CyberWire Daily - Trojanized VPN installers circulate in Iran. A trip down the static expressway. Hacktivism-for-profit. IT incidents disrupt NOTAMs and Royal Mail. HR phishbait.

Episode Date: January 12, 2023

Iranian VPN users are afflicted by Trojanized installation apps. Phishing on the static expressway. NoName057(16) hacktivist auxiliaries target NATO. Yesterday's flight outage appears not to have been caused by a cyberattack. Royal Mail is disrupted by a "cyber incident." Carole Theriault thinks Meta needs to step up their game when blocking financial scams. Our guest is Mark Sasson from Pinpoint Search Group to discuss why cybersecurity may no longer be a candidate-driven market. And HR phishbait dangles raises, and some employees bite. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/8

Selected reading.
EyeSpy - Iranian Spyware Delivered in VPN Installers (Bitdefender Labs)
Phishing on the Static Expressway. (CyberWire)
NoName057(16) - The Pro-Russian Hacktivist Group Targeting NATO (SentinelOne)
Not a cyberattack, but an IT failure. (CyberWire)
FAA NOTAM Statement (FAA)
Canadian Pilot-Alert System Reports Outage Hours After U.S. Grounding Order (Wall Street Journal)
US air travel resumes but thousands of flights delayed after planes grounded - live updates (The Telegraph)
US Flights Latest: Departures Resume After FAA Lifts Ground Stop (Bloomberg)
Royal Mail suffers 'severe service disruption' after cyber incident (Glasgow Times)
Royal Mail issues major disruption warning after 'cyber incident' (Computing)
Parcels and letters stuck in limbo as Royal Mail is hit by a suspected hack (The Telegraph)
Cyber Incident Hits UK Postal Service, Halts Overseas Mail (SecurityWeek)

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Iranian VPN users are afflicted by Trojanized installation apps. Phishing on the Static Expressway. NoName hacktivist auxiliaries target NATO. Yesterday's flight outage appears not to have been caused by a cyber attack.
Starting point is 00:02:16 The Royal Mail is disrupted by a cyber incident. Carole Theriault thinks Meta needs to step up their game when blocking financial scams. Our guest is Mark Sasson from Pinpoint Search Group to discuss why cybersecurity may no longer be a candidate-driven market. And HR phishbait dangles raises, and some employees bite. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 12, 2023. Bitdefender has reported that trojanized versions of VPN installers are staging SecondEye, a monitoring application, on victims' devices. SecondEye is sold legitimately, but this is a surreptitious use of the product to gain insight into user activity. Many Iranians have sought out consumer VPN products as a way of shielding themselves
Starting point is 00:03:33 from monitoring by their government. Bitdefender calls the campaign EyeSpy and says that the software it installs has the ability to fully compromise online privacy via keylogging and stealing of sensitive information, such as documents, images, crypto wallets, and passwords. While the researchers don't offer attribution, the victimology suggests an Iranian threat group. Avanan released a blog this morning detailing a new variation of an attack leveraging Dynamics 365 Customer Voice to bypass security scanners in a technique known as the Static Expressway. This is a new variation of an attack Avanan reported in November 2022 with the same core structure. Hackers use Microsoft Customer Voice to send a notification to the end user appearing to be from the service,
Starting point is 00:04:29 when in actuality a malicious phishing link is on the site. This variation does not send a notification of a voicemail like the November version did. Rather, an email is sent, appearing to be a fax shared on SharePoint, said to contain particularly sensitive or confidential information. If the end user clicks on the link in the email, they'll land on a page with a link to preview or print the document, which leads to a legitimate Customer Voice URL. Linked in the "click here to print" button is what appears to be a OneDrive login screen,
Starting point is 00:05:06 but in reality is a credential harvesting page. SentinelOne describes a Russian hacktivist auxiliary campaign against NATO organizations. The group bears the paradoxical name NoName057(16). We'll call them NoName for short. The group is known to have been active since March of 2022, and it specializes in DDoS. The hacktivist group deploys these attacks against websites it regards as important to countries that have been too friendly to Kiev and too critical of Russia's war against Ukraine. And that means NATO, NoName is looking at you. Its operations are similar to those of Killnet. Indeed, some of the two groups' targeting has overlapped. SentinelOne says that NoName has been responsible for the action
Starting point is 00:05:55 against the Danish financial services sector that Reuters reported earlier this week. The threat group has also been active against campaign websites associated with the upcoming Czech presidential election. NoName seems to be a genuine hacktivist auxiliary and not merely a front group for a Russian intelligence service. As the report points out, SentinelLabs has identified how the group operates over public Telegram channels, a volunteer-fueled DDoS payment program, a multi-OS supported toolkit, and GitHub. There is a mixture of profit with the patriotism. The group represents an increased interest in volunteer-fueled attacks, while now adding in payments to its most impactful contributors.
Starting point is 00:06:42 So, if SentinelOne has it right, and they probably do, expect more of the same. Hacktivism for profit looks like an incipient trend. The U.S. Federal Aviation Administration grounded all domestic flights early yesterday morning after an outage of the Notice to Air Missions system, that's NOTAM. A technical failure appears to be behind the approximately 90-minute outage rather than the work of nefarious actors. The FAA initially reported the outage at 7:15 Eastern Time Wednesday, saying they were working to fully restore the NOTAM system with the order of a pause to all domestic departures until 9 a.m. ET. An update an hour
Starting point is 00:07:27 later resumed departures at the Newark Liberty Airport in New Jersey, as well as the Atlanta Hartsfield-Jackson Airport in Georgia, due to air traffic congestion in those areas. In an update released at 8:50 a.m. ET, Bloomberg explains, the ground stop was officially lifted, with normal air traffic operations gradually returning. The New York Times reports that a later update from the FAA revealed that the preliminary investigation linked the outage to a database file that was damaged. The Wall Street Journal writes that Canadian provider NAV Canada saw an outage in their NOTAM system as well just after 10 a.m. Eastern Time, which was restored at roughly 1:15 p.m. Eastern Time. While the cause for the Canadian outage has not yet been identified, according to the New York Times, a spokeswoman for NAV Canada, Vanessa Adams, said that she did not believe there was a connection to the FAA outage, despite the coincidence.
Starting point is 00:08:37 Mail service in the UK has been disrupted by what the Royal Mail is calling a cyber incident. Computing explains that it's being called an incident as opposed to an attack because the Royal Mail is still investigating and is unsure of the cause behind this week's problems with its IT systems. The National Cyber Security Centre, Britain's NCSC, is aware of the incident and is investigating. And finally, it's the time of year when many companies inform their employees of raises or other changes to their compensation. Criminals are using this to shape their phishbait.
Starting point is 00:09:10 Proofpoint describes the form the phishbait is assuming, stating, With bonus and salary reviews coming up, threat actors know it and are using these lures for social engineering. On January 10th, 2023, Proofpoint observed emails with phishing links purporting to be from human resources and utilizing bonus and pay raise lures. So be on your guard, workers of the world, and HR, now might be a good time
Starting point is 00:09:38 for a little bit of that human touch. After the break, Carole Theriault thinks Meta needs to step up their game when blocking financial scams. Our guest is Mark Sasson from Pinpoint Search Group to discuss why cybersecurity may no longer be a candidate-driven market. Stay with us. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:10:40 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:11:21 And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Starting point is 00:11:58 Learn more at blackcloak.io. We are facing greater economic headwinds and with that, uncertainty in the job market. Tech firms are not immune, and even cybersecurity, where the demand for qualified talent continues to outstrip the supply. Mark Sasson is founder and managing partner of Pinpoint Search Group, a cybersecurity recruitment firm. I reached out to him for insights into what he's tracking when it comes to the cyber job market. To be clear, the perspective you'll get from me, Dave, is going to be related to the cybersecurity vendor product community, as opposed to the quote-unquote end-user cybersecurity practitioners. And in terms of getting to this point, the cybersecurity market from the vendor perspective
Starting point is 00:12:57 is still really immature, and it's dominated by startups. By my count in 2022, vast majority of funding rounds in terms of volume of funding went to seed A and B stage companies. So you're in a situation really due to macroeconomic events where investors are delaying or canceling investments and founders have to be really careful of the burn rate. So in this situation, the first thing that'll go are going to be the human resources. So now you've got more people, professionals in this space, actively seeking opportunities and fewer opportunities to go around. So the way I see it, it's a supply and demand issue, and it's driving leverage towards employers. You know, we've seen reports for years now about the shortages of people to fill the
Starting point is 00:13:53 available jobs. Are you seeing a shift there? Every time when I look at the numbers, at least, you start seeing a shift. The numbers go up at some point. And it's really due, I think, because of the rapid growth of the industry. So to be clear, the end of the candidate-driven market isn't an end. It's a lull in being a candidate-driven market. And again, I really think it's due to macroeconomic events versus what's specifically happening in cybersecurity. And so because of the nature and the growth of this particular aspect of technology, I think we're going to be in this situation for a long time. It's going to take education from an early age to really start filling a lot of the
Starting point is 00:14:39 open positions that just can't get filled today. Well, can we go through together the variety of types of positions and how you think this might affect them? And I'm thinking of the person who may be just out of school or searching for a job for the first time in this market, all the way up to someone who may be a senior executive. How do you see this reality affecting those people in those different positions? I think there's probably a lot of opportunity for people just coming out of school where the market seems to be deficient in that particular area is matchmaking, so to speak.
Starting point is 00:15:20 Helping people that want to get into the industry figure out how to get in, where they're best suited based on their individual capabilities. And I do believe that's being worked on. From an executive level standpoint, and obviously we're jumping through that whole individual contributor and director level class, so to speak. But if you're talking about more senior level people at the executive level, this is impacting them because there are organizations trying to do more with less. And so once you get to such a high point in your career, the question is, where do you go? And so I am talking to quite a few executives, almost on a daily basis, that are trying to figure out whether they need to bide their time or whether they're going to take a smaller role than they anticipated taking because of the current situation. Are you seeing a recalibration of the levels of pay for folks throughout the industry?
Starting point is 00:16:24 To an extent. My advice to a lot of people, just picking my brain, given that they're looking around right now, is that they should probably steer away from demanding some of that top-level compensation that they were being offered maybe even a couple quarters ago and dialing it back just a little bit. I don't know that compensation is going to take a major dip. Again, this is an industry that is still in demand. You're looking at people that are highly qualified individuals. But there was a point where people, at least on the vendor side of the house, were offering almost ridiculous sums just to attract talent. And now that there's more people on the market looking, again, the employer's got a little more leverage there. So I think
Starting point is 00:17:18 it's going to level out. I don't think it's going to drastically drop. What's your advice for the employers in terms of creating an environment where people want to stick around? Again, I'm big on, based on all the feedback we get, right? This isn't just me guessing here. This is based on why candidates tend to want to leave. And it largely comes down to uncertainty, whether an entire executive team is getting turned over, whether their company is acquired by private equity, whether there's, again, uncertainty as it relates to how is this company going to stay afloat financially because we need a round of funding. If you're not finding a way to communicate
Starting point is 00:18:02 those concerns to people you want to keep on board, you're going to lose them. And so figuring out retention policies associated with eliminating or at least reducing uncertainty for your quality employees is probably one of the first things you want to think about. Do you think that this could ultimately be a good thing, that we obtain kind of a longer-term sustainable equilibrium here? I absolutely do. I compare this with people I talk to outside of this industry. I compare what cybersecurity is going through and tech in general to the housing market. I mean, it's simply overheated. There's something like 2,000 cybersecurity vendors, mostly early stage, that are competing for CISO budget and experienced professionals. And for this industry to mature, ultimately there's going to have to be some consolidation and just a little less money getting thrown around. And that impacts me negatively.
Starting point is 00:19:06 But for the long-term health of the industry, as you referenced, this has to happen. That's Mark Sasson from Pinpoint Search Group. Financial scams are everywhere online and especially on social media these days. Our UK correspondent, Carole Theriault, thinks that Meta in particular needs to step up their game when blocking financial scams. So according to a UK consumer report publication named Which?, question mark included, known from now on as Which? magazine, dodgy investment ads are littering people's online feeds. The game plan, it seems, is to peddle misleading property and cryptocurrency investments to an unsuspecting audience. And the question that Which? magazine poses is, aren't companies like Facebook and Instagram all underneath Meta?
Starting point is 00:20:17 Why aren't they doing more about it? In this recent article, they outlined the findings of their investigation into dodgy ads and call for the government to pass the Online Safety Bill into law without any further delays. Now, Which? magazine worked with a consulting team to analyze adverts on Meta's Ad Library. This is where you can see which ads are visible to Facebook and Instagram users. They searched for investment adverts with clear risk factors, such as those that promised life-changing returns or failed to include risk warnings. They also report that repeat offenders are able to persistently post
Starting point is 00:20:59 dodgy adverts on Facebook and Instagram, meaning consumers could be misled into making risky investment choices and, in the worst cases, obviously falling victim to fraud. One very concerning collection of adverts they found was for a piece of software called Tesler. Not Tesla, but Tesler. They spotted 20 different Tesler adverts, and each raised eight serious risk flags, such as not having any risk warnings and promising sensational returns. When one of the Which? magazine researchers clicked on the ad, they were prompted to enter their contact details. And within an hour, they were called by a representative of the company and pressured to
Starting point is 00:21:46 set up a trading account amid claims that its sophisticated algorithm plays the trade with an 87% success rate. Hmm. Of all the investment ads that they looked at, Which? states that at least half were either peddling investment products or were crypto ads offering impossibly high returns without clarifying how they might be obtained. And Which? also found a small number of adverts for binary options, a form of trading banned in the UK back in 2019. The FCA has previously warned that any firm offering binary option services is probably a scam.
Starting point is 00:22:28 But here's the big thing. They say in their article, quote, if a consumer group and another charity can design algorithms to uncover these adverts, then tech giants should be able to create effective systems to do the same job on a bigger scale. And I don't think I could agree more. Boo-hoo if it's difficult to become a monolith in the technology industry and not do your utmost to block the dodgier ads. Surely a sliver more of your fat profits could go to that. This was Carole Theriault for the CyberWire. Cyber threats are evolving every second, and staying ahead is more than just a challenge.
Starting point is 00:23:21 It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:24:09 The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman.
Starting point is 00:24:28 The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Starting point is 00:25:33 Learn more at ai.domo.com. That's ai.domo.com.
