State of Cybercrime

The Double-Helix Heist

Episode Summary

Join the State of Cybercrime team, Matt, David, and Dvir, to learn about the numerous tools hackers use for cred stuffing, examples of when these tactics have been used in organizational attacks, and what you can do to protect yourself.

Episode Notes

Few breaches have drawn as much social media fervor as the recent 23andMe incident, in which the genomics company was victim to a massive credential stuffing attack that leveraged leaked and reused passwords to target accounts without MFA.

What differentiates this attack from others is that 23andMe itself was not breached, but an entire wave of its users was targeted individually. There are claims that these profiles — including genetic and geographic ancestry data — are available on hacking forums, but the legitimacy of those claims is still being investigated.


OUR FAN-FAVORITE PANEL WILL ALSO DISCUSS:

Episode Transcription

[00:00:00]

Matt Radolec: Hello everyone. Thank you and welcome to another exciting episode of State of Cybercrime. I know it's been a little while since we last connected, and David and Dvir and I are super, super eager to chat with everybody today. I'm dialing in from Sacramento, California. What about you, David? 

David Gibson: I am in Connecticut.

Hello, everybody. Love to see where you guys are dialing in from. 

Matt Radolec: Yeah, let's see where everybody's coming in from.

Jersey City, Ontario, Denver, Florida, Virginia [00:01:00] Beach, Springfield, Missouri, Minneapolis, Wales. Shout out another one from the UK. Another one from Canada. A couple more from the UK. What an exciting day. Thanks for checking in, everybody. So we've got a jam-packed agenda to go through. And we are super excited to dive in and share that with you guys.

We'll go through our usual segments today. We'll start out by covering some good news. We'll talk about a couple of things that should be top of mind for everybody in the danger zone. We'll go over a few vulnerable vulnerabilities. By way of intros, I guess we shouldn't skip the pleasantries here. My name is Matt Radolec, co-host, joined by David.

Do you want to say hello, David. 

David Gibson: Hi, David Gibson. 

Matt Radolec: As well as Dvir from Varonis Threat Labs. 

Dvir Sason: Hi, good morning. Nice to meet you.

Matt Radolec: So oftentimes in cybersecurity, everybody likes to talk about doom and gloom. Everybody wants to know what the latest happenings are or whether or not anyone is doing anything good in the cyberspace. And oftentimes we don't hear enough of that good news. And so that's really what we wanted to share first and foremost with you guys.

We [00:02:00] wanted to be able to show you some good news. So let's talk a little bit about Sébastien Raoult, aka Sezyo Kaizen, who was arrested last year in Morocco and extradited to the USA for activities related to his role in the ShinyHunters hacking group. ShinyHunters and Raoult would hack into organizations to steal customer data that they later sold on various forums, darknet marketplaces and Telegram channels.

It's estimated they stole somewhere in the realm of several hundred million records of sensitive information, and he did later plead guilty to wire fraud and aggravated identity theft in the U.S. District Court in Seattle. Unknown what sentencing is going to be, but looks like up to 27 years behind bars.

David Gibson: Yeah, it was pretty interesting to see how data centric all these attacks are and how much damage or estimated damage they were able to do with these, I think it was over 6 million they estimated, right?

Matt Radolec: Yeah, the other thing I think is important here, people are always asking me what is it that people actually get [00:03:00] convicted for?

And when we look here and we see wire fraud as the primary conviction and aggravated identity theft as the second one, you might think it would be related to violations of the Computer Fraud and Abuse Act, the actual hacking parts, but it's a lot more to do with the downstream financial crimes or identity crimes associated with the hack than it seems the hack itself.

David Gibson: That's right. And so you should always use wireless if you're going to hack. 

Matt Radolec: Now, there's a tremendous amount of buzz on the internet about AI. And I'm curious if anybody in our audience recognizes what this logo on the screen has to do with AI.

David Gibson: There we go. 

Matt Radolec: Yeah, there you go. Thanks. Thanks, Benjamin. It does have to do with attribution of AI generated images. This is actually Adobe's new icon, which they would like to see widely adopted even outside of the Adobe ecosystem as part of an initiative to show what work is AI generated.

Now, David and Dvir, I know this is a topic that we are all super, super passionate about. [00:04:00] Always talking about stuff like who owns the data generated by AI, derived by AI, are the original works which AI used to derive newly generated content, are people receiving royalties, are we protected? I know only time's going to tell, but I do see it as good news that Adobe wants there to be a watermark on AI content.

It sure would make fake news a bit harder. 

David Gibson: Sure would. I actually, I'm a little surprised that we didn't also go the other way, and maybe we could crowdsource this if somebody could come up with a CR image of a person, like this was not created by AI. I think that's also important. But I think it's good that we're starting the conversation of all right, how do we distinguish content that was created by a human where there was an image that was not manipulated from an AI derived image or piece of art from all sorts of standpoint, intellectual property as well as just veracity and things like that. 

Dvir Sason: Yeah, I absolutely agree. I think this is the stepping stone when it comes to properly distinguishing between created content by [00:05:00] AI or just like any other ones.

And I think legislation on that specific matter is important, and we should see more and more initiatives in that sense. 

Matt Radolec: Yeah, and what I'm always wondering, and curious to see what our audience thinks about this is, when something goes into AI that a person didn't have the copyright for, is there anything to stop the AI from generating and deriving content from that that isn't going to then be licensed or royalties paid or copyright claims paid?

It seems like this is going to be one of the areas that we end up talking about a lot. 

Now outside of the good news or the threat of AI, we want to talk a little bit about some vulnerabilities that should be top of mind for everyone. Now, David, you're always the most passionate when it comes to network related and protocol abuse.

You want to tell us about this? 

David Gibson: Yeah, this is a distributed denial of service attack that was a little bit different from some of the ones that we've seen over the years. A lot of the DDoS attacks that I remember diving [00:06:00] into were what I would call response attacks. The earliest example of this was like IP directed broadcasts where somebody would ping a subnet and all of a sudden there'd be these walls of ICMP traffic heading towards whichever address they spoofed.

There was some more of that kind of attack with DNS. This one, however, is a stimulus and it's taking advantage of a vulnerability in HTTP/2, which I didn't really know about the functionality that's being exploited here. Apparently in HTTP/2, you can multiplex requests over a single TCP connection.

And the way the exploit works, if I understand it correctly, is it's making a whole bunch of these requests and then canceling them. And this actually reminds me of the original style SYN attack, where SYN flood, where you basically take up host memory by making all these connections.

This is similar but taking advantage of this additional functionality. And essentially, the effect is when you're sending these requests and then canceling them really quickly, [00:07:00] it overwhelms the web server, essentially making it seem like it's down. So a lot of web server vendors have created patches for this.

And this is something that I think we'll probably see, you know, as another tool in the toolbox that attackers can use.

Dvir Sason: Absolutely. I couldn't say it myself. I think also CDNs were affected on that as well. And again, I did look on the applicative level. It's not easy to come by. 

Matt Radolec: Now, that's not the only kind of interesting thing in the news. Spain's third largest airline, Air Europa, disclosed a recent data breach and also urged their clients to review and cancel their associated airline credit cards.

Unauthorized actors, it's not clear who they are, were able to retrieve credit card data, including things like card numbers, expiry dates, and CVV codes. And this isn't the first time that Air Europa has been a victim of a data breach. In 2021, they experienced a data breach that subsequently led to a fine by Spain's chapter of the GDPR enforcement realm, around 600,000 euros.

And I think that what this [00:08:00] points out though, it really, airlines are a common target for ransomware extortion actors, really due to the kind of sensitive and life dependent nature of their day to day operations. So certainly isn't the first and probably won't be the last breach that we see targeting airlines.

David Gibson: Yeah, very high value target. And those credit cards, they're getting much more popular. 

Matt Radolec: Now, David, I know we all love airplanes, but you also know I really love cats. Why is it that you get to do the cute cat?

David Gibson: Just lucky, I guess. Of course we've seen BlackCat before, and of course, they're the rebranded DarkSide or BlackMatter, I believe, or at least they're associated with those groups, the next evolution of those.

But they are recently in the news because of an attack on the state courts from Northwest Florida, which I guess is part of the First Judicial Circuit, and they have accessed a lot of the personal data, including a lot of information about judges and other court employees. And of course they have, looks like, a lot of [00:09:00] information that they could use to establish persistence, like a network map and things like that.

And it also looks like that the First Judicial Circuit is not playing ball and not paying the ransom. Which I believe is why it's being made public, if I'm guessing correctly. 

Matt Radolec: Yeah, and not the same story as we always see with ALPHV/BlackCat, right?

If the ransomware doesn't work, it's extortion. If that doesn't work, it's usually even downstream infections on some of the suppliers. Now, in the spirit of cats, we do have to talk about the Hello Kitty ransomware that ended up getting leaked. A threat actor, Cappuccino, very eloquently spelled Cappuccino, also known as Gookie, purportedly leaked the source code for the first version of the Hello Kitty ransomware.

Now the actors behind the Hello Kitty ransomware claim they're going to move on to more powerful encryptors and capabilities akin to things like LockBit. And when you actually unpack this, one thing that we learned from the leaked source code was there is some leveraging of Microsoft Visual Studio as well as NTRUEncrypt for the actual file encryption part.

Now, for those of you that kind of have lost sight of where Hello [00:10:00] Kitty got its name, they're a ransomware operation known for targeting corporate networks, stealing data, encrypting systems, doing that double extortion scheme, and they made a lot of headlines back in 2021 when they targeted CD Projekt Red.

Now, with so many different ransomware-as-a-service offerings, it's really unclear whether this leak will lead to more use of Hello Kitty ransomware, but I think, if anything, other actors may choose to use this leaked code as maybe a layer of obfuscation or even for doing more extortion.

David Gibson: Yeah, the first thing that I think is really important is we can tell by the name that this threat actor is probably operating out of a coffee shop. And would probably be good to look there if you want to apprehend him, but I thought this was interesting, Matt, when we've seen actors releasing source code for ransomware as a service before, the usage of that gets picked up and used by other groups more rapidly. And I'm curious if it looks like this might have been an intentional leak by the actor, if I'm reading that correctly, by the Hello [00:11:00] Kitty author, because they're coming out with something so much worse or so much more effective for their purposes.

And I'm curious of what that's going to be, and I hope we don't find out, but I think we probably will. 

Dvir Sason: Yeah, that wasn't the case with Babuk Locker and others.

Matt Radolec: Now as we jump on the highway to the danger zone and we talk about this double helix heist, David, that titled our show today, you want to talk a little bit about the breach of 23andMe and what some of the unique aspects are?

I know I'll have some things to add here as well. 

David Gibson: Yeah I think there's a lot to unpack here and it looks like the source of this is people not having MFA enabled and a credential stuffing attack, so it's a very basic kind of attack. I don't see any evidence that 23andMe itself has been compromised, and correct me if you've seen anything different there, but it looks like the source of the compromise is basically attackers logging into other people's accounts.

Now, what really disturbs me about this is anybody that is [00:12:00] using 23andMe and has opted into their family find genetic relatives thing, you've been inadvertently included in this breach because you can find relatives.

And I feel like from a phishing perspective and a social engineering perspective, this has a lot of ramifications, right? It might be really easy for attackers to start to put together who you might know and who's in your family. Also, there's medical history. What struck me is MFA's not mandatory?

Oh god. I don't know what your big takeaway was there. 

Matt Radolec: Yeah. You know, the idea that instead of targeting, like, the backend of an app, you target the user accounts on the app. I think we saw this first becoming really prevalent before World of Warcraft implemented multifactor authentication and so many people's WoW accounts were being targeted.

And this was one of these things where, you know, is it Activision Blizzard? Is it Blizzard? I think at the time it was Blizzard. Or is it the players were having weak passwords or reusing their passwords? And I think it brings up this point: we're sitting here, it's 2023, [00:13:00] MFA is pretty ubiquitous, it's widely available for many different providers, it isn't just a luxury security control anymore.

At what point should, like a, someone in the chat even mentioned that a lot of airlines don't have MFA on their logins.

At what point do we, as consumers, demand MFA to protect things that are tied to our identities or our genetics or our airline miles? I think that this is the balance that needs to be revisited, as it doesn't make sense in a way. This is something you'd hope someone would be able to catch, but in the absence of being able to catch it, if the security is in the hands of the user, at least offering or mandating MFA certainly would have prevented this.

David Gibson: Yeah, you can cancel your credit cards from the earlier breach, but what do you do here? 

Matt Radolec: Yeah, it's like the DNA is your DNA. Now, this wasn't the only kind of cyber news going on. It does seem like there's an uptick in cyber attacks primarily in Israel, and that's why we brought Dvir.

Dvir, you want to [00:14:00] talk to us about what cyber attack techniques are being observed in Israel?

Dvir Sason: Yeah. Without going into the politics of everything that's going on, we're just gonna stick to the cyber security part of it. There's a lot of interesting developments when it comes to the activity going on from attackers or threat actors with trying to represent each side of the conflict.

I think there are personal initiatives and sometimes more organized initiatives trying to target both the civilian type of infrastructure and other types of more complex infrastructure. We've seen a couple of main groups, such as AnonGhost and Ghosts of Palestine, versus Red Evils. And everyone's tried to do other stuff in that sense.

When it comes to Red Evils, they are just trying to leak and dump as much personal information and critical information from specific populations regarded in Palestine, in the West [00:15:00] Bank or in Gaza, and Iran. And when it comes to AnonGhost and Ghosts of Palestine, it is also comprised of attempts to DDoS or attack PLCs within water treatment facilities and to properly attack these infrastructures. In that sense, AnonGhost also was able to gain access to the API keys related to the Red Alert system and publish wide events and alerts with regard to missile attacks, imminent missile attacks. In that sense, this is still developing.

I can tell you that ISPs are being targeted. Anything that has Internet connectivity in that region is currently targeted. And that includes individuals. So con beliefs of Israeli citizens and Palestinian citizens are being constantly attacked in order to try and gain access to the Facebook account, Instagram account, Twitter.

And this is why password reuse is something that we definitely try to avoid and [00:16:00] we definitely try to recommend all the time, use complex passwords and MFA, in order to protect yourself from any sort of attack, not specifically around this field, but generally speaking, because passwords do leak, and we need to make sure that we use safe and secure passwords at all given times, with different ones for each site and service, and of course, enabling MFA.

Matt Radolec: Yeah, thank you, Dvir. Now, as always, we've always got some time built in to the end of our shows to answer questions from you, our audience, as well as just generally say thanks for tuning in. We always get excited when there's something fun and interesting to talk about, or something novel that, you know, like a threat vector, a vulnerability, an attacker that we think you guys should know about.

Our show is made possible by you, our audience, so thank you guys for attending. 

David Gibson: Yeah, just had some people piping in about MFA, right? And, I guess, federated authentication, things like that, how that should probably be required and not cost more, I assume, right? I don't know if [00:17:00] anybody's charging to enable multi-factor authentication.

That seems like a crazy thing. It's almost like charging for the logs you would need to secure yourself. 

Matt Radolec: Yeah, I think I was going to say, I think a lot of popular providers do. I want to say even Twitter got into the mix with charging for MFA at one point, if I remember, or X, formerly known as Twitter, I think is the appropriate name.

According to Rundry in the chat, it looks like Atlassian does. Cornet, Dan's mentioning there's not a lot of airlines that are using it. Moira, Box, yeah. Interesting. Might even be worth us looking into this more and maybe writing about this, David, this could be, we could have uncovered the first stone here.

David Gibson: I think so. I think so. With the recent Microsoft breach and them saying, yeah, you know what, we're going to give you guys the logs you need to know whether you've been breached or not, or know what data was compromised. I think that this is, it's about time that this functionality just became table stakes for anything on the web that matters. And FIDO2, right? As [00:18:00] well. Maybe extending it.

Matt Radolec: If there's nothing else, I think that just about covers it. As always, thank you to the audience for making our show possible. And thanks to the co-hosts, David and Dvir. We appreciate you guys, and we hope to chat again soon on another episode of State of Cybercrime.