The CyberWire Daily Podcast 10.14.22
Ep 1683 | 10.14.22

Phishing for poll watchers. Impersonating Intrusion Truth. Data breach at the LDS Church. SpaceX asks for help paying for Ukraine’s Starlink. Killnet’s potential. The gamer’s attack surface.


Rick Howard: Hey, everybody. Rick Howard here. Check out the newest episode of "CyberWire-X" from this past Sunday, where I'm joined by Hash Table industry experts, as well as the founder and CEO of PlexTrac, Dan DeCloss, where we all discuss pen testing. It's a really great episode, so make sure you don't miss it.

Dave Bittner: County election workers find themselves targets of phishing. Impersonating Intrusion Truth. The LDS Church discloses data compromise. SpaceX asks for StarLink funding. Does Killnet have potential to do more damage? Deepen Desai from Zscaler on Joker, Facestealer and Coper banking malware on the Google Play Store. Our guest is Maxime Lamothe-Brassard of LimaCharlie to discuss how cybersecurity is following in the footsteps of software engineering. And the gamers' attack surface - it's big, really big. It's big, big. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, October 14, 2022.

County election workers targets of phishing.

Researchers at Trellix have observed a spike in phishing emails targeting county election workers in Pennsylvania and Arizona ahead of the states' upcoming midterm elections. The emails are attempting to steal credentials or trick the users into downloading malware. The researchers note that an attacker could use this access to achieve several goals - election interference, collection of political intelligence or conventional cybercriminal profit-taking through sale of stolen credentials. None of these, of course, are mutually exclusive goals.

Impersonating Intrusion Truth. 

Dave Bittner: Researcher Dominic Alvieri tweeted that an unknown group is impersonating Intrusion Truth in an attempt to misidentify APT41 as an NSA operation. APT41 is the Chinese threat actor that carries out state-directed operations while engaging in the occasional for-profit side hustle. It's not convincing. There's much mystery about APT41. It's also known as Wicked Panda. They're not the NSA. And you can read all about them in the FBI's wanted poster, among other places, which comes complete with five mug shots of the Wicked Panda boys. Who is Intrusion Truth? It's an anonymous, so far unattributed group that for several years has devoted itself to outing Chinese cyber operators. The impersonation would seem to be a clumsy attempt to discredit both NSA and attribution of APT41 to China. 

LDS Church discloses data compromise (possibly related to espionage).

Dave Bittner: The Church of Jesus Christ of Latter-day Saints yesterday disclosed that it had detected in March unauthorized activity in certain computer systems that affected personal data of some church members, employees, contractors and friends. The disclosure was delayed until this week at the request of law enforcement, who asked for the information to be held to protect the integrity of the investigation. It's not known publicly who was responsible for the intrusion, but the church's statement says U.S. federal law enforcement authorities suspect that this intrusion was part of a pattern of state-sponsored cyberattacks aimed at organizations and governments around the world that are not intended to cause harm to individuals. The church described the scope of the data exposure, stating the breached systems contained personal data, including basic contact information of members of the Church of Jesus Christ of Latter-day Saints. The data accessed may include, if you provided it, your username, membership record number, full name, gender, email address, birth date, mailing address, phone number and preferred language. The affected data did not include donation history or any banking information associated with online donations. What the intruders wanted to gain from the compromise is unclear. 

SpaceX asks for Starlink funding.

Dave Bittner: StarLink founder Elon Musk tweeted last week that this operation providing StarLink service to Ukraine has cost SpaceX $80 million and will exceed $100 million by end of year. CNN now reports that StarLink has said it can no longer bear the cost out of pocket of delivering resilient internet service to Ukraine. The company has asked the U.S. Department of Defense for funding. SpaceX's director of government sales wrote the department early in September to say, we are not in a position to further donate terminals to Ukraine or fund the existing terminals for an indefinite period of time. There's no immediate word on the Pentagon's plans, but Starlink has become essential to Ukrainian command, control and communications. And it seems unlikely, at a time when Western material support for Ukraine is rising, that the service will be permitted to lapse. 

Does Killnet have potential to do more damage than it so far has?

Dave Bittner: Killnet, an auxiliary under the direction of Russian intelligence services, has so far shown itself capable of little more than minor DDoS operations and website defacements. But an essay in Cybernews argues that it would be a mistake to dismiss the group as unlikely to ever amount to more than a low-skilled collection of script kiddies. Killnet had been a known criminal group before turning its attention to operations designed to advance the cause of Russia. It was a botnet-for-hire operation, and the group's criminal background and the support of the Russian state suggests that it could be quickly augmented with the personnel and tools necessary to pose a more serious threat. On the other hand, of course, it's always possible that Killnet has peaked and won't get beyond its present punk-with-a-spray-can identity, hanging out on virtual street corners, sniping butts and throwing rocks at cars. 

Gamers’ attack surface is big, big, really big.

Dave Bittner: Let me ask if any of you are gamers. There's no shame in that. The New York Times has an appropriately lurid account of how the current enthusiasm for online gaming has translated into increased criminal activity in that corner of the world. So let's say you game, as The Times puts it, to cast spells, kill zombies and compete as your favorite athletes. Maybe your guard is down because after all, it's zombies. But the real hoods are up and active. Given the sort of disinhibition one can feel in the middle of crushing it with cascade effect or even doing the "Fortnite" dance, your attack surface can be as open as a biome in a Spleef. The rise of in-game purchases has opened up opportunities for scam artists. The amounts are often small, a few dollars, even a few cents. But as is so often the case with scams, the secret is, as Crazy Eddie used to say, volume. Who's going to think it worth their while to investigate the loss of 60 cents, one father of a disappointed Roblox purchaser pointed out to The Times. But the gaming world has bigger risks. Consider cheat codes, popular among the competitive but lazy segment of the gaming community. The Times summarizes some conclusions from Kaspersky, stating, criminals can use fake cheat programs to disable a target's computer and steal information. In Kaspersky's analysis of threats to 28 popular games, the company found thousands of files of this type, which affected more than 13,600 people from July 1, 2021 to June 30, 2022. So game with caution, friends, and don't cheat. And stay in school. 

Dave Bittner: After the break, Deepen Desai from Zscaler on malware on the Google Play Store. Our guest Maxime Lamothe-Brassard of LimaCharlie discusses how cybersecurity is following in the footsteps of software engineering. Stay with us. 

Dave Bittner: Maxime Lamothe-Brassard is CEO and co-founder at security-infrastructure-as-a-service provider LimaCharlie. I spoke with him about his notion that the cybersecurity of tomorrow will look a lot like the software engineering of today. 

Maxime Lamothe-brassard: We talk about software engineering, really, because that field has had a similar kind of trajectory as an industry. And what I mean by this is there was a point where software development or software products or, like, the industry of building software was a very highly specialized one. And it was very unaccessible, right? You had a lot of product that were sort of in the boxed software kind of realm. You wanted a database - you had to go and buy the shiny box database from one of the three vendors that had, you know, the secret sauce to do database in the world in enterprise space. And what happened is that the industry matured a whole lot. And people started really understanding the big pieces, the big underpinning concepts that allowed for what modern software development is, which is, hey, all of a sudden, everybody knew what a relational database was. Everybody knew what a virtual machine was, what, you know, maybe a load balancer was. So people really got to the point where a lot of those concepts were very well-understood by everybody in the industry. 

Maxime Lamothe-brassard: And as that happened, what we saw was kind of this - the AWS come through. And AWS, I think, for me, is like the catalyst of modern software development where we're saying, hey, you know, if you're doing software development, you don't have to rebuild every single piece at every, you know, single kind of company where you're building software. But instead, you're able to reuse the parts that everybody understands how to build them. And as you do that is how you get to the point where, you know, you can start reasoning around software development, kind of into modern enterprise in really nice ways because you're demystifying a lot of the - you know, the big underlying components. So now you're able to plan how you're going to do a certain product, explain it to people in different industries, explain it to leadership and then produce a repeatable process around that. So said all this to say security, I think, is getting to that same kind of spot where security is no longer, you know, the really kind of arcane knowledge that a couple of people possess, and people aren't talking, and, you know, everybody thinks about it differently. 

Maxime Lamothe-brassard: But rather, now people are getting to the point where we have things like the MITRE framework, right? The MITRE ATT&CK framework, which is a common way for everybody to think about security and the types of attacks, the types of techniques and threats. And as we're putting those pieces of shared understanding in the industry - right? - at the core of everything that we do, now we are getting to the point where we can start talking about how we are going to defend against a specific attack, how we're going to detect it, what it looks like, how it can be tested against - right? - which is kind of one of the really core things in software development. And as you put those pieces of the puzzle kind of all in a line, what you end up with is a very similar kind of mentality to software development, where we're able to - hey, let's start planning about what things need to be done, how we're going to do these things, how they're going to work together to be assembled - what's the outcome going to be? - and how we're going to keep that process going into the future to make sure that, you know, we keep a lot of the value that we build, and we test against it. So it's kind of a long answer to say that, really, it's just a similar kind of trajectory that leads to a more mature industry, you know, how we reason about security. 

Dave Bittner: You know, it strikes me that these sort of transformations can often happen in fits and starts. And, you know, I've heard several people say that we really need to shed this kind of rock star mentality, where, you know, we - there are some cybersecurity superstars out there, you know, names we all know. But if we're going to reach a level of professionalization, we can't continue down that path. And I'm curious what your thoughts are on that. 

Maxime Lamothe-brassard: It's a very interesting question. I think that's a partially correct statement. Here's what I mean. You know, those rock stars - right? - I think, are a symptom - positively, I mean that - of the fact that a lot of people in cybersecurity came to cybersecurity because of passion, because it was a field where they could really push the boundaries, do, you know, more different things, really cool things, kind of go outside the envelope, the challenge. So all those positive feelings, I'd think, are very precious. And it's a great thing for us as an industry to try to keep those, right? I think that's the positive side of what we want to keep. Now, where that statement is correct is that we want to move past that point so that we're not just relying on this idea of, you know, I have three different people, and they're amazing. How, exactly? Well, they're doing a bunch of different things. You know, that's good. But that does not make, to this point, a reliable, well-understood path to becoming more secure, right? It's not a reproducible process. It's one that, like, can work in some cases, but not everybody can have that. So I think where the sweet spot is for us is to be able to keep growing the maturity in terms of repeatability and kind of the, you know, the software engineering approach to things, and really define that as the framework by which we want to grow. And then I think, in my opinion, what it means is that those, you know, those rock stars are, you know - I'll kind of shift that in terms of saying those very passionate people - are able to still, you know, tap into that passion and drive a lot of value, but to do it in a way that very predictably benefits the company. 

Dave Bittner: That's Maxime Lamothe-Brassard of LimaCharlie. There's a lot more to this conversation. If you want to hear more, head on over to the CyberWire Pro and sign up for interview selects, where you'll get access to this and many more extended interviews. 

Dave Bittner: And joining me once again is Deepen Desai. He is the chief information security officer and vice president of Security Research and Operations at Zscaler. Deepen, it is always great to welcome you back to the show. I wanted to touch base with you today on some stuff that you and your colleagues are tracking. This is some malware on the Google Play store. What are you are looking at here? 

Deepen Desai: Thank you, Dave. Yes, so we have a mobile and IoT threat team that is continuously tracking different sources for, you know, threat actors trying to push those mobile malware onto the devices - user devices. So as part of that tracking activity, we do monitor apps that are being downloaded through a cloud from even official locations like Google Play Store. So in the recent research, we talk about three different families for which we observed the apps making it on the Google Play Store. And there were more than 300,000 downloads combined that we observed for these apps, which were actually malicious in nature. 

Dave Bittner: Well, let's go through them one at a time here. What were you all looking at? 

Deepen Desai: Yeah. So there were three different families involved. The very first one is a fairly prominent malware family. It's the Joker malware. It's known to target Android devices. And despite public awareness of this particular family, it keeps finding its way into Google's official app store by regularly modifying the malware's, you know, trace signatures - so including things like, how do they update their codes? - execution methods and payload retrieving techniques. So that's Joker malware. The second one that we noticed was Facestealer malware. That's specifically targeting, you know, Facebook login credentials. And then the third one is Coper, which is a banking Trojan. And that's targeting various banking applications in Europe, Australia and South America. 

Dave Bittner: Are there any things that stand out about these three? Anything particularly clever about the way that they're going about getting themselves on to the Play Store? 

Deepen Desai: Yeah, I'll mention a few things here. I mean, look. Google is doing a great job of tracking this, vetting it in their sandbox. And they do, you know, end up removing hundreds if not thousands of these before they ever make up - before they ever show up on the Play Store. But there are these more sophisticated family that continue changing their tactics. So one of the techniques that we've seen being more and more successful is where they're pushing this initial app, which is then known to download Stage 2 payload from a different location, right? And that location may be serving something completely benign until the app is live on Google Play Store, right? So the payload retrieving technique - in we saw as part of the code itself, where they will check, is the app live on Google Play Store? And if the answer is yes, then the download that will result from the destination will be, actually, Joker malware payload. So that's one of the thing that we're seeing being fairly successful in evading some of the checks that are being performed. The second thing is where, you know, they will continue to segment the code, obfuscate the code and change the execution flow, as well, to kind of match at times some of the legitimate applications. And that's where probably it's, again, getting through those static analysis modules that might be running on Google's side. One thing I'll mention, though, we've discovered - say if I were to talk about the Joker payload, we saw more than 50 different Joker downloader apps in Play Store. As soon as we report it to the Android security team, they were fairly quick in taking those down, right? So the response time, the tracking time is very good from Google's part. 

Dave Bittner: What is an Android user to do here? I mean, obviously, you know, the Google Play Store is, in terms of sourcing your apps, is a relatively safe place to do this. Are there any additional steps people should be taking to help protect themselves against these sorts of things? 

Deepen Desai: Yeah. So sticking to the official Play Store is always the first thing. I mean, yes, some of these apps were found on Google Play Store, but still, that's very, very safe compared to third-party app stores, where chances of you hitting one of these malicious apps will be much higher. So that's number one. Number two is, you know, it's always a good idea to do second-level check where, you know, install apps that have very high install numbers, relatively positive reviews, and the developer is a known developer, as well. So having that second-level check done always helps for the end users, especially if the app is asking for, you know, a lot of permissions. Now, one permission that I'll mention for the listeners, very important one - don't grant notifications listener permissions - right? - and escalated accessibility permissions to apps that you don't fully trust. The notifications listener service specifically enables the application to be added to enable notification listener provider. And in simple terms, what this means is this app will be able to read notification, and it includes critical access notifications like auto-generated, one-time passwords and PIN codes. So they're able to bypass two factors if you give that level of permission to some of these untrusted apps. 

Dave Bittner: All right. Well, good advice, as always. Deepen Desai, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at Be sure to check out this weekend's "Research Saturday" and my conversation with Brigid O. Gorman from Symantec's Threat Hunter Team. We're discussing "Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics." That's "Research Saturday." Check it out. 

Dave Bittner: This CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.