CyberWire Daily - Reply-chain attacks. Intelligence services go phishing. Civilian targets hit in Israeli-Iranian cyber conflict. The Entity List expands. Russo-Ukrainian tensions rise.
Episode Date: November 29, 2021
A reply-chain incident is reported at a major international furniture and housewares retailer. North Korean operators are phishing for South Korean marks using bogus Samsung recruiting emails as phish...bait. Fancy Bear has been seen pawing at Gmail. A regional escalation to civilian targets in the cyber conflict between Iran and Israel. More organizations are added to the US Entity List. Johannes Ullrich looks at decrypting Cobalt Strike. Our own Rick Howard wonders if executives really need to know how to drive that tank. And tension between Russia and Ukraine continues to rise. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/227 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
Reports of a reply chain incident at a major international furniture and housewares retailer.
North Korean operators are phishing for South Korean marks using bogus Samsung recruiting emails.
Fancy Bear has been seen pawing at Gmail.
A regional escalation to civilian targets in the cyber conflict between Iran and Israel.
More organizations are added to the U.S. entity list.
Johannes Ullrich looks at decrypting Cobalt Strike.
Our own Rick Howard wonders if executives really need to know how to drive that tank.
And tension between Russia and Ukraine continues to rise.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, November 29th, 2021.
IKEA has been working to contain a continuing phishing campaign that's afflicting the furniture and houseware chain's internal email system.
Bleeping Computer describes it as a reply chain email attack.
Again, that's not supply chain, but reply chain.
This form of attack is unusual, but not unknown.
The attackers obtain a legitimate corporate email and reply to it.
Bleeping Computer explains,
As the reply chain emails are legitimate emails from a company
and are commonly sent from compromised email accounts and internal servers,
recipients will trust the email and be more likely to open the malicious documents.
End quote.
IKEA is working to contain the problem and so far has said little about how the attackers
succeeded in compromising internal emails.
Among the revelations of last week's Google Threat Horizons report is an account of how
North Korean operators approached South Korean targets online by posing as Samsung
recruiters. Microsoft tracks the responsible threat actor, The Record says, as Zinc, which is more
commonly known as the familiar Lazarus Group. Sure, they are recruiters, but not the kind you'd have
in mind. Threat Horizons also has an interesting note on another intelligence
service's social engineering. In this case, the responsible organization is also familiar.
It's Russia's GRU, specifically Fancy Bear. In this case, Google's Threat Analysis Group
describes a Gmail phishing campaign in which, at the end of September, a large-scale phishing effort was mounted against
more than 12,000 Gmail accounts. Threat Horizons writes, quote, the attackers were using patterns
similar to TAG's government-backed attack alerts to lure users to change their credentials on the
attacker's controlled phishing page. The attackers kept changing the email's subject line but used a variation of critical
security alert, end quote. Google says it blocked the messages and that to the best of their
knowledge no one was compromised, but the phish bait in this case seems unusually shiny and plausible.
Fancy Bear wrote, quote, there's a chance this is a false alarm, but we believe that government-backed attackers may be trying to trick you to get your account password. We can't reveal what tipped us
off because the attackers will adapt, but this happens to less than 0.1% of all users. If they
succeed, they can spy on you, access your data, or take other actions using your account. We recommend change your password.
End quote.
Not bad, except for faltering in the last sentence, where "we recommend change your password"
sounds like Ensign Chekov talking.
The link in the phishing email directed the unwary
to what appeared to be a Gmail account page.
The font wasn't right, but that's easily overlooked
by someone willing to get that far.
And the goal, of course, was credential theft.
The shadow quasi-cyber war between Iran and Israel
seems not only to be intensifying, but also, according to the New York Times, which sources
its conclusions to anonymous U.S. intelligence sources, entering a phase in
which both sides seem willing to hit clearly civilian targets. An attack that disrupted
Iranian fuel stations and the doxing of Israeli participants in an LGBTQ online community
both represented themselves as the work of hacktivists, but both incidents seem to be
the work of fronts run from Jerusalem
and Tehran. So, you might ask, what's the difference? Well, U.S. Army Field Manual 6-27,
published to offer guidelines for commanders on the laws of armed conflict and intended to reflect
not just national but international law, is as convenient a place to start as any.
FM 6-27 explains the distinction like this, quote,
An ordinary inhabitant of the enemy state would be a civilian, but a member of the enemy armed
forces or a member of a terrorist group or a non-state armed group would not be a civilian,
end quote. And civilians are supposed to be
protected wherever possible and not to be made targets. Much discussion of protecting civilian
targets from cyber attack has concentrated on critical infrastructure, things like hospitals,
power grids, and the like. And not even the most expansive definition of critical infrastructure
includes discount gasoline, still less a dating
site. Well then, what's the problem with bopping a gas station or a dating site, you might ask?
Think of it this way. Buying gas or swiping right are things people do as people, not as members of
a military formation. You're filling up with regular or arranging lunch, not hauling ammunition or
serving an anti-aircraft gun. And disrupting aspects of ordinary civil life does seem to
amount to an escalation, at least a small one. So swipe left, targeteers. The laws of conflict
in cyberspace are still undergoing development, and neither of the incidents the New York Times
discusses amount to anything close to a war crime, but a little initial restraint might be something
to think about.
Just before the Thanksgiving holiday, the U.S. Commerce Department added 28
organizations to its entity list of sanctioned groups. The countries most directly affected are
China, for a range of
technologies including quantum computing with military applications, Pakistan for ballistic
missile proliferation, and Russia for military R&D.
Tensions between Russia and Ukraine remain
high. The U.S. Embassy in Kiev last week reiterated warnings to travelers urging them to avoid the Crimea and Ukraine's eastern regions.
The AP reported Saturday that Ukrainian President Zelensky said Kiev's intelligence services
had uncovered Russian plans for a coup d'etat in Ukraine within the week.
Cyber operations can be expected to keep pace with the conflict,
and we hope that things turn out less badly than the worst fears in Kiev, Washington, and elsewhere would predict.
Russia has denied any ill intentions,
as has the oligarch mentioned in dispatches by President Zelensky as the probable figurehead of a pro-Russian coup.
And we end on a sad note. Dark Reading's founder
and longtime editor-in-chief Tim Wilson lost his struggle with cancer last week,
passing away far too early at the age of 59. The excellent magazine he organized and led
is a fitting legacy for a journalist who'll be missed. Our condolences go out to his
family, friends, and colleagues, and we're sure we're not alone in our appreciation for his work.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings
automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And it's always a pleasure to welcome back to the show, Rick Howard. Of course, he is the CyberWire's own chief security officer, also our chief analyst. Rick, it's always great to have you back.
Hey, Dave. Welcome back from Thanksgiving vacation.
Thank you. Thank you. Feeling rested, tanned, and ready to go.
So on this week's CSO Perspectives show, you are giving us another one of your Rick the Toolman episodes, which I got to say, I love. Now, this show caters to security practitioners at all levels. We're talking about everybody from the tier one and above analysts to the mid-managers and all the way up to the security executives who are at a senior level. But it does tend to skew towards the leadership team. And I'm curious, from your perspective, why should they be interested in how these security tools work? Isn't that more the part of the day-to-day security operators? Isn't this a little, I don't know, below the pay grade of those executives?
Well, you know, that's a great point. And I think that many security executives might agree with you. You know, they would prefer to stay like in policy land and budget land and those kinds of things. But let me make my case using one of my favorite World War II movies, the 1970 movie Patton. Do you remember that one?
Oh, sure. Yeah. I mean, George C. Scott playing Patton doesn't get much better than that, right?
Doesn't get any better, right? And so there's a scene early in the movie when Patton's Second Corps goes up against Rommel's Afrika Korps and defeats them. And there's this great little moment when Patton, in victory, on the battlefield, yells out, "Rommel, I read your book."
I love that.
I'm sure that Patton probably knew how to drive a tank, but that's not the skill set we're looking for here. What was important was that Patton knew how to deploy the tanks in total as a tool, as well as the artillery, the infantry, and all of his aviation assets.
I see. So, if I'm getting what you're saying here, security execs don't necessarily need to know how to configure a firewall, but they do need to understand all the ways in which you can deploy a firewall. In other words, they need to understand what it can do, the possibilities, so they can set the direction for their team.
That's exactly right. And so we talk about cybersecurity first principle strategies a lot in this podcast. And security executives who don't understand the tools at their disposal have no hope in pursuing their cybersecurity strategies. They don't have to know how to drive the tank, so to speak, but they do have to be able to articulate to their InfoSec team how they want the tank to be deployed to support their first principle strategies.
All right. Well, so what tank are we talking about in this week's Rick the Toolman episode?
So we're talking about XDR, or extended detection and response. It's a relatively new idea, started around 2018, and it has a long way to go before it becomes a useful tool for everybody. But these XDR kinds of tools may become the security orchestration platform we've all been waiting for.
All right, well, we'll look forward to that. It is CSO Perspectives, part of CyberWire Pro. You can find that on our website, thecyberwire.com. Rick "the Toolman" Howard, thanks for joining us.
Thank you, Dave.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default deny approach can keep your company safe and compliant.
And joining me once again is Johannes Ullrich. He's the Dean of Research at the SANS Technology Institute and also the host of the ISC StormCast podcast. Johannes, always great to have you back. I want to touch today on Cobalt Strike and attempts to decrypt some of its traffic. What can you share with us today?
Yeah, so Cobalt Strike, of course, is the tool of choice for many attackers to gain persistent access to a system and to essentially send commands and exfiltrate data. Cobalt Strike has an option to encrypt the traffic, and it's using AES, so the Advanced Encryption Standard, which is quite secure if implemented well, and Cobalt Strike does implement it reasonably well. In order to decrypt the traffic, now you need a key. And the trick is, where do you get the key from? Well, Didier Stevens, who is one of our Storm Center handlers and is also a consultant in Belgium, he's very famous for all these little Python scripts that he came up with to analyze malware. And he now came up with a script that allows you to not only decrypt Cobalt Strike command-and-control traffic if you have the key, but also to find the key. And there are really two sources where you can find the key. Number one, well, some of those keys got leaked. Attackers are leaking their data too. It's not just the good guys that do that. And in particular, if they're stealing each other's software, like Cobalt Strike, they end up with the same key. So he took a look at various sort of leaked Cobalt Strike samples that he found. And you notice there's actually only a handful of different keys that they used, and that allows you to decrypt the vast majority of the actual sort of Cobalt Strike installations found in the wild. So, you know, he added those keys to his tool. The other way you can get the key is from memory, but that gets a little more tricky. Now, in old versions of Cobalt Strike, you could basically just find the keys in memory. In newer versions of Cobalt Strike, they made that a little bit more difficult. So you first need a little traffic sample of the encrypted traffic, then you can find the key. Sounds difficult, but Didier to the rescue. He now came up with a Python script, of course, that allows you to take that traffic sample and use that then to find the keys in memory of an infected system, and then you plug it into Didier's next script and it decrypts the traffic for you.
You know, where can we find these resources that Didier publishes? What's the best place to track them down?
If you're searching on our Storm Center website for Didier's post, he links to them. But as usual, just a Google search for Didier Stevens and Cobalt Strike and download the first binary that comes across. If it's a binary, it's probably bad. He only publishes Python scripts.
Fair enough. All right, well, one of the good guys out there helping folks take care of bad situations. Johannes Ullrich, thanks for joining us.
Thank you.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security Off.
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
And check out the Recorded Future podcast, which I also host.
The subject there is threat intelligence,
and every week we talk to interesting people about timely cybersecurity topics.
That's at recordedfuture.com slash podcast.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technology.
Our amazing CyberWire team is Elliott Peltzman,
Tre Hester, Brandon Karpf,
Puru Prakash, Justin Sabie,
Tim Nodar, Joe Carrigan,
Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson,
Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.