The CyberWire Daily Podcast 7.24.24
Ep 2114 | 7.24.24

Ghost accounts haunt GitHub.

Transcript

Stargazer Goblin hosts malicious code repositories on GitHub. Crowdstrike blames buggy validation checks for last week’s major incident. The Breachforums database reveals threat actor OPSEC. Windows Hello for Business (WHfB) was found vulnerable to downgrade attacks. A medical center in the U.S. Virgin Islands is hit with ransomware. Interisle analyzes the phishing landscape. The FTC orders eight companies to explain algorithmic pricing. Meta cracks down on the Nigerian Yahoo Boys. A fake IT worker gets caught in the act. My conversation with Nic Fillingham and Wendy Zenone, co-hosts of Microsoft Security's "The Bluehat Podcast.” Researchers wonder if proving you’re human proves profitable for Google.

Today is Wednesday July 24th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Stargazer Goblin hosts malicious code repositories on GitHub. 

A secret network of around 3,000 “ghost” accounts on GitHub has been manipulating the platform to promote malware and phishing links, as revealed by research from cybersecurity firm Check Point. Operating since at least June last year, a cybercriminal group, dubbed “Stargazer Goblin” by Check Point, has been hosting malicious code repositories on GitHub, the world's largest open-source code site.

Antonis Terefos, a malware reverse engineer at Check Point, discovered that these fake accounts “star,” “fork,” and “watch” malicious repositories to make them appear popular and legitimate. This tactic leverages GitHub's community tools to boost the visibility and credibility of harmful pages. The network's activities are coordinated through a cybercrime-linked Telegram channel and criminal marketplaces.

The “Stargazers Ghost Network” spreads malicious repositories offering fake downloads for social media, gaming, and cryptocurrency tools, targeting Windows users. They claim to provide tools like VPNs or licensed software but instead deliver malware. The operator behind this network charges other hackers to distribute their malicious content, a service Check Point terms “distribution as a service.”

GitHub has responded by disabling user accounts violating their policies against supporting unlawful activities. With over 100 million users and 420 million repositories, GitHub continues to face challenges from cybercriminals exploiting its platform for malicious purposes.
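The pattern described above, a crowd of throwaway accounts starring one repository to make it look popular, is something a defender can screen for. The following is an added example, not Check Point's tooling and not code from the original transcript: it scores a repository's stargazers on two assumed signals, the share of accounts that own nothing and have no followers, and the share whose creation times cluster inside one short window. The `Account` fields mirror what GitHub's public user records expose, but all sample data is constructed and the thresholds are assumptions to tune against real data.

```python
"""Heuristic screen for 'ghost' stargazer inflation on a GitHub repository.

Added example, not Check Point's or GitHub's code. Sample accounts are
constructed; thresholds and window size are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Account:
    login: str
    created_at: datetime   # account creation time
    public_repos: int      # repositories the account itself owns
    followers: int


def _is_dormant(acct: Account) -> bool:
    """One account with no repos and no followers is a weak signal; a crowd of
    them starring the same repository is the pattern in the report."""
    return acct.public_repos == 0 and acct.followers == 0


def _creation_burst_ratio(accounts: list[Account],
                          window: timedelta = timedelta(days=7)) -> float:
    """Largest share of stargazers whose creation times fall inside one window.
    Bulk-registered sockpuppets tend to cluster tightly; organic stargazers
    joined GitHub over many years."""
    if not accounts:
        return 0.0
    times = sorted(a.created_at for a in accounts)
    best, j = 0, 0
    for i in range(len(times)):          # sliding window ending at times[i]
        while times[j] < times[i] - window:
            j += 1
        best = max(best, i - j + 1)
    return best / len(times)


def score_repo(stargazers: list[Account]) -> dict:
    """Return the two ratios plus an assumed verdict for triage."""
    n = len(stargazers)
    dormant_ratio = sum(_is_dormant(a) for a in stargazers) / max(n, 1)
    burst_ratio = _creation_burst_ratio(stargazers)
    # Assumed thresholds: flag only when the star count is big enough to
    # matter and most stargazers are both dormant and registered together.
    suspicious = n >= 10 and dormant_ratio >= 0.6 and burst_ratio >= 0.6
    return {"stars": n,
            "dormant_ratio": round(dormant_ratio, 2),
            "burst_ratio": round(burst_ratio, 2),
            "suspicious": suspicious}


# ---- constructed sample data ---------------------------------------------
_T0 = datetime(2024, 6, 1)


def _constructed_ghost_farm(n: int) -> list[Account]:
    """n throwaway accounts registered a few hours apart, no repos, no followers."""
    return [Account(f"ghost{i:03d}", _T0 + timedelta(hours=3 * i), 0, 0)
            for i in range(n)]


def _constructed_organic(n: int) -> list[Account]:
    """Accounts created 90 days apart over several years, each with its own
    repos and a few followers."""
    return [Account(f"dev{i:03d}", _T0 - timedelta(days=90 * (i + 1)),
                    1 + i % 7, i % 13) for i in range(n)]


GHOST_REPO_STARGAZERS = _constructed_ghost_farm(30)
ORGANIC_REPO_STARGAZERS = _constructed_organic(30)

if __name__ == "__main__":
    print("ghost-inflated repo:", score_repo(GHOST_REPO_STARGAZERS))
    print("organic repo:       ", score_repo(ORGANIC_REPO_STARGAZERS))
```

The verdict is a triage hint, not proof: a legitimate repository promoted in a newsletter can also pick up a burst of new accounts, so the ratios belong in a review queue alongside what the repository actually ships.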

Crowdstrike blames buggy validation checks for last week’s major incident. 

CrowdStrike has released a post-incident review (PIR) addressing a faulty update that caused 8.5 million Windows machines to crash last week. The issue stemmed from a bug in their test software, which failed to validate a content update correctly. This update was intended to gather telemetry on new threat techniques but led to system crashes.

CrowdStrike’s Falcon software, used globally for malware and security management, typically issues two types of updates: Sensor Content and Rapid Response Content. The problem arose from a 40KB Rapid Response Content file, which despite passing faulty validation checks, contained problematic data that led to Windows crashes.

To prevent future incidents, CrowdStrike is enhancing its testing processes for Rapid Response Content with local developer testing, content update and rollback testing, stress testing, fuzzing, and fault injection. They will also update their cloud-based Content Validator and improve error handling in the Falcon sensor. Additionally, CrowdStrike will adopt a staggered deployment strategy for updates to avoid widespread issues.
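The staggered deployment the review promises is the control that would have limited the blast radius. The following added example is not CrowdStrike's code: it simulates a ring-based rollout where each ring's crash telemetry is read before the next ring is touched, and a bad update is halted and rolled back at the first ring. Ring sizes, the crash-rate threshold and the telemetry stand-in are assumptions.

```python
"""Staggered (ring-based) rollout with a crash-telemetry gate and rollback.

Added example, not CrowdStrike's code. RINGS, MAX_CRASH_RATE and the
telemetry callback are assumptions for the simulation.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

# Rings deployed in order; each value is the cumulative share of the fleet
# that has the update once the ring completes. Assumed sizes.
RINGS = [("internal", 0.01), ("canary", 0.05), ("early", 0.20), ("broad", 1.00)]
MAX_CRASH_RATE = 0.005   # assumed: halt if more than 0.5% of a ring crashes


@dataclass
class RolloutResult:
    update_id: str
    completed_rings: list[str] = field(default_factory=list)
    halted_at: str | None = None
    hosts_exposed: int = 0     # hosts that took the update before the halt
    rolled_back: bool = False
    hosts_updated: int = 0     # hosts still running the update at the end


def staged_rollout(update_id: str, fleet_size: int,
                   crash_rate: Callable[[str, str, int], float]) -> RolloutResult:
    """Push update_id ring by ring.

    crash_rate(update_id, ring, hosts) stands in for telemetry collected from
    hosts that already took the update; a real pipeline waits out a bake time
    before reading it, and never proceeds on missing telemetry.
    """
    result = RolloutResult(update_id)
    for ring, cumulative_share in RINGS:
        hosts = int(fleet_size * cumulative_share) - result.hosts_updated
        result.hosts_updated += hosts
        if crash_rate(update_id, ring, hosts) > MAX_CRASH_RATE:
            # Halt here and revert every host that took the update to the
            # last known-good content (the rollback path the review says
            # will now be tested).
            result.halted_at = ring
            result.hosts_exposed = result.hosts_updated
            result.rolled_back = True
            result.hosts_updated = 0
            return result
        result.completed_rings.append(ring)
    return result


def constructed_telemetry(bad_update: str) -> Callable[[str, str, int], float]:
    """Constructed stand-in for fleet telemetry: hosts that take bad_update
    crash outright, everything else shows a small background crash rate."""
    def crash_rate(update_id: str, ring: str, hosts: int) -> float:
        return 1.0 if update_id == bad_update else 0.0005
    return crash_rate


if __name__ == "__main__":
    telemetry = constructed_telemetry("content-bad")
    print(staged_rollout("content-bad", 100_000, telemetry))
    print(staged_rollout("content-good", 100_000, telemetry))
```

With a fleet of 100,000 hosts the bad update reaches the 1,000-host internal ring and nothing else, instead of every host at once; the good update walks through all four rings.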

The Breachforums database reveals threat actor OPSEC. 

The entire database for the notorious BreachForums v1 hacking forum was leaked on Telegram, exposing member information, private messages, cryptocurrency addresses, and all forum posts. This database originated from a backup allegedly sold by Conor Fitzpatrick, aka Pompompurin, after the FBI seized BreachForums v1 following Fitzpatrick's arrest. The data circulated among threat actors, with one trying to sell it for $150,000.

Initially, only limited member data was leaked by a user named Emo. However, due to ongoing infighting within the BreachForums community, Emo released the complete database, containing records up to November 29th, 2022. This leak reveals extensive details, including hashed passwords and private communications about exploits and stolen data.

Law enforcement already possessed this database, but its public release allows researchers and journalists to assess threat actors' operational security practices.

Windows Hello for Business (WHfB) was found vulnerable to downgrade attacks. 

Microsoft's Windows Hello for Business (WHfB) was recently found vulnerable to downgrade attacks, allowing threat actors to bypass even biometric protections. WHfB, which uses cryptographic keys in a computer's Trusted Platform Module (TPM) with biometric or PIN verification, can be exploited by modifying authentication request parameters.

Accenture security researcher Yehuda Smirnov discovered this flaw last year and reported it to Microsoft, which has since issued a fix. Smirnov will demonstrate the attack and mitigation strategies at Black Hat USA 2024.

The attack involves intercepting and altering POST requests to Microsoft's authentication services, downgrading WHfB to less secure methods using the Evilginx framework. Microsoft’s recent update includes a Conditional Access capability called "authentication strength" to enforce phishing-resistant authentication, preventing such downgrades. This fix ensures only secure authentication methods are used, protecting against similar future attacks.

A medical center in the U.S. Virgin Islands is hit with ransomware. 

Schneider Regional Medical Center (SRMC) in St. Thomas, U.S. Virgin Islands, experienced a ransomware attack on July 21, 2024, disrupting network systems. IT staff detected the attack, which has led to significant operational challenges, including the unavailability of the patient portal and medical records. While all patient care services continue, the hospital is working with law enforcement and third-party vendors to assess and restore system functionality. The extent of data compromise is still under investigation.

Interisle analyzes the phishing landscape. 

Interisle's fourth annual Phishing Landscape study highlights the evolving spectrum of phishing attacks from May 2023 to April 2024, emphasizing the persistent and growing threat of cybercrime. The study reveals a significant increase in phishing incidents, with attackers increasingly exploiting subdomain providers and decentralized platforms like the InterPlanetary File System to launch their schemes.

Following the shutdown of the notorious Freenom service, cybercriminals have turned to inexpensive domains in new gTLDs, demonstrating their adaptability. This shift underscores the need for vigilant domain registration policies, as bulk registrations have become a common tactic for setting up phishing sites.

U.S.-based hosting providers continue to be favored by phishers, highlighting the global nature of the threat and the need for international cooperation. The report stresses that effective phishing mitigation requires robust digital identity verification, automated screening systems, and proactive measures by hosting operators.

Interisle recommends cross-industry collaboration and stronger governmental roles to combat phishing. By adopting these measures, the report suggests that the industry can disrupt the phishing supply chain and protect users more effectively.

The FTC orders eight companies to explain algorithmic pricing. 

The Federal Trade Commission (FTC) has issued orders to eight companies offering surveillance pricing products and services that use consumer data to determine prices. These orders aim to understand the impact on privacy, competition, and consumer protection.

The FTC is investigating how third-party intermediaries use advanced algorithms, AI, and personal information—such as location, demographics, credit history, and browsing history—to set targeted prices. FTC Chair Lina M. Khan expressed concerns about privacy risks and potential price exploitation through personal data.

Using its 6(b) authority, the FTC seeks detailed information from Mastercard, Revionics, Bloomreach, JPMorgan Chase, Task Software, PROS, Accenture, and McKinsey & Co. The inquiry focuses on:

Types of surveillance pricing products and their uses.

Data sources and collection methods.

Customer information and intended uses of products.

The impact on consumers and pricing.

The Commission unanimously approved the orders.

Meta cracks down on the Nigerian Yahoo Boys. 

Meta has banned 63,000 accounts linked to Nigerian cybercriminals known as the Yahoo Boys, targeting users in the U.S. with sextortion scams. These scammers, primarily targeting adult men, coerced victims into sharing explicit images, then threatened to release them unless paid in gift cards, mobile payments, wire transfers, or cryptocurrency. Some attempts targeted minors, reported to NCMEC.

Meta's crackdown follows FBI warnings about the growing threat of financial extortion targeting children. A smaller network of 2,500 accounts, linked to 20 individuals in Nigeria, was also uncovered. These scammers used fake accounts and shared resources for scamming, including scripts and guides.

Meta designated the Yahoo Boys as a banned entity under its strict Dangerous Organizations and Individuals policy. The company is improving detection tactics and sharing information with other tech companies through the Tech Coalition’s Lantern program.

A fake IT worker gets caught in the act. 

At security awareness firm KnowBe4, the search for a new software engineer for their IT AI team seemed to go smoothly. They posted the job, received resumes, conducted interviews, performed background checks, and verified references. Finally, they hired someone who appeared to be an ideal candidate. The new hire was sent a Mac workstation, but as soon as it was received, malware began to load.

KnowBe4’s HR team had conducted four video interviews with the candidate, confirming their identity through the provided photo. The background check came back clear, as the individual was using a stolen, valid US-based identity. The photo was AI-enhanced, making it difficult to detect the deception.

The EDR software detected the malware and alerted the InfoSec Security Operations Center (SOC). When the SOC contacted the new hire, things quickly became suspicious. The employee claimed they were troubleshooting a router issue, but their responses were evasive, and soon they became unresponsive. The SOC team contained the device.

Further investigation revealed a sophisticated scam. The fake worker was part of a North Korean operation, using an address as an "IT mule laptop farm" and VPNs to mask their true location. They worked U.S. hours while being based in North Korea or China, earning money that funded illegal programs.

KnowBe4's controls had caught the breach, but it was a stark lesson. They needed to re-examine their vetting processes, remote device scans, and monitoring. Enhanced security measures and improved coordination between HR, IT, and security teams were vital to protect against such advanced threats. This incident underscored the critical need for vigilance and robust security protocols in the hiring process.

Coming up, we’ve got an intro to a new show for you. Nic Fillingham and Wendy Zenone, co-hosts of Microsoft Security's "The Bluehat Podcast," join me to share about what to expect on their show. We’ll be right back.

Welcome back. You can find out more about The Bluehat Podcast in our show notes. Have a listen every other Wednesday. 

Researchers wonder if proving you’re human proves profitable for Google. 

And finally… Google’s reCAPTCHA—you know, those annoying "prove you’re human" puzzles where you have to click on all the images showing traffic lights—might be more about making money than securing websites, according to some University of California, Irvine researchers. They argue it’s actually a sneaky way to harvest your data and make billions from your unpaid labor.

Originally, CAPTCHAs were supposed to tell humans and bots apart with tricky puzzles. But now, AI can solve them almost as well as we can. Google’s reCAPTCHA, which they acquired in 2009, has evolved, but the researchers say its usefulness is questionable. They found that these puzzles are not just annoying but also time-consuming and resource-heavy, all while being vulnerable to bots.

Apparently, bots were already beating these challenges as far back as 2016. Yet Google stuck with them, possibly to gather data for other uses. The academics claim that in 13 years, we’ve spent 819 million hours on reCAPTCHA, worth about $6.1 billion in wages. Meanwhile, Google profits from the data we unwittingly provide.

The researchers suggest it’s time to ditch these CAPTCHAs. They see them as a massive waste of human effort with little real security benefit. Instead of making the internet safer, they say, we’ve been tricked into doing free labor for Google. 

A Google spokesperson told The Register that reCAPTCHA user data is solely used to improve the reCAPTCHA service, as stated in their terms of service.

Now if you’ll excuse me, I’ve got to train an AI how to identify crosswalks. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.