The CyberWire Daily Podcast 12.2.24
Ep 2200 | 12.2.24

The international effort making digital spaces safer.

Transcript

A major cybercrime crackdown by Interpol nabs hundreds of suspects and millions in stolen funds. Zabbix has disclosed a critical SQL injection vulnerability. A novel phishing campaign exploits Microsoft Word’s file recovery feature. Researchers track the Rockstar 2FA phishing toolkit. Critical vulnerabilities are found in Advantech’s industrial wireless access points. North Korea’s Kimsuky hacking group shifts their tactics. The U.N. forms an advisory body to address growing threats to critical undersea cable infrastructure. The U.K. is laser-focused on AI security research. Russian authorities arrest the Wazawaka ransomware affiliate. Our guest is Marshall Heilman, CEO of DTEX Systems, sharing his experience with a nation-state actor's attempt to gain employment at his company. OpenAI opens the door for encrudification.

Today is Monday, December 2nd, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A major cybercrime crackdown by Interpol nabs hundreds of suspects and millions in stolen funds. 

An international cybercrime crackdown led by Interpol targeted cyber-enabled fraud across 40 countries between July and November 2024. Operation Haechi V resulted in over 5,500 arrests and the seizure of $400 million in stolen funds, encompassing virtual assets and government-backed currencies. It focused on crimes such as voice phishing, romance scams, online sextortion, investment fraud, illegal gambling, business email compromise (BEC), and e-commerce fraud.

A notable achievement occurred in East Asia, where South Korean and Chinese authorities dismantled a voice phishing network linked to $1.1 billion in losses. The scammers, impersonating police, victimized over 1,900 individuals, leading to 27 arrests. In another high-profile case, Singaporean police intercepted $39.3 million of a $42.3 million sum stolen through BEC. Seven suspects were apprehended, and $2.6 million in additional funds recovered.

Key to these successes was Interpol’s Global Rapid Intervention of Payments (I-GRIP) initiative, enabling swift action to halt stolen funds in transit. 

This operation, supported by the South Korean government, is the fifth in the Haechi series, achieving record results compared to 2023, including nearly double the number of solved cases and tripling the blocked virtual asset accounts. Interpol’s Secretary General emphasized the importance of international cooperation in combating the borderless threat of cybercrime, highlighting the devastating impacts on individuals and businesses alike.

Zabbix has disclosed a critical SQL injection vulnerability. 

Open-source enterprise network monitoring solution Zabbix has disclosed a critical SQL injection vulnerability. Exploitable by non-admin users with API access, it allows attackers to escalate privileges and compromise systems. Over 83,000 internet-exposed servers are at risk. Patches were released in July, and users should update immediately. No active exploitation has been reported.

A novel phishing campaign exploits Microsoft Word’s file recovery feature. 

A novel phishing campaign exploits Microsoft Word’s file recovery feature by using intentionally corrupted Word documents to bypass email security software. These attachments, disguised as HR or payroll-related files, evade detection due to their damaged state but remain recoverable by Word. Once opened, the document prompts users to recover the file, displaying a phishing message instructing them to scan a QR code, which redirects to a fake Microsoft login page to steal credentials.

The campaign, identified by Any.Run, embeds base64-encoded strings in filenames to obfuscate intent. The attachments lack malicious code, helping them avoid antivirus detection on platforms like VirusTotal. Recipients are urged to remain vigilant, delete suspicious emails, and confirm unexpected messages with administrators to avoid falling victim to this tactic.
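An added defender-side triage check for the two traits described above (example code written for this page, not Any.Run's tooling or anything from the original report): it flags a Word attachment whose ZIP container is unreadable or damaged, which is exactly what makes Word offer recovery, and it decodes base64 runs hidden in the filename. The sample document, its truncated copy and the lure filename are constructed inline; the 16-character minimum for a base64 run is an assumption.

```python
import base64
import io
import re
import zipfile

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")  # 16+ base64 chars, optional padding (assumed threshold)
def decode_b64_tokens(filename: str) -> list[str]:
    """Printable plaintext of every base64-looking run in the filename."""
    found = []
    for tok in B64_TOKEN.findall(filename):
        try:  # validate=True rejects stray characters (binascii.Error is a ValueError)
            raw = base64.b64decode(tok + "=" * (-len(tok) % 4), validate=True)
        except ValueError:
            continue
        if raw and all(32 <= b < 127 for b in raw):
            found.append(raw.decode("ascii"))
    return found
def docx_container_status(data: bytes) -> str:
    """'ok', 'not-zip' (no readable ZIP structure) or 'damaged' (bad entries)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-zip"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            # OOXML needs [Content_Types].xml; testzip() names the first entry
            # with a bad CRC or header and returns None when all entries pass.
            if "[Content_Types].xml" not in z.namelist() or z.testzip():
                return "damaged"
    except zipfile.BadZipFile:
        return "damaged"
    return "ok"
def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Findings matching the lure: a container only Word's recovery can open, base64 in the name."""
    findings = []
    if filename.lower().endswith((".docx", ".docm")):
        status = docx_container_status(data)
        if status != "ok":
            findings.append(f"Word container {status}; Word would offer recovery")
    for text in decode_b64_tokens(filename):
        findings.append(f"filename carries base64 decoding to {text!r}")
    return findings
# Constructed samples: a minimal well-formed .docx (a ZIP holding [Content_Types].xml),
# a truncated copy with its central directory gone, as in a corrupted lure, and a lure name.
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w", zipfile.ZIP_DEFLATED) as _z:
    _z.writestr("[Content_Types].xml", "<Types/>")
    _z.writestr("word/document.xml", "<w:document/>")
GOOD_DOCX = _buf.getvalue()
TRUNCATED_DOCX = GOOD_DOCX[: len(GOOD_DOCX) // 2]
LURE_NAME = "Payroll_" + base64.b64encode(b"Annual_Benefits").decode() + ".docx"
```

Calling `triage_attachment(LURE_NAME, TRUNCATED_DOCX)` yields two findings, while a well-formed file with a plain name yields none; note that the filename heuristic is a signal for review, not proof of malice.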

Researchers track the Rockstar 2FA phishing toolkit. 

Researchers from Trustwave have linked the advanced phishing toolkit ‘Rockstar 2FA’ to a rise in adversary-in-the-middle (AiTM) phishing attacks targeting Microsoft 365 (O365) users. This toolkit creates fake login pages to harvest credentials and bypass multifactor authentication (MFA), using AiTM techniques to intercept session cookies. Campaigns have escalated since August 2024, leveraging car-themed web pages and domains with over 5,000 hits since May.

Rockstar 2FA, a phishing kit offered as a service (PaaS) for $200, features 2FA bypass, antibot protections, randomized codes, and Telegram bot integration, making it attractive to cybercriminals. Phishing emails use themes like HR alerts, document sharing, and MFA lures, often evading detection by exploiting trusted platforms and obfuscation methods.

Experts warn these cost-effective kits enable credential theft, account takeovers, and business email compromise (BEC), posing ongoing risks.

Critical vulnerabilities are found in Advantech’s industrial wireless access points.  

Researchers at Nozomi Networks Labs identified 20 critical vulnerabilities in Advantech’s industrial wireless access points, widely used in critical infrastructure. The flaws allow remote code execution with root privileges and denial-of-service attacks, even without authentication. Vulnerabilities also enable lateral movement across networks and exploit wireless data packet management scripts. Firmware updates have been released to address the issues. 

North Korea’s Kimsuky hacking group shifts their tactics. 

South Korean researchers have uncovered a shift in the tactics of the North Korean hacking group Kimsuky, which now employs malwareless phishing attacks to evade endpoint detection and response (EDR) systems. These attacks focus on researchers and organizations studying North Korea, using phishing emails that impersonate entities such as financial institutions and public agencies.

A notable change is Kimsuky’s switch from Japanese to Russian email services, making their campaigns harder to detect. They also leverage domains from free Korean registration services and fabricate phishing sites using themes tied to financial matters.

These phishing attempts often include URLs without malware, making them harder to flag as threats. 

The U.N. forms an advisory body to address growing threats to critical undersea cable infrastructure.

The United Nations, alongside the International Telecommunication Union (ITU) and the International Cable Protection Committee (ICPC), has formed the International Advisory Body for Submarine Cable Resilience to address growing threats to critical undersea cable infrastructure. Submarine cables handle over 99% of global data exchanges, making their security vital. The advisory body will focus on enhancing cable protection, promoting best practices, and ensuring timely repairs.

The initiative follows recent incidents, including damage to cables connecting Finland, Germany, Sweden, and Lithuania, under investigation for possible sabotage. The ICPC reports 150–200 annual cable damage incidents, mainly from ship anchors, fishing, or natural disasters, necessitating weekly repairs.

The 40-member body, co-chaired by Nigeria and Portugal, will meet twice annually, working with industry experts. The U.S. has also launched projects to bolster cable security, including partnerships with Pacific Island nations.

The U.K. is laser-focused on AI security research. 

The U.K. has launched the Laboratory for AI Security Research (LASR) to combat nation-state cyber threats, particularly from adversaries like Russia. Initially funded with $10.3 million from the government, the lab expects additional support from private sector partners. LASR aims to harness artificial intelligence to bolster cybersecurity and intelligence capabilities, collaborating with organizations like GCHQ, the Alan Turing Institute, and top universities such as Oxford and Queen's University Belfast.

The lab also seeks international partnerships, including with NATO and Five Eyes allies. Chancellor Pat McFadden highlighted AI’s dual role in amplifying cyber threats and enabling advanced defense tools. LASR’s creation reflects the U.K.’s commitment to addressing emerging AI-driven cyber challenges as part of a broader global strategy.

Russian authorities arrest the Wazawaka ransomware affiliate. 

Russian authorities have reportedly arrested Mikhail Matveev, known as “Wazawaka,” a high-profile ransomware affiliate linked to groups like Babuk, Conti, DarkSide, Hive, and LockBit. Matveev faces charges under Russia’s Article 273 for creating malware to extort commercial organizations by encrypting data and demanding ransom. If convicted, he could face up to four years in prison or fines.

Matveev, indicted by the U.S. in 2023 and offered a $10 million bounty by the State Department, allegedly participated in major attacks, including the 2021 ransomware attack on Washington, D.C.’s Metropolitan Police Department. Despite his crimes, he previously claimed to live freely in Russia.

Russia rarely prosecutes domestic hackers, especially those targeting foreign entities, but recent arrests, including members of REvil and SugarLocker, suggest a shift in strategy.

I can’t resist putting this out there - Wazawaka? A Russian threat actor? I mean, we’ve got to go with Fozzie Bear, right?

 

Coming up, we’ve got my conversation with CEO of DTEX Systems Marshall Heilman about how HR can spot fake IT workers. Marshall shares his experience with a nation-state actor's attempt to gain employment at his company. We’ll be right back.

Welcome back. You can find a link to the story in our show notes. 

OpenAI opens the door for encrudification. 

Well, it was bound to happen. OpenAI, the company that wowed us all with ChatGPT, is considering—wait for it—advertising. Yes, folks, the tech darling that made us believe in the magic of AI might just join the dark side of internet monetization, trading user delight for ad revenue.

The Financial Times reports that OpenAI’s CFO, Sarah Friar, confirmed the company is exploring ads as a potential revenue stream. While she insists there are “no active plans” yet, the writing on the wall is as clear as a programmatic banner ad: they’re hiring ad veterans from Google and Meta, and their Chief Product Officer is Instagram’s former ad architect. Friar assures us they’ll be “thoughtful” about ads, but isn’t that what they all say?

This isn’t just a cash grab—it’s a necessity. OpenAI may be pulling in $4 billion annually, but training cutting-edge AI models is an expensive endeavor. They’re burning through cash faster than you can say “monetization strategy,” and with a $5 billion spend forecast, even their enviable $150 billion valuation needs some heavy lifting.

To be fair, ads work wonders for companies like Google, but let’s be real: nothing ruins a seamless AI chat like a pop-up screaming about discount mattresses. OpenAI claims it’ll be careful not to alienate its 250 million weekly users. Let’s hope so, because once the ad floodgates open, there’s no going back. After all, when has “thoughtful advertising” ever lived up to the promise?

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.