The CyberWire Daily Podcast 10.3.22
Ep 1675 | 10.3.22

Microsoft Exchange zero-days exploited. Supply chain attack reported. New Lazarus activity. Mexican government falls victim to hacktivism. Hacking partial mobilization. Former insider threat.

Transcript

Dave Bittner: Two Microsoft Exchange zero-days are exploited in the wild. A supply chain attack, possibly from Chinese intelligence services. There's new Lazarus activity. The Mexican government falls victim to apparent hacktivism. Flying under partial mobilization's radar. Betsy Carmelite from Booz Allen Hamilton talks about addressing the cyber workforce skills gap. Our guest Rachel Tobac from SocialProof Security brings a musical approach to security awareness training. And your off-boarding program. Yeah. How's that working out for you?

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, October 3, 2022.

Two Microsoft Exchange zero-days exploited in the wild.

Dave Bittner: Late Friday, Microsoft disclosed that two zero-days afflicted three versions of its widely used Exchange Server. Redmond's initial disclosures said, Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution when PowerShell is accessible to the attacker. 

Dave Bittner: Currently, Microsoft is aware of limited targeted attacks using these two vulnerabilities. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability. Microsoft says, we are working on an accelerated timeline to release a fix. Until then, we're providing mitigations and the detections guidance to help customers protect themselves from these attacks. Microsoft Security Response Center shared an initial set of mitigations and tools to evaluate the risk, including indicators of compromise. Late Sunday, the Microsoft Security Response Center added this caution - we strongly recommend Exchange Server customers to disable remote PowerShell access for non-admin users in your organization. 

Dave Bittner: The vulnerabilities were discovered by Hanoi-based security firm GTSC in the course of security monitoring and incident response services its SOC team was performing early in August. They shared their discovery with the Zero Day Initiative and Microsoft, which led to the mitigations Redmond released Friday. Who's responsible for the observed exploitation isn't clear, but GTSC sees strong circumstantial evidence that the threat actor or actors behind it are Chinese. The firm said, we suspect these exploits come from Chinese attack groups based on the webshell codepage of 936, a Microsoft character encoding for simplified Chinese. Late Friday, the U.S. Cybersecurity and Infrastructure Security Agency added both of these CVEs to its Known Exploited Vulnerabilities Catalog. In both cases, CISA advises organizations to apply the mitigations Microsoft has provided. U.S. federal executive civilian agencies have until October 21 to take action. 

Supply chain attack, possibly from Chinese intelligence services.

Dave Bittner: CrowdStrike warns that a suspected Chinese threat actor carried out a supply chain attack by compromising a popular commercial chat product distributed by Vancouver-based customer service firm Comm100. The security firm said, malware is delivered via a signed Comm100 installer that was downloadable from the company's website. The installer was signed on September 26, 2022, using a valid Comm100 Network Corporation certificate. 

Dave Bittner: It's not yet clear how many entities downloaded the malicious installer. But Reuters says, a person familiar with the matter cited a dozen known victims, although the actual figure could be much higher. CrowdStrike adds that the Trojanized file was identified at organizations in the industrial, health care, technology, manufacturing, insurance and telecommunications sectors in North America and Europe. The Record notes that Comm100 says it has more than 15,000 customers across 51 countries. 

New Lazarus activity: bring-your-own-vulnerable-driver.

Dave Bittner: Researchers at ESET say that North Korea's Lazarus Group used Amazon-themed spearphishing documents to target an employee of an aerospace company in the Netherlands and a political journalist in Belgium. The goal of the campaign, which occurred last autumn, was data theft. The researchers noted that the attackers exploited a vulnerability in Dell dbutil drivers, which was patched in May 2021. BleepingComputer notes that the threat actor utilized a bring-your-own-vulnerable-driver technique, stating a BYOVD attack is when threat actors load legitimate, signed drivers in Windows that also contain known vulnerabilities. As the kernel drivers are signed, Windows will allow the driver to be installed in the operating system. However, the threat actors can now exploit the driver's vulnerabilities to launch commands with kernel-level privileges. 

Mexican government falls victim to apparent hacktivism.

Dave Bittner: Reuters reports that the Mexican government has fallen victim to a cyberattack. The data compromised belonged to the Defense Ministry and included information about the president's health condition. Other information contained in the hack included information about criminals, transcripts of communications and information monitoring the U.S. ambassador to Mexico. It may have been a hacktivist action. The group has been identified as Guacamaya or macaw in Spanish. The Record by Recorded Future reports that Guacamaya is an environmental collective, and documents released were stolen from a few different agencies with several other Latin American countries. Guacamaya is reported to have used ProxyShell to gain access to the military's systems. 

Flying under partial mobilization’s radar.

Dave Bittner: The partial mobilization recently announced in Russia continues to be both unpopular and apparently capricious, and these features of the call-up have found expression in cyberspace. There seems to be a thriving online black market in goods and services designed to help Russian men avoid being called to the colors. BleepingComputer says that the items on offer include fabricated exemptions, promises to alter official databases to keep the customer's name out of call-up sweeps and gray SIM cards to help evade government surveillance. Some of the offers are legitimate in the sense that they deliver on their promises to help the customer evade Russian law. But others are, as might have been foreseen, simple scams that leave the buyer as vulnerable to conscription as he was before, only marginally poorer.

How’s your off-boarding program working out?

Dave Bittner: And finally, the U.S. Attorney's office for the District of Hawaii announced on September 28 that a Honolulu man pleaded guilty to sabotaging his former employer's computer network. Casey K. Umetsu Sr. will be sentenced in January. He'd worked on the IT staff of a financial service company for about two years. And after leaving the company, he used credentials he'd retained to access his former employer's systems to redirect its web traffic to other sites, effectively crippling both its websites and its email. His goal was to get himself rehired at a higher salary. U.S. Attorney Clare E. Connors said in the statement, Umetsu criminally abused the special access privileges given to him by his employer to disrupt its network operations for personal gain. Those who compromise the security of a computer network, whether government, business or personal, will be investigated and prosecuted, including technology personnel whose access was granted by the victim. So when thinking about that off-boarding program, HR and job seekers, a pro tip - stop me before I hack again is not a good entry under professional goals.

Dave Bittner: Coming up after the break, Betsy Carmelite from Booz Allen Hamilton talks about addressing the cyber workforce skills gap. Our guest, Rachel Tobac from SocialProof Security brings a musical approach to security awareness training. Stay with us. 

Unidentified Person: (Singing) It was something from the boss upstairs, but now I'm dealing with this malware. It's looking like I got hacked, reeled in by a phishing attack. 

Dave Bittner: What you just heard is the latest in cybersecurity training. Rachel Tobac is CEO of SocialProof Security and a well-known leader in the area of social engineering. She recently happened upon a bit of a revelation when it came to making security training engaging and memorable. 

Rachel Tobac: So in 2021, there was a TikTok challenge. I'm not sure if you're on TikTok, Dave, but there was a TikTok account. 

Dave Bittner: I am not. 

(LAUGHTER) 

Rachel Tobac: And everybody on TikTok was making sea shanty videos. And I am a very active passive user of TikTok, meaning I just lurk and watch everything. I don't really make any of my own content on there. But I was like, hey, maybe I can make a sea shanty for information security topics. How about I go ahead and try that? And as you know, Dave, I asked you if you would be comfortable mixing that and participating and singing on that, and you did such a fantastic job. We were able to put out just the best awesome product with the community. I mean, we had, I think, 15 different people who lent their voices, thoughts, ideas, mixing to the project, and it got over 100,000 views immediately. And we had - I think there were, like, 50 different companies that reached out, and they were like, hey, can we use this in our security awareness training? And I was like, sure, why not? It's free. Yeah, just use it with your company and let me know what they think. And a bunch of those companies got back to me and were like, for whatever reason, that worked better than everything else we've tried. So can you make more songs? And I was like, sure, OK. So that basically birthed the idea of making the training videos as music videos and spoken content.

Dave Bittner: Well, I mean, it takes more than just having the idea and, you know, putting something together on impulse. I mean, these are fully produced, fully realized videos that you're putting out here. To what degree was this endeavor everything you thought it would be? 

Rachel Tobac: (Laughter) Yeah, well, once I did the sea shanty and I saw that people liked it and it helped actually move the needle for companies - they were saying that it helped them with people understanding the why behind a lot of the things that they do, like requiring you to use multifactor authentication or a password manager. I decided, hey, it seems like music's always been helpful for people to understand new topics, you know, from everything from "Schoolhouse Rock!" to this now. I only know what a bill is and how it works because of "Schoolhouse Rock!" And I remember that from my childhood. 

Dave Bittner: I'm with you. 

Rachel Tobac: So I studied a little bit of how music works on the brain because I have a background in neuroscience. That's what I studied in school. And during my studies, I focused a lot on music, how that works both in the rat lab and with human subjects. And I guess the whole music neuroscience behaviorism thing started back then when I was in school. But it's finally been realized now, and it's just wild because I have a background in musical theater from when I was a kid, improv. I used to perform improv on weekends before I did hacking full time. So a lot of things are coming full circle here that I just didn't think would happen in my life. 

Dave Bittner: Well, can you walk us through an example of one of the videos here, kind of from concept to completion? How did you go through that process? 

Rachel Tobac: Sure. Let's see. I guess we'll do the phishing song. So the phishing song - I started out by thinking what genre do I want to talk about the topic of phishing for? Because every song has its own genre. We have a malware ransomware song that we're writing now that's going to be an '80s bop. And I was thinking, OK, well, for the phishing song, I would like to use the pun of phishing, like, you know, fishing outdoors in a lake and also phishing online. So I thought it just makes sense to do a stadium country style song. 

Rachel Tobac: So I reached out to some artists that I know online. I know a lot of these artists from TikTok because they post their work online. So reaching out to those folks and saying, hey, this is a project I'm doing. Here's how it works. It's going to be a security awareness training, but it's going to be music and spoken. But the part you're working on is music - and gave them all the source material because I don't expect these artists to, you know, be an expert in phishing. And then from there, they'll come up with, like, a high-level acoustic riff. They'll send it back to me like, what do you think? Something like this sound? And I'll say, yeah, that sounds great. And then they'll record just, like, a low fidelity, you know, what is the rhyme scheme? What can it look like within the beat of this song? And then I help them with the technicality of the lyrics because again, they're not an expert in phishing or whatever song I'm having them write. So once I help them with the phishing lyrics or what have you, then we record in higher and higher-level fidelity until we have the final version of the song. 

Rachel Tobac: And we take the final version, and we use our production team, and we film in the studio. And we get actors to audition for the part, and we come up with all the graphics to explain what phishing is and how to stay safe and come up with the takeaways. And then people buy the product, and then we customize the takeaways for their company and so on and so forth. 

Dave Bittner: And how has the experience been? I mean, what sort of things have you learned along the way? 

Rachel Tobac: What I've learned along the way is it takes a while to write songs. You always got to have one ready to go because people want more and more content as you go, of course. And that's what we're doing. But it takes months to write songs, so I have to always be writing a song in addition to always be filming more content and writing more scripts. So it's kind of like an ongoing process. There's not really breaks. You have to always be working on the next iteration. 

Dave Bittner: And these are not just musical. You're releasing spoken word versions of each of the topics, as well. 

Rachel Tobac: That's exactly right. So when we did the research for the project, we found about 80% of people watched the music content and were like, yes, I connect with that. That helps me remember it better. I love music content. And about 20% of the people were like, I learn a lot better with spoken content. I do not prefer music. So we wanted to make both equally so that no matter what type of person is learning from this - because, of course, it's mandatory at many companies - we want people to be able to learn in the method that works best for them. So I made all of the spoken content and all of the music-based content equal in my mind. 

Dave Bittner: What about for your friendly neighborhood podcast host who also perhaps has a background in musical theater and an interest in music? Might there be a cameo spot in the future... 

Rachel Tobac: (Laughter). 

Dave Bittner: ...In one of these videos for just - I'm just thinking hypothetically for someone like that. Can you envision something like that? 

Rachel Tobac: Hypothetically, for somebody named Dave, yeah, I think... 

Dave Bittner: (Laughter). 

Rachel Tobac: ...There could be something that could be arranged. Yeah, but only if your name is Dave. 

Dave Bittner: All right. Sorry for all - what a crazy random happenstance. My name is Dave. 

(LAUGHTER) 

Rachel Tobac: But, yeah, I've actually had - that's one of the other big pieces of feedback I have - is my clients or my friends are like, how do I get to be an extra? Or...

Dave Bittner: Right. 

Rachel Tobac: ...Can I sing? Can I sing in the background of your video? And I've actually - we're working right now with a few different clients. One of my banking clients is like, how do we find a way for our CISO to be in the background of one of these videos? And we're not going to tell our users, like, our employees, until it's just deployed to them. And they're like, wait. What is so-and-so doing in the back of your video? 

Dave Bittner: Oh, I love it. 

Rachel Tobac: Yeah, we have some fun little Easter egg moments that, like, not everybody will get, but it's meaningful to some of the clients who are first movers with us. 

Dave Bittner: Yeah, well, I have to say I am predisposed to love this, but I like it for a lot of different reasons. I wish you all the success with this. And congratulations on the launch. Rachel Tobac, thanks for joining us. 

Rachel Tobac: Thank you, Dave. 

Dave Bittner: And joining me once again is Betsy Carmelite. She's a principal at Booz Allen Hamilton and also their federal attack surface reduction lead. Betsy, it's always great to welcome you back to the show. I want to touch today on this ongoing situation with the skills gap in the cyber workforce and the degree to which that is a real thing, to which it's a perceived thing. I'm curious for your take on it.

Betsy Carmelite: Yeah. Thanks, Dave. I always want to do some stage setting first. Cybersecurity is really about outpacing the adversary - so investigating it, learning from it and then getting ahead of it. And being very realistic, this is an incredibly complex environment to work in, as well as a fascinating one. This is really a collective problem for the government and the private sector, the addressing the skills gap issue. So I think it's definitely beyond perceived and a reality. In today's one battlespace environment, groupthink is really not going to solve the problems we face as a nation and with our economy to tackle this problem. The rapidly increasing shortage of cyber workers poses a true risk for the cybersecurity of the nation. 

Dave Bittner: And so where do you suppose we find ourselves? What's the reality that you're seeing on the ground? 

Betsy Carmelite: America's cyber workforce really needs people with extremely varied experiences, perspectives and approaches to help in this fight against the so-called bad actors. It's not just that cyberthreats are growing at an exponential rate and that cybercrime is really extremely lucrative. Really, it's understanding how we can bring different mindsets for different specialized skills into that fight, as well as to advance the workforce. And secondly, no single organization or approach can tackle that problem alone. We need to be equipped and also equip the workforce with skill sets to match the diversity of that threat. And that's where we hit on the risk of - you know, without specialized cyber talent, organizations and our data are at risk. 

Dave Bittner: What are some of the specific recommendations then? I mean, some of the things that can really move the needle here? 

Betsy Carmelite: I think - and the way that we're looking at this within our cyber workforce, we must have - all the managers and leaders need to be really explicit and intentional about asking our colleagues to evolve. It can be such a challenge just to hire the workforce. And once you have the team or skills, you can sit back and think, they know what they need to do. But you really need to take on an approach - and this is maybe not unique to this industry alone - but you really need to ask our talent to continuously learn, dig in and help them with the how. How do they do that? 

Betsy Carmelite: So we believe that you need to create more entryways into the workforce for new talent. We're exploring university partnerships, feeding the talent pipeline. Military and military veteran partnerships target key populations that have skills-based training. And really, you need to identify the potential or aptitude to learn. We also like to recommend fostering a culture of mobility and collaboration that drives perpetual learning. At Booz Allen, we really want people to experience different clients and missions, cultivate diverse skill sets. And we can't fill these positions today with skill sets of five years ago. It's a constant skill-building approach. After hiring, we need to work on upskilling, training, facilitating venues where people can bring their ideas and thought leadership. 

Dave Bittner: What about diversity itself? I mean, I know that's been a focus for you and your colleagues, as well. 

Betsy Carmelite: Yeah, so I think you can approach diversity with diversity of the demographic of the workforce but also diversity of skills and the functional skills that you need to bring into cybersecurity. So there's a prevailing attitude in cybersecurity that you can't perform a role without prior experience. But that really creates a catch-22 and particularly for underrepresented groups. So, for instance, women reportedly compromise roughly one-quarter of the cybersecurity workforce. Yet they may not apply for jobs if they don't feel that they already have 100% - or they meet 100% of the posted requirements, rather than saying, hey, I meet 50% of the requirements. I'll go for it. So that's an issue, encouraging and really identifying the potential within a resume. It's important to identify skills in someone that have the potential to transfer to the multitude of other cyber disciplines. And some of the best cyber intel analysts that I've hired have law degrees. The critical thinking that is taught and that they love lends well to data collection, processing and analysis. For my own personal experience, I'm also a Russian linguist. I learned to disassemble words, look for patterns, look for structures. And that skill conveys so well to puzzling out an intel problem, in addition to the obvious need for cyber linguists in the field. And I think we must challenge ourselves to consider candidates who bring that wider range of experiences and to recognize the strengths of other backgrounds to the field. You can be a successful cyber professional and have the background in computer science or data science or engineering. Or you can come into the field with a psychology degree, political science, linguistics, law. And in our success, we see these elements to bring together those diverse skills under one team of cyber-mission-focused analysts. 

Dave Bittner: All right. Well, interesting insights, as always. Betsy Carmelite, thanks for joining us. 

Betsy Carmelite: Thanks, Dave. 

Dave Bittner: And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.