CyberWire Daily - Warnings on SentinelSneak. The rise of malicious XLLs. Updates from Russia’s hybrid war. An unusually loathsome campaign targets children.
Episode Date: December 20, 2022

SentinelSneak is out in the wild. XLLs for malware delivery. CERT-UA warns of attacks against the DELTA situational awareness system. FSB cyber operations against Ukraine. Trends in the cyber phases of Russia's hybrid war. Mr. Security Answer Person John Pescatore offers his sage wisdom. Microsoft's Ann Johnson from Afternoon Cyber Tea speaks with Dr. Chenxi Wang from Rain Capital. And an unusually unpleasant sextortion campaign.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/242

Selected reading.
SentinelSneak is not a legitimate SDK. (CyberWire)
SentinelSneak: Malicious PyPI module poses as security software development kit (ReversingLabs)
Malicious Python Trojan Impersonates SentinelOne Security Client (Dark Reading)
Malicious 'SentinelOne' PyPI package steals data from developers (BleepingComputer)
Cisco research on XLL Abuse. (CyberWire)
Threat Spotlight: XLLing in Excel - threat actors using malicious add-ins (Cisco Talos Blog)
Ukraine at D+299: Cyber operations 300 days into the war. (CyberWire)
Cyber Dimensions of the Armed Conflict in Ukraine (CyberPeace Institute)
Ukraine's DELTA military system users targeted by info-stealing malware (BleepingComputer)
Ukraine's Delta Military Intel System Hit by Attacks (Infosecurity Magazine)
Russia's Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine (Unit 42)
FBI and Partners Issue National Public Safety Alert on Financial Sextortion Schemes (Federal Bureau of Investigation)
HSI, federal partners issue national public safety alert on sextortion schemes (US Immigration and Customs Enforcement)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
SentinelSneak is out in the wild.
XLLs for malware delivery.
CERT-UA warns of attacks against the Delta Situational Awareness System.
FSB cyber operations against Ukraine.
Mr. Security Answer Person John Pescatore offers his sage wisdom.
Microsoft's Ann Johnson from Afternoon Cyber Tea speaks with Dr. Chenxi Wang from Rain Capital.
And an unusually unpleasant sextortion campaign.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, December 20th, 2022.
Researchers have discovered a campaign they're calling SentinelSneak, a malicious Python
package posing as a SentinelOne software development kit,
ReversingLabs reports.
Its researchers say that the package, named SentinelOne,
with no connection to the security firm of the same name,
was first seen in the Python Package Index on December 11, 2022.
It's described as a fully functional SentinelOne client that has a
malicious backdoor. SentinelSneak does not strike immediately after installation, Dark Reading
reports. The function lies dormant until triggered into action by another program. It's noted that
this shows the threat actor's desire to target the software supply chain
as a way to inject compromised code into targeted systems as a beachhead for further attacks.
These further attacks likely have not yet occurred, researchers say.
This is just the latest threat leveraging the PyPI repository
amongst the use by other actors of strategies like typosquatting,
ReversingLabs' researchers said in their advisory.
Researchers at Cisco Talos have published a report
looking at the ways in which attackers are using alternative methods
to execute malicious code via Office documents
as Microsoft phases out support for VBA macros.
Threat actors have recently started introducing malicious code
to documents using Office add-ins,
which are pieces of executable code in various formats and capabilities
that can be added to Office applications
in order to enhance the application's appearance or functionality.
XLL files specifically are useful for executing malicious code via an Excel document.
Talos explains, if the user attempts to open a file with the file name extension .xll in Windows Explorer,
the shell will automatically attempt to launch Excel to open the .xll file.
This is because .xll is the default file name extension for a specific class of Excel add-ins.
Before an .xll file is loaded, Excel displays a warning about the possibility of malicious code
being included. This is a similar approach as the message about potentially dangerous code,
which is displayed after an Office document containing VBA macro code is opened.
Unfortunately, this protection technique is often ineffective
as a protection against the malicious code,
as many users tend to disregard the warning.
Cisco Talos has observed several high-profile threat actors
using XLLs to deliver malware,
including the Chinese state-sponsored actor APT10
and the financially motivated gang FIN7.
The researchers conclude that XLL abuse is likely to succeed VBA-based attacks
as users upgrade their instances of Office.
The CyberPeace Institute has published its quarterly analysis of cyber operations
by both Russian and Ukrainian forces.
Auxiliaries continue to play a significant role on both sides,
and DDoS and influence operations retain their prominence among the tactics deployed.
Some of the activity in cyberspace during Russia's war has amounted to fairly conventional espionage.
A Washington Post opinion piece argues that Ukraine's ability to deploy
and make effective use of modern automated command and control systems
to process intelligence and conduct operations
has given it the advantage over the invaders.
Such systems would be obvious targets for Russian cyber operations,
and those indeed seem to have been attempted.
CERT-UA reports that over the weekend it had detected attempts against its DELTA system,
an automated situational awareness system. It's a phishing campaign that uses emails and instant
messages that misrepresent themselves as spot reports, but which carry FateGrab or StealDeal information-collecting malware as their payload.
CERT-UA offers no attribution and says it's been unable to link the campaign to any specific threat actor,
but circumstantially, at least, it looks like a Russian operation.
Palo Alto Networks' Unit 42 reports that the FSB group Trident Ursa has been highly active lately against
Ukrainian targets, stating, since our last blog in early February covering the advanced persistent
threat group Trident Ursa, also known as Gamaredon, UAC-0010, Primitive Bear, and Shuckworm,
Ukraine and its cyber domain has faced ever-increasing threats from Russia.
Trident Ursa is a group attributed by the Security Service of Ukraine to Russia's Federal Security
Service. As the conflict has continued on the ground and in cyberspace, Trident Ursa has been
operating as a dedicated access creator and intelligence gatherer. Trident Ursa remains one of the most pervasive, intrusive,
continuously active and focused APTs targeting Ukraine.
As has often been the case, the FSB's operations are less sophisticated
and more obvious than those of its sister bears,
but the FSB doesn't seem to care about this.
In its conclusion, Unit 42 writes, Trident
Ursa remains an agile and adaptive APT that does not use overly sophisticated or complex techniques
in its operations. In most cases, they rely on publicly available tools and scripts, along with
a significant amount of obfuscation, as well as routine phishing attempts to successfully execute their operations.
This group's operations are regularly caught by researchers and government organizations,
and yet they don't seem to care. They simply add additional obfuscation, new domains,
and new techniques, and try again, often even reusing previous samples. Continuously operating
this way since at least 2014, with no sign of
slowing down throughout this period of conflict, Trident Ursa continues to be successful. For all
of these reasons, they remain a significant threat to Ukraine, one which Ukraine and its allies need
to actively defend against. So, you don't have to be excellent, just good enough. Anything else, from the threat actor's point of view, is just gravy.
They're not artists, after all.
Finally, it would be unpleasant to report this at any time,
but it's particularly loathsome to have to mention it during the holidays.
The FBI warned yesterday that it had received, in the aggregate, more than 7,000 reports over the past year of financially motivated online sextortion of minors.
Around 3,000 individual children, mostly boys, are believed to be involved.
The scams, for the most part, originate outside the United States, generally in West African countries such as Nigeria and the Ivory Coast. The typical
modus operandi is catfishing, intending to lure the boys into some sort of compromising online
behavior, usually the posting of explicit photographs or videos, at which point the
criminals extort them for money payable by gift card, credit card, or some other transfer payment.
The FBI explains that financial sextortion schemes occur in online environments where young people feel most comfortable,
using common social media sites, gaming sites,
or video chat applications that feel familiar and safe.
On these platforms, online predators often use fake female accounts
and target minor males between 14 and 17 years old.
But the FBI has interviewed victims as young as 10 years old.
And of course, they advise parents and other responsible adults to talk to their children and do what they can to keep them safe.
And also, of course, to support and comfort them should they become victims nonetheless.
You stay safe out there.
Coming up after the break, Mr. Security Answer Person John Pescatore answers your questions.
Microsoft's Ann Johnson from Afternoon Cyber Tea
speaks with Dr. Chenxi Wang from Rain Capital.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for
cyber criminals to bypass your company's defenses is by targeting your executives and their families
at home? Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
Mr. Security Answer Person
Hi, I'm John Pescatore, Mr. Security Answer Person, coming to you a week early to beat the holiday rush.
Our question for today's episode,
Hi, we had a pretty good year last year, several fire drills, but no meaningful security incidents and no major noncompliance issues.
But I know we had vulnerabilities, and some of those fire drills could have turned into dangerous blazes.
You've said earlier that moving to multi-factor authentication should be top of the list for the new year,
and I've already got a small-scale trial going early next year, in 2023.
MFA aside, what should my 2023 New Year's resolution project be?
Ah, we are a quaint and hopeful species, aren't we?
Just because we believe that pinning a fresh new calendar up on the wall
somehow empowers us to eat better, get more exercise,
and mitigate all of last year's vulnerabilities.
But I've actually been thinking about a one-line answer to that question,
and I've come up with one. Get security built into at least one non-security process in 2023.
This is kind of a sneaky resolution. To many, it sounds kind of like Tom Sawyer
resolving to get someone else to paint Aunt Polly's fence for him. That may be skewing old. Read your
Mark Twain. But the reality is that IT operations has been essentially getting security to paint their fences for a long time.
Asset management, change management, patch management, privilege management,
those are functions that IT sysadmins own but often do poorly.
Most security teams are not responsible for server, PC, or network assets
and don't have the power to do adds, drops, changes, patches, etc.
This is a big topic for another day.
Let's focus on some simple ways of getting those other groups started on painting their own damn fences.
There's a relatively easy target and a harder target.
Let's start with the easy one, getting security built into cloud computing, specifically infrastructure as a service use such as Amazon AWS, Google Cloud Platform, and Microsoft Azure. The low-hanging
fruit is talking with the DevOps lead or cloud computing architect and seeing what they are
planning on doing for application performance management and visibility tools. Many of those
products look very similar to cloud security posture management tools.
If both sides can agree to use one product together, it will grease the skids for increasing
the fidelity of asset inventory and configuration monitoring in the cloud if you can work together.
A bit harder, but even more powerful. Convince them to base AWS, Azure, and or GCP infrastructure
as a service on the Center for Internet
Security hardened images available directly from the cloud service
providers. For reasonable increase in cost per CPU per hour you'll be able to
show big-time reductions in compliance and incident costs. If you're feeling
ambitious or the organizational tailwinds are in your favor, make friends
in IT and procurement and get some
key security requirements baked into all requests for proposals, evaluation criteria, and other
contract material for any software development or cloud services procurements. Point to the Biden
administration's recent requirements around supply chain security if you need a bigger breeze to fill
the sails. The SAFECode organization is a good source for information on software supply chain security,
as are NIST and CISA.
This can be as simple a start as requiring all software and cloud services vendors to
provide evidence that they use commonly available application vulnerability testing tools and
or managed bug bounty programs.
Supply chain security is like a snake swallowing a cow.
You have to start somewhere. It won't happen in one big gulp.
This is a great place to start.
An example of this at work is the Veracode Verified program.
Google Veracode Verified Directory,
and you'll see 16 screens full of software companies' logos where their products
have been tested by Veracode for secure software development and the absence of known vulnerabilities.
Convince your organization to think of buying new software like buying a used car. These days,
just about every used car purchase includes a Carfax check to find vulnerabilities before you
buy the car. Let's do at least that for software. I hate to leave you
on a depressing New Year's resolution note, but did you know that eating an entire can of Pringles
is way more healthy than eating that enormous banana nut muffin you're eyeing at the breakfast
buffet? Thanks for listening, and Happy New Year. I'm John Pescatore, Mr. Security Answer Person.
Mr. Security Answer Person with John Pescatore
airs the last Tuesday of each month right here on the CyberWire.
Send your questions for Mr. Security Answer Person to questions at thecyberwire.com.
Microsoft's Ann Johnson is the host of the Afternoon Cyber Tea podcast right here on the CyberWire Network.
In a recent episode, she spoke with Dr. Chenxi Wang from Rain Capital.
Here's some highlights from their conversation.
So can you talk about the last few years and how there's been this huge wave of capital invested in cyber?
Why has cyber been so attractive? And then what are you seeing right now?
So cyber has always been an interesting industry where it may not be as sexy as consumer tech
10 years ago, but it's always been there, the undercurrent of technology that everybody needed.
And as you and I both see in the industry in the last five, six years, we've seen more and
more regulations and compliance requirements, so that companies are now spending more money
and require more talent to run their cybersecurity operations. And also the threats have changed
tremendously. And we've seen more innovations in cyber in the last 10 years
than maybe all the years combined beforehand.
And those factors led to what we call a hot rising market
in the last two years or so, 2020 and 2021.
And I would say the pandemic accelerated the growth because moving from a campus-centric
company culture to remote working, one of the first factors you have to put in is networking
and it's secure networking, right? Secure remote communication, secure remote access, and all that came back to security.
So we saw a tremendous growth in the requirement, in the investment in security technology
through 2020 and 2021, which led to a huge infusion of capital. And I would say that's
probably a little overheated, the market. And we saw those unrealistic valuations
in 2020 and 2021, which I think we're going through a period of correction right now. And
I personally think the correction is needed. We just can't possibly grow the market at the same
rate that it was in 2021.
What would you be doing right now to make sure your company thrives and even survives
over the next 12 to 18 months?
Let's take this question apart from one is if you're raising your first set of capital
as founders, what you should do.
And the other one is for maybe existing founders who already raised capital, but is taking the company, wanting to take the company to the next phase of growth and obviously may need additional capital as well as how do they sort of structure the business model.
For the first case, if you are founders that are raising your first set of capital,
I would say the criteria for getting over the hump,
acquiring your first set of capital, have become significantly stricter,
meaning that you really have to bring your A game.
I was just telling this to a founder that I met at re:Invent just a few days ago, that it's no longer like
two people with an idea and a slide deck that's somewhat interesting can raise capital.
What you need to do is really do your homework and talk to potential buyers and customers
of your solution. Really understand what the market is asking for this type of capability,
what the customer journey will be like, what are your relative positions against related
products and functions out there. And ideally, not only come with ideas and possibly a prototype product,
but come with four or five potential design partners
or folks who have good things to say about your approach
and may even put their names behind it.
That's Ann Johnson from Afternoon Cyber Tea
speaking with Chenxi Wang from Rain Capital.
You can hear the entire interview on the Afternoon Cyber Tea podcast.
That's right here on the CyberWire podcast network.
businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep
your company safe and compliant.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland. Thanks for listening. We'll see you back here tomorrow.
AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI
and data products platform comes in. With Domo, you can channel AI and data into innovative uses
that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.