The CyberWire Daily Podcast 9.5.24
Ep 2144 | 9.5.24

U.S. rains on Russia’s fake news parade.

Transcript

The DOJ disrupts Russia’s Doppelganger. NSA boasts over 1,000 public and private partners. The FBI warns of North Korean operatives launching “complex and elaborate” social engineering attacks. Iran pays the ransom to shore up their banking system. Cisco has disclosed two critical vulnerabilities in its Smart Licensing Utility. A Nigerian man gets five years in prison for Business Email Compromise schemes. Planned Parenthood confirms a cyberattack. Our guests are Sara Siegle and Cam Potts from NSA, Co-Hosts of the new show, No Such Podcast. OnlyFans hackers get more than they bargained for.

Today is Thursday September 5th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The DOJ disrupts Russia’s Doppelganger. 

The U.S. government disrupted a significant Russian influence campaign, dubbed “Doppelganger,” aimed at spreading misinformation to influence the 2024 U.S. presidential election. This campaign used cybersquatted domains, AI-generated content, influencers, and social media to push false narratives. Investigators seized 32 domains designed to mimic legitimate news outlets like The Washington Post, tricking users into viewing pro-Russian propaganda. The fake sites displayed fabricated stories, and users were directed to them via social media posts and ads. Two Russian nationals who worked for Russian state media RT were charged with money laundering and other crimes. They funneled millions into U.S. social media campaigns to stoke domestic divisions. In response, the U.S. imposed sanctions on individuals involved and issued visa restrictions. The State Department also offered a reward for information on the hacker group RaHDit, linked to the Russian government.

NSA boasts over 1,000 public and private partners. 

At the Billington CyberSecurity Summit in Washington, D.C., the U.S. National Security Agency (NSA) highlighted its partnerships with over 1,000 public and private organizations to counter emerging cybersecurity threats, especially from China. Officials warned that Beijing is increasingly using artificial intelligence to spread disinformation globally. The NSA’s Cybersecurity Collaboration Center, established in 2020, helps improve threat detection and incident response through public-private cooperation. Jami Wise, deputy chief of the NSA’s China Strategy Center, highlighted efforts to mitigate major threats, including vulnerabilities in industrial control systems. The NSA has also collaborated with international partners, such as the Australian Signals Directorate, to expose Chinese cyber tactics. In 2023, the NSA launched an AI Security Center to secure AI development and counter China’s use of AI in influence operations, such as during Taiwan’s 2023 elections. These efforts aim to set secure AI standards with industry, academia, and government partners.

The FBI warns of North Korean operatives launching “complex and elaborate” social engineering attacks. 

The FBI has issued a warning about North Korean operatives launching “complex and elaborate” social engineering attacks on employees of decentralized finance (DeFi) organizations, aiming to steal cryptocurrency. North Korean state-sponsored groups are conducting reconnaissance and targeting individuals linked to cryptocurrency exchange-traded funds. The attackers use sophisticated tactics, often posing as job recruiters or professional connections on platforms like LinkedIn. They trick victims into downloading malware, sometimes over a prolonged engagement to build trust. North Korea has long targeted cryptocurrency to bypass international sanctions and fund its weapons programs. The FBI highlighted indicators of potential scams, such as unexpected job offers, requests to run scripts or download software, and unsolicited contacts with suspicious links. The agency urges companies and individuals to isolate compromised devices and report incidents to law enforcement immediately.

Iran pays the ransom to shore up their banking system.

A major cyberattack last month targeted Iran’s banking system, forcing the regime to agree to a $3 million ransom to prevent the release of sensitive data from 20 domestic banks. The group responsible, IRLeaks, threatened to sell millions of Iranians’ account and credit card details on the dark web unless paid. Originally demanding $10 million, they settled for less, likely due to Iran’s urgent need to protect its unstable financial system, already strained by international sanctions. The attack, which forced banks to shut down ATMs across the country, was never publicly acknowledged by the regime. Iran’s supreme leader cryptically blamed the U.S. and Israel for “psychological warfare” without addressing the bank breach. IRLeaks previously attacked other Iranian firms, but this banking hack is considered their most significant breach, gaining access through a company called Tosan, which services Iran’s financial sector.

CISA adds DrayTek software to the KEV. 

A pair of old vulnerabilities in DrayTek’s VigorConnect software, identified as CVE-2021-20123 and CVE-2021-20124, have been exploited by multiple threat groups worldwide, despite being patched in October 2021. These path traversal flaws allow attackers to download files with root privileges. The U.S. cybersecurity agency CISA recently added these vulnerabilities to its Known Exploited Vulnerabilities catalog. Fortinet reported a spike in exploitation attempts in late August 2023, with attackers targeting various industries globally. 

Cisco has disclosed two critical vulnerabilities in its Smart Licensing Utility. 

Cisco has disclosed two critical vulnerabilities in its Smart Licensing Utility (CSLU), CVE-2024-20439 and CVE-2024-20440, with severity scores of 9.8. These flaws allow remote attackers to gain administrative access or collect sensitive information. CVE-2024-20439 involves static admin credentials, while CVE-2024-20440 exposes sensitive data via debug log files. The vulnerabilities affect several CSLU versions, but are only exploitable when the utility is actively running. Cisco has released updates for affected versions (2.0.0, 2.1.0, 2.2.0) and urges immediate upgrades, as there are no workarounds.

A Nigerian man gets five years in prison for Business Email Compromise schemes. 

Franklin Okwanna, a 34-year-old Nigerian man, was sentenced to five years in prison and ordered to pay nearly $5 million in restitution for his role in business email compromise (BEC) schemes. Okwanna, along with co-defendant Ebuka Raphael Umeti, who received a 10-year sentence, participated in schemes that caused over $5 million in losses between 2016 and 2021. They used phishing emails to compromise computer systems and induce wire transfers. Okwanna expressed remorse, citing personal financial struggles as his motive. Family members and a local orphanage requested leniency, highlighting his support for his community. BEC attacks, which involve fraudulent fund transfers, have resulted in $50 billion in global losses from nearly 278,000 incidents between 2013 and 2022, according to the FBI.

Planned Parenthood confirms a cyberattack. 

Planned Parenthood confirmed a cyberattack in late August 2024, affecting its IT systems and prompting portions of the network to be taken offline. The nonprofit, which provides reproductive health services, is investigating the extent of the breach. CEO Martha Fuller praised the swift response of their IT team and ongoing restoration efforts. The ransomware group RansomHub claimed responsibility, threatening to leak 93GB of allegedly stolen data and publishing some documents as proof. Planned Parenthood has reported the incident to federal authorities, including the FBI. The breach raises privacy concerns given the organization’s sensitive services, though it has yet to be confirmed whether any data was stolen. This is not the first ransomware attack on Planned Parenthood; a 2021 breach exposed private records of 400,000 patients.

Coming up, I’ve got some special guests from the NSA. Sara Siegle is Chief, Strategic Communications, and Cam Potts is Co-Host of their new podcast, No Such Podcast.

We’ll be right back.

Welcome back. You can check out the show notes for details on No Such Podcast. The first 2 episodes were released today. 

OnlyFans hackers get more than they bargained for. 

And finally, in a classic case of cybercriminals turning on each other, hackers are being tricked by a fake OnlyFans tool that promises to help them steal accounts, but instead infects them with the Lumma information-stealing malware. Discovered by Veriti Research, this scam is a reminder that even in the world of cybercrime, no one is safe from betrayal. The fake tool, disguised as an OnlyFans “checker” that claims to validate stolen login credentials, actually delivers the Lumma malware. This sneaky malware has been stealing passwords, two-factor authentication codes, and cryptocurrency wallets since 2022. The hackers who fell for this trick learned the hard way that trusting other cybercriminals isn’t always the smartest move. From Disney+ to Instagram, the same tactic has been used to target would-be hackers across various platforms, proving that in the world of cybercriminals, there’s no honor among thieves.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.