The CyberWire Daily Podcast 12.1.21
Ep 1469 | 12.1.21

Trends among the APTs. Imaginary times and imaginary places. Flubot in Finland. Emotet false alarms in Office. Smishing for Iranian Android users. CISA’s ICS advisories. Moscow on cybercrime.


Dave Bittner: RTF template injection is newly favored by APTs. Malware hides in February 31. Milords and miladies, the Principality of Sealand hath been hacked. Finland's National Cyber Security Centre warns of a large-scale Flubot campaign. False alarms are flagging Emotet where it isn't found. Iranians are victimized by a smishing campaign. CISA issues industrial control system advisories. Kevin Magee from Microsoft is really trying to rid the world of passwords. Our guest is Mike Hendrickson of Skillsoft to discuss turning the tide in this fight against cybercrime. And Mr. Putin says Russia is in favor of international cooperation against cybercrime.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, December 1, 2021. 

Dave Bittner: Researchers at Proofpoint describe an attack technique recently favored by state agencies - RTF template injection. The APTs using the technique are associated with China, Russia and India. The approach itself isn't new, but its ready availability, effectiveness and ease of use have made it attractive to APTs. Proofpoint expects to see the usual trickle-down effect, with criminal gangs following the trail blazed by intelligence services. 

Dave Bittner: So let's see - 30 days hath September, April, June and November. All the rest have 31, save February, which has 28 and leap year. That's 29. So, yes, that is right. Kids, there is no February 30, still less a February 31. But imaginary dates might have the same usefulness for fraud that imaginary places have. Swamp land real estate, imaginary Central American principalities and the like have occupied places of honor in the history of fraud for centuries. Now it's the turn of February 31. Security firm Sansec observed a novel malware obfuscation technique during the run-up to Black Friday's shopping season. CronRAT was found hiding in the Linux calendar system in February 31. 

Dave Bittner: The researchers say, quote, "CronRAT's main feat is hiding in the calendar subsystem of Linux servers on a non-existent day. This way, it will not attract attention from server administrators. And many security products do not scan the Linux cron system. The remote access tool enables server-side Magecart data theft, which bypasses browser-based security solutions," end quote. 

Dave Bittner: Is there an imaginary place in the cyber news, too? Well, yes, yes, there is, after a manner of speaking. Mac Observer and others have reported that the website belonging to the Principality of Sealand has been hacked, infiltrated by cybercriminals who've installed web-skimming malware on the Principality's site. So what? you might ask, and then, well, where's Sealand? Sealand is an actual physical place. It's a Second World War vintage Maunsell fort about seven and a half miles off the coast of Suffolk. That's Suffolk, England, not Suffolk, Long Island, we note for the sake of any provincial Yankees who may be listening. Maunsell sea forts were big, heavy platforms resting on two substantial concrete pillars. They've all been decommissioned and abandoned for 50 years or more. But several of them still stand, too robust for easy demolition and removal. 

Dave Bittner: Sealand, which styles itself as an independent principality, although no government in the world takes that seriously, and which has in the past made money with such wheezes as pirate radio stations, now has a revenue stream sustained by selling titles of nobility. You can become a lord or a lady, a baron or a baroness for the low, low price of just 44.99. A knighthood will run you 129.99. 299.99 will make you a count or countess. And for $656.53, you, milord or milady, can get yourself created a duke or a duchess. Each title comes with an attractive certificate suitable for framing. 

Dave Bittner: That the prices are denominated in Yankee dollars suggests, to our shame, that the aspiring arrivistes are more likely to come from Suffolk County, Long Island than they are from the county of Suffolk in England. Anyhoo, the site's been hacked, so the prudent wannabe nobles would be advised to search elsewhither. 

Dave Bittner: FluBot is back in circulation, Finland's National Cyber Security Centre warns. Basically an information stealer used to take pay card information and contacts, FluBot is also used to stage other malware. The present campaign is a two-stage phishing campaign. The initial bait lures the user to a malicious site, at which point the user is invited to install an app which is, of course, malware. The emails are written in Finnish but are marred by the absence of certain characters used in that language and also by what NCSC-FI calls the illogical use of other irrelevant non-alphabetic characters. 

Dave Bittner: It's a high-volume campaign. Quote, "We have received many reports about FluBot messages. During previous campaigns, the malware sent messages to thousands of new victims. According to our current estimate, approximately 70,000 messages have been sent in the past 24 hours. If the current campaign is as aggressive as the one in the summer, we expect the number of messages to increase to hundreds of thousands in the coming days. There are already dozens of confirmed cases where devices have been infected," end quote. 

Dave Bittner: So again, a wary user would hesitate to click and then hesitate to approve a download. In this case, the users would be well-advised to take counsel of their fears. 

Dave Bittner: Emotet is also back, as many have noted, and Deep Instinct has an account of the current state of the malicious botnet along with tools for detecting it. But not all Emotet warnings are genuine. According to BleepingComputer, Microsoft Defender for Endpoint is blocking some innocent Office documents because false positives indicate Emotet activity. 

Dave Bittner: The Hill reports that a financially motivated smishing campaign is active against Iranian Android users. Israeli security firm Check Point thinks the activity is unconnected with either a nation-state or with anti-Iranian hacktivists, both of which have been suspected in recent high-profile cyberattacks against Iranian targets. The researchers think this is a case of simple criminality, the work of a gang and not an espionage service. But of course, that's an assessment that should, given the current state of heightened regional tensions, be taken with appropriate reservations. 

Dave Bittner: The Hill quotes Check Point as saying, quote, "The velocity and spread of these cyberattacks are unprecedented. It's an example of a monetarily successful campaign aimed at the general public. The campaign exploits social engineering and causes major financial loss to its victims despite the low quality and technical simplicity of its tools," end quote. 

Dave Bittner: CISA released seven industrial control system advisories yesterday. The affected products all have patches and mitigations available, so if that is your neck of the woods, check out CISA's advisories. 

Dave Bittner: And finally, we've heard that TASS is authorized to disclose that Russian President Vladimir Putin, noting the increased rate at which Russia itself experiences cybercrime, said, quote, "We suffer from this ourselves. We understand the importance of joint work on this track, and we will be doing it," end quote. So that's good. Everyone should be glad to find Mr. Putin on the side of the angels here, or at least on the side of John Law. So one might expect some movement against the privateers, right? Of course. Right. 

Dave Bittner: Here's one Mr. Putin might consider sending the militia, the Russian police, after - Mr. Yevgeniy Polyanin, allegedly a numero in the REvil gang. Mr. Polyanin is said to be living it up insofar as that's geographically and culturally possible in the Siberian city of Barnaul. Be on the lookout for him tooling around in his favorite ride - a nicely loaded Toyota Land Cruiser. What? He's, like, too good to drive a Bremach 4x4 like the rest of us? The nerve of this guy. 

Dave Bittner: One of the things that happens when there's a major breach or security incident is that people who are responsible in an organization for knowing all the things about that particular security area tend to bone up on their skills and review their knowledge just to be sure they're up on the latest. This gives the providers of online training a unique view into what security professionals think are critical skills. Mike Hendrickson is vice president of Tech & Dev Products at online training provider Skillsoft. 

Mike Hendrickson: So in 2021, we saw large spikes in March and April, which coincided with that more infamous HAFNIUM state-sponsored attack. And it really showed up quickly in our thing. Microsoft released a report on NOBELIUM attacks in late May, and we saw a correlation there again where learning went up. So the interesting thing is, since 2019, the two years of the pandemic that we've gone through, we've seen a 53% increase in the number of hours that learners are spending on security training. And if you look at where is that happening, there are definite industry sectors. Eighty percent of all of our industry sectors saw a big increase. The top five increases in security training were the legal industry, which is very interesting to be No. 1; energy and utilities - you can understand the reasons there; health care, which is important for everyone; training and development and then nonprofit. Those are the ones that saw the biggest spikes in increase in their learning and development. 

Dave Bittner: Yeah, that's fascinating. I mean, it really does track. As you say them, I'm sort of nodding my head along, like, yeah, that makes sense. That makes sense. It also strikes me, though, I think, as you alluded to, that it's a bit reactive, right? When a bad thing happens and people go out there and they say, you know, I better make sure that I'm up to date on these things, from an organizational point of view, I suppose we'd be better off if we were spreading this training out throughout the year. 

Mike Hendrickson: Absolutely. You know, there's a couple of things that I also look at with spreading it out, but also what's happening in an enterprise because security is one of those areas, as I'm sure you're well aware, that cuts across everything in an organization. You know, you might have a programming development group. You might have a cloud group. You might have a, you know, software release group, probably infrastructure group, IT-oriented things. But security is the one area that cuts across all of them. So it's interesting the top courses we're seeing being consumed are things like OWASP Top 10 items that people are basically boning up on the fundamentals of security. And then secondly, the second one - and this is, I think, really tied to the adjacent technologies - cloud security fundamentals is our No. 2 as far as people consuming security content around cloud. 

Mike Hendrickson: And that's a really interesting - kind of indicates to me there's a little bit more than lift and shift going on with the cloud that people are actually starting to say, hey, we have to do this right. We have to make sure that everything is clean and secure - both - and performant, hopefully, as well. So we're seeing more of this - security cuts across so many of the different areas that we work in. And that's why, sometimes, it's harder to measure because if you categorize it in programming, you have to make sure you look for that same sort of, you know, did it land in that area, or is it in - clean in the security area? So from that perspective, really like seeing that the fundamentals are really important, as are all the adjacency technologies that are being consumed. 

Dave Bittner: You know, I think security training, in particular, gets a bit of a bad rap with a lot of organizations and individuals. You know, if you say to someone, hey, it's time for our annual security training, you rarely have someone say, oh, goody. But it is necessary. And I think there are organizations who are implementing this as part of their corporate culture, who are doing quite a good job. Are there any common things that you all see with the organizations that are successful here for how they implement it into their company culture? 

Mike Hendrickson: Yeah, there are a couple of things that I think are really key for most organizations. One is, look at your management staff. So we have a whole new what we call Aspire journey that takes leaders and decision-makers through really stringent security training. So when you think about it, if your leaders don't really understand all of the concepts and things that are happening today, you're more vulnerable if there aren't - they aren't aware of the right trade-offs to make or someone's selling them - you know, use this tool, and all of our problems are gone, when maybe that tool isn't the one they need. 

Mike Hendrickson: First and foremost, make sure your leadership team has the security training they need to make good decisions for your organization. And then secondly - I think - and this is probably the most important one - is start to pivot towards a DevSecOps model, where your security is always integrated with your development programs, that it isn't develop an application, a service, a product and then throw it over the wall to the security guys to test to make sure it's safe. Involve them at the very beginning, and make sure you do this from the very start. So that whole DevSecOps model is, I think, a really important ingredient in the future. And if it's working for DevOps, why shouldn't it be the same thing for security? Always on, always deployed, always secure. 

Dave Bittner: That's Mike Hendrickson from Skillsoft. 

Dave Bittner: And joining me once again is Kevin Magee. He's the chief security officer at Microsoft Canada, and we note that Microsoft is a CyberWire sponsor. Kevin, always great to have you back. You know, Microsoft recently announced that you all are making a big move towards a post-password-secure world - that if people don't want to use passwords anymore when it comes to logging into their Office 360 stuff, they don't have to. Let's dig into that. What - exactly what's going on here? What does it mean to the users? And where do you all at Microsoft think this is going in the future? 

Kevin Magee: Well, thanks for having me back, Dave. And I love your post-passwordless world. I... 

Dave Bittner: (Laughter). 

Kevin Magee: That's a great vision to move forward to. I'm going to use that going forward. I really just think about when I was a kid, and I had one key, and I wore it on a string around my neck. And I had to maybe remember my combination for my locker or my bike, and that was even a stretch for me. I can't imagine even how many passwords I have to manage and remember at this point. This has really become, you know, an area where even the media makes fun of sort of the password challenges we're having now. You see in movies someone hammers the keyboard for a few seconds, says, I'm in, and it's done. 

Kevin Magee: Passwords need to go, and we need to find something better. The problem is we've really struggled to figure out what that next step is. I've really been torn. If we eliminate the password, where do we go? Is it going to be more secure? Is it going to be less? I think the next step is really to eliminate the password because it is the easiest attack vector for attackers and move into this post-password world that you're speaking of and to do it as soon as possible. 

Dave Bittner: So what are our options here? I mean, when you and your colleagues think about it, what is next? What's both easy for consumers and pros to use but, at the same time, secure? 

Kevin Magee: I think part of the problem is just human nature. You know, we've, as an industry, really inflicted horrible password policy decisions on users for years. You know, you have to have at least 47 unique characters, no less than 48, no repeats, has to include a bunch of numbers, a handful of punctuation marks, several elven runes... 

Dave Bittner: (Laughter). 

Kevin Magee: ...And it can't, you know, resemble anything you've ever used before. It's so frustrating for users. It should take 30 seconds to change your password. It takes seven hours, and it leaves you, you know, enraged, emotionally spent and, you know, starts to affect your work. So now when you move home, I have to enter a password on things like an Xbox with a controller and whatnot. It's just becoming more difficult. So the incentive of human nature is to make passwords easier to remember and less effective, so we're fighting human nature. 

Kevin Magee: So taking that away from the user and finding multifactor authentication, we use our Microsoft Authenticator app now where it can scan my face, and it saves it on the local device. It knows it's me, provides me a number to enter or whatnot, a second factor. These are simple, easy ways that users can interact without having, you know, these challenges or the emotional damage and infliction of these corporate policies to change your password - to just make it easier for individuals to interact with their applications. And we feel at Microsoft that using digital empathy, making the user experience great while providing a password alternative, will actually, you know, make us not just much more compliant to corporate policies but also just more willing to use these applications 'cause they're simply easier. 

Dave Bittner: Yeah. I have to wonder if, you know, having the big players like Microsoft lead the way with this, if that's going to get us where we need to be, where - because I think it's easy for a lot of businesses to say, well, if it's good enough for Microsoft, a big player in the industry, well, then OK. We're going to take a look at this. 

Kevin Magee: And I think that's exactly right. We have to have a number of the sort of key vendors in the industry sort of adopt this approach and really run with it to ultimately make the difference and make users feel comfortable using it. And there was a lot of stir the first week or so when the announcement was - went out and some false reporting - Microsoft's going to allow you to log in without a password. You know, we're still going to ask you to log in securely and, in fact, we think even more securely. 

Kevin Magee: But people who have made the change could just never go back. That's what they're telling me. And I think about my experience as an employee. When I open up my laptop, it scans my face using Windows Hello. It recognizes who I am. I never have to add another password, yet I can navigate my day and do my work very securely. I can't imagine the horror of going back to managing multiple passwords for multiple applications. So even as a user, I don't want to use an application that's not sort of certified or blessed by my IT department because then I'd have to manage it separately. So that's really cutting down on users, you know, resorting to shadow IT, which is ultimately reducing the threat risk to the organization. 

Kevin Magee: But it also just makes for a much greater experience. Instead of IT or security being the Mr. No or the thing that gets in the way of doing my work, it's actually allowing me to do my work better, faster and easier, which is the promise that we've been trying to make for years to the industry; that we were going to solve this. And I think we're finally taking those first few steps. 

Dave Bittner: Do you think we could see a future where a password - you know, a username and password combination isn't - is no longer an option, where it's just been phased out completely? 

Kevin Magee: I think we almost have to. We're starting to really go into a prove phase right now, where we're seeing how some of these new ways of authenticating really work. And the early results are that they're working much better. They're providing a great deal more security and whatnot. It will just be a matter of time to really sort of get the world to shift away from password 'cause that's the way we've always sort of done things. So there will be a cultural change as well. 

Kevin Magee: But also, just think of how many systems you have passwords for that need to be updated, all these legacy systems and whatnot. It will take time to get there. So finding ways to accelerate that really can make a difference. 

Kevin Magee: But the customers I've worked with that have done pilots and proof of concept, the user feedback is so overwhelmingly positive that I think that's the number one thing that's driving our organizations to rethink it. And then number two, just the cost savings of not having to manage password resets; the frustration, the lost productivity as well, too. So those are the two things I really feel are driving most companies to really look at a post-password future much more - sooner than they would have otherwise. 

Dave Bittner: Yeah. Well, count me in as someone who can't wait for us to reach that day. Kevin Magee, thanks so much for joining us. 

Kevin Magee: Thanks, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.