The Hack-for-Hire Industry: Death by a Thousand Cuts

PLUS: When theft doesn't work... troll

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare and this week's edition is brought to you by Yubico.

You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. This edition is also available on Spotify.

Death by a thousand papercuts, Stable Diffusion

We have removed this item because it largely centres on discussion of an article that is subject to a legal action and is no longer published.

If Data Theft Doesn't Work… Troll

The AlphV ransomware group has filed a US Securities and Exchange Commission (SEC) complaint against one of its victims for failing to disclose that it had been breached.

In the words of AlphV's submission, the victim company MeridianLink "failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules".

According to AlphV, the group breached MeridianLink on November 7 and stole files but did not encrypt company systems.

Beyond the submission being a ridiculous troll, there are also a few more pedantic problems with AlphV's submission. The SEC's four-day disclosure rules don't actually come into effect until the middle of December and they only apply if the company decides the breach is material. MeridianLink told DataBreaches.net, "based on our investigation to date, we have identified no evidence of unauthorised access to our production platforms, and the incident has caused minimal business interruption". So it doesn't sound like a material incident anyway.

It also looks like AlphV missed a trick here and doesn't appear to have applied for the SEC's whistleblower reward program. This scheme is designed to encourage whistleblowing and monetary fines from SEC enforcement actions that result from submissions can be shared with the whistleblower. This would have been even more absurd and potentially more effective since this caper was all about using publicity to place extra pressure on MeridianLink.

However, cybersecurity professionals and companies should be aware that there could be a real opportunity for ransomware groups to apply more pressure here. The SEC's recent case against SolarWinds and its CISO is based on how the company's cyber security practices didn't match its public statements. Perhaps the opportunity for ransomware groups is to write penetration testing reports describing weaknesses in a company's cyber security defences and contrasting those findings with the victim's public statements (such as the boilerplate 'we take cyber security extremely seriously' and so on). They could then threaten to send this report to the SEC.

Russia’s War for (Hacking) Talent

The Record has published a recent interview with Victor Zhora, the former deputy head of Ukraine's cyber security agency (the SSSCIP), discussing the evolving tactics of Russian cyber operations. (The day after the interview took place Zhora was reportedly dismissed from the SSSCIP amid an embezzlement investigation.)

Most interestingly, Zhora commented on the difficulties that Russia has recruiting cyber talent, and that it is trying to build a talent pipeline from high schools and volunteer communities. Russia suffered a significant brain drain at the beginning of the invasion as skilled people left the country and this made it difficult for its cyber organisations to grow their capabilities.

He told The Record that, as a result, "they are putting focus on younger people because it's the only way for Russia to scale up and maintain the same intensity of cyberattacks".

Zhora also said that Russian groups were scouring Telegram channels, presumably ones in which patriotic Russian hacktivists organise their activities:

One way of engaging people to cyber offensive operations against Ukraine and our partners is seeking for talents in different Telegram channels where there’s always an officer of [the] FSB [Federal Security Service] or GRU [military intelligence] searching for the most skilled people and then inviting them to more official military structures.

There is already good evidence of coordination between Russian military intelligence and the country's hacktivist groups. However, it's difficult to trust unvetted groups of internet strangers with important cyber operations, so it makes sense to cherry-pick (and vet) talented individuals for more important work.

Zhora also recapped trends in Russian cyber operations that we've covered before. These include that Russian state groups remain focused on Ukrainian critical infrastructure and government organisations, but have shifted from disruptive operations to cyber espionage and data exfiltration. They've also shifted toward 'living off the land' approaches that rely on abusing legitimate tools that are already present in the host environment.

Three Reasons to Be Cheerful This Week:

  1. US SIM swap requirements strengthened: The US Federal Communications Commission (FCC) has adopted new rules intended to protect US wireless telecommunications customers from SIM swap fraud. The new rules say wireless providers must use "secure methods of authenticating a customer", but don't specify what these secure methods are — it's up to providers to figure that out. The FCC writes "while the approach we take today gives wireless providers the flexibility to adapt to evolving threats, it also creates an obligation that they adapt to those threats". [Risky Business News has more coverage]
  2. Hack-for-hire intermediary sentenced: An Israeli private investigator, Aviram Azari, has been sentenced to 80 months in prison for organising global hacking campaigns. Prosecutors say Azari's clients paid him more than USD$4.8m over five years for organising the campaigns. Notable campaigns targeted individuals critical of now-defunct German payment processing company Wirecard and also climate activists who were campaigning against Exxon Mobil. One of the hack-for-hire firms Azari used was Indian firm BellTrox.
  3. Binance pinged for USD$4.3bn: Binance, the world's largest cryptocurrency exchange, will pay USD$4.3bn to settle violations of US anti-money laundering law. Its CEO Changpeng Zhao (aka CZ) will also step down. We are calling this good news because the terms of the settlement will help clamp down on ransomware payments. The US Treasury Department said that Binance didn't report ransomware payments despite "transacting millions of dollars of ransomware proceeds involving at least 24 different strains of ransomware".

In this Risky Business News sponsor interview, Tom Uren talks to Derek Hanson, Yubico VP of Solutions Architecture and Alliances, about the state of authentication and what Passkeys are all about.

Shorts

Twitter's Flagging Flagging Efforts

Bloomberg analysed hundreds of viral posts on X, the website formerly known as Twitter, relating to the Israel/Hamas conflict and found that the site's efforts to address misinformation were not keeping up with the speed with which misleading posts were going viral.

Since Elon Musk's takeover of Twitter he has dismantled much of the company's trust and safety function, so mechanisms it previously used to manage misinformation don't exist any more.

One recent innovation that attempts to address misinformation on the platform is 'Community Notes', a mechanism that gathers other X users' opinions to add context to posts and flag them as potentially misleading.

In theory, this could work because it harnesses users to address misinformation more broadly than a centralised Twitter team ever could. However, Bloomberg found that Community Notes correcting or adding context to posts typically appeared hours or even days after misleading posts had gone viral. Often these posts contained photos or videos that were repurposed from other conflicts (or even video games) and appeared to be deliberately inflammatory.

Of course, Twitter's former role as a site to follow breaking news events is at odds with the slower pace that would come with the careful assessment of posts for misinformation.

How to Join the Active Defence Party

German digital technology think tank SNV (Stiftung Neue Verantwortung) has published a paper on how states should responsibly conduct 'Active Cyber Defence' operations. Its definition of active cyber defence is pretty broad and encompasses state action that ranges from telling ISPs to block or sinkhole malicious traffic to what this newsletter calls ‘offensive cyber operations’ designed to disrupt cyber criminals, as per the UK's National Cyber Force.

Some states already carry out these kinds of operations and we expect that over time more states will take part. The paper is a sensible policy blueprint on how states can join the party.

I'm In Jail With a Broken Nose…

Now here's an AI-enabled scam that will work. In this video, attorney Gary Schildhorn describes a scam which started with a phone call from his son saying that he'd been in a car accident in which he'd broken his nose and injured a pregnant woman.

The AI technology required is the ability to clone a voice, which could then be combined with a soundboard to trigger pre-prepared phrases. But this is a targeted attack that requires the scammers to do some homework beforehand. Firstly, the scammers need to identify individuals with enough speech available online such that their voice can be cloned. They then need to find relatives and contact details. But once they've done that we suspect their success rate will be pretty good.

Fortress Australia, Cyber Edition

The Australian government released its latest cyber security strategy this week and on the whole we approve.

The strategy takes a defence-in-depth framing with six 'cyber shields', ranging from "strong businesses and citizens" to "protected critical infrastructure". The third shield, "World-class threat sharing and blocking", is interesting. It takes a 'fortress Australia' approach and aims for whole-of-economy threat intelligence sharing, coupled with threat blocking at ISPs and telcos.

The strategy extends out to 2030, however, and the new funding is modest given that extended time frame. A reasonable chunk of the new money is allocated to helping Pacific countries both improve their cyber security and respond to crises.

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).

In our last "Between Two Nerds" discussion Tom Uren and The Grugq discuss how being more open about cyber security threats is great for marketing but has also forced cyber security companies to pick sides and make value judgements.

From Risky Biz News:

DIALStranger vulnerabilities disclosed after four years: Turkish security researcher Yunus Çadirci has discovered vulnerabilities in the DIAL protocol and misconfigurations in vendor equipment that can be used to force TVs and other DIAL-capable devices to play an attacker's video content.

The DIALStranger flaws were discovered way back in 2019, but Çadirci kept the original report private for four years as the protocol received patches and vendors slowly updated devices.

[more on Risky Business News, including how the flaw could be used for "mass-rickrolling"]

NTMC leak: Bangladesh intelligence agency NTMC has left a sensitive database exposed on the internet and leaked the personal details of an unknown number of citizens. The leaked data contained more than 120 data points for each citizen, ranging from real names to Twitter IDs, criminal records, and phone call records. Viktor Markopoulos of CloudDefense.AI, who discovered the database, says he reported it to Bangladesh officials, but the server was never secured. Instead, it was wiped and replaced with a ransom demand, presumably in an automated attack. [Additional coverage in Wired]

Tor Project removes 1k relays linked to cryptocurrency scheme: The Tor Project has removed an estimated 1,000 relay servers from its network, citing their involvement with a for-profit cryptocurrency scheme.

The scheme allegedly promised cryptocurrency tokens for users who set up and ran Tor relays.

In a blog post on Monday, Tor admins said they removed participating servers to protect the integrity and reputation of their project. The removal was subject to a community vote that passed last week.

[more on Risky Business News, including Tor's funding sources]