The CyberWire Daily Podcast 11.2.22
Ep 1696 | 11.2.22

OpenSSL indeed patched. CISA is confident of election security. Killnet attempted DDoS against the US Treasury. XDR data reveals threat trends. BEC and gift cards. And that’s one sweet ride.

Transcript

Dave Bittner: OpenSSL patches two vulnerabilities. CISA and election security. Killnet attempted DDoS against the U.S. Treasury. XDR data reveals threat trends. Business email compromise and gift cards. Tim Starks from the Washington Post's Cybersecurity 202 has the latest on election security. A visit to the CyberWire's Women in Cybersecurity Event. And Consequences for Raccoon Stealer from the war in Ukraine.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, November 2, 2022. 

OpenSSL patches two vulnerabilities. 

Dave Bittner: We begin with a brief note that, as promised, OpenSSL has patched two vulnerabilities in its software. Both of the issues had initially been rated critical, but they've since been downgraded a bit to serious. That's no reason for complacency, since, after all, serious is still serious. And the patches still merit the prompt attention of users. Check your systems. OpenSSL versions 3.0 and above are vulnerable.

CISA and election security. 

Dave Bittner: Yesterday morning, the Center for Strategic and International Studies held a fireside chat with CISA director Jen Easterly and CSIS Senior Adviser Suzanne Spaulding. We sat in on the discussion. Easterly discussed how CISA is the sector risk management agency for multiple sectors, including election infrastructure, and notes how it's local and state officials in charge of elections, not the federal government. She said that CISA's role was to ensure that those officials have the tools, resources, capabilities and information they need to conduct what Director Easterly called safe and secure and resilient elections. She noted the years of cooperative effort among federal, state and local officials. And she expressed confidence that those efforts were paying off. Her conclusion about next week's midterm elections was clear and unambiguous. She said, there is no information, credible or specific, about efforts to disrupt or compromise that election infrastructure. 

Killnet attempted DDoS against the US Treasury.

Dave Bittner: Recent Russian cyber operations, apart from whatever cyber espionage may be in progress, have continued to amount to nuisance-level work with the appearance of hacktivism. Reuters reports that in September, the Killnet gang attempted a DDoS attack against the U.S. Department of the Treasury. That attempt was unsuccessful, Treasury says. The department described the attack as pretty low-level DDoS activity targeting Treasury's critical infrastructure nodes. And the department adds that it was relatively easily parried. That said, shields remain up, as is only prudent. It's certainly possible that offensive cyber operations in the war against Ukraine may quickly become more consequential and show themselves capable of doing more damage than they have so far. 

XDR data reveals threat trends. 

Dave Bittner: Security firm Barracuda has published a report on the severity of threats over the course of 2022, finding that a larger number of serious attacks occurred during the summer, while many employees are on vacation. Microsoft 365 account compromises in particular were found to increase during the summer. 40% of attacks between June and September 2022 involved logins to Microsoft 365 accounts from suspicious countries. Barracuda classifies these attacks as high risk. 

Dave Bittner: So there was a surge in incidents during the vacation season. Barracuda observes that cyberattackers target companies and its security teams when they are likely to be underresourced. This could be on weekends, overnight or during a holiday season, such as the summer. This is reflected in the XDR data - that is extended detection and response data - which clearly shows that despite an overall reduction in threat volume, a significantly greater proportion of threats detected during the summer months were at the higher risk end of the scale. Of course, summer vacation is now way back in the metaphorical rearview mirror, but Barracuda thinks we should expect a similar surge during the upcoming holidays. 

Business email compromise and gift cards.

Dave Bittner: Business Email Compromise is a commonplace problem and has been for some time. It traces its origins back to the old hoary Nigerian prince scams. But, of course, it's continued to advance in cunning and guile since those early days of the advance fee scam. The criminals have shown an ability to gull employees into thinking that they've received emailed instructions from the boss. Often you'll see BEC scammers impersonating C-suite executives to make wire transfers to vendors, organizations and accounts that they control. Curiously, one of the forms of payment the scammers ask for is gift cards. That itself should be a tip-off. How often has your boss directed you to purchase a gift card? Yet gift cards are what they want. 

Dave Bittner: Security firm Cofense released a report today today in which they detail trends in Business Email Compromise and explain what would happen if you gave scammers traceable gift cards. Cofense researchers purchased $500 worth of trackable gift cards to see where they would go after the cards were given to a scammer. Scammers were found to prefer in-store cards and tended to be flexible with what was available. The experiment showed how quickly scammers move funds, showing that, in all but one case, the gift cards were stolen, resold and used for purchases within a day. So remember; your CFO probably isn't going to email you to ask for gift cards. 

Raccoon Stealer and the war in Ukraine.

Dave Bittner: And finally, what becomes of criminals during wartime? Maybe, like others, they get drafted. And here we note we're talking about criminals still at large. Those in the slammer are convicts. And if they happen to be in Russia, well, they'll be offered a chance to join the Wagner Group and serve at the front in exchange for remission of their sentence. But regular still-at-large crooks take their chances like the rest of us. Consider the case of the Raccoon Stealer malware-as-a-service operation and one of its impresarios, Mr. Mark Sokolovsky, a native son of the Ukrainian city of Kharkiv. It's known that the U.S. has indicted Mr. Sokolovsky on charges that alleged he was a principal behind Raccoon Stealer and that he was arrested by Dutch police on a U.S. warrant. He's presently in custody in the Netherlands, appealing a Dutch decision to extradite him to America. 

Dave Bittner: But what was he doing in the Netherlands? Apparently bugging out of Ukraine. A story in MarketWatch says that, shortly after the Russian invasion, Mr. Sokolovsky climbed into a Porsche Cayenne with his girlfriend to get away from the fighting. The Kharkiv native drove through Poland and Germany, and the police in the Netherlands picked him up on an FBI tip. Raccoon Stealer, formerly a big criminal enterprise, has itself gone into hibernation. MarketWatch quotes their farewell message - "Unfortunately, due to the special operation, we will have to close our Raccoon Stealer project. Our team members who were responsible for critical components of the product are no longer with us. Thank you for this experience and time, for every day, unfortunately, everything, sooner or later, the end of the world comes to everyone." Now, come on, Raccoon Stealers. It's not like, oh, I don't know, extradition to the United States is the end of the world, you nutty little trash pandas. Think of it, rather, as a time of transition, perhaps even an opportunity for growth. And another thing - the Cayenne is a nice ride, but it's still a compact SUV, sort of a mom bomb. If you're paroled, pick up a Dodge Hellcat. You'll be an envy of the dark web. 

Dave Bittner: After the break, Tim Starks from The Washington Post's Cybersecurity 202 has the latest on election security. And a visit to the CyberWire's Women in Cybersecurity event. Stay with us. 

Dave Bittner: The CyberWire recently hosted our annual Women in Cybersecurity Reception at the fabulous Spy Museum in Washington, D.C. Several hundred women gathered to celebrate women in cyber and tech, to enjoy a panel discussion from industry experts, and perhaps most importantly, to socialize, network and create connections. Here's a taste of the event from CyberWire Associate Producer, Liz Irvin. 

Liz Irvin: On Oct. 20th, the CyberWire held the Women in Cybersecurity event at the Spy Museum located down in Washington, D.C. 

(APPLAUSE) 

Jennifer Eiben: All right. Hi. Good evening, everyone. This is the most inspiring room to see. This is awesome to see... 

Liz Irvin: It was incredible getting to see all the amazing women of cyber in one room together, mingling and discussing their professions with one another. And I had the absolute pleasure to interview just a few of the 300 women in attendance that night. 

Diane Janosek: I'm Dr. Diane Janosek. I'm with the National Security Agency. 

Sara Sendek: My name is Sara Sendek. I work at FTI Consulting. I'm a senior director on the cybersecurity and data privacy communications team. 

Simone Petrella: I'm Simone Petrella, founder and CEO of CyberVista. 

Dinah Davis: I'm Dinah Davis. I am VP of R&D operations, and I work at Arctic Wolf. 

Lauren Sasson: I'm Lauren Sasson. I work at Team Lewis here in Washington, D.C. 

Lexie Van Den Heuvel: My name is Lexie Van Den Heuvel. I work at FTI Cybersecurity, and I do digital forensics and incident response. 

Liz Irvin: At the beginning of the event, we had a panel of four different women from four different companies sit down for a discussion. I got to see what some of the guests thought of this year's panel. 

Simone Petrella: What I really loved about the panel and being part of not only, you know, getting to listen to the panelists, but put the - having the honor of putting the panel together was that we really were able to achieve representation across a really diverse set of cybersecurity roles within the panelists themselves. 

Diane Janosek: The panelists were awesome. The moderator was great. I mean, I just loved it. I loved to hear what the young lady had to say, who actually wasn't and is the intern last summer and how she said, you don't have to have a role model. You can be your own person. And I just think that's beautiful because the world keeps changing. So you are who you are. 

Lauren Sasson: Seriously enjoyed it. It was really amazing. And the - I was thinking as I was listening to it, the diversity in that panel was amazing. 

Liz Irvin: Sitting down with these women, I asked them what it meant to be here at an event supporting women in this field and why it's important for us to make our voices heard in this industry that is typically male-dominated. Here's what they had to say. 

Lexie Van Den Heuvel: It is so nice to see such a wide variety of cybersecurity jobs and women filling those roles and then also to be at the Spy Museum, where you can see women throughout history who've been involved in these types of jobs. It's very inspiring. 

Simone Petrella: The workforce of the future is in this room today, and it's growing year over year. Every year that this event has happened, it has gotten bigger. And there are more women that are asking for a seat at the table and deserve a seat at the table. And so I think the industry needs to take notice, and they need to really kind of support and think about what they need to do to embrace this untapped talent still. Like, we still have so far to go, but this workforce is in this room right now. And it's outside this room, too. So we need to figure out how to bring more women in the field, cultivate them, grow them. And we're going to have better businesses and better organizations for it. 

Sara Sendek: I feel like for any woman in cybersecurity, there's oftentimes a feeling of being underrepresented in this field. It's often male-dominated. Go to any conference and it's not - you're not going to see as many females around. But there are a lot of females in this field, and it's important to be able to connect with them and help lift each other up and help build those bonds in this line of work. 

Liz Irvin: Lastly, I asked our guests what advice they would give to women looking to get into this field. 

Dinah Davis: So there's, you know, so many jobs available, but there's going to be so many more and so many more and so many more because it's always changing. And there are so many different aspects. I think one thing that women don't understand or - and many people in general is that there's probably, like, 200 types of cybersecurity jobs, and not all of it is, you know, wearing a hoodie in a basement. In fact, that's actually a very, very small percentage of the cybersecurity jobs out there, right? 

Lauren Sasson: Don't count yourself out. You know, I grew up thinking that STEM is not for me. Math is not for me. Technology is not for me. And I found myself, just by accident, in an intersection of technology and of something that I do think is for me, you know? So I think don't count yourself out just because there are other people in the world who are telling you that you're not deserving of these positions - that you're not capable of these positions, that you're not smart enough - and find your passion that can intersect with technology - with cybersecurity and pursue that. 

Lexie Van Den Heuvel: Google and Twitter are your best friend in the security world. You're constantly learning new things on those blogs. And listen to the CyberWire podcast, obviously (laughter). 

Diane Janosek: Females, we have a role for you in cybersecurity. We need you in cybersecurity. You're multidisciplinary, multi-talented. You've got passion. You love teamwork. You love collaboration. So join the cybersecurity field and stay in the cybersecurity field, and then recruit your best friends. 

Liz Irvin: I want to thank all of the women who came out to support our event and especially those who were able to sit down with me and chat. I am grateful that I was able to sit down with some of the women in this industry. And it was such an inspiration to be able to talk about what it means to be a woman in this field and discuss the event and the panel. 

Jennifer Eiben: This was very enlightening. Thank you so much. And... 

Unidentified Person: Thank you, Jen, for putting this all together. 

(APPLAUSE) 

Jennifer Eiben: I can't even tell you how excited I am. This room is so full, and it just - it makes my heart so happy. So anyway... 

Liz Irvin: Thanks again to everyone who shared.

Dave Bittner: Special thanks to our audio team, Elliott Peltzman and Tre Hester, and to producer Liz Irvin for making this segment possible, and to senior producer Jennifer Eiben for organizing the event itself. 

Dave Bittner: And it is my pleasure to welcome to the CyberWire Tim Starks. He is the cybersecurity reporter at the Washington Post and also the author of the Cybersecurity 202. Tim, it's great to have you join us today. 

Tim Starks: Yeah, it's great to be here. 

Dave Bittner: So before we dig into our topic for the day, can you give our listeners just a little brief rundown of exactly what the mission is of the Cybersecurity 202 there at the Post? 

Tim Starks: I would say that it's a newsletter in name. You know, and you get the things you would expect to get from a newsletter there, which are rundown of all the big important news of the day. But it's also a little bit like a reported column. You know, once per day, I will dive in from between 600 to 1,000 words on some subject with a little bit of analysis. So the idea is to give people stuff that they want to get from everywhere, and we can put it all in one place, but also to give them stuff they can't get anywhere else. 

Dave Bittner: I like to say that if you're going to subscribe to one newsletter, make it the CyberWire, but if you're going to subscribe to two, include the Cybersecurity 202 as well. 

Dave Bittner: Well, let's dig into some topics here. I know you've been putting a lot of energy into examining what's going on with the upcoming elections. 

Tim Starks: We have. Every time there's an election, certainly there are a lot of cyber eyes on what's going on there. And no difference this time. You know, we've talked about how this time maybe things don't look as scary as they have in past elections. You know, certainly when you go back to 2016, where there was a hack that essentially, you know, changed the election, to some degree - it may not have won the election for Trump, but it certainly influenced the election, with the hack of the Democratic National Committee and the officials on the Hillary Clinton campaign - and then the hack-and-leak operation that was an influence operation, essentially. 

Tim Starks: So those twin threats have been around since 2016. And this time, certainly, to hear, you know, CISA director Jen Easterly tell it, there are no specific credible threats that would undermine election infrastructure. We have also, of course, reported on some warnings that the FBI has sent to the state political parties saying, hey, there's some Chinese hackers - Chinese state government affiliated hackers - who are probing your network. So it's not that there's a lack of threats. It's just that maybe they seem diminished this time. 

Tim Starks: Where the threats have maybe shifted in focus, as you guys talked about earlier this week, is worries about disinformation. You know, since the 2020 outcome of race, we've seen not just foreign influence attempts, but we've seen domestic groups trying to spread disinformation about what happened in that election and what might happen in this upcoming election. We've even seen some collaboration - you know, perhaps on accident - where a foreign government will say something, and then you'll see the people, perhaps unwittingly, amplify it in the United States - people who - where that dovetails with their message. So those are some of the big threats we're looking out for. 

Tim Starks: We do - I think we're comfortably able to say, as we did this morning in our newsletter, that things are better than they were in 2016. And, of course, you would expect that after nearly $1 billion worth of investment just from the federal government alone. That doesn't count the state and local investments. But we also know that there are a lot of things that we're not - where we haven't finished doing yet, and that state and local election officials will tell you - we need we need a lot more than a billion. We need 5 billion next year. That's what they said in December. 

Dave Bittner: Yeah, it's interesting to me because, as you say, it seems as though we've got the technical side of things pretty buttoned up in terms of the actual voting machines and the infrastructure and that sort of thing. My sense is there's a high amount of confidence in that from the folks who would know better. But it's that disinformation side that seems in my mind to have been ramped up. I mean, when you compare to recent elections, does it seem as though that's where the bad actors have been focusing? 

Tim Starks: Yeah, I would say that. You know, it is difficult to really change an election by hacking into the machines. You know, the kinds of hacks that we've seen demonstrated, by and large, for the most part, are hacks that have - you know, you would have to have access to a specific machine. And maybe in a district where things are close or in a state where things are close, if you could switch one machine, maybe you could have a big impact on the election. But you have to have access most of the time, and that's hard. 

Tim Starks: You know, there's also a push to make it so that any kind of connectivity to the internet that these things have is going to go away. We've seen very few states still kind of using these modems to transmit unofficial results. That's one thing we've seen them do with it. But you don't want the connectivity for the reasons that, you know, there's a potential that if you are connected to the internet, that someone can get in. So it's difficult. What is easier to do is to lie on the internet. Now... 

Dave Bittner: (Laughter). 

Tim Starks: ...To the credit of some of the social media companies and maybe - you know, I don't want to give them too much credit because there are people who will say they have not done enough to crack down on disinformation and influence operations. But they have done some things, and they've done more than they were doing back in 2016. And there seems to be this growing awareness that they need to be on top of this. And a lot of the - you know, a lot of the networks that they've found and exposed - and not just them, but external organizations they work with - have not had a whole lot of reach. You know, if you look at the engagements, they have been limited in some degrees. But, you know, one of my - some of my colleagues recently, just this - it was as recently as this week. We were reporting on it, on something on Twitter where it actually did get pretty good engagement. So it's the ease of the operations, and the bang for your buck is coming from that - you know, if anything between those two things. 

Dave Bittner: Yeah. I wonder, you know, for the cybersecurity professionals in our audience, is it on them to help spread the word among their family friends - you know, we all have those folks who are skeptical - to just remind them, use their expertise to say, you know what? The - at least the technical side of this, we're in pretty good shape here. 

Tim Starks: Certainly, I think that - I'd like to give some real credit to the cybersecurity officials who answered our poll that we ran earlier this week. You know, it's to their economic incentive to emphasize the hacking threat and de-emphasize the disinformation threat. But they're a pretty honest sort of group who would say, you know, even though this - my career is in hacking and cybersecurity, what I'm really worried about for this election is the disinformation piece. And, you know, one of the things that appealed to me about cybersecurity when I first started writing about it was that it was this unsettled, wild frontier of policymaking where nobody had the answers. And we still don't. We have some answers, but we still don't - we still, by and large, do not have the big answers on this. Disinformation is perhaps even harder than that. Yes, do spread the word with your friends. Sure. But then, there are also people who will tell you that if you're trying to communicate with somebody who is in the embrace of disinformation, if you are too dogmatic with them, you can actually deepen their hostility toward correct information. So, you know... 

Dave Bittner: Right. 

Tim Starks: ...You hear approaches like, you know, ask them questions. Draw them out that way. Don't tell them, no, you're wrong, and here's why you're wrong. And show them credible news outlets. But because they don't trust those credible news outlets, try to get them to talk about... 

Dave Bittner: Right. 

Tim Starks: ...Why they are where they are. And then, you got to - you know, the bigger, bigger, bigger pieces are things like better media literacy training, you know, and education at the K-12 level. So it's definitely something where the more people who are contributing, the better. But at the same time, you've got to be really careful about how you do it. And we haven't really figured this out yet. 

Dave Bittner: All right. Well, Tim Starks is the author of the Cybersecurity 202 at The Washington Post. Tim, thanks so much for joining us. 

Tim Starks: Yeah, it was great. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.