Threats Without Borders - Issue 120
Matt's Cyber-Financial Crime Newsletter, Week ending March 5, 2023
My favorite annual report was published last week – the Global Threat Report by CrowdStrike. Yes, they turn the threat groups into cartoon characters and give them silly names, but the information is rock solid, and they are candid in their reporting.
I found this year’s report harder to digest though. Maybe it was written by a different author than in previous years. It just seemed more wordy and technical.
I suggest you read 2023’s edition yourself or at least give it a skim.
Four observations from my first read of the report:
1) The average “break-out” time dropped from 98 minutes in 2021 to 84 minutes in 2022. This is one measurement where less is worse. This finding means you have 84 minutes to detect the intrusion before the attacker begins to move laterally in your system. One hour and twenty-four minutes. Yeah right, only the most advanced security operations are going to be running on that timeline.
2) Crowdstrike observed a 20% increase in attackers exfiltrating data and moving to extortion without ever releasing a ransomware variant. We are moving into the post-ransomware era. Back-ups are irrelevant. We have moved on to straight Cyber-Extortion.
3) Log4Shell, CVE-2021-44228, is still being exploited. Basic cyber-hygiene is not being practiced by many organizations. PATCH and UPDATE!
4) The report offers a list of five steps to make any organization more secure. One of these steps is “Practice Makes Perfect” which details the importance of running table-top exercises to identify gaps and weaknesses in an org’s response plan. I’ll take this a step further and say that organizations shouldn’t just simulate cyber incidents. The response to incidents of fraud, insider threats, natural disasters, and supply disruption should also be practiced.
Well, it’s government
The current presidential administration released a new “National Cybersecurity Strategy” and everyone has their own take on it. I could not care less, because well, it’s government, and they will undoubtedly screw it up. The plan looks great in writing…the implementation will be nothing of the like.
Let me question this though. Pillar 2 reads:
Disrupt and Dismantle Threat Actors – Using all instruments of national power, we will make malicious cyber actors incapable of threatening the national security or public safety of the United States, including by: Strategically employing all tools of national power to disrupt adversaries; Engaging the private sector in disruption activities through scalable mechanisms;
Are we now openly “hacking back”? Because it surely reads that way!
Email security organization Avanan proposes we are now at Business Email Compromise 3.0 as characterized by the following:
Hackers are using actual services to unleash the attack
Hackers will create a legitimate account in PayPal, QuickBooks, or RingCentral and use that to release the attack
Essentially, you no longer get a fake invoice; you get a legit invoice from QuickBooks with a fraudulent configuration
See how we got here: https://www.avanan.com/blog/business-email-compromise-scam-tries-to-trick-company-into-payment
A new attack is exploiting the ability to “tap” your ATM card and access your account. It seems the ATM doesn’t automatically end the session when the tap-login function is used. This makes sense since it doesn’t need to return the card to the customer. If the customer doesn’t manually end the session, the machine doesn’t know when to do it. This allows the next person in line to hijack the session, and the account. https://abc7news.com/atm-scam-tap-card-chase-bank-function/12905397/
The Pennsylvania State Police arrested two New Jersey men in connection with a “grandparent scam” targeting an 86-year-old woman. The woman was instructed to send $25,000 to a delivery point through a ride-share service. The driver was intercepted and correctly agreed to cooperate. The police arrested the two men when they attempted to retrieve the package. The worst people in the world right here. https://www.pennlive.com/news/2023/02/out-of-state-scammers-trick-central-pa-woman-out-of-25000-police.html
Happy fraud-iversary to us
Not so happy for you. The BidenCash cybercrime forum released a massive dump of over 2 million credit cards - for free - to celebrate their one-year anniversary. Many of these cards are certainly dupes and even more have already been canceled, but there’s got to be some diamonds in all that broken glass. Cyble further reports “the data within the leak included Personally Identifiable Information such as names, emails, phone numbers, home addresses, and the main offering: payment card numbers, expiration dates, and CVV codes, with the expiration dates ranging from early 2023 up to 2052.” https://blog.cyble.com/2023/03/01/over-2-million-cards-leaked-by-bidencash/
Zoom attacker flooded Federal Reserve event with porn https://www.reuters.com/world/us/feds-waller-virtual-event-canceled-after-zoom-hijack-2023-03-02/
Cryptocurrency wallet Trezor warns of a massive phishing campaign targeting crypto accounts. https://www.bleepingcomputer.com/news/security/trezor-warns-of-massive-crypto-wallet-phishing-campaign/
Two New York City men arrested for stealing over 1 million dollars from ATMs throughout the city. https://www.justice.gov/usao-sdny/pr/two-defendants-arrested-stealing-over-1-million-atms-throughout-bronx
Director of Fraud Investigation - SoFi. https://www.sofi.com/careers/job/?gh_jid=5530487003
Manager of Dark Web Threat Intelligence - Navy Federal Credit Union. https://nfcucareers.ttcportals.com/jobs/12080474-manager-cyber-advanced-analysis-dark-web-threat-intelligence
Enroll your own company’s website, or personal site, and be notified if it gets altered (or defaced). https://visualping.io/
100 centenarians give 100 tips for a life well lived. https://www.theguardian.com/science/2023/feb/18/100-centenarians-100-tips-for-a-life-well-lived
The BSides Harrisburg conference is this Saturday (March 11th, 2023). Come out and support a great event with a solid line-up of speakers. I’m volunteering so come up and say Hey! https://bsideshbg.com/
Thank you for opening this week’s email and making it to the bottom of the newsletter. Please consider sharing with colleagues. Feel free to reply with comments, concerns, praise, or hate.
“Focus is repeatedly saying no to almost everything” - someone with more focus than me.
What’s this newsletter all about?
Being a voracious reader, I joke with my colleagues, “I read the Internet so you don’t have to”. Over the course of a week I consume a voluminous amount of information presented by numerous reporting organizations, email lists, news aggregators, and blogs. Most of my regular reading involves the realms of cybercrime, cybersecurity, digital forensics and financial crime investigations.
Every Tuesday, I summarize and comment on the articles that interested me the most through the week and share active threat intelligence for the financial industry. This curated newsletter will be of interest to anyone who is involved in the prevention or investigation of financial crime facilitated through the use of digital technology.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.