The CyberWire Daily Podcast 7.17.24
Ep 2109 | 7.17.24

Criminal networks crumble.

Transcript

Interpol pursues West African cybercrime groups. Bassett Furniture shuts down manufacturing following a ransomware attack. A gastroenterologist group notifies patients of a data breach. An Apache HugeGraph flaw is being actively exploited. Octo Tempest updates its toolkit. Satori uncovers evil twin campaigns on Google Play. The cost of the Change Healthcare breach crosses the two billion dollar mark. Cybersecurity venture funding saw a surge last quarter. Cyber regulatory agencies face legal challenges. On our Industry Insights segment, Trevor Hilligoss, Vice President of SpyCloud Labs at SpyCloud, joins us to talk about exploring the intricate world of cybercrime enablement services. Fighting disinformation is easier said than done.

Today is Wednesday July 17th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Interpol pursues West African cybercrime groups.

Interpol has dealt a significant blow to several West African cybercrime groups, including the infamous Black Axe syndicate, through Operation Jackal III. Running from April 10 to July 3 across 21 countries on five continents, the operation resulted in 300 arrests and the seizure of $3 million in assets. Police identified 400 suspects and blocked over 720 bank accounts. Black Axe, known for decades of criminal activity, has profited heavily from romance fraud, business email compromise (BEC), and other financial crimes. Additionally, a Nigerian-led international criminal network was dismantled in Argentina after a five-year investigation, linked to money laundering in over 40 countries and victimizing 160 individuals. Portuguese police also disrupted a Nigerian criminal network involved in recruiting money mules and laundering illicit funds across Europe. 

Bassett Furniture shuts down manufacturing following a ransomware attack.

Bassett Furniture Industries, one of the largest U.S. furniture companies, was forced to shut down its manufacturing facilities following a ransomware attack that began on July 10. The hackers encrypted data files, leading Bassett to activate its incident response plan and shut down some IT systems. While retail stores and the e-commerce platform remain open, the company's ability to fulfill orders is impacted. Bassett is working to restore systems and reduce disruption but admitted the attack has materially impacted operations. No ransomware group has claimed responsibility. This incident occurred as Bassett reported a 17% revenue decrease for Q2 2024. The attack also highlights the growing number of 8-K filings to the SEC regarding cybersecurity incidents, following new disclosure rules effective since December.

A gastroenterologist group notifies patients of a data breach.

MNGI Digestive Health, an independent group of certified gastroenterologists which operates roughly a dozen clinics and endoscopy centers around the Twin Cities metro area, is notifying over 765,000 individuals about an August 2023 data breach that compromised personal information, including names, Social Security numbers, medical and financial details. Although the breach occurred on August 20, 2023, it took nearly a year to identify the affected individuals and their addresses for notification. MNGI assures that there's no evidence of misuse of the data. The company is offering 12 months of free credit and identity protection services. The Alphv/BlackCat ransomware group claimed responsibility for the attack.

An Apache HugeGraph flaw is being actively exploited.

Threat actors are exploiting a recently patched vulnerability in Apache HugeGraph, an open-source graph database system. The flaw, CVE-2024-27348, allows remote command execution and was patched in version 1.3.0. The Shadowserver Foundation reported seeing exploitation attempts from eight IP addresses starting June 6, with an increase last week. Proof-of-concept exploit code became available in early June, and SecureLayer7 rated the flaw as 'critical,' warning that it enables attackers to bypass sandbox restrictions and take control of the server.

Octo Tempest updates its toolkit.

Microsoft reports that the Octo Tempest cybercrime gang, also known as Scattered Spider and 0ktapus, has added RansomHub and Qilin ransomware to its toolkit. Active since early 2022, Octo Tempest is notorious for the 0ktapus campaign, which compromised hundreds of organizations, including Twilio, LastPass, and DoorDash. The gang excels in social engineering and identity compromise, and has targeted VMware ESXi servers with BlackCat ransomware. The Qilin ransomware group, active since August 2022, employs a double-extortion model and recently impacted Synnovis, causing significant disruptions in London hospitals.

Satori uncovers evil twin campaigns on Google Play.

The Satori Threat Intelligence Team, funded by HUMAN Security, revealed a massive ad fraud operation named Konfety. Cybercriminals are using the CarmelAds SDK to create "evil twins" of legitimate Google Play Store applications. These decoy apps are used to commit ad fraud and redirect users to malware-laden websites. While not directly fraudulent themselves, these apps are disseminated through malvertising and lead to installed browser extensions, web search monitoring, and sideloaded malicious code. Over 250 such apps have been identified. The SDK itself isn't malicious but was exploited to display ads, sideload APKs, and connect to command-and-control servers. Lindsay Kaye of HUMAN Security notes this attack vector is likely being adopted by multiple threat actors. Organizations are urged to pressure ad networks for better security and to educate users about the risks of mobile apps.

The cost of the Change Healthcare breach crosses the two billion dollar mark.

The cost of the Change Healthcare breach has reached $2 billion, according to UnitedHealth Group (UHG). The February ransomware attack on Change Healthcare, part of UHG's Optum unit, resulted in $1.98 billion in costs by June 30, with projections reaching up to $2.45 billion. This includes $1.3 billion in direct costs and additional expenses from restoring services and managing higher medical costs due to disrupted care management. Despite the breach, UHG reported a 6% increase in Q2 revenue, totaling $98.9 billion. UHG paid a $22 million ransom to the BlackCat group, and ongoing efforts to notify affected individuals continue, potentially impacting up to a third of the U.S. population. State attorneys general advise vigilance against identity theft and fraud due to the exposed sensitive information.

Cybersecurity venture funding saw a surge last quarter.

Venture funding for cybersecurity startups surged 144% year-over-year in Q2 2024, reaching $4.4 billion across 153 deals, according to Crunchbase. This marks the best quarter since Q1 2022, driven by significant nine-figure funding rounds despite a decrease in deal count. Notably, cloud security startup Wiz raised $1 billion, contributing to the uptick. Other large rounds included Cyera’s $300 million Series C and Island’s $175 million Series D. The first half of 2024 saw $7.1 billion in venture capital, a 51% increase from H1 2023. Factors contributing to this growth include increased cyber hacking, threat proliferation due to AI, and renewed enterprise spending on cybersecurity. Investors remain optimistic about supporting robust security startups poised to challenge industry giants.

Cyber regulatory agencies face legal challenges.

In a piece for WIRED, Eric Geller reports that the Commerce Department's proposal to require cloud companies to verify customer identities and report activities faces potential legal challenges. Critics, including a major tech trade group, argue the regulations may exceed congressional authority. Lawsuits might also target other regulations, like those from the FTC and FCC, that rest on outdated laws. The EPA's withdrawal of cybersecurity requirements for water systems after court challenges highlights this issue. Federal judges could issue differing rulings, complicating enforcement. Experts suggest Congress must pass new, clear laws to empower agencies to mandate cyber improvements. Despite Congress's slow pace, there's bipartisan agreement on the need for action in cybersecurity. Indeed, the GOP's recently announced platform prioritizes securing critical infrastructure, indicating possible progress regardless of election outcomes.


Coming up on our Industry Insights segment, I speak with SpyCloud’s Vice President of SpyCloud Labs Trevor Hilligoss about exploring the intricate world of cybercrime enablement services. We’ll be right back.

Welcome back. You can find out more about SpyCloud Labs and their work in our show notes.

Fighting disinformation is easier said than done.

And finally, in a chaotic election year, Ruth Quint, a volunteer with the League of Women Voters of Greater Pittsburgh, is doing her best to fight disinformation using a variety of tactics, but she’s uncertain about their effectiveness. Despite her efforts, including online tutorials, debunking videos, and a pilot project using AI, the overwhelming flow of false information remains daunting. Researchers have identified common toxic content and how it spreads, but effective countermeasures like fact-checking and warning labels have limited impact. A massive study with 33,000 participants showed these interventions only improve the ability to judge true from false headlines by 5-10%. Experts worry that sophisticated disinformation schemes will outpace weak defenses, influencing elections globally. Online platforms are burying political posts, making it harder for Quint to reach audiences. Despite extensive efforts, disinformation continues to undermine trust and engagement. The problem is complex, with disagreements on solutions and definitions. Strategies like fact-checking and content moderation help, but millions still believe false narratives. Researchers hope combining multiple tactics will provide some defense. However, educators and volunteers like Quint feel their efforts are Sisyphean, fighting a flood of disinformation with limited resources. Solutions such as redesigning online spaces and AI as a "hall monitor" are being explored, but the challenge remains immense. Jonathan Stray, from the Center for Human-Compatible AI, stresses that while there is a retrenchment in the field, abandoning the project is not an option. The ongoing search for effective strategies to rebuild trust and ensure information integrity is crucial in this battle against disinformation. It may be daunting, but folks like Ruth Quint need to keep fighting the good fight. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.