CyberWire Daily - Remote monitoring and management tools abused. Russian and Iranian cyberespionage reported. The world according to the CIO. And if volume is your secret, maybe look for a better secret.
Episode Date: January 26, 2023

Joint advisory warns of remote monitoring and management software abuse. Iranian threat actors reported active against a range of targets. UK's NCSC warns of increased risk of Russian and Iranian social engineering attacks. A look at trends, as seen by CIOs. Carole Theriault ponders health versus privacy with former BBC guru Rory Cellan-Jones. Kyle McNulty, host of the Secure Ventures podcast, shares lessons from the cybersecurity startup community. And the DRAGONBRIDGE spam network is disrupted.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/17

Selected reading.
CISA, NSA, and MS-ISAC Release Advisory on the Malicious Use of RMM Software (CISA)
Protecting Against Malicious Use of Remote Monitoring and Management Software (CISA)
CISA: Federal agencies hacked using legitimate remote desktop tools (BleepingComputer)
'Malicious' cyber attacks launched by groups connected to Iran's regime (ABC)
Abraham's Ax Likely Linked to Moses Staff (Secureworks)
SEABORGIUM and TA453 continue their respective spear-phishing campaigns against targets of interest (NCSC)
NCSC: Russian and Iranian hackers targeting UK politicians, journalists (Computing)
State of the CIO Study 2023: CIOs cement leadership role (Foundry)
U.S. says it 'hacked the hackers' to bring down ransomware gang, helping 300 victims (Reuters)
Over 50,000 instances of DRAGONBRIDGE activity disrupted in 2022 (Google TAG)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A joint advisory warns of remote monitoring and management software abuse.
Iranian threat actors are reported active against a range of targets.
The UK's NCSC warns of increased risk of Russian and Iranian social engineering attacks.
A look at trends as seen by CIOs.
Carole Theriault ponders health versus privacy with former BBC guru Rory Cellan-Jones.
Kyle McNulty, host of the Secure Ventures podcast, shares lessons from the cybersecurity startup community.
And the DRAGONBRIDGE spam network has been disrupted.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 26, 2023.
CISA, the NSA, and the MS-ISAC have released a joint advisory outlining the abuse of legitimate remote monitoring and management software.
The advisory describes a large financially motivated phishing campaign that managed to compromise many, as the advisory puts it,
federal civilian executive branch networks.
The advisory explains,
In this campaign, after downloading the RMM software,
the actors used the software to initiate a refund scam.
They first connected to the recipient's system and enticed the recipient to log into their bank account while remaining connected to the system.
The actors then used their access through the RMM software to modify the recipient's bank account summary.
The falsely modified bank account summary showed the recipient was mistakenly refunded an excess amount of money.
The actors then instructed the recipient to refund this excess amount to the scam operator.
The agencies note that while this campaign was financially motivated,
the access could lead to additional malicious activity against the
recipient's organization from both other cyber criminals and APT actors. So this time around,
it's ordinary crime. The next time, it could be espionage or sabotage. Iranian threat actors
are reported active against a range of targets. Those targets appear to be in Australia and
Israel. ABC Australia reported Tuesday that cyber attacks targeting Australian organizations for
data extortion, believed to be the work of Iranian Revolutionary Guard-affiliated actors,
were seen in a tabled parliamentary report. In other campaigns, Secureworks' Counter Threat Unit has also
analyzed the activities of the Moses Staff and Abraham's Ax personas, active in September 2021
and November 2022, respectively. Commonalities between attributes of the hacktivists fuel
researchers' beliefs that they are operated by the same entity. The researchers believe both
personas are operated under the umbrella of the Iranian Cobalt Sapling threat group. Cobalt
Sapling saw emergence in October of 2021, according to SecureWorks, as a pro-Palestinian
hacktivist group targeting Israeli entities. The UK's National Cyber Security Centre, the NCSC,
warned this morning that Russian and Iranian intelligence services are increasing their
phishing attempts, stating, the Russia-based SEABORGIUM and Iran-based TA453 actors continue
to successfully use spear phishing attacks against targeted organizations and
individuals in the UK and other areas of interest for information gathering activity.
The campaigns are selective and highly targeted, prospecting people who work in academic,
defense, and governmental organizations, in NGOs and think tanks, as well as politicians,
journalists, and activists. The campaigns
are independent and not coordinated. Both efforts use open-source intelligence during their
reconnaissance phase, impersonate well-known figures in a field of interest to the targets,
and employ official-looking documents as their phishbait. They're both espionage campaigns
engaged in collecting information.
Their immediate goal is development of rapport with the target and eventually credential theft that might enable further social engineering campaigns.
Computing reports that the ultimate goal of the collection
seems to be the gathering of compromising material
that could later be used to recruit the targets.
Foundry this morning released their annual State of the CIO report,
analyzing CIO attitudes toward finances, the evolution of the CIO role,
and the anticipated initiatives in focus in the coming year.
They think that economic instability may not spell an end to tech budget increases. The research details
the continued optimism shared among CIOs in terms of finances in 2023, with over half of those
surveyed expecting increased budgets despite the state of the economy. Reasoning for budget
increases is believed to include a need for security improvements, a need to upgrade outdated IT infrastructure,
application modernization, investments in new skills and talent, and product innovation.
Over half of respondents report that the CIO has a budget of their own in the company,
separate from the IT budget.
We'll have more on this tomorrow, but in a developing story, the U.S. FBI says it's taken down the notorious Hive ransomware gang.
The Bureau has been quietly working at it since last summer,
infiltrating Hive, taking decryption keys, and restoring lost funds to Hive's victims.
Reuters quotes Deputy U.S. Attorney General Lisa Monaco as saying,
using lawful means, we hacked the hackers.
We turned the tables on Hive.
The Bureau says it stopped Hive from collecting around $130 million in ransom
for more than 300 victims.
This morning, Hive's site was replaced with a notice.
The Federal Bureau of Investigation seized this site
as part of coordinated law enforcement action
taken against Hive Ransomware.
Bravo, FBI.
And finally, remember the old radio ads that began with an amazed customer adding,
Eddie, how do you do it?
And then Eddie would answer, what's my secret?
Volume.
Our history of advertising desk says they never really got how that would work
either. I mean, how could selling one suit below cost result in a loss, but selling a hundred below
cost would turn a profit? Weird. But apparently the approach is still making sense to some out
in the influence arena. Google's Threat Analysis Group has released a report outlining its efforts to disrupt the massive spam network DRAGONBRIDGE.
It's got a small audience, but it pumps out a lot of spam through hundreds of thousands of inauthentic or hijacked accounts.
DRAGONBRIDGE is a China-based influence network that works across several platforms. The researchers note that most of the network's posts are low-quality content without a political message populated across many channels and blogs. TAG has taken down more than
100,000 of the network's accounts. Despite the network's size, DRAGONBRIDGE has received very
little engagement from real people. 95% of its blogs received fewer than 10 visits, and most of its videos have fewer
than 100 views. The researchers also note that most of the engagement the posts received were
from other DRAGONBRIDGE accounts. Even Crazy Eddie never did that. Maybe the problem is the quality
of the content. TAG says, most of their posts are spammy, nonsensical material without
an overt political message, often clips of animals, landscapes, food, sports, and other content.
Blurry visuals, garbled audio, poor translations, malapropisms, and mispronunciations are also
common. The content is often hastily produced and error-prone, for example, neglecting to remove lorem ipsum text from a video.
The researchers also note that a small fraction of the accounts
push more coherent posts relating to current events, adding a pro-China spin.
Most of these posts were written in Mandarin and focused on negative stories about the U.S.
So yeah, we got your lorem ipsum right
here. Since they're letting some Latin slip into the text, consider some advice from Ovid.
If you want to be loved, be lovable. Or in this case, if you want to persuade, be persuasive.
Don't just phone it in. We know, we know, Lenin said, quantity has a quality all its own, but
how's that working out for you, CCP?
Coming up after the break, Carole Theriault ponders health versus privacy with former BBC guru Rory Cellan-Jones.
Kyle McNulty, host of the Secure Ventures podcast,
shares lessons learned from the cybersecurity startup community.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass
your company's defenses is by targeting your executives and their families at home? Black
Cloak's award-winning digital executive protection platform
secures their personal devices,
home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members discover
they've already been breached.
Protect your executives and their families
24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
From time to time, we like to highlight security podcasts that have caught our attention
and that we believe deserve wider notice.
You may have heard of a little independent show we promoted a few years ago called
Darknet Diaries. It's done quite well for itself in the meantime. Kyle McNulty is host of the
Secure Ventures podcast, where he focuses on the cybersecurity startup community. He joins us with
insights from the interviews he's done and the things he's learned along the way.
It's basically telling founder stories and the stories of their companies.
So the same way you just asked me about my kind of origin story, it's understanding how these different security founders have made it into this entrepreneurship world.
Some of them have longtime security backgrounds, 25 plus years.
Some of them have never worked a security job
and were doing something somewhat related.
There was one guest who was doing media
and kind of stumbled into the privacy space
and ended up starting a successful cybersecurity company from there.
And then telling the story of
what is that company actually focusing on?
What are the challenges that they're working through?
What does the longer-term vision for that company look like?
And helping tell lessons for other founders and investors
and even practitioners as far as how they can do something similar.
Are there any common threads that you've discovered
as you've done these interviews?
Any things that these folks with entrepreneurial spirit have in common?
To be sure.
And obviously, there's lots of nuance to each individual story,
but there's certainly themes that shine through.
One really interesting one that stuck out to me over time
is the emphasis on customer interviews before actually launching a product.
So rather than just saying, hey, I have this idea,
let's go ahead and start building it.
I have what I think could potentially work.
But before I trust my conviction, let me go ahead and speak with, let's say, 20, 50 different professionals in the industry, whether that's CISOs, other practitioners, other founders, investors, get their perspective on it.
And even if they are validating the idea as part of that process,
they're giving you feedback
as far as the features that are important to them,
what they really want out of that product.
And sometimes even more importantly,
that's some very helpful customer diligence
that you're doing and relationships that you're building,
which can then convert into easier sales
once you actually have that product up and running.
You know, I think it's easy to think of folks
in the venture world as
being very successful and because so many of them are, but I think there's a lot of lessons to be
learned from the failures as well. And that's an area that you discuss with your guests also.
To be sure, not every person who's come on the podcast has every single startup that they've
created be successful. Failure is
certainly a part of it. Oftentimes, you hope for smaller failures as opposed to massive,
large-scale failures where $100 million has already been invested. But a big part of being
a founder is learning from those experiences. So even if I'd say one thing that I find very common,
especially with the folks who are doing podcasts and putting a lot of attention on their media opportunities, is they might be a repeat founder.
So they built a company, sold it, and they decided, hey, I want to do something bigger.
I want to do something more grand.
And so even though that's not truly a failure, it's what sort of learnings can you apply from that experience?
What does it look like to, rather than maybe look for an early acquisition, say, hey, this time around, I want to build something that has a much broader vision and try to take
this to a public exit.
What does the timeline look like for that?
Who are the people that you need around you?
What are the investors that you want on your team and in your corner?
And what do you really need to do differently from day one to prepare for that vision?
You know, in the conversations that you've had along the way,
are there any lessons that you've taken away from it for yourself?
Anything that's surprising or unexpected?
One interesting piece that stuck out is the idea of really mapping your customer segment.
And so this was on a conversation with Dan at CyberOwl.
They're a shipping security company, so maritime security
company. And they went through a detailed exercise in terms of understanding how their different
customer segments are clustered to one another. So what sort of supplier relationships involve
each of those different companies? And how can they target specific clusters before moving into
the next one? So almost like a network map
of your customers. And it was an additional level of customer diligence that had never even occurred
to me at that kind of minute scale. And it just gave me a renewed understanding and importance
on understanding what your target market really looks like and how you can potentially penetrate
that market. And I think that applies whether it's to the podcast,
whether it's to consulting,
whether it's to starting a new business,
whether it's even to just growing your own professional brand
is how can you apply that same sort of
very meticulous customer understanding,
customer mapping,
and use that to just increase your efficiency
with outreach to your target audience.
What is your sense for the outlook for the coming year
with the folks that you talk to?
Are folks optimistic that we're in for a good one here?
I think the general consensus is certainly not,
but it's always a hard prediction or a hard position to be in
as far as making predictions about the market.
And I think anyone who
acknowledges that the outlook is bleak generally also acknowledges that there's a great deal of
uncertainty. And so it's less about saying with certainty, the outlook is bleak and more about
saying that there's a lot of uncertainty that exists ahead as far as exactly what the next
year will look like and understanding that the range of
outcomes is much broader than maybe it's been obvious for the last couple of years. And so
just preparing for that worst case scenario and putting your business in a position where it can
be successful in the next year in that range of outcomes. What do you get out of doing the show
personally, having these conversations, talking to these folks? What are the takeaways for you?
Well, we talked already about the different lessons that I've learned just from talking
to these folks and how that's helping me be a better professional, whether it's building a
business, working on these different side projects, understanding the cybersecurity market more
clearly. But it's also been an amazing experience to build content that so many people are excited
about. Really getting some of
that feedback when someone listens to a recent episode and shoots me a text or a LinkedIn
message and says, hey, I really enjoyed that episode. It's very gratifying that something
that's enjoyable for me to actually do on a daily basis is also enjoyable for other folks to listen
to. That's Kyle McNulty. He's producer and host of the
Secure Ventures podcast.
Carole Theriault is our UK correspondent and also co-host of the Smashing Security podcast.
She recently checked in with former BBC guru Rory Cellan-Jones about health versus privacy.
Carole Theriault files this report.
I recently interviewed Rory Cellan-Jones.
Until recently, he worked at the BBC and for decades had been the lead technology journalist on all things digital. Now, Rory retired a few years ago
and then announced that he had been diagnosed with Parkinson's. Rory now runs the Rory's
Always On newsletter on Substack and focuses primarily on the issues frustrating the tech progress in healthcare.
I mean, privacy is important, but this is a heavy cost to those of us facing serious
medical conditions. Here I ask him to expand on this debate. I've heard you talk on your
newsletter and actually in person about how there's a kind of fight between privacy and shared data, because people want to be private
about healthcare issues, yet that data is so valuable to share amongst all the different
institutions that provide a healthcare service, be they private, consultants, GPs, emergency rooms,
all that.
Yeah, it's a very interesting debate. And I've long felt that it's a bit unbalanced. So, for obvious reasons,
everybody is very concerned that their health data should be private, that it shouldn't get into
the wrong hands. And that concern, yes, it's genuine, but it's really holding up, quite often, the potential there is for using that data for good.
So in the UK, the National Health Service is an extraordinary treasure trove of data.
It's the biggest centralized generator of health data in the world, probably.
So if you could harness that, you know, maybe you could develop new drugs,
maybe you could do a lot more preventative medicine, maybe you could find a cure for Parkinson's.
But every time somebody comes up with a scheme, the government comes up with a scheme, and they
never handle them very well. To take, for instance, GP records, a local doctor, your family doctor
records, which are really important, because they give a sort of long-term view of somebody's
health and how that relates to demographics and so on. Every time such a scheme is proposed, it's kind of held down for privacy reasons. And what
you hear is always about the dangers rather than the potential. So the latest such scheme was
theoretically launched a couple of years ago, but quickly died a death or was put in a deep freeze.
The first headline I read about it in a British
liberal newspaper referred to an NHS data grab, you know, very negative language. Yeah, and as I say,
there are proper, you know, questions to be asked. For instance, do we want big technology companies, Google is a great example, to be involved in this?
But I think we can construct systems where there are safeguards for privacy, and yet
this data can be put to good use.
Someone right now who may be in a situation similar to yours, where they're trying to
navigate complicated doctor relationships and making sure everyone has that information that they need at the right time.
Do you have any advice for them?
Is there any like secret tricks that you've learned along the way where you're like,
I couldn't do without this?
I wish I did.
I mean, what's happening in this country is that gradually that interaction between patients and doctors is being digitized, is being made better.
For instance, every drug, new drug now, is probably going to come with an app to kind of guide the patient
or maybe provide feedback to the doctor about how the drug is working.
There's a lot of work going on in using smartphones.
This is coming back to where we started,
the benefits of smartphone technology to provide that interaction
between patient and doctor and to provide remote monitoring.
I was in the eye hospital I visit regularly the other day,
and they were promoting an app where you could do your own eye test at home.
Patients who, you know, being monitored didn't necessarily need to come in to have their eyes tested.
They could do their own eye test using this app, and that would be analysed probably by an algorithm.
And, you know, if there was something of concern,
then they would be called in. So there you have it. Healthcare may be lagging behind when it comes
to digitisation. And there's a long way to go before we can do all our own diagnostics. But
we are definitely heading in this direction. It's kind of fascinating to imagine where we'll be in
20 years' time.
This was Carole Theriault for the CyberWire.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Thanks for listening. We'll see you here tomorrow.