The CyberWire Daily Podcast 9.30.22
Ep 1674 | 9.30.22

Espionage, both online and in-person. Sabotage, both kinetic and (maybe eventually) cyber. Waterin holes, deepfakes, and the pushing of naughty words.


Dave Bittner: North Korean operators weaponize open-source software. The SolarMarker info-stealer returns. A quick review of Fast Company's WordPress hijacking incident. Deepfakes and their evolution into an underworld and influence ops tool. Kinetic sabotage in the Baltic raises concerns about threats to infrastructure in cyberspace. Chris Novak from Verizon has a midyear check-in. Our guest is MK Palmore of Google Cloud on why collective cybersecurity ultimately depends on having a diverse, skilled workforce. And the U.S. arrests three in two alleged spying cases.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, September 22, 2022. 

North Korean operators "weaponize" open-source software.

Dave Bittner: Microsoft warns that the North Korean threat actor the company tracks as ZINC is targeting engineers and technical support employees working at media, defense and aerospace, and IT services in the U.S., U.K., India and Russia. The threat actor is using malicious versions of open-source applications, including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader and muPDF/Subliminal Recording. Microsoft believes the campaign is motivated by traditional cyber-espionage, theft of personal and corporate data, financial gain and corporate network destruction. 

Dave Bittner: Duo Security's Decipher notes that ZINC uses LinkedIn to contact potential victims, then moves to WhatsApp to send the malware, stating, one key piece of the campaigns is the use of LinkedIn personas as initial outreach vectors for victims. ZINC actors create fake personas on LinkedIn, posing as recruiters at defense, tech or entertainment companies, and then luring the victims into moving the conversations onto WhatsApp. ZINC actors would at some point deliver the ZetaNile-compromised application to the victims. The actor has used the compromised PuTTY infection method in the past, but only recently started using KiTTY too. KiTTY is a fork of PuTTY, and in both cases, ZINC uses DLL search order hijacking in order to load a malicious DLL onto the victim's machine. 

SolarMarker info-stealer returns in watering hole campaign.

Dave Bittner: Researchers at eSentire reported this morning that the SolarMarker information stealer has resurfaced. eSentire writes, the SolarMarker threat actors are now leveraging fake Chrome browser updates as part of watering hole attacks. This represents a change in tactics. SolarMarker's operators had been known for their reliance on search engine optimization poisoning. 

Fast Company's WordPress hijacking incident.

Dave Bittner: A breach of Fast Company's WordPress systems allowed for a hacker to send obscene notifications via Apple News on Tuesday. The Verge reports that Fast Company was hacked and sent out a push notification via Apple News to many iPhones that was obscene in nature. Apple News addressed the hack on Twitter, saying, an incredibly offensive alert was sent by Fast Company, which has been hacked. Apple News has disabled the channel. There's no obvious motive behind the attack beyond whatever slacker lulz (ph) it may have produced. 

Deepfakes, and their evolution.

Dave Bittner: Trend Micro has published a report looking at the current and future impacts of deepfakes. The researchers note that deepfakes have already been used in social engineering attacks, and these attacks will increase as the technology improves. They can now be used to fake the identities of real people or create fictitious persona for people who never existed. The researchers see a particular urgency to securing biometric data across the range of biometric modalities. Some of their concerns include the amount of content readily exposed on social media, the low cost of executing this sort of attack, the ability to steal the identities of both well-known and ordinary people, and the ability to create identities of people who never actually existed for use in fraud schemes. 

Kinetic sabotage raises concerns about threats to infrastructure in cyberspace.

Dave Bittner: NATO has formally declared the four explosions that severed the Nord Stream natural gas pipelines in the Baltic Sea this week to have been acts of sabotage, the Wall Street Journal reports. The Atlantic Alliance stopped short of attributing them to any actor, although Russia is widely suspected, as investigation is still in process. Euractiv quotes U.S. Defense Secretary Austin, who said, until we get further information or are able to do further analysis, we won't speculate on who may have been responsible. That said, Western suspicions centers on Russia, and informed speculation points to a Russian naval operation. CNN cites multiple European sources as saying they observed Russian naval vessels in the area shortly before the explosions. For its part, Russia sees no ambiguity in the situation at all. Who done it? The Anglo-Saxons done it. That is, the British and the Americans are behind it, an allegation that's becoming a routine part of Russian disinformation. Mr. Putin said, as Reuters quotes him, "the sanctions were not enough for the Anglo-Saxons. They moved on to sabotage. It is hard to believe, but it is a fact that they organized the blasts on the Nord Stream international gas pipelines. They began to destroy the pan-European energy infrastructure. It is clear to everyone who benefits from this. Of course, he who benefits did it." He's got one thing right. It is hard to believe. 

Dave Bittner: There are understandably jitters in Europe about the possibility that cyberattacks might disrupt energy infrastructure as winter approaches. Finland's Security Intelligence Service said in its  National Security Overview, published yesterday, that it's highly likely that Russia will turn to the cyber-environment over the winter. That is, The Record explains, Russia is likely to use cyberattacks to increase pressure on Europe to abandon its support for Ukraine. The Voice of America summarizes this week's warnings from Ukraine as CERT-UA predicted a growing likelihood of Russian cyberattacks against energy targets. The U.S. said it's seen no specific indicators that such attacks are imminent. But U.S. defense officials do note that Russia has shown a growing disposition to hit Ukrainian energy infrastructure with missile strikes. 

CISA releases six Industrial Control System Advisories.

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency released six industrial control system advisories yesterday, covering Hitachi Energy, Baxter, Informatique and Delta Electronics products. Operators should consult the alerts and consider applying the mitigations. 

Insider Threat Awareness Month ends with three arrests of insiders.

Dave Bittner: And finally, September was Insider Threat Awareness Month, which we trust you celebrated appropriately - getting all your shopping for bossware done, sending the appropriate thanks-but-no-thanks cards to the various insider threats in your life, shaking hands under the snapdragons and, you know, the whole nine yards of this particular seasonal observance. You know who else is observing the insider threats? The FBI. That's who. 

Dave Bittner: Indictments on charges related to alleged spying for the Russians have been handed down in Baltimore and Denver, naming three people accused in two separate incidents. The Colorado case involves a guy, Mr. Jareh Sebastian Dalke, age 30, who apparently worked briefly this summer for the National Security Agency as an information systems security designer. He offered to sell classified documents to someone he thought was a Russian intelligence agent. In fact, it was the FBI. And what followed you can easily imagine. From the Justice Department's statement about the case, his alleged motive seems to have been monetary. He asked for payment in cryptocurrency, which seems a lot more convenient than an envelope full of unmarked bills left in a dead drop. 

Dave Bittner: The Maryland case involves an alleged conspiracy between a married couple - Doctors Anna Gabrielian, aged 36, and her husband, Jamie Lee Henry, age 39. Dr. Henry is, or now was, a U.S. Army major assigned as an internist to Womack Army Medical Center at Fort Bragg, N.C. Doctor Gabrielian had reached out to the Russian embassy with an offer of information, and the couple subsequently met someone they took for a Russian intelligence officer at a hotel in Baltimore. They offered private medical information on military and government patients and their families to the supposed Russian contact who, in fact, was an undercover FBI agent. They explained that they were motivated by Russian patriotism and resentment over the war in Ukraine, where, Dr. Henry explained, the United States is using Ukrainians as a proxy for their own hatred toward Russia. So while all of these accused are innocent until proven guilty, if you're thinking about spying for the Russians, think twice. After all, not every spy gets offered Russian citizenship. 

Dave Bittner: Coming up after the break, Chris Novak from Verizon has a mid-year check-in. Our guest is M.K. Palmore of Google Cloud on why collective cybersecurity ultimately depends on having a diverse, skilled workforce. Stay with us. 

Dave Bittner: MK Palmore is a director in the office of the CISO for Google Cloud. We recently chatted about why collective cybersecurity ultimately depends on having a diverse, skilled workforce and efforts MK Palmore and his Google Cloud colleagues are taking to improve the situation. 

Mk Palmore: The statistics tell us a challenging story. One, we know that, you know, typically speaking, women represent somewhere close to 50, 51% of the population, and there's nearly that much in terms of the workforce. Their presence in technology is somewhere around the low 20% realm. And as you go up the ranks, those numbers get to be smaller and smaller. People of color, Black, Latino, sometimes categorized as roughly 17, 18% of the workforce. And those numbers, as it relates to technology, you'll find hovering somewhere between 5 to 8% at any one point in time when you take snapshots of the industry. 

Mk Palmore: So the struggle for organizations today, like Google and other organizations that are trying to increase the numbers of women and underrepresented minorities in terms of increasing the talent pool, is it moving the needle on those numbers? Where do you go to source the talent that has the requisite skills that you're looking for in order to bring them on board in your organization? How do you subsequently get them on board into the organization? And then how do you - big challenge for all organizations is retention - how do you retain that kind of talent once you have them on board and create a pathway for them to grow and be nurtured within the profession and ultimately succeed? So the numbers are daunting. They've been daunting, quite frankly, for quite some time, for a number of years. And, you know, folks like myself and others who do this professionally are engaged at any one point in time in a number of, you know, for me, internal issues here at Google Cloud, in an effort to help move the needle on this issue and also providing support to outside organizations and nonprofits in this realm to also move the needle and impact change where we can. 

Dave Bittner: Well, so within Google Cloud itself, where are you finding success? What sort of initiatives are making a difference there? 

Mk Palmore: Yeah, so I think that, you know, broadly speaking, what we see in the industry is that if you can train people, if you can give them the requisite skills that they need, baseline skills, in order to be able to compete for entry-level positions, that you oftentimes are helping to set them up for success. In fact, there are some numbers out there that will tell you that training, specific training around cybersecurity introductory skills, is the number one way to translate someone from a zero start into the field. And we have a number of programs, one of which that I am shepherding here under the Google Cybersecurity Action Team and others within Google that are much more mature and much further along that help to enable the existing workforce - in other words, folks out there who show an interest in cybersecurity or want to peak their interest. In other words, they want to take some exploratory courses and try and get some exposure to the industry. We have a number of efforts underway to actually take folks through the training pipeline so that they get some baseline training for entry level positions. And we also have a number of things underway that will help to get exposure to folks who are, again, zero start but potentially interested in the industry. I always say there's two components that you need. You need a level of interest, and you need an aptitude. You don't necessarily need to come to the table with specific skill sets like technology skill sets. But much of what it is that we do in cybersecurity day in and day out can be taught, and certainly, it can be learned. 

Dave Bittner: When you're talking about training here, I mean, is this something that Google offers internally? Or are folks going to outside providers? So how does that all work? 

Mk Palmore: Yes. So it's happening in a number of different lanes. There is an internal effort to increase the availability of cybersecurity training, certainly among our own employees internally. But we also recognize that Google has a responsibility to the industry and society overall to provide assistance in this area because we all see the gap that exist in terms of getting qualified folks into the pipeline. And certainly, expanding the aperture in terms of identifying the folks that we may bring into this profession is in large part of what we're engaged in as it relates to Google. In other words, identifying opportunities, whether it be through nonprofit organizations that exist or our own efforts to deliver cybersecurity-based training, targeting that training to women and underrepresented minorities so that you can, again, gain some traction in an area where we know that folks have an interest and aptitude. And we can point them in the right direction and give them the skills that they're going to need to be able to get some baseline opportunities within the field. And as you well know, once you get in, I mean, it's sort of, you know, pick your poison in terms of how many different areas and domains and other areas of depth that you would like to go into. But we all know that the real barrier is getting that initial job in the industry. And we are, again, putting together programs and have an effort afoot to increase that talent pool and to do it in such a way that we enable folks to do well in that interviewing process, bring or show that they have some experience in terms of gathering the skill sets necessary to get those entry-level jobs, and then, of course, you know, to get in and actually succeed. There are many different lanes, many different efforts underway. 

Dave Bittner: You know, from your own point of view as a leader, why is this something to focus on? What does having diversity in your team provide the organization as a whole? 

Mk Palmore: Yeah. So I think that from a - if we're just talking about cybersecurity workforce, I think that this issue of creating diverse teams in cybersecurity may be the most critical issue that organizations are dealing with now and for the foreseeable future. We have all awakened now at this point in history and time, recognizing the importance of cybersecurity, not just on business operations, but also on our lives. So it impacts us widely as a society but also impacts business operations. And this issue of creating more diverse teams, I think, quite honestly is going to help us get better at solving problems. 

Mk Palmore: At the heart of cybersecurity is this idea of problem solving. And if we're not bringing different and varied mindsets and experiences to the table, we're going to continue to use some of those old approaches to solving security problems. And quite frankly, I think that history has shown us that we are, as an industry, probably not doing as well as we would like to in terms of combating adversarial techniques and tactics. And I think increasing the diversity set, in other words, increasing the diverse teams that we point towards these problems will actually help us solve them more quickly and potentially bring better solutions to protect. 

Dave Bittner: That's MK Palmore from a Google Cloud. There's a lot more to this conversation. If you want to hear more, head on over to the CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews. 

Dave Bittner: And joining me once again is Chris Novak. He is managing director for security professional services at Verizon. Chris, always great to welcome you back to the show. As you and I record this, we are just about midway through this year of 2022. I was going to say it's been an interesting year for cyber, but I don't know that there's any other kind anymore. And I wanted to just check in with you, get a little reality check on what you've been seeing in terms of how this year is comparing to your expectations. 

Chris Novak: Wow (laughter). First off, thanks, Dave. Always a pleasure to be here. Honestly, I don't think if I could have gone back a year and said, let me write down a handful of predictions of what I thought 2022 would look like, I'm not sure that I would have gotten any of them right. It's been a wild, wild year, I think, between what we've seen happening with Russia, Ukraine and some of the the follow-on effects of that into cyber, some of the crazy changes we've seen in ransomware, you know, OT, ICS, cloud. You know, all of these, I think, are things that were on the horizon and we knew could be a concern, but exactly how they've all manifested, wow, it's been something else. 

Dave Bittner: Yeah. Is there anything that sort of rises to the top in terms of, gosh, you know, I wasn't expecting that or, you know, oh, there's a surprise? 

Chris Novak: Well, I mean, I think if we were to roll back into, you know, 2021, looking forward into the first half of 2022, I think there were always some concerns about the Russia-Ukraine situation and how that was kind of bubbling up and boiling over. And then obviously, in February, we saw that go into kind of full swing. And I think that one has been an interesting one to observe and see what comes out of it, because we really haven't seen something like that from a truly substantial, you know, kinetic, you know, war activity that has had relations to the cyber realm. 

Chris Novak: I think everyone has always known that the cyber nexus and war exists and would exist in the future. But I don't think we had really seen an event like that play out historically with an organization or a country, for example, like Russia, that we know to have a really sophisticated and advanced adversarial component to it, the ability for them to pull off the types of attacks that we would worry about in a, you know, in a cyber war, for example. I think some of the kinetic actions that that we've seen the world deal with over the recent years have been largely relegated to kinetic. And in this case, I think we're actually starting to see more of that boil over into the cyber. 

Chris Novak: And I think we're also concerned and watching what happens from a broader geopolitical standpoint, because we expect other countries are watching very closely what's happening between Russia and Ukraine, looking to see, hey, when Russia does X, how does country A, B and C respond? And if another country were to, you know, make an incursion or threaten another, you know, democracy out there, what might that look like in terms of a global response, whether it be kinetic or, in this case, cyber? 

Dave Bittner: Yeah. You know, I mean, looking at the big picture, do you feel as though the cyber defenders out there - are we gaining ground? Are more of the basics, you know, that low-hanging fruit we all talk about it - is the word out there and are people taking care of those things? 

Chris Novak: So I think they are. And it's an interesting question because I'm always a big proponent of cyber hygiene and going after a lot of the foundational elements of cyber before we worry about all the crazy, advanced, sophisticated stuff. And as I talk more and more with organizations, I'm hearing more of them doing it correctly. I feel like the challenge is - it's the groundswell of activity is keeping up or exceeding our ability to go ahead and tackle it all. So I think people now understand what the right things are they need to be doing, and they want to and are executing, but the big thing we hear everywhere we go - I was talking about this at RSA. You know, I asked the audience, how many people have too many cybersecurity people? And everybody just laughed, right? Nobody had them. How many have enough? Everyone just kind of stared around the room looking to see if anyone raised their hand, right? And so the challenge I think that we see is that the talent pool is not able to grow as fast as the need. And I see that as being part of the bigger challenge. I think organizations understand what they should be doing, and they largely want to do the right things. It's a, well, if I'm only going to be at 75% staffing capacity, it means I need to figure out what of my objectives are, what are my security, maturity, desires am I planning to execute on with 75% capacity, for example? 

Dave Bittner: I know this is an unfair question, but I'm going to ask it anyway. As you look in your crystal ball, any thoughts on where we might be headed for the second half of this year? 

Chris Novak: I would say that if I were looking in my crystal ball, I would say that I think we're going to continue to see ebbs and flows in ransomware just because people continue to pay, and, you know, we're continuing to see that pan out for the threat actors. I think we're going to see governments try to choke off the money supply as a way to try to choke off ransomware, in other words, enact other regulations or reporting and disclosure requirements around the globe that might try to inhibit or prevent organizations from paying ransoms as a way to try to knock that down. Effectiveness of that will be TBD. The other thing I also expect to see is continued attacks in the areas of OT and industrial control systems. You know, we've often largely talked about cyber as it relates to data security. And I think that's kind of a holdover from the past of, you know, a lot of the data security laws, notification and disclosure obligations were largely related to unauthorized access to data. I think we're starting to see a shift now where attacks are looking more at OT, industrial control systems. It could be energy and utilities. It could be manufacturing. It could be health care. 

Chris Novak: And so those are the areas where I would say I'd probably be most concerned about the second half of 2022 and beyond because I don't think we've seen what we see as being possible to happen there. And obviously, I don't want to see it happen, but I think that's an area that has been not as well tended to both by the defenders and also by the adversaries. And so as a result, I think we could see more activity develop in those areas. And then obviously, cloud - I think we're going to continue to see an incredible migration of organizations moving to cloud. You know, we saw it really - it was like a shot in the arm of adrenalin to cloud migrations during COVID. And I think that's going to continue to happen. And there'll be some things that I think we're going to see fall out of that in terms of poor hygiene, shadow IT, shadow cloud, other things like that. People are going to be trying to move fast. And as a result, we're going to see some bad behavior that might make its way into, you know, what ultimately results in some incidents and breaches. 

Dave Bittner: Yeah. All right. Well, Chris Novak, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at Be sure to check out this week's "Research Saturday" and my conversation with David Prefer from the SANS Technology Institute on covert channels using browser bookmark sinking. That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.