The CyberWire Daily Podcast 12.20.22
Ep 1727 | 12.20.22

Warnings on SentinelSneak. The rise of malicious XLLs. Updates from Russia’s hybrid war. An unusually loathsome campaign targets children.

Transcript

Dave Bittner: SentinelSneak is out in the wild; XLLs for malware delivery. CERT-UA warns of attacks against the Delta situational awareness system; FSB cyber operations against Ukraine. Mr. Security Answer Person John Pescatore offers his sage wisdom. Microsoft's Ann Johnson from "Afternoon Cyber Tea" speaks with Dr. Chenxi Wang from Rain Capital; and an unusually unpleasant sextortion campaign.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, December 20, 2022. 

SentinelSneak is out in the wild.

Dave Bittner: Researchers have discovered a campaign they're calling SentinelSneak, a malicious Python package posing as a SentinelOne software development kit, ReversingLabs reports. Its researchers say that the package named SentinelOne, with no connection to the security firm of the same name, was first seen in the Python Package Index on December 11, 2022. It's described as a fully functional SentinelOne client that has a malicious back door. SentinelSneak does not strike immediately after installation, Dark Reading reports. The function lies dormant until triggered into action by another program. It's noted that this shows the threat actors' desire to target the software supply chain as a way to inject compromised code into targeted systems as a beachhead for further attacks. These further attacks likely have not yet occurred, researchers say. This is just the latest threat leveraging the PyPI repository, amongst the use by other actors of strategies like typosquatting, ReversingLabs researchers said in their advisory. 

XLLs for malware delivery.

Dave Bittner: Researchers at Cisco Talos have published a report looking at the ways in which attackers are using alternative methods to execute malicious code via Office documents, as Microsoft phases out support for VBA macros. Threat actors have recently started introducing malicious code to documents using office add-ins, which are pieces of executable code in various formats and capabilities that can be added to office applications in order to enhance the application's appearance or functionality. XLL files specifically are useful for executing malicious code via an Excel document. Talos explains, if the user attempts to open a file with the file name extension .XLL in Windows Explorer, the shell will automatically attempt to launch Excel to open the .XLL file. This is because .XLL is the default file name extension for a specific class of Excel add-ins. Before an XLL file is loaded, Excel displays a warning about the possibility of malicious code being included. This is a similar approach as the message about potentially dangerous code which is displayed after an Office document containing VBA macro code is opened. Unfortunately, this protection technique is often ineffective as a protection against the malicious code, as many users tend to disregard the warning. Cisco Talos has observed several high-profile threat actors using XLLs to deliver malware, including the Chinese state-sponsored actor APT10 and the financially motivated gang FIN7. The researchers conclude that XLL abuse is likely to succeed VBA-based attacks as users upgrade their instances of Office. 

Trends in the cyber phases of Russia's hybrid war.

Dave Bittner: The CyberPeace Institute has published its quarterly analysis of cyber operations by both Russian and Ukrainian forces. Auxiliaries continue to play a significant role on both sides. And DDoS and influence operations retain their prominence among the tactics deployed.

CERT-UA warns of attacks against DELTA situational awareness system.

Dave Bittner: Some of the activity in cyberspace during Russia's war has amounted to fairly conventional espionage. A Washington Post opinion piece argues that Ukraine's ability to deploy and make effective use of modern, automated command and control systems to process intelligence and conduct operations has given it the advantage over the invaders. Such systems would be obvious targets for Russian cyber operations. And those, indeed, seem to have been attempted. CERT-UA reports that over the weekend, it had detected attempts against its Delta system, an automated situational awareness system. It's a phishing campaign that uses emails and instant messages that misrepresent themselves as spot reports but which carry FateGrab or StealDeal information-collecting malware as their payload. CERT-UA offers no attribution and says it's been unable to link the campaign to any specific threat actor. But circumstantially, at least, it looks like a Russian operation.

FSB cyber operations against Ukraine.

Dave Bittner: Palo Alto Networks' Unit 42 reports that the FSB group Trident Ursa has been highly active lately against Ukrainian targets, stating since our last blog in early February covering the advanced persistent threat group Trident Ursa (aka Gamaredon, UAC-0010, Primitive Bear, Shuckworm), Ukraine and its cyber domain has faced ever-increasing threats from Russia. Trident Ursa is a group attributed by the Security Service of Ukraine to Russia's Federal Security Service. As the conflict has continued on the ground and in cyberspace, Trident Ursa has been operating as a dedicated access creator and intelligence gatherer. Trident Ursa remains one of the most pervasive, intrusive, continuously active and focused APTs targeting Ukraine. As has often been the case, the FSB's operations are less sophisticated and more obvious than those of its sister Bears. But the FSB doesn't seem to care about this. 

Dave Bittner: In its conclusion, Unit 42 writes, Trident Ursa remains an agile and adaptive APT that does not use overly sophisticated or complex techniques in its operations. In most cases, they rely on publicly available tools and scripts, along with a significant amount of obfuscation, as well as routine phishing attempts to successfully execute their operations. This group's operations are regularly caught by researchers and government organizations, and yet they don't seem to care. They simply add additional obfuscation, new domains and new techniques and try again, often even reusing previous samples. Continuously operating this way since at least 2014 with no sign of slowing down throughout this period of conflict, Trident Ursa continues to be successful. For all of these reasons, they remain a significant threat to Ukraine, one which Ukraine and its allies need to actively defend against. So you don't have to be excellent, just good enough. Anything else, from the threat actors' point of view, is just gravy. They're not artists, after all. 

FBI warns of sextortion campaign targeting minors.

Dave Bittner: Finally, it would be unpleasant to report this at any time, but it's particularly loathsome to have to mention it during the holidays. The FBI warned yesterday that it had received, in the aggregate, more than 7,000 reports over the past year of financially motivated online sextortion of minors. Around 3,000 individual children, mostly boys, are believed to be involved. The scams, for the most part, originate outside the United States, generally in West African countries such as Nigeria and the Ivory Coast. The typical modus operandi is catphishing, intending to lure the boys into some sort of compromising online behavior, usually the posting of explicit photographs or videos, at which point the criminals extort them for money, payable by gift card, credit card or some other transfer payment. The FBI explains that financial sextortion schemes occur in online environments where young people feel most comfortable, using common social media sites, gaming sites or video chat applications that feel familiar and safe. On these platforms, online predators often use fake female accounts and target minor males between 14 and 17 years old. But the FBI has interviewed victims as young as 10 years old. And of course, they advise parents and other responsible adults to talk to their children and do what they can to keep them safe - and also, of course, to support and comfort them should they become victims, nonetheless. Do stay safe out there.

Dave Bittner: Coming up after the break, Mr. Security Answer Person John Pescatore answers your questions. Microsoft's Ann Johnson from "Afternoon Cyber Tea" speaks with Dr. Chenxi Wang from Rain Capital. Stay with us. 

(SOUNDBITE OF MUSIC) 

Unidentified Person #1: Mister. 

Unidentified Person #2: Security. 

Unidentified Person #3: Answer. 

Unidentified Person #4: Person. 

Unidentified Person #1: Mister. 

Unidentified Person #2: Security. 

Unidentified Person #3: Answer. 

Unidentified Person #4: Person. 

John Pescatore: Hi. I'm John Pescatore, Mr. Security Answer Person, coming to you a week early to beat the holiday rush. 

John Pescatore: Our question for today's episode. Hi. We had a pretty good year last year, several fire drills but no meaningful security incidents and no major noncompliance issues. But I know we had vulnerabilities, and some of those fire drills could have turned into dangerous blazes. You've said earlier that moving to multifactor authentication should be top of the list for the new year, and I've already started going on a small-scale trial early next year in 2023. MFA aside, what should my 2023 New Year's resolution project be? 

John Pescatore: Ah, we are a quaint and hopeful species, aren't we? Just because we believe that pinning a fresh new calendar up on the wall somehow empowers us to eat better, get more exercise and mitigate all of last year's vulnerabilities. But I've actually been thinking about a one-line answer to that question, and I've come up with one - get security built into at least one nonsecurity process in 2023. This is kind of a sneaky resolution. To many, it sounds kind of like Tom Sawyer resolving to get someone else to paint Aunt Polly's fence for him. That may be skewing old. Read your Mark Twain. But the reality is that IT operations has been essentially getting security to paint their fences for a long time. Asset management, change management, patch management, privilege management - those are functions that IT sysadmins own but often do poorly. Most security teams are not responsible for server, PC or network assets and don't have the power to do adds, drops, changes, patches, et cetera. 

John Pescatore: This is a big topic for another day. Let's focus on some simple ways of getting those other groups started on painting their own damn fences. There's a relatively easy target and a harder target. Let's start with the easy one - getting security built into cloud computing, specifically infrastructure-as-a-service use, such as Amazon AWS, Google Cloud Platform and Microsoft Azure. The low-hanging fruit is talking with the DevOps lead or cloud computing architect, then seeing what they are planning on doing for application performance management and visibility tools. Many of those products look very similar to cloud security posture management tools. If both sides can agree to use one product together, it will grease the skids for increasing the fidelity of asset inventory and configuration monitoring in the cloud. A bit harder but even more powerful - convince them to base AWS, Azure and-or GCP infrastructure as a service on the Center for Internet Security Hardened Images, available directly from the cloud service providers. For a reasonable increase in cost per CPU per hour, you'll be able to show big-time reductions in compliance and incident costs.

John Pescatore: If you're feeling ambitious or the organizational tailwinds are in your favor, make friends in IT and procurement and get some key security requirements baked into all requests for proposals, evaluation criteria and other contract material for any software development or cloud services procurements. Point to the Biden administration's recent requirements around supply chain security if you need a bigger breeze to fill the sails. The SAFECode organization is a good source for information on software supply chain security, as are NIST and CISA. This can be as simple a start as requiring all software and cloud services vendors to provide evidence that they use commonly available application vulnerability testing tools and-or managed bug bounty programs.

John Pescatore: Supply chain security is like a snake swallowing a cow - you have to start somewhere; it won't happen in one big gulp. This is a great place to start. An example of this at work is the Veracode Verified Program. Google Veracode Verified Directory, and you'll see 16 screens full of software companies' logos where their products have been tested by Veracode for secure software development and the absence of known vulnerabilities. Convince your organization to think of buying new software like buying a used car. These days, just about every used-car purchase includes a Carfax check to find vulnerabilities before you buy the car. Let's do at least that for software. 

John Pescatore: I hate to leave you on a depressing New Year's resolution note, but did you know that eating an entire can of Pringles is way more healthy than eating that enormous banana nut muffin you're eyeing at the breakfast buffet? 

(SOUNDBITE OF MUSIC) 

Unidentified Person #1: Mister. 

Unidentified Person #2: Security. 

Unidentified Person #3: Answer. 

Unidentified Person #4: Person. 

John Pescatore: Thanks for listening. And Happy New Year. I'm John Pescatore, Mr. Security Answer Person. 

Unidentified Person #1: Mister. 

Unidentified Person #2: Security. 

Unidentified Person #3: Answer. 

Unidentified Person #4: Person. 

Dave Bittner: Mr. Security Answer Person with John Pescatore airs the last Tuesday of each month right here on the CyberWire. Send your questions for Mr. Security Answer Person to questions@thecyberwire.com. 

Dave Bittner: Microsoft's Ann Johnson is the host of the "Afternoon Cyber Tea" podcast right here on the CyberWire Network. In a recent episode, she spoke with Dr. Chenxi Wang from Rain Capital. Here are some highlights from their conversation.

Ann Johnson: So can you talk about the last few years and how there's been this huge wave of capital invested in cyber? Why has cyber been so attractive? And then what are you seeing right now?  

Chenxi Wang: So cyber has always been an interesting industry, where it may not have been as sexy as consumer tech 10 years ago, but it's always been the undercurrent of technology that everybody needed. And as you and I both see in the industry in the last five, six years, we've seen more and more regulations and compliance requirements, so that companies are now spending more money and require more talent to run their cybersecurity operations. And also, the threats have changed tremendously. And we've seen more innovations in cyber in the last 10 years than maybe all the years combined beforehand. And those factors led to what we call a hot, rising market in the last two years or so, 2020 and 2021. And I would say the pandemic accelerated the growth because moving from a campus-centric company culture to remote working, one of the first factors you have to put in is networking. And it's secure networking, right? Secure remote communication, secure remote access and all of that came back to security. So we saw tremendous growth in the requirement, in the investment in security technology through 2020 and 2021, which led to a huge infusion of capital. And I would say that probably overheated the market a little, and we saw those unrealistic valuations in 2020 and 2021, which - I think we are going through a period of correction right now. And I personally think the correction is needed. We just can't possibly grow the market at the same rate that it was in 2021.

Ann Johnson: What would you be doing right now to make sure your company thrives and even survives over the next 12 to 18 months?  

Chenxi Wang: Let's take this question apart. One part is if you're raising your first set of capital as founders, what you should do. And the other one is for maybe existing founders who already raised capital but are taking the company - wanting to take the company to the next phase of growth and obviously may need additional capital, as well as how they sort of structure the business model. For the first part of this question, if you are founders that are raising your first set of capital, I would say the criteria for getting over the hump, acquiring your first set of capital, have become significantly stricter, meaning that you really have to bring your A-game. I was just telling this to a founder that I met at re:Invent just a few days ago, that it's no longer, like, two people with an idea and a slide deck that is somewhat interesting can raise capital. What you need to do is really do your homework and talk to potential buyers and customers of your solution, really understand what the market is asking for in this type of capability, what the customer journey will be like. What are your relative positions against related products and functions out there? And ideally, not only come with ideas and possibly a prototype product, but come with four or five potential design partners or folks who have good things to say about your approach and may even put their names behind it.

Dave Bittner: That's Ann Johnson from "Afternoon Cyber Tea" speaking with Chenxi Wang from Rain Capital. You can hear the entire interview on the "Afternoon Cyber Tea" podcast. That's right here on the CyberWire Podcast Network.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.  

Dave Bittner: One final note - we will be taking a break from our regularly published programs from Christmas Eve to New Year's Day. But not to worry - we still have an exciting lineup of great CyberWire Pro content that you won't want to miss, so stay tuned. And happy holidays, everyone.