The CyberWire Daily Podcast 11.29.21
Ep 1467 | 11.29.21

Reply-chain attacks. Intelligence services go phishing. Civilian targets hit in Israeli-Iranian cyber conflict. The Entity List expands. Russo-Ukrainian tensions rise.


Dave Bittner: Reports of a reply chain incident at a major international furniture and housewares retailer. North Korean operators are phishing for South Korean marks using bogus Samsung recruiting emails. Fancy Bear has been seen pawing at Gmail. A regional escalation to civilian targets in the cyber conflict between Iran and Israel. More organizations are added to the U.S. Entity List. Johannes Ullrich looks at decrypting Cobalt Strike. Our own Rick Howard wonders if executives really need to know how to drive that tank. And tension between Russia and Ukraine continues to rise.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, November 29, 2021. 

Dave Bittner: IKEA has been working to contain a continuing phishing campaign that's afflicting the furniture and housewares chain's internal email system. Bleeping Computer describes it as a reply chain email attack. Again, that's not supply chain, but reply chain. 

Dave Bittner: This form of attack is unusual but not unknown. The attackers obtain a legitimate corporate email and reply to it. Bleeping Computer explains, quote, "as the reply chain emails are legitimate emails from a company and are commonly sent from compromised email accounts and internal servers, recipients will trust the email and be more likely to open the malicious documents," end quote. 

Dave Bittner: IKEA is working to contain the problem and so far has said little about how the attackers succeeded in compromising internal emails. 

Dave Bittner: Among the revelations of last week's Google Threat Horizons report is an account of how North Korean operators approached South Korean targets online by posing as Samsung recruiters. Microsoft tracks the responsible threat actor, The Record says, as Zinc, which is more commonly known as the familiar Lazarus Group. Sure, they are recruiters, but not the kind you'd have in mind. 

Dave Bittner: Threat Horizons also has an interesting note on another intelligence service's social engineering. In this case, the responsible organization is also familiar. It's Russia's GRU, specifically Fancy Bear. In this case, Google's Threat Analysis Group describes a Gmail phishing campaign in which, at the end of September, a large-scale phishing effort was mounted against more than 12,000 Gmail accounts. Threat Horizons writes, quote, "the attackers were using patterns similar to TAG's government-backed attack alerts to lure users to change their credentials on the attackers' controlled phishing page. The attackers kept changing the email subject line but used a variation of critical security alert," end quote. 

Dave Bittner: Google says it blocked the messages and that, to the best of their knowledge, no one was compromised. But the phish bait in this case seems unusually shiny and plausible. Fancy Bear wrote, quote, "there's a chance this is a false alarm, but we believe that government-backed attackers may be trying to trick you to get your account password. We can't reveal what tipped us off because the attackers will adapt, but this happens to less than 0.1% of all users. If they succeed, they can spy on you, access your data or take other actions using your account. We recommend change your password," end quote - not bad, except for faltering in the last sentence, where we recommend change your password sounds like Ensign Chekhov talking. 

Dave Bittner: The link in the phishing email directed the unwary to what appeared to be a Gmail account page. The font wasn't right, but that's easily overlooked by someone willing to get that far. And the goal, of course, was credential theft. 

Dave Bittner: The shadow quasi-cyber war between Iran and Israel seems not only to be intensifying, but also, according to The New York Times, which sources its conclusions to anonymous U.S. intelligence sources, entering a phase in which both sides seem willing to hit clearly civilian targets. An attack that disrupted Iranian fuel stations and the doxxing of Israeli participants in an LGBTQ online community both represented themselves as the work of hacktivists, but both incidents seem to be the work of fronts run from Jerusalem and Tehran. 

Dave Bittner: So you might ask, what's the difference? Well, U.S. Army Field Manual 6-27, published to offer guidelines for commanders on the laws of armed conflict and intended to reflect not just national, but international law, is as convenient a place to start as any. FM 6-27 explains the distinction like this. Quote, "an ordinary inhabitant of the enemy state would be a civilian, but a member of the enemy armed forces or a member of a terrorist group or a nonstate armed group would not be a civilian," end quote. And civilians are supposed to be protected wherever possible and not to be made targets. 

Dave Bittner: Much discussion of protecting civilian targets from cyberattack has concentrated on critical infrastructure - things like hospitals, power grids and the like. And not even the most expansive definition of critical infrastructure includes discount gasoline, still less a dating site. 

Dave Bittner: Well, then what's the problem with bopping a gas station or a dating site, you might ask. Think of it this way. Buying gas or swiping right are things people do as people, not as members of a military formation. You're filling up with regular or arranging lunch, not hauling ammunition or serving an anti-aircraft gun. And disrupting aspects of ordinary civil life does seem to amount to an escalation, at least a small one. So swipe left, targeteers. The laws of conflict in cyberspace are still undergoing development, and neither of the incidents The New York Times discusses amount to anything close to a war crime, but a little initial restraint might be something to think about. 

Dave Bittner: Just before the Thanksgiving holiday, the U.S. Commerce Department added 28 organizations to its Entity List of sanctioned groups. The countries most directly affected are China, for a range of technologies, including quantum computing with military applications, Pakistan, for ballistic missile proliferation, and Russia, for military R&D. 

Dave Bittner: Tensions between Russia and Ukraine remain high. The U.S. Embassy in Kyiv last week reiterated warnings to travelers urging them to avoid the Crimea and Ukraine's eastern regions. The AP reported Saturday that Ukrainian President Zelenskyy said Kyiv's intelligence services had uncovered Russian plans for a coup d'etat in Ukraine within the week. Cyber operations can be expected to keep pace with the conflict, and we hope that things turn out less badly than the worst fears in Kyiv, Washington and elsewhere would predict. 

Dave Bittner: Russia has denied any ill intentions, as has the oligarch mentioned in dispatches by President Zelenskyy as the probable figurehead of a pro-Russian coup. 

Dave Bittner: And we end on a sad note. Dark Reading's founder and longtime editor-in-chief Tim Wilson lost his struggle with cancer last week, passing away far too early at the age of 59. The excellent magazine he organized and led is a fitting legacy for a journalist who will be missed. Our condolences go out to his family, friends and colleagues, and we're sure we're not alone in our appreciation for his work. 

Dave Bittner: And it's always a pleasure to welcome back to the show Rick Howard. Of course, he is the CyberWire's own chief security officer, also our chief analyst. Rick, it's always great to have you back. 

Rick Howard: Hey, Dave. Welcome back from Thanksgiving vacation. 

Dave Bittner: Thank you. Thank you - feeling rested, tanned and ready to go. 


Dave Bittner: So on this week's "CSO Perspectives" show, you are giving us another one of your Rick the Toolman episodes, which, I got to say, I love. 


Dave Bittner: Now, this show caters to security practitioners at all levels. We're talking about everybody from the Tier-1-and-above analyst to the mid-managers and all the way up to the security executives who are at a senior level. But it does tend to skew towards the leadership team. And I'm curious, from your perspective, you know, why should they be interested in how these security tools work? Isn't that more the part of the day-to-day security operators? Isn't this a little - I don't know - below the pay grade of those executives? 

Rick Howard: (Laughter) Well, you know, that's a great point. And I think that many security executives might agree with you. You know, they would prefer to stay, like, in policy land and budget land and those kinds of things. But let me make my case using one of my favorite World War II movies, the 1970 movie "Patton." Do you remember that one? 

Dave Bittner: Oh, sure, yeah - I mean, George C. Scott playing Patton. 

Rick Howard: Yeah. 

Dave Bittner: It doesn't get much better than that, right? 

Rick Howard: Doesn't get any better, right? And so there's a scene early in the movie when Patton's II Corps goes up against Rommel's Afrika Corps and defeats them. And there's this great little moment when Patton, in victory on the battlefield, yells out, Rommel, I read your book (laughter). I love that. 


Rick Howard: I'm sure that Patton probably knew how to drive a tank, right? But that's not the skill set we're looking for here, OK? What was important was that Patton knew how to deploy the tanks in total as a tool, as well as the artillery, the infantry and all of his aviation assets. 

Dave Bittner: I see. So if I'm getting what you're saying here, security execs don't necessarily need to know how to configure a firewall, but they do need to understand all the ways in which you can deploy a firewall. In other words, say, they need to understand what it can do, the possibilities, so they can set the direction for their team. 

Rick Howard: That's exactly right. And so we talk about cybersecurity first principles strategies a lot in this podcast. And security executives who don't understand the tools at their disposal have no hope in pursuing their cybersecurity strategies. They don't have to know how to drive the tank, so to speak, but they do have to be able to articulate to their infosec team about how they want the tank to be deployed to support their first principle strategies. 

Dave Bittner: All right. Well, so what tank are we talking about in this week's Rick the Toolman episode? 

Rick Howard: So we're talking about XDR or extended detection and response. It's a relatively new idea - started around 2018. And it has a long way to go before it becomes a useful tool for everybody. But these XDR kinds of tools may become the security orchestration platform we've all been waiting for. 

Dave Bittner: All right. Well, we'll look forward to that. It is "CSO Perspectives" - part of CyberWire Pro. You can find that on our website. Rick "The Toolman" Howard, thanks for joining us. 

Rick Howard: (Laughter) Thank you, Dave. 

Dave Bittner: And joining me once again is Johannes Ullrich. He's the dean of research at the SANS Technology Institute and also the host of the ISC "StormCast" podcast. Johannes, always great to have you back. Wanted to touch today on Cobalt Strike and attempts to decrypt some of their traffic. What can you share with us today? 

Johannes Ullrich: Yeah, so Cobalt Strike, of course, is the tool of choice for many attackers to gain persistent access to a system and essentially send commands and exfiltrate data. Cobalt Strike has an option to encrypt the traffic, and it's using AES - so the advanced encryption standard - which is quite secure if implemented well, and Cobalt Strike does implement it reasonably well. 

Johannes Ullrich: In order to decrypt the traffic now, you need the key. And the trick is, where do you get the key from? Well, Didier Stevens, who is one of our Storm Center handlers and is also a consultant in Belgium - he's very famous for all these little Python scripts that he came up with to analyze malware. And he now came up with a script that allows you to not only decrypt Cobalt Strike command control traffic if you have the key, but also to find the key. 

Johannes Ullrich: And there are really two sources where you can find the key. No. 1 - well, some of those keys got leaked. Attackers are leaking their data, too. It's not just the good guys that do that. 

Dave Bittner: (Laughter). 

Johannes Ullrich: And in particular, if they're stealing each other's software like Cobalt Strike, they end up with the same key. So they took a look at various sort of leaked Cobalt Strike samples that he found, and he noticed there's actually only a handful of different keys that they used that allows you to decrypt the vast majority of the actual sort of Cobalt Strike installations found in the wild. So he now, in his tool, added those keys. 

Johannes Ullrich: The other way how you can get the key is from memory, but that gets a little bit more tricky. Now, in old versions of Cobalt Strike, you could basically just find the keys in memory. In newer versions of Cobalt Strike, they made it a little bit more difficult. So you first need a little traffic sample of the encrypted traffic, then you can find the key. 

Johannes Ullrich: Sounds difficult, but Didier to the rescue. He now came up with a Python script, of course, that allows you to take that traffic sample and use that then to find the keys in memory of an infected system. And then you plug it into Didier's next script and decrypt the traffic for you. 

Dave Bittner: You know, where can we find these resources that Didier publishes? What's the best place to track them down? 

Johannes Ullrich: If you're searching on our Internet Storm Center website for Didier's post, he links to them. But yeah, as usual, just a Google search for Didier Stevens and Cobalt Strike and download the first binary that comes across. If it's a binary, it's probably bad. He only publishes Python scripts, so... 

Dave Bittner: (Laughter) Fair enough. All right, well, one of the good guys out there helping folks take care of bad situations. Johannes Ullrich, thanks for joining us. 

Johannes Ullrich: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.