CyberWire Daily - In a hybrid war, it's about the timing. Not quite all quiet on the cyber front. Pyongyang is phishing for wallets (and other blockchained valuables). Emotet really likes those malicious macros.
Episode Date: April 19, 2022
In a hybrid war, sometimes it's about the timing. Not quite all quiet on the cyber front. Pyongyang is phishing for crypto wallets (and your NFTs, and other blockchained valuables). Emotet really likes those malicious macros. Joe Carrigan looks at prompt bombing. Bec McKeown from Immersive Labs explains human cyber capabilities. And it's our anniversary this week: celebrate with us.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/75
Selected reading.
Ukraine Update: Zelenskiy Says Battle for Donbas Has Begun (Bloomberg)
Ukraine at D+50: Russian reconstitution continues as shields stay up for ICS attacks. (The CyberWire)
Military intel chief believes Russia not to achieve any wins in Ukraine by Easter as Kremlin wishes (Ukrinform)
Ukraine War Divides Orthodox Faithful (New York Times)
US officials ramp up warnings about Russian cyberattacks (The Hill)
NATO Plays Cyberwar to Prep for a Real Russian Attack (Gizmodo)
FS-ISAC Leads Financial Sector in Global Live-Fire Cyber Exercise Locked Shields (PR Newswire)
If anyone understands Russian cyber dangers, it's Estonia's former president (Washington Post)
North Korean State-Sponsored APT Targets Blockchain Companies (CISA)
TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies (CISA)
US warns of Lazarus hackers using malicious cryptocurrency apps (BleepingComputer)
Trends in the Recent Emotet Maldoc Outbreak | FortiGuard Labs (Fortinet Blog)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Not quite all quiet on the cyber front.
Pyongyang is phishing for crypto wallets and your NFTs and other blockchained valuables.
Emotet really likes those malicious macros.
Joe Carrigan looks at prompt bombing.
Bec McKeown from Immersive Labs explains human cyber capabilities.
And happy anniversary to us.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 19th, 2022. It's not all quiet on the cyber front, but there's not much news from that phase of Russia's hybrid war against Ukraine.
Presumably, nuisance-level doxing and DDoS continue.
That includes one Azov-themed phishing campaign CERT-UA is warning against, emails marked urgent, and carrying a Cobalt Strike payload. But no major new cyber attacks are being reported.
For all that, Western governments are not disposed to drop their guard. NATO's Locked Shields, a defensive cyber live-fire exercise, is now underway in Tallinn. The scenario is said to be heavily shaped by events in Ukraine, as indeed it should be.
We've mentioned that Exercise Locked Shields includes not just military participants, but civilian government and even private sector organizations as well. One such organization is FS-ISAC, the Financial Services Information Sharing and Analysis Center, through which banks and other financial institutions routinely share cyber intelligence. Steven Silberstein, CEO of FS-ISAC, said in an announcement, "Cooperation at this scale reflects the interdependencies of all critical infrastructure sectors and the public sector. Leading the financial sector scenario is a natural extension of our role in promoting information sharing and collective defense to strengthen the resiliency of the global financial system."
Estonia's former president has a warning for his Ukrainian counterpart, and it's based on Estonia's experience with a crippling Russian cyber attack in 2017 that affected media, government agencies, and financial services. If the war continues to go badly on the ground, expect Russian cyber operators to pull out the stops.
That's according to the Washington Post.
CISA yesterday warned in a joint alert issued in coordination with the FBI and the Department of the Treasury that North Korea's Lazarus Group is conducting a campaign against a variety of organizations in the blockchain technology and cryptocurrency industry, including cryptocurrency exchanges, decentralized finance protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable non-fungible tokens. The attacks begin with social engineering designed to induce victims to download trojanized cryptocurrency applications. The malware toolkit, which CISA calls TraderTraitor, can infect both Windows and macOS systems. As usual, CISA offers an extensive set of indicators of compromise and recommended remediations.
In this case, as in so many others, the Lazarus Group is financially motivated, seeking to redress Pyongyang's enduring financial shortfalls through direct theft. They're collecting information, but they're also rifling wallets, as BleepingComputer notes.
Fortinet looks at recent Emotet outbreaks and describes the way the malware is being distributed: as the payload carried by malicious files, Excel spreadsheets and Word documents for the most part, attached to phishing emails. Since last month, the most common phish hook has been a malicious Excel file. Fortinet says, "We believe that the authors prefer to use Excel files with Excel 4.0 Macro for malicious documents to reduce detection by antivirus engines."
Thanks as always for listening and reading, but especially this week.
It's the CyberWire's sixth anniversary as an independent company.
For the past six years, the CyberWire has delivered your daily dose of the top cybersecurity news, and we're pleased to have become a trusted source for the industry. To celebrate our big six, and as a special thanks to all of our CyberWire listeners and readers, for one week we're offering a discount of 60% on annual subscriptions of CyberWire Pro. Use code CyberWireAnniversary2022 by April 25th to take advantage of this celebratory discount. Subscribe and save now, but above all, thank you for listening and reading the CyberWire.
Immersive Labs recently published their Cyber Workforce Benchmarks Report, examining the cyber skills, knowledge, and preparedness of organizations across various industries, including government, retail, healthcare and financial services.
Bec McKeown is Director of Human Science at Immersive Labs.
My personal background is around crisis response, so that was the most interesting one for me.
And I think a lot of it, or the really interesting part, was looking at the responses to ransomware attack threats and the decreased confidence levels that people were showing when they actually encountered those threats. And to me that's really explained by the fact that ransomware is very much what we call a wicked problem. So that means it's very complicated. It has an impact in lots of different areas.
You're working at speed, particularly when there's a crisis happening, you've got to do
something quite quickly. You don't have a full amount of information. And generally speaking,
when you make decisions that solve one problem, they'll create a problem in a different area.
It's a bit of a zero sum game.
And that for me is quite interesting from a psychological perspective, because you have to have some slightly different thinking skills and a different way of tackling those problems.
I'm fascinated by, you know, sort of the notion that the psychological approach to something like a ransomware attack, I can't help wondering, are cybersecurity people best prepared to deal with something like this? The tools that
they bring to the table, certainly technical expertise, are they perhaps not well served
when it comes to the emotional aspects of ransomware? I don't think it's quite as clear cut as that,
because I think the technical record, the technical skills and abilities, and certainly
the experience are really, really important. And I think really, rather than sort of looking at the
emotional impact, it's kind of like, well, actually, if people understand how their brains
work, how they react in emergencies, what they can then do is to learn
how to counteract the brain's natural instincts. And that will serve them better in helping them
to increase confidence in working in these difficult situations, but also to know that
they're not just jumping into the first solution they come across and to look at data and to take
their time. And that means
they're more likely to be effective in the decisions they make towards resolving the situation.
How do you make the value proposition case to the powers that be in an organization? You know,
as you say, if exercising these skills every eight weeks or so, that's a significant time investment.
How do you approach that? I think it's really about, to me, it's a change in mindset because a lot of people think, well,
actually, we need to train people. So actually, training involves taking them out of the
organization, sending them on a training course, paying for that training course, then they come
back. To me, it's about looking at continuing professional development as being part of the day job, because in terms of the bottom line, the finance of it, it's certainly not going to cost you any more. It's a big, big cost to take people out of the business and get, you know, consultants or whoever in to do these courses. But if you make it part of the day job, certainly from our point of view, we call it micro drilling. So it's little nibbles constantly throughout, you know, the week, the month, the quarter, that helps you build these skills. It would probably work out financially, and in terms of resource being away from the business, a lot less costly, because you're doing small nibbles regularly at your desk.
That's Bec McKeown from Immersive Labs.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
You know, something we talk about over on Hacking Humans
is this notion of putting your victims into a certain emotional state.
Yes.
Short-circuiting their rational thinking.
Correct.
This article came by that I found interesting.
This is from the folks over at BlackBerry.
And it's titled,
Prompt Bombing, Harnessing the Power of Irritation,
written by Lisa Myers and Gary Davis.
Joe, irritation is something that you're familiar with.
Yes, I am.
Every now and then on Hacking Humans, I say there's an attack out there for everybody.
And I say that frequently, but every now and then I say, hey, this is one that would work on me.
Yeah.
And one preying on my irritation is certainly one that I have to keep my guard up for.
So what exactly are they outlining here?
So what they're talking about here is they're calling it prompt bombing, which I think is a great name because it tells you exactly what's going on.
Yeah.
But essentially you install an app that then starts prompting you over and over and over again with all kinds of annoying questions. And eventually one of those questions, after you get conditioned to continually hit yes or dismiss or whatever, one of those questions is, hey, can I have permission to your microphone?
Right.
Yes.
Hey, can I read all your phone calls?
Yes.
Yeah.
And that way, this app can then gather all these permissions up or access to your files or whatever and start doing whatever it is that this malicious software does.
Now, you know what struck me about this, Dave, is when I was reading the description of it,
I'm like, you know what? Software companies have been doing this to us for years, right? In order
to proceed, you have to agree to this EULA. I agree to the EULA, right? The end user license
agreement. When was the last time you read an EULA? Oh, goodness. Come on. Are you serious? Nobody does. Yeah. Maybe Ben Yelin does, but he's a lawyer. Yes. I imagine Ben goes, ooh, let me read this.
Right. Lisa and Gary make a really good point here. These prompts don't have to be just frequent
and annoying. They can be embarrassing, right? Imagine a prompt that
comes up on your screen and shows, you know, like you've been clicking on those ads that say hot
singles in your area, right? And there's pictures of somebody going, hey, I'm a hot single. Look how
hot I am. Right. And here I am looking to meet with you, right? And you're in a meeting or
something, right? And somebody is looking over your shoulder
going, aren't you married? Right. I'm imagining in the car with my wife. Right. Oh, even better.
Yeah. Who's this? Right. Exactly. Exactly. How do I get rid of this as fast as I can?
Yes. Well, that's a social engineering technique to get you to agree to something that you probably
shouldn't agree to. Now, they go on and say in this article that there should be some kind of rate limiting.
I'm not exactly sure what that looks like
and how that works,
but I'm confident it can be done.
What I'd prefer to see is
any app that does this profusely
be pulled from the app stores.
You know, and this idea of push notifications
for apps, I mean, I've hunted down apps that do push notifications and remove them.
Right.
Like, I cannot stand the idea that somebody's sending me a notification for some ad for something.
Yeah, I have to say, this reminded me, there's a desktop app that I use that every now and then it just starts hitting me with, I need to install an
update. Is that okay? I need to install an update. Is that okay? And it just loops back on itself
and it is so aggravating. And this plays right into that, right? That aggravation of just click,
click, click, just go away. I have stuff to do. Just go away. Leave me alone. Leave me alone.
Yeah. Yeah, absolutely. This article points out that evidently prompt bombing has become part of the playbook for some of the groups like Lapsus and Cozy Bear.
Yeah.
They're using it evidently to bypass multi-factor authentication.
And the authors of this article point out that a big component of this is training.
Right.
Yep.
Training and education.
Just make sure that you're aware
of what the possibilities are.
I think that is a huge component.
And I think that's probably
one of the overlooked spots in,
I believe,
the entire social engineering problem
is a blind spot in the security industry.
It's getting less so.
But we all focus very much on these bright, shiny objects,
all these cool technical solutions,
but we don't do the basic stuff like inventory control,
asset management, and security awareness training.
Yeah.
Good thing this article points out that I really think is key here
is establishing an environment where the folks in your organization feel like they can come
to the security people if they've accidentally hit okay while fumbling with their phone, right?
After their phone is peppering them with all these things, they realize that maybe they clicked
something wrong, that they feel like they can come to you and they're not going to be beat up about
it. They're not going to be shamed about it, that you'll help them take care of it and
solve the problem.
But fostering that sort of environment is really going to make a huge difference in
your organization's security posture.
I would agree.
And that is going to be very, very difficult.
And one of the reasons I think that's going to be difficult is just because of human nature.
Yeah.
I mean, I will say that sometimes I get frustrated when I see people doing things that I know are not right, things that they shouldn't do.
Yeah.
Right?
And we have a story about it every week on Hacking Humans where somebody has done something.
And to our audience, it seems like an obvious mistake.
Yeah.
Right?
But you've got to remember, as a security professional,
you live steeped in this environment.
And everybody else doesn't, right?
They live steeped in the environment of maybe like human resources
or in engineering or software development or something.
And yeah, all these things should have some kind of security around them,
but they're really focused on getting their jobs done.
Right. They do not carry the level of cynicism that we do.
Maybe that's why I'm so good at what I do.
The weight of the world has not yet crushed their spirit.
That too.
The weight of the world has crushed old Joe's spirit.
There you go.
But sometimes it's hard, but you have to remember these people are not steeped in this world.
They don't live here.
They don't breathe this stuff.
Yeah.
And I have to remind myself of that from time to time that these people didn't fall for this because of any lack of understanding.
They fell for it because somebody took advantage of them.
And they're human.
And they're human.
They're people.
Yeah.
Right.
All right.
Well, again, this article is over on the BlackBerry blog.
It's titled Prompt Bombing, Harnessing the Power of Irritation.
Joe Carrigan, thanks for joining us.
My pleasure, Dave.
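The rate limiting Joe says he would like to see, and the detection logic behind it, as an added example that is not from the BlackBerry article or the CyberWire: a Python sketch that scans constructed authentication log lines for bursts of MFA push prompts to one user, records whether the burst ended in an approval (the outcome prompt bombing is after), and a small server-side limiter that refuses to send a fourth push inside the window rather than letting the user wear down. The log format, field names, thresholds and sample lines are all assumptions, not any vendor's schema.

```python
"""MFA push-fatigue ("prompt bombing") detection and rate limiting.

Added example for this page; the log format, thresholds and sample
lines below are constructed assumptions, not any vendor's schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <event> <source ip>".
# alice receives four pushes in about a minute and approves the last one;
# bob's single push/approve pair is normal traffic.
SAMPLE_LOG = """\
2022-04-19T08:00:01Z alice push_sent 203.0.113.5
2022-04-19T08:00:03Z alice push_denied 203.0.113.5
2022-04-19T08:00:20Z alice push_sent 203.0.113.5
2022-04-19T08:00:25Z alice push_denied 203.0.113.5
2022-04-19T08:00:41Z alice push_sent 203.0.113.5
2022-04-19T08:00:44Z alice push_timeout 203.0.113.5
2022-04-19T08:01:02Z alice push_sent 203.0.113.5
2022-04-19T08:01:15Z alice push_approved 203.0.113.5
2022-04-19T09:30:00Z bob push_sent 198.51.100.7
2022-04-19T09:30:08Z bob push_approved 198.51.100.7
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window
MAX_PUSHES = 3                   # assumed: a 4th push in the window is a burst


def parse_line(line):
    """Split one constructed log line into (timestamp, user, event, ip)."""
    ts, user, event, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip


def detect_prompt_bombing(log_text, window=WINDOW, max_pushes=MAX_PUSHES):
    """Return one alert per user whose push_sent count inside a sliding
    window exceeds max_pushes. The alert records whether a push_approved
    followed the burst, which is the outcome an attacker is after: the
    user approving just to make the prompts stop."""
    recent = defaultdict(deque)   # user -> timestamps of recent pushes
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = parse_line(line)
        if event == "push_sent":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:          # drop pushes outside the window
                q.popleft()
            if len(q) > max_pushes and user not in alerts:
                alerts[user] = {
                    "user": user, "ip": ip, "pushes": len(q),
                    "first": q[0], "last": ts, "approved_after_burst": False,
                }
        elif event == "push_approved" and user in alerts:
            alerts[user]["approved_after_burst"] = True
    return list(alerts.values())


class PushRateLimiter:
    """Server-side mitigation: refuse to send a push once a user has
    already received max_pushes inside the window, so the burst is
    stopped at the identity provider instead of on the user's phone."""

    def __init__(self, max_pushes=MAX_PUSHES, window=WINDOW):
        self.max_pushes = max_pushes
        self.window = window
        self._sent = defaultdict(deque)

    def allow(self, user, now):
        """True if a push may be sent now; False means fall back to a
        stronger factor (number matching, hardware key) and raise an alert."""
        q = self._sent[user]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_pushes:
            return False
        q.append(now)
        return True


def limiter_demo():
    """Replay the constructed push_sent lines through the limiter and
    return the (user, allowed) decision for each one."""
    limiter = PushRateLimiter()
    decisions = []
    for line in SAMPLE_LOG.splitlines():
        if not line.strip():
            continue
        ts, user, event, _ip = parse_line(line)
        if event == "push_sent":
            decisions.append((user, limiter.allow(user, ts)))
    return decisions


if __name__ == "__main__":
    for alert in detect_prompt_bombing(SAMPLE_LOG):
        print(alert)
    print(limiter_demo())
```

On the constructed log, the detector raises a single alert for alice with four pushes in the window and `approved_after_burst` set, which is the case worth paging on; the limiter replay shows alice's fourth push being refused while bob's lone push goes through. In a real deployment the refusal itself should be logged as a security event, since an attacker who already holds the password is the usual reason a user sees pushes they did not ask for.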
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
I want to share a word of congratulations to our friend Anne Johnson
and her team at Microsoft Security.
Today, Anne's podcast, Afternoon Cyber Tea,
is airing its 50th episode.
That's quite a milestone.
What an incredible journey with amazing guests on the show,
and I'm sure many more to come.
We're fortunate that Afternoon Cyber Tea
joined the CyberWire network last year,
and we look forward to seeing it continue to grow.
If you haven't checked out the show,
you can find it on all of your favorite podcast apps and at thecyberwire.com/afternoon-cyber-tea. Congratulations, Anne and the entire ACT team.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.