The CyberWire Daily Podcast 5.30.24
Ep 2078 | 5.30.24

Operation Endgame: Hackers' hideouts exposed.


Operation Endgame takes down malware operations around the globe. A major botnet operator is arrested. Ticketmaster’s massive data breach is confirmed, and so is Google’s SEO algorithm leak. Journalists and activists in Europe were targeted with Pegasus spyware. Okta warns users of credential stuffing attacks. NIST hopes to clear out the NVD backlog. On our Threat Vector segment, host David Moulton speaks with Greg Jones, Chief Information Security Officer at Xavier University of Louisiana. Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, joins us to discuss software security. LightSpy surveillance malware comes to macOS. ChatGPT briefly gets a god mode.

Today is Thursday, May 30th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Operation Endgame takes down malware operations around the globe. 

An international law enforcement operation, codenamed 'Operation Endgame,' has seized over 100 servers used by major malware loader operations like IcedID, Pikabot, and Trickbot. The operation, conducted from May 27-29, 2024, spanned Europe and North America. Authorities arrested four individuals, one in Armenia and three in Ukraine, and identified eight fugitives who will be added to Europol's 'Most Wanted' list.

The seized infrastructure hosted over 2,000 domains providing illicit services. Operation Endgame was a collaborative effort involving police forces from Germany, the U.S., the U.K., France, Denmark, and the Netherlands, with support from cybersecurity experts from various organizations, including Bitdefender and Proofpoint.

Malware droppers, which establish initial access to devices, were central to this operation. These tools often come through malicious emails or trojanized installers and employ evasive tactics like code obfuscation. Once installed, they can deploy more dangerous payloads, including information stealers and ransomware.

Europol reported that one suspect made over €69 million ($74.5M) by renting out their infrastructure for ransomware deployment. 

It is worth noting the conspicuous swagger that international law enforcement is displaying in their online promotion of Operation Endgame. The campaign features a custom website with a prominent countdown timer, movie-trailer-style videos and foreboding text warning bad actors that there is nowhere to hide. Operation Endgame could be subtitled Operation Mindgame.

A major botnet operator is arrested. 

The U.S. Department of Justice (DOJ) arrested YunHe Wang, the alleged operator of the 911 S5 anonymity service, which was backed by one of the world's largest botnets. The arrest, made in Singapore, coincided with the seizure of the 911 S5 website and infrastructure. The service used "free VPN" products to turn computers into traffic relays, facilitating billions in online fraud.

From 2015 to July 2022, 911 S5 sold access to compromised Windows computers as proxies. The service was popular for its low prices and reliability among cybercriminals. Wang is charged with computer fraud, wire fraud, and money laundering, facing up to 65 years in prison. Authorities also seized $30 million in assets linked to the operation.

Ticketmaster’s massive data breach is confirmed, and so is Google’s SEO algorithm leak. 

We reported yesterday on speculation that Ticketmaster had suffered a major data breach, and since then multiple confirmations have been reported. 

The hacker group ShinyHunters claims to have stolen data from over 500 million Ticketmaster customers. They are selling the 1.3 terabyte trove, which includes full names, addresses, phone numbers, email addresses, order history, and partial payment data, for $500,000.

This breach follows a U.S. Justice Department antitrust lawsuit against Ticketmaster's parent company, Live Nation Entertainment, for monopolistic practices in the live music industry. Australia's Home Affairs Department has confirmed a "cyber incident impacting Ticketmaster customers," but the company has yet to comment. ShinyHunters claims to have attempted to notify Ticketmaster but received no response.

Speaking of confirmations, Google confirmed the authenticity of 2,500 leaked internal documents detailing data collection practices, some potentially used in its search ranking algorithm. The leak offers an unprecedented glimpse into Google’s operations but remains murky. Google warned against drawing conclusions from what it says is out-of-context, outdated, or incomplete information.

SEO experts Rand Fishkin and Mike King first analyzed the documents, revealing data Google representatives claimed were not used for rankings, like clicks and Chrome user data. While the exact use of this data remains unclear, the leak is expected to impact the SEO, marketing, and publishing industries by providing new insights into Google's highly secretive search algorithm.

Journalists and activists in Europe were targeted with Pegasus spyware. 

A new investigation revealed that at least seven journalists and activists in Europe were targeted with NSO Group’s Pegasus spyware from August 2020 to April 2023. The investigation, by Access Now, Citizen Lab, and researcher Nikolai Kvantaliani, found that Russian, Belarusian, Latvian, and Israeli individuals were targeted, especially following Russia’s invasion of Ukraine in 2022.

The report highlights the ongoing threat to European civil society and calls for a moratorium on digital surveillance technologies until proper human rights safeguards are established. The EU has been criticized for its lack of action against spyware abuse despite multiple scandals and recommendations for stronger regulations.

Okta warns users of credential stuffing attacks. 

Okta warns customers of credential stuffing attacks targeting the Customer Identity Cloud's cross-origin authentication feature. Threat actors are using stolen username and password combinations from phishing, malware, or data breaches to compromise customers' tenants.

Customers should review logs for suspicious activity, such as failed or successful cross-origin authentication attempts and logins with leaked passwords. Okta advises rotating compromised passwords, enrolling in passwordless authentication, enforcing strong passwords, implementing MFA, disabling unused cross-origin authentication, restricting permitted origins, and enabling breached password detection.

This warning follows a cyberattack in October 2023, where customer support system user data was stolen. 

NIST hopes to clear out the NVD backlog. 

The National Institute of Standards and Technology (NIST) has awarded a contract to help process incoming Common Vulnerabilities and Exposures (CVEs) for the National Vulnerability Database (NVD). They aim to clear the backlog of unprocessed CVEs by September 30.

NVD's slowdown in CVE enrichment became evident in February. NIST is implementing a multi-pronged solution, including improved tools, automation, and a consortium to address challenges. They have been ingesting CVE 5.0 and 5.1 records hourly since May 20.

NIST is committed to modernizing the NVD and addressing the growing volume of vulnerabilities with technology and process updates, ensuring the program's sustainability and supporting automated vulnerability management.

LightSpy surveillance malware comes to macOS. 

A macOS version of the LightSpy surveillance framework, previously known for targeting Android and iOS, has been discovered. LightSpy, used to steal data such as files, screenshots, and location information, has been active against targets in the Asia–Pacific region.

Security firm ThreatFabric reports that the macOS implant has been in the wild since January 2024 but is currently limited to testing environments and a few infected machines used by cybersecurity researchers. The attackers exploit WebKit flaws to compromise macOS devices.

The macOS version uses ten plugins, including sound recording, browser data extraction, and screen recording, to exfiltrate data. ThreatFabric's access to the control panel revealed potential implants for Windows, Linux, and routers, although their usage remains unclear.



Eric Goldstein is currently the Executive Assistant Director for Cybersecurity at CISA. Not long ago, Eric announced that he’s leaving CISA for a position in the private sector. While at CISA, Eric has kept us apprised of their work on important cybersecurity topics and we recently discussed software security. We will have a closing discussion with Eric about his work at CISA in the coming weeks. Stay tuned. 

In this Threat Vector segment, host David Moulton speaks with Greg Jones, Chief Information Security Officer at Xavier University of Louisiana. Greg brings a wealth of knowledge from his military background and applies a disciplined, adaptive approach to securing one of America's most vibrant educational institutions. They discuss how Greg's cybersecurity strategies, ranging from comprehensive awareness campaigns to dark web monitoring, protect the campus community from emerging threats like phishing, ransomware, and social engineering. Greg shares how he builds a culture of cybersecurity, the importance of proactive and adaptive strategies, and how empowering students and faculty transforms them into crucial allies in protecting the digital campus. Tune in to discover how collaborative ideas shape resilient security measures and how adaptable strategies ensure success in this ever-evolving field.

We’ll be right back.

Welcome back. And a reminder that we will have a fuller discussion with Eric Goldstein coming up about his time at CISA in the next few weeks.

ChatGPT briefly gets a god mode. 

And finally, a white hat hacker and AI enthusiast named Pliny the Prompter unveiled "GODMODE GPT," a jailbroken version of OpenAI's GPT-4. Pliny proudly announced on X (formerly Twitter) that GPT-4o is now free from its restrictive guardrails, offering users an "unchained" AI experience.

"GPT-4o UNCHAINED! This very special custom GPT has a built-in jailbreak prompt that circumvents most guardrails, providing an out-of-the-box liberated ChatGPT so everyone can experience AI the way it was always meant to be: free," Pliny boasted, complete with a smooch emoji.

Pliny shared screenshots showcasing the bot’s newfound freedom, advising on meth recipes and napalm creation using household items. However, the celebration was short-lived. OpenAI’s spokesperson Colleen Rize quickly responded, stating, "We are aware of the GPT and have taken action due to a violation of our policies."

Despite its brief existence, the hack underscores the ongoing battle between OpenAI and those eager to bypass its restrictions. Jailbreaking AI models like ChatGPT has become increasingly difficult, but Pliny's GODMODE managed to slip through the cracks. Testing the jailbreak confirmed its willingness to assist with illicit queries, from making LSD to hotwiring a car.

GODMODE employs "leetspeak," replacing letters with similar-looking numbers (e.g., "E" becomes "3" and "O" becomes "0"). This trick seems to bypass OpenAI's defenses, although the exact mechanics remain unclear.

This latest hack highlights the cat-and-mouse game between AI developers and hackers, showing that as long as there are people like Pliny, OpenAI will have its hands full keeping its systems secure.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.