The CyberWire Daily Podcast 4.1.21
Ep 1302 | 4.1.21

Holiday Bear’s tricks. Phishing for security experts. Industrial cyberespionage. Human error and failure to patch. EO on breach disclosure discussed. Malware found in game cheat codes.


Elliott Peltzman: U.S. Cyber Command and CISA plan to publish an analysis of the malware Holiday Bear used against SolarWinds. The DPRK is again phishing for security researchers. Exchange Server exploitation continues. Stone Panda goes after industrial data in Japan. Human error remains the principal source of cyber-risk. A U.S. Executive Order on cyber hygiene and breach disclosure nears the president's desk. David Dufour from Webroot on the three types of hackers and where you've seen them recently. Rick Howard checks in with our guest Sharon Rosenman from Cyberbit on SOC Evolution. And gamers? Don't cheat.

Elliott Peltzman: From the CyberWire studios at DataTribe, I'm Elliott Peltzman filling in for Dave Bittner with your CyberWire summary for Thursday, April 1, 2021. 

Elliott Peltzman: And sure, we know it's April Fools' Day, but all of this is for real. Dave really is at home having a well-earned day off. And I can personally guarantee you that everything you're about to hear is true, to the best of our ability to determine. For us, it's April No-Foolin' Day. 

Elliott Peltzman: CyberScoop yesterday reported that U.S. Cyber Command and CISA, the Cybersecurity and Infrastructure Security Agency, were soon to release a malware analysis report detailing the hacking tools used by Holiday Bear in the Russian cyber-espionage campaign that compromised the SolarWinds software supply chain last year. The report is expected to describe 18 pieces of malicious code the Russian operators used and to detail how they were able to move across affected networks. It is also expected to go beyond the reporting so far developed and published by private sector researchers. 

Elliott Peltzman: As BankInfo Security reminds everyone, patching the SolarWinds Orion platform, while necessary, isn't sufficient to secure an organization against this form of attack. You've also got to find the threat and expel it from any affected systems. 

Elliott Peltzman: Google's Threat Analysis Group yesterday published an update on a North Korean campaign that's targeting security researchers. The researchers observed the campaign's beginning back in January, but within the last two weeks have seen it evolve. On March 17, the campaign established fake accounts for fictitious personae represented as working for an equally bogus company, SecuriElite. 

Elliott Peltzman: SecuriElite is presented as an offensive security company based in Turkey that offers penetration testing, assessments and exploits. The fake company has a website and is supported by at least two phony LinkedIn profiles and two equally phony Twitter accounts. Google didn't find malware hosted in any of the come-on sites or accounts, but they've reported the accounts to the appropriate social media platforms and added the website to Google's Safe Browsing as a precaution. 

Elliott Peltzman: Security firm Digital Shadows has today published an overview of where we are with respect to the exploitation of the ProxyLogon vulnerabilities that threat actors have exploited against Microsoft Exchange Server. The principal takeaway Digital Shadows offers is that, even though an estimated 92% of vulnerable Exchange Server instances have been patched, the cyber gangs who've barged in behind Hafnium continue to use the exploits in various crimes - for the most part, cryptojacking and ransomware attacks. 

Elliott Peltzman: This indicates, Digital Shadows says, quote, "that enough damage may already have been done and with more to come in the near future," end quote. 

Elliott Peltzman: Researchers at Kaspersky have outlined a campaign by APT10 directed against Japanese industrial targets. APT10 is the Chinese government advanced persistent threat also known as Red Apollo, MenuPass, Potassium and Stone Panda. The goal is apparently industrial espionage. 

Elliott Peltzman: The campaign is a long-running one that's been active, generally, at least since March of 2019. The most recent surge in activity came this January. According to Kaspersky, quote, "the actor leveraged vulnerabilities in Pulse Connect Secure in order to hijack VPN sessions or took advantage of system credentials that were stolen in previous operations," end quote. The Hacker News explains, quote, "The infection chain leverages a multi-stage attack process, with the initial intrusion happening via abuse of SSL-VPN by exploiting unpatched vulnerabilities or stolen credentials," end quote. 

Elliott Peltzman: This morning, Cyberinc, a security company that specializes in zero-trust browser isolation, released its inaugural Cyber Insights Report. This 2021 edition presents the results of an end-user survey on cyberthreats and the ways in which companies are trying to set themselves up to make more informed security decisions. 

Elliott Peltzman: Cyberinc wrote, quote, "the report reveals that in the people-process-technology triad, human error is the top reason for breaches, accounting for 70% of successful attacks. The next biggest cause is vulnerability management through patches and upgrades, accounting for just 14% of successful attacks," end quote. So help your people be successful, and for heaven’s sake, patch while the patching’s good. 

Elliott Peltzman: But don't be too hard on your people either. Remember that for many of them, an essential part of their job involves opening emails and following links. Even the best intentioned and best informed can go astray, unfortunately. Some mistakes are dopey ones, but not all of them are. 

Elliott Peltzman: Nirav Shah, Cyberinc's COO, said in the company's announcement of their study, quote, "it's simply not realistic to expect that employees can make the right judgment call on the credibility of a potentially malicious email. We see examples all the time where individuals unknowingly click on something that looks legitimate and cause their organization to be a victim of a costly malware attack. But it's not their fault. Mistakes are human nature," end quote. 

Elliott Peltzman: Bloomberg reports that the much anticipated executive order on breach disclosure has been drafted but has yet to reach U.S. President Biden’s desk. It’s expected to do so within the next few weeks. Sources tell Bloomberg that, quote, "companies doing business with the federal government would be required to report hacks of their computer networks within a few days," end quote. 

Elliott Peltzman: The executive order would also mandate that federal contractors meet certain software standards, including a requirement that vendors provide a software bill of materials when they delivered their products to federal customers. And there are also provisions that are said to prescribe various improvements to federal agencies’ security practices, including mandatory use of two-factor authentication and improved data encryption. 

Elliott Peltzman: And finally, game cheat codes are a familiar part of the gaming world, even if they’re not quite the thing and not really fair. But now there’s another reason to avoid them altogether. If you won’t listen to your conscience, then at least consult your self-interest. Cisco Talos researchers have discovered that bad actors are introducing malware into files gamers would use to download and install cheat codes. So who cares? Well, if you're a gamer, you should. Not only could the malware injected into your device compromise your privacy, but, if you’re working from home and tending to mingle business with fun, you’re also placing your organization at risk. Come on now. You know who you are. And this is no April Fool prank, either. Stay safe out there. 

Elliott Peltzman: The CyberWire's own CSO, Rick Howard, has been talking to experts about SOC operations. Here's Rick. 

Rick Howard: I got the chance to talk to Sharon Rosenman about the current state of SOC operations. He is the chief marketing officer at Cyberbit, an Israeli company that provides hands-on training for SOC personnel. But when he was younger, he spent 20 years in the Israeli Air Force, and it's that experience that shaped his approach to training SOC personnel. 

Sharon Rosenman: When I didn't fly or train for more than a month, I lost all my certifications. I wasn't allowed to do anything. When I needed to learn how to land or take off, I didn't take a course. 

Rick Howard: (Laughter). 

Sharon Rosenman: I actually went into a flight sim, and I actually did that a few times before I was allowed to actually do it in real life. In a SOC, as a hands-on, completely practical profession, we don't do that. We either send people to courses or we let them learn on the job. In a SOC, you train once every six months, but that's totally fine. Why? It doesn't make sense - right? So we need to maintain our muscle memory, we need to train much more and we need to do it by means of simulation because that's the way that we're going to respond to an incident in real life. We're going to work as a team. There's going to be pressure. We need to see how these things look like before we actually experience in the real world. And today, all the SOC professionals, they've never seen an attack before until they've experienced one on the jump, which doesn't really make sense. 

Rick Howard: What Sharon is getting at is absolutely true. SOC operations is a team sport, and you shouldn't exclusively learn how to do it on the fly. 

Sharon Rosenman: Even before COVID, organizations have been telling us that they have to change the way that they maintain their skill. It's something that used to be done once, twice or three times a year. It's just not enough anymore. Moreover, when you don't even have the option to travel to do a course twice a year, you're basically losing your skill set. Being an incident responder or a SOC analyst is a hands-on skill, just like sports. You haven't done it for a while, there is an incident, you're not performing well. That's something you need to keep maintaining. It's a muscle you need to keep working on. 

Sharon Rosenman: We were running SOC teams in simulations. For some of them, it's the first time they've been put into a real-world, full-scale incident. And we see that the reasons that many of them are failing is not because they don't know how to use Splunk or their firewall and so on, it's because they don't know how to work as a team because it's something they've never done before. 

Rick Howard: Which begs the question, what skill sets to your SOC analysts need to be good at their jobs so that your organization can reduce the chance of material impact due to some future cyberattack? Clearly, they need to be a bit technical. They need to understand the security stack that they are monitoring and the telemetry that they will get from that stack. They also need to understand the intrusion kill chain concept and how they can use the security stack to monitor and prevent a cyber adversary's attack sequence. 

Rick Howard: But those are table stake skills. What may be even more important are the soft skills they bring to the table during a crisis. In other words, how do they communicate the technical risk that they have identified into business risk the senior leaders can understand? You really don't want to start practicing those skills during a crisis. You might want to practice them beforehand. 

Sharon Rosenman: We need to put more focus on our people to help them build skills like critical thinking, for example - like investigation, to develop an open mind and a type of skill set working under pressure and so on - soft skills. I keep getting back there because this is something that organizations haven't really figured out. That being a good incident responder or a good SOC analyst, a lot of that is your soft skills. It's a combination of soft skills and technical skills, and you have to work on both and you have to develop both. 

Sharon Rosenman: When you need to communicate to a CEO or a CFO, for example, during a ransomware incident what's going on, we need to take decisions together. Are we paying the ransom? What are the risks? Currently, what areas of the organization are at risk? Identify the specific point of communicating technical information to non-technical staff is a bottleneck in the incident response process - ties directly into teamwork, communication skills. And communicating non-technical information to non-technical is obviously having the understanding of the tools, they need the understanding of the technologies, they need the understanding of basic IT fundamentals and they need to understand what the attacker techniques look like. In terms of the soft skills, I would look primarily at teamwork and communication skills, which are the most important ones. 

Rick Howard: Anybody that has been in the military, like Sharon in the Israeli Air Force, knows the value of realistic training. In the U.S. Army, where I came from, they have an entire desert base dedicated to force-on-force training called the National Training Center. The idea that we might train SOC personnel in a similar force-on-force simulated environment seems like a no-brainer. In that way, we can train our analysts not only on the technology they will use in a crisis, but also how they will communicate with their peers and leadership. 

Elliott Peltzman: That's the CyberWire's own Rick Howard. 

Dave Bittner: And joining me once again is David Dufour. He is the vice president of engineering and cybersecurity at Webroot. David, great to have you back. I want to touch base on something I know you've been tracking, and that is this notion that you've got three types of hackers that you're dealing with and where we may have seen them recently. What do you want to share with us today? 

David Dufour: Well, yeah. You know, David, we're always talking about what's available career-wise in the cybersecurity industry, and we never seem to talk about if you wanted to go the hacker route - you know, malicious actor - what those job opportunities look like for you, so... 

Dave Bittner: (Laughter). 

David Dufour: We've kind of... 

Dave Bittner: (Laughter) OK. You know there's a reason why we don't talk about that... 

David Dufour: Oh... 

Dave Bittner: ...But go on. 

David Dufour: OK. 

Dave Bittner: Go on (laughter). Go on. 

David Dufour: Well, no, seriously. You know, as we're, you know, teeing up our adversaries and wanting to make sure, you know, we understand what the motivation behind malicious actors are, it's kind of good to really put them in some buckets. And these aren't the definitive buckets, but they really help. And there's really three types. There's the impersonator, the opportunist and then the infiltrator. And most hacking techniques fall into one of these three buckets. 

Dave Bittner: All right. Well, go on. 

David Dufour: All right. So the impersonator, that's someone who's usually using social media, or they're trying to get your bank accounts. So they're trying to act like you to get you to give them information. And so maybe they're acting like your bank, or they're acting like your friend on social media. And really, their goal in the tools they use, the software they implement is trying to make them look like someone other than who they are. Again - because most hackers are trying to do something for a purpose - they're trying to get your banking information or your social media information for some nefarious purpose. 

Dave Bittner: OK. 

David Dufour: Then we have the opportunist. And this is a hacker that typically in a lot of - we're seeing a lot of this with ransomware in small government entities and things like that, where someone is not particularly concerned about who they're hacking, but they've written software that takes advantage of exploits, of problems in software, and they're just blasting the stuff out there to see who they can get to click on something or to see who hasn't patched a computer. 

David Dufour: And their goal is to take advantage of opportunities on scale. They're not so much worried about who they hack as much as they're seeing how many people they can hack and then from that, you know, cause problems or steal or things like that. And then finally is the infiltrator. And this is someone who - you might get confused between the opportunist and the infiltrator. The infiltrator is specifically targeting an industry or a specific company or individual because they - there's some value they have for getting the information in that industry or that person may have. 

Dave Bittner: I mean, that's typically where espionage would fall into, yes? 

David Dufour: Yes. So a lot of times, if you had me, you know, put kind of who's doing what, the impersonator is someone trying to get your bank account information, make some money. The opportunist is that more sophisticated hacker who has the ability to make tools to put out there so that they can, you know, run massive campaigns. This is a lot of times organized crime. And the infiltrator is the one that's typically government or very large entity-backed. 

Dave Bittner: So what are your recommendations for folks to kind of, you know, dial in where they best aim their resources at protecting themselves here? 

David Dufour: Yeah, I think that's a great question. And if I'm a consumer, let's say, I care about the impersonator most, and then I care about the opportunist. Unless, you know, you're Dave Bittner, you don't really care about the infiltrator because no one's really... 

Dave Bittner: (Laughter). 

David Dufour: ...Trying to - there's no massive government out there trying to hack you. But seriously, consumers, they care about the impersonator and the opportunist. And what you got to do there is patch your systems. You got to make sure you've got good antivirus and you're backing up. That's the basics. Now, the infiltrator, that - they're targeting organizations. And there, you probably are big and have deep pockets, and you really do need to put in some money behind your cybersecurity posture where you're doing monitoring, so, you know, you're doing real-time detection, things like that. 

Dave Bittner: Yeah. So the folks who are likely to be the target of the infiltrators, chances are they know it. 

David Dufour: That's exactly right. You know some... 

Dave Bittner: (Laughter). 

David Dufour: Yeah, you know, if you're the welding shop down the road fixing, you know, Jeep Wranglers, you're probably not having the infiltrator come after you. But if you're the, you know, U.S. government building warships or something, people are going to try to hack your systems. 

Dave Bittner: Yeah. Yeah. All right, good information. David Dufour, thanks for joining us. 

David Dufour: Hey, great being here, Dave. 

Elliott Peltzman: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Elliott Peltzman: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Elliott Peltzman filling in for Dave Bittner. Thanks for listening.