The CyberWire Daily Podcast 9.7.22
Ep 1657 | 9.7.22

Albania attributes major cyberattack to Iran. TikTok denies breach. New Linux malware.


Dave Bittner: The Albanian government attributes a disruptive cyberattack to Iran. TikTok says it's found no evidence of a data breach. Researchers have discovered a new strain of Linux malware. U.S. agencies warn of ransomware targeting the education sector. Finland prepares to increase its cybersecurity capacity. Deepen Desai from Zscaler on the latest updates to Raccoon Stealer. Our guest is Lance Spitzner from the SANS Institute with results of their recent Security Awareness Report. And a fond farewell to the father of Let's Encrypt.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 7, 2022. 

Albania attributes cyberattack to Iran.

Dave Bittner: Reuters reports that Albania has attributed the extensive disruptive cyberattack it sustained on July 15 to Iran, saying, the in-depth investigation provided us with indisputable evidence that the cyberattack against our country was orchestrated and sponsored by the Islamic Republic of Iran through the engagement of four groups that enacted the aggression. That's according to Prime Minister Edi Rama. Albania has severed diplomatic relations with Iran and ordered Iran's diplomats to leave the country. Prime Minister Rama acknowledged the stringency of the response, but said it was fully justified, stating, this extreme response is fully proportionate to the gravity and risk of the cyberattack that threatened to paralyze public services, erase digital systems and hack into state records, steal government internet electronic communication, and stir chaos and insecurity in the country. 

Dave Bittner: Albania's foreign minister announced Tirana's response to Tehran in a tweet this morning. As of today, by a decision of the Albanian CoM has severed all diplomatic relations with the Islamic Republic of Iran. All diplomatic and other personnel of Iran's embassy are to leave the territory of the Republic of Albania within 24 hours. It is a decision imposed on Albania by the actions of Iran, which our investigation has shown was behind the massive and unprovoked July 15 cyberattack against Albania's infrastructure and government services. We are confident that our allies and partners will stand shoulder to shoulder with us, facing the present and possible future challenges. Albania is a NATO member, and its action received support from other members of the Atlantic alliance. 

Dave Bittner: The U.S. condemned the Iranian cyberattack and expressed solidarity with Albania. The White House statement issued by the National Security Council is brief enough to be worth quoting in full. The United States strongly condemns Iran's cyberattack against our NATO ally Albania. We join in Prime Minister Rama’s call for Iran to be held accountable for this unprecedented cyber incident. The United States will take further action to hold Iran accountable for actions that threaten the security of a U.S. ally and set a troubling precedent for cyberspace. For weeks, the U.S. government has been on the ground, working alongside private sector partners to support Albania's efforts to mitigate, recover from and investigate the July 15 cyberattack that destroyed government data and disrupted government services to the public. We have concluded that the government of Iran conducted this reckless and irresponsible cyberattack, and that it is responsible for subsequent hack and leak operations. Iran's conduct disregards norms of responsible peacetime state behavior in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provide services to the public. Albania views impacted government networks as critical infrastructure. Malicious cyberactivity by a state that intentionally damages critical infrastructure or otherwise impairs its use and operation to provide services to the public can have cascading domestic, regional and global effects, pose an elevated risk of harm to the population, and may lead to escalation and conflict. We will continue to support Albania's remediation efforts over the longer term, and we invite partners and allies to join us in holding malicious cyber actors accountable and building a secure and resilient digital future. 

TikTok denies breach.

Dave Bittner: Social media giant TikTok says that a reported data breach on the platform may never have actually happened, Hot Hardware reports. Last week, a vulnerability in the TikTok app on Android was revealed by Microsoft that would've allowed threat actors to hijack accounts. The vulnerability was patched before its disclosure, but a Breach Forums user with the name AgainstTheWest reported shortly after Microsoft's disclosure that they had access to a server containing 6.7 terabytes of stolen data from TikTok and WeChat. TikTok denies the breach, saying in a statement to Forbes that our security team has found no evidence of a security breach. We have confirmed that the data samples in question are all publicly accessible and are not due to any compromise of TikTok systems, networks or databases. The samples also appear to contain data from one or more third-party sources not affiliated with TikTok. The Hacker News reports that Bob Diachenko, a threat intelligence researcher at Security Discovery, called the breach real, but said that it originated from Hangzhou Julun Network Technology rather than TikTok. 

New Linux malware.

Dave Bittner: Researchers at AT&T Alien Labs describe Shikitega, a stealthy strain of malware targeting endpoints and IoT devices that are running Linux operating systems. The researchers state, Shikitega is delivered in a multistage infection chain where each module responds to a part of the payload and downloads and executes the next one. An attacker can gain full control of the system in addition to the cryptocurrency miner that will be executed and set to persist.

Ransomware targeting the education sector.

Dave Bittner: Yesterday, the FBI, CISA and the MS-ISAC issued a joint advisory warning that the Vice Society threat actor has recently been disproportionately targeting the education sector with ransomware attacks. The advisory states, the FBI, CISA and the MS-ISAC anticipate attacks may increase as the 2022-2023 school year begins and criminal ransomware groups perceive opportunities for successful attacks. School districts with limited cybersecurity capacities and constrained resources are often the most vulnerable. However, the opportunistic targeting often seen with cybercriminals can still put school districts with robust cybersecurity programs at risk. K-12 institutions may be seen as particularly lucrative targets due to the amount of sensitive student data accessible through school systems or their managed service providers. 

Finland prepares to increase its cybersecurity capacity.

Dave Bittner: While the cyber phases of Russia's hybrid war have been relatively quiet as the week opened and largely eclipsed by the risk of a major nuclear accident and the opening days of Ukraine's general counteroffensive, governments geographically close to Russia have continued to take measures to improve their cybersecurity posture. Finland, in the wake of attacks aimed at disrupting its parliament, is moving to offer grants to organizations deemed capable of hardening the country's attack surface. 

Rest in peace, Peter Eckersley.

Dave Bittner: And we close with some sad news. Cybersecurity lost an important contributor on Friday, when Peter Eckersley passed away from cancer far too young at the age of 43. He'll be remembered for his contributions to encryption as the father of Let's Encrypt, for his service at the Electronic Frontier Foundation and for his more recent work on the ethical issues surrounding privacy and artificial intelligence. He'll be missed, and we wish his family, friends and colleagues all comfort and consolation. 

Dave Bittner: Coming up after the break, Deepen Desai from Zscaler has the latest updates to Raccoon Stealer. Our guest is Lance Spitzner from the SANS Institute with results of their most recent Security Awareness Report. Stay with us. 

Dave Bittner: Lance Spitzner is director of security awareness at the SANS Technology Institute. I checked in with him for insights on the recently released 2022 SANS Security Awareness Report. 

Lance Spitzner: Probably one of the first things that really stood out this year is the need to shift this concept of security awareness to managing human risk. So for example, in the report, one of the most surprising data points is, if you're dedicated full time to security awareness, you're most likely to be paid far less than somebody dedicated part time to security awareness. So the average pay of somebody in security awareness overall is about 110,000. So we're asking people, hey, what's your salary? And this is at a global scale. But what we found is, if you're part time, it's much more. And if you're full time, it's much less. And the reasons we believe that to be the case is if you are part time, your compensation is based on your other security roles, most likely on the technical side. If you're full time, you're getting compensated just on your security awareness role, which leads us to believe that leaders aren't truly valuing what security awareness officers do because we in the security awareness field have actually done a really poor job at communicating what we do and why. 

Dave Bittner: Wow. That's really interesting. I mean, how do you suppose folks go about closing that gap? 

Lance Spitzner: And that's probably the key takeaway of the report. That's a really good question. So if you look at the report, you'll notice the words managing human risk on the report. Traditionally, security awareness has been perceived as just this once-a-year training effort, mainly for compliance. But the field is really going through a fundamental shift where we're now realizing, hey, human risk is a huge part of drivers for breaches today. And once again, go back to the Verizon DBIR. For the past three years, the report has identified people are involved in over 80% of breaches. 

Lance Spitzner: So if cyber represents one of the greatest risks to organizations today, people are one of the greatest risks in cyber when they start working with technology. We're moving this concept from security awareness, where leaders have this perception, you're in the entertainment business. We're trying to migrate to, actually, no, we're in the managing human risk business. This means we're working with the cyberthreat intelligence teams. This means we're applying behavioral science. This means we're using organizational change models to really change and secure people's behaviors because that's where I and the report feel organizations can now, in today's world, have the biggest impact.

Dave Bittner: So, Lance, you know, I think we're all familiar with security awareness training. And I think a lot of companies also engage with things like phishing simulations, that sort of thing. I mean, based on the information you all have gathered here, what part do those sorts of things have to play in an organization's defenses these days? 

Lance Spitzner: That's a great question, and it comes back to what we were talking about earlier - managing human risk. Security awareness is what we do; managing human risk is why we do it. So five years ago, traditionally, security awareness was all about reaching out to, training people, computer-based training, phishing simulations. But now we're taking it to the next level. And it's really about managing human risk. 

Lance Spitzner: So the first step is actually security awareness teams working with their security teams - the security operations center, cyberthreat intelligence, the incident response team - to really identify what their top human risks are, things like phishing and passwords. Then they roll out the training to change those behaviors. We're no longer trying to just make people aware; we want to change their behavior so they can easily identify phishing attacks, so they start using credentials in a safe and secure manner, sharing or using data in a secure way. So the first step is identifying those top human risks, then all that training is about changing behaviors to manage those risks. So that's why we see things like phishing simulations so popular because that's training addressing a top human risk. 

Dave Bittner: That's Lance Spitzner from the SANS Technology Institute. 

Dave Bittner: And joining me once again is Deepen Desai. He is the chief information security officer and VP of Security Research and Operations at Zscaler. Deepen, it's always great to have you back to the show. I want to touch base today with something you and your colleagues recently posted about. This is - you're tracking an updated version of Raccoon Stealer. What's going on here? 

Deepen Desai: Yeah. So Raccoon Stealer, for those of you that don't know, is a malware family that has been sold as a malware-as-a-service model on the underground forums since early 2019. And as part of our tracking activity, in early July, the team came across a variant of this malware. And there were a few new things that the team observed, which prompted us analyzing and posting this article. 

Dave Bittner: What are some of the details here, some of the - the things that they updated? 

Deepen Desai: Yeah, so a few things we noticed, and these are fairly tactical things. One of the things was how they're encrypting the internal string literals. They're using basic C4 plus RC4 encryption where they're leveraging dynamic loading of Win API functions. So these two things that I mentioned are more geared towards evading detection, increasing the shelf life of the payloads that are being pushed out.

Deepen Desai: And then the second big change that we noticed was, the previous version of Raccoon Stealer - they were heavily dependent on leveraging Telegram APIs to fetch the list of command-and-control servers. So these are destinations that the malware will communicate with after they have successfully established infection on the endpoint. In this new variant, what we saw is a list of hardcoded IP addresses - and these are mostly threat actor-controlled servers - which are then leveraged to fetch the list of command-and-control servers from where the next two staged payloads will be delivered as well as the C&C commands will be delivered.

Dave Bittner: What sort of things does Raccoon malware seem to be after? What is it out to steal? 

Deepen Desai: Yeah, so Raccoon Stealer will be responsible for stealing data such as passwords, cookies, your autofill data from web browsers. We have also seen code that indicates that they're support to steal cryptocurrency wallets from the endpoints that they're able to compromise. 

Dave Bittner: And so in your estimation, how sophisticated a threat group are we talking about here? 

Deepen Desai: In terms of sophistication, I mean, I would still think of this as something that is in development and in progress, right? As I mentioned, so the anti-analysis, anti-detection tricks that we observed in this version two - I mean, there are many other families out there that have been using this for a long time.

Dave Bittner: And what are your recommendations for folks to best protect themselves? 

Deepen Desai: Recommendation - always make sure - you know, these stealers can arrive packaged with some of that cracked software, you know, pirated stuff. So stay away from those. Always rely on legitimate sources when you're downloading your software. And then if you notice something spiking CPU activity, any kind of slowness on the system - because this payload was known to do that when we were analyzing it - you should report it to your security team. So that's from the end user perspective. From the security admin perspective, payloads such as this, which are newly packaged, you know, they're continuously going through newer development - you need an inline sandboxing solution to honestly observe the behavior and flag it and block it for your users.

Dave Bittner: All right. Well, Deepen Desai, thanks for joining us. 

Deepen Desai: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.