CyberWire Daily - A phishnet for the C-suite. Rootkit delivered by typosquatting. Stream-jacking in YouTube. Risk management. Hybrid war, and the laws thereof.
Episode Date: October 4, 2023
EvilProxy phishes for executives. Typosquatting to deliver a rootkit. Stream-jacking on YouTube. A global look at risk management. Assistance from a diverse set of international partners. In our Solution Spotlight segment, Simone Petrella speaks with Diane Janosek, Executive Director of Capitol Technology University's Center for Women in Cyber, about paths to cybersecurity and ways to address cybersecurity workforce intelligence through education. Dave Bittner previews the 3rd annual SOC Analyst Appreciation Day with Kayla Williams of Devo. And some guidelines for hacktivists engaged in hybrid war. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/190
Selected reading.
EvilProxy Phishing Attack Strikes Indeed (Menlo Security)
Typosquatting campaign delivers r77 rootkit via npm (ReversingLabs)
A Deep Dive into Stream-Jacking Attacks on YouTube and Why They're So Popular (Bitdefender Labs)
The C-suite playbook: Putting security at the epicenter of innovation (PwC)
European Peace Foundation (EPF) opens cyber classroom for Ukrainian Armed Forces - EU NEIGHBOURS east (EU NEIGHBOURS east)
Rethinking Security When So Many Threats Are Invisible (New York Times)
8 rules for "civilian hackers" during war, and 4 obligations for states to restrain them (EJIL: Talk!)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
EvilProxy phishes for executives. Typosquatting to deliver a rootkit.
Stream jacking on YouTube.
A global look at risk management.
Assistance from a diverse set of international partners.
In our Solution Spotlight segment, Simone Petrella speaks with Diane Janosek,
Executive Director of Capitol Technology University's Center for Women in Cyber,
about paths to cybersecurity and ways to address cybersecurity workforce intelligence through education.
Dave Bittner previews the third annual SOC Analyst Appreciation Day with Kayla Williams of Devo,
and some guidelines for hacktivists engaged in hybrid war.
I'm Trey Hester, filling in for Dave Bittner with your CyberWire Intel briefing for Wednesday, October 4th, 2023.
… insurance, property management, real estate, and manufacturing. The threat actors are using the EvilProxy phishing-as-a-service platform.
ReversingLabs has discovered a typosquatting campaign affecting the JavaScript package manager npm. The malicious package impersonated the legitimate package node-hide-console-window and was downloaded more than 700 times. The package installed a Discord bot called DiscordRAT 2.0 designed to deliver the open-source rootkit r77. The researchers explained, quote,
Like DiscordRAT, r77 is an example of open-source malware with extensive documentation that makes it easy to deploy, even by novice actors. r77 is a fileless Ring 3 rootkit that is able to disguise files and processes and that can be bundled with other software or launched directly.
r77 is a recent addition to DiscordRAT 2.0, with previous versions of that open-source malware lacking the ability to launch a rootkit.
Also of interest, the DiscordRAT 2.0 executable we studied did not use the newest version of the r77 rootkit, but an older version of the rootkit.
End quote.
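The campaign above turned on a package name that differed from the real one by a character or so, which is exactly what a dependency allowlist check can catch before `npm install` runs a lifecycle script. The following is an added example, not code from ReversingLabs or from the r77 or DiscordRAT projects. It assumes you maintain a list of the package names you actually depend on (the constructed `KNOWN_PACKAGES` list stands in for that) and flags any dependency name within one edit, after collapsing the separators npm users commonly confuse, of a name on that list. The lookalike names used to exercise it are constructed, not the names from the campaign.

```python
"""Flag npm dependency names that look like typosquats of packages you use.

Added example. KNOWN_PACKAGES is a constructed allowlist standing in for
the set of names you would extract from your own lockfiles; it is not a
real feed, and the lookalike names used below are constructed inputs.
"""
from __future__ import annotations

import re

# Constructed allowlist of package names an organisation actually depends on.
KNOWN_PACKAGES = [
    "node-hide-console-window",
    "express",
    "lodash",
    "discord.js",
]


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, swap.

    Adjacent transpositions count as one edit so 'lodahs' is one step from
    'lodash', which plain Levenshtein would score as two.
    """
    prev2: list[int] | None = None           # row i-2 of the DP table
    prev = list(range(len(b) + 1))           # row i-1 (row 0 to start)
    for i, ca in enumerate(a, start=1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1,        # delete ca
                         cur[j - 1] + 1,     # insert cb
                         prev[j - 1] + cost) # substitute / match
            if (prev2 is not None and i > 1 and j > 1
                    and ca == b[j - 2] and a[i - 2] == cb):
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # transpose
        prev2, prev = prev, cur
    return prev[len(b)]


def _normalize(name: str) -> str:
    """Lowercase, drop an npm scope, and collapse '-', '_' and '.'.

    This makes 'node_hide_console_window' compare equal to the hyphenated
    real name, and 'discordjs' equal to 'discord.js'.
    """
    name = name.lower().rsplit("/", 1)[-1]   # "@scope/pkg" -> "pkg"
    return re.sub(r"[-_.]", "", name)


def typosquat_candidates(name: str,
                         known: list[str] = KNOWN_PACKAGES,
                         max_distance: int = 1) -> list[tuple[str, int]]:
    """Return (known_package, distance) pairs that `name` may impersonate.

    A candidate is reported when either the raw names or their normalised
    forms are within `max_distance` edits. The real package itself (an
    exact match) is never a candidate.
    """
    hits: list[tuple[str, int]] = []
    for pkg in known:
        if pkg == name:
            continue
        d = min(edit_distance(name, pkg),
                edit_distance(_normalize(name), _normalize(pkg)))
        if d <= max_distance:
            hits.append((pkg, d))
    return sorted(hits, key=lambda h: h[1])


def audit_dependency_names(names: list[str]) -> dict[str, list[tuple[str, int]]]:
    """Run the check over every dependency name; keep only suspicious ones."""
    return {n: c for n in names if (c := typosquat_candidates(n))}


if __name__ == "__main__":
    # Constructed dependency list: three legitimate names and two lookalikes.
    sample = ["express", "lodash", "discord.js",
              "node-hide-console-windows", "lodahs"]
    for pkg, hits in audit_dependency_names(sample).items():
        print(f"{pkg}: looks like {hits}")
```

Run this against the `name` fields of your `package-lock.json` before installing on a new machine or in CI; a distance of 0 after normalisation means the only difference is a separator or a scope, which is still worth a manual look because npm treats those as distinct packages.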
Bitdefender looks at streamjacking attacks on YouTube in which cybercriminals compromise
large YouTube channels and use them to host live streams promoting scams. Many of the streams are
Elon Musk-themed, with a particular focus on Tesla news and cryptocurrency investments.
Some of the compromised accounts had millions of subscribers and billions of views. Bitdefender notes that in most of the cases analyzed, it seems that if the malicious
activity is detected by YouTube, the actual channels are deleted altogether. This means
the legitimate owner of that channel will lose everything—videos, playlists, views, subscribers,
monetization, and everything that goes beyond the YouTube channel itself unless talks are undertaken with YouTube.
PwC has published its Global Digital Trust Insights Survey for 2024,
finding that although cloud attacks are the top cyber concern,
about one-third of organizations have no risk management plan to address cloud service provider challenges.
Additionally, more than 30% of companies don't consistently follow what should be standard practices of cyber defense.
The survey also notes that a third of this year's respondents agree that four types of regulation will be most important to securing the future growth of their organization.
Regulation of AI, harmonization of cyber and data protection laws, mandatory reporting of cyber risk management, strategy and governance, and operational resilience requirements.
The European Peace Foundation has established a 15-workstation classroom to train Ukrainian military personnel in cyber operations, EU Neighbors East reports.
The classroom was set up by the Estonian Academy of Electronic Governance.
Within the last 18 months, the e-Governance Academy has procured, set up, installed, and configured cybersecurity equipment, security hardware, and software for the Ukrainian Armed Forces and conducted related training.
The New York Times offers an account of how support for Ukraine's cybersecurity has been delivered.
Microsoft, in particular, is mentioned in dispatches.
The vice president of European governmental affairs for Microsoft told the Times,
I think it's appropriate to start with the war in Ukraine.
It's something we've been engaged in very actively from the start,
even before, because of all the signals.
65 trillion signals that we analyze every day
to make sure that our customers are safe.
We have certain insights and information that governments don't have.
So we saw early on that something was going on in Ukraine,
and we collaborated with Ukrainian government
and gave them the information we had, end quote. Hacktivists get some guidance from the Red Cross.
Two officials of the International Committee of the Red Cross have issued guidance for hacktivists,
published as an essay in the European Journal of International Law. They amount to an extension of existing international norms of armed conflict to
cyberspace, with a view to preserving norms that would protect non-combatants, not only against
attacks against infrastructure, but also from online incitement to atrocity. Certain specific
classes of targets are explicitly prohibited, notably medical and humanitarian facilities. The BBC says that the IT army of Ukraine is unsure whether it can or will abide
by the rules. In particular, the IT army seems to view the rules as constituting an absolute
prohibition of collateral damage, which they state is not always possible to avoid. The group already
avoids attacks against hospitals and similar facilities, but has conducted
nuisance-level DDoS attacks against civilian infrastructure like banks and travel booking
services. The hacktivist auxiliaries on the other side of the war dismissed the ICRC as irrelevant.
Russia's Killnet stated, quote, Why should I listen to the Red Cross? Anonymous Sudan,
which, despite the name, is a Russian hacktivist auxiliary, rejected the ICRC rules
outright, saying the restrictions were not viable and that breaking them for the group's cause is
unavoidable. Cyberspace has a disinhibiting effect on its users, and that disinhibition,
that sense of immunity and impunity, carries over to hacktivists, many of whom act without a sense
of consequences that might restrain them in real life. One of the cautions the ICRC officials emphasize in their essay is that irregular combatants can be treated as
combatants and even, under some circumstances, as criminals. They state, quote, civilian hackers
risk losing protection against cyber or physical attack and may be criminally prosecuted if they
directly participate in hostilities through cyber means. While hacktivism has so far seldom, if ever, risen above the level of nuisance in Russia's war against Ukraine,
that could change.
An essay in Dark Reading lays out the case for taking the threat seriously,
despite its negligible results to date.
Groups like Killnet are taking an interest in wiper malware,
and they increasingly see themselves as a virtual analog of private military corporations like the Wagner Group.
Coming up after the break, in our Solution Spotlight segment, Simone Petrella speaks with Diane Janosek, Executive Director of Capitol Technology University's Center for
Women in Cyber, about paths to cybersecurity and ways to address cybersecurity workforce intelligence through education.
Dave Bittner previews the third annual SOC Analyst Appreciation Day with Kayla Williams
of Devo.
Stick around.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass
your company's defenses is by targeting your executives and their families at home? Black
Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Today, I am so thrilled to be joined by Diane Janosek, Executive Director of Capitol Technology University for their Center for Women
in Cyber. Diane, thank you so much for joining me today. Oh, thank you, Simone. I'm excited.
I am too. Let's get right to it. Can you start off by telling me a little bit about your own
path into cybersecurity? Oh, sure. I wasn't expecting that one, but we all have different
paths, especially since, as we know, cybersecurity really didn't pick up as an academic discipline until about 20 years ago when it was
in infancy. So folks that are working in the field usually have different paths that may all come
together around a common passion. And so my path was really on the law, policy, and technology side.
I did a lot of, I went into network security policy and I really appreciated that. I also had
to deal with some of the unauthorized disclosures and a lot of our interfaces with the public
and Capitol Hill in terms of protecting information. And then of course, the protection
of privacy and civil liberties. So those all really synchronize. So I'd like to think that
cybersecurity is kind of a nice umbrella because there's multiple things within that that are just really exciting and always changing. Yeah, that's amazing. So tell me,
how do you think that your own experiences have shaped the way that you think about the cyber
talent challenge that we're grappling with as an industry here? That's part of what we like to talk
about and highlight. So where does this kind of land for you as we think about how we solve this?
How we solve it? That's like the million dollar question. I know.
You had a dollar for every idea, but I think what we're looking at as the challenge,
the real challenge is getting the country energized, right? You always have to have a
sense of urgency that there's an issue that we have to rally around, kind of like the World War II, kind of, you know, we can do it and pull together. I usually have to have that as
an impetus before you really get people on board and, you know, get that momentum and get those,
get the buy-in. I think we've had that with enough incidences going on, as well as people
at their home having their own Ring doorbells, you know, compromised and, you know, having their
bank accounts constantly having to change out their credit cards, they were compromised. So people
are feeling it at a personal level. And then they're also seeing it, you know, at a national
level in terms of banks and libraries and Department of State. This is a challenge. It's
real, but not everyone's coming together in terms of how can we make a difference to actually change
this? And I think that part of that issue lays on how the United States is constructed in terms of our three branches of
government with our federal and our state, and how that issue has arisen on top of our governance
in the United States. And that's what makes it particularly challenging in terms of,
is there one way forward or not? Or can we all rally together around some common purposes and
goals?
Yeah, it definitely strikes me when I think about having worked in this space, but also previously in the more functional side and operational cybersecurity side, that there are a number of
really impressive initiatives, whether it be through industry, academia, and government,
that are looking to sort of take on this workforce shortage and the talent and
skillset shortage we have head on. What are some of the things that you have found, especially in
your work with Capital Technology University, that have helped to create new pathways, not only for
individuals, but maybe even for the employers that are looking to, you know, employ these graduates
after they go through their programs? Everyone has, you know, an innate need to belong.
They all want to belong to something that's important.
And if we can get people to have a sense of this area is important, you can easily get
them into the pipeline.
But getting them into the pipeline and getting them into the workforce, I think are almost
two different equations, right?
And we're trying to match those up with all the initiatives that are going on right now.
So in that regard, I think
they're looking at all avenues of tapping into talent, starting off young with, you know, some
of the middle schools and high schools, starting off with varying types of degrees and scholarships
and opportunities for associate degrees and bachelor's degrees. They're looking at doing
cross-training for mid-level career people that may want to change and move into the area of
cybersecurity, some cross-training going on. They're looking at, there's initiatives right now with veterans and
first responders. After they may have done their 20 years, they can move on and try something else,
moving naturally into the cybersecurity, retraining and having that paid for,
and having them open up the doors for that. So just opening up the aperture of who might be
interested so that the pull to pull from and to gravitate and get the energy behind it.
There's a bigger mass in which to literally pull from.
From that way forward, from the employer perspective, as you mentioned as well, they have to be creative.
So keeping folks upskilled and current is a whole nother challenge.
So this field is just layered with issues in terms of opportunities and challenges that have to go through it.
So that's why I call cybersecurity a team sport, because there's so much to get the right person in the chair at the right time to fit, you know, to address the right threat.
I've harped on for a while now around the idea that we're often trying to field players on the field without even knowing their positions in a real consistent way. And then we're somehow
surprised when we haven't given them the upskilling or the training to be successful in those roles.
We just expect them to kind of grow on trees. So that resonates with me a lot. One of the things
though, and it's near and dear to my heart,
I know to yours, is how much we've seen statistics over the years around representation in the
cybersecurity field, specifically around diversity of all kinds, women in particular. And this recent
study you're citing shows that the finding of, you know, the statistics we've seen across the industry are mirrored in the CAE
institutions as well, meaning we're still lacking as much diversity as we could in those programs
and in the industry. So my question to you, you know, even as a passion play and having mentored
so many women and worked in this field for so long is what can not only academia, but, you know,
when you think broadly about the industry,
what can our industry partners, what can academia, what can government do, what can organizations do
to really not just talk about diversity and increasing diversity, but what can they really
do in your mind that would start to actually have an impact on those numbers? Well, thank you for that. So in the area of
gender diversity, which I think the numbers are quite low, they're not moving as far as they want,
I believe. No, Jen H. Lee recently commented on that. They're moving some, but not enough.
In the area of gender diversity, they've been doing studies in terms of when a young female
might want to get into a STEM field,
they generally make up their mind by 10th grade,
if not eighth grade.
So you have to start really early.
So they may say, I want to go into science.
And somebody may say, well, but you're so good at writing.
I mean, you are such an amazing creative writer.
Like you don't want to give that up.
And the answer would be, you can do both.
You can do technical and do creative and it all comes together. And cybersecurity is so multi-talented as well.
So what it's really is trying to change that narrative at a young age so that the thought
of where they're going to school, it's planted in their head earlier. So I think we have to start
before they start thinking about what school they want to go to and say, this is an amazing profession. And the first way to do that is to give students role models,
show them, you know, open up the doors for, you know, different gaming opportunities
and competitions and just fun things and, you know, Rubik's cubes contests and different
things that they realize there is a home here and you do belong. Amazing. Thank you so much for joining us here
today. Really appreciate the conversation as usual. And is there anything else that you want
to kind of bring up that maybe I neglected to ask? I just wanted to mention that I often have people
say to me, well, you know, what is cyber about? You know, it's an amazing field to jump into. So it is perfect for
all ages, you know, all genders, all nationalities, and it's just fun.
And we're very supportive of each other. So join in.
Kayla Williams is Chief Information Security Officer at security firm Devo.
They're celebrating the third year of their annual SOC Analyst Appreciation Day,
an online event highlighting SOC analysts as unsung heroes
and encouraging organizations to improve
their job satisfaction and mental well-being. Here's Kayla Williams. Devo established our SOC
Analyst Appreciation Day three years ago to pay some very long overdue kudos and thanks to SOC
analysts who are on the front lines and to encourage organizations to improve job satisfaction
and mental well-being, not just for SOC analysts, but for the security team as a whole.
Well, give us an idea here of what exactly the event entails.
Yeah, so we have some presentations and discussions from some of InfoSec community's
most prolific thought leaders. Not to kind of brag on my own, but I'm moderating a panel, There's a seat for everyone in cyber, where we discuss how to identify the complementary skill sets in folks that may not
be a traditional InfoSec person and how to help kind of bring people into our field.
We talk with Peter, one of the co-founders of CyberMinds for a mental health session.
And we have John Hammond.
I don't know if you've seen him on YouTube, but he's going to be doing a SOC hacks session as well.
And who's your target audience here?
I mean, obviously SOC analysts, but folks who are perhaps interested in getting into the industry as well?
Absolutely.
Anybody who is interested in learning more about what it takes to be a SOC analyst, if they're not one already, if they're already
in a security field or in an organization that has a SOC and they want to make that leap over.
In particular, I would love to see and have feedback from folks who are interested in
transitioning into security. Obviously, after the pandemic, quite a few
people have wanted to make the career shift in one way or another. So we would love to see an
uptick in folks who just want to learn more about the industry. For folks who may not be familiar
with what exactly SOC analysts do, can you give us a little description or what's the typical
job description there? So for a SOC analyst, I mean, every day is something different,
but generally speaking, they are the ones on the front lines, their eyes on glass, if you will,
looking at the potential attack vectors that they're seeing on their screens through their
SIEM, their Security Incident and Event Management platform. They're responding to these
alerts, they're triaging, they're working with their business leaders to understand the risks
of the organization so they know what actually is a true risk versus a false positive. There's a lot
of what we like to call a frontline work in protecting their organizations, their employees,
their customers from these potential attacks.
And what is typically the career path for someone in this position? What sort of
requirements are there for someone to be effective here?
In my opinion, there really isn't a traditional path anymore. There used to be a very technical,
you wanted to be in the weeds, if you will, from a technical perspective. But now we're seeing shifts across the industry where people like myself, I don't have a
traditional background. I came from auditing. That was where I got my start in this field.
But we're seeing people who have more of the EQ to handle the stress of being in that type of situation. The desire to want to learn that,
that inherent curiosity of people who,
who love to identify trends analysis and looking through research to,
to understand what they're actually seeing.
They have this sense of justice of, you know,
wanting to stop the bad guys, if you will.
And really, it's a field for everyone more so now than ever before.
Well, the event is coming up.
It is October 18th.
How can people find out more?
They can find more at SOCAnalystDay.com.
That's S-O-C-AnalystDay.com.
All right. Terrific.
Well, Kayla, thanks so much for joining us.
Thank you for having me.
It's great speaking to you again.
Kayla Williams is Chief Information Security Officer at Devo. And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights
that help keep you a step ahead in the rapidly changing world of cybersecurity.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is me with original music by Elliott Peltzman. The show is written by our editorial staff. Our executive editor is Peter Kilpe. And I'm Trey Hester filling in for Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.