The CyberWire Daily Podcast 9.6.22
Ep 1656 | 9.6.22

Notes on the C2C market. A new cyberespionage threat actor has surfaced. Sharkbot made a brief return to Google Play. Privateering and catphishing in the hybrid war.


Dave Bittner: A phishing-as-a-service offering on the dark web bypasses MFA. The Worok cyberespionage group is active in Central Asia and the Middle East. Prynt Stealer and the evolution of commodity malware. Sharkbot malware reemerged in Google Play. BlackCat and ALPHV claim credit for an attack on the Italian energy sector. Joe Carrigan shares stats on social engineering. Our guest is Angela Redmond from BARR Advisory with six cybersecurity KPIs. And the Los Angeles Unified School District was hit with ransomware.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, September 6, 2022. 

Phishing-as-a-service offering on the dark web bypasses MFA.

Dave Bittner: Yesterday, researchers at security firm Resecurity reported an interesting discovery in the criminal-to-criminal market. They found a new C2C offering called either EvilProxy or Moloch that sells phishing-as-a-service. And we note in passing that the hoods are growing increasingly direct and literal in the way they name their wares. EvilProxy is interesting in that it shows some ability to bypass multifactor authentication. It's a commodity service, but an advanced one. As Resecurity observes, the productized underground service like EvilProxy enables threat actors to attack users with enabled MFA on the largest scale without the need to hack upstream services. That is, it represents a more direct mode of attack than the recent Twilio compromise did. It also represents an advance in criminal capability. Reverse proxy and cookie injection attacks have been seen before as ways of evading multifactor authentication. But hitherto, it had been state-directed intelligence services who had been observed using these techniques. The methods are now being made available to criminals. 

Worok cyberespionage group active in Central Asia and the Middle East.

Dave Bittner: Security firm ESET has released research into a threat group it's calling Worok. They characterize it as sophisticated, and while sophisticated is thrown around a lot, in this case, ESET uses it with some justice. They say Worok is a cyberespionage group that develops its own tools, as well as leveraging existing tools to compromise its targets. The motive is espionage. Stealing information from their victims is what they believe the operators are after because they focus on high-profile entities in Asia and Africa, targeting various sectors, both private and public, but with a specific emphasis on government entities. It's unclear whom Worok is working for, despite some circumstantial overlap with other groups, some of them associated with Beijing. ESET says, activity times and toolset indicate possible ties with TA428, but we make this assessment with low confidence. Their custom toolset includes two loaders, one in C++ and one in C# .NET and one PowerShell backdoor. And ESET invites contributions from other researchers, saying, while our visibility is limited, we hope that shedding light on this group will encourage other researchers to share information. 

Prynt Stealer and the evolution of commodity malware.

Dave Bittner: Zscaler researchers report that Prynt Stealer, an info stealer being traded in the C2C market, turns out to have been designed to defraud the criminal customers who bought and employed it. The malware itself has been developed from open sources and legacy malware, mostly AsyncRAT and StormKitty. Zscaler says, many parts of the Prynt Stealer code that have been borrowed from other malware families are not used but are still present in the binary as dead, unreachable code. AsyncRAT gives Prynt Stealer a multifunctional remote access Trojan. And StormKitty contributes the information stealer. Code similarities suggest that Prynt Stealer's developers may also have been involved with WorldWind and DarkEye malware. 

Dave Bittner: What the criminal customers don't count on getting with their purchase is a backdoor the developers inserted to funnel the stolen information back to themselves. Zscaler says, the backdoor sends copies of victims' exfiltrated data gathered by other threat actors to a private Telegram chat monitored by the builder's developers. While this untrustworthy behavior is nothing new in the world of cybercrime, the victims' data end up in the hands of multiple threat actors, increasing the risks of one or more large-scale attacks to follow. The bad faith is interesting but not particularly surprising. What's most striking about Prynt Stealer is the waypoint it marks in the continuing evolution of malware into a poorly constructed but good enough commodity suitable for operation and even development by relatively unsophisticated threat actors. 

Sharkbot malware reemerged in Google Play.

Dave Bittner: NCC Group's Fox-IT unit reports that Sharkbot has resurfaced in an improved form, versions 2 and 2.5, carried by two compromised apps that were made available in Google Play, Mister Phone Cleaner and Kylhavy Mobile Security. The two compromised security apps between them attracted some 60,000 downloads before being removed from Google Play. The newer versions of Sharkbot retain the malware's original functionality, including key logging, SMS interception, overlay attacks that display a phishing site and remote control over affected devices. To these, version 2.5 adds a cookie stealer. The operators have also expanded their targeting to include victims in Spain, Australia, Poland, Germany, the United States and Austria. 

BlackCat/ALPHV claims credit for attack on Italian energy sector.

Dave Bittner: The BlackCat/ALPHV ransomware privateers have claimed responsibility for an attack against Italian renewable energy provider GSE. This is the most recent in a string of attacks against Western European energy sector targets, BleepingComputer reports. It had earlier hit Eni SpA, the largest energy company in Italy, with minimal effect on the utility's operation and has also claimed the attacks against natural gas pipeline and electrical grid operator Creos Luxembourg S.A. and the German oil supply company Oiltanking. BlackCat/ALPHV is a Russian gang widely believed to represent a rebranding of the BlackMatter/DarkSide group. And so this seems to be a continuation of privateering in Russia's hybrid war. 

US military doxed, possibly by Conti remnants.

Dave Bittner: Vx-underground claims that someone is posting 11.84 gigabytes of United States military contractor and military reserve data. The data was acquired in a 2022 breach of databases in Puerto Rico. And those who are advertising the data dump on Telegram say they're making the data available in response to the atrocious acts that U.S. has been involved with all these years without regard for human lives. It's unclear who's leaking, but vx-underground speculates, we suspect the now-defunct Conti ransomware group is distributing United States military data they acquired when they breached Puerto Rico. So those responsible might be a Conti successor, Conti alumni or even a revenant Conti itself. Vx-underground is an online repository for malware, a not-for-profit that collects malicious code. It's not a criminal organization but rather a resource for researchers. 

Catphishing for target indicators.

Dave Bittner: Social media continue to present an opsec challenge to Russian forces. Ukrainian operators are said to be catphishing Russian soldiers using dating profiles to induce the lovelorn to reveal unit locations and other sensitive information. It seems unlikely that targets could actually be developed in this way, but target indicators certainly might. A target is something you can shoot at. A target indicator is something, roughly, that tells you where to look for something to shoot at. In any case, there's an enduring lesson here. Don't be a sucker on social media. Shakespeare knew that. As he wrote, wars and lechery - nothing else holds fashion. 

Los Angeles Unified School District hit with ransomware over the weekend.

Dave Bittner: And finally, school's back in session, even if the big school district gets schooled with ransomware. Details are sparse, but the Los Angeles Unified School District has disclosed a ransomware attack it discovered over the weekend. School remains in session, and the district has called in lots of federal help, saying, after the district contacted officials over the holiday weekend, the White House brought together the Department of Education, the Federal Bureau of Investigation and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency to provide rapid incident response support to Los Angeles Unified, building on the immediate support by local law enforcement agencies. At the district's request, agencies marshaled significant resources to assess, protect and advise Los Angeles Unified's response, as well as future planned mitigation protocols. So from Van Nuys to Canoga Park, from Northridge to San Pedro, cheer your teacher up, Los Angeles kids, and bring a nice apple sometime this week. 

Dave Bittner: After the break, Joe Carrigan has the latest stats on social engineering, and our guest Angela Redmond from BARR Advisory with six cybersecurity KPIs. Stay with us. 

Dave Bittner: Security and compliance firm BARR Advisory recently released a white paper outlining how business leaders can use key performance indicators, or KPIs, and scorecards to measure and manage their organization's cybersecurity posture. Angela Redmond is director of BARR Advisory's Cyber Risk Advisory practice. 

Angela Redmond: Starting kind of at a high level, cybersecurity KPIs are a group of metrics that encompass a cybersecurity scorecard, and a cybersecurity scorecard is really an evaluation and a collection of metrics that can be used to measure the overall effectiveness of a cybersecurity program from a high level. So you can think of the scorecard as a report card that gives users a snapshot into their organization's security posture at any given time. And the scorecards themselves will have several KPIs, each of which will provide a quantified measure against a predetermined cybersecurity indicator. 

Angela Redmond: And when thinking about KPIs, you want to make sure that they are metrics that are digestible, actionable and measurable. So what does that mean? We can use an example. The number of open vulnerabilities is more of a data point. It doesn't provide you with much insight alone. You probably need a little bit more context to understand the pervasiveness of the issue. A better KPI could be the percentage of vulnerabilities closed on time or the number of critical open vulnerabilities. It really all depends on what matters to your organization. 

Dave Bittner: Well, do all of these get weighted equally? I mean, is it fair to say each organization may prioritize different things? 

Angela Redmond: Absolutely. So what we like to say at BARR is, think about what you would want to know if you were sitting on a beach away from your job. You would - you don't really want to know absolutely everything cybersecurity-related at your organization because you're on vacation. You want to enjoy yourself. You really want to focus on what truly matters and what can give you comfort to sleep at night. 

Dave Bittner: Well, if we look at the list here, I mean, the six items you have - things like things being unpatched, unknown devices on a network, open security incidents, multifactor authentication, users with privileged access and open risks from security assessments - it's a pretty comprehensive list here. Which ones - if I were to prioritize, is that even something that it's fair to do? 

Angela Redmond: It's absolutely fair to do. But you do need to remember that you need to see the whole picture of cybersecurity on your scorecard. So you really want to focus on, you know, making - not all of these in the list might be applicable to your organization, but most of them probably are. 

Dave Bittner: How do you make sure that you're not just, you know, sort of playing - I don't know - regulatory bingo here and checking off things but making sure that it actually has an impact on how the organization handles things? 

Angela Redmond: Absolutely. That's very important. At BARR Advisory, we do audits, which sometimes can be a little bit more of a check-the-box mindset for some of our clients. With cybersecurity scorecards and KPIs, you really want to make sure that you have a conversation across your organization on what truly matters. Focus on what you care about and what impacts your business. 

Dave Bittner: What about translating this information to people throughout the organization? You know, I would imagine sharing this sort of information with an IT team or a security team, you're going to have to use different language than you would, say, with the board of directors. 

Angela Redmond: Absolutely. You do want to make sure that each individual KPI is assigned to one person. That's the person that's responsible for owning it. But overall, the management team owns the scorecard itself. So the management team is not necessarily going to want to care about every single KPI. They just want to see how - they just want to get a pulse of how the organization is doing. We recommend at BARR Advisory that organizations have periodic reporting to the board of directors, but at more of a high level. 

Dave Bittner: What are your recommendations for organizations who want to get started with this sort of thing? How do you set down this path? 

Angela Redmond: Absolutely. It's important to make sure that you have multiple perspectives from your organization. So what matters to one department could be critical, but they may be missing out on a key indicator that another group is responsible for. So when you're starting out putting together a scorecard, you want to make sure that you have representation throughout the organization together to discuss what's critical. 

Dave Bittner: And what about the frequency of taking these measurements? How do you establish that? 

Angela Redmond: That can vary based on - from organization to organization. We recommend at least monthly at first to take each measurement. Another thing that's critical from a frequency perspective is also making sure you're refreshing the KPIs. So KPIs can go stale from time to time if we're not really assessing and evaluating how the KPI - what purpose it's serving. We recommend at BARR Advisory at least twice a year that the KPIs themselves are reviewed for relevance. 

Dave Bittner: That's Angela Redmond from BARR Advisory. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: There's a story we covered last week on the CyberWire. This is a release from the folks over at NordVPN... 

Joe Carrigan: Survey results. 

Dave Bittner: ...Written by Charles Whitmore. And it's titled "How Widespread are Social Engineering Attacks?" I want to swing back around to this and get your take on what's going on here, Joe. What caught your eye? 

Joe Carrigan: Well, first off, I love when people do surveys. 

Dave Bittner: OK. 

Joe Carrigan: It's interesting. They surveyed a thousand Americans... 

Dave Bittner: Yeah. 

Joe Carrigan: ...To find out some information about social engineering attacks. And they found that 84% of the people surveyed have experienced some kind of social engineering behavior, some kind of social engineering attack. One of the telling things here is that only 46% of the people surveyed have heard the term social engineering. And, you know, I am not a big fan of the term... 

Dave Bittner: Yeah? 

Joe Carrigan: ...Because the first time I heard the term, I didn't think cybersecurity-related stuff at all, right? The first thing - first time I hear the term, I think building a better society, right?... 

Dave Bittner: Oh, I see. Yeah. 

Joe Carrigan: ...Or attempting to build a better society. 

Dave Bittner: Like intentionality in building communities... 

Joe Carrigan: Right. 

Dave Bittner: ...That sort of thing. Yeah. OK. 

Joe Carrigan: That's what I think of. That's - that was the first thing I thought of when I heard the term. And I said, what does it mean in this context? And they say, oh. But the thing about it is, it's a piece of jargon. And the value of jargon is that it quickly communicates a broad piece of information in two words - social engineering. 

Dave Bittner: Right. 

Joe Carrigan: So while I don't like the term, it's the term of art that we have. 

Dave Bittner: Right. Right. 

Joe Carrigan: So I deal with. 

Dave Bittner: We're stuck with it now. Yeah. Yeah. 

Joe Carrigan: Right. We're stuck with it. Social engineering - the term is here to stay. 

Dave Bittner: Yeah. 

Joe Carrigan: So social engineering is the vast array of techniques that bad guys use to get people to operate against their own interests. And it's a lot easier than saying that and just to say social engineering, right? 

Dave Bittner: Right. 

Joe Carrigan: Interesting that 84% of people have experienced these kind of attacks. Like, 48% have received suspicious emails with links or attachments. 

Dave Bittner: Yeah? 

Joe Carrigan: I'll bet that's 48% of the people know that they receive that. 

Dave Bittner: Sure. 

Joe Carrigan: I think that it's probably much higher than - I think these statistics are probably low. 

Dave Bittner: Yeah. 

Joe Carrigan: Suspicious texts - 39% have received those. Thirty-seven percent have received pop-up advertisements that are difficult to close. 

Dave Bittner: Ugh (laughter). 

Joe Carrigan: Yeah. I know... 

Dave Bittner: Where's the X? Where's the X? 

Joe Carrigan: Right. I want to know where the other 63% are browsing... 

Dave Bittner: Right. 

Joe Carrigan: ...'Cause that's where I want to browse. 

Dave Bittner: Yeah. Right. Exactly. 

Joe Carrigan: Here's a good one. Thirty-two percent have received suspicious emails from someone posing as an important person asking them to wire funds. 

Dave Bittner: Wow. 

Joe Carrigan: Thirty-two percent - that's a third of people surveyed - have received impersonation scams. And the reason that is so high - I think that might be accurate 'cause it's pretty easy to spot that. 

Dave Bittner: Yeah. 

Joe Carrigan: But that's so high because it works. 

Dave Bittner: Yeah. 

Joe Carrigan: It works. It works - when it works, it pays out big. Let's see, 26% have had a virus on their phone or computer, and 19% have had malware on the device redirect them to a fake version of a website. I've had - there is one incident I had early on in my career where somebody got into my host file on my computer or somehow replaced the host file on my computer to stop me from going to Google. And I think it was when I installed some software that I got from a web browser. This was years and years and years ago... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Before I was even in the security field and very early in my computer science field. 

Dave Bittner: Yeah. My father fell victim to that once where his Google, you know, got replaced by some other service... 

Joe Carrigan: Right. 

Dave Bittner: ...That would show you ads. 

Joe Carrigan: Yeah, couldn't even go to Google because the host file was directing me somewhere else. 

Dave Bittner: Wow. 

Joe Carrigan: 36% have fallen victim to phishing emails. I think that might be accurate. It might be higher than that. But, you know, I mean, it depends on what you mean by falling for phishing emails, right? I've fallen for a phishing email - an impersonation-based phishing email. I tell that story frequently on "Hacking Humans" about how embarrassed I was when I went downstairs ready to talk with my boss after responding to an email from some imposter and having somebody come out and go, that was a fake email, like, oh, it's so embarrassing, you know. Here I am, Joe Carrigan, cybersecurity expert, falling victim to a phishing email. 

Dave Bittner: Right. 

Joe Carrigan: But it happens to everybody. 

Dave Bittner: Right. 

Joe Carrigan: Well, at least 36%. 

Dave Bittner: It can, yeah. 

Joe Carrigan: Interesting stats in here - 18% of people have had email accounts, social media or financial accounts locked because - as a result. 14% have had personal login details like usernames and passwords stolen or items paid for and not received... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Which is interesting. 11% of people who responded have been scammed into investing their money by bogus promises of quick riches. So 11% of people have admitted to going into some investment scam and losing money in the deal. 

Dave Bittner: That's a lot. 

Joe Carrigan: That is a lot. That's huge. 11% have also had their work details - login credentials stolen, which I think is also a lot. 

Dave Bittner: Yeah. 

Joe Carrigan: I don't know how long - how far back in the time horizon this is, but it's interesting. 

Dave Bittner: What do you suppose - I mean, these are - I find some of these statistics surprising. 

Joe Carrigan: Right. 

Dave Bittner: But what - how do you think we come at this? Which the - it sounds like to me a lot of this is awareness or lack of awareness. 

Joe Carrigan: Yeah. I think you're right. The big issue is that people - a lot of people don't understand that - well, security is not on top of mind. I have this theory about this. And this is just my speculation, right? 

Joe Carrigan: Yeah. 

Joe Carrigan: And it's that the rapid development of computer technology over the past couple of years, the past couple of decades, let's say - right? - has really - I mean, it's vastly different today than it was 30 years ago. So from a human perspective, a lot of this stuff is a black box to people. And people believe that computers are these magical boxes or these, you know, these technological marvels, if you want to call it that, not magical boxes. I don't want to seem like I'm belittling people. 

Dave Bittner: Yeah. 

Joe Carrigan: But they are technological marvels. But it seems that people forget that on the other end of that communication channel may not be someone who is everything they say they are. And the explosion of this availability of this kind of communication, we've never had this before in human history. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? It's all new, so we're kind of working our way through that. So really, we have to, as a species, come to understand what it is that we've created here, what this thing, the internet, is, you know. 

Dave Bittner: Right. 

Joe Carrigan: And that not everybody on it is an honest and upright person. And that when a computer says something, it only says that because a human told it to say that. 

Dave Bittner: Right. 

Joe Carrigan: Right? And that human may not be a good guy, maybe a bad guy. 

Dave Bittner: Yeah. 

Joe Carrigan: And I think that's important. Everybody has to realize that. 

Dave Bittner: Yeah. And spread the word. 

Joe Carrigan: And spread the word. Right. 

Dave Bittner: All right. Well, again, this is a report from the folks over at NordVPN, definitely some interesting stats there. Worth a look. 

Joe Carrigan: Yeah, I love these articles with all the stats. I probably bored your listeners by going through all the stats, but I'm like, ooo, stats. 

Dave Bittner: All right. Joe Carrigan, thanks for joining. 

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.