
    Podcast Summary

    • EFF's Threat Lab: protecting at-risk digital users. EFF's Threat Lab researches and helps prevent targeted threats such as malware against journalists, lawyers, and human rights activists worldwide, as part of EFF's broader work on online privacy and civil liberties.

      The Electronic Frontier Foundation (EFF) runs a project called Threat Lab that researches and helps stop targeted threats against at-risk populations: lawyers, human rights defenders, activists, and journalists around the world who are being targeted with malware and other digital surveillance techniques. The project grew out of EFF's representation of Irina Petrushova, Editor in Chief of Respublika, an independent newspaper formerly published in Kazakhstan and one of the country's few independent news sources. The Threat Lab's aim is to protect civil liberties online.

    • Irina Petrushova's fight against government and hacker threats while exposing corruption. Journalists who expose corruption face real danger; educating and equipping them with security measures is crucial to protecting press freedom.

      Irina Petrushova, a Kazakh journalist, was targeted by the government and by hackers for exposing corruption through her independent news outlet. Despite threats and attacks she kept writing and publishing. When the Kazakh government sued to stop her from publishing leaked documents, she turned to EFF for legal help, and the case ended in a First Amendment victory. The threats did not stop there: she and her brother received spear-phishing emails carrying malware attachments. EFF helped her identify the malware and trained her in journalist security. The malware, jRAT (a Java-based remote access trojan), could capture audio, video, and files from an infected computer. The story illustrates the danger faced by journalists who uncover corruption and why journalist security matters.

    • Malware and command-and-control servers in targeted hacking with a motive. Targeted attacks with specific objectives, such as surveillance of individuals or organizations, rely on malware and command-and-control (C2) servers. Surveillance of opposition politicians in Kazakhstan shows why these communities need defensive support.

      Targeted attackers have a specific objective against a specific target, and malware families such as jRAT and Bandook are used to spy on individuals or organizations. The malware reports to command-and-control servers, in this case hosted with providers with a history of tolerating illegal content, which helps such operations survive takedown attempts. The government of Kazakhstan is suspected of using these tactics against people who post criticism of the government. Motive in digital espionage is hard to infer with confidence, but leaked emails show that the government hired private intelligence companies to conduct surveillance of opposition politicians. The incident highlights the growing need for defensive measures to protect individuals and organizations from targeted attacks.

    • Kazakhstan's history of outsourcing cyber-espionage. Kazakhstan's government outsources cyber-espionage to hired hacking teams for surveillance and phishing; outsourcing lets the program scale, which is why more research into these operations is needed.

      Kazakhstan has historically hired independent hacking teams for cyber-espionage. The government does not appear to have in-house offensive capability, but companies sell that service. These hackers-for-hire conduct digital surveillance, data-theft missions, and spear phishing for their clients. Most of the targets are embroiled in legal disputes with the government, or are family members or associates of people in those disputes. The concern is that Kazakhstan can scale up its espionage program simply by buying more of it. Researchers at Lookout, a mobile security company, later found mobile malware communicating with the same domains named in EFF's Operation Manul report. More research in this area is needed to counter these threats.

    • Mobile malware investigation leads to the discovery of new targets in Lebanon and Syria. Malware on a personal device gives attackers everything on it, so the devices of at-risk people need protection.

      The investigation into mobile malware linked to Operation Manul uncovered a new set of victims in Lebanon and Syria. Data from infected devices belonging to Lebanese civilians, military personnel, and activists gave the Lookout team more to work with. As the picture grew more complicated, the teams held back the blog post they had planned. Kazakhstan and Lebanon have little connection, so the earlier assumption that the Kazakhstan government was behind the hacking came into doubt: the operators could be from somewhere else, and their motives remained unknown. Protecting personal devices against malware is essential, since once a device is compromised the attacker can quickly collect personal information and any sensitive data stored on it.

    • Mobile malware posing as encrypted messaging apps to spy on users. Attackers used convincing disguises to trick Android users into installing malware that spied on their messages and activity; install apps only from the official store or the developer's verified source.

      The attackers disguised mobile malware as popular encrypted messaging apps, including WhatsApp, Signal, Telegram, Tor, and Threema, to spy on Android users. They set up a website, secureandroid.info, that served trojanized copies of these apps with a backdoor added. Victims were lured by an email or text message along the lines of 'Let's talk securely, download WhatsApp from this URL and then we can have a secure chat.' The fake app looked and behaved like the real one while reading the user's messages in the background and sending them to the command-and-control server. A trojanized build cannot carry the genuine developer's signing certificate, so comparing an APK's signer certificate fingerprint with the one the developer publishes (for example with apksigner verify --print-certs) is the practical check before installing anything obtained outside the official store. Lookout and EFF analyzed the data, worked out the campaign's modus operandi, and mapped the IP addresses of victims around the world.

    • Lookout researchers identify a global hacking operation targeting dissidents and activists. A large campaign hitting individuals in 21 countries was attributed to a nation-state actor, but determining who is behind it and why is a complex process.

      Lookout's researchers attributed the large hacking operation against dissidents, activists, lawyers, and journalists to a nation-state actor, using the Diamond Model of intrusion analysis to organize what they knew about the adversary, its capabilities, its infrastructure, and its victims. The malware itself was unsophisticated, which argues against a top-tier state actor. But the scale of the campaign, with victims in 21 countries, suggested more than a single government acting alone. Publishing the report was also complicated by the fact that the campaign was still live. Attribution means solving the puzzle of how, with what, against whom, and by whom the attack was carried out.

    • Researchers at Lookout uncover a global phone-spying operation. The operators collected vast amounts of personal data from phones, some of which appear to have been seized at border crossings; personal devices crossing borders need particular care.

      A Lookout researcher uncovered the scale of the operation: 264,000 files, 486,000 SMS messages, 250,000 contacts, 150,000 call records, 92,000 browsing-history URLs, about 1,000 account credentials (username and password pairs), and 206,000 unique Wi-Fi SSIDs. Cooper and the team could gather this evidence because the operators had left the Apache server-status page open; it displays real-time information about the server, including the client address and URL of each request being handled, so the team simply logged the URLs and IP addresses as they appeared. From the collected data they inferred that some phones had likely been seized at locations such as airports or border crossings. They found victims all around the world, and traced the IP addresses logging into the admin sections of the command-and-control servers to specific locations in Beirut. They also found that the earliest infected phones to upload to the server had all connected to the same Wi-Fi network.
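      The collection step described above, as an added example that is not part of the original page and not the researchers' own code: a parser for an Apache mod_status page (the "Apache Stats" page the paragraph mentions) that pulls out the client address and request line of every worker, sorts clients into operators hitting an admin panel versus implants uploading data, plus the defender-side check that such a page is not reachable by everyone. The HTML snapshot, the IP addresses, the hostname c2.example and the /admin and /upload paths are constructed for illustration; the column layout follows Apache's ExtendedStatus table but columns are located by header name, since the set varies across versions.

```python
"""Who is talking to a server, recovered from an exposed Apache mod_status page.

Added example for this summary, not code from EFF, Lookout or the Dark Caracal
report. SAMPLE_STATUS is a constructed snapshot in the layout mod_status emits
with ExtendedStatus On (columns vary by Apache version, so they are found by
header name). IPs, hostname and paths are made up; /admin and /upload are
hypothetical names for an operator panel and an implant check-in endpoint.
"""
import re
from collections import Counter
from html.parser import HTMLParser

SAMPLE_STATUS = """<html><body><h1>Apache Server Status for c2.example</h1>
<table border="0"><tr><th>Srv</th><th>PID</th><th>Acc</th><th>M</th><th>CPU
</th><th>SS</th><th>Req</th><th>Conn</th><th>Child</th><th>Slot</th><th>Client</th><th>VHost</th><th>Request</th></tr>
<tr><td><b>0-0</b></td><td>2210</td><td>0/41/41</td><td>W</td><td>0.12
</td><td>0</td><td>3</td><td>0.0</td><td>0.30</td><td>0.30</td><td>203.0.113.5</td><td nowrap>c2.example:80</td><td nowrap>POST /upload/sms HTTP/1.1</td></tr>
<tr><td><b>1-0</b></td><td>2211</td><td>0/17/17</td><td>W</td><td>0.05
</td><td>1</td><td>2</td><td>0.0</td><td>0.10</td><td>0.10</td><td>203.0.113.5</td><td nowrap>c2.example:80</td><td nowrap>POST /upload/contacts HTTP/1.1</td></tr>
<tr><td><b>2-0</b></td><td>2212</td><td>0/9/9</td><td>_</td><td>0.01
</td><td>12</td><td>0</td><td>0.0</td><td>0.02</td><td>0.02</td><td>203.0.113.77</td><td nowrap>c2.example:80</td><td nowrap>POST /upload/files HTTP/1.1</td></tr>
<tr><td><b>3-0</b></td><td>2213</td><td>0/3/3</td><td>W</td><td>0.00
</td><td>0</td><td>1</td><td>0.0</td><td>0.01</td><td>0.01</td><td>192.0.2.44</td><td nowrap>c2.example:80</td><td nowrap>GET /admin/login.php HTTP/1.1</td></tr>
<tr><td><b>4-0</b></td><td>2214</td><td>0/0/0</td><td>.</td><td>0.00
</td><td>0</td><td>0</td><td>0.0</td><td>0.00</td><td>0.00</td><td>NULL</td><td nowrap>NULL</td><td nowrap>NULL</td></tr>
</table></body></html>"""


class _Rows(HTMLParser):
    """Collect every <tr> as a list of whitespace-normalised cell strings."""

    def __init__(self):
        super().__init__()
        self.rows, self._row, self._cell = [], None, None

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag in ("td", "th") and self._row is not None:
            self._cell = []

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None:
            self._row.append(" ".join("".join(self._cell).split()))
            self._cell = None
        elif tag == "tr" and self._row is not None:
            self.rows.append(self._row)
            self._row = None


def parse_server_status(html):
    """Return (client_ip, request_line) for each worker's current or last request."""
    p = _Rows()
    p.feed(html)
    p.close()
    header, pairs = None, []
    for row in p.rows:
        if "Client" in row and "Request" in row:   # the worker table's header row
            header = row
        elif header and len(row) == len(header):
            rec = dict(zip(header, row))
            if rec["Client"] != "NULL" and rec["Request"] != "NULL":  # skip idle slots
                pairs.append((rec["Client"], rec["Request"]))
    return pairs


def classify_clients(pairs, admin_prefix="/admin", upload_prefix="/upload"):
    """Count hits per client, split into operators (panel), implants (uploads), other."""
    roles = {"operator": Counter(), "implant": Counter(), "other": Counter()}
    for client, request in pairs:
        parts = request.split()
        path = parts[1] if len(parts) >= 2 else request  # "GET /path HTTP/1.1"
        role = ("operator" if path.startswith(admin_prefix)
                else "implant" if path.startswith(upload_prefix) else "other")
        roles[role][client] += 1
    return roles


# Defender's side: the same page must never be reachable by everyone.
OPEN_CONF = '<Location "/server-status">\n  SetHandler server-status\n  Require all granted\n</Location>\n'
RESTRICTED_CONF = '<Location "/server-status">\n  SetHandler server-status\n  Require local\n</Location>\n'


def status_location_is_open(apache_conf):
    """True if the <Location /server-status> block is reachable from anywhere.

    Checks Apache 2.4 'Require' lines only; a block with no Require line inherits
    the parent's access policy and is reported as open so a human looks at it.
    """
    m = re.search(r'<Location\s+"?/server-status"?\s*>(.*?)</Location>',
                  apache_conf, re.S | re.I)
    if not m:
        return False  # handler not mapped in this fragment
    requires = re.findall(r"^\s*Require\s+(.+?)\s*$", m.group(1), re.M | re.I)
    return not requires or any(r.lower().startswith("all granted") for r in requires)


if __name__ == "__main__":
    roles = classify_clients(parse_server_status(SAMPLE_STATUS))
    for role, counts in roles.items():
        print(role, dict(counts))
    print("status page open:", status_location_is_open(OPEN_CONF))
```

      mod_status only shows the request each worker is handling or last handled, so building a log like the researchers' means polling the page repeatedly and de-duplicating; the classification by path is the analyst's hypothesis about which endpoints are the panel and which are check-ins, and has to be confirmed against the samples. On the defending side, gate /server-status with Require local or Require ip, or do not load the module on an internet-facing host.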

    • Using WiGLE to trace government-sponsored hacking. WiGLE, a crowdsourced database of observed Wi-Fi networks, can place an SSID at a physical location and so help trace where an attack was run from; here it pointed at a government intelligence agency, with cyber-mercenaries working as agency staff or contractors.

      The team used WiGLE, a crowdsourced database fed by an Android app that records the Wi-Fi SSIDs seen by phones running it and uploads them to the WiGLE website; it does not see every network in the world, only those contributors have passed. With it they located an SSID called BLD3F6 to a building in downtown Beirut belonging to Lebanon's intelligence agency, the General Directorate of General Security. Multiple infected test devices had only ever connected to this one Wi-Fi access point. This is not a smoking gun, but it strongly suggests the Lebanese government was behind the hacking. Cyber-mercenaries may work for governments either inside agencies or as contractors, as appears to be the case here.

    • Unveiling Dark Caracal: the mysterious cyber-mercenary group. Dark Caracal sells hacking services to governments using several malware families; its real identity is unknown, which makes it hard to trace and prosecute.

      Dark Caracal is a shadowy cyber-mercenary group that appears to sell hacking services to several governments, including Lebanon and Kazakhstan. It uses several malware families, including CrossRAT, Bandook, and its own Android implant (named Pallas in the report), to get onto targets' computers and phones. These families share a similar pattern of communication with their command-and-control servers, which is part of what ties the campaigns together. One suspect, known as Prince Ali, is believed to have written Bandook. EFF and Lookout released a report outlining Dark Caracal's activities, which shows the group running criminal and espionage campaigns in several countries at once. Who is ultimately behind Dark Caracal remains unclear, which is why the investigation was likened to a real-life game of Clue.

    • The Dark Caracal campaign and the creation of EFF's Threat Lab. Dark Caracal showed the danger of state-sponsored cyber-mercenaries and the need for a Threat Lab to investigate spyware aimed at vulnerable communities; the work later extended to pressing antivirus companies to flag stalkerware as malware.

      The Dark Caracal campaign exposed the threat of state-sponsored cyber-mercenaries targeting activists, journalists, and human rights lawyers, and the research led EFF to create the Threat Lab to investigate spyware aimed at at-risk communities. The report warned that more such threats lurk unnoticed and that governments will keep outsourcing their spying to cyber-mercenaries. In this environment, citizens' personal devices can be compromised by nation-state actors and their lives put at risk. The Threat Lab has since also pushed antivirus companies to flag stalkerware as malware, to reduce spying by domestic partners on phones.

    Recent Episodes from Darknet Diaries

    147: Tornado

    In this episode, Geoff White (https://x.com/geoffwhite247) tells us what happened to Axie Infinity and Tornado Cash. It’s a digital heist of epic proportions that changes everything.

    This story comes from part of Geoff’s book “Rinsed” which goes into the world of money laundering. Get yours here https://amzn.to/3VJs7pb.

    Darknet Diaries, July 02, 2024

    146: ANOM

    In this episode, Joseph Cox (https://x.com/josephfcox) tells us the story of ANOM. A secure phone made by criminals, for criminals.

    This story comes from part of Joseph’s book “Dark Wire” which you should definitely read. Get yours here https://www.hachettebookgroup.com/titles/joseph-cox/dark-wire/9781541702691.

    Darknet Diaries, June 04, 2024

    145: Shannen

    Shannen Rossmiller wanted to fight terrorism. So she went online and did. Read more about her from her book “The Unexpected Patriot: How an Ordinary American Mother Is Bringing Terrorists to Justice”. An affiliate link to the book on Amazon is here: https://amzn.to/3yaf5sI. Thanks to Spycast for allowing usage of the audio interview with Shannen.

    144: Rachel

    Rachel Tobac is a social engineer. In this episode we hear how she got started doing this and a few stories of how she hacked people and places using her voice and charm. Learn more about Rachel by following her on Twitter https://twitter.com/RachelTobac or by visiting https://www.socialproofsecurity.com/. Daniel Miessler also chimes in to talk about AI. Find out more about him at https://danielmiessler.com/.

    143: Jim Hates Scams

    Jim Browning has dedicated himself to combatting scammers, taking a proactive stance by infiltrating their computer systems. Through his efforts, he not only disrupts these fraudulent operations but also shares his findings publicly on YouTube, shedding light on the intricacies of scam networks. His work uncovers a myriad of intriguing insights into the digital underworld, which he articulately discusses, offering viewers a behind-the-scenes look at his methods for fighting back against scammers. Jim’s YouTube channel: https://www.youtube.com/c/JimBrowning

    142: Axact

    Axact sells fake diplomas and degrees. What could go wrong with this business plan?

    141: The Pig Butcher

    The #1 crime which results in the biggest financial loss is BEC fraud. The #2 crime is pig butchering. Ronnie Tokazowski https://twitter.com/iHeartMalware walks us through this wild world.

    139: D3f4ult

    This is the story of D3f4ult (twitter.com/_d3f4ult) from CWA. He was a hacktivist, upset with the state of the way things were, and wanted to make some changes. Changes were made.

    Sources:
    https://www.vice.com/en/article/z3ekk5/kane-gamble-cracka-back-online-after-a-two-year-internet-ban
    https://www.wired.com/2015/10/hacker-who-broke-into-cia-director-john-brennan-email-tells-how-he-did-it/
    https://www.hackread.com/fbi-server-hacked-miami-police-data-leaked/
    https://archive.ph/Si79V#selection-66795.5-66795.6
    https://wikileaks.org/cia-emails/John-Brennan-Draft-SF86/page-7.html

    138: The Mimics of Punjab

    This episode is about scammers in the Punjab region. Tarun (twitter.com/taruns21) comes on the show to tell us a story of what happened to him. Naomi Brockwell (twitter.com/naomibrockwell) makes an appearance to speak about digital privacy. To learn more about protecting your digital privacy, watch Naomi’s YouTube channel https://www.youtube.com/@NaomiBrockwellTV. And check out the books Extreme Privacy (https://amzn.to/3L3ffp9) and Beginner’s Introduction to Privacy (https://amzn.to/3EjuSoY).

    Related Episodes

    Ep 21: Black Duck Eggs

    Ira Winkler's specialty is assembling elite teams of special forces and intelligence officers to go after companies. Ira shares a story about a time he and his team broke into a Global 5 company, a company so large that theft of intellectual property could result in billions of dollars of damage. Ira's consulting company: Secure Mentum. His books: Spies Among Us, Advanced Persistent Security, Through the Eyes of the Enemy.

    54: NotPetya

    The story of NotPetya seems to be the first time we see what a cyber war looks like. In the summer of 2017 Ukraine suffered a serious and catastrophic cyber attack on their whole country. Hear how it went down, what got hit, and who was responsible. Guest: thanks to Andy Greenberg for his research and sharing this story. I urge you to get his book Sandworm because it’s a great story. For more show notes visit darknetdiaries.com/episode/54.