CyberWire Daily - Trends among the APTs. Imaginary times and imaginary places. Flubot in Finland. Emotet false alarms in Office. Smishing for Iranian Android users. CISA’s ICS advisories. Moscow on cybercrime.
Episode Date: December 1, 2021

RTF template injection is newly favored by APTs. Malware hides in February 31st. Milords and miladies, the Principality of Sealand hath been hacked. Finland's National Cyber Security Center warns of a large-scale Flubot campaign in progress. False alarms are flagging Emotet where it isn't found. Iranians victimized by a smishing campaign. CISA issues industrial control system advisories. Kevin Magee from Microsoft is really trying to rid the world of passwords. Our guest is Mike Hendrickson of Skillsoft to discuss turning the tide in this fight against cybercrime. And Mr. Putin says Russia's in favor of international cooperation against cybercrime.

For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/229

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me. Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
RTF template injection is newly favored by APTs.
Malware hides in February 31st.
Milords and miladies, the Principality of Sealand hath been hacked.
Finland's National Cyber Security Center warns of a large-scale FluBot campaign.
False alarms are flagging Emotet where it isn't found.
Iranians are victimized by a smishing campaign.
CISA issues industrial control system advisories.
Kevin Magee from Microsoft is really trying to rid the world of passwords.
Our guest is Mike Hendrickson of Skillsoft to discuss turning the tide in this fight against cybercrime.
And Mr. Putin says Russia's in favor of international cooperation against cybercrime.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, December 1st, 2021.

Researchers at Proofpoint describe an attack technique recently favored by state agencies, RTF template injection. The APTs using the technique are associated with China, Russia, and India. The approach itself isn't new, but its ready availability, effectiveness, and ease of use have made it attractive to APTs. Proofpoint expects to see the usual trickle-down effect with criminal gangs following the trail blazed by intelligence services.
So, let's see. Thirty days hath September, April, June, and November. All the rest have 31, save February, which has 28, and leap year, that's 29. So, yes, that is right. Kids, there is no February 30th, still less a February 31st. But imaginary dates might have the same usefulness for fraud that imaginary places have. Swampland real estate, imaginary Central American principalities, and the like have occupied places of honor in the history of fraud for centuries. Now it's the turn of February 31st.
Security firm Sansec observed a novel malware obfuscation technique during the run-up to Black Friday's shopping season. CronRAT was found hiding in the Linux calendar system on February 31st. The researchers say, quote,
CronRAT's main feat is hiding in the calendar subsystem of Linux servers on a non-existent day.
This way, it will not attract attention from server administrators,
and many security products do not scan the Linux cron system.
The remote access tool enables server-side Magecart data theft,
which bypasses browser-based security solutions.
End quote.
Is there an imaginary place in the cyber news, too?
Well, yes. Yes, there is, after a manner of speaking.
Mac Observer and others have reported that the website belonging to the Principality of Sealand has been hacked,
infiltrated by cyber criminals who've installed web-skimming malware on the Principality's site.
So what, you might ask, and then, well, where's Sealand? Sealand is an actual physical place. It's a Second World War vintage Maunsell fort about seven and a half miles off the coast of Suffolk. That's Suffolk, England, not Suffolk, Long Island, we note, for the sake of any provincial Yankees who may be listening. The Maunsell forts were big, heavy platforms resting on two substantial concrete pillars. They've all been decommissioned and abandoned for fifty years or more, but several of them still stand, too robust for easy demolition and removal.
Sealand, which styles itself as an independent principality, although no government in the world takes that seriously, has in the past made money with such wheezes as pirate radio stations, and now has a revenue stream sustained by selling titles of nobility. You can become a lord or a lady, a baron or a baroness for the low, low price of just $44.99. A knighthood will run you $129.99. $299.99 will make you a count or countess, and for $656.53, you, my lord or my lady, can get yourself created a duke or a duchess. Each title comes with an attractive certificate suitable for framing. That the prices are denominated in Yankee dollars suggests, to our shame, that the aspiring arrivistes are more likely to come from Suffolk County, Long Island, than they are from the county of Suffolk in England. Anywho, the site's been hacked, so the prudent wannabe nobles would be advised to search elsewhere.
FluBot is back in circulation, Finland's National Cyber Security Center warns. Basically an information stealer used to take paycard information and contacts, FluBot is also used to stage other malware. The present campaign is a two-stage phishing campaign. The initial bait lures the user to a malicious site, at which point the user is invited to install an app, which is, of course, malware. The emails are written in Finnish, but are marred by the absence of certain characters used in that language, and also by what NCSC-FI calls the illogical use of other irrelevant non-alphabetic characters. It's a high-volume campaign. Quote,
We have received many reports about FluBot messages. During previous campaigns, the malware sent messages to thousands of new victims. According to our current estimate, approximately 70,000 messages have been sent in the past 24 hours. If the current campaign is as aggressive as the one in the summer, we expect the number of messages to increase to hundreds of thousands.
End quote.
So, again, a wary user would hesitate to click and then hesitate to approve a download. In this case, the users would be well advised to take counsel of their fears.
Emotet is also back, as many have noted,
and Deep Instinct has an account of the current state of the malicious botnet,
along with tools for detecting it.
But not all Emotet warnings are genuine. According to Bleeping Computer, Microsoft Defender for Endpoint
is blocking some innocent office documents
because false positives indicate Emotet activity.
The Hill reports that a financially motivated smishing campaign
is active against Iranian Android users.
Israeli security firm Check Point thinks the activity is unconnected
with either a nation-state or with anti-Iranian hacktivists,
both of which have been suspected in recent high-profile cyberattacks against Iranian targets.
The researchers think this is a case of simple criminality,
the work of a gang and not an espionage service.
But of course, that's an assessment that should,
given the current state of heightened regional tensions,
be taken with appropriate reservations.
The Hill quotes Check Point as saying, quote,
The velocity and spread of these cyberattacks are unprecedented.
It's an example of a monetarily successful campaign aimed at the general public.
The campaign exploits social engineering and causes major financial loss to its victims
despite the low quality and technical simplicity of its tools.
End quote.
CISA released seven industrial control system advisories yesterday. The affected products all have patches and mitigations available, so if that is your neck of the woods, check out CISA's advisories.
And finally, we've heard that TASS is authorized to disclose that Russian President Vladimir Putin, noting the increased rate at which Russia itself experiences cybercrime, quote,
So that's good.
Everyone should be glad to find Mr. Putin on the side of the angels here,
or at least on the side of John Law. So one might expect some movement against the privateers, right? Of course, right. Here's one Mr. Putin might consider sending the militia, the Russian police, after. Mr. Yevgeny Polyanin, allegedly a numero in the REvil gang. Mr. Polyanin is said to be living it up, insofar as that's geographically and culturally possible, in the Siberian city of Barnaul. Be on the lookout for him tooling around in his favorite ride, a nicely loaded Toyota Land Cruiser. What? He's, like, too good to drive a Bramok 4x4 like the rest of us? Oh, the nerve of this guy.
Do you know the status
of your compliance controls right now?
Like, right now.
We know that real-time visibility
is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this.
More than 8,000 companies
like Atlassian and Quora
have continuous visibility
into their controls with Vanta.
Here's the gist.
Vanta brings automation
to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber
for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
One of the things that happens when there's a major breach or security incident is that people who are responsible in an organization for knowing all the things about that particular security area
tend to bone up on their skills
and review their knowledge just to be sure they're up on the latest. This gives the providers of
online training a unique view into what security professionals think are critical skills.
Mike Hendrickson is vice president of tech and dev products at online training provider Skillsoft.
So in 2021, we saw large spikes in March and April, which coincided with that more infamous Hafnium state-sponsored attack, and it really showed up quickly in our thing. Microsoft released a report on Nobelium attacks in late May, and we saw a correlation there again where learning went up.
So the interesting thing is, since 2019, the two years of the pandemic that we've gone through, we've seen a 53% increase in the number of hours that learners are spending on security training.
And if you look at where is that happening,
there are definite industry sectors.
80% of all of our industry sectors saw a big increase.
The top five increases in security training were the legal industry,
which is very interesting to be number one.
Energy and utilities,
you can understand the reasons there.
Healthcare, which is important for everyone. Training and development, and then non-profit.
Those are the ones that saw the biggest spikes in increase in their learning and development.
Yeah, that's fascinating. I mean, it really does track as you say them. I'm sort of nodding my
head along like, yeah, that makes
sense. That makes sense. It also strikes me though, I think as you alluded to, that it's a bit
reactive, right? When a bad thing happens and people go out there and they say, you know, I better
make sure that I'm up to date on these things. From an organizational point of view, I suppose
we'd be better off if we were spreading this training out
throughout the year. Absolutely. You know, there's a couple things that I also look at with spreading
it out, but also what's happening in an enterprise. Because security is one of those areas, as I'm sure
you're well aware, that cuts across everything in an organization. You know, you might have a
programming development group, you might have a cloud group. You might have a, you know, software release group, probably infrastructure group, IT oriented things. But security is the one area that cuts across all of them.
courses we're seeing being consumed are things like OWASP top 10 items that people are basically boning up on the fundamentals of security. And then secondly, the second one, and this is,
I think, really tied to the adjacent technologies, cloud security fundamentals
is our number two as far as people consuming security content around cloud.
And that's a really interesting kind of indicates to me there's a little bit more than
lift and shift going on with the cloud that people are actually starting to say, hey,
we have to do this right. We have to make sure that everything is clean and secure both and perform it hopefully as well.
So we're seeing more of this security cuts across so many of the different areas that we work in.
And that's why sometimes it's harder to measure because if you categorize it in programming,
you have to make sure you look for that same sort of, you know, did it land in that area or is it clean in the security area?
So from that perspective, I really like seeing that the fundamentals are really important, as are all the adjacency technologies that are being consumed.
You know, I think security training in particular gets a bit of a bad rap with a lot of organizations and individuals.
If you say to someone, hey, it's time for our annual security training, you rarely have someone say, oh, goody.
But it is necessary, and I think there are organizations who are implementing this as part of their corporate culture who are doing quite a good job.
Are there any common things that you all see
with the organizations that are successful here
for how they implement it into their company culture?
Yeah, there are a couple things
that I think are really key for most organizations.
One is look at your management staff.
So we have a whole new, what we call an Aspire journey that
takes leaders and decision makers through really stringent security training. So when you think
about it, if your leaders don't really understand all of the concepts and things that are happening
today, you're more vulnerable if they aren't
aware of the right trade-offs to make or someone's selling them, you know, use this tool and all of
our problems are gone when maybe that tool isn't the one they need. First and foremost, make sure
your leadership team has the security training they need to make good decisions for your organization.
And then secondly, I think, and this is probably the most important one, is start to pivot
towards a DevSecOps model where your security is always integrated with your development
programs, that it isn't develop an application,
a service, a product,
and then throw it over the wall to the security guys
to test to make sure it's safe.
Involve them at the very beginning
and make sure you do this from the very start.
So that whole DevSecOps model
is, I think, a really important ingredient in the future.
And if it's working for DevOps,
why shouldn't it be the same thing for security? Always on, always deployed, always secure.
That's Mike Hendrickson from Skillsoft.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Kevin Magee. He's the Chief Security Officer at Microsoft Canada.
And we note that Microsoft is a CyberWire sponsor.
Kevin, always great to have you back.
You know, Microsoft recently announced that you all are making a big move towards a post-password
secure world, that if people don't want to use passwords anymore when it comes to logging into
their Office 365 stuff, they don't have to. Let's dig into that. Exactly what's going on here? What does
it mean to the users? And where do you all at Microsoft think this is going in the future?
Well, thanks for having me back, Dave. And I love your post-passwordless world. That's a great
vision to move forward to. I'm going to use that going forward. I really just think about when I
was a kid and I had one key and I wore it on a string around my neck and I had to maybe remember my combination for my locker or my bike. And that was even a stretch for me. I can't imagine even how many passwords I have to manage and remember at this point.
media makes fun of sort of the password challenges we're having now. You see in movies, someone hammers the keyboard for a few seconds, says, I'm in, and it's done. Passwords need to go,
and we need to find something better. The problem is we've really struggled to figure out what that
next step is. I've really been torn. If we eliminate the password, where do we go? Is it
going to be more secure? Is it going to be less? I think the next step is really to eliminate the password because it is the easiest attack vector for attackers and move into this
post-password world that you're speaking of and to do it as soon as possible.
So what are our options here? I mean, when you and your colleagues think about it,
what is next? What's both easy for consumers and pros to use,
but at the same time secure?
I think part of the problem is just human nature.
You know, we've, as an industry,
really inflicted horrible password policy decisions
on users for years.
You have to have at least 47 new characters,
no less than 48, no repeats,
has to include a bunch of numbers,
a handful of punctuation marks, several elven runes,
and it can't resemble anything you've ever used before.
It's so frustrating for users.
It should take 30 seconds to change your password.
It takes seven hours, and it leaves you enraged,
emotionally spent, and it starts to affect your work.
So now when you move home,
I have to enter a password on things like an Xbox with a controller and whatnot.
It's just becoming more difficult.
So the incentive of human nature is to make passwords easier to remember and less effective.
So we're fighting human nature.
So taking that away from the user and finding a multi-factor authentication.
We use our Microsoft Authenticator app now where it can scan my face
and it saves it on the local device.
It knows it's me,
provides me a number to enter,
not a second factor.
These are simple, easy ways
that users can interact
without having these challenges
or the emotional damage and infliction of
these corporate policies to change your password to just make it easier for individuals to interact
with their applications. And we feel at Microsoft that using digital empathy, making the user
experience great while providing a password alternative will actually make us not just much more compliant to corporate policies,
but also just more willing to use these applications because they're simply easier.
Yeah, I have to wonder if having the big players like Microsoft lead the way with this,
if that's going to get us where we need to be. Because I think it's easy for a lot of businesses to say,
well, if it's good enough for Microsoft,
a big player in the industry,
well then, okay, we're going to take a look at this.
And I think that's exactly right.
We have to have a number of the key vendors in the industry
sort of adopt this approach
and really run with it to ultimately make the difference
and make users feel comfortable using it.
And there was a lot of stir the first week or so when the announcement went out.
And some false reporting, Microsoft's going to allow you to log in without a password.
We're still going to ask you to log in securely.
And in fact, we think even more securely.
But people who have made the change could just never go back.
That's what they're telling me.
And I think about my experience as an employee.
When I open up
my laptop, it scans my face using Windows Hello. It recognizes who I am. I never have to add another
password yet. I can navigate my day and do my work very securely. I can't imagine the horror of going
back to managing multiple passwords for multiple applications. So even as a user, I don't want to
use an application that's not sort of certified
or blessed by my IT department because then I'd have to manage it separately. So that's really
cutting down on users, you know, resorting to shadow IT, which is ultimately reducing the
threat risk to the organization. But it also just makes for much greater experience. Instead of IT
or security being the Mr. No or the thing that's in the way of doing my work, it's actually allowing me to do my work
better, faster, and easier, which is the promise that we've been trying to make for years to
the industry that we were going to solve this. And I think we're finally taking those first
few steps.
Do you think we could see a future where username-password combination is no longer an option, where it's just been phased out completely?
I think we almost have to.
We're starting to really go into a proof phase right now where we're seeing how some of these new ways of authenticating really work.
And the early results are that they're working much better.
They're providing a great deal of more security and whatnot.
It will just be a matter of time to really sort of get the world to shift away from password
because that's the way we've always sort of done things.
So there'll be a cultural change as well.
But also just think of how many systems you have passwords for that need to be updated,
all these legacy systems and whatnot.
It will take time to get there.
So finding ways to
accelerate that really can make a difference. But the customers that I've worked with that have
done pilots and proof of concept, the user feedback is so overwhelmingly positive that I think that's
the number one thing that's driving organizations to rethink it. And then number two, just the cost
savings of not having to manage password resets, the frustration, the lost productivity as well, too.
So those are the two things I really feel are driving most companies to really look at a post-password future much more sooner than they would have otherwise.
Yeah, well, count me in as someone who can't wait for us to reach that day.
Kevin Magee, thanks so much for joining us.
Thanks, Dave.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliott Peltzman, Trey Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard. Thanks for listening. We'll see you back here tomorrow.
... only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.