The CyberWire Daily Podcast 12.21.23
Ep 1972 | 12.21.23

Kingdom come, kingdom fall.


German officials take down a dark web market. Google patches a zero-day. Terrapin attack targets SSL. A look at payment fraud. Agent Tesla is spreading through an old vulnerability. An iPhone thief explains his techniques. Ukrainian reprisals for Russia's Kyivstar attack. Israeli officials warn of data wipers. Rick Howard speaks with Scott Roberts of Interpress about Driving Intelligence with MITRE ATT&CK, and leveraging limited resources to build an evolving threat repository. And go ahead and click that like button - just don’t expect to get paid.

It’s Thursday, December 21st 2023.. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

German officials take down a dark web market.

Germany's Federal Criminal Police Office (BKA) and Frankfurt's internet-crime unit (ZIT), in collaboration with international authorities, have seized Kingdom Market, a notorious dark web marketplace known for drugs, cybercrime tools, and fake IDs. Operational since March 2021 and facilitating transactions in cryptocurrencies, Kingdom Market catered to an extensive international user base with over 42,000 items, including a significant portion from Germany. The operation led to the arrest of an administrator in the U.S. and ongoing efforts to identify further operators through server analysis. The seizure has caused a stir among its users and other darknet communities, with reports of significant financial losses and arrests related to the platform's infrastructure. In the wake of the marketplace's closure, other dark web platforms have quickly moved to recruit dislocated users, showcasing the dynamic and competitive nature of illegal online marketplaces.

Google patched zero-day.

Google issued emergency updates for Chrome to fix a zero-day vulnerability, a heap buffer overflow in WebRTC, discovered by its Threat Analysis Group. Google is restricting details on the exploit, which is already active in the wild, to protect users until most are updated. This vulnerability marks the eighth Chrome issue Google has addressed this year.


Terrapin attack targets SSL.

Nearly 30 years after the invention of the Secure Shell Protocol, a new vulnerability known as Terrapin has emerged. This attack targets SSH connections by exploiting specific encryption modes, and it operates through a man-in-the-middle position, allowing attackers to intercept and alter communications during the SSH handshake. Terrapin's prefix truncation technique can disrupt the secure data stream, posing a significant threat as research indicates that a large portion of internet-exposed SSH servers support these vulnerable encryption modes. This development challenges the long-standing security assumptions of SSH, a protocol crucial to the security infrastructure of countless organizations.

A look at payment fraud.

Recorded Future's Insikt Group released its 2023 Annual Payment Fraud Intelligence Report. The study highlighted the persistent use of e-skimmer infections by Magecart actors through platforms like Google Tag Manager and Telegram Messenger. It also noted a rise in targeting restaurants, bars, and online ordering platforms for payment card data breaches, with phishing and scam pages becoming more common for card compromise. The report predicts that in 2024, fraudsters will further refine their techniques, merging advanced technology, intricate workflows, and social engineering to evade rule-based fraud detection systems.

Agent Tesla is spreading through an old vulnerability.

Zscaler identified that cybercriminals are exploiting an old Microsoft Office vulnerability to spread the Agent Tesla keylogger. They send phishing emails with malicious documents, often disguised as 'invoices' or 'orders,' to trick users into downloading attachments. If the user's Microsoft Excel is vulnerable, the opened file silently communicates with a malicious server and downloads further harmful files, requiring no additional action from the user. This exploit emphasizes the need for vigilance against seemingly legitimate emails and the importance of updating software to patch known vulnerabilities.

An iPhone thief explains his techniques.

The Wall Street Journal’s Joanna Stern published a video interview with convicted iPhone thief Aaron Johnson, in which he outlines his journey from homeless pickpocket to being a member of a gang of thieves using social engineering to target unsuspecting victims. Johnson and his associates would befriend their marks at a local bar, casually convince them to reveal their iPhone passcode, then steal the device and drain the victim’s bank accounts and credit cards. Johnson was eventually caught and is currently serving time in a Minnesota Correctional Facility.

Ukrainian reprisals for Russia's Kyivstar attack.

The Ukrainian hacking group BLACKJACK, allegedly aided by Ukraine's Security Service (SSU), retaliated against the recent cyberattack on Ukrainian telecommunications company Kyivstar by targeting Russia's largest private water supplier, Rosvodokanal, disrupting its IT infrastructure and affecting 7 million consumers. The hackers allegedly encrypted over 6,000 computers and deleted 50TB of data, with SSU analyzing 1.5TB of the retrieved information. Additionally, the BLACKJACK group reportedly infiltrated the Russian Ministry of Labor's website and extracted data.  In a related development, the IT Army of Ukraine claimed an attack on Bitrix24's servers, heavily used by Russian companies, causing widespread customer issues. 

Israeli officials warn of data wipers. 

The Israel National Cyber Directorate issued a warning about phishing emails masquerading as F5 BIG-IP security updates, which instead deploy data wipers targeting Windows and Linux systems. The attacks, attributed to pro-Palestinian hacktivist group Handala, are part of a broader trend of cyber aggression against Israel, including destructive data-wiping assaults. The phishing campaign deceives users into downloading malicious executables or scripts, presenting as legitimate updates but ultimately wiping system data. Users are advised to only download files from trusted sources and directly from hardware vendors to avoid such threats.


Next up, we’ve got Scott Roberts of Interpres talking with N2K’s Rick Howard about driving intelligence with MITRE ATT&CK and how to leverage limited resources to build an evolving threat repository. 


Don’t do it for the likes.

And finally, researchers at Bitdefender have exposed a scam where individuals are offered money to like YouTube videos. The scheme begins with a message luring users with payment for engaging with YouTube content. Participants are asked to provide personal details and prove their 'work' by liking videos and posting screen grabs on a Telegram channel. Initially, a small payment is made to the victim to build trust. The scam escalates as victims are encouraged to join a "VIP group" for a fee promising higher earnings. Once paid, the scammers cut communication and block the victim. These deceptive practices are also promoted through Facebook groups under the guise of remote work opportunities. Bitdefender's investigation reveals that this isn't a new tactic, but the small initial payment is a novel twist to engender trust. Users are cautioned against such too-good-to-be-true offers and advised to secure their accounts, report scams, and educate others about these fraudulent practices.

Turns out, 'liking' YouTube videos can lead to an 'unlikeable' bank balance, and can be a real thumbs-down for your wallet.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


Hey CyberWire listeners, as we near the end of the year, it’s the perfect time to reflect on your company’s achievements and set new goals to boost your brand across the industry next year. We’d love to help you achieve those goals. We’ve got some unique end-of-year opportunities, complete with special incentives to launch 2024. So tell your marketing team to reach out! Send us a message to or visit our website so we can connect about building a program to meet your goals.

We’d love to know what you think of this podcast. You can email us at—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at


This episode was produced by Liz Irvin. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.