The CyberWire Daily Podcast 4.18.24
Ep 2049 | 4.18.24

From phishing to felony.


A major Phishing-as-a-service operation gets taken down by international law enforcement. US election officials are warned of nation-state influence operations. The house votes to limit the feds’ purchase of citizens personal data. A Michigan healthcare provider suffered a ransomware attack. Critical infrastructure providers struggle to trust cybersecurity tools. Cloudflare reports on DDoS. Kaspersky uncovers new Android banking malware. Kubernetes cryptominers leverage previously patched flaws. The Massachusetts Attorney General emphasizes the responsible use of AI. Our guest Caleb Barlow, CEO of Cyberbit, joins us to talk about badge swipe fraud as more are returning to the office. Colorado passes a law to keep big tech out of our heads. 

Today is April 18th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A major Phishing-as-a-service operation gets taken down by international law enforcement. 

In a major global crackdown, the LabHost phishing-as-a-service (PhaaS) platform has been dismantled following a year-long international law enforcement operation, leading to the arrest of 37 suspects, including the platform's original developer. Launched in 2021, LabHost facilitated cybercriminals in orchestrating phishing attacks against North American banks and services through a subscription model. The platform offered phishing kits, hosting infrastructure, and tools for automatic email phishing.

Digital security firm Fortra flagged LabHost's burgeoning popularity in February 2024, as it began outperforming established PhaaS providers. Coordinated by Europol with support from 19 countries and private sector giants like Microsoft and Trend Micro, the operation identified over 40,000 phishing domains and 10,000 global users linked to LabHost. One of LabHost's standout tools, LabRat, enabled real-time management of phishing attacks, including capturing two-factor authentication tokens.

Actions peaked between April 14 and 17, 2024, with simultaneous raids at 70 locations worldwide, arresting key figures behind LabHost and seizing 207 servers in Australia alone. The UK's Metropolitan Police took into custody four individuals, pinpointing the platform's core developer. Before its disruption, LabHost amassed roughly $1.17 million from subscriptions. Following the operation, authorities have begun notifying 800 users of impending investigations, uncovering that LabHost facilitated the theft of nearly half a million credit cards and a million passwords. Despite a significant outage in October 2023, which sparked exit scam rumors, LabHost resumed full operations by December, with its eventual takedown casting doubt on the outage's connection to law enforcement activities.

US election officials are warned of nation-state influence operations. 

US election officials have been alerted by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Office of the Director of National Intelligence (ODNI) about potential nation-state influence operations from Russia, China, and Iran aiming to disrupt the 2024 elections, including the Presidential Election. These operations intend to erode confidence in democratic institutions and sway public opinion by exploiting societal divisions using methods ranging from generative AI to deepfakes. Tactics include masquerading as legitimate media, voice cloning, cyber intrusions, creating false evidence of incidents, paying influencers without their knowledge of the operation's origin, and using social media to spread disinformation. To combat these threats, the agencies recommend educating the public and election staff on recognizing and countering disinformation, securing IT systems, and using authentication measures for public content. Voters are also encouraged to scrutinize information sources critically, especially for AI-generated content.

The house votes to limit the feds’ purchase of citizens personal data. 

The House of Representatives has passed the "Fourth Amendment is Not for Sale Act," aiming to limit the government's ability to purchase Americans' data from data brokers without a warrant or subpoena, despite opposition from the Biden administration citing national security concerns. The bill, which prohibits federal agencies from buying commercially available information (CAI), passed with a 219-199 vote, seeing bipartisan support and opposition. The White House, alongside some Biden administration officials, criticized the bill as a threat to national security and counterterrorism efforts, calling it "unworkable" and "devastating." However, proponents argue it protects Americans' privacy rights against unreasonable search and seizure, addressing concerns over the unregulated sale of sensitive personal data by data brokers. This legislative move follows revelations about the extensive governmental use of CAI and the risks associated with data brokers' business practices.

A Michigan healthcare provider suffered a ransomware attack. 

Healthcare provider Cherry Street Services (Cherry Health) in Michigan has informed over 180,000 individuals about a ransomware attack on December 21, 2023, that compromised personal data, including Social Security numbers and health information. After initially disclosing the incident in early January, Cherry Health confirmed ransomware involvement and completed risk assessment by March 25, 2024. Affected individuals are being offered free credit monitoring and identity protection services. Cherry Health, with more than 20 locations and 800 healthcare professionals, continues to respond to the aftermath of the attack.

Critical infrastructure providers struggle to trust cybersecurity tools. 

A report from security firm Bridewell indicates that critical national infrastructure (CNI) providers are experiencing diminished trust in cybersecurity tools, exacerbated by sophisticated nation-state attacks, particularly from China and Russia. Interviews with over 1000 CISOs in the US and UK reveal a 121% increase in concerns over cybersecurity tool trust from last year. Additionally, cybersecurity budgets have sharply decreased, with allocations for IT and operational technology (OT) dropping significantly. Despite financial constraints, 30% of CNI victims of ransomware paid extortionists, potentially risking legal issues. Moreover, ransomware attacks have had psychological impacts on employees. Bridewell advocates for robust security strategies to mitigate these risks and avoid the difficult choice of paying ransoms.

Cloudflare reports on DDoS. 

Cloudflare's most recent DDoS threat report, covering Q1 2024, reveals a 50% year-over-year increase in DDoS attacks, with 4.5 million incidents mitigated. DNS-based attacks surged by 80%, remaining the most common vector. A notable spike occurred in Sweden, with attacks up 466% following its NATO acceptance, echoing Finland's previous experience. The report also highlighted the persistence of Mirai-variant botnets, responsible for a 2 Tbps attack against an Asian hosting provider. Additionally, concerns about sophisticated DNS-based DDoS threats prompted the introduction of Cloudflare's Advanced DNS Protection system. Despite overall increases in DDoS activity, budget allocations for cybersecurity within IT and OT sectors have decreased, underscoring the growing challenge of defending against these evolving cyber threats.

Kaspersky uncovers new Android banking malware. 

'SoumniBot', a new Android banking malware, employs a novel obfuscation technique by manipulating the Android manifest parsing process, thus dodging standard security measures on Android phones for info-stealing activities. Kaspersky researchers found that SoumniBot alters the manifest file's compression value and size, and uses excessively long XML namespace strings to confuse analysis tools. Once installed, it stealthily performs malicious activities like data theft and command execution, while primarily targeting Korean users. The malware's discovery has prompted notifications to Google regarding the limitations of the APK Analyzer against such evasion techniques.

Kubernetes cryptominers leverage previously patched flaws. 

Attackers are exploiting critical vulnerabilities in OpenMetadata, an open-source data catalog platform, to conduct a Kubernetes cryptomining campaign. Microsoft discovered the campaign, leveraging flaws patched on March 15. These vulnerabilities allow for remote code execution and authentication bypass, enabling attackers to install cryptomining malware on unpatched, internet-exposed systems. The malware, hosted on a server in China, aims to mine cryptocurrency, with attackers leaving notes soliciting Monero donations. They maintain access through reverse shell connections and scheduled cronjobs. Admins are advised to update their software and secure their systems against these exploits.

The Massachusetts Attorney General emphasizes the responsible use of AI. 

The Massachusetts Attorney General, Andrea Campbell, has issued a warning that developers, suppliers, and users of artificial intelligence (AI) must adhere to state consumer protection, anti-discrimination, and data privacy laws amid the rising use of AI and algorithmic decision-making. The advisory emphasizes the application of existing laws to AI technologies, highlighting concerns over bias, lack of transparency, and potential harms. Campbell underscored the balance between AI's potential benefits and the risks it poses, such as discrimination and privacy breaches. Misrepresentation of AI capabilities, using AI for deceptive practices, and failing to disclose AI interaction to consumers could violate state laws. The advisory also focuses on ensuring AI systems are free from bias before market entry and stresses the importance of transparency in AI interactions.

Coming up Cyberbit’s CEO Caleb Barlow joins us to talk about badge swipe fraud as more people are returning to the office. Caleb wonders if your employees are faking their badge swipes?

We’ll be right back

Welcome back

Colorado passes a law to keep big tech out of our heads. 

In an era where the line between science fiction and reality increasingly blurs, Colorado has taken a pioneering step to safeguard the sanctity of our innermost thoughts. With the stroke of Governor Jared Polis's pen, the state has boldly declared that our neural data— the intimate electrical whispers of our brains— deserves protection from the voracious appetite of emerging technologies.

By expanding the definition of "sensitive data" to include our biological and neural information, the state is not just protecting us from today's privacy intrusions but also those of a future we're still trying to fathom. It's a reminder that as technology leaps forward, our legal frameworks must evolve too, to preserve our dignity and autonomy.

Colorado lawmakers say this isn't about stifling innovation or putting a damper on the potential benefits that neurotechnologies could bring. It's about proceeding with caution and respect for individual rights in uncharted territories. After all, the essence of who we are—our thoughts, emotions, and memories—should not be up for grabs.

It's a bold move, acknowledging the profound implications of neurotechnology and its potential to transcend the boundaries of personal privacy. In a world where your brain's data could reveal more about you than your social media profiles ever could, Colorado is setting a precedent for the rest of the nation, perhaps even the world, to follow.

The legislation isn't just about protecting privacy; it's about maintaining our autonomy—ensuring that as we stand on the brink of this new technological era, we retain control over the most private parts of ourselves. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. You can email us at—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.