CyberWire Daily - What the cybercriminals are up to: improving their tools and carrying out the same old dreary social engineering. Budworm APT sightings. And the state of Russia’s hybrid war.
Episode Date: October 13, 2022
Emotet ups its game. COVID-19 small business grants as phishbait. Google Translate is spoofed for credential harvesting. Research on the Budworm espionage group. Kevin Magee from Microsoft shares why cybersecurity professionals should join company boards. Our guest is Chris Niggel from Okta with a look at identity shortfalls. And Internet outages during missile strikes, and the prospects of Russia's hybrid war.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/197
Selected reading.
Emotet's evolution. (ESET)
Fresh Phish: Small Business COVID-19 Grants Designed for Disaster (INKY)
Spoofing Google Translate to Steal Credentials (Avanan)
Budworm: Espionage Group Returns to Targeting U.S. Organizations (Symantec Blog)
Internet outages hit Ukraine following Russian missile strikes (Bitdefender)
Starlink helped restore energy, communications infrastructure in parts of Ukraine - official (Reuters)
Ukraine's Vice PM Thanks Starlink for Help to Restore Connections After Missile Attack from Russia (Tech Times)
We must tackle Europe's winter cyber threats head-on (POLITICO)
The conflict in Ukraine makes us rethink cyberwar (The Japan Times)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Emotet ups its game. COVID-19 small business grants as phishbait. Google Translate is spoofed for credential harvesting. Research on the Budworm espionage group. Kevin Magee from Microsoft shares why cybersecurity professionals should join company boards. Our guest is Chris Niggel from Okta with a look at identity shortfalls, and Internet outages during missile strikes and the prospects of Russia's hybrid war.

From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, October 13th, 2022.
ESET researchers tweeted yesterday that the criminal operators of Emotet have been improving their product's system info module with changes that enable malware operators to improve the targeting of specific victims and distinguish tracking bots from real users. They've also changed the system attributes Emotet collects and reports back to its command and control. The new list includes processor brand, size of physical memory in megabytes, and an approximate percentage of it being in use.
Inky has published a report on the use of small business grants as phishing lures. Scammers are impersonating the U.S. Small Business Administration to distribute phony grant applications hosted on Google Forms. The SBA has stopped accepting applications for COVID-19 relief, but the scammers are counting on their victims having overlooked that. The Google Form asks the user to submit their personal and financial information, including their Social Security number, driver's license details, and bank account information. The usual marks of a scam are present, as well as Google's report abuse button and its customary warning, never submit passwords through Google Forms. Those last two don't normally find their way into phishing scams.

Researchers at Avanan describe phishing emails that are impersonating Google Translate in order to steal users' email credentials. The emails inform users that they have pending incoming emails, and they'll need to confirm their account within 48 hours in order to receive the emails. If the user clicks the links, they'll be taken to a phony Google Translate page with a login field. Avanan's researchers explain, in the background you can see the HTML that goes into turning this site into a Google Translate lookalike. One of the JavaScript commands they use is the unescape function. This is a classic command that helps obfuscate the true meaning of the page. Further, when decoding the JavaScript, you'll see that the security service would see a bunch of gibberish. The phishing page looks fairly convincing, but users should note that the phishing page's URL looks very suspicious, ending with translate.goog doesn't quite cut it.

The Symantec Threat Hunter team this morning released research on the Budworm cyber espionage group. Budworm has recently been observed targeting a Middle Eastern government, a multinational electronics manufacturer, a U.S. state legislature, and a hospital in Southeast Asia. The group leverages Log4j vulnerabilities to compromise Apache Tomcat for installation of web shells. Budworm makes extensive use of HyperBro malware, often installed through DLL sideloading. This involves attackers placing a malicious DLL file where a legitimate one can be expected. The payload is executed when the application runs. Budworm has also been seen using CyberArk Viewfinity, an endpoint privilege management tool, to sideload. While HyperBro has been Budworm's primary choice recently, researchers have also observed the PlugX/Korplug Trojan in use. The group has historically targeted Asia, the Middle East, and Europe, but has now, for the second time, been linked to an attack on a U.S. target. Researchers say that the shift to U.S. targets could mean a directional change for Budworm. Also known as APT27 or Emissary Panda, Budworm is generally believed to operate on behalf of the Chinese government, according to The Hacker News and others.
According to Bitdefender, some areas of Ukraine experienced internet outages, mostly associated with power failures and physical disruption of communication links during Monday's Russian missile strikes. Bitdefender says data from Cloudflare indicated a 35% dip in Internet availability as multiple explosions caused power outages. Reuters reports that both electrical and communications services have largely been restored. Ukrainian officials credit Starlink with an important role in the swift recovery.

The massive Russian cyber attacks, almost universally expected when Mr. Putin went to war against his smaller neighbor back in February, have not materialized. Apart from some early and quickly remediated successes with wiper malware in the opening days of the invasion, Russian offensive cyber-ops have been largely confined to nuisance-level defacements and DDoS. Some acts of physical sabotage against European infrastructure, followed by some recent dark musing by President Putin about how terrorism holds the globe's infrastructure at risk, have again elevated concern about the possibility of a destructive Russian campaign that this time around might actually work as advertised. Mr. Putin's remarks are playing a double game in a double narrative. He'd like the world to think the sabotage, like the war itself, is the work of his present boogeymen and boogeywomen, those Anglo-Saxon British and the Americans. But he'd also like to remind the world that the sabotage could just as easily be Russian work, and that their pipelines, telecommunications, or power grids could be next.

An essay in Politico argues that subscribing to a narrative of fear with respect to Russian cyber attacks against infrastructure would be, in effect, doing the Kremlin's work. The essayists argue that energy infrastructure is an obvious target, but that the war so far has shown how effective cyber resilience can be in thwarting attacks. More to the point, there's the risk of disinformation and influence operations, creating the appearance of an effective threat where there may in fact be none in the offing. To some extent, the failure of the bears, Fancy, Cozy, Energetic, the whole cuddly ursine tribe, to show up in a big way may reflect the same sort of underperformance seen elsewhere in Russia's military operations. The U.S. Deputy National Security Advisor for Cyber, Anne Neuberger, outlined Russia's record in cyberspace during the war at a Washington Post conference this morning. So, defense can work with preparation, cooperation, resilience, and resolution. Shields up.
Coming up after the break, Kevin Magee from Microsoft shares why cyber professionals should join company boards. Our guest is Chris Niggel from Okta with a look at identity shortfalls. Stay with us.
The security strategy of zero trust has been gaining momentum, with some saying this year is a tipping point when it comes to widespread adoption. Security firm Okta recently published their 2022 State of Zero Trust report. Chris Niggel is regional chief security officer of the Americas at Okta, and I checked in with him for some highlights from the report.

We've been generating the State of Zero Trust report since 2019, when we found that businesses were kind of discrediting the concept of zero trust networking. And what we saw was a real need for organizations to understand the importance of the adoption of this technology.

Where are some of the common misconceptions that you see? Where is there an understanding gap here?

I think the understanding gap is organizations see zero trust as another formative network change where they need to make kind of a big bang change in how they're approaching security. And really, zero trust is a journey. It's something that we're all working towards and really is an extension of the changes that we're seeing in the security posture right now of moving from on-prem to cloud technologies.

What were some of the key findings in the report that caught your eye?

Some of the key findings in this year's report were really focused on a significant increase in adoption of zero-trust networking across organizations. Most significantly, we saw a huge jump in the adoption of zero-trust networking by our government customers, driven, I think, primarily by the zero-trust memo that came out. We've also seen a significant change in the adoption for healthcare, which I think is a very important change given the importance of that sector to all of our lives.

Where do you suppose we're headed here? I mean, it really seems like there's a lot of momentum behind this.

With the COVID pandemic, all organizations needed to make a very rapid change to different technologies, different capabilities to allow their employees to work from home. And with the zero trust adoption, we're now seeing organizations build the security controls back in that they need to have in order to make good use of those technologies.

What is your response to folks who are still skeptical about the notion of zero trust? I mean, there are still folks out there who, when they hear the term, they kind of roll their eyes a little bit.

The zero trust concept has definitely been a bit of a marketing buzzword over the last couple of years. And so my response to that would be to look at what the security needs are of your new working environment. As organizations adopt more cloud technologies, there's a need to move the security controls out to the users and to the data. And if you approach it that way, you're still addressing a zero-trust network model, but you're doing that in a way that's providing direct benefit to your employees and your organization right now.

What are your recommendations for organizations who are considering this journey here? I mean, where do you recommend they get started?

We recommend organizations look at their identity and access management platforms. When we consider zero trust, the core components of that security model are understanding the access requirements of the users, of the devices, and of the data. And so identity is a key part of both the users and the device aspects of those three pillars. By starting with identity management, you're able to quickly build that first pillar of access and be able to do it in a way that provides an immediate benefit to your employees, to your customers, to your users in giving them quick access to the things they need to do to complete their jobs every day.

That's Chris Niggel from Okta.
And joining me once again is Kevin Magee. He is the Chief Security Officer at Microsoft Canada. Kevin, always great to welcome you back to the show.

Hi, Dave. Thanks for having me back.

I want to touch today on the relationship between the cybersecurity pros and boards of directors, and specifically, you know, those cyber folks getting a seat on the board. I know you have some thoughts on this.

I know a lot of the discussion we have now is about, you know, how we should communicate to the board and whatnot as cybersecurity professionals. I think we're missing the opportunity to actually sit on the board as cybersecurity professionals. And I think the root of it is, it's sort of like a grade eight dance. Someone's got to get it all started and bring the two sides together. So every board I talk to wants to have a cybersecurity professional on it. And every cybersecurity professional I talk to would love to be on a board, but there seems to be this mismatch and difficulty in bridging that gap that I'm really interested in figuring out how to solve.

What do you think is going on here? I mean, I see from time to time, I see people say that chief security officers, chief information security officers, they'll say they're chiefs in name only, that they have the title, but maybe not the status within organizations. Is there something to that?

Well, it doesn't even have to be the board of the organization you're on. In fact, I think it's better if you look at another alternative organization that you could be on a board of, either a charity or not-for-profit. In Canada, hospitals have independent boards, startups have boards. It's a great opportunity to really not only expand your understanding of how the business works so that you can have better conversations back in your day job, but also add some serious value to the discussions that are taking place around the table because you can add a very unique perspective as a cybersecurity professional. And that's what I've really found, my sort of unique background. I'm the only person often that's not an accountant or a lawyer on the board. So I look at things very differently and can provide a very unique perspective. And I was very intimidated at first because everyone else was an accountant and lawyer, that I wouldn't be able to add some value. But that's not proven to be the case.

How do the other board members look at you and the things you can contribute?

Well, again, the first time I showed up and I was very concerned about contributing and wanted to look smart in front of my peers. And I call this the current ratio epiphany. I was in an audit committee meeting and they're all talking about the current ratio and everyone seemed rather concerned. But it'd been 25 years since I took financial accounting and I wasn't quite sure. So finally, at some point, I raised my hand and I said, what is the current ratio? And should it be bigger? Should it be smaller? And they took the time to explain to me. And had I not done that, I would have been acting on information that I didn't know. And why? Because I'm a type A, and I didn't want to look dumb in front of my peers. And that's when it dawned on me, the accountants, the lawyers, when a cybersecurity issue comes up, same thing happens. They don't want to look dumb in front of their peers. So they're often acting on information or making decisions on information that they don't understand. And they're often afraid to ask the question. So having someone with a technical background that can provide that context, that can be the coach and whatnot on the board, can make all the difference to improving the performance of that board.

And how do you suggest people go out and find these opportunities?

Finding the first one is always the hardest. I tried five years to get on a board and then once I finally got on a board, everyone wanted me on their board. So it can be difficult. It's much like getting that first job. So what I think is just educating yourself on what the role of a board director or trustee or governance is really all about. And there's some great books online or some great free trainings you can look at to do that. But understanding the role of the governor and then approaching an organization that you have a commitment or a connection to. I'm on the board of trustees of my university where I graduated from. A great chance to give back as well, too. And you have that deep connection that makes it easier to make that first step. But really educating yourself and just going out and asking and seeing who really needs some help in those areas. Most boards have nominating committees. So finding out who the nominating committee chair, governance chair is and having a coffee chat or a discussion with that person would be a great idea. Biggest thing is just don't be afraid to do it. Like I said, I was so nervous walking into that room. I would have nothing to add. And it turns out I have a great deal to add. Imposter syndrome, I think, sometimes holds us back more than anything from achieving a seat on the board.
All right. Well, Kevin Magee, thanks for joining us.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.