the following industries, like most targeted A-listers are financial institutions 34%, then followed by health services 14%, and then it's food and retail in 12%. So that is about 60% of all attacks, and essentially, it's all we need to live. We need access to our finances. We need to access to health care. We need access to food. So we see that independently on the region, so the threat actor and the motivation, the impact, like, what are the targets, what kind of businesses or industries they are targeting, and it's like what we need in just to live. So that's something like really concerning.

Dave Bittner: So based on the information that you all have gathered here, what are your recommendations? How should folks go about best protecting themselves?

Dimitri Bestuzhev: That is about knowing who are the threat actors specifically targeting, the industry you work for, the industry you defend. Who are those threat actors? What weapons do they use, and how they use them. That approach is also called applied -- CTI-applied cyber threat intelligence. So it's about getting factual contextual knowledge which you can use to anticipate the attacks and to take specific actions, like, for example, to test your protection capabilities, if not your detection capabilities. Same as your response. Can you respond to that attack and recover -- recover? So that information based on the actual attacks, actual weapons, actual threat actors helps blue teamers, red teamers, purple team, and joint team exercises to test actual capabilities in terms of protection, prevention, response, etc., and that'll -- that also helps to understand even if the tools we are using, let's say, to protect my network, to protect my assets, if they are even designed to help me to face those threat actors, because sometimes they might use -- threat actors might use tactics, techniques, and procedures which are out of protection scope. It means even with the best things, we can do best effort, if our systems, defensive systems are not designed to protect against specific techniques, we will not in a position -- be in a position to stop that threat actor. So my recommendation is to use CTI, cyber threat intelligence, with that context so everyone may first do an effective threat module, and second, test your capabilities I mentioned just before.

Dave Bittner: That's Dimitri Bestuzhev from BlackBerry.

Dave Bittner: You may have noticed that it is Amazon Prime Day, but you may also be wondering what information does Amazon gather about you and your shopping habits, among other things. Our U.K. correspondent Carole Theriault was wondering the same thing. She files this report.

Carole Theriault: So there I was reading an article in The Guardian about the gazillion-dollar data hoover that is Amazon, and honestly, I was feeling a little smug here because I do not have an Amazon home assistant. I do not have a Kindle. I do not have a Ring doorbell. But then I had to swallow my pride because I am indeed an Amazon Prime member. Now, I use this membership to buy items I cannot find locally or another shop, and I also enjoy their video streaming service. And listen to this passage from The Guardian, quote, the 200 million users who are Amazon Prime members are not only the corporation's most valuable customers but also the richest source of user data. The more Amazon and services you use, whether it's the shopping app, the Kindle e-reader, the Ring doorbell, the Echo Smart Speaker, or the Prime streaming service, the more their algorithms can infer what kind of person you are and what you are most likely to buy next. The firm's software is so accomplished at prediction that third parties can hire its algorithms as a service called "Amazon Forecast." I mean, Amazon's data collection is so vast that the only way to stop it completely is not to use the services at all. Actually, it's probably even worse than that. It probably means trying to stay off the internet entirely, and it's not like Amazon hasn't just recently been seriously dinged. It was hit with an $886.6 million fine for processing personal data in violation of the EU data protection rules, the GDPR, and that isn't pocket change even for the mega giant that is Amazon. Now, The Guardian go on to make a few suggestions. If you wanted to try and curb some of the data that was being collected by Amazon, you can ask the company for a copy of your data by applying under a data subject access request. The Alexa assistant and Ring doorbell have their own privacy hubs that allow you to delete recordings and adjust privacy settings. 
Inside the Ring control center, you can tweak settings, including who is able to see and access your videos and personal info from the central dashboard, and even when you are speaking to your home assistant, you can say, "Delete what I just said," or "Delete everything I said today." You could also use privacy-focused browsers such as DuckDuckGo, Firefox, and Brave to stop Amazon from tracking you. And here's the thing that really gets me in all this. It's that these are not free services that Amazon are kindly providing to you in exchange for your data. They are charging you for the Kindle and then access to the digital books and they're using that collated data to help build a profile view for their advertising partners. Same goes for the Ring doorbell or the home assistant, and yes, same goes for me, an Amazon Prime user who is paying for these services but also providing them huge amounts of data so they can build a profile about me. Maybe that's why I keep getting retirement and funeral ads. I think they've got my age slightly wrong or they know something I don't. I'm not sure what's scarier. I don't know, it just reeks of unregulated greed, like someone who has cashed in their chips but continues to play poker. Not someone I'd want as a friend or as a business partner, and maybe I really need to think hard about lining Jesus's pockets just so I can stream a few movies. This is Carole Theriault with the CyberWire.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at We'd love to know what you think of this podcast. You can email us at Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector as well as the critical security team supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your teams smarter. Learn more at This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.