CyberWire Daily - Phishing in the Iranian diaspora. Not your grandma and grandpa's crypter. Malware-as-a-service. Proofs-of-concept (one is a zero-day). Apple sues NSO Group.
Episode Date: November 24, 2021
An apparent cyberespionage campaign targets the Iranian diaspora. Babadeda is an emerging crypter seeing use against alt-coin and NFT speculators. RATDispenser is out in the wild, a malware-as-a-service operation. Proofs-of-concept published for Microsoft exploits. Apple sues NSO Group. Group-IB's founder asks President Putin for clemency. Caleb Barlow on the difference between working for a company that is funded by VCs, PEs, angels or is public. Our guest today is Karl Sigler from Trustwave on the results of the 2021 Trustwave SpiderLabs Telemetry Report. And there's a guilty plea in the Wolf of Sophia case. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/226
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The current cyber espionage campaign targets the Iranian diaspora. Babadeda is an emerging crypter seeing use against altcoin and NFT speculators.
RATDispenser is out in the wild, a malware-as-a-service operation.
Proofs of Concept published for Microsoft exploits.
Apple sues NSO Group.
Group-IB's founder asks President Putin for clemency.
Caleb Barlow on the difference between working for a company
that is funded by VCs, PEs, angels, or is public.
Our guest today is Karl Sigler from Trustwave
on the results of the 2021 Trustwave SpiderLabs telemetry report.
And there's a guilty plea in the Wolf of Sophia case.
From the CyberWire studios at DataTribe, I'm Trey Hester with your CyberWire summary for Wednesday, November 24th, 2021. Researchers at security firm SafeBreach this morning issued a report on what they characterize as an Iranian threat actor using a Microsoft MSHTML remote code execution exploit with a new PowerShell stealer.
It appears to be a cyber espionage campaign against Farsi-speaking targets.
The campaign appears to have begun in mid-September.
The geography of the attacks suggests that the targets are either members of the Iranian diaspora
or Farsi-speaking foreign specialists in Iranian affairs.
The malware is spread in phishing attacks,
whose lures include clickbait denouncing
the Islamic Republic and its leaders. As SafeBreach puts it, quote, almost half of the victims
are located in the United States. Based on the Microsoft Word document content, which blames
Iran's leader for the corona massacre and the nature of the collected data, we assume that the
victims might be Iranians who live abroad
and might be seen as a threat to Iran's Islamic regime.
The adversary might be tied to Iran's Islamic regime since the Telegram surveillance usage
is typical of Iran's threat actors Infy, Ferocious Kitten, and Rampant Kitten.
Surprisingly, the usage of exploits for the infection is quite unique to
Iranian threat actors, which, in most cases, rely heavily on social engineering tricks.
End quote. The U.S. isn't the only country where Farsi speakers are being prospected,
but it does account for a bit more than 45% of the infestations SafeBreach's heat map displays. The Netherlands comes in second,
followed by Russia, Germany, and Canada, neck and neck and neck for third place.
China, Korea, the United Kingdom, and India are all roughly tied for fourth.
Security firm Morphisec late yesterday published a study of an emerging crypter, Babadeda, which criminals
are using to mount and obfuscate malware attacks against cryptocurrency traders and NFT speculators.
Quote, targeting cryptocurrency users through trusted attack vectors gives its distributors
a fast-growing selection of potential victims. Once on a victim's machine, masquerading as a known
application with a complex obfuscation also means that anyone relying on signature-based malware
effectively has no way of knowing Babadeda is on their machine, or of stopping it from executing.
End quote. Babadeda has been found operating in the popular Discord community,
a good place to be if you're trolling for altcoin and NFT enthusiasts.
The crypter is probably being used by a Russophone gang.
Its name, which derives from a placeholder used in its code, is Russian for Granny Gramps. But there's nothing homey or domesticated about it.
This isn't your Pop Pop's mom and pop.
Threat researchers at HP describe an evasive JavaScript loader they're calling RATDispenser. The name reveals the
function. RATDispenser distributes remote access Trojans and associated information stealers to
its targets. It's an initial access tool, and HP thinks it's probably being operated in a malware
as a service play. RATDispenser has been observed delivering eight malware families, including
STRRAT, WSHRAT, AdWind, Remcos, Formbook, Panda Stealer, Ratty, and GuLoader.
The most interesting among them is Panda Stealer, HP says, adding,
First seen in April 2021, this is a new malware family that targets cryptocurrency wallets.
The Panda Stealer samples we analyzed were all fileless variants that download additional payloads from a text storage site, paste.ee.
The least common families were GuLoader and Ratty.
GuLoader is a downloader known for downloading and running various RATs,
while Ratty is an open-source RAT written in Java.
End quote.
In November's Patch Tuesday,
Microsoft addressed a high-severity remote code execution issue in on-premises Exchange Server 2016 and 2019. Users are advised to patch.
The flaw is being exploited in the wild, and a proof-of-concept exploit has been published,
Computing and others report. Bleeping Computer reports that a working proof-of-concept that
bypasses Microsoft's November patch of Windows Installer Elevation of Privilege Vulnerability,
CVE-2021-41379, has been developed. The zero-day opens systems up to privilege escalation attacks.
The researcher who posted the proof of concept to GitHub, as opposed to quietly disclosing it
to Microsoft, says he did so out of frustration over reductions in bug
bounties. A quick note of disclosure, Microsoft is a CyberWire sponsor. Apple has filed a lawsuit
against NSO Group. The complaint includes details about the FORCEDENTRY exploit, which took
advantage of a since-patched vulnerability to install Pegasus intercept tools in iPhones.
Apple calls NSO Group a state-sponsored group and quotes with evident approval Citizen Lab's
characterization of the Israeli firm as one of a number of mercenary spyware firms.
The text of the lawsuit itself is even harsher, calling NSO Group, quote,
amoral 21st century mercenaries who have created highly sophisticated cyber surveillance machinery. End quote. In addition to seeking unspecified damages,
Apple has asked the federal court for the Northern District of California
to grant a permanent injunction to ban NSO Group from using any Apple software, services, or devices.
The New York Times observes that this is the second major lawsuit a corporation has brought
against NSO Group, alleging damages for abuse of its Pegasus tool. Facebook sued the intercept
vendor in 2019 for targeting WhatsApp users. Reuters quotes NSO Group's response to Apple's announcement, quote,
Pedophiles and terrorists can freely operate in technological safe havens, and we provide
governments the lawful tools to fight it. NSO Group will continue to advocate for the truth,
end quote. The U.S. Congress has heard over the past year and listened sympathetically about how
encryption can cloak child abuse, and that
sentiment is far from confined to the U.S. It doesn't even appear to operate most strongly in
America. Meta, the newly named parent of Facebook and Instagram, has announced that it will delay
its plans to bring end-to-end encryption to two of its flagship platforms until 2023 at least,
The Telegraph reported earlier this week. In that case,
the delay is prompted, according to The Guardian, by concerns over child safety. The fear,
particularly in evidence among British officials and child protection advocates,
is that end-to-end encryption will place children at risk by cloaking their abusers.
Apple also announced its support for organizations researching abusive cyber surveillance.
Both Citizen Lab and Amnesty Tech
are mentioned in dispatches.
It's offering $10 million to support such work
as well as some in-kind contributions.
Quote,
Apple will also support the accomplished researchers
at the Citizen Lab
with pro bono technical, threat intelligence,
and engineering assistance to aid their independent research mission. And where appropriate, End quote.
Ilya Sachkov, founder and head of security firm Group-IB, which operates out of Singapore and Moscow,
was jailed in September on charges of
treason for allegedly releasing Russian state secrets. His pre-trial detention has been extended
through February, and Reuters reports that Sachkov, who's maintained his innocence, has appealed to
President Putin for release to home confinement at least, comparing himself to a latter-day Dreyfus,
a loyal man being persecuted on trumped-up charges.
No response, so far, from President Putin.
And finally, Bloomberg reports that an Israeli man, who's identified only as Tal Yak-Eziyev
and has his face blurred out in news photos, copped a guilty plea in Munich court to charges
that he served as an accomplice to the Wolf of
Sophia, bilking investors in Germany and Austria out of lots of cash by running investment scams
through call centers located in various Balkan locations. Mr. Zeef says he's sorry and that it
was really the booze and the blow that sort of made him do it. Bloomberg writes,
Tal Yak-Eziyev consumed two to three liters of whiskey and two or three grams of cocaine every
He's seeking to get into rehab and hopes to be transferred to Israel, where his former wife lives with their children.
If she takes him back, well, that's one forgiving ex.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives. Learn more at blackcloak.io.
vulnerabilities. It's a mixed bag overall. Organizations understand the need to patch
their systems and in many cases are doing so, but overall it's hard to say they're doing so
in a timely manner. Karl Sigler is manager of the SpiderLabs threat intelligence team at Trustwave.
You know, we've seen a massive trend in vulnerabilities being discovered anyway.
In 2020, we saw a little
bit over 18,000 vulnerabilities reported and cataloged by the National Vulnerability Database
from NIST. This year, 2021, we're on track to surpass that. So year after year, we're seeing
more and more vulnerabilities exposed, released, documented. What we aren't seeing is any
improvement in administrators
actually getting those patches in place. And why do we suppose that is? I mean,
do we have empathy for the folks who are out there trying to get this done every day?
What would they say if we asked them? I think we should have empathy for the poor
administrators out there. While we are seeing that administrators aren't putting patches on as quickly as we would like,
the reasons for that are really diverse.
I think there's this mythology that administrators are understaffed.
They are over their heads with too many things to do.
Things fall through the cracks.
Perhaps it's just lack of experience or laziness.
I don't think that's necessarily true.
I think there are a lot of reasons why we're not seeing patches applied.
And not all of that has to do with inexperienced administrators or just lazy administrators.
There are some very good reasons why patches aren't being applied in a very timely fashion.
And what do you suppose some of those are?
So I think complexity plays a huge part of this.
When you have such complex software that interacts with clusters of servers rather than just one single server,
a lot of these organizations are globally disparate.
So you have systems that may be spread out across multiple geographies, multiple time zones, administrators with different languages.
Once you have that level of complexity, especially for these larger organizations, that complexity cascades right down to patching.
And it makes the patching process a very difficult one to navigate.
And I think that a lot of administrators that work for those large organizations would completely agree with that.
For the smaller organizations, we sort of see sort of the opposite story.
They may not be as complex, but then the staffing isn't as robust or maybe as experienced as some of the larger organizations.
And sometimes those administrators, they are the ones that maybe have had too much put on their plate and patching may be the last priority on the list.
So there's a bunch of different reasons why this occurs.
And I think complexity and just all of the hoops
that need to be hopped through
in order to get proper patching in place is a big part of that.
So based on the information that you've gathered here, what are your recommendations?
I think first off, definitely organizations need to make sure that they have a good inventory of
their networks. I think you mentioned it. It's an important point because first and foremost,
if you don't know what assets you have, you don't know what to patch.
And that involves not just doing a network scan of IP addresses.
That involves talking to your staff.
That involves looking for odd protocols, you know, older protocols like NetBEUI or, Lord forbid, IPX.
And newer things like IPv6. A lot of people do their inventory just based on IPv4
addresses and don't realize that IPv6 is the de facto standard and there may be exposed systems
just from those addresses. So proper inventory is first. I think that organizations with a proper
inventory will better be able to prioritize which systems are critical to them.
And then assign responsibility to patching, perhaps outside of your administrative staff.
If you make your systems administrators responsible for patching too, a lot of times it's going to be deprioritized.
Administrators, especially in this day and age, they're primarily focused on the availability of their systems to their users.
Patching takes away some of that availability.
So just to avoid issues, they may put that to the bottom of the list.
But if you have a separate team dedicated, which is just making sure you're up to date on patches, that's their primary mission statement, I think you'll find that it gets done a lot faster and a lot more in a cleaner fashion
where it's not causing outages or problems with your infrastructure. And then, of course,
formalize and document the process. Once you actually have it set up, make sure it's documented
and that it's a living document that is constantly updated. That way, if your administrators or your
patching team gets bitten by a rattlesnake on their way to work, they can go ahead and pull that documentation out and follow what the previous admins before them were doing.
That's Karl Sigler from Trustwave.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And I am pleased to be joined once again by Caleb Barlow. Caleb, always great to have you back. You know, I keep seeing all these headlines in the news about what they're calling the great resignation and people leaving their jobs for different jobs, for better jobs.
I'm not quite sure how that aligns with cybersecurity where we hear about so many open jobs.
And I wanted to check in with you on that.
I mean, where do you think this whole notion of a great resignation is going to
resonate in our vertical? Well, you know, with 4.4 million people quitting their jobs in September,
I think it's going to get interesting. And a lot of this, Dave, is people just kind of
coming back out of the pandemic saying, hey, is the grass any greener on the other side?
Interestingly enough, I'm actually part of that group,
recently finishing up my last gig as a CEO of a public security services company, right?
Right, right.
You need not throw a stick very far before you're going to hit something.
What I think is really interesting about this, Dave, and as I start looking at opportunities
and ventures and entrepreneurial ideas, one of the things I'm paying a lot of attention to that I never have in a job search before is how are the companies I'm
looking at being funded? Now, you know, so you talk about the security industry. Not only are
there a lot of open jobs, but it's also quite unique in that billions of dollars a year flow into this industry through a variety of different funding models.
And how a company's funded may really impact your growth and ultimately your compensation over time.
So, you know, and it's not just, let's face it, this mostly impacts you if you're working for a security vendor.
But the same thought process applies if you're buying products from someone.
How does their funding model impact their growth and the risk of working with them?
Well, let's unpack that some. I mean, what are the various funding models and how would they affect this? Well, let's start with a private company. Let's say, you know, it's founder-led
early on, not uncommon in early stage companies. Some pros here, high passion and commitment from leadership.
But there's also some cons, Dave. Funding, management, and governance are all typically
in the same individual that literally puts all the eggs in one basket. So if anything happens
to that founder, it can cause real issues at the company, whether that's a divorce, a death,
an illness, or just deciding to do something different. And if equity is provided to you,
it may be a decade or more before it becomes liquid. What about some of the other funding
models? Well, I think the other kind of common funding model that we see a lot in the security
space is venture capital. And what this involves is outside capital being brought in to help a
company grow, often multiple rounds. And the game here is that each successive round, the valuation of the company should go up in an effort to offset any dilution
for early investors. Now, what I like about a VC model is governance is typically held at a board
level. So now you're spreading out responsibility to multiple people versus all the eggs in one
basket. Employee equity often becomes really real. Even at some fairly low levels in the organization, there's an opportunity for
upside. But some things you want to look for. Who are the VCs?
What's their success rate? What's the burn rate? How much is the company losing every quarter?
How much are they growing? And there's this thing called the rule of 40.
And I'm not going to explain it here because we don't have time, Dave, but Google it. This is often
how people are evaluating these companies is something called the rule of 40.
Now, the other big thing is what's the valuation?
Just because a company took down a quarter of a billion dollars and we see companies doing that,
remember, they've got to grow into that in order to get that valuation back for the company.
So great upside, lots of equity available, and a much more reasonable risk posture versus a privately held company.
Yeah, it strikes me that everybody has their own ability to deal with uncertainty. And as you go
into different job opportunities, that's part of the equation there, right? I mean, a startup is
going to be different than an established company, an IBM or a Microsoft or any of those big companies that have been
around and are in no danger of going out of business anytime soon. Well, that's exactly right.
And part of what you have to evaluate when you're looking for a job is where are you at in your
career? Where are you at in your life in terms of your ability to take risk, and how do you want to balance what you might get paid versus the opportunity for upside?
And this brings us to private equity. Now, this typically comes in
when a company is established and growth is consistent. Private equity
focuses on optimization, so things like EBITDA, process control, go-to-market.
Think of it this way. Where the company might have been flying via visual
rules, private equity is going to get them flying via instrumentation.
The opportunities for private
equity get really interesting, especially if you're one of the top executives in the company.
It can be very lucrative because your investment, what you might
roll into the company, if you will, goes alongside that PE
firm. Now, the downside is sometimes a
liquidity event might be five or 10 years out, and it comes with gates, right? So, PEs, there's often
not multiple rounds. It's oftentimes a mega grant, right? They buy the company, they put X amount in,
and they want to see a return on that. But often you'll see 12 to 15 percent of that investment reserved
for employees. So these things can be very lucrative. You just got to be really patient
to get there. Are there any red flags here, you know, things that folks should be on the lookout
for or questions they should ask? Well, I think one of the big red flags for me is to look at
the difference between when we go back to a privately funded
company, the difference between a founder chasing a first equity event and a serial entrepreneur.
You know, I love entrepreneurs, including people that come up with an idea the first time,
but trust me on this, a serial entrepreneur, they're going to make decisions very differently
than somebody who's been going through this for the very first time because they recognize that speed and momentum really matter.
All right. Well, interesting insights. Caleb Barlow, thanks for joining us.
And that's the CyberWire.
Tomorrow is Thanksgiving here in the U.S., and we wish everyone a happy holiday.
We'll be taking tomorrow and Friday off, but we'll be back as usual on Monday.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It will save you time and keep you informed.
Also, listen for us on your Alexa smart speaker.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.
Our amazing CyberWire team is Elliot Peltzman, Brandon Karpf, Puru Prakash,
Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Falecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby,
and I'm Trey Hester, filling in for Dave Bittner. Thanks for listening, and we'll see you Monday.