10 episodes

“The Daily Decrypt”, hosted by offsetkeyz and d0gesp4n, offers an insightful and approachable take on cybersecurity. Their discussions cover a range of topics, from specific software vulnerabilities to broader issues like mobile security and ransomware trends. They delve into technical details while maintaining accessibility for a general audience, emphasizing practical advice and current developments in the cybersecurity field. The podcast strikes a balance between in-depth analysis and user-friendly content, with a focus on high-quality audio and production.

The Daily Decrypt The Digital Security Collective

    • News

    Russian AI Disinformation, Microsoft Email DDoS AT&T, IoT EU Device Regulations

    In today's episode, we delve into the findings of a recent investigation conducted by Insikt Group on an influence network known as CopyCop, likely operated from Russia and aligned with the Russian government. This network extensively employs generative AI to create and disseminate political content aimed at specific audiences, focusing on divisive issues and undermining Western governments. The episode also highlights the challenges posed by CopyCop's AI-generated disinformation content and the broader implications on election defense strategies and the risks posed to media organizations. Check out the detailed technical analysis and insightful recommendations shared in the episode links: Recorded Future Analysis, AT&T Microsoft 365 Delay, and IoT Device Security Regulations.

    00:00 Intro
    01:02 Unveiling CopyCop: Russia's AI-Driven Disinformation Campaign
    03:43 The Spam Wave: AT&T and Microsoft 365's Email Blockade
    05:51 The IoT Security Challenge: Navigating New Regulations

    Search Phrases:
    AI-generated disinformation threats
    Addressing CopyCop network disinformation
    Protecting content against AI plagiarism
    Impact of Russian-operated networks on disinformation
    AT&T email delivery delay issues
    Microsoft 365 email spam wave
    Gmail service disruption due to spam
    IoT security regulations compliance
    Preventing vulnerabilities in IoT devices
    Exploitation in connected products due to security flaws

    A network operated by the Russian government called CopyCop is using generative AI to plagiarize and disseminate divisive political content targeting Western audiences, raising concerns about AI-generated disinformation and amplification by known Russian-influenced actors in this, the year of our election. How can private media organizations protect their content and reputation against this growing trend?

    AT&T's email servers are currently blocking Microsoft 365 due to a spam wave, causing significant delays in email delivery. Who knew that spam could DDoS your email service?

    And finally, IoT device manufacturers are facing increased pressure to improve security measures in compliance with new regulation standards in order to prevent exploitation and potential dangers stemming from the vulnerabilities in these connected products.

    You're listening to The Daily Decrypt.

    Alright, well, you officially heard it here first, folks. Russia is meddling in our election. I know you all are surprised and you've never heard such an outrageous claim before, but it's true. And now with the use of large language models like OpenAI, they can do a whole lot of damage, particularly in the realm of disinformation and divisive talk, so trying to get us to turn against each other. And they can do this automatically, using code, to grab articles from reputable news sources and repost them by injecting AI-generated content to try to sway the results of the election.

    So coming to you from Recorded Future, CopyCop utilizes generative AI to plagiarize and translate content from mainstream media outlets to create biased narratives, targeting specific audiences in the United States, the UK, and France, focusing on divisive domestic issues and supporting pro-Russian viewpoints. The network is connected to disinformation outlet DC Weekly and Russian state-sponsored influence actors, amplifying content to undermine Western policies and create distrust between these governments.

    The network has expanded to operate a self-hosted video sharing platform and a forum named Exposedum, indicating growing ambitions. AI-generated content with truly human-produced content, making it even harder to spot the fake stuff.

    So there is plenty of purely AI-generated content out there. But that's not the most effective way to spread disinformation. The most effective way to spread disinformation is to take factual articles written by legitimate sources and change them a little bit.

    BogusBazaar Online Retail Scam, $10m for LockBitSup’s Name, Storm-0539 Gift Card Phishing

    In today's episode, a massive fraud ring operating as 'BogusBazaar' managed to deceive over 850,000 people in the US and Europe, stealing credit card information through over 22,500 fake webshops. Meanwhile, the FBI has issued warnings about the financially motivated hacking group Storm-0539 targeting retail companies through sophisticated phishing attacks, aimed at stealing employees' login credentials to generate fraudulent gift cards. Also, the US Department of Justice charged Russian national Dmitry Yuryevich Khoroshev as the alleged leader of the LockBit ransomware group, involved in extorting at least $100 million from over 2,000 victims worldwide. Original URLs for further reference: https://www.bleepingcomputer.com/news/security/massive-webshop-fraud-ring-steals-credit-cards-from-850-000-people/, https://www.bleepingcomputer.com/news/security/fbi-warns-of-gift-card-fraud-ring-targeting-retail-companies/, https://krebsonsecurity.com/2024/05/u-s-charges-russian-man-as-boss-of-lockbit-ransomware-group/

    tags: BogusBazaar, online shops, consumers, webshop fraud

    search phrases:
    online shop scams
    protect from webshop fraud
    verify online shops legitimacy
    avoiding credit card theft
    Storm-0539 hacker group
    phishing attacks prevention
    fraudulent gift cards warning
    defending against hacking group Storm-0539
    Dmitry Yuryevich Khoroshev charges
    LockBit ransomware impact

    May 9

    A sprawling network of over 75,000 fake online shops called Bogus Bazaar has scammed over 850,000 victims in the U.S. and Europe, resulting in the theft of credit card information and the attempted processing of over $50 million in fake orders. How can you, as a consumer, protect yourself against these fake online shops?

    Retail companies in the United States are being targeted by the financially motivated hacker group Storm-0539, who is using advanced social engineering and phishing tactics to infiltrate gift card departments in order to create fraudulent gift cards. It's a tale as old as time, but how can you protect yourself against these social engineering attacks?

    And finally, the FBI wasn't bluffing with WHOISLOCKBITSUP: Dmitry Khoroshev has been charged as the boss of the LockBit ransomware group, extorting over $100 million in ransom from over 2,000 victims, including small businesses, hospitals, and government agencies.

    You're listening to The Daily Decrypt.

    Alright, I don't know about you, but it seems like I can't scroll on any social media for more than two minutes without getting bombarded by ads for online retailers. And a lot of the products they sell look great and are, like, specifically targeted towards me, and I catch myself clicking on them quite often. And the sites that I get redirected to look pretty good. If it was five to ten years ago, I would definitely be buying these products from these sites. But now the internet is flooded with these fake scam sites with products that don't even exist that are just trying to get a hold of your credit card information.

    As a matter of fact, there's a network of over 75,000 fake online shops named Bogus Bazaar that has scammed over 850,000 individuals. These individuals were just like me, except they went through with these purchases, which resulted in them losing their credit card information, as well as placing orders in total of over 50 million dollars.

    Now, the stolen credit card credentials were sold on the dark web, which enables other threat actors to conduct unauthorized online purchases with the compromised card numbers. Now, if you catch it in time, your credit card company will reimburse you, but that does take a lot of monitoring, and maybe they're gonna charge you for a dollar or two dollars and you might not even notice, but across enough credit cards, they're gonna get their money's worth.

    And after looking at the geography area of the victims, which is primarily the United States and Western

    Change Healthcare Ransomware Key Cybersecurity Takeaways, TinyProxy Flaw Exposed, and LockBit Law Enforcement Site Prank

    In today's episode, UnitedHealth CEO Andrew Witty testifies before the Senate Finance Committee about the ransomware attack on Change Healthcare, revealing that legacy tech at Change amplified the attack's impact. Stolen credentials and lack of multifactor authentication allowed attackers to move within Change's systems, leading to the deployment of ransomware. UnitedHealth's response included bringing in multiple incident response firms and cybersecurity experts to aid in recovery efforts. Original URLs: https://www.cybersecuritydive.com/news/unitedhealth-change-attack-tech-takeaways/715200/, https://thehackernews.com/2024/05/critical-tinyproxy-flaw-opens-over.html, https://www.bleepingcomputer.com/news/security/lockbits-seized-site-comes-alive-to-tease-new-police-announcements/

    Tags: UnitedHealth, ransomware, Change Healthcare, technology infrastructure, Tinyproxy, Remote code execution, Security flaw, Cyberattacks, LockBit, Law enforcement, Data leak site

    Search phrases:
    Preventing data breaches in healthcare systems
    Upgrade technology infrastructure in healthcare
    Protecting against ransomware attacks
    Tinyproxy security flaw solutions
    Remote code execution prevention
    Cybersecurity measures for critical security flaws
    LockBit ransomware impact on operations
    Law enforcement actions against ransomware gangs
    Data leak site revelations
    Identifying ransomware operators

    More than 50,000 hosts are at risk of remote code execution due to a critical unpatched flaw in the TinyProxy service. How can users protect their devices from this critical TinyProxy flaw?

    Law enforcement has revived a seized LockBit ransomware data leak site, teasing new announcements to come, including potential revelations about the identity of LockBit's operator. Is law enforcement bluffing, or do they actually have this information?

    And finally, we've got the five key security takeaways from the Change Healthcare ransomware attack, as summarized by Cybersecurity Dive, to include outdated technology, stolen credentials, multifactor and more. You're listening to The Daily Decrypt.

    A critical unpatched security flaw in the TinyProxy service is leaving over 50,000 hosts exposed to remote code execution threats. The vulnerability has a high CVSS score of 9.8 out of 10 and affects versions 1.10 and 1.11. This vulnerability in the TinyProxy service allows attackers to execute malicious code through specially crafted HTTP; an unauthenticated threat actor could exploit this flaw by sending a specific HTTP Connection header, triggering memory corruption that could lead to remote code execution on vulnerable systems.

    Data from Censys shows that approximately 57 percent of the 90,000 publicly accessible hosts are running vulnerable versions, with a significant number of these hosts located in the United States, South Korea, China, France, and Germany. In order to mitigate this risk, it's recommended to upgrade to the most recent version of TinyProxy. And, if at all possible, don't expose your TinyProxy service to the public-facing internet.

    Law enforcement agencies, including the NCA, FBI, and Europol, have resurrected a previously seized LockBit ransomware data leak site, hinting at potential new revelations set to be disclosed today. During Operation Cronos on February 19th, authorities dismantled LockBit's infrastructure, taking down 34 servers hosting the data leak website, cryptocurrency addresses, decryption keys, and the affiliate panel. In response to the disruption, the police repurposed one of the data leak sites into a platform for sharing insights gained during the operation, including details on affiliates, as well as LockBit's deceptive practices regarding stolen data deletion post-ransom payment.

    One of the blog posts is titled, Who is LockBit Sup?, which is a reference to the individual or group of individuals who are running this ransomware organization.
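    The episode's TinyProxy advice is "upgrade, and don't expose it to the internet". The second half of that is a configuration question, so here is an added example (not code from the podcast or from the Tinyproxy project) that audits a tinyproxy.conf for exposure. It reads the three directives that decide who can reach the proxy: Listen (the address the proxy binds; absent means every interface) and Allow/Deny (client addresses permitted to use it; with neither present, every client is accepted). The two sample configs are constructed, not taken from any real host.

```python
"""Audit a tinyproxy.conf for internet exposure.

Added example, not code from the podcast or from the Tinyproxy project. It
encodes the mitigation the episode gives (keep the proxy off the public
internet) as a check over the directives Tinyproxy uses for that: Listen
(which address the proxy binds) and Allow/Deny (which client addresses may
use it). The sample configs at the bottom are constructed.
"""
from __future__ import annotations

import ipaddress
import re

_DIRECTIVE = re.compile(r"^\s*(Listen|Allow|Deny|Port)\s+(\S+)", re.IGNORECASE)


def parse_conf(text: str) -> dict[str, list[str]]:
    """Collect Listen/Allow/Deny/Port values; '#' comments and other directives are ignored."""
    found: dict[str, list[str]] = {"listen": [], "allow": [], "deny": [], "port": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        m = _DIRECTIVE.match(line)
        if m:
            found[m.group(1).lower()].append(m.group(2))
    return found


def _is_private(value: str) -> bool:
    """True for loopback, RFC 1918 or link-local addresses/networks.

    0.0.0.0 (or ::) means "all interfaces" to Tinyproxy, so it is treated as
    public even though Python files it under a private range. Anything that
    does not parse as an address is treated as public, which errs on the
    side of flagging.
    """
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return False
    if net.network_address.is_unspecified:
        return False
    return net.is_private or net.is_loopback or net.is_link_local


def audit(text: str) -> list[str]:
    """Return findings; an empty list means the proxy is bound and ACL'd to private space only."""
    conf = parse_conf(text)
    findings: list[str] = []

    # 1. Bind address: no Listen means every interface, including the public one.
    if not conf["listen"]:
        findings.append("no Listen directive: proxy binds all interfaces")
    elif not all(_is_private(a) for a in conf["listen"]):
        findings.append(f"Listen on non-private address: {conf['listen']}")

    # 2. Client ACL: with no Allow/Deny at all, Tinyproxy accepts any client.
    if not conf["allow"] and not conf["deny"]:
        findings.append("no Allow/Deny directives: any client address is accepted")
    elif any(not _is_private(a) for a in conf["allow"]):
        findings.append(f"Allow covers non-private addresses: {conf['allow']}")

    return findings


# Constructed sample configs, not real deployments.
EXPOSED_CONF = """\
# binds every interface and has no client ACL
Port 8888
"""

HARDENED_CONF = """\
Port 8888
Listen 127.0.0.1      # loopback only
Allow 127.0.0.1
Allow 10.0.0.0/8      # internal clients
"""

if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["ok"])
```

    Run it against the live file with the path your distribution uses (commonly /etc/tinyproxy/tinyproxy.conf); the version itself is checked separately with tinyproxy -v, since the episode does not name the fixed release. A Listen on a private address is only as good as the host's firewall, so treat a clean audit as necessary, not sufficient.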

    Florida Man Sells Counterfeit Cisco Devices to US Military, North Korea’s Spearphishing Scam, Posing as Journalists to push Malware

    In today's episode, we delve into the warning issued by the NSA and FBI regarding the APT43 North Korea-linked hacking group's exploitation of weak email DMARC policies to conduct spearphishing attacks. The podcast also covers a significant counterfeit operation involving fake Cisco gear infiltrating US military bases, creating a $100 million revenue stream. Lastly, we explore how Iranian hackers posing as journalists are utilizing social engineering tactics to distribute backdoor malware, breaching corporate networks and cloud environments. To read more about the topics discussed, visit https://www.bleepingcomputer.com/news/security/nsa-warns-of-north-korean-hackers-exploiting-weak-dmarc-email-policies/, and https://arstechnica.com/information-technology/2024/05/counterfeit-cisco-gear-ended-up-in-us-military-bases-used-in-combat-operations/, and https://www.bleepingcomputer.com/news/security/iranian-hackers-pose-as-journalists-to-push-backdoor-malware/
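    The "weak DMARC policy" the NSA and FBI warn about is concrete: a domain publishing p=none (or nothing at all) tells receiving mail servers to deliver messages that fail SPF/DKIM alignment anyway, which is what lets a spearphisher send mail as that domain. Here is an added example (not code from the podcast or from the advisory) that grades a DMARC record on that basis, covering the three ways a record can still leave a gap: p=none, a subdomain policy (sp) weaker than p, and a pct value below 100. The records it grades are constructed samples, not any real domain's published policy.

```python
"""Grade a DMARC record for spoofability.

Added example, not from the podcast or the NSA/FBI advisory it covers. A
policy of p=none (or no record) asks receivers to deliver mail that fails
SPF/DKIM alignment, so a spearphisher can send as the domain. The records in
SAMPLES are constructed, not any real domain's published policy.
"""
from __future__ import annotations

MISSING, WEAK, PARTIAL, STRONG = "missing", "weak", "partial", "strong"
ENFORCING = ("quarantine", "reject")


def parse_dmarc(txt: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a tag dict (tag names lower-cased)."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt: str | None) -> tuple[str, list[str]]:
    """Return (level, findings).

    missing: no usable record at all
    weak:    p does not enforce, spoofed mail is delivered
    partial: p enforces but subdomains or a pct<100 sample are left open
    strong:  p and sp enforce on 100% of failing mail
    """
    if txt is None:
        return MISSING, ["no _dmarc TXT record published"]
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return MISSING, ["record does not begin with v=DMARC1; receivers ignore it"]

    p = tags.get("p", "missing").lower()
    sp = tags.get("sp", p).lower()        # subdomain policy defaults to p
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0                            # unparsable pct: assume nothing is applied

    findings: list[str] = []
    if p not in ENFORCING:
        findings.append(f"p={p}: mail failing alignment is still delivered")
    if sp not in ENFORCING:
        findings.append(f"sp={sp}: subdomains of the domain can be spoofed")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not show who is spoofing you")

    if p not in ENFORCING:
        level = WEAK
    elif sp not in ENFORCING or pct < 100:
        level = PARTIAL
    else:
        level = STRONG
    return level, findings


# Constructed sample records keyed by the gap each one illustrates.
SAMPLES: dict[str, str | None] = {
    "none-only":   "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "ten-percent": "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.com",
    "subdomains":  "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "enforcing":   "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "absent":      None,
}


def report(samples: dict[str, str | None] = SAMPLES) -> dict[str, str]:
    """Level per sample name, for a quick table of which records leave a gap."""
    return {name: assess_dmarc(rec)[0] for name, rec in samples.items()}


if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        level, findings = assess_dmarc(rec)
        print(f"{name:12} {level:8} {'; '.join(findings)}")
```

    To grade a real domain, feed it the TXT record from dig +short TXT _dmarc.example.com (the quotes dig prints around the value should be stripped first). The grading is deliberately one-sided: it only says whether the published policy permits spoofing, not whether SPF and DKIM are set up well enough that legitimate mail survives a move to p=reject, which is the work that has to come first.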



    00:00 Massive Counterfeit Scam Unveiled: A Decade of Deception
    01:08 Deep Dive into the Counterfeit Cisco Gear Scandal
    04:14 The Art of Social Engineering: A Hacker's Best Tool
    07:05 Protecting Against Cyber Threats: Insights and Recommendations
    08:46 Wrapping Up: Stay Informed and Secure

    Tags: North Korea, APT43, DMARC, spearphishing, hacking, group, email, policies, attacks, intelligence, journalists, academics, organizations, prevent, security, policy, configurations, counterfeit, scam, Florida resident, gear, revenue, networking gear, US military, security, Air Force, Army, Navy, officials, stop, operation, Iranian, APT42, Nicecurl, Tamecat, hackers, backdoor, malware, social engineering, tactics, custom, blend operations, evade detection.

    Search Phrases:
    How to prevent APT43 spearphishing attacks
    Counterfeit scam Florida military security risk
    Actions to stop massive counterfeit operation
    Iranian hackers impersonating journalists
    APT42 malware tactics
    Nicecurl and Tamecat backdoor malware
    Techniques to breach corporate networks and cloud environments
    Evading detection in cyber attacks
    North Korea hacking group APT43
    US military response to counterfeit gear scam

    May 6

    A Florida man was just sentenced to six and a half years in prison for running a massive counterfeit scam that ran from 2013 to 2022, where he sold fake Cisco networking gear to the US military. This resulted in over $100 million of revenue for this man while also putting our US military operations at risk. How did he get away with this for so long?

    Iranian hackers are impersonating journalists to distribute backdoor malware known as APT42 in order to harvest both personal and corporate credentials in an attempt to infiltrate corporations at large. What social engineering tactics are they using to help blend in with normal operations and evade detection?

    And speaking of impersonating journalists, a North Korean hacking group is exploiting DMARC policies to conduct spear phishing attacks aimed at collecting sensitive intelligence, while impersonating journalists and academics to do so. What actions can organizations take to prevent these spear phishing attacks? You're listening to The Daily Decrypt.

    So just last week on Thursday, a Florida man named Onur Aksoy, who is also known by Ron Axoy and Dave Durden, which sounds almost like a Fight Club reference to me, was sentenced to 78 months, or six and a half years, for orchestrating a counterfeit scheme that generated over $100 million in revenue, all by selling fake Chinese Cisco networking gear to the US military. This clearly would pose a significant risk to the US military's security, because it was utilized in critical applications, including combat operations and classified information systems.

    This man, who I'm going to refer to as Dave Durden because I like alliteration and I like Fight Club, has been partaking in this counterfeit operation s

    Cuttlefish Catches Cloud Credentials, Call Center Crackdown, Dirty Stream Android Malware

    In today's episode, Microsoft reveals the "Dirty Stream" attack impacting Android apps, recognizing vulnerabilities in apps with over four billion installations like Xiaomi's File Manager and WPS Office. Meanwhile, a new SOHO router malware named Cuttlefish targets cloud accounts and enterprise resources, allowing criminals to steal credentials and establish persistent access to cloud ecosystems. Law enforcement shuts down 12 fraudulent call centers in Albania, Bosnia and Herzegovina, Kosovo, and Lebanon, arresting 21 suspects and preventing thousands of scam calls. Find more information using these URLs: https://www.bleepingcomputer.com/news/security/microsoft-warns-of-dirty-stream-attack-impacting-android-apps/, https://www.helpnetsecurity.com/2024/05/02/cuttlefish-soho-routers/, https://www.bleepingcomputer.com/news/security/police-shuts-down-12-fraud-call-centres-arrests-21-suspects/
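    The Dirty Stream bug is a file-name trust problem: the receiving app asks the sending app's content provider for the file's display name and writes the incoming stream into its own files directory under that name, so a malicious provider that answers with a name like ../shared_prefs/creds.xml gets its bytes written outside that directory. The added example below (not code from the podcast or from Microsoft's write-up) shows the vulnerable join next to two fixes: refusing any name that is not a plain file name inside the target directory, and ignoring the remote name altogether. It is written in Python on constructed provider responses so that it runs anywhere; in Android code the containment check is the same comparison made on File.getCanonicalPath() of the target. The app package name is hypothetical.

```python
"""The file-name trust bug behind "Dirty Stream", and two fixes.

Added example, not code from the podcast or from Microsoft's write-up. In the
affected pattern an Android app receives a content:// URI from another app,
asks that app's content provider for the file's display name, and writes the
stream into its own files directory under that name. A malicious provider
returns '../shared_prefs/creds.xml' and the write lands outside the files
directory. Shown here in Python on constructed names; the package name is
hypothetical.
"""
from __future__ import annotations

import posixpath
import secrets

APP_FILES_DIR = "/data/data/com.example.victim/files"   # hypothetical app


def vulnerable_target(display_name: str, base: str = APP_FILES_DIR) -> str:
    """What the affected apps did: join the provider-supplied name onto the files dir as-is."""
    return posixpath.join(base, display_name)


def resolve_in_dir(base: str, name: str) -> str | None:
    """Lexically resolve name under base; None if the result is base itself or escapes it.

    posixpath.join discards base when name is absolute, and normpath collapses
    '..', so both absolute and traversal names end up outside base here and
    are caught by the prefix test. (Symlinks are not resolved; on device,
    canonicalize the real path before comparing.)
    """
    base_n = posixpath.normpath(base)
    target = posixpath.normpath(posixpath.join(base_n, name))
    if target == base_n or not target.startswith(base_n + "/"):
        return None
    return target


def hardened_target(display_name: str, base: str = APP_FILES_DIR) -> str:
    """Fix 1: keep the caller's name, but only if it is a plain file name that stays inside base."""
    if (not display_name or "/" in display_name or "\x00" in display_name
            or display_name in (".", "..")):
        raise ValueError(f"rejected provider-supplied name: {display_name!r}")
    target = resolve_in_dir(base, display_name)
    if target is None:
        raise ValueError(f"name escapes {base}: {display_name!r}")
    return target


def random_target(suffix: str = "", base: str = APP_FILES_DIR) -> str:
    """Fix 2: ignore the remote name entirely and generate one; nothing the sender controls reaches the path."""
    return posixpath.join(base, secrets.token_hex(16) + suffix)


def accepts(display_name: str) -> bool:
    """True if hardened_target would write this name, False if it rejects it."""
    try:
        hardened_target(display_name)
    except ValueError:
        return False
    return True


# Constructed provider responses: the first is honest, the rest are what a malicious app returns.
PROVIDER_NAMES = [
    "invoice.pdf",
    "../shared_prefs/creds.xml",
    "/data/data/com.example.victim/lib/libhook.so",
    "..",
]

if __name__ == "__main__":
    for name in PROVIDER_NAMES:
        written = posixpath.normpath(vulnerable_target(name))
        safe = hardened_target(name) if accepts(name) else "REJECTED"
        print(f"{name!r:48} vulnerable -> {written}")
        print(f"{'':48} hardened   -> {safe}")
```

    The vulnerable path for the second and third names resolves to the app's shared_prefs and lib directories respectively, which is exactly the overwrite the episode describes. Fix 2 is the one to prefer when the name is only needed for display: store the file under a generated name and keep the provider's string as metadata, where it can do no harm.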



    tags: Dirty Stream attack, Microsoft, Android apps, developers, Cuttlefish, malware, SOHO routers, cybercriminals, law enforcement, call centers, fraud, apprehended

    search phrases:
    Preventing Dirty Stream attack in Android apps
    Cuttlefish malware and SOHO routers
    Protect devices from Cuttlefish malware
    Law enforcement crackdown on fraudulent call centers
    Stopping fraudulent calls in Europe
    Cybersecurity measures against malware attacks
    Securing Android apps from malicious attacks
    Preventing data theft in Android applications
    Law enforcement actions against cybercrime
    Measures to apprehend cybercriminals

    May 3

    Law enforcement officials in Europe shut down 12 call centers that were behind thousands of daily scam calls. They apprehended 21 individuals and seized assets of over 1 million euros. How will this affect the amount of spam calls you get on a day-to-day basis?

    The Cuttlefish malware is infiltrating SOHO routers and stealing account credentials for cloud services, creating a potential gateway for cybercriminals into company resources. If you work from home, how can you prevent this malware from expanding throughout your own network?

    And finally, the Dirty Stream attack discovered by Microsoft poses a threat to Android apps by allowing malicious apps to overwrite files in other applications' home directories. How can Android developers prevent this type of attack? You're listening to The Daily Decrypt.

    Law enforcement conducted coordinated raids in Albania, Bosnia, Kosovo, and Lebanon, resulting in the closure of 12 fraudulent call centers responsible for thousands of scam calls each day. German authorities, alongside international counterparts, arrested 21 individuals and seized approximately 1 million euros worth of evidence, including data carriers, documents, and cash.

    This operation was named Operation Pandora, and it targeted a criminal network engaged in various fraudulent activities, but most notably fake police calls, investment fraud, and romance scams. There have been over 28,000 fraudulent calls that have been traced back to the arrested suspects, all within a 48-hour time frame, which just highlights the scale of this criminal enterprise.

    So this whole project started back in December of 2023, when someone came into a bank and attempted to withdraw 100,000 euros. The bank teller was slightly suspicious, so they reported it to the actual police, and it was later discovered that the individual attempting to withdraw that money was involved in a fake police officer scam.

    From there, more than a hundred German investigators got down to work and intercepted and monitored conversations in real time. They secured over 1.3 million conversations and blocked 80 percent of all financial fraud attempts, which they claim could have led to damages of up to 10 million euros.

    So I'm sure we all hate scam calls just as much as I do, but I often forget the motives behind these scam calls are to cheat you out of money, usually. It's b

    CyberSecurity News: Expensive AWS S3 Bucket, No MFA for Change Healthcare, Wpeeper Android Malware uses WordPress

    In today's episode, we discuss how a developer nearly faced a $1,300 bill due to a poorly named AWS S3 storage bucket, attracting unauthorized access (https://arstechnica.com/information-technology/2024/04/aws-s3-storage-bucket-with-unlucky-name-nearly-cost-developer-1300/). We also delve into the repercussions faced by Change Healthcare after a ransomware attack due to compromised credentials and lack of MFA (https://www.cybersecuritydive.com/news/change-healthcare-compromised-credentials-no-mfa/714792/). Lastly, we explore a new Android malware named Wpeeper that utilizes compromised WordPress sites to conceal C2 servers, posing a threat to unsuspecting users (https://thehackernews.com/2024/05/android-malware-wpeeper-uses.html).

    00:00 Intro
    00:55 Change Health Care
    04:10 The High Cost of a Naming Mistake: A Developer's AWS Nightmare
    07:54 Emerging Threats: The Rise of WPeeper Malware

    Tags: AWS, S3, Storage Bucket, Unauthorized Access, Change Healthcare, AlphV, ransomware, cybersecurity, Wpeeper, malware, WordPress, command-and-control

    Search phrases:
    Ransomware group AlphV
    Change Healthcare
    Compromised credentials
    Multifactor authentication
    Ransomware consequences Change Healthcare
    Cybersecurity breach consequences
    Security measures for cybersecurity breach prevention
    Wpeeper malware
    Android device security protection
    Compromised WordPress sites protection

    Change Healthcare's CEO just testified in front of the House Subcommittee that the service they used to deploy remote desktop services did not require multi-factor authentication, which led to one of the most impactful ransomware attacks in recent history.

    In other news, a very unlucky developer, in his personal time, accidentally incurred over $1,300 worth of charges on his AWS account overnight. What was this developer doing, and how did it lead to such high charges in such a short amount of time?

    Wpeeper malware is utilizing compromised WordPress sites to hide its C2 servers, posing a significant threat to Android devices, with the potential to escalate further if undetected. How can users protect their Android devices from falling victim to this malware? You're listening to The Daily Decrypt.

    The CEO of Change Healthcare, which is a subsidiary of UnitedHealthcare that was breached, it's been all over the news, it's all over the news, revealed in written testimony that Change Healthcare was compromised by a ransomware group accessing their systems with stolen credentials. Which we all knew, but the ransomware group used these compromised credentials to remotely access a Citrix portal, which is an application used to enable remote access to desktops. And this portal did not require multi-factor authentication.

    I don't know much about Change Healthcare's inner infrastructure, but any portal that allows remote access to other desktops should be locked down pretty hard. And the fact that just a simple username and password can grant access to all of these different desktops is pretty terrible, and means that this attack could have likely been avoided had they enabled multi-factor authentication.

    So if you're brand new to cybersecurity and you're listening to this podcast for the first time, you need to know that there are a few very easy things you can do to improve your posture online. Step one: don't reuse passwords. One of the easiest ways to do that is to use a password manager and have it generate your passwords for you. Number two: enable multi-factor authentication. That way, if someone does come into your username and password combination, they still have to get through some sort of device-based authentication, like a ping on your cell phone or something like that, to allow them to log into your account.

    Now, in the case of United and Change Healthcare, one thing that they also could have done to help mitigate their negligence in not enabling multi-factor authenticat
