The CyberWire Daily Podcast 11.22.21
Ep 1464 | 11.22.21

Stealing from the best? An enigma in the criminal-to-criminal market. CISA’s holiday caution. Someone’s impersonating the SEC. Three weekend cyberattacks.


Tre Hester: The Lazarus Group seems interested in learning from - by which they mean stealing from - some of the world's leading state-sponsored cyber operators. Void Balaur remains an enigma, but it's the only player in the C2C market. CISA and the FBI warn all, but especially critical infrastructure operators, to remain alert during the holidays. Some scammers are impersonating the U.S. SEC. Dinah Davis from Arctic Wolf on what security gifts to get your family this year. Our guest today is Carole Theriault on online gaming during the pandemic. And cyberattacks are reported on an airline, a utility and a manufacturer of wind turbines.

Tre Hester: From the CyberWire studios at DataTribe, I'm Tre Hester with your CyberWire summary for Monday, November 22, 2021. 

Tre Hester: In an apparent effort to up its offensive security game, the Daily Beast reports North Korea's Lazarus Group is phishing Chinese security researchers. It's not clear whether they've enjoyed any success, according to researchers at security firm CrowdStrike, which tracks the Lazarus Group as Stardust Chollima. But they appear to be interested in obtaining zero-days in particular. 

Tre Hester: Quote, "for vulnerability research in particular, that would be interesting. It in effect allows you to collect and steal weapons that you can use for other operations. You can also give them insight into new techniques they're not aware of and how research is being conducted," end quote. CrowdStrike's vice president of research, Adam Meyers, told the Daily Beast, quote, "it also lets you know what the security posture looks like in other countries," end quote. 

Tre Hester: CrowdStrike reads the campaign as aimed at obtaining new attack tools that can be used for the financially motivated hacks Pyongyang uses to address the pariah regime's chronic fiscal shortfalls. The phishing techniques themselves are nothing out of the ordinary, either for threat group actors in general or for the Lazarus Group in particular. But they are interesting in that they seek to instill the kind of urgency social engineers seek to induce in their victims. The lures in this case aim at making the recipients uneasy, rushed and fearful. They warn of urgent tasks, they reference sensitive information about the recipient, or they represent themselves as coming from the boss. And what, after all, is scarier than that? 

Tre Hester: The Lazarus lures, which reference Chinese government security authorities, were designed for Chinese security experts. Quote, "in China, generally any email coming from any governmental-sounding body is considered the highest priority for any individual in the country," end quote. Vikram Thakur, a technical director at Symantec, told the Daily Beast, quote, "if a researcher gets a technical-sounding email from the government, the chances of that researcher clicking on the lure is extremely high," end quote. 

Tre Hester: If you're an active or aspiring criminal, you could develop your own tools, steal them as Lazarus Group seems to be doing, or you could buy them. The Rockethack group, which security firm Trend Micro researchers have been tracking as Void Balaur, is shaping up as an increasingly important player in the C2C market, CSO writes in an overview of the gang. Void Balaur is unusual in that it both advertises in Russophone criminal circles and hits Russian targets, which is an uncommon combination. 

Tre Hester: CSO speculates about the possibility that Void Balaur has succeeded in compromising insiders at various Russian enterprises, but that, of course, remains speculation. The targets they've been prospecting don't suggest any particular agenda beyond straightforward criminal financial gain. It will be interesting to see how long they remain in business until the authorities shut them down. 

Tre Hester: It's Thanksgiving weekend in the U.S., and the Cybersecurity and Infrastructure Agency, CISA, and the FBI have issued a joint advisory reminding organizations, and in particular their critical infrastructure partners, to be especially vigilant during the holiday season. Organizations should be in a heightened state of alert for phishing scams and fraudulent sites spoofing reputable businesses. It is possible malicious actors will target sites often visited by users doing their holiday shopping online and unencrypted financial transactions. They advise organizations to review their response plans and remind them that CISA has made playbooks available that should be helpful in keeping those plans up to snuff. 

Tre Hester: CISA has also issued an infrastructure dependency primer intended to help state and local governments in particular improve their resilience by understanding and planning for the ways in which dependencies shape risk. 

Tre Hester: What do we mean by dependencies? If you're not familiar with the concept, CISA offers this brief account. Quote, "dependencies are relationships of reliance within and among infrastructure assets and systems that must be maintained for those systems to operate and provide services," end quote. Dependencies can be unidirectional or bidirectional, and they often cross functional and jurisdictional boundaries, which make them easier to overlook than one might wish. In any case, if you're reviewing your response plans, consider taking a look at CISA's primer. 

Tre Hester: The U.S. Securities and Exchange Commission warned late Friday of spoofed communications that appear to come from the SEC but in fact originate with scammers. The communications arrive in many modalities, including phone calls, voicemails, emails and even old-school physical letters. 

Tre Hester: The caution they offer is familiar, but, unfortunately, as always, worth remembering. Quote, "SEC staff do not make unsolicited communications, including phone calls, voicemail messages or emails, asking for payments related to enforcement actions, offering to confirm trades or seeking detailed personal and financial information. Be skeptical if you are contacted by someone claiming to be from the SEC and asking about your shareholdings, account numbers, PIN numbers, passwords or other information that can be used to access your financial accounts," end quote. Apply the same caution to calls that claim to be from other agencies, especially if the phone call has all the background noise you'd expect from someone phoning it in from a low-rent boiler room. 

Tre Hester: And finally, there were several criminal cyberattacks over the weekend that deserve mention. Mahan Air, Iran's largest private airline, said that they successfully stopped an attack on what it characterized as internal systems. Bloomberg reports that Mahan's website went offline for a while Sunday, but the domestic flights continued without disruption. 

Tre Hester: In this case, text messages claimed responsibility for the attack. A group calling itself the Observants of Fatherland claimed that they were behind the incident, which they represented as a reprisal against Mahan Air for cooperating with Iran's Revolutionary Guards. The text said, according to the Daily Sabah, quote, "cyberattack against Mahan for complicity by the terrorist Guardians Corps," end quote. There was no evidence provided in support of the claim, and just who the Observants of the Fatherland might be - hacktivists or a deniable cat's paw for hostile intelligence services - remains unknown. 

Tre Hester: Riviera Utilities told Fox 10 News on Friday that its email systems were under attack. The Alabama utility said that no other systems were affected and that operations continued normally. 

Tre Hester: And Vestas, the world's largest manufacturer of wind turbines, disclosed that it sustained what Reuters describes as, quote, "a cybersecurity incident and has shut down its IT systems across multiple business units and locations to contain the issue," end quote. The incident took place on November 19. But beyond that, Vestas has provided little in the way of details. The company is investigating, working to restore its systems and is cooperating with law enforcement. 

Tre Hester: Our U.K. correspondent Carole Theriault joins us to discuss online gaming during the pandemic. 

Carole Theriault: So when I was a kid, we had a ColecoVision as a gaming console, and us three kids would save up our allowances from summer jobs like mowing the lawn or weeding the garden to buy games like Pac-Man and Donkey Kong. And we only had two handsets, so you can imagine the fights we had and the deals we made to get extra time on the controller. Like, we loved playing, but as we only had a single television for us all to share, we were naturally limited to how often we could play. I mean, "The Muppet Show" or "Magnum, P.I." or "Moonlighting" took precedence, obviously. 

Carole Theriault: Now we all have our own devices, and that gives us unlimited access to all manner of online gaming. Now we can game during commutes, in bed before we sleep and after we wake, even during toilet breaks. And we all took to gaming like fish to water. We fit it around our lives - school, work, the gym, hobbies, outings with friends, family. 

Carole Theriault: But my, oh, my, did the pandemic change things. No real surprise - most of us faced some pretty strict lockdowns, meaning you had to find some distraction somewhere, and online gaming welcomed millions of new players and saw existing players play tons more. 

Carole Theriault: The University of Glasgow published a report in May on the impact of the pandemic on online gaming. Pre-pandemic, 10% of those that took part in this research played several times a day. Post-outbreak, that number skyrocketed to 40%. 

Carole Theriault: But the research reveals that, overall, the impacts of gaming were positive on the subjects. Gaming seemed to provide stress relief through escape. It allowed people to socialize in a way that did not contravene the rules. It is a welcome distraction from the news. There's a feeling of control within the context and confines of the game, something that we were all missing when news was coming out every day about the pandemic. 

Carole Theriault: Now, the University of Glasgow just looked at adults. But what about kids? According to National Geographic, it seems the findings were the same. Pre-pandemic, most kids in the United States were already clocking in at least an hour a day on games, with Roblox and Minecraft among the most popular for kids. But with schools closed and in-person socializing limited, those numbers exploded. 

Carole Theriault: Quote, "the Pew Research Center of Internet and Technology found that video games are a major venue for creation and maintenance of friendships, especially for boys. According to the study, more than half of teens made new online friends, and a third of them came through video games." 

Carole Theriault: So why has China further restricted access to online gaming for kids and teens to one hour a day on weekends and holiday evenings? The Chinese administration said, according to The New York Times, quote, "recently, many parents have reported that game addiction among some youths and children is seriously harming their normal study, life and mental and physical health." 

Carole Theriault: So is online gaming good for kids? I think only time will tell. But, gosh, ask any parent or adult living alone during the pandemic. I suspect they'll say that online gaming was a lifesaver. I mean, why not ask the kids and teens in your immediate circle? How many of them could cope with just a few hours a week of access to online gaming platforms or services? I bet many a jaw will drop. In fact, I bet many would offer to eat plain gruel every morning rather than have to give up their online gaming practices. Feel free to tweet us their answers. 

Carole Theriault: This was Carole Theriault for the CyberWire. 

Dave Bittner: And I'm pleased to be joined once again by Dinah Davis. She is VP of R&D operations at Arctic Wolf and also the founder and editor-in-chief at Code Like a Girl. Dinah, it is always great to have you back. You know, we're coming up on the holiday season here, and I know for me personally, there is nothing I like to have in my Christmas stocking more than some sort of security gift. 


Dave Bittner: I thought maybe you and I could go over how to be the most popular person in your family. What sort of security gifts do you have in mind this year? 

Dinah Davis: I can help you be that person this year. 


Dave Bittner: Oh, terrific. Go on. 

Dinah Davis: But I think - I mean, security is important, and I think we do want to help - gently help our friends and family improve their security, right? 

Dave Bittner: Sure. 

Dinah Davis: So there's a couple of things that we can do. You can gift someone a password manager subscription. That might be great for your parents. They may not want to spend the money on that or understand the value in it. 

Dave Bittner: Right. 

Dinah Davis: But it is quite important, and you can help them with that. Another one is - especially maybe for your teens - a webcam cover. They may not realize how often people could actually see what they're doing, and maybe they don't want that. Well, we should, you know, be helping them understand that they don't necessarily want that. 

Dave Bittner: Right, right. 

Dinah Davis: And then another one, which is - it's security related but not cybersecurity related - is an RFID blocking wallet. You know, it's really easy - think about all the, like, the tap and pay that happens today. It's - would not be hard for people to get close enough to your wallet if they know where it is and bring up a device and do a tap and pay from your Visa card, right? You can get really nice ones now. Like, I have a beautiful RFID wallet from Fossil. I'm just saying you don't have to get something ugly. 

Dave Bittner: (Laughter) Right, right. Oh, that's interesting. You know, I mean, I suppose you could make sure that everybody gets a YubiKey in their stocking this year. But I guess that part of the downside is for those of us who give out those sort of gifts - I'm thinking of the password manager, for example - that also puts you on the hook for being tech support, right? 

Dinah Davis: Yes, but you were going to be tech support anyway. Let's be real. 

Dave Bittner: Yeah, that's true. There's no getting away from that. There's no getting away from that. 

Dinah Davis: (Laughter) No. If you have cybersecurity professionals in your life, then what you must do is you must buy them a kitschy mug for Christmas. It's a must - you know, like Yoda be - Yoda Best Cybersecurity Expert or hacking cheat sheet on a mug or something like that. 


Dave Bittner: Yeah, that's good. I saw one for my "Caveat" co-host, Ben Yelin. I saw a mug that had the names of all of the great Supreme Court cases. 

Dinah Davis: There you go. 

Dave Bittner: You know, it's perfect for him, right? 

Dinah Davis: Yeah, yeah. Exactly, exactly. There's all kinds of stuff out there today. 

Dave Bittner: Yeah, yeah. All right, well, good ideas, thoughtful gifts, as always. Dinah Davis, thanks for joining us. 

Tre Hester: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Tre Hester: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Tre Hester, filling in for Dave Bittner. Thanks for listening, and we'll see you tomorrow.