The CyberWire Daily Podcast 12.5.24
Ep 2203 | 12.5.24

Dismantling the Manson cybercrime market.

Transcript

Europol dismantles the Manson cybercrime market. Operation Destabilise stops two major Russian-speaking money laundering networks. New details emerge on China’s attacks on U.S. telecoms. Black Lotus Labs uncovers a covert campaign by the Russian-based threat actor “Secret Blizzard”. Cisco issues patches for a high-impact bootloader vulnerability. Trend Micro researchers uncovered Earth Minotaur targeting Tibetan and Uyghur communities. Payroll Pirates target HR payroll systems to redirect employee funds. Pegasus spyware may be more prevalent than previously believed. Our guest today is Jon France, CISO at ISC2, with insights from the ISC2 2024 Workforce Study. How businesses can lose customers one tip at a time.

Today is Thursday, December 5th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Europol dismantles the Manson cybercrime market.

Europol announced the dismantling of the Manson Market cybercrime marketplace and a network of phishing websites. The investigation, launched in 2022, revealed Manson Market facilitated the sale of stolen personal and financial data, including bank account information sorted by region and balance. Scammers also operated fake online shops to steal payment details for resale on the marketplace.

Authorities seized over 50 servers and 200 TB of evidence, with arrests made in Germany and Austria. Visitors to Manson Market’s site are now greeted with a notice stating law enforcement possesses all user information.

This takedown follows recent operations against Crimenetwork, a major German-speaking illegal marketplace, and Matrix, an encrypted messaging service used by criminals. Europol monitored Matrix for three months before shutting it down, demonstrating continued efforts to disrupt cybercrime infrastructure across Europe.

Operation Destabilise stops two major Russian-speaking money laundering networks. 

The UK’s National Crime Agency (NCA) has dismantled two major Russian-speaking money laundering networks, Smart and TGR, in Operation Destabilise. These networks laundered millions for cybercriminals, including the Ryuk ransomware group, and helped Russian elites bypass sanctions. They operated in 30 countries, collecting cash in one location and transferring equivalent amounts, often as cryptocurrency, elsewhere.

The NCA made 84 arrests and seized £20m in cash and crypto. Key figures include Smart leader Ekaterina Zhdanova and TGR boss George Rossi, both sanctioned by the US Treasury. 

The operation delivered a blow to the networks’ operations, severely impacting their finances. NCA Director Rob Jones emphasized the UK is no haven for money laundering, disrupting these schemes at every level.

New details emerge on China’s attacks on U.S. telecoms. 

A Chinese hacking campaign has compromised at least eight U.S. telecom firms and affected dozens of countries, according to Deputy National Security Adviser Anne Neuberger. The attack, dubbed “Salt Typhoon,” targeted senior U.S. government officials, political figures, and private individuals, enabling Beijing to access phone calls and texts. Though no classified information was compromised, ongoing risks remain as affected companies work to fully expel the hackers.

The breach, believed to have started one to two years ago, appears regionally focused and impacts a “low couple dozen” countries. The FBI and CISA have issued guidance urging telecom firms to enhance encryption, centralize systems, and monitor networks to mitigate risks.

China denied the allegations, accusing the U.S. of cyberattacks. The White House emphasizes that improved cybersecurity standards, similar to those implemented after the Colonial Pipeline ransomware attack, are critical to preventing future intrusions.

The FBI, CISA, and allied agencies are urging the use of end-to-end encryption (E2EE) following revelations that China’s Salt Typhoon group exploited backdoors in public telephone networks. CISA’s Jeff Greene emphasized the need for encrypted communications to secure networks long-term.

Senators Ron Wyden and Eric Schmitt highlighted vulnerabilities in unencrypted DoD communications, advocating for Matrix, a decentralized E2EE platform used by NATO allies and the US Navy. Matrix offers enhanced security and digital sovereignty over centralized systems like Microsoft Teams.

Black Lotus Labs uncovers a covert campaign by the Russian-based threat actor “Secret Blizzard”. 

Black Lotus Labs uncovered a covert campaign by the Russian-based threat actor “Secret Blizzard” (Turla), targeting Pakistani actor “Storm-0156” over two years. Secret Blizzard infiltrated 33 command-and-control (C2) servers operated by Storm-0156, known for espionage under the “SideCopy” and “Transparent Tribe” clusters.

Secret Blizzard gained access in December 2022, embedding their malware, TwoDash and Statuezy, into Afghan government networks by mid-2023. By April 2023, they infiltrated Pakistani operators’ workstations, acquiring data on Storm-0156’s tools, credentials, and exfiltrated intelligence.

Expanding operations in 2024, they appropriated and repurposed Storm-0156’s malware, including CrimsonRAT, previously used against Indian government and military targets. This allowed Secret Blizzard to exfiltrate additional data from prior operations, showcasing their expertise in hijacking adversarial infrastructure. Lumen Technologies credited the Microsoft Threat Intelligence team for their collaboration in addressing this threat.

Cisco issues patches for a high-impact bootloader vulnerability.

Cisco has issued patches for a high-impact vulnerability (CVE-2024-20397) in its NX-OS software bootloader that could allow attackers to bypass image signature verification and load unverified software. Exploitation requires physical access or administrative privileges but no authentication.

Over 100 device models are affected, with no workarounds available. Cisco has released patches and plans to address all devices by month’s end, except for discontinued switches. No active exploitation of this vulnerability has been reported, but users are urged to update promptly.

Trend Micro researchers uncovered Earth Minotaur targeting Tibetan and Uyghur communities. 

Trend Micro researchers uncovered Earth Minotaur, a group using the updated MOONSHINE exploit kit to target vulnerabilities in Android instant messaging apps, primarily impacting Tibetan and Uyghur communities. MOONSHINE, now with over 55 servers, exploits Chromium-based browser flaws and delivers the DarkNimbus backdoor to both Android and Windows devices. DarkNimbus targets apps like WeChat, posing a cross-platform threat. Researchers emphasize the importance of regular software updates to mitigate these attacks and protect against MOONSHINE’s evolving capabilities.

Payroll Pirates target HR payroll systems to redirect employee funds.

Silent Push Threat Analysts have uncovered an extensive phishing campaign by the “Payroll Pirates,” targeting HR payroll systems to redirect employee funds. Using domains spoofing major organizations like Workday, Kaiser Permanente, and New York Life, attackers lure victims to fake HR pages through malicious search ads. Once inside employee portals, scammers use stolen credentials to alter banking details for fund redirection.

The group utilizes website builders like Mobirise and popular registrars, creating hundreds of domains linked to dedicated IP ranges. Silent Push identified evolving tactics, including phishing campaigns targeting unemployment portals and credit unions. 

Pegasus spyware may be more prevalent than previously believed. 

An investigation by iVerify revealed significant insights into mobile threats, highlighting the hidden prevalence of spyware like Pegasus. Through scans of 2,500 user devices, the investigation uncovered seven Pegasus infections, showing compromises spanning years and affecting devices running multiple iOS versions. This challenged the perception that spyware primarily targets only high-profile individuals like journalists or government officials.

Pegasus, developed by NSO Group, uses sophisticated methods like zero-click attacks and exploits operating system vulnerabilities to achieve full device control. The investigation’s results—2.5 infections per 1,000 scans—suggest that spyware is more common than previously thought.

This research emphasizes the need for broader, scalable detection to uncover threats often hidden from traditional security measures. By examining a larger sample, the findings offer a clearer understanding of the scope of mobile device compromises in an evolving threat landscape.


Next up, we’ve got ISC2’s CISO Jon France joining us to share details on their recently released ISC2 2024 Workforce Study. After Jon, we’ve got some info on how businesses can lose customers one tip at a time.

We’ll be right back.

Welcome back. You can check out links to the report and other resources in our show notes. 

How businesses can lose customers one tip at a time. 

Ever felt like you’re under a spotlight while choosing how much to tip? You’re not alone. Digital tipping systems, with handheld devices or countertop screens displaying your selection, are making tipping feel like a high-stakes social performance. Researchers from the University of Richmond studying “tip surveillance” analyzed 36,000 transactions and ran experiments with over 1,100 participants to uncover its impact.

The findings? Being watched while tipping is bad for business. Customers scrutinized during tipping were less likely to return or recommend a business. While privacy often made customers feel more generous, the “eyes-on-you” approach led to resentment and reduced loyalty. Interestingly, people enjoy being observed while donating to charity—but tipping feels more like an obligation than a choice.

Businesses hoping to cash in on pressure tactics might be disappointed. The research revealed no clear link between surveillance and higher tip amounts. In fact, when tipping privately, customers tipped similar amounts but felt more in control, fostering positive experiences.

With tipping expectations skyrocketing (hello, “tipflation”), companies need to strike a balance. Training employees to respect tipping privacy while ensuring fair wages could enhance customer loyalty and build a better reputation.

Ultimately, the debate about tipping’s future isn’t just about dollars—it’s about creating systems that protect workers, ensure fair pay, and foster a sense of goodwill. After all, tipping should leave everyone smiling—not sweating under the payment panopticon.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.