Inside the crypto scam empire.

A major Pig Butchering marketplace has ties to the Cambodian ruling family. Lulu Hypermarket suffers a data breach. GitLab patches critical flaws. Palo Alto Networks addresses BlastRadius. ViperSoftX malware variants grow ever more stealthy. A New Mexico man gets seven years for SWATting. State and local government employees are increasingly lured in by phishing attacks. Hackers impersonate live chat agents from Etsy and Upwork. The GOP’s official platform looks to roll back AI regulation. On today’s Threat Vector, David Moulton from Palo Alto Networks Unit 42 discusses the evolving threats of AI-generated malware with experts Rem Dudas and Bar Matalon. NATO brings the social media influencers to Washington. 

Today is Thursday July 11th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A major Pig Butchering marketplace has ties to the Cambodian ruling family. 

A feature story in Wired from Andy Greenberg and Lily Hay Newman examines "pig butchering" crypto scams, which  have evolved into a vast criminal industry, stealing tens of billions annually. This scam ecosystem includes tools and services for targeting victims, laundering stolen funds, and even detaining human trafficking victims forced to work in scam operations. New research by Elliptic, a crypto-tracing firm, reveals that a single Cambodian platform, Huione Guarantee, linked to the Cambodian ruling family, supports this industry.

Huione Guarantee, launched in 2021, facilitates peer-to-peer transactions using Tether cryptocurrency via Telegram. Elliptic traced $11 billion in transactions through Huione Guarantee, with $3.4 billion in 2023 alone, primarily supporting pig butchering scams. The platform offers a range of illicit services, including human trafficking tools, scam target data, fake investment websites, deepfake services, and money laundering.

Elliptic's cofounder, Tom Robinson, describes Huione Guarantee as the largest public platform for illicit crypto transactions. The scam operations are often run from compounds in Southeast Asia, where forced laborers live and work under harsh conditions. 

The report suggests that platforms like Huione Guarantee allow scammers to outsource various aspects of their operations, contributing to the increasing scale of these scams. Sean Gallagher from Sophos notes that pig butchering operations often use identical tools and infrastructure across different scams.

Robinson proposes international sanctions against Huione's leadership to disrupt this criminal industry. He emphasizes the need to target such marketplaces to combat the growing threat of crypto scams.

Lulu Hypermarket suffers a data breach. 

Lulu Hypermarket, based in Abu Dhabi, has reportedly suffered a significant data breach, exposing personal details of at least 196,000 customers. The hacker group IntelBroker claimed responsibility, initially leaking some customer details on BreachForums. They announced plans to release the full database later, which includes millions of users and orders. Leaked details include email addresses and phone numbers, posing risks of phishing and identity theft.

Lulu Hypermarket has not confirmed the breach or specified the types of data affected. IntelBroker has a history of targeting major organizations and remains active on BreachForums, now under ShinyHunters' administration. Lulu customers are advised to stay vigilant.

GitLab patches critical flaws. 

GitLab has issued critical security updates to fix multiple vulnerabilities, including a severe flaw (CVE-2024-6385) with a CVSS score of 9.6, allowing attackers to run pipeline jobs as arbitrary users. The company urges immediate upgrades to versions 17.1.2, 17.0.4, or 16.11.6 for both Community and Enterprise Editions.

The critical flaw affects GitLab versions 15.8 to 17.1.1 and was reported through GitLab’s HackerOne program. 

Palo Alto Networks addresses BlastRadius. 

Palo Alto Networks released patches for multiple vulnerabilities, including a critical bug (CVE-2024-5910, CVSS score 9.3) in its Expedition migration tool, allowing attackers to take over administrative accounts. This was fixed in Expedition version 1.2.92. Additionally, a high-severity file upload issue in Panorama (CVE-2024-5911) could lead to a denial-of-service condition requiring manual intervention. Medium-severity flaws in Cortex XDR and PAN-OS software were also addressed, preventing attackers from running untrusted code and tampering with the file system.

The company provided an advisory on the BlastRADIUS vulnerability, which could enable attackers to bypass authentication and escalate privileges in PAN-OS firewalls using CHAP or PAP protocols. No exploitation of these vulnerabilities has been reported. 

ViperSoftX malware variants grow ever more stealthy. 

Researchers at Trellix report the latest variants of ViperSoftX malware use the Common Language Runtime (CLR) to execute PowerShell commands within AutoIt scripts, evading detection. CLR, part of Microsoft’s .NET Framework, allows code execution in a trusted environment. ViperSoftX leverages this to load code within AutoIt, commonly trusted by security solutions. The malware also incorporates modified offensive scripts for increased sophistication.

ViperSoftX steals system details, cryptocurrency wallet data, and clipboard contents, posing a significant threat. Trellix emphasizes the need for comprehensive defense strategies to detect, prevent, and respond to such sophisticated threats.

A New Mexico man gets seven years for SWATting. 

James Thomas Andrew McCarty, 21, from Kayenta, N.M., was sentenced to seven years in federal prison for making hoax threats, including a call to Westfield High School in 2021 that led to a two-hour lockdown. McCarty pleaded guilty to making false calls and aggravated identity theft, using real students' identities. His hoax calls targeted schools and governmental entities across multiple states, none of which were credible threats. McCarty also admitted to hacking a Ring doorbell in Florida, causing a police response he livestreamed for amusement. The FBI and various local authorities assisted in the investigation.

State and local government employees are increasingly lured in by phishing attacks. 

Phishing attacks on state and local government employees have surged by 360% from May 2023 to 2024, driven by the rise in business email compromise (BEC) attacks, which increased by 70%, according to Abnormal Security's annual report. BEC attacks involve impersonating contractors or accounting employees to reroute payments to attackers. These attacks use social engineering tactics, avoiding clear indicators of compromise and often evading conventional security measures.

State and local government agencies are particularly vulnerable due to their frequent interactions with local contractors and mandated transparency, which provides attackers with detailed information to craft convincing emails. Account takeover attacks also rose by 43%, highlighting phishing as a reliable method for breaching networks. Limited cybersecurity resources in government entities increase the likelihood of undetected compromised accounts, posing significant risks.

Hackers impersonate live chat agents from Etsy and Upwork. 

Hackers are now posing as live chat agents for companies like Etsy and Upwork, tricking victims into providing credit card and banking information. This new phishing scam, detailed by cybersecurity firm Perception Point, exploits users' trust in live chat support. Unlike typical scams, this involves real humans giving real-time responses, making it harder to detect.

Hackers create fake web pages mimicking platforms’ payment pages. When victims attempt to verify payments, they're redirected to a spoofed Stripe page where they enter their credit card details, which are then stolen. The scam escalates with a live chat support feature on the fake Stripe page, further extracting sensitive information.

The phishing kit is described as sophisticated and versatile, with reusable templates across multiple platforms. Users are advised to verify support communications, avoid unsolicited links or QR codes, check website URLs for legitimacy, and use multi-factor authentication.

The GOP’s official platform looks to roll back AI regulation. 

The Republican Party’s new official platform, proposed by Donald Trump, emphasizes a laissez-faire approach to tech regulation. It advocates for boosting cryptocurrency and AI, opposing Biden’s crypto crackdown, and repealing his executive order on AI. The platform promises to support cryptocurrency mining, self-custody of digital assets, and transactions free from government control. Critics argue this could harm consumers and promote fraud. The platform also highlights commercial space exploration, aiming to bolster the industry. Notably, it does not address Section 230 or antitrust enforcement. Consumer advocates and some tech industry voices express concerns about these policies, emphasizing the need for regulations to protect consumers and ensure responsible tech development.

 

Coming up on our Threat Vector segment, David Moulton explores the evolving world of AI-generated malware with guests, Rem Dudas, Senior Threat Intelligence Analyst, and Bar Matalon, Threat Intelligence Team Lead. We’ll be right back

Welcome back

NATO brings the social media influencers to Washington. 

And finally,  NATO has decided to bring social media influencers to their Washington summit to improve their image among young people. That’s right —16 content creators from various countries, along with 27 invited by the U.S. Defense and State Departments, are mingling with world leaders. These influencers, popular on platforms like TikTok, YouTube, and Instagram, met top officials, including at the Pentagon and the White House. The idea is to engage a generation born after the Cold War, using people who make dance videos and "how-to" clips.

Critics argue this approach is misguided. They say NATO, a critical defense alliance, seems more interested in viral videos than substantive engagement. Using influencers to promote NATO's mission might appeal to some, but it risks trivializing serious global security issues. It feels like a desperate attempt to stay relevant, glossing over deeper challenges facing the alliance and its public perception.

On the other hand, by leveraging influencers, NATO aims to combat misinformation and disinformation campaigns, particularly those propagated by hostile state actors. Influencers can play a role in disseminating accurate information and countering false narratives.

It’s a bit of a head-scratcher, but if it fulfills NATO’s strategic PR goals, it may also be the shape of things to come. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

 

And that’s the CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.