CyberWire Daily - Phishing kits in the C2C market. Cyberespionage, Pyongyang and Beijing editions. Ransomware under the radar. A new hacktivist group says it doesn’t much care for NATO corruption.
Episode Date: August 25, 2023
Telekopye and the rise of commodified phishing kits. Lazarus Group fields new malware. Implications of China's campaign against vulnerable Barracuda appliances. Abhubllka ransomware's targeting and low extortion demands. Malek Ben Salem of Accenture outlines generative AI implications to spam detection. Jeff Welgan, Chief Learning Officer at N2K Networks, unpacks the NICE framework and strategic workforce intelligence. And a new hacktivist group emerges, and takes a particular interest in NATO members.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/162
Selected reading.
eBay Users Beware Russian 'Telekopye' Telegram Phishing Bot (Dark Reading)
Telekopye: Hunting Mammoths using Telegram bot (ESET)
Lazarus Group's infrastructure reuse leads to discovery of new malware (Cisco Talos Blog)
FBI fingers China for attacks on Barracuda email appliances (Register)
Suspected PRC Cyber Actors Continue to Globally Exploit Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) (FBI)
Identifying ADHUBLLKA Ransomware: LOLKEK, BIT, OBZ, U2K, TZW Variants (Netenrich)
Ransomware ecosystem targeting individuals, small firms remains robust (Record)
Ransomware With an Identity Crisis Targets Small Businesses, Individuals (Dark Reading)
Hacking group KittenSec claims to 'pwn anything we see' to expose corruption (CyberScoop)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me, now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Telekopye and the rise of commodified phishing kits.
The Lazarus Group fields new malware.
Implications of China's campaign against vulnerable Barracuda appliances.
Abhubllka ransomware's targeting and low extortion demands.
Malek Ben Salem from Accenture outlines generative AI implications to spam detection.
Jeff Welgan, Chief Learning Officer at N2K Networks,
unpacks the NICE framework and strategic workforce intelligence.
And a new hacktivist group emerges and takes a particular interest in NATO members.
I'm Dave Bittner with your CyberWire Intel briefing for Friday, August 25th, 2023.
ESET describes Telekopye, an easy-to-use Telegram bot that allows unskilled cybercriminals to launch scams. ESET says, "We were able to detect several versions of Telekopye, suggesting continuous development. All of these versions are used to create phishing web pages and send phishing email and SMS messages. In addition, some versions of Telekopye can store victim data, usually card details or email addresses, on disk where the bot is run. The toolkit can automatically create phishing pages based on information entered by the scammer. The phishing webpages are designed to mimic different payment and bank login sites, credit or debit card payment gateways, or simply payment pages of different websites." Telekopye caters to Russophone buyers in the C2C market.
So, Telekopye is a spear-phishing kit. Our anglophone listeners might well think that it's based on "tele" as in telephone or Telegram and "copy" as in photocopy. Turns out it's not. It's a Russian portmanteau of Telegram and the Russian word for spearhead, kopya. So, the tip of the spear. The purveyors of Telekopye call its targets mammoths, and so ESET, following the same logic, call the users Neanderthals, since presumably mammoths would have been hunted and speared by those wily Neanderthals back in the day, but somehow we doubt that ESET intends it as a compliment. ESET says most of these Neanderthals work from Russia, followed by some Russophones who operate from Ukraine and Uzbekistan.
Cisco Talos has discovered a new remote access Trojan, CollectionRAT, that's being used by North Korea's Lazarus Group. Talos says CollectionRAT consists of a variety of standard RAT capabilities, including the ability to run arbitrary commands and manage files on the infected endpoint. The implant consists of a packed Microsoft Foundation Class library-based Windows binary that decrypts and executes the actual malware code on the fly. Malware developers like using MFC even though it's a complex, object-oriented wrapper. MFC, which traditionally is used to create Windows applications' user interfaces, controls, and events, allows multiple components of malware to seamlessly work with each other while abstracting the inner implementations of the Windows OS from the authors.
The researchers also observe that Lazarus Group appears to be changing its tactics,
increasingly relying on open-source tools and frameworks in the initial access phase of their attacks
as opposed to strictly employing them in the post-compromise phase.
New tricks for an old dog.
The U.S. FBI has released an alert warning that Barracuda's email security gateway appliances
remain vulnerable to compromise by suspected Chinese government threat actors. The FBI states,
The cyber actors utilize this vulnerability to insert malicious payloads onto the ESG appliance
with a variety of capabilities that enabled persistent access,
email scanning, credential harvesting, and data exfiltration.
The FBI strongly advises all affected ESG appliances be isolated and replaced immediately,
and all networks scanned for connections to the provided list of indicators of compromise immediately.
Netenrich is tracking a new variant of malware belonging to the Abhubllka ransomware family,
active since August 1, 2023.
The ransomware targets individuals and small businesses
and tells victims to visit a Tor-based portal to open a ticket for negotiations.
The attackers demand between $800 and $1,600 for the decryption key.
The researchers note,
The ransomware operator appears unwilling to negotiate,
holding firm on the initial demand for decryption
keys. The operator would not provide a decrypted sample screenshot to the victim directly,
but instead provided one on an image hosting service. This confirms there is a working
decrypter present within the group. They seem to have flown under the radar by hitting smaller businesses and making relatively low ransom demands.
And finally, there seems to be a new hacktivist crew operating in cyberspace.
Hello, KittySec.
CyberScoop reports being in touch with a hacktivist group that's calling itself KittenSec. KittenSec says they're a new outfit, although CyberScoop writes they acknowledge connections to other hacktivist groups, including ThreatSec and GhostSec. GhostSec is known for an online campaign against Islamic activity it began after 2015's Charlie Hebdo murders in Paris. It's also known to have acted against Russian targets during the present war. It styles itself as an opponent of oppression. ThreatSec positions itself in much the same way. KittenSec says it's an opponent of corruption. Its first target set, hit at the end of July, was Romanian. Since then, it's been active against targets in Greece, France, Chile, Panama, and Italy, but it disclaims any political allegiance and says its operations have nothing to do with Russia's war in Ukraine. The operation against Romania, the group told CyberScoop, is retaliation against the countries of NATO for their attacks on human rights. KittenSec doesn't appear to be financially motivated. Many hacktivist groups are fronts for state intelligence services, and KittenSec's particular animus against NATO suggests the possibility of a Russian connection, although that remains a matter of circumstantial speculation. In any case, keep an eye out for KittenSec, especially if you're in a NATO country.
Coming up after the break, Malek Ben Salem from Accenture outlines generative AI implications to spam detection. Jeff Welgan, Chief Learning Officer at N2K Networks, unpacks the NICE framework and strategic workforce intelligence. Stay with us.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical
for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. Learn more at blackcloak.io.
And it is my pleasure to welcome to the show one of my N2K colleagues, our Chief Learning Officer, Jeff Welgan.
Jeff, welcome.
Hey, Dave, thanks. Thanks for having me on the show. You know, one of the things that I was really excited about when the CyberWire merged with CyberVista and we became N2K Networks was having access to all of the learning facilities
and expertise that you all have on the CyberVista side of things.
And today we're going to take advantage of that.
I want to talk to you today about the
NICE framework and how folks can implement that and really expand on it as well. Can we start off
with some high-level stuff here for folks who might not be familiar with it? Can you describe
NICE for us? Yeah, yeah, absolutely. So NICE actually is an acronym that stands for the
National Initiative for Cybersecurity Education.
It sits within the Department of Commerce under NIST.
So they have created a while back, sometime around 2010, earlier workings were around 2008,
cybersecurity workforce framework to address these issues that we see day to day in this industry related to what the heck are the
job roles, what's expected out of job roles, and how do we actually create a framework around that
for employers? Well, let's dig into that. I mean, how do people both on the government side and in
the private sector typically come at implementing this NICE framework? Yeah, so I think one of the
big challenges that NICE was
addressing when they put out the framework was that they needed a common lexicon for the industry.
I'm sure you're well aware, Dave, that when you go out into the market, you can call a SOC analyst.
There's a number of different job titles for that. So they wanted to normalize just work role titles,
particularly for the
government side, just so they can kind of organize the workforce in a way that made sense with
different job identification codes, et cetera. So that's really where it started. And then I think
as such, they really needed to identify, well, what are the expectations for those work roles?
Like what knowledge, skills, abilities, tasks are required for those.
So if you ever hear the term KSAT, that's kind of where that term came out of those knowledge,
skills, abilities, and tasks that since evolved to like TKS statements, tasks, knowledge, and skills.
So they're constantly playing around with it and tweaking it and making improvements to it.
And so for folks who are using it as an organizing framework here,
I mean, how do they typically come at that?
How do they measure success?
Yeah, I think it really comes down to,
I think a lot of commercial entities that are leveraging it
use that for job classifications,
just trying to organize the workforce.
So it becomes part of a human capital
strategy related to how do we title these particular job roles and what are the expectations
for those people in those roles when we're trying to do talent acquisition. Now, there are challenges
to that. Leveraging the NICE framework one-for-one can be challenging because people who are familiar with it, as you examine some of the work roles that they've identified in there, they don't always match up one-to-one to what commercial entities would actually call a work role.
analyst. I say SOC analyst, everybody knows what a SOC analyst is. If you put that out as a job req on Indeed or whatever your talent acquisition recruitment tool is, people who are in those
fields are drawn to that. NICE actually defines that work role as a cyber defense analyst.
Okay, you can make the connection, but it's not necessarily something that's as common in the
commercial industry to see cyber defense analysts versus a SOC analyst.
So I think that's one of the drawbacks of the framework, although it is also one of those things they're trying to solve for because of that problem of job titling and the variations of job titles that exist for certain professions.
What about expanding beyond the NICE framework? Are folks using it as a
foundational element and then going beyond that, fine-tuning it to their own organizations?
You see a range, right? The earliest adoption of it, the folks are just kind of dabbling with it.
A lot of times they're just doing a one-for-one matchup. Okay, these job titles kind of line up
to this work role per NICE,
and it's a straight line. Organizations that are a little bit more familiar with it may actually
go a little bit further and start looking at some of the KSAs or TKS statements, or actually looking
at the competencies that are defined within NICE to kind of align those two work roles.
At N2K, we kind of go above and beyond all of that to kind of say, you know what,
job roles are pretty unique at companies. A software engineer at JPMorgan Chase may be a little bit different than the regional bank, right? So the hats you wear at those organizations
can vary significantly from company to company. So what we want to do is not necessarily lean in on just the
work roles and the predefined list of KSAs or TKS statements. We want to work with customers and say,
okay, well, what does your software engineer look like there? What do you expect for that particular
work role? And above and beyond NICE, we want to actually define like proficiency levels of those
work roles, because NICE does not say, oh, you need to understand encryption,
subject matter expertise mastery, or beginner level mastery.
They do not do that work.
So at N2K, we kind of do that with our customers.
We want to say, okay, sure, encryption is important,
but how important is it to the work role?
And we'll quantify that for our customers.
So it's a matter of establishing where people are in their educational journey of expertise and then figuring out where they need to go as well? That's right. That's right. There's also one
other thing that we've done at N2K to kind of account for some of these, what I would call nuances or gaps within the framework
to help it translate a little bit better for the commercial world. The structure of the NICE
framework with these seven categories and 33 specialty areas, I feel are very much like putting
a work role into a box and your pigeonhole into that box, at least definitionally.
What we've done is we've created another layer of taxonomy on top of NICE that we've mapped to. So we've created these, what we call functional tags, 14 functional tags or groups that are a
little bit more common in or in line with what you would see from a team structure within
cybersecurity at any organization. So we've created things like
analysis and analytics or cyber defensive operations or GRC or leadership and IT and
cyber leadership. That way, it kind of translates a little bit better to the org chart of like,
okay, I know I have identity access management analysts here. They fit within that functional team, right? So they fit in that functional group. And on our back end, we've kind of done the mapping back to NICE
to kind of say, hey, this is how it maps back to the NICE framework. Here are the KSAs or competencies
or the specialty areas that associate with those functional groups we've identified.
All right. Well, Jeff Welgen is the Chief Learning Officer here at N2K Networks, my colleague.
Jeff, thanks for joining us.
It's a pleasure to be here. Thanks for having me, Dave.
And it is always my pleasure to welcome back to the show Malek Ben Salem.
She is Managing Director for Security and Emerging Technology at Accenture.
Malek, great to have you back.
You know, those of us who have been in the online world for a long time
remember when spam was a terrible, terrible problem.
It seems to me like in the past few years,
spam I would consider to be mostly a solved problem.
Like very little spam makes it through to my email box.
But I know something you and your colleagues have had an eye on
is this notion that with generative AI,
that could change the game when it comes to spam.
Yes, absolutely.
So I think, I mean, luckily, we've seen that reduction in spam in our inboxes
because our abilities to detect spam have significantly improved.
But with Gen AI, I think the abilities of these scammers are improving
because now they have this assistance of generative AI models to
produce high quality spam, believable spam. And therefore, we need to improve our detection
capabilities again in order to meet the improvements on the attack side. I've seen people saying, you know, we're not going to see, you know, those scams or emails that we get that look really like spam, like that have those spelling mistakes, right?
I've seen people throwing out the argument that, you know, we're not going to see that anymore because the attackers have Gen AI assistance to them.
But others said, no, no, we're going to continue to see that
because that's done on purpose.
Those spelling mistakes are done on purpose
in order to screen the most likely victims to these scams, right?
The most gullible people, if you will.
Those people will respond to those emails, even though they see that there are spelling
mistakes in them.
I mean, I don't think that's going to be valid anymore because that argument relies on how expensive it is for the scammers to be able to, sorry,
to respond to large numbers of people who fall for those scams, right?
Once they respond to that first initial contact, the first email, the scammers do not have the resources to continue
that conversation with the potential victim, right? Because it requires people to, you know,
interact with them. But now that they have AI tools, they can carry on that conversation
using automated tools, right? They don't have to spend the resources themselves, the time,
the attention, et cetera, to respond individually to these people. Because of that, then, you know,
the trade-offs change or the numbers change. Now they're all of a sudden interested in more
numbers to respond to them as opposed to interested in weeding out or screening out
the potential victims from that first contact. So what are the options that are available to
defenders then to adapt to this? So I think that's why we need to emphasize, first of all, you know, rely more on detecting these, rely less on looking for
spelling mistakes in spam to, you know, classify it as spam. So our spam detectors would have to
emphasize more other features in spam. That's for sure. And they're doing so, right?
But I'm saying if their tools are anomaly detection-based tools,
they're probably assigning different weights for the different features.
And maybe they need to de-emphasize the types of features
that are related to spelling mistakes
and emphasize the weights of other features.
And then for our security training, this is what I think we need to pay attention to.
When we do security awareness training for our employees or for the larger population,
we need to highlight or emphasize that, understand the entire context, understand who's sending
you this email and what they're asking for, as opposed to focus on finding spelling mistakes
in the spam email that you're receiving.
I think that has been a key message that we've been providing people before.
Look for spelling mistakes.
That's a bad sign.
I don't think that we're going to see
those types of mistakes as often in the future.
So we need to focus on other indicators.
All right.
Well, it's interesting.
The cat and mouse game continues, right?
Oh yeah, absolutely.
That continues in security all the time.
All right. Well, Malek Ben Salem, thank you for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
This episode is brought to you by RBC Student Banking.
Here's an RBC student offer that turns a feel-good moment into a feel-great moment.
Students, get $100 when you open a no-monthly fee RBC Advantage Banking account
and we'll give another $100 to a charity of your choice.
This great perk and more only at RBC.
Visit rbc.com slash get 100, give 100.
Conditions apply.
Ends January 31st, 2025. Complete offer eligibility criteria by March 31st, 2025.
Choose one of five eligible charities. Up to $500,000 in total contributions.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday
and my conversation with Tal Skverer from Astrix Security.
We're discussing their work GhostToken,
exploiting GCP application infrastructure
to create invisible, unremovable Trojan app on Google accounts.
That's Research Saturday. Check it out.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure
we're delivering the information and insights
that help keep you a step ahead
in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire
are part of the daily intelligence routine
of many of the most influential leaders and operators
in the public and private sector,
as well as the critical security teams
supporting the Fortune 500
and many of the world's preeminent intelligence
and law enforcement agencies.
N2K Strategic Workforce Intelligence
optimizes the value of your biggest investment,
your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Tré Hester with original music by Elliott Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilpe and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.