10 episodes

“The Daily Decrypt”, hosted by offsetkeyz and d0gesp4n, offers an insightful and approachable take on cybersecurity. Their discussions cover a range of topics, from specific software vulnerabilities to broader issues like mobile security and ransomware trends. They delve into technical details while maintaining accessibility for a general audience, emphasizing practical advice and current developments in the cybersecurity field. The podcast strikes a balance between in-depth analysis and user-friendly content, with a focus on high-quality audio and production.

The Daily Decrypt The Digital Security Collective

    • News
    • 5.0 • 6 Ratings


    Change Healthcare Ransomware Key Cybersecurity Takeaways, TinyProxy Flaw Exposed, and LockBit Law Enforcement Site Prank

    In today's episode, UnitedHealth CEO Andrew Witty testifies before the Senate Finance Committee about the ransomware attack on Change Healthcare, revealing that legacy tech at Change amplified the attack's impact. Stolen credentials and lack of multifactor authentication allowed attackers to move within Change's systems, leading to the deployment of ransomware. UnitedHealth's response included bringing in multiple incident response firms and cybersecurity experts to aid in recovery efforts. Original URLs: https://www.cybersecuritydive.com/news/unitedhealth-change-attack-tech-takeaways/715200/, https://thehackernews.com/2024/05/critical-tinyproxy-flaw-opens-over.html, https://www.bleepingcomputer.com/news/security/lockbits-seized-site-comes-alive-to-tease-new-police-announcements/



    Tags: UnitedHealth, ransomware, Change Healthcare, technology infrastructure, Tinyproxy, Remote code execution, Security flaw, Cyberattacks, LockBit, Law enforcement, Data leak site



    Search phrases:




    Preventing data breaches in healthcare systems



    Upgrade technology infrastructure in healthcare



    Protecting against ransomware attacks



    Tinyproxy security flaw solutions



    Remote code execution prevention



    Cybersecurity measures for critical security flaws



    LockBit ransomware impact on operations



    Law enforcement actions against ransomware gangs



    Data leak site revelations



    Identifying ransomware operators




    More than 50,000 hosts are at risk of remote code execution due to a critical unpatched flaw in the TinyProxy service.



    How can users protect their devices from this critical Tinyproxy flaw?



    Law enforcement has revived a seized LockBit ransomware data leak site, teasing new announcements to come including potential revelations about the identity of LockBit's operator.



    Is law enforcement bluffing or do they actually have this information?



    And finally, we've got the five key security takeaways from the Change Healthcare Ransomware Attack, as summarized by Cybersecurity Dive, to include outdated technology, stolen credentials, multifactor and more. You're listening to The Daily Decrypt.



    A critical unpatched security flaw in the TinyProxy service is leaving over 50,000 hosts exposed to remote code execution threats. The vulnerability has a high CVSS score of 9.8 out of 10 and affects versions 1.10 and 1.11.



    This vulnerability in the TinyProxy service allows attackers to execute malicious code through specially crafted HTTP



    An unauthenticated threat actor could exploit this flaw by sending a specific HTTP Connection header, triggering memory corruption that could lead to remote code execution on vulnerable systems.



    Data from Censys shows that approximately 57 percent of the 90,000 publicly accessible hosts are running vulnerable versions, with a significant number of these hosts located in the United States, South Korea, China, France, and Germany.



    In order to mitigate this risk, it's recommended to upgrade to the most recent version of Tinyproxy. And, if at all possible, don't expose your Tinyproxy service to the public-facing internet.



    Law enforcement agencies, including the NCA, FBI, and Europol, have resurrected a previously seized LockBit ransomware data leak site, hinting at potential new revelations set to be disclosed today.



    During Operation Cronos on February 19th, authorities dismantled LockBit's infrastructure, taking down 34 servers hosting the data leak website, cryptocurrency addresses, decryption keys, and the affiliate panel. In response to the disruption, the police repurposed one of the data leak sites into a platform for sharing insights gained during the operation, including details on affiliates, as well as LockBit's deceptive practices regarding stolen data deletion post ransom payment.



    One of the blog posts is titled, Who is LockBitSupp?, which is a reference to the individual or group of individuals who are running this ransomware organization.

    Florida Man Sells Counterfeit Cisco Devices to US Military, North Korea’s Spearphishing Scam, Posing as Journalists to push Malware

    In today's episode, we delve into the warning issued by the NSA and FBI regarding the APT43 North Korea-linked hacking group's exploitation of weak email DMARC policies to conduct spearphishing attacks. The podcast also covers a significant counterfeit operation involving fake Cisco gear infiltrating US military bases, creating a $100 million revenue stream. Lastly, we explore how Iranian hackers posing as journalists are utilizing social engineering tactics to distribute backdoor malware, breaching corporate networks and cloud environments. To read more about the topics discussed, visit https://www.bleepingcomputer.com/news/security/nsa-warns-of-north-korean-hackers-exploiting-weak-dmarc-email-policies/, and https://arstechnica.com/information-technology/2024/05/counterfeit-cisco-gear-ended-up-in-us-military-bases-used-in-combat-operations/, and https://www.bleepingcomputer.com/news/security/iranian-hackers-pose-as-journalists-to-push-backdoor-malware/



    00:00 Massive Counterfeit Scam Unveiled: A Decade of Deception



    01:08 Deep Dive into the Counterfeit Cisco Gear Scandal



    04:14 The Art of Social Engineering: A Hacker's Best Tool



    07:05 Protecting Against Cyber Threats: Insights and Recommendations



    08:46 Wrapping Up: Stay Informed and Secure



    Tags: North Korea, APT43, DMARC, spearphishing, hacking, group, email, policies, attacks, intelligence, journalists, academics, organizations, prevent, security, policy, configurations, counterfeit, scam, Florida resident, gear, revenue, networking gear, US military, security, Air Force, Army, Navy, officials, stop, operation, Iranian, APT42, Nicecurl, Tamecat, hackers, backdoor, malware, social engineering, tactics, custom, blend operations, evade detection.



    Search Phrases:




    How to prevent APT43 spearphishing attacks



    Counterfeit scam Florida military security risk



    Actions to stop massive counterfeit operation



    Iranian hackers impersonating journalists



    APT42 malware tactics



    Nicecurl and Tamecat backdoor malware



    Techniques to breach corporate networks and cloud environments



    Evading detection in cyber attacks



    North Korea hacking group APT43



    US military response to counterfeit gear scam




    May 6



    A Florida man was just sentenced to six and a half years in prison for running a massive counterfeit scam that ran from 2013 to 2022 where he sold fake Cisco networking gear to the US military. This resulted in over $100 million of revenue for this man while also putting our US military operations at risk. How did he get away with this for so long?



    Iranian hackers are impersonating journalists to distribute backdoor malware known as APT42



    in order to harvest both personal and corporate credentials



    in an attempt to infiltrate corporations at large.



    What social engineering tactics are they using



    to help blend in with normal operations and evade detection?



    And speaking of impersonating journalists,



    a North Korean hacking group is exploiting DMARC policies to conduct spear phishing attacks aimed at collecting sensitive intelligence, while impersonating journalists and academics to do so. What actions can organizations take to prevent these spear phishing attacks? You're listening to The Daily Decrypt.



    So just last week on Thursday, a Florida man named Onur Aksoy, who is also known by Ron Aksoy and Dave Durden, which sounds almost like a Fight Club reference to me, was sentenced to 78 months, or 6 and a half years, for orchestrating a counterfeit scheme that generated over $100 million in revenue,



    all by selling fake Chinese Cisco networking gear to the US military. This clearly would pose a significant risk to the US military's security.



    Because it was utilized in critical applications, including combat operations and classified information systems.



    This man, who I'm going to refer to as Dave Durden because I like alliteration and I like Fight Club,



    has been partaking in this counterfeit operation s
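
Editor's added example, not code from The Daily Decrypt or from the NSA/FBI advisory the episode above covers: the episode says APT43 exploits weak DMARC policies, so the check an organization wants is whether its own _dmarc TXT record actually tells receivers to quarantine or reject mail that fails SPF/DKIM alignment. The script below parses a DMARC record and flags the settings that leave spoofing possible: p=none, a missing or malformed record, pct below 100, sp=none on subdomains, and no rua= reporting address. The sample records and domain names are constructed for the example; feed it the result of a real TXT lookup of _dmarc.<your-domain> to use it.

```python
"""Evaluate a DMARC TXT record for the weak settings that let a spoofed
From: header through.

Added example, not code from The Daily Decrypt or the NSA/FBI advisory.
The records in SAMPLE_RECORDS are constructed for illustration; replace
them with the output of a real TXT lookup of _dmarc.<domain>.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DmarcVerdict:
    policy: Optional[str]          # value of p= as published, lowercased
    weak: bool                     # True if spoofed mail can still be delivered
    findings: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a tag->value dict.
    Tag names are case-insensitive (RFC 7489); values are kept as written."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record: Optional[str]) -> DmarcVerdict:
    """Return a verdict; 'weak' means receivers are not told to reject or
    quarantine mail that fails alignment, or are told to for only part of it."""
    if record is None:
        return DmarcVerdict(None, True, ["no _dmarc TXT record published"])
    tags = parse_dmarc(record)
    findings: List[str] = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("missing or malformed v=DMARC1 tag; receivers ignore the record")
        return DmarcVerdict(None, True, findings)
    policy = tags.get("p", "").lower() or None
    if policy is None:
        findings.append("no p= tag; record is invalid and treated as no policy")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unknown policy value p={policy}")
    # pct= applies the policy to only a fraction of failing mail
    pct = tags.get("pct")
    if pct is not None and policy in ("quarantine", "reject"):
        if not pct.isdigit() or int(pct) < 100:
            findings.append(f"pct={pct} leaves some failing mail unenforced")
    # sp= can silently weaken enforcement for subdomains
    if tags.get("sp", "").lower() == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= reporting address; you will not see who is spoofing you")
    weak = policy not in ("quarantine", "reject") or any(
        f.startswith(("pct=", "sp=none")) for f in findings)
    return DmarcVerdict(policy, weak, findings)


# Constructed sample records (not any real domain's record)
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
    "subdomain-hole.example": "v=DMARC1; p=reject; sp=none",
    "hardened.example": "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example",
    "missing.example": None,
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        verdict = evaluate_dmarc(record)
        print(f"{domain}: p={verdict.policy} weak={verdict.weak}")
        for finding in verdict.findings:
            print("   -", finding)
```

Running the file prints a verdict per constructed domain; only hardened.example comes back with weak=False. The pct= and sp= checks are there because a record can read p=reject and still leave a gap that a phishing operator posing as a journalist will find.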

    Cuttlefish Catches Cloud Credentials, Call Center Crackdown, Dirty Stream Android Malware

    In today's episode, Microsoft reveals the "Dirty Stream" attack impacting Android apps, recognizing vulnerabilities in apps with over four billion installations like Xiaomi's File Manager and WPS Office. Meanwhile, a new SOHO router malware named Cuttlefish targets cloud accounts and enterprise resources, allowing criminals to steal credentials and establish persistent access to cloud ecosystems. Law enforcement shuts down 12 fraudulent call centers in Albania, Bosnia and Herzegovina, Kosovo, and Lebanon, arresting 21 suspects and preventing thousands of scam calls. Find more information using these URLs: https://www.bleepingcomputer.com/news/security/microsoft-warns-of-dirty-stream-attack-impacting-android-apps/, https://www.helpnetsecurity.com/2024/05/02/cuttlefish-soho-routers/, https://www.bleepingcomputer.com/news/security/police-shuts-down-12-fraud-call-centres-arrests-21-suspects/



    tags: Dirty Stream attack, Microsoft, Android apps, developers, Cuttlefish, malware, SOHO routers, cybercriminals, law enforcement, call centers, fraud, apprehended



    search phrases:




    Preventing Dirty Stream attack in Android apps



    Cuttlefish malware and SOHO routers



    Protect devices from Cuttlefish malware



    Law enforcement crackdown on fraudulent call centers



    Stopping fraudulent calls in Europe



    Cybersecurity measures against malware attacks



    Securing Android apps from malicious attacks



    Preventing data theft in Android applications



    Law enforcement actions against cybercrime



    Measures to apprehend cybercriminals




    May 3



    Law enforcement officials in Europe



    shut down 12 call centers that were behind thousands of daily scam calls. They apprehended 21 individuals and seized assets of over 1 million euros.



    How will this affect the amount of spam calls you get on a day to day basis?



    The Cuttlefish Malware is infiltrating SOHO routers and stealing account credentials for cloud services.



    Creating a potential gateway for cybercriminals into company resources.



    If you work from home, how can you prevent this malware from expanding throughout your own network?



    And finally, the dirty stream attack discovered by Microsoft poses a threat to Android apps by allowing malicious apps to overwrite files in other applications home directories.



    How can Android developers



    prevent this type of attack? You're listening to The Daily Decrypt.



    Law enforcement conducted coordinated raids in Albania, Bosnia,



    Kosovo, and Lebanon, resulting in the closure of 12 fraudulent call centers responsible for thousands of scam calls each day.



    German authorities, alongside international counterparts, arrested 21 individuals and seized approximately 1 million euros worth of evidence, including data carriers, documents, and cash.



    This operation was named Operation Pandora, and it targeted a criminal network engaged in various fraudulent activities,



    but most notably fake police calls, investment fraud, and romance scams.



    There have been over 28,000 fraudulent calls that have been traced back to the arrested suspects, all within a 48 hour time frame, which just highlights the scale of this criminal enterprise.



    So this whole project started back in December of 2023



    when someone came into a bank and attempted to withdraw 100,000 euros. The bank teller was slightly suspicious, so they reported it to the actual police,



    and it was later discovered that the individual attempting to withdraw that money was involved in a fake police officer scam.



    From there, more than a hundred German investigators



    got down to work and intercepted and monitored conversations in real time. They secured over 1.3 million conversations and blocked 80 percent of all financial fraud attempts,



    which they claim could have led to damages of up to 10 million euros.



    So I'm sure we all hate scam calls just as much as I do, but I often forget the motives behind these scam calls are to cheat you out of money, usually. It's b
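
Editor's added example, not the hosts' code and not Microsoft's: Microsoft's Dirty Stream write-up describes the bug as path traversal. The sending app controls the display name of a file it shares, and the receiving app joins that name onto its own private directory before writing, so a name like ../shared_prefs/settings.xml overwrites the receiver's own files. The answer to the question the episode raises (how developers prevent it) is to never trust the supplied name and to prove the final path is still inside the intended directory before writing. The check is shown in Python for illustration; an Android app does the same thing in Kotlin or Java with File.getCanonicalPath(). The directory and file names below are constructed.

```python
"""Containment check for a filename received from another app.

Added example, not from The Daily Decrypt or Microsoft's Dirty Stream
write-up.  Shows, in Python, the validation a receiving app must apply to
an attacker-controlled display name before using it as a path.  The
directory and file names are constructed for the example.
"""
import unicodedata
from pathlib import Path


class UnsafeFilename(ValueError):
    """Raised when a supplied name cannot be safely used inside base_dir."""


def safe_destination(base_dir: str, untrusted_name: str) -> Path:
    """Return base_dir/<name> only after proving the result stays inside base_dir.

    Rejects empty names, NUL bytes, path separators and dot-segments outright,
    then confirms the resolved path is still beneath base_dir.  The second
    check is the authoritative one: it also catches what a denylist misses,
    such as a symlink planted in base_dir that points elsewhere."""
    if not untrusted_name or "\x00" in untrusted_name:
        raise UnsafeFilename("empty name or embedded NUL")
    name = unicodedata.normalize("NFC", untrusted_name)
    # a display name must be exactly one path component
    if name in (".", "..") or "/" in name or "\\" in name:
        raise UnsafeFilename(f"path separator or dot-segment in {untrusted_name!r}")
    base = Path(base_dir).resolve()
    candidate = (base / name).resolve()
    if base not in candidate.parents:
        raise UnsafeFilename(f"{untrusted_name!r} resolves outside {base}")
    return candidate


def receive_file(base_dir: str, untrusted_name: str, data: bytes) -> Path:
    """Write shared bytes to disk only at a vetted destination."""
    dest = safe_destination(base_dir, untrusted_name)
    dest.write_bytes(data)
    return dest


def is_accepted(base_dir: str, untrusted_name: str) -> bool:
    """Convenience wrapper: True if the name would be written, False if rejected."""
    try:
        safe_destination(base_dir, untrusted_name)
        return True
    except UnsafeFilename:
        return False


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as app_files:
        # constructed names: one benign, two in the traversal shape Dirty Stream uses
        for name in ("report.pdf", "../shared_prefs/settings.xml", "../../lib/libhelper.so"):
            state = "accepted" if is_accepted(app_files, name) else "REJECTED"
            print(f"{name!r}: {state}")
```

The denylist alone would be enough for the names shown, but the resolve-and-compare step is what makes the function safe against inputs nobody thought to list, which is why it comes last and is the one that decides.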

    CyberSecurity News: Expensive AWS S3 Bucket, No MFA for Change Healthcare, Wpeeper Android Malware uses WordPress

    In today's episode, we discuss how a developer nearly faced a $1,300 bill due to a poorly named AWS S3 storage bucket, attracting unauthorized access (https://arstechnica.com/information-technology/2024/04/aws-s3-storage-bucket-with-unlucky-name-nearly-cost-developer-1300/). We also delve into the repercussions faced by Change Healthcare after a ransomware attack due to compromised credentials and lack of MFA (https://www.cybersecuritydive.com/news/change-healthcare-compromised-credentials-no-mfa/714792/). Lastly, we explore a new Android malware named Wpeeper that utilizes compromised WordPress sites to conceal C2 servers, posing a threat to unsuspecting users (https://thehackernews.com/2024/05/android-malware-wpeeper-uses.html).



    00:00 Intro



    00:55 Change Health Care



    04:10 The High Cost of a Naming Mistake: A Developer's AWS Nightmare



    07:54 Emerging Threats: The Rise of WPeeper Malware







    Tags: AWS, S3, Storage Bucket, Unauthorized Access, Change Healthcare, AlphV, ransomware, cybersecurity, Wpeeper, malware, WordPress, command-and-control



    Search phrases: 1. Ransomware group AlphV 2. Change Healthcare 3. Compromised credentials 4. Multifactor authentication 5. Ransomware consequences Change Healthcare 6. Cybersecurity breach consequences 7. Security measures for cybersecurity breach prevention 8. Wpeeper malware 9. Android device security protection 10. Compromised WordPress sites protection



    Change Healthcare's CEO just testified in front of the House Subcommittee that the service they used to deploy remote desktop services did not require multifactor authentication, which led to one of the most impactful ransomware attacks in recent history.



    In other news, a very unlucky



    developer in his personal time accidentally incurred over $1,300 worth of charges on his AWS account overnight. What was this developer doing and how did it lead to such high charges in such a short amount of time?



    Wpeeper Malware is utilizing compromised WordPress sites to hide its C2 servers, posing a significant threat to Android devices, with the potential to escalate further if undetected.



    How can users protect their Android devices from falling victim to this malware? You're listening to The Daily Decrypt.



    The CEO of Change Healthcare, which is a subsidiary of UnitedHealthcare that was breached, it's been all over the news, it's all over the news, revealed in written testimony that Change Healthcare was compromised by a ransomware group accessing their systems with stolen credentials. Which we all knew, but the ransomware group used these compromised credentials to remotely access a Citrix portal,



    which is an application used to enable remote access to desktops.



    And this portal did not require multifactor authentication.



    I don't know much about Change Healthcare's inner infrastructure, but any portal that allows remote access to other desktops should be locked down pretty hard.



    And the fact that just a simple username and password can grant access to all of these different desktops is pretty terrible.



    And means that this attack could have likely been avoided had they enabled multifactor authentication.



    So if you're brand new to cybersecurity and you're listening to this podcast for the first time,



    you need to know that there are a few very easy things you can do to improve your posture online. Step one, don't reuse passwords. One of the easiest ways to do that is to use a password manager and have it generate your passwords for you. Number two, enable multifactor authentication. That way, if someone does come into your username and password combination, they still have to get through some sort of device-based authentication, like a ping on your cell phone or something like that, to allow them to log into your account.



    Now, in the case of United and Change Healthcare, one thing that they also could have done To help mitigate their negligence in not enabling multi factor authenticat
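
Editor's added example, not from the hosts and not tied to any real Citrix log format: the episode's point is that a remote-access portal accepted a username and password alone. Before a stolen credential is used, the audit to run is "which successful logins to our remote-access apps completed without a second factor". The script below does that over JSON-lines authentication events. The event format and field names (app, user, result, factors, src_ip) are assumptions for this example and the log lines are constructed, so map them onto whatever your identity provider or gateway actually emits.

```python
"""Flag successful remote-access logins that completed with a password alone.

Added example, not The Daily Decrypt's code.  The events in SAMPLE_LOG are
constructed, and the field names (ts, app, user, result, factors, src_ip)
are assumptions for the illustration, not any vendor's schema.
"""
import json
from collections import Counter
from typing import Dict, Iterable, List

# constructed sample events, one JSON object per authentication attempt,
# plus one deliberately malformed line to show the parser tolerating it
SAMPLE_LOG = """
{"ts": "2024-02-12T03:14:07Z", "app": "remote-desktop-portal", "user": "jdoe", "result": "success", "factors": ["password", "push"], "src_ip": "203.0.113.5"}
{"ts": "2024-02-12T03:15:22Z", "app": "remote-desktop-portal", "user": "svc_backup", "result": "success", "factors": ["password"], "src_ip": "198.51.100.23"}
{"ts": "2024-02-12T03:16:01Z", "app": "remote-desktop-portal", "user": "asmith", "result": "failure", "factors": ["password"], "src_ip": "198.51.100.23"}
{"ts": "2024-02-12T03:16:40Z", "app": "remote-desktop-portal", "user": "asmith", "result": "success", "factors": ["password"], "src_ip": "198.51.100.23"}
{"ts": "2024-02-12T03:17:11Z", "app": "intranet-wiki", "user": "bkim", "result": "success", "factors": ["password"], "src_ip": "10.0.4.9"}
not json at all
"""

# factor types counted as a genuine second factor; "password" alone never is
STRONG_FACTORS = {"push", "totp", "fido2", "smartcard", "hardware_token"}
# apps whose logins must always carry a second factor (assumed names)
REMOTE_ACCESS_APPS = {"remote-desktop-portal"}


def parse_events(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON lines, skipping blanks and malformed entries instead of aborting."""
    events: List[Dict] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def password_only_logins(events: List[Dict]) -> List[Dict]:
    """Successful logins to a remote-access app where no strong factor was used."""
    flagged = []
    for event in events:
        if event.get("app") not in REMOTE_ACCESS_APPS:
            continue
        if event.get("result") != "success":
            continue
        factors = set(event.get("factors", []))
        if not factors & STRONG_FACTORS:
            flagged.append(event)
    return flagged


def summarize(flagged: List[Dict]) -> Dict[str, int]:
    """Count password-only logins per user so the noisiest accounts surface first."""
    return dict(Counter(event["user"] for event in flagged))


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG.splitlines())
    flagged = password_only_logins(events)
    for event in flagged:
        print(f"{event['ts']} {event['user']} from {event['src_ip']}: password only")
    print(summarize(flagged))
```

On the constructed data, jdoe is not flagged because a push factor was present, the intranet-wiki login is ignored because it is not a remote-access app, and asmith's failed attempt is skipped so only completed logins count. Service accounts like svc_backup showing up here are exactly the ones a stolen-credential attacker goes after, since they rarely have a phone to ping.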

    Dating App Verification Scam, China’s DNS Reconnaissance, and Google’s Play Store Security Overhaul

    In today's episode, we dive into the sophisticated DNS activities of the China-linked threat actor known as Muddling Meerkat, who manipulates internet traffic and abuses DNS open resolvers. This cyber espionage endeavor has global implications, as explained by Infoblox in an article at The Hacker News (https://thehackernews.com/2024/04/china-linked-muddling-meerkat-hijacks.html). Also, we discuss the FBI's warning about fake verification schemes targeting dating app users, uncovering the scam processes and providing tips to safeguard against such fraudulent activities, as detailed in the BleepingComputer article (https://www.bleepingcomputer.com/news/security/fbi-warns-of-fake-verification-schemes-targeting-dating-app-users/). Lastly, we explore Google's efforts to enhance mobile security by preventing over 2 million malicious apps from entering the Play Store, highlighting their proactive measures and collaborations to safeguard user privacy. Read more about this at The Hacker News (https://thehackernews.com/2024/04/google-prevented-228-million-malicious.html).



    00:00 Introduction



    02:36 Dating App Scams



    04:12 Google's Security Enhancements



    06:47 Muddling Meerkat's DNS Manipulation



    Generate single use credit card numbers: https://app.privacy.com/join/GL3U7



    Tags: Muddling Meerkat, DNS activities, reconnaissance, China, fake verification schemes, dating app users, FBI warning, fraudsters, Google, Play Store, security, review process



    Search Phrases:




    Muddling Meerkat DNS activities



    China Muddling Meerkat reconnaissance



    Fake verification schemes dating apps



    FBI warning fraudsters



    Protect from fake verification schemes



    Unauthorized credit card charges prevention



    Google Play Store security measures



    Prevent sensitive data access



    Google app review process



    Infiltration prevention in Play Store




    Apr 30



    The FBI is warning that dating app users are being targeted by fake verification scams that are leading to costly recurring subscription charges, as well as theft and misuse of personal information.



    How can users protect themselves while using dating apps?



    Google blocked over 2 million policy violating apps



    from the Play Store in 2023, in a proactive security measure that also saw over 790,000 apps guarded against sensitive data access.



    How has Google improved its security features and review process to prevent these malicious apps from infiltrating the Play Store?



    And finally, a China-linked threat actor named Muddling Meerkat has been caught manipulating DNS activities globally to evade security measures. They've been conducting reconnaissance since 2019. What are these unique DNS activities that Muddling Meerkat is undertaking, and what is their end goal?



    You're listening to The Daily Decrypt.



    So the FBI is warning of a new scam that's targeting dating app users,



    which can lead to fraudulent recurring subscription charges and even identity theft.



    So basically, the scammers will develop a romantic connection with you on the dating app of your choice, whether that's Tinder or Bumble or Hinge or whatever you choose, then they're going to ask to move this conversation to a safer platform to verify that you are in fact a human. Well, we're all on dating apps to try to find someone, so of course I'm going to verify that I'm human.



    It's a valid request.



    Well, the only way to verify that you're human now is to provide a credit card number and some information. Can't do anything without that.



    And that's where they're going to get you. This is going to lead to maybe small, maybe large, but seemingly anonymous charges on your credit card bill. And if you're not paying close attention to that, you might miss them.



    So this attack, at its core, is not very complex, but it is remarkably effective, because remember, there are a few different situations that



    we put ourselves in where we're a little more desperate and a little le

    Severe WordPress Vulnerability, Fake Job Interviews for Developers, Security Awareness Gift Cards for the Elderly

    Protect your website from a severe vulnerability in the WordPress Automatic plugin and prevent potential site takeovers. Discover a sneaky campaign using fake job interviews to distribute malware to software developers, and explore how Japanese police use fake payment cards to safeguard the elderly from online frauds.



    URLs:




    arstechnica.com/security/2024/04/hackers-make-millions-of-attempts-to-exploit-wordpress-plugin-vulnerability



    bleepingcomputer.com/news/security/fake-job-interviews-target-developers-with-new-python-backdoor



    bleepingcomputer.com/news/security/japanese-police-create-fake-support-scam-payment-cards-to-warn-victims




    Thanks to Jered Jones for providing the music for this episode. https://www.jeredjones.com/



    Logo Design by https://www.zackgraber.com/



    Tags:
    WordPress, Hackers, Vulnerability, Automatic, Dev Popper, Python RAT, Software Developers, Fukui Police Department, Fake Payment Cards, Online Fraud



    Search Phrases:
    WordPress Automatic vulnerability prevention, North Korean Dev Popper tactic explanation, Protect software developers from Python RAT, Fukui Police Department fake payment cards usage, Tech support scam prevention methods, WordPress security measures against hackers, Identify and avoid Python RAT installation, Elderly fraud prevention with fake payment cards, Preventing online fraud with dummy payment cards, Japanese police anti-scam tactics through payment cards



    Transcript:



    Apr 29






    A police department in Japan is placing fake payment cards in convenience stores to help protect the elderly from falling victim to tech support scams.



    If you're a software developer and you're looking for a job, then congratulations, you're the target of a new North Korean scam called DevPopper. Which uses fake job interviews to deceive software engineers into installing a Python remote access trojan.



    What are some signs you can look out for when applying for jobs?



    There's a new vulnerability in a WordPress plugin called WordPress Automatic that could allow for complete site takeover.



    How can WordPress admins make sure that their sites are safe?



    You're listening to The Daily Decrypt



    It is unfortunate, but the elderly are a huge target for scams online.



    And we don't necessarily need to get into the reasons for this, but attackers know this, and they tend to target the elderly a little bit more than the average user,



    and one of the ways attackers get money is by asking their victims to go buy iTunes gift cards or another type of gift card as a form of payment. Some of the most common scams involve scammers offering to remove Trojans from the victim's computer.



    Or, they'd tell the victim that they have a late fee on one of their accounts and they need to pay it in the form of a gift card. So what this police department in Japan is doing is that they've created things that look like gift cards, but with the titles



    "Virus or malware removal payment card" or



    "Unpaid bill or late fee payment card", and they're sitting right next to Apple iTunes gift cards. You've got Home Depot, whatever; that little gift card section in the convenience stores has these as well.



    In the hopes that if an elderly person is being targeted for one of these scams, they'll grab this gift card and go cash out with it. Now, convenience stores who have these gift cards, the



    employees understand their purpose and have been instructed to have a conversation with whoever attempts to buy them, letting them know that they're probably being scammed.



    And Bleeping Computer reports that there's been around 7.5 million in financial losses in this town due to online scams such as these.



    And in fact, there have been 14 complaints of investment scams in January alone with an estimated damage of 700,000.



    This is such a great example of a creative way to solve this problem, or at least attempt to solve this problem, by getting information in front of people. They could take it a st

Customer Reviews

5.0 out of 5
6 Ratings


aallyyhhaall ,

Great for Professionals or Newbies

This pod is a perfect listen for anyone on the spectrum of a cyber security professional, or someone new to learning about the industry.
I myself don’t work in the field of tech, but want to stay up-to-date with the world of cyber news per my concerns about AI capability and an increase in hacks.

Thank you to the hosts for breaking down the news in a palatable yet educational, listener-friendly way!
