Rich Stroffelino
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Thursday, December 19, 2024. I'm Rich Stroffelino.

Interpol kills off pig butchering

In recent years, the proliferation of online relationship and investment scams has made "pig butchering" a fairly common thing to hear on the show. The term derives from the idea that threat actors are metaphorically attempting to fatten up a potential victim for a more significant return on their thievery. Now Interpol is calling on the cybersecurity community, media and law enforcement to retire the term in favor of the more descriptive "romance baiting." Europol said referring to the practice as pig butchering dehumanizes and shames victims, and that romance baiting highlights the emotional manipulation in these schemes, with more emphasis put on the threat actors' tactics. This comes as part of a broader effort by Interpol to encourage victims of these frauds to come forward to authorities.

Supreme Court to hear TikTok ban challenge

The long road to a TikTok ban in the US might be approaching a final stop. As a refresher, Congress passed a law in April that would require ByteDance to divest TikTok or see the app cut off from app stores and web hosting services in the U.S. That law is set to go into effect on January 19th. On December 6th, a D.C. Circuit Appeals Court ruled that the government's concerns over the Chinese government's ability to potentially gather data and manipulate content that were seen by Americans were well founded and represented a compelling national security interest. Now the US Supreme Court will hear TikTok's challenge to that ruling. On January 10th, the outgoing Biden administration will present the government's case.

US weighs TP-Link ban

In other banning-things-from-China news, the Wall Street Journal's sources say that investigators at the U.S. Commerce, Defense and Justice departments have each opened separate investigations into the router maker TP-Link. The Defense Department is reportedly investigating national security vulnerabilities in routers from China, and the Justice Department will look at whether TP-Link price discrepancies violate antitrust laws for selling below cost. TP-Link accounts for roughly 65% of the US home router market. Back in October, Microsoft reported multiple Chinese threat actors were using a botnet made up almost entirely of TP-Link routers, called Covert Network 1658, to compromise Azure accounts.

Yokai backdoor hits Thai officials

Researchers at Netskope documented a campaign using link files disguised as documents with juicy names like "Urgently, United States Authorities Ask for International Cooperation in Criminal Matters." The file names indicate a focus on Thai law enforcement agencies. Opening the files triggers a process using a legitimate Windows command line tool to write an alternate data stream to ultimately pull a dropper that would install the iTop Data Recovery tool. This would be used as a gateway for a full backdoor. Once on the system, Yokai attempts to contact the C2 server and can run ordinary shell commands. The researchers note the communications with the C2 server are highly structured, indicating some sophistication. However, Yokai appears to have a replication bug that quickly makes systems unstable, making it easy to spot.

And now, thanks to today's episode sponsor, ThreatLocker. Do zero-day exploits and supply chain attacks keep you up at night? Worry no more. You can harden your security with ThreatLocker. ThreatLocker helps you take a proactive default-deny approach to cybersecurity and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation are fully supported by their US-based support team. To learn more about how ThreatLocker can help keep your organization running efficiently and protected from ransomware, visit threatlocker.com. That's T-H-R-E-A-T-L-O-C-K-E-R dot com.

Russia designates first undesirable cybersecurity firm

Russia's Prosecutor General's Office issued a press release putting the "undesirable" designation on the threat intelligence firm Recorded Future. Russia typically uses this designation for NGOs, effectively banning the company from operating. The press release accused Recorded Future of technical support and information for misinformation campaigns targeting Russia, as well as providing data to Ukraine to assist with military and cyber operations. Recorded Future's CEO Christopher Ahlberg didn't seem too broken up about it, saying some things in life are rare compliments, this being one.

Cisco data leaked

In October, the threat actor IntelBroker claimed to have obtained data from Cisco in a breach, including source code and encryption keys. A company investigation found this data was obtained from a public-facing DevHub environment. This ordinarily hosts source code and other materials meant for public consumption, but Cisco said a configuration error caused some private data to be inadvertently published. This week, IntelBroker published 2.9 gigabytes of data obtained from DevHub, claiming they obtained a total of 4.5 terabytes. Since its initial incident report on the leaked data, Cisco removed a statement saying it found no evidence that personal information or financial data was compromised.

HubPhish used for credential theft

Researchers at Palo Alto Networks Unit 42 discovered a campaign dubbed HubPhish, which targeted European companies in the automotive, chemical and industrial compound manufacturing sectors to harvest credentials and access Azure infrastructure. This used spoofed DocuSign lures to redirect users to forms in the HubSpot form builder service. This then took victims to a faked Office 365 Outlook app to obtain login credentials, most commonly hosted on the .buzz top-level domain. Once access was obtained, the threat actors create a new device in Azure to gain persistence.

Bluesky sees authentication shakedowns

One of the standout features of decentralized social networks is the ability to self-authenticate rather than go through a platform's moderation team to verify identity. Bluesky and Mastodon do this by putting specific tokens on a domain under a user's control. However, Ernie Smith at Tedium reports seeing people trying to game the system for impersonation or to shake down money. This was highlighted when Bloomberg columnist Conor Sen posted that someone purchased his titular domain and attempted to sell it back for tens of thousands of dollars. This was complicated when an account verified to Sam Parr, founder of the media outlet The Hustle, suggested this wasn't extortion and that he should just pay. It was then discovered that this account was also fake and that someone had registered several verified accounts to prominent posters with backgrounds in business and investing, which were all used to confuse who were legitimate accounts. Domain squatting isn't new, but using it as a backdoor for verification is proving a little problematic.

Remember to subscribe to the CISO Series on YouTube. We're always hosting relevant interviews, interesting demos on the latest platforms, and snippets from our upcoming shows. Plus, you can catch our Week in Review show live on YouTube each and every Friday at 3:30pm Eastern, where you can not only get some context for the week's news, but chat along with your fellow viewers. Just search for CISO Series on YouTube and you'll find us. Reporting for the CISO Series, I'm Rich Stroffelino, reminding you to have a super sparkly day. Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: Rich Stroffelino
Podcast: CISO Series
Episode: Interpol romance baiting, TikTok at court, TP-Link investigation
In recent years, the term "pig butchering" has been widely used to describe online relationship and investment scams. This term metaphorically represents threat actors fattening up potential victims for substantial financial theft. However, Interpol has officially recommended retiring the term in favor of "romance baiting."
Europol highlighted that "pig butchering dehumanizes and shames victims," advocating for "romance baiting" to better emphasize the emotional manipulation tactics employed by fraudsters. By adopting more descriptive terminology, Interpol aims to foster a more empathetic understanding of the victims' experiences and encourage them to come forward. This initiative is part of a broader effort to enhance collaboration between the cybersecurity community, media, and law enforcement agencies to combat these sophisticated scams.
Notable Quote:
“Pig butchering dehumanizes and shames victims, and that romance baiting highlights the emotional manipulation in these schemes,” said a Europol spokesperson at [02:15].
The United States is on the verge of a pivotal Supreme Court decision regarding a potential TikTok ban. In April, Congress enacted a law mandating ByteDance, TikTok's parent company, to divest its U.S. operations or face the app being removed from app stores and web hosting services by January 19th.
On December 6th, the D.C. Circuit Appeals Court upheld the government's stance, affirming that concerns over the Chinese government's ability to access user data and manipulate content viewed by Americans represent a "compelling national security interest." TikTok has appealed this ruling, and the Supreme Court has agreed to hear the case.
The upcoming hearing, scheduled for January 10th, will feature the now-outgoing Biden administration presenting the government's case against TikTok. This decision could have far-reaching implications for app-based platforms and the broader landscape of digital privacy and national security.
Notable Quote:
“The government's concerns over data security are well founded and represent a compelling national security interest,” stated a representative of the D.C. Circuit Appeals Court at [04:30].
The U.S. government is intensifying scrutiny of TP-Link, a leading router manufacturer with a 65% share of the U.S. home router market. Separate investigations have been launched by the Commerce, Defense, and Justice Departments:
Defense Department: Examining potential national security vulnerabilities in TP-Link routers, particularly those manufactured in China. Concerns stem from the possibility that these devices could be exploited for cyber espionage or to disrupt critical infrastructure.
Justice Department: Investigating whether TP-Link's pricing strategies, specifically selling routers below cost, violate antitrust laws. Such practices could undermine competition and distort the market.
The spotlight on TP-Link follows a report from Microsoft in October, which revealed that Chinese threat actors were utilizing a botnet composed predominantly of TP-Link routers, known as Covert Network 1658, to compromise Azure accounts. This revelation has heightened fears about the security of widely used networking equipment and the potential for large-scale cyber attacks.
Notable Quote:
“TP-Link accounts for roughly 65% of the US home router market,” emphasized Rich Stroffelino at [06:50], underlining the significance of the investigations.
Researchers at Netskope have identified a sophisticated cyber campaign employing the Yokai backdoor to target Thai law enforcement officials. The campaign involves:
Initial Infection: Victims receive link files disguised as important documents with enticing titles such as "Urgently" or "United States Authorities Ask for International Cooperation in Criminal Matters."
Exploitation: Opening these files triggers a legitimate Windows command line tool that writes an alternate data stream, ultimately deploying a dropper to install the ITOP data recovery tool. This serves as an entry point for the Yokai backdoor.
Persistence and Control: Once installed, Yokai attempts to communicate with its Command and Control (C2) server, allowing attackers to execute shell commands and maintain access. The communication protocols are highly structured, indicating a high level of sophistication.
However, a replication bug within Yokai causes system instability, making infected machines easier to detect and disrupt.
Notable Quote:
“Communications with the C2 server are highly structured, indicating some sophistication,” noted the Netskope research team at [08:10]. “However, Yokai appears to have a replication bug that quickly makes systems unstable and easy to spot.”
In a significant development, Russia's Prosecutor General's Office has labeled the threat intelligence firm Recorded Future as "undesirable." This designation typically applies to non-governmental organizations (NGOs), effectively banning the company from operating within Russia.
The press release accused Recorded Future of providing technical support and information for misinformation campaigns targeting Russia and supplying data to Ukraine to aid military and cyber operations. In response, Recorded Future's CEO, Christopher Ahlberg, remarked with a sense of irony:
Notable Quote:
“Some things in life are rare compliments, this being one,” stated Christopher Ahlberg at [11:45], reflecting a surprisingly positive outlook despite the severe designation.
This move underscores the escalating tensions between Russia and cybersecurity firms that provide open threat intelligence and support to global clients.
A significant data breach at Cisco has come to light, with the threat actor IntelBroker claiming responsibility. The breach involved the unauthorized access and publication of sensitive data, including source code and encryption keys.
The investigation revealed that the data was accessed from Cisco's public-facing DevHub environment—a platform intended for hosting source code and materials for public use. Due to a configuration error, some private data was inadvertently made accessible. To mitigate the impact, Cisco has removed the affected content and issued a statement:
Notable Quote:
“Since its initial incident report on the leaked data, Cisco removed a statement saying it found no evidence that personal information or financial data was compromised,” Rich Stroffelino reported at [13:20].
IntelBroker has published 2.9 gigabytes of data from DevHub and claimed to have obtained a total of 4.5 terabytes. While the primary concern revolves around the exposure of technical assets, Cisco assures that there was no compromise of personal or financial data.
Palo Alto Networks Unit 42 has uncovered a credential theft campaign named HubPhish, which targets European companies in the automotive, chemical, and industrial compound manufacturing sectors. The campaign employs a multi-stage attack strategy:
Phishing Lures: Victims receive spoofed DocuSign invitations designed to appear legitimate, prompting them to fill out forms created using the HubSpot form builder service.
Credential Extraction: After submitting information, victims are redirected to a fake Office 365 Outlook application, most commonly hosted on the .buzz top-level domain (TLD), where their login credentials are harvested.
Persistence Mechanism: With obtained credentials, attackers create new devices within the victim's Azure infrastructure, ensuring continued access and control.
This campaign underscores the persistent threat of targeted phishing attacks and the importance of robust authentication mechanisms to protect corporate environments.
Notable Quote:
“Once access was obtained, the threat actors create a new device in Azure to gain persistence,” explained a Unit 42 analyst at [15:40], highlighting the strategic depth of the HubPhish campaign.
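The persistence step above (a new device registered in the tenant shortly after a sign-in with stolen credentials) is something a defender can hunt for in identity audit logs. The following is an added example, not code from the episode, Unit 42, or Microsoft: it runs a simple heuristic over a few constructed sign-in and device-registration events, flagging any device registration that follows, within a short window, a sign-in from an IP address never seen for that user. The event shape, field names, and baseline table are assumptions for the example; a real feed would be the tenant's sign-in and audit logs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    """Minimal identity-log event; field names are assumptions for this example."""
    ts: datetime
    user: str
    kind: str          # "signin" or "device_register"
    ip: str = ""       # only meaningful for sign-ins
    device: str = ""   # only meaningful for device registrations


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed baseline: IPs each user has historically signed in from (not real data).
BASELINE_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.22"},
}

# Constructed sample events (not real logs). Bob's account signs in from an IP
# outside his baseline and a device is registered eight minutes later.
EVENTS = [
    Event(_t("2024-12-18T08:00:00"), "alice@example.com", "signin", ip="203.0.113.10"),
    Event(_t("2024-12-18T08:05:00"), "alice@example.com", "device_register", device="LAPTOP-A1"),
    Event(_t("2024-12-18T09:12:00"), "bob@example.com", "signin", ip="198.51.100.77"),
    Event(_t("2024-12-18T09:20:00"), "bob@example.com", "device_register", device="DESKTOP-ZZ9"),
    Event(_t("2024-12-18T14:00:00"), "bob@example.com", "signin", ip="198.51.100.77"),
    Event(_t("2024-12-18T16:30:00"), "bob@example.com", "device_register", device="DESKTOP-QQ1"),
]


def suspicious_device_registrations(events, baseline_ips, window_minutes=30):
    """Return (user, device, source_ip) tuples for device registrations that occur
    within `window_minutes` of a sign-in from an IP not in that user's baseline."""
    window = timedelta(minutes=window_minutes)
    last_unknown_signin = {}  # user -> (timestamp, ip) of most recent off-baseline sign-in
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "signin":
            if ev.ip not in baseline_ips.get(ev.user, set()):
                last_unknown_signin[ev.user] = (ev.ts, ev.ip)
        elif ev.kind == "device_register":
            hit = last_unknown_signin.get(ev.user)
            if hit is not None and ev.ts - hit[0] <= window:
                alerts.append((ev.user, ev.device, hit[1]))
    return alerts


if __name__ == "__main__":
    for user, device, ip in suspicious_device_registrations(EVENTS, BASELINE_IPS):
        print(f"ALERT: {user} registered {device} shortly after sign-in from unknown IP {ip}")
```

The window matters: with the default 30 minutes only Bob's first registration fires, while a three-hour window also catches the later one. An IP-baseline signal is noisy on its own (travel, VPNs), so in practice it is one input alongside IP reputation, impossible-travel checks, and review of the registered device's properties; the registration event itself is the durable artifact to alert on.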
Decentralized social networks like Bluesky and Mastodon offer users the ability to self-authenticate by placing specific tokens on their own domains, rather than relying on a central moderation team for identity verification. However, this system has been exploited for malicious purposes:
Impersonation and Extortion: Users have been targeted by individuals who purchase their domain names and attempt to sell them back at exorbitant prices. For example, Bloomberg columnist Conor Sen reported an attempt to extort $60,000 for his domain [17:05].
Fake Verified Accounts: Attackers have registered multiple verified accounts that mimic prominent figures in business and investing. This tactic confuses legitimate users and undermines trust within the platform.
Ernie Smith from Tedium highlighted the growing problem, noting that domain squatting, while not new, poses unique challenges in the context of decentralized authentication systems.
Notable Quote:
“Domain squatting isn't new, but using it as a backdoor for verification is proving a little problematic,” stated Ernie Smith at [17:45], emphasizing the innovative exploitation methods within decentralized networks.
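The weakness described in this segment is that domain-based verification proves control of a domain string, not who the person is: a squatter who owns a lookalike domain passes the very same check. The example below is added here and is not code from the episode or from Bluesky; it assumes the mechanism takes the form of a DNS TXT record at `_atproto.<handle>` carrying `did=<account DID>`, and it replaces live DNS with a constructed in-memory table so it runs offline. It shows the verification check, shows that a lookalike domain verifies just as cleanly, and adds the kind of lookalike warning a client could layer on top.

```python
from typing import Callable, Dict, List, Optional

# Constructed DNS zone data for the example (not real records or real DIDs).
# The real owner controls conorsen.example; someone else controls the lookalike.
FAKE_DNS_TXT: Dict[str, List[str]] = {
    "_atproto.conorsen.example": ["did=did:plc:realowner0001"],
    "_atproto.conorsen-official.example": ["did=did:plc:squatter0002"],
    "_atproto.nobody.example": [],
}


def lookup_txt(name: str) -> List[str]:
    """Stand-in for a DNS TXT lookup; returns constructed records."""
    return FAKE_DNS_TXT.get(name, [])


def resolve_handle_did(handle: str, txt_lookup: Callable[[str], List[str]] = lookup_txt) -> Optional[str]:
    """Return the DID the domain binds to this handle, or None if no binding exists.
    Assumed record form: TXT at _atproto.<handle> with value did=<DID>."""
    for record in txt_lookup(f"_atproto.{handle}"):
        if record.startswith("did="):
            return record[len("did="):]
    return None


def verify_handle(handle: str, claimed_did: str, txt_lookup: Callable[[str], List[str]] = lookup_txt) -> bool:
    """True only if whoever controls the domain has published the DID the account claims."""
    return resolve_handle_did(handle, txt_lookup) == claimed_did


def _core_label(handle: str) -> str:
    """Leftmost label, lowercased, with punctuation stripped, for lookalike comparison."""
    return "".join(ch for ch in handle.split(".")[0].lower() if ch.isalnum())


def lookalike_of(handle: str, trusted_handles: List[str]) -> List[str]:
    """Trusted handles that this (untrusted) handle resembles. A verified lookalike
    is still 'verified' by DNS, so this warning must come from the client, not the check."""
    if handle in trusted_handles:
        return []
    core = _core_label(handle)
    return [t for t in trusted_handles if _core_label(t) and _core_label(t) in core]


if __name__ == "__main__":
    trusted = ["conorsen.example"]
    for handle, did in [("conorsen.example", "did:plc:realowner0001"),
                        ("conorsen-official.example", "did:plc:squatter0002")]:
        status = "verified" if verify_handle(handle, did) else "NOT verified"
        warn = lookalike_of(handle, trusted)
        print(f"{handle}: {status}; resembles {warn if warn else 'nothing trusted'}")
```

The point the second loop iteration makes is the one the segment raises: the squatter's handle is verified because the squatter genuinely controls that domain. The only defenses that help are outside the DNS check itself: a trusted-handle list or lookalike warning on the client side, and keeping registration of the real domain from lapsing in the first place.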
Rich Stroffelino wrapped up the episode by encouraging listeners to subscribe to the CISO Series on YouTube for a variety of content, including interviews, platform demos, and previews of upcoming shows. Additionally, he promoted the "Week in Review" show, which provides contextual analysis of the week's cybersecurity news and fosters community engagement through live chats.
Final Quote:
“Remember to subscribe to the CISO Series on YouTube. We're always hosting relevant interviews, interesting demos on the latest platforms, and snippets from our upcoming shows,” Rich said at [19:30], inviting listeners to stay connected and informed.
This episode of Cybersecurity Headlines delivered a comprehensive overview of critical issues affecting the cybersecurity landscape, from international law enforcement terminology shifts and high-stakes legal battles over popular applications to intricate cyber-espionage campaigns and emerging threats in decentralized platforms. The discussions highlighted the evolving nature of cyber threats and the significant efforts by global entities to address and mitigate these risks. For cybersecurity professionals and enthusiasts alike, staying informed through such detailed analyses is crucial in navigating the complex and ever-changing digital environment.
For more in-depth stories and updates, visit CISOseries.com.