CyberWire Daily - APT37 has some new tricks. Multilingual BEC attacks. A look at the cyber phases of Russia’s war, and how being a crime victim may now be another way of serving the state. Influencers behaving badly.

Episode Date: February 16, 2023

North Korea's APT37 is distributing M2RAT. Multilingual BEC attacks, and how they happen. Assessing the cyber phase of Russia's war as the first anniversary of the invasion approaches. Killnet's attempt to rally hacktivists and criminals to the cause of Russia. Dinah Davis from Arctic Wolf describes continuous network scanning. Our guest is Dr. Inka Karppinen of CybSafe with a look at cyber security through the lens of a behavioral psychologist. And Grand Theft Auto is now also a TikTok challenge.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/32

Selected reading.
RedEyes hackers use new malware to steal data from Windows, phones (BleepingComputer)
Multilingual Executive Impersonation Attacks (Abnormal Intelligence)
Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape (Google Threat Analysis Group)
Following the Money: Killnet's 'Infinity Forum' Wooing Likeminded Cybercriminals (Flashpoint)
Hyundai, Kia patch bug allowing car thefts with a USB cable (BleepingComputer)
Hyundai and Kia Launch Service Campaign to Prevent Theft of Millions of Vehicles Targeted by Social Media Challenge (NHTSA)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. North Korea's APT37 is distributing M2RAT, multilingual business email compromise attacks and how they happen. Assessing the cyber phase of Russia's war as the first anniversary of the invasion approaches. Killnet's attempts to rally hacktivists and criminals to the cause of Russia. Dinah Davis from Arctic Wolf describes continuous network scanning.
Starting point is 00:02:25 Our guest is Dr. Inka Karppinen of CybSafe with a look at cybersecurity through the lens of a behavioral psychologist. And Grand Theft Auto is now also a TikTok challenge. From the CyberWire Studios and DataTribe, I [...] known as RedEyes or ScarCruft, is distributing a new strain of malware dubbed M2RAT, according to a report from AhnLab Security Emergency Response Center, ASEC. ASEC spotted M2RAT being distributed via phishing emails last month. The emails contain documents that will execute shellcode by exploiting an EPS vulnerability in the Hangul word processor, which BleepingComputer notes is commonly used in South Korea.
Starting point is 00:03:42 The shellcode will download a JPEG image to the victim's machine, then use steganography to extract code that will download M2RAT. The malware is designed to exfiltrate data via keylogging and screenshotting. M2RAT will also scan for mobile devices that are connected to the infected machine and will transfer any documents or voice recordings to the PC. ASEC explains that APT37 usually targets human rights activists, journalists, and North Korean defectors. The researchers note that since the threat actor targets individuals and personal devices rather than companies with expensive security solutions, the victims often don't know they've been compromised.
Starting point is 00:04:27 Abnormal Security today detailed insights into multilingual business email compromise attacks in a report and insights into two actors, Midnight Hedgehog and Mandarin Capybara, who launched these campaigns in multiple languages concurrently. BEC attacks may be somewhat less prevalent than their phishing and identity theft counterparts, Abnormal Security researchers say, but the availability, affordability, and accessibility of software and technology lower the barrier to entry in targeted multiple-language attacks. These attacks use common sales and marketing online services for malicious purposes.
Starting point is 00:05:10 The research states, using these resources, BEC actors tend to collect target contact information, referred to as leads, within a certain geographic area, usually a single country or state. Google Translate doesn't hurt either. While it's not flawless, it is free and allows for quick translation and turnaround to victims of varying tongues. The approach of the first anniversary of Russia's invasion of Ukraine has prompted a number of retrospective assessments of the cyber phases of Russia's war. The Washington Post cites expert opinion that sees a general Russian failure to integrate its cyber efforts into a more general
Starting point is 00:05:52 combined arms operation. This failure has led Russia's cyber campaigns to be far less effective than expected. Dmitri Alperovitch, executive chair of the Silverado Policy Accelerator, told the Post, "For cyber to be effective on a battlefield, it has to be deeply integrated into conventional military plans. They've utterly failed in achieving any tactical or strategic success, Viasat aside, which actually was a combined arms operation with significant effects." And, despite the efforts of Russia's cybercriminal auxiliaries, large-scale and devastating cyberattacks against nations sympathetic to
Starting point is 00:06:32 Ukraine have also fallen short of expectations. CISA Director Easterly said, "I think all of us were surprised, somewhat, that there have not been more significant attacks outside of Ukraine." In a report issued this morning titled "Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape," Google's Threat Analysis Group, Mandiant, and Trust and Safety groups offered an appreciation of how the cyber phases of the war have developed. Google makes no pretense of neutrality in the war, which it directly calls Russian aggression. Russian cyber operations have so far fallen short of pre-war expectations and may well continue to do so, but Google thinks that the war has shown that cyber
Starting point is 00:07:18 operations are likely to remain an enduring feature of future wars. Flashpoint offers an update on the Infinity criminal-to-criminal marketplace, which Killnet, the Russian cyber-criminal auxiliary, has opened to attract more talent to the Russian cause. It continues to offer strong financial incentives to those willing to work for the Kremlin. One interesting conclusion the researchers arrive at is that Infinity's rules are much less fastidious about permitting financially motivated crime against Russian organizations than other Russian criminal forums have been. The researchers state, "Notably, the forum does not seem to discourage members from selling data breached from Russian entities, such as malware logs or passports,
Starting point is 00:08:06 which traditionally is frowned upon or downright forbidden on most Russian-speaking forums." So, Russian businesses and individuals may be on their way to becoming collateral damage, or, if you prefer, friendly fire casualties. And that, too, from Moscow's point of view, may simply be another way of serving the state. Finally, here's the latest threat to your car. Dimwits yucking it up on TikTok. Car manufacturers Hyundai and Kia have rolled out free theft deterrent software for vehicles that don't have an immobilizer, the United States Department of Transportation said in a press release on Tuesday. Social media giant TikTok, known for its short-form video format, has seen the promotion of a so-called Kia Challenge observed since July
Starting point is 00:08:58 of last year, in which users share videos showing how to remove the steering column cover to reveal a USB-A slot that can be used to hotwire the car, BleepingComputer wrote yesterday. This challenge went viral, and Los Angeles, California saw an 85% increase in Kia and Hyundai thefts in 2022, with Chicago seeing a nine-time increase for the same brands. The issue resides with a flaw in the vehicle's turn-key-to-start system that allows for bypassing of the immobilizer that verifies the authenticity of the code in the key's transponder to the car's ECU. This allows thieves to forcibly activate the ignition cylinder using any USB cable to start the vehicle. The NHTSA says that the update provides an extended alarm duration from 30 seconds to one minute and requires a physical key in the ignition to start. More updates for more models are
Starting point is 00:09:59 anticipated in June. We leave comment about the malign imbecility of social media influencers as an exercise for you, dear listener. Remember the Tide Pod Challenge? Yeah, we wish we could forget it, too. And good luck to Hyundai and Kia drivers, as CISA would put it, apply updates per vendor instructions. Coming up after the break, Dinah Davis from Arctic Wolf describes continuous network scanning. Our guest is Dr. Inka Karppinen of CybSafe with a look at cybersecurity
Starting point is 00:10:40 through the lens of a behavioral psychologist. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
Starting point is 00:11:34 access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:12:24 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Dr. Inka Karppinen is a behavioral scientist at behavioral analytics platform provider CybSafe. I reached out to her for insights on the human side of cybersecurity through the lens of a behavioral scientist. CSOs work in different industries. They work in retail industries,
Starting point is 00:13:11 they work in banking, financial services, as well as more service-related industries. And the top tip for any of these industries is to listen to your people, talk to your people, know who your employees are, because that's the only way you're actually going to then find out what you need to do for your cybersecurity initiatives for the year, for example. So it is really check out the practices,
Starting point is 00:13:37 especially if people are using what we call shadow practices in cybersecurity. So you might have training procedures, you have policies in cybersecurity, you know, things you do and you don't, what is allowed, what's not. And we need to make sure that those policies, for example, and procedures are clear.
Starting point is 00:14:00 They are concise. They are understandable by all the people in the organizations. And obviously, different organizations consist of different types of people. So really, if you're going to talk to people, even during the coffee machine break, whether you send a Slack message or whether it's a simple survey, you can find out a lot about them. And if you then ask, okay, what, you know, what do you guys know about
Starting point is 00:14:25 multi-factor authentication, for example? And you know that you've given that training, you know, earlier in the year. They say, oh, actually, I don't know what it is. Now, if you find that one person who doesn't find what it is, I bet you there is about, you know, multiple of others. So depending on organizational size, you can multiply those people. And finding out what are the knowledge gaps, why people, even if they know how to use multi-factor authentication, why are they not using it? Ask, are you using it?
Starting point is 00:14:59 How are you using it? Do you find it, you know, does it help with your productivity? Does it hinder your daily job? You know, is it a pain? And you might find something really, really interesting. And then you can help them to actually either break the beliefs or myths or break the procedures in a more digestible format. How do you nurture those good habits? How do you encourage them to do the right thing? That's a very interesting question
Starting point is 00:15:33 because it can be applied to anywhere, whether it's your personal health or diet. Now we're talking about cybersecurity, which is something that it's a bit of a, for a person, they don't see it. So when cyber security is good, kind of nothing happens. And when something goes wrong, then the train kicks in, everybody goes in a panic mode, and then something happens. So actually encouraging good habits means that you actually have to communicate during those times that things are good.
Starting point is 00:16:08 You know, if you do a phishing simulation, for example, I identify my phishing. This is a simulation. I press the report button at my end. Well, I just don't get any feedback, basically. Well, what if you would get feedback? How good does it make you feel when you actually correctly did something? So that's the kind of open feedback environment that could actually potentially help a lot on these matters. And I've actually received something
Starting point is 00:16:38 like this myself a few weeks ago when I reported a phishing email correctly. And even somebody who works in the industry, I thought, oh, this made me really happy. I've done something correct, even that tiny little bit. Although I work in an industry and, you know, I know about this stuff, but it just makes people feel good. And it's collaboration. So listening to people, asking. You know, if you do have a mistake, you recognize that you clicked on a link that you shouldn't have, um, report it. Tell us, tell somebody about it, whether you tell your line manager, whether you tell the IT or somebody in your security team. You know, let us know, because that's the way we protect the organization. We protect you as an employee. And because we're going to be protecting you, we also protect your family because we are
Starting point is 00:17:33 doing well. You get to, you know, still have a good organization to work to. We will survive tough times and it's more personal. So it kind of hits the point of, actually, why are we doing this thing? We are fighting against cybercrime together. We are not like individual players in a team and one team is only responsible of this. Everybody's in the same boat and everybody benefits from good cybersecurity hygiene,
Starting point is 00:18:04 including your family. So let's encourage that. And that's how you probably get through the difficult part of explaining to people why something should matter to them. You make it more relatable to themselves. It's a bit like the health behaviors. So you look at, you know, stop smoking, drinking campaigns. It is pretty much about the benefits of what happens when you do so in your body, for example.
Starting point is 00:18:32 That's Dr. Inka Karppinen from CybSafe. And I am pleased to be joined once again by Dinah Davis. She is the VP of R&D Operations at Arctic Wolf. Dinah, always a pleasure to welcome you back. I saw over on the Arctic Wolf website, you all had an article about continuous network scanning. I think that's a topic worth discussing here. What can you share with us? Yeah. So, you know, attackers are working around the clock to try and get into our corporate networks, right? And one important technique to thwart that is continuous network scanning. But, you know, okay, so what is that, right? So it's monitoring
Starting point is 00:19:26 for intrusions around the clock. You want to be able to reduce the likelihood that an IT system will be breached to steal that data. And if it does happen, you find it quickly, right? And that really does need that continuous monitoring. But it also requires continuous and automatic alerts, right? So that when something happens, somebody gets notified so you can look at that. And then the other part of continuous network scanning that is good is it helps you build reports so that you can evaluate your defense posture, basically. What about alert fatigue? I mean, you say you get all these alerts. We talk about the fire hose of alerts
Starting point is 00:20:12 and people get tired of it and start turning them off. And the next thing you know, you're kind of working against yourself. How do you fight that fight? So alert fatigue is a real problem. You have one of two choices, really. You can spend a lot of time tuning your system to make sure you're only getting what you really care about so you don't get alert fatigue, or you can go with a managed provider. And with Arctic Wolf, that's what we do. We only notify our customers when something really bad is happening, but we do take everything in. And we've written all kinds of rules and algorithms to figure out what is important so that our security engineers don't get alert fatigue as well. It's important even in our internal SOC for them not to get alert fatigue. So there is a balance there. And it is very important how you set it up.
Starting point is 00:21:12 And if you don't set it up correctly, you could end up with that for sure. I see. What are the different types of network scans that are out there and that people should know about? Yeah, so first there's two methods of network scanning, right? So there's the passive network scanning, and so that's the tools that are going to, like, watch the data and activities that are flowing through your system. And then there's active network scanning, where you're actively trying to poke holes in places, right? So, um, you want to be doing both, but obviously the passive is easier to do
Starting point is 00:21:41 kind of around the clock, whereas the active is something you can only do every once in a while, right? Because you have to actually do something about that. So important, the first one I would say is external vulnerability scans. It's a passive scan. And what it's trying to do is, you know, look at your network from the hacker's perspective, like from the outside, hence the "external" in external vulnerability scan. And it's looking at external IP addresses, at domains, at ports. Are they open? Are they not? These types of scans are what happen, like are used or like have been used to find those open permissions on GitHub repositories and things like that. So you can use it in that way. Internal vulnerability scanning is also very important. That is done
Starting point is 00:22:36 from inside the network. And it's running scans on everything in your network. And it's noting every software version that it's running, and then good software will be comparing that to the latest software that you have, as well as comparing to see if there's any major security issues with the version you're running, and then recommend an upgrade for you, right? These can be run automatically at regular intervals, both of those things. And the third passive scan would be a host-based agent scan. So software that actually lives on the devices in your organizations to track active progress, like applications and Wi-Fi networks you're connecting to, USB drives that don't conform with company policies, that kind of stuff.
Starting point is 00:23:23 It really watches those types of things. And then finally, you have the active scan, which is basically penetration testing, or in the lingo, pen testing, if you hear that. And it's really testing the effectiveness of your cybersecurity efforts, identifying potential weak spots. And not only is it testing your software,
Starting point is 00:23:45 but it's often testing your human response capabilities as well, right? So if you do a true pen test and your team actually sees it and thinks it's real, they're going to react and you can see your whole organization, how they're going to work. Or they might not react appropriately, and then you can know where you need to go and do some training. All right. Well, interesting stuff. Dinah Davis, thanks so much for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge.
Starting point is 00:24:29 It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. [...] N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
Starting point is 00:25:43 We'll see you back here tomorrow. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com
