Archive.fm

CyberWire Daily

Criminal networks crumble.


Duration:
31m
Broadcast on:
17 Jul 2024
Audio Format:
mp3

Interpol pursues West African cybercrime groups. Bassett Furniture shuts down manufacturing following a ransomware attack. A gastroenterologist group notifies patients of a data breach. An Apache HugeGraph flaw is being actively exploited. Octo Tempest updates its toolkit. Satori uncovers evil twin campaigns on Google Play. The cost of the Change Healthcare breach crosses the two billion dollar mark. Cybersecurity venture funding saw a surge last quarter. Cyber regulatory agencies face legal challenges. On our Industry Insights segment, Trevor Hilligoss, Vice President of SpyCloud Labs at SpyCloud, joins us to talk about exploring the intricate world of cybercrime enablement services. Fighting disinformation is easier said than done. 

Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.


CyberWire Guest

On our Industry Insights segment, Trevor Hilligoss, Vice President of SpyCloud Labs at SpyCloud, joins Dave to talk about exploring the intricate world of cybercrime enablement services. You can find out more about SpyCloud’s “How the Threat Actors at SpaxMedia Distribute Malware Globally” here.  


Selected Reading

Global Police Swoop on Black Axe Cybercrime Syndicate (Infosecurity Magazine)

Furniture giant shuts down manufacturing facilities after ransomware attack (The Record)

MNGI Digestive Health Data Breach Impacts 765,000 Individuals (SecurityWeek)

Apache HugeGraph Vulnerability Exploited in Wild (SecurityWeek)

Octo Tempest group adds RansomHub and Qilin ransomware to its arsenal (Security Affairs)

Report Identifies More Than 250 Evil Twin Mobile Applications (Security Boulevard)

Change Healthcare's Breach Costs Could Reach $2.5 Billion (GovInfo Security)

Cybersecurity Funding Jumps 144% In Q2 (Crunchbase)

The US Supreme Court Kneecapped US Cyber Strategy (WIRED)

Even the Best Tools to Fight Disinformation Are Not Enough (The New York Times) 


Share your feedback.

We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. 


Want to hear your company in the show?

You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

You're listening to the CyberWire Network, powered by N2K.

What's 2FA security on Kraken? Let's say I'm captaining my soccer team, and we're up by a goal against, I don't know, Soda Springs FC. Do we relax? No way. Time to create an extra line of defense and protect that lead. That's like 2FA on Kraken, a surefire way to keep what you already have safe and sound. Go to kraken.com and see what crypto can be. Not investment advice. Crypto trading involves risk of loss. Cryptocurrency services are provided to U.S. and U.S. territory customers by Payward Interactive Inc. (PWI) DBA Kraken. View PWI's disclosures at kraken.com/legal/disclosures.

When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA and more, saving you time and money. With Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flo Health and Quora use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber. That's V-A-N-T-A.com/cyber for $1,000 off Vanta.

Interpol pursues West African cybercrime groups. Bassett Furniture shuts down manufacturing following a ransomware attack. A gastroenterologist group notifies patients of a data breach. An Apache HugeGraph flaw is being actively exploited. Octo Tempest updates its toolkit. Satori uncovers evil twin campaigns on Google Play. The cost of the Change Healthcare breach crosses the $2 billion mark. Cybersecurity venture funding saw a surge last quarter. Cyber regulatory agencies face legal challenges. On our Industry Insights segment, Trevor Hilligoss, Vice President of SpyCloud Labs, joins us to talk about exploring the intricate world of cybercrime enablement services. And fighting disinformation is easier said than done.

It's Wednesday, July 17th, 2024. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thank you for joining us. Once again, it is great to have you with us.

Interpol has dealt a significant blow to several West African cybercrime groups, including the infamous Black Axe syndicate, through Operation Jackal III. The operation resulted in 300 arrests and the seizure of $3 million in assets. Police identified 400 suspects and blocked over 720 bank accounts. Black Axe, known for decades of criminal activity, has profited heavily from romance fraud, business email compromise, and other financial crimes. Additionally, a Nigerian-led international criminal network was dismantled in Argentina after a five-year investigation linked to money laundering in over 40 countries and victimizing 160 individuals. Portuguese police also disrupted a Nigerian criminal network involved in recruiting money mules and laundering illicit funds across Europe.

Bassett Furniture Industries, one of the largest U.S. furniture companies, was forced to shut down its manufacturing facilities following a ransomware attack that began on July 10th. The hackers encrypted data files, leading Bassett to activate its incident response plan and shut down some IT systems. While retail stores and the e-commerce platform remain open, the company's ability to fulfill orders is impacted. Bassett is working to restore systems and reduce disruption, but admitted the attack has materially impacted operations. No ransomware group has claimed responsibility. This incident occurred as Bassett reported a 17 percent revenue decrease for the second quarter of 2024. The attack also highlights the growing number of 8-K filings to the SEC regarding cybersecurity incidents, following new disclosure rules effective since December of last year.

MNGI Digestive Health, an independent group of certified gastroenterologists which operates roughly a dozen clinics and endoscopy centers around the Twin Cities metro area, is notifying over 765,000 individuals about an August 2023 data breach that compromised personal information, including names, Social Security numbers, and medical and financial details. Although the breach occurred on August 20th of last year, it took nearly a year to identify the affected individuals and their addresses for notification. MNGI assures that there's no evidence of misuse of the data. The company is offering 12 months of free credit and identity protection services. The ALPHV/BlackCat ransomware group claimed responsibility for the attack.

Threat actors are exploiting a recently patched vulnerability in Apache HugeGraph, an open-source graph database system. The flaw allows remote command execution and was patched in version 1.3.0. The Shadowserver Foundation reported seeing exploitation attempts from eight IP addresses starting June 6, with an increase last week. Proof-of-concept exploit code became available in early June, and SecureLayer7 rated the flaw as critical, warning that it enables attackers to bypass sandbox restrictions and take control of the server.

Microsoft reports that the Octo Tempest cybercrime gang, also known as Scattered Spider and 0ktapus, added RansomHub and Qilin ransomware to its toolkit. Active since early 2022, Octo Tempest is notorious for the 0ktapus campaign, compromising hundreds of organizations including Twilio, LastPass and DoorDash. The gang excels in social engineering, identity compromise and targeting VMware ESXi servers with BlackCat ransomware. The Qilin ransomware group, active since August of 2022, employs a double extortion model, recently impacting Synnovis and causing significant disruptions in London hospitals.

The Satori Threat Intelligence team, funded by HUMAN Security, revealed a massive ad-fraud operation named Konfety. Cybercriminals are using the CaramelAds SDK to create evil twins of legitimate Google Play Store applications. These decoy apps are used to commit ad fraud and redirect users to malware-laden websites. While not directly fraudulent, these apps are disseminated through malvertising, leading to browser extensions, web search monitoring and sideloading malicious code. Over 250 such apps have been identified. The SDK itself isn't malicious but was exploited to display ads, sideload APKs and connect to command and control servers. Lindsay Kaye of HUMAN Security notes this attack vector is likely being adopted by multiple threat actors. Organizations are urged to pressure ad networks for better security and educate users about the risks of mobile apps.

The cost of the Change Healthcare breach has reached $2 billion. According to UnitedHealth Group, the February ransomware attack on Change Healthcare, part of UHG's Optum unit, resulted in $1.98 billion in costs by the end of June, with projections reaching up to $2.45 billion. This includes $1.3 billion in direct costs and additional expenses from restoring services and managing higher medical costs due to disrupted care management. Despite the breach, UHG reported a 6% increase in second-quarter revenue, totaling $98.9 billion. UHG paid a $22 million ransom to the BlackCat group, and ongoing efforts to notify affected individuals continue, potentially impacting up to a third of the U.S. population. But attorneys general advise vigilance against identity theft and fraud due to the exposed sensitive information.

Venture funding for cybersecurity startups surged 144% year over year in the second quarter of 2024, reaching $4.4 billion across 153 deals, according to Crunchbase. This marks the best quarter since the first quarter of 2022, driven by significant nine-figure funding rounds, despite a decrease in deal count. Notably, cloud security startup Wiz raised $1 billion, contributing to the uptick. Other large rounds included Sierra's $300 million Series C and Island's $175 million Series D. The first half of 2024 saw $7.1 billion in venture capital, a 51% increase from the first half of 2023. Factors contributing to this growth include increased cyber hacking, threat proliferation due to AI, and renewed enterprise spending on cybersecurity. Investors remain optimistic about supporting robust security startups poised to challenge industry giants.

In a piece for Wired, Eric Geller reports that the Commerce Department's proposal to require cloud companies to verify customer identities and report activities faces potential legal challenges. Critics, including a major tech trade group, argue the regulations may exceed congressional authority. Lawsuits might also target other regulations, like those from the FTC and FCC, based on outdated laws. The EPA's withdrawal of cybersecurity requirements for water systems after court challenges highlights this issue. Federal judges could issue differing rulings, complicating enforcement. Experts suggest Congress must pass new, clear laws to empower agencies to mandate cyber improvements. Despite Congress's slow pace, there's bipartisan agreement on the need for action in cybersecurity. Indeed, the GOP's recently announced platform prioritizes securing critical infrastructure, indicating possible progress regardless of election outcomes.

Coming up after the break, my conversation with Trevor Hilligoss from SpyCloud. We're talking about the intricate world of cybercrime enablement services.

And now, a word from our sponsor, KnowBe4. Where would infosec professionals be without users making security mistakes? Working less than 60 hours per week, maybe, actually having a weekend every so often. While user behavior can be a challenge, they can also be an infosec professional's greatest asset once properly equipped. Users want to do the right thing, but often lack the knowledge to do so. That's one of the reasons KnowBe4 developed SecurityCoach, a real-time security coaching tool that takes alerts from your existing security stack and sends immediate coaching to users who've taken risky actions. Existing security tools will likely block a user from visiting a high-risk website, for example, but the user might not understand why. SecurityCoach analyzes these alerts and provides users with relevant security tips via email or Slack, coaching them on why the action they just took was risky. Help users learn from their mistakes and strengthen your organization's security culture with SecurityCoach. Learn more at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach. And we thank KnowBe4 for sponsoring our show.

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps, and networks are everywhere. This means poor visibility, security gaps, and added risk. That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.

On today's sponsored Industry Insights segment, my conversation with Trevor Hilligoss, Vice President of SpyCloud Labs at SpyCloud. He joins us to talk about exploring the intricate world of cybercrime enablement services.

Yeah, it is kind of a mouthful, too, and I would forgive anybody for not having heard this because I think I first heard this like less than a year ago, but I think it's a pretty good general term that describes kind of an umbrella of tools and services that I would kind of tag as criminal or criminal adjacent. So that could include things that are very explicitly criminal, like commodity malware. Info-stealers have been getting a lot of attention lately with some of the high-priority, high-profile breaches that have been occurring, but it extends to things that folks might not immediately think of when they think about what is being used to commit cybercrime. So the DOJ put out a press release a few weeks ago that was really a fantastic read on their takedown of the 911 S5 residential proxy service. And so that was basically a service that allowed people that wanted to commit crimes, especially fraud. I think they cited a crazy statistic in there, like $6 billion worth of fraud just in pandemic unemployment claims that were filed using the service. But it basically allows people to transact their network activity through a router or a computer that's not theirs and appear to be in a place that they're not. So I would summarize kind of CES in general as sort of this umbrella that describes a lot of these sort of related services and tooling that has become this hot market for criminals that are looking to kind of build their own tool belt and commit crimes.

Can we run through some of the types of things that these folks are offering? I mean, what are some of the things you and your colleagues there at SpyCloud see out on the market?

Yeah. So I guess the headline really is commodity malware. Like I said, I think this has been getting just a ton of coverage lately. A few weeks ago, we got the news that the Medibank ransomware event of 2022 was traced back to an info stealer that hit an employee's personal device that then was able to siphon out credentials that were for Medibank's corporate network. It's really interesting to look at this, I think, because for a long time, we in the research community kind of used sophistication as a buzzword for success when talking about cyber actors online, be it nation-state affiliated folks or people that are more financially motivated. But with the rise of kind of the commodification of malware, and malware as a service especially, that's sort of not really the whole truth anymore. You can basically see a situation where a criminal with a few Bitcoin, a few tenths of a Bitcoin or hundredths of a Bitcoin kicking around in their digital wallet, can take that to somebody who has already crafted a pretty comprehensive stealer, look at something like RedLine or Raccoon, for example, and gain access to something that's already built and likely has quite a bit of infrastructure behind it as well. So that poses kind of a high risk to the community because instead of having sort of the smaller pool of high-sophistication actors that are able to carry out these really vast and costly cyber attacks, we see that being given to much lower-sophistication, lower-tech folks that have a much lower barrier to entry to get into this field.

Help me understand the spectrum of players here. One of the things that fascinates me about this is that you've got folks who have chosen, rather than doing the crimes, to provide the tools with which to do the crimes.

That's the amazing part of this, right? I remember, years ago, my background is in federal law enforcement in the US, and I remember looking at crypting services, you know, this is many years ago, and these are, for your listeners that might not be aware, crypting services are basically small bits of code that can modify the code of a malware application so that it's less likely to be detected by like an antivirus or something like that, right? So I remember having these conversations years ago about these cryptors because they play such a massive role in this ecosystem, right? I mean, your malware's useless unless you can actually deliver it. But you know, they're not really malicious in themselves, right? They're kind of benign if you look at them without the context of how they're used. So those kinds of things, the residential proxies, you know, install brokers probably to a greater degree, they kind of exist on this spectrum of, you know, on one side, you've got like very explicitly illegal stuff, like any rational human being would look at this and say like, okay, there's no legitimate purpose for somebody to maintain, you know, install services and deliver malware to people at scale. And then on the other side, you've got, you know, these services and tools that are, you know, oftentimes they have a legitimate purpose, like residential proxies. I mean, you can look online and find legitimate businesses that are selling access to residential proxies. But you also have ones that are much less legitimate and even ones that, you know, maybe sit in that gray area, but they're used by criminals. So it's kind of muddy when you look at, like, how do we pursue this? It's not necessarily as clear of a picture as it would be to go after, you know, a ransomware affiliate or somebody that's developing an infrastructure, for example.

You know, you talk about sophistication. Can we talk about the sophistication of the users here, the folks that are out here buying these things? And are we really at the point now where someone with very little technical abilities can decide this is something they want to pursue and find the services to enable them to do it?

Yeah. Yeah. I mean, largely that's correct. You know, one of the things we've seen in the last couple of years is it used to be, you know, maybe you could get access to a malware somebody's produced and you've purchased it, but there's still some infrastructure you need to set up, right? You got to find a hosting provider that's not going to boot you. You got to, you know, figure out how to host your command and control server and maybe you got to do a proxy here and there to kind of obfuscate your traffic. Nowadays, you know, while those examples definitely still exist, there's this kind of whole market that's supporting this, like, extremely low sophistication, like, you know, using things like Discord and Telegram to actually be the command and control server and to exfiltrate the data through those, you know, what is essentially an application on a phone. And so, you know, essentially from the criminal's perspective, the person that's buying access to this, you know, they basically need a phone and a Bitcoin wallet, right? And I mean, I'm oversimplifying that, but like, it is kind of incredible how low the barrier to entry has become. We look at cybercrime actors and we say, wow, this, you know, APT is so sophisticated, they've got this whole cyber range that they built and they've got the exact hardware that they're targeting and they're building exploits, and while that's definitely true and that happens, for the majority of us that, you know, don't work for a three-letter agency, that's not the person we need to worry about. We need to worry about the, I mean, quite frankly, kid or young adult that, like I said, has a little bit of Bitcoin, has some basic technical competencies, you know, knows where to look and read some tutorials that are put out there online, and then suddenly, by virtue of this decentralized economy, they're able to scale up and be this huge player and be incredibly damaging to, quite frankly, the global economy.

Well, for the folks who are tasked with protecting their organization against these types of things, what are your recommendations? Again, you know, you and your colleagues there at SpyCloud, what sort of things are you suggesting for folks to better protect themselves?

Yeah, well, unfortunately, there really isn't a silver bullet and, you know, this is such a big problem and it's such a decentralized problem that you kind of have to approach it from a number of different angles. So, you know, we could talk about very, like, specific technical things you can do, like, you know, requiring multifactor authentication is always a good choice, but that's not infallible, right? A lot of these info stealers, for example, almost all of them contain a cookie theft module. So that enables a criminal to grab a session cookie and as long as that's valid, you know, they don't really need to trouble themselves with bypassing or emulating that MFA. And, you know, that leads into: have very short cookie timeouts if that's within your control to modify it. But I think that kind of the overarching strategy here is one of awareness. And so what I would recommend is, you know, have visibility into what the criminals have, right? The amount of data that's out there on every single one of us is, you know, quite frankly, pretty staggering when you really look at it. So, you know, companies like SpyCloud, we go out and we try to recapture that data. We, you know, make sure that it is queryable and pivotable and we can notify on that. So, you know, just having kind of the protections in place to stop the attacks, certainly do all of those things. I'm not recommending you turn off your EDR by any means. But, you know, realize that one of the most pervasive parts of this whole ecosystem is that the actual infection event is kind of a blip in the total timeline of the risk. Once the data is stolen, the internet is forever. So, you know, you might think that you've kind of resolved the incident on your network and, you know, likely you have. But that doesn't mean that the data that was stolen is not in the hands of criminals and it might be days, it might be months or years, but eventually that data is going to be used. And it's going to be used for malicious purposes.

That's Trevor Hilligoss, Vice President of SpyCloud Labs.

Most of our listeners who deal with legacy privileged access management products know they tend to be expensive, difficult to deploy, and hard to use. Keeper Security is the answer. Keeper's zero trust solution delivers password, secrets, and connection management in one easy-to-use platform. It's fast to deploy, agentless, clientless, and has no implementation fees. Plus, Keeper is FedRAMP authorized. That's why we trust Keeper to prevent breaches and gain full control over privileged users. Visit keeper.io/cyberwire to schedule a quick demo. That's keeper.io/cyberwire. And thanks to Keeper Security for supporting our podcast.

And finally, in a chaotic election year, Ruth Quint, a volunteer with the League of Women Voters of Greater Pittsburgh, is doing her best to fight disinformation using a variety of tactics. But she's uncertain about their effectiveness. Despite her efforts, including online tutorials, debunking videos, and a pilot project using AI, the overwhelming flow of false information remains daunting. Officers have identified common toxic content and how it spreads, but effective countermeasures like fact-checking and warning labels have limited impact. A massive study with 33,000 participants showed these interventions only improved the ability to judge true from false headlines by 5 to 10 percent. Experts worry that sophisticated disinformation schemes will outpace weak defenses, influencing elections globally. Some platforms are burying political posts, making it harder for Quint to reach audiences. Despite extensive efforts, disinformation continues to undermine trust and engagement. The problem is complex, with disagreements on solutions and even definitions. Strategies like fact-checking and content moderation help, but millions still believe false narratives. Others hope combining multiple tactics will provide some defense. However, educators and volunteers like Quint feel their efforts are Sisyphean, fighting a flood of disinformation with limited resources. Solutions such as redesigning online spaces and AI as a hall monitor are being explored, but the challenges remain immense. Jonathan Stray, from the Center for Human-Compatible AI, stresses that while there is a retrenchment in the field, abandoning the project is not an option. The ongoing search for effective strategies to rebuild trust and ensure information integrity is crucial in this battle against disinformation. It may be daunting, but folks like Ruth Quint need to keep fighting the good fight.

And that's the CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at N2K.com. This episode was produced by Liz Stokes, our mixer is Trey Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

On September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at mWISE, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, mWISE features one-to-one access with industry experts and fresh insights into the topics that matter most, right now, to frontline practitioners. Register early and save at mwise.io/cyberwire. That's mwise.io/cyberwire.