CyberWire Daily: "Pay the Ransom or Risk Data Carnage" Summary
Release Date: February 28, 2025
Host: N2K Networks
Guest: Keith Mularski, Chief Global Ambassador at Qintel and former FBI Special Agent
1. Qilin Ransomware Attack on Lee Enterprises
The episode opens with a discussion on the Qilin ransomware group claiming responsibility for a significant attack against Lee Enterprises, a major newspaper publisher based in Iowa. The group disclosed that they had exfiltrated approximately 350 gigabytes of sensitive data, encompassing investor records, financial arrangements, and communications with journalists.
- Impact: Over 75 publications across 25 U.S. states were disrupted following the attack on February 3.
- Threat: Qilin demands a ransom, threatening to release the stolen data on March 5 if their demands are not met.
- Statement: Maria Varmazis highlights the severity, stating, "The attackers encrypted critical applications and exfiltrated certain files, causing widespread disruption." ([01:32])
Despite the gravity of the situation, Lee Enterprises refrains from labeling the incident explicitly as ransomware in their SEC filing, though the nature of the attack clearly aligns with ransomware tactics.
2. Arrest of a Singaporean Cybercriminal in Thailand
The podcast reports that Thai police arrested a 39-year-old Singaporean man suspected of orchestrating over 90 data leaks across the Asia Pacific region. Assisted by Group-IB, the joint operation targeted companies in Thailand, Singapore, Malaysia, Indonesia, and India, among others.
- Modus Operandi: The suspect primarily focused on exfiltrating personal data and coerced victims into paying to prevent public disclosure.
- Aggression: If unpaid, rather than leveraging dark web forums, the hacker directly notified media outlets or data protection regulators to amplify reputational and financial damage.
- Quote: "He used direct notifications to pressure victims into submission, inflicting greater reputational and financial harm." – Group-IB Press Release ([02:50])
This arrest underscores the growing international collaboration in combating cybercrime and the increasing sophistication of cybercriminals in manipulating data for extortion.
3. JavaGhost Exploits AWS for Phishing Campaigns
Palo Alto Networks' Unit 42 has identified a new threat actor, JavaGhost, exploiting misconfigured AWS environments to propagate phishing campaigns.
- Tactics: JavaGhost gains unauthorized access through exposed long-term access keys and leverages legitimate AWS services like Amazon SES and WorkMail to dispatch phishing emails.
- Defense Recommendations:
  - Limit administrative access.
  - Regularly rotate IAM credentials.
  - Utilize short-term access tokens.
  - Implement multi-factor authentication. ([05:15])
By using legitimate services, JavaGhost’s phishing attempts are more likely to bypass traditional security filters, emphasizing the need for stringent configuration and monitoring of cloud environments.
4. Lotus Blossom Cyber Espionage Targeting Southeast Asia
Cisco Talos has been tracking Lotus Blossom, a threat actor engaged in extensive cyber espionage campaigns targeting governmental, manufacturing, telecommunications, and media sectors in Vietnam, Taiwan, Hong Kong, and the Philippines.
- Tools Used: The campaigns utilize the Sagerunex remote access tool, uniquely employed by Lotus Blossom, which abuses cloud services like Dropbox, Twitter (now X), and Zimbra for command and control (C2) communication.
- Attribution: While Cisco Talos does not directly link Lotus Blossom to a specific nation-state, Microsoft has previously associated the group with China.
This espionage highlights the persistent threats faced by Southeast Asian nations and the sophisticated methods employed by adversaries to infiltrate and control critical infrastructure.
5. Exploitation of Microsoft Dev Tunnel Service by Malware
A novel abuse of Microsoft’s Dev Tunnel service has been uncovered, where cybercriminals utilize it to facilitate data transfer between malware-infected devices and command and control servers.
- Malware Utilized: Variants of njRAT are found exploiting Dev Tunnels to communicate via hidden URLs, making detection by traditional security systems challenging.
- Spread Mechanism: The malware can spread through USB devices, further compromising systems.
- Recommendation: Organizations not using Dev Tunnels should monitor DNS logs for suspicious tunnel URLs to identify potential breaches early. ([06:45])
This exploitation underscores the adaptability of malware in leveraging legitimate services to obfuscate malicious activities.
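The DNS-log check recommended above is simple to put into practice. The following added example (not code from the episode, Microsoft, or any vendor mentioned) scans constructed DNS resolver log lines for lookups of Dev Tunnel hostnames by hosts that are not approved to use the service. The `devtunnels.ms` suffix is an assumption about the service's public hostname pattern and is kept configurable; the log layout, client addresses and approved-host list are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed DNS log lines in a simple "timestamp client qname qtype" layout;
# these are not taken from any real resolver.
SAMPLE_DNS_LOG = """\
2025-02-28T09:00:01Z 10.0.4.17 www.example-corp.internal A
2025-02-28T09:00:05Z 10.0.4.17 updates.microsoft.com A
2025-02-28T09:01:12Z 10.0.7.33 abcd1234-8080.euw.devtunnels.ms A
2025-02-28T09:01:13Z 10.0.7.33 abcd1234-8080.euw.devtunnels.ms AAAA
2025-02-28T09:02:40Z 10.0.9.2 login.microsoftonline.com A
2025-02-28T09:03:07Z 10.0.7.33 xyz9876-443.use.devtunnels.ms A
2025-02-28T09:05:00Z 10.0.2.50 dev-laptop-tunnel-1a2b.euw.devtunnels.ms A
"""

# Assumption: Dev Tunnel hostnames end in this suffix. Extend if your
# environment sees other tunnel domains.
TUNNEL_SUFFIXES = ("devtunnels.ms",)

# Hosts approved to use Dev Tunnels (e.g. a developer workstation, constructed);
# any other client resolving a tunnel hostname deserves a closer look.
APPROVED_CLIENTS = {"10.0.2.50"}

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


@dataclass(frozen=True)
class TunnelQuery:
    ts: str
    client: str
    qname: str


def is_tunnel_hostname(qname, suffixes=TUNNEL_SUFFIXES):
    """True only when the name is, or is a subdomain of, a tunnel suffix.

    A suffix match on the raw string would also accept look-alikes such as
    'devtunnels.ms.example.com', so the check is done label-wise.
    """
    name = qname.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)


def find_tunnel_queries(log_text, approved=APPROVED_CLIENTS):
    """Return every tunnel-hostname lookup made by a non-approved client."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed or blank lines rather than failing the scan
        if is_tunnel_hostname(m["qname"]) and m["client"] not in approved:
            hits.append(TunnelQuery(m["ts"], m["client"], m["qname"].rstrip(".").lower()))
    return hits


def summarize_by_client(hits):
    """Group hits so one noisy host shows up once with its distinct tunnel names."""
    by_client = {}
    for h in hits:
        by_client.setdefault(h.client, set()).add(h.qname)
    return {c: sorted(names) for c, names in by_client.items()}


if __name__ == "__main__":
    for client, names in summarize_by_client(find_tunnel_queries(SAMPLE_DNS_LOG)).items():
        print(f"{client}: {len(names)} distinct tunnel hostname(s): {', '.join(names)}")
```

In practice the approved-client set should come from an asset inventory, and the output is best fed to a ticketing or SIEM pipeline rather than printed; the point is that a single unapproved host resolving tunnel hostnames is a high-signal event in an organisation that does not use the service.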
6. Pass-the-Cookie Attacks Bypassing Multi-Factor Authentication (MFA)
Longwall Security alerts to the rise of pass-the-cookie attacks, a technique where attackers hijack session cookies to gain unauthorized access without triggering MFA.
- Mechanism: Attackers use info stealer malware like LummaC2 to extract authentication cookies directly from browsers.
- Black Market: Stolen cookies are traded on dark web marketplaces, facilitating undetected account access.
- Defense Strategies:
  - Shorten session expiration times.
  - Monitor login behaviors.
  - Educate users on phishing threats. ([07:30])
As MFA remains a cornerstone of cybersecurity, attackers’ ability to bypass it using session hijacking necessitates enhanced protective measures.
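The first two defenses above (shorter session lifetimes and monitoring login behaviour) can be enforced server-side, where a stolen cookie has to be presented. The following added example, which is not code from the episode or from Longwall Security, is a minimal session store that applies both an absolute and an idle expiry and binds each session to a coarse client fingerprint; a cookie replayed from a different network or browser is revoked and recorded as an alert. The policy values, the fingerprint heuristic (first three IPv4 octets plus user agent), the client addresses and the `SessionStore` API are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for this example; tune to the application's risk.
ABSOLUTE_TTL = 8 * 3600   # hard cap on a session's life, regardless of activity
IDLE_TTL = 15 * 60        # expire after this much inactivity


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    binding: str          # fingerprint of the client that established the session


def client_fingerprint(ip, user_agent):
    """Coarse binding: /24 of the IPv4 address plus user agent (constructed heuristic).

    Binding to the full address would log out mobile users on every network
    change; binding only to the user agent would be too easy to match.
    """
    net = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{net}|{user_agent}".encode()).hexdigest()


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so expiry can be exercised in tests
        self._sessions = {}
        self.alerts = []        # binding mismatches, for the login-monitoring feed

    def issue(self, user, ip, user_agent):
        now = self.clock()
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy; never derived from user data
        self._sessions[sid] = Session(user, now, now, client_fingerprint(ip, user_agent))
        return sid

    def validate(self, sid, ip, user_agent):
        """Return (ok, reason); 'reason' names why a presented cookie was rejected."""
        s = self._sessions.get(sid)
        now = self.clock()
        if s is None:
            return False, "unknown-session"
        if now - s.created > ABSOLUTE_TTL:
            self._sessions.pop(sid)
            return False, "absolute-expiry"
        if now - s.last_seen > IDLE_TTL:
            self._sessions.pop(sid)
            return False, "idle-expiry"
        if not hmac.compare_digest(s.binding, client_fingerprint(ip, user_agent)):
            # Same cookie, different client: treat as replay, revoke and alert.
            self._sessions.pop(sid)
            self.alerts.append({"user": s.user, "reason": "binding-mismatch",
                                "ip": ip, "user_agent": user_agent, "at": now})
            return False, "binding-mismatch"
        s.last_seen = now   # sliding idle window; absolute cap is unaffected
        return True, "ok"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.issue("alice", "203.0.113.10", "Mozilla/5.0 Chrome")
    print(store.validate(sid, "203.0.113.10", "Mozilla/5.0 Chrome"))   # (True, 'ok')
    print(store.validate(sid, "198.51.100.7", "Mozilla/5.0 Chrome"))   # (False, 'binding-mismatch')
    print(store.alerts)
```

Binding is a detection aid, not a cure: an attacker who also steals the victim's network position or relays through their machine will match the fingerprint. The absolute cap is what bounds the value of a stolen cookie, which is why the episode's first recommendation is to shorten session lifetimes.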
7. Cyber Threats to Agriculture and the Farm and Food Cybersecurity Act
The episode highlights the Farm and Food Cybersecurity Act, reintroduced in Congress to safeguard the U.S. food supply chain from digital threats.
- Provisions:
  - Mandates the USDA to perform biennial cybersecurity assessments.
  - Requires coordination of crisis response exercises with homeland security and intelligence agencies.
- Rationale: Recent incidents, like the 2021 JBS ransomware attack, have exposed vulnerabilities in precision agriculture and food production sectors.
- Statistics: A report cited that 90% of cyberattacks leverage readily available tools and 83% involve spear phishing.
- Support: The bill enjoys backing from key industry groups, emphasizing that food security equates to national security. ([08:15])
This legislative effort aims to bolster cyber resilience in a sector critical to national infrastructure and public health.
8. Interview with Keith Mularski on Cryptocurrency and Cybersecurity
The core segment features an in-depth conversation between Dave Bittner and Keith Mularski, exploring the intersection of cryptocurrency and cyber threats.
a. The Rise of Crypto as a Target
Keith Mularski outlines the transformation of cryptocurrency from a fringe interest to a mainstream investment avenue, attracting significant attention from cybercriminals due to its high liquidity and anonymity.
- Quote: "Crypto has evolved from a side activity to a mainstream investment, attracting both legitimate investors and cybercriminals alike." ([12:27])
b. Challenges in Tracking Crypto-related Crimes
Mularski explains the complexities law enforcement faces in tracing crypto transactions compared to traditional financial systems.
- Anonymity: Despite blockchain's transparency, the use of crypto mixers and rapid coin conversions (e.g., Bitcoin to Monero) complicates tracking efforts.
- Quote: "The anonymous nature of crypto transactions makes it significantly harder to trace compared to traditional money laundering methods." ([13:47])
c. Cryptocurrency as an Enabler for Ransomware
The discussion highlights how cryptocurrency has amplified ransomware operations by providing a streamlined avenue for ransom payments and laundering.
- Impact: Instances where entities like North Korea have exploited crypto to fund their operations are cited.
- Quote: "Cryptocurrency has been pivotal in enabling ransomware to flourish, providing an efficient means to launder multi-million dollar ransoms." ([15:07])
d. Lack of Regulation and Consumer Protections
Mularski emphasizes the urgent need for regulatory frameworks to protect consumers investing in cryptocurrency, pointing out the absence of safeguards like FDIC insurance.
- Personal Impact: He shares a personal anecdote about a friend losing substantial crypto holdings to malware, highlighting the dire consequences of inadequate protections.
- Quote: "Without regulations, consumers have no recourse when their crypto investments are compromised, leading to significant financial losses." ([18:24])
e. Recommendations for Protecting Crypto Assets
To mitigate threats, Mularski suggests three primary methods for safeguarding cryptocurrencies:
- Using Reputable Exchanges: Although exchanges are targets, selecting reliable ones can offer some level of security.
- Physical Storage: Storing crypto on a USB drive or employing cold storage solutions.
- Regulatory Advocacy: Pushing for comprehensive regulations to enforce security standards and protect consumers.
- Quote: "While no method is foolproof, combining these strategies can significantly reduce the risk of crypto asset theft." ([19:34])
Mularski concludes by stressing the necessity of public trust and regulatory measures to ensure the sustainable growth of cryptocurrency as a legitimate financial tool ([20:49]).
Conclusion
This episode of CyberWire Daily provides a comprehensive overview of current cybersecurity threats, ranging from ransomware attacks on major publishers to sophisticated cyber espionage and emerging threats targeting the burgeoning cryptocurrency market. Through expert analysis and insightful discussions, particularly with Keith Mularski, listeners gain a deeper understanding of the evolving cyber threat landscape and the imperative for enhanced security measures and regulatory frameworks.
For those seeking to stay ahead in cybersecurity, this episode underscores the critical need for vigilance, proactive defense strategies, and informed policy-making to safeguard both organizational and personal digital assets.
