Interpol romance baiting, TikTok at court, TP-Link investigation
In today’s cybersecurity news…
Interpol kills off Pig Butchering
In recent years, the proliferation of online relationships and investment scams has made “Pig butchering” a fairly common thing to hear on this show. It derives from the idea that threat actors are metaphorically attempting to fatten up a potential victim for a more significant return. Now, Interpol is calling on the cybersecurity community, media, and law enforcement to retire the term in favor of the more descriptive “romance baiting.” Europol said referring to the practice as pig butchering dehumanizes and shames victims and that romance baiting highlights the emotional manipulation in these schemes, with more emphasis put on the threat actor’s tactics. This comes as part of a broader effort by Interpol to encourage victims of these frauds to come forward to authorities.
Supreme Court to hear TikTok ban challenge
The long road to a TikTok ban in the US might be approaching a final stop. As a refresher, Congress passed a law in April requiring ByteDance to divest TikTok or see the app cut off from app stores and web-hosting services in the US. That law is set to go into effect on January 19th. On December 6th, a DC Circuit appeals court ruled that Americans saw concerns over the Chinese government’s ability to gather data and potentially manipulate content as “well-founded” and represented a “compelling national security interest.” Now, the US Supreme Court will hear TikTok’s challenge to that ruling on January 10th. The outgoing Biden administration will present the government’s case.
(CBS)
US weighs TP-Link ban
In other “banning things from China” news, the Wall Street Journal’s sources say that investigators at the US Commerce, Defense, and Justice departments have opened separate investigations into the router-maker TP-Link. The Defense Department is reportedly investigating national-security vulnerabilities in routers from China, and the Justice Department will look at whether TP-Link’s pricing violates antitrust laws by selling below cost. TP-Link accounts for roughly 65% of the US home router market. Back in October, Microsoft reported multiple Chinese threat actors were using a botnet made up almost entirely of TP-Link routers, called CovertNetwork-1658, to compromise Azure accounts.
(WSJ)
Yokai backdoor hits Thai officials
Researchers at Netskope documented a campaign using LNK files disguised as document files, with juicy names like “Urgently, United States authorities ask for international cooperation in criminal matters.docx.” The file names indicate a focus on Thai law enforcement agencies. Opening these files triggers a process using a legitimate Windows command line tool to write to alternate data streams to ultimately pull a dropper that would install the iTop Data Recovery tool. This would be used as the gateway for a full backdoor. Once on the system, Yokai attempts to contact a C2 server and can run ordinary shell commands. The researchers note the communications with the C2 server are highly structured, indicating some sophistication. However, Yokai also appears to have a replication bug that quickly makes systems unstable, making it easy to spot.
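The lure described above relies on a shortcut file that looks like a document. As an added example (not from the Netskope write-up or the original post), here is a small Python triage helper that flags such files two ways: by the double extension in the name, and by the Windows Shell Link header in the content, which is what matters when the `.lnk` suffix is hidden from the user. The sample file names and bytes below are constructed for the demonstration; the one page-quoted name is used only as a string.

```python
import struct
import uuid

# Shell Link (.LNK) files start with HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK header layout).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")

# Extensions that a lure is likely to show in front of a hidden ".lnk".
DOCUMENT_EXTS = {".docx", ".doc", ".pdf", ".xlsx", ".pptx", ".txt"}


def is_shell_link(data: bytes) -> bool:
    """True if the bytes begin with a valid Windows Shell Link header."""
    if len(data) < 20:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    clsid = uuid.UUID(bytes_le=data[4:20])
    return header_size == LNK_HEADER_SIZE and clsid == LNK_CLSID


def masquerades_as_document(name: str) -> bool:
    """True for names like 'report.docx.lnk': document extension, then .lnk."""
    lowered = name.lower()
    if not lowered.endswith(".lnk"):
        return False
    inner = lowered[: -len(".lnk")]
    return any(inner.endswith(ext) for ext in DOCUMENT_EXTS)


def classify(name: str, data: bytes) -> str:
    """Combine the name and content checks into one triage verdict."""
    link = is_shell_link(data)
    if link and masquerades_as_document(name):
        return "lnk-disguised-as-document"
    if link and not name.lower().endswith(".lnk"):
        return "lnk-with-mismatched-extension"
    if link:
        return "lnk"
    return "not-lnk"


# Constructed sample content: a minimal LNK header padded to its full size,
# and a plain-text blob that only pretends to be a shortcut by name.
SAMPLE_LNK = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID.bytes_le).ljust(
    LNK_HEADER_SIZE, b"\x00"
)
SAMPLE_TEXT = b"Just a text file, nothing to see here.\n"

# Constructed file names; the first borrows the lure name quoted in the article.
SAMPLES = [
    ("Urgently, United States authorities ask for international cooperation "
     "in criminal matters.docx.lnk", SAMPLE_LNK),
    ("quarterly-report.pdf", SAMPLE_LNK),   # content is a shortcut, name is not
    ("shortcut.lnk", SAMPLE_LNK),
    ("notes.txt", SAMPLE_TEXT),
]


def triage(samples=SAMPLES) -> dict:
    """Return {name: verdict} for every sample so the result can be inspected."""
    return {name: classify(name, data) for name, data in samples}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{verdict:32} {name}")
```

The content check is the one worth keeping in a mail gateway or EDR rule, since Explorer never displays the `.lnk` extension and a renamed shortcut still opens as a shortcut.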
Huge thanks to our sponsor, ThreatLocker
Russia designates first “undesirable” cybersecurity firm
Russia’s Prosecutor General’s Office issued a press release putting the “undesirable” designation on the threat intelligence firm Recorded Future. Russia typically uses this designation for NGOs, and it effectively bans the company from operating there. The press release accused Recorded Future of providing technical support and information for misinformation campaigns targeting Russia, as well as providing data to Ukraine to assist with military and cyber operations. Recorded Future CEO Christopher Ahlberg didn’t seem too broken up, saying, “Some things in life are rare compliments. This being one.”
Cisco data leaked
In October, the threat actor IntelBroker claimed they had obtained data from Cisco in a breach, including source code and encryption keys. A company investigation found this data was obtained from a public-facing DevHub environment. This ordinarily hosts source code and other materials meant for public consumption, but Cisco said a configuration error caused some private data to be inadvertently published. This week, IntelBroker published 2.9 gigabytes of data obtained from DevHub, claiming they obtained a total of 4.5 terabytes. Since its initial incident reports on the leaked data, Cisco removed a statement saying it found no evidence that personal information or financial data was compromised.
HubPhish used for credential theft
Researchers at Palo Alto Networks Unit 42 discovered a campaign dubbed HubPhish, which targeted European companies in the automotive, chemical, and industrial compound manufacturing sectors to harvest credentials and access Azure infrastructure. It used spoofed Docusign lures to redirect users to forms in the HubSpot Form Builder service, which in turn sent victims to a faked Office 365 Outlook app, most commonly hosted on the .buzz top-level domain, to capture login credentials. Once access is obtained, the threat actors register a new device in Azure to gain persistence.
Bluesky sees authentication shakedowns
One of the standout features of decentralized social networks is the ability to self-authenticate rather than go through a platform’s moderation team to verify identity. Bluesky and Mastodon do this by putting specific tokens on a domain under the user’s control. However, Ernie Smith at Tedium reports seeing people trying to game this system for impersonation or to shake down money. This was highlighted when Bloomberg columnist Conor Sen posted that someone had purchased the domain bearing his name and attempted to sell it back for tens of thousands of dollars. Matters were complicated when an account verified as Sam Parr, founder of the media outlet The Hustle, suggested this wasn’t extortion and that he should just pay. It was discovered that this account was also fake and that someone had registered several verified accounts impersonating prominent posters with backgrounds in business and investing, all used to confuse which accounts were legitimate. Domain squatting isn’t new, but using it as the backbone of verification is proving problematic.
(Tedium)
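To make the verification mechanism in the item above concrete, here is an added Python example (not code from Tedium, Bluesky, or the original post). It assumes the AT Protocol handle check as publicly specified: a DNS TXT record at `_atproto.<handle>` whose value is `did=<account DID>`. The DNS resolver is replaced by a constructed lookup table so the example runs offline, and every domain and DID in it is a placeholder.

```python
from typing import Callable, Iterable, Optional

# Assumption (AT Protocol handle resolution, not stated in the article):
# the record lives at _atproto.<handle> and carries "did=<DID>".
ATPROTO_LABEL = "_atproto"


def parse_atproto_txt(records: Iterable[str]) -> Optional[str]:
    """Extract the single DID asserted by a set of TXT records.

    Zero or more than one "did=" record is treated as unverifiable rather than
    picking one, so an ambiguous zone never verifies by accident.
    """
    dids = []
    for record in records:
        value = record.strip().strip('"')
        if value.startswith("did="):
            dids.append(value[len("did="):])
    return dids[0] if len(dids) == 1 else None


def verify_handle(handle: str, expected_did: str,
                  resolve_txt: Callable[[str], list]) -> str:
    """Return 'verified', 'mismatch', or 'unverified' for a handle/DID pair."""
    records = resolve_txt(f"{ATPROTO_LABEL}.{handle}")
    asserted = parse_atproto_txt(records)
    if asserted is None:
        return "unverified"
    return "verified" if asserted == expected_did else "mismatch"


# Constructed DNS zone data standing in for real resolver answers.
# "columnist.test" is the legitimate account's domain; "columnist-lapsed.test"
# models a domain that changed hands and now asserts a different account's DID.
CONSTRUCTED_DNS = {
    "_atproto.columnist.test": ['"did=did:plc:constructed-owner"'],
    "_atproto.columnist-lapsed.test": ['"did=did:plc:constructed-squatter"'],
    "_atproto.ambiguous.test": ['"did=did:plc:one"', '"did=did:plc:two"'],
}


def constructed_resolver(name: str) -> list:
    """Offline stand-in for a DNS TXT lookup (returns [] for NXDOMAIN)."""
    return CONSTRUCTED_DNS.get(name, [])


def audit(expected: dict, resolve_txt=constructed_resolver) -> dict:
    """Check several handle -> expected-DID pairs and report each verdict.

    This is the check a defender would run on a schedule: a handle that was
    'verified' yesterday and is 'mismatch' today means the domain now answers
    for someone else, which is exactly the failure mode the article describes.
    """
    return {handle: verify_handle(handle, did, resolve_txt)
            for handle, did in expected.items()}


if __name__ == "__main__":
    expectations = {
        "columnist.test": "did:plc:constructed-owner",
        "columnist-lapsed.test": "did:plc:constructed-owner",
        "ambiguous.test": "did:plc:one",
        "unregistered.test": "did:plc:constructed-owner",
    }
    for handle, verdict in audit(expectations).items():
        print(f"{verdict:11} {handle}")
```

The point the code makes explicit is that the check only answers "does whoever currently controls this DNS zone assert this DID". It proves domain control at lookup time, not the identity of the person behind the name, so a domain that lapses or is bought by someone else re-verifies cleanly for its new holder. Periodically re-running the audit against the DIDs you expect is the cheap detection for that.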