In today’s episode, we delve into the warning issued by the NSA and FBI regarding the APT43 North Korea-linked hacking group’s exploitation of weak email DMARC policies to conduct spearphishing attacks. The podcast also covers a significant counterfeit operation involving fake Cisco gear infiltrating US military bases, creating a $100 million revenue stream. Lastly, we explore how Iranian hackers posing as journalists are utilizing social engineering tactics to distribute backdoor malware, breaching corporate networks and cloud environments. To read more about the topics discussed, visit https://www.bleepingcomputer.com/news/security/nsa-warns-of-north-korean-hackers-exploiting-weak-dmarc-email-policies/, and https://arstechnica.com/information-technology/2024/05/counterfeit-cisco-gear-ended-up-in-us-military-bases-used-in-combat-operations/, and https://www.bleepingcomputer.com/news/security/iranian-hackers-pose-as-journalists-to-push-backdoor-malware/
00:00 Massive Counterfeit Scam Unveiled: A Decade of Deception
01:08 Deep Dive into the Counterfeit Cisco Gear Scandal
04:14 The Art of Social Engineering: A Hacker’s Best Tool
07:05 Protecting Against Cyber Threats: Insights and Recommendations
08:46 Wrapping Up: Stay Informed and Secure
Tags: North Korea, APT43, DMARC, spearphishing, hacking, group, email, policies, attacks, intelligence, journalists, academics, organizations, prevent, security, policy, configurations, counterfeit, scam, Florida resident, gear, revenue, networking gear, US military, security, Air Force, Army, Navy, officials, stop, operation, Iranian, APT42, Nicecurl, Tamecat, hackers, backdoor, malware, social engineering, tactics, custom, blend operations, evade detection.
Search Phrases:
- How to prevent APT43 spearphishing attacks
- Counterfeit scam Florida military security risk
- Actions to stop massive counterfeit operation
- Iranian hackers impersonating journalists
- APT42 malware tactics
- Nicecurl and Tamecat backdoor malware
- Techniques to breach corporate networks and cloud environments
- Evading detection in cyber attacks
- North Korea hacking group APT43
- US military response to counterfeit gear scam
May6
A Florida man was just sentenced to six and a half years in prison for running a massive counterfeit scam that ran from 2013 to 2022 where he sold fake Cisco networking gear to the US military. This resulted in over 100 million of revenue for this man while also putting our US military operations at risk. How did he get away with this for so long?
Iranian hackers are impersonating journalists to distribute backdoor malware known as APT42
in order to harvest both personal and corporate credentials
in an attempt to infiltrate corporations at large.
What social engineering tactics are they using
to help blend in with normal operations and evade detection?
And speaking of impersonating journalists,
a North Korean hacking group is exploiting DMARC policies to conduct spear phishing attacks aimed at collecting sensitive intelligence, while impersonating journalists and academics to do so. What actions can organizations take to prevent these spear phishing attacks? You’re listening to The Daily Decrypt.
So just last week on Thursday, a Florida man named Onur Aksoy, who is also known by Ron Axoy and Dave Durden, which sounds almost like a Fight Club reference to me, was sentenced to 78 months, or 6 and a half years, for orchestrating a counterfeit scheme that generated over 100 million in revenue,
all by selling fake Chinese Cisco networking gear to the US military. This clearly would pose a significant risk to the US military’s security.
Because it was utilized in critical applications, including combat operations and classified information systems.
This man, who I’m going to refer to as Dave Durden because I like alliteration and I like Fight Club,
has been partaking in this counterfeit operation starting in 2013 all the way to 2022, receiving multiple cease and desist letters throughout those years, yet still continued to get fake Cisco networking gear into the hands of the US military. So since this has been going on for so long, and so much money has been spent on this, these pieces of fake Cisco networking equipment have spread out across the country, across the world, and will be very difficult to remove from the US military as a whole. Because they’ve been integrated into critical systems. And anyone who works in IT knows that it’s very hard to even patch one of these devices, let alone swap it out for something with different components, because this isn’t an actual Cisco router.
And as reported by Ars Technica,
technica. Cisco estimates that their products being sold on the quote IT gray market is costing them about 1. 2 billion dollars, billion with a B, each year.
Along with the unmeasurable
reputational risks that go along with fake gear touting your brand name.
And with a price tag that high, I would imagine Cisco should spin up a whole department that could cost less than 1. 2 billion dollars a year just to track down these counterfeit marketers. And who knows, maybe they do have that. If you work for one of these departments or you know of them, please leave a comment and let me know.
But yeah, this really just highlights the need for more robust security measures in the military IT supply chain. By no means am I an expert in military spending, but
I do know that there are actual laws, rules, and regulations that govern how the military spends money, and it involves opening up a bid for very large purchases where the lowest bidder wins the contract.
So in this case, the gear that this man, Dave Durden, sold to the U. S. military was valued well over a billion dollars.
Yet the reason he was so successful is he was willing to sell it for 80 90 percent off, making only 100 million off of this gear. And though that is the fiscally responsible thing to do with U. S. taxpayers money, You can see how this would sort of breed this environment for counterfeit gear,
because you can’t make the actual gear cost less than the counterfeit gear, so the counterfeit gear is going to win. And with the ease of spinning up eBay and Amazon Marketplace,
I’m sure we’ll see a lot more cases like this coming out in the near future.
So in case you didn’t know this, social engineering, which is the art of As it sounds, engineering other people to do what you want them to do is one of the most effective hacking techniques out there. And it doesn’t involve writing a single line of code, or even using a computer at all, if you know what you’re doing.
It’s just like it sounds, manipulating people into doing what you want them to do. So in this case, the Iranian state backed threat actor. known as APT42, has been using social engineering tactics, impersonating journalists and academics to breach corporate and cloud environments of Western and Middle Eastern targets.
So they’re essentially posing as these people to build trust and rapport with their targets. And then eventually they ask the target. to download a Dropbox document or article or something related to their conversations. But
instead of a document, they’ll be downloading some custom backdoors named Nice Curl or Tame Cat in order to gain command execution and data exfiltration capabilities.
Now if you’re curious to see what these accounts and fake journalists look like, check out the article by Bleeping Computer in the show notes. It contains some fun screenshots of profiles that are being used and they look very convincing.
The documents that the targets will end up downloading often use what’s called macros, which when opened up it’s like Word asks you if you’d like to enable macros to Utilize the full potential of this document. And after having trust built with these threat actors, targets are much less likely to think twice when clicking accept.
People, especially in corporate environments, are used to accepting security risks and accepting toggle boxes and all this stuff constantly throughout the day, so it’s almost become mundane to do so. And this is just another example of that.
But there is a good rule of thumb on this. If you download a document from the internet and you don’t personally know someone who’s sending it to you, don’t enable macros, especially if it’s just full of information. Macros are used to have more interactive documents because it allows these documents to open up applications and interact with other applications on your computer.
You don’t need that for journalistic articles or academic articles.
Because, yeah, this allows for the document to do anything on your computer, depending on the permissions requested, such as launch custom backdoors and install malware.
For the listeners who work in the InfoSec community, the article linked in the show notes by Bleeping Computer references a report by Google’s Mandiant that contains some YARA rules in detecting these custom backdoors. So make sure to check those out and implement them in yours or your customers environments.
And speaking of impersonating journalists, the NSA and FBI have issued a warning regarding the APT43 North Korea linked hacking group exploiting weak email, domain based message authentication, reporting, and confirmance DMARC policies to carry out spear phishing attacks.
The attackers are able to utilize misconfigured DMARC policies to send spoof emails, posing as credible sources like journalists and academics specializing in East Asian affairs. The goal of these spear phishing campaigns orchestrated by the DPRK is to gather intelligence on geopolitical events, foreign policy strategies of adversaries, and any information impacting the DPRK interests by illicitly accessing targets private documents and communications. The primary mission of APT 43 operatives, which is also known as KimSuki, is to provide stolen data and valuable geopolitical insight to the North Korean regime by compromising policy analysts and experts.
So I personally don’t know any policy analysts or experts, especially in
this type of realm, but if you happen to be listening to this and you happen to be somebody who might be affected by this, pay extra attention to
the emails you receive validating their authenticity, especially from researchers. in eastern asian affairs again, if you work in information technology, the FBI recommends updating your DMARC security policies to utilize configurations outlined in another article by Bleeping Computer in the show notes below.
This has been the Daily Decrypt. If you found your key to unlocking the digital domain, show your support with a rating on Spotify or Apple Podcasts. It truly helps us stand at the frontier of cyber news. Don’t forget to connect on Instagram or catch our episodes on YouTube. Until next time, keep your data safe and your curiosity alive.
Leave a Reply