The CyberWire Daily Podcast 10.13.22
Ep 1682 | 10.13.22

What the cybercriminals are up to: improving their tools and carrying out the same old dreary social engineering. Budworm APT sightings. And the state of Russia’s hybrid war.


Dave Bittner: Emotet ups its game. COVID-19 small business grants as phish bait. Google Translate is spoofed for credential harvesting. Research on the Budworm espionage group. Kevin Magee from Microsoft shares why cybersecurity professionals should join company boards. Our guest is Chris Niggel from Okta with a look at identity shortfalls. And internet outages during missile strikes and the prospects of Russia's hybrid war.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, October 13, 2022. 

Emotet ups its game.

Dave Bittner: ESET researchers tweeted yesterday that the criminal operators of Emotet have been improving their products' system info module with changes that enable malware operators to improve the targeting of specific victims and distinguish tracking bots from real users. They've also changed the system attributes Emotet collects and reports back to its command and control. The new list includes processor brand, size of physical memory in megabytes and an approximate percentage of it being in use. 

COVID-19 small business grants as phishbait.

Dave Bittner: INKY has published a report on the use of small business grants as phishing lures. Scammers are impersonating the U.S. Small Business Administration to distribute phony grant applications hosted on Google Forms. The SBA has stopped accepting applications for COVID-19 relief, but the scammers are counting on their victims having overlooked that. The Google form asks the user to submit their personal and financial information, including their Social Security number, driver's license details and bank account information. The usual marks of a scam are present, as well as Google's report abuse button and its customary warning, "Never submit passwords through Google Forms." Those last two don't normally find their way into phishing scams. 

Google Translate spoofed for credential harvesting.

Dave Bittner: Researchers at Avanan describe phishing emails that are impersonating Google Translate in order to steal users' email credentials. The emails inform users that they have pending incoming emails, and they'll need to confirm their account within 48 hours in order to receive the emails. If the user clicks the links, they'll be taken to a phony Google Translate page with a login field. Avanan's researchers explain, in the background, you can see the HTML that goes into turning this site into a Google Translate lookalike. 

Dave Bittner: One of the JavaScript commands they use is the unescape function. This is a classic command that helps obfuscate the true meaning of the page. Further, when decoding the JavaScript, you'll see that the security service would see a bunch of gibberish. The phishing page looks fairly convincing, but users should note that the phishing page's URL looks very suspicious. Ending with doesn't quite cut it. 

Budworm espionage group squirms to some new branches.

Dave Bittner: The Symantec Threat Hunter Team this morning released research on the Budworm cyberespionage group. Budworm has recently been observed targeting a Middle Eastern government, a multinational electronics manufacturer, a U.S. state legislature and a hospital in Southeast Asia. The group leverages Log4j vulnerabilities to compromise Apache Tomcat for installation of web shells. Budworm makes extensive use of HyperBro malware, often installed through DLL side-loading. This involves attackers placing a malicious DLL file where a legitimate one can be expected. The payload is executed when the application runs. 

Dave Bittner: Budworm has also been seen using CyberArk Viewfinity, an endpoint privilege management tool, to side-load. While HyperBro has been Budworm's primary choice recently, researchers have also observed the PlugX/Korplug Trojan in use. The group has historically targeted Asia, the Middle East and Europe but has now for the second time been linked to an attack on a U.S. target. Researchers say that the shift to U.S. targets could mean a directional change for Budworm. Also known as APT27 or Emissary Panda, Budworm is generally believed to operate on behalf of the Chinese government, according to the Hacker News and others. 

Internet outages during missile strikes.

Dave Bittner: According to Bitdefender, some areas of Ukraine experienced internet outages, mostly associated with power failures and physical disruption of communication links, during Monday's Russian missile strikes. Bitdefender says data from Cloudflare indicated a 35% dip in internet availability as multiple explosions caused power outages. Reuters reports that both electrical and communications services have largely been restored. Ukrainian officials credit Starlink with an important role in the swift recovery. 

Some perspective on a hybrid war.

Dave Bittner: The massive Russian cyberattacks almost universally expected when Mr. Putin went to war against his smaller neighbor back in February have not materialized. Apart from some early and quickly remediated successes with wiper malware in the opening days of the invasion, Russian offensive cyber ops have been largely confined to nuisance-level defacements and DDoS. Some acts of physical sabotage against European infrastructure, followed by some recent dark musing by President Putin about how terrorism holds the globe's infrastructure at risk, have again elevated concern about the possibility of a destructive Russian campaign that, this time around, might actually work as advertised. 

Dave Bittner: Mr. Putin's remarks are playing a double game and a double narrative. He'd like the world to think the sabotage, like the war itself, is the work of his present boogeymen and boogeywomen, those Anglo-Saxon British and the Americans. But he'd also like to remind the world that the sabotage could just as easily be Russian work and that their pipelines, telecommunications or power grids could be next. 

Dave Bittner: An essay in Politico argues that subscribing to a narrative of fear with respect to Russian cyberattacks against infrastructure would be, in effect, doing the Kremlin's work. The essayists argue that energy infrastructure is an obvious target but that the war so far has shown how effective cyber resilience can be in thwarting attacks. More to the point, there's the risk of disinformation and influence operations, creating the appearance of an effective threat where there may in fact be none in the offing. 

Dave Bittner: To some extent, the failure of the Bears - Fancy, Cozy, Energetic, the whole cuddly ursine tribe - to show up in a big way may reflect the same sort of underperformance seen elsewhere in Russia's military operations. The U.S. deputy national security adviser for cyber, Anne Neuberger, outlined Russia's record in cyberspace during the war at a Washington Post conference this morning. So defense can work with preparation, cooperation, resilience and resolution - shields up. 

Dave Bittner: Coming up after the break, Kevin Magee from Microsoft shares why cyber professionals should join company boards. Our guest is Chris Niggel from Okta with a look at identity shortfalls. Stay with us. 

Dave Bittner: The security strategy of zero trust has been gaining momentum, with some saying this year is a tipping point when it comes to widespread adoption. Security firm Okta recently published their 2022 State of Zero Trust report. Chris Niggel is regional chief security officer of the Americas at Okta, and I checked in with him for some highlights from the report. 

Chris Niggel: We've been generating the State of Zero Trust report since 2019, when we found that businesses were kind of discrediting the concept of zero-trust networking. And what we saw was a real need for organizations to understand the importance of the adoption of this technology. 

Dave Bittner: Where are some of the common misconceptions that you see? Where is there an understanding gap here? 

Chris Niggel: I think the understanding gap is organizations see zero trust as another formative network change, where they need to make kind of a big-bang change in how they're approaching security. And really, zero trust is a journey. It's something that we're all working towards and really is an extension of the changes that we're seeing in a - in the security posture right now of moving from on prem to cloud technologies. 

Dave Bittner: What were some of the key findings in the report that caught your eye? 

Chris Niggel: Some of the key findings in this year's report were really focused on a significant increase in adoption of zero-trust networking across organizations. Most significantly, we saw a huge jump in the adoption of zero-trust networking by our government customers, driven, I think, primarily by the zero-trust memo that came out. We've also seen a significant change in the adoption for health care, which I think is a very important change given the importance of that sector to all of our lives. 

Dave Bittner: Where do you suppose we're headed here? I mean, it really seems like there's a lot of momentum behind this transition now. 

Chris Niggel: Dave, I think what we're seeing is that next step in adoption of cloud technologies. With the COVID pandemic, all organizations needed to make a very rapid change to different technologies, different capabilities to allow their employees to work from home. And with the zero-trust adoption, we're now seeing organizations build the security controls back in that they need to have in order to make good use of those technologies. 

Dave Bittner: What is your response to folks who are still skeptical about the notion of zero trust? I mean, I still - there are still folks out there who, when they hear the term, they kind of roll their eyes a little bit. 

Chris Niggel: The zero-trust concept has definitely been a bit of a marketing buzzword over the last couple of years. And so my response to that would be to look at what the security needs are of your new working environment. As organizations adopt more cloud technologies, there's a need to move the security controls out to the users and to the data. And if you'll approach it that way, you're still addressing a zero-trust network model, but you're doing that in a way that's providing direct benefit to your employees and your organization right now. 

Dave Bittner: What are your recommendations for organizations who are considering this journey here? I mean, what - where do you recommend they get started? 

Chris Niggel: We recommend organizations look at their identity and access management platforms. When we consider zero trust, the core components of that security model are understanding the access requirements of the users, of the devices and of the data. And so identity is a key part of both the users and the device aspects of those three pillars. By starting with identity management, you're able to quickly build that first pillar of access and be able to do it in a way that provides an immediate benefit to your employees, to your customers, to your users in giving them quick access to the things they need to do to complete their jobs every day. 

Dave Bittner: That's Chris Niggel from Okta. 

Dave Bittner: And joining me once again is Kevin Magee. He is the chief security officer at Microsoft Canada. Kevin, always great to welcome you back to the show. 

Kevin Magee: Hi, Dave. Thanks for having me back. 

Dave Bittner: I want to touch today on the relationship between cybersecurity pros and boards of directors, and specifically, you know, those cyber folks getting a seat on the board. I know you have some thoughts on this. 

Kevin Magee: I know a lot of the discussion we have now is about, you know, how we should communicate to the board and whatnot as cybersecurity professionals. I think we're missing the opportunity to actually sit on the board as cybersecurity professionals. And I think the root of it is - it's sort of like a grade eight dance. Someone's got to get it all started and bring the two sides together. So every board I talk to wants to have a cybersecurity professional on it, and every cybersecurity professional I talk to would love to be on a board, but there seems to be this mismatch and difficulty in bridging that gap that I'm really interested in figuring out how to solve. 

Dave Bittner: What do you think is going on here? I mean, I see - from time to time, I see people say that chief security officers, chief information security officers, they'll say they're chiefs in name only, that they have the title, but maybe not the status within organizations. Is there something to that? 

Kevin Magee: Well, it doesn't even have to be the board of the organization you're on. In fact, I think it's better if you look at another alternative organization that you could be on a board of, either a charity or a not-for-profit. And in Canada, hospitals have independent boards. Start-ups have boards. It's a great opportunity to really not only expand your understanding of how the business works so that you can have better conversations back in your day job, but also add some serious value to the discussions that are having - and taking place around the table, because you can add a very unique perspective as a cybersecurity professional. And that's what I really found. 

Kevin Magee: My sort of unique background - I'm often the only person that's not an accountant or a lawyer on the board. So I look at things very differently and can provide a very unique perspective. And I was very intimidated at first, because everyone else was an accountant or a lawyer, that I wouldn't be able to add some value, but that's not proven to be the case. 

Dave Bittner: How do the other board members look at you and the things you can contribute? 

Kevin Magee: Well, again, I - the first time I showed up, and I was very, you know, concerned about, you know, contributing and wanted to look smart in front of my peers. And I call this the current ratio epiphany. I was in an audit committee meeting, and they're all talking about the current ratio. And everyone seemed rather concerned. But it'd been 25 years since I took financial accounting. I wasn't quite sure. 

Kevin Magee: So finally, at some point, I raised my hand. And I said, what is the current ratio? And should it be big, or should it be smaller? And they took the time to explain it to me. And had I not done that, I would have been acting on information that I didn't know. And why? Because I'm a Type A, and I didn't want to look dumb in front of my peers. 

Kevin Magee: And that's when it dawned on me - the accountants, the lawyers, when a cybersecurity issue comes up, same thing happens. They don't want to look dumb in front of their peers. So they're often acting on information or making decisions on information where they don't understand. And they're often afraid to ask the question. So having someone who - with a technical background that can provide that context, that can be the coach and whatnot of the board can make all the difference to improving the performance of that board. 

Dave Bittner: And how do you suggest people go out and find these opportunities? 

Kevin Magee: Finding the first one is always the hardest. I tried five years to get on a board. And then once I finally got on a board, everyone wanted me on their board. So it can be difficult, much like getting that first job. So what I think is just educating yourself on what the role of a board of director or trustee or governance is really all about. And there's some great books online or some great, you know, free trainings you can look at to do that - but understanding the role of the governor, and then approaching an organization that you have a commitment or a connection to. I'm on the board of trustees of my university, where I graduated from, a great chance to give back as well too. And you have that deep connection that makes it easier to make that first step. 

Kevin Magee: But really educating yourself and just going out and asking and seeing who really needs some help in those areas. Most boards have nominating committees, so finding out who the nominating committee chair, governance chair is and having a coffee chat or a discussion with that person would be a great idea. Biggest thing is just don't be afraid to do it. Like I said, I was so nervous walking into that room. I would have nothing to add. And it turns out, I have a great deal. Imposter syndrome, I think, sometimes holds us back more than anything from achieving a seat on the board. 

Dave Bittner: All right. Well, Kevin Magee, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.