The CyberWire Daily Podcast 1.12.23
Ep 1738 | 1.12.23

Trojanized VPN installers circulate in Iran. A trip down the static expressway. Hacktivism-for-profit. IT incidents disrupt NOTAMs and Royal Mail. HR phishbait.


Dave Bittner: Iranian VPN users are afflicted by Trojanized installation apps. Phishing on the Static Expressway. NoName hacktivist auxiliaries target NATO. Yesterday's flight outage appears not to have been caused by a cyberattack. The Royal Mail is disrupted by a cyber incident. Carole Theriault thinks Meta needs to step up their game when blocking financial scams. Our guest is Mark Sasson from Pinpoint Search Group to discuss why cybersecurity may no longer be a candidate-driven market. And HR phishbait dangles raises, and some employees bite.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 12, 2023. 

Iranian VPN users afflicted by Trojanized installation apps.

Dave Bittner: Bitdefender has reported that Trojanized versions of VPN installers are staging SecondEye, a monitoring application, on victims' devices. SecondEye is sold legitimately, but this is a surreptitious use of the product to gain insight into user activity. Many Iranians have sought out consumer VPN products as a way of shielding themselves from monitoring by their government. Bitdefender calls the campaign EyeSpy and says that the software it installs has the ability to fully compromise online privacy via keylogging and stealing of sensitive information such as documents, images, crypto wallets and passwords. While the researchers don't offer attribution, the victimology suggests an Iranian threat group. 

Phishing on the static expressway.

Dave Bittner: Avanan released a blog this morning detailing a new variation of an attack, leveraging Dynamics 365 Customer Voice to bypass security scanners in a technique known as the Static Expressway. This is a new variation of an attack Avanan reported in November 2022, with the same core structure. Hackers use Microsoft Customer Voice to send a notification to the end user appearing to be from the service when in actuality a malicious phishing link is on the site. This variation does not send a notification of a voicemail like the November version did. Rather, an email is sent, appearing to be a fax shared on SharePoint, said to contain particularly sensitive or confidential information. If the end user clicks on the link in the email, they'll land on a page with a link to preview or print the document, which leads to a legitimate Customer Voice URL. Linked in the click here to print button is what appears to be a OneDrive login screen, but in reality is a credential harvesting page. 

NoName057(16) hacktivist auxiliaries target NATO.

Dave Bittner: SentinelOne describes a Russian hacktivist auxiliary campaign against NATO organizations. The group bears the paradoxical name NoName057(16). We'll call them NoName for short. The group is known to have been active since March of 2022, and it specializes in DDoS. 

Dave Bittner: The hacktivist group deploys these attacks against websites it regards as important to countries that have been too friendly to Kyiv and too critical of Russia's war against Ukraine. And that means, NATO, NoName is looking at you. Its operations are similar to those of Killnet. Indeed, some of the two groups' targeting has overlapped. SentinelOne says that NoName has been responsible for the action against the Danish financial services sector that Reuters reported earlier this week. The threat group has also been active against campaign websites associated with the upcoming Czech presidential election. 

Dave Bittner: NoName seems to be a genuine hacktivist auxiliary and not merely a front group for a Russian intelligence service. As the report points out, SentinelLabs has identified how the group operates over public Telegram channels, a volunteer-fueled DDoS payment program, a multi-OS supported toolkit and GitHub. There is a mixture of profit with the patriotism. The group represents an increased interest in volunteer-fueled attacks, while now adding in payments to its most impactful contributors. So if SentinelOne has it right - and they probably do - expect more of the same. Hacktivism for profit looks like an incipient trend. 

The NOTAM outage appears not to have been caused by a cyberattack.

Dave Bittner: The U.S. Federal Aviation Administration grounded all domestic flights early yesterday morning after an outage of the Notice to Air Missions system. That's NOTAM. A technical failure appears to be behind the approximately 90-minute outage, rather than the work of nefarious actors. The FAA initially reported the outage at 7:15 Eastern Time Wednesday, saying they were working to fully restore the NOTAM system, with the order of a pause to all domestic departures until 9 a.m. Eastern Time. An update an hour later resumed departures at the Newark Liberty Airport in New Jersey, as well as the Atlanta Hartsfield-Jackson Airport in Georgia, due to air traffic congestion in those areas. In an update released at 8:50 a.m. Eastern Time, Bloomberg explains, the ground stop was officially lifted, with normal air traffic operations gradually returning. 

Dave Bittner: The New York Times reports that a later update from the FAA revealed that the preliminary investigation linked the outage to a database file that was damaged. The Wall Street Journal writes that Canadian provider NAV Canada saw an outage in their NOTAM system as well just after 10 a.m. Eastern Time, which was restored at roughly 1:15 p.m. Eastern Time. While the cause for the Canadian outage has not yet been identified, according to The New York Times, a spokeswoman for NAV Canada, Vanessa Adams, said that she did not believe there was a connection to the FAA outage despite the coincidence. 

Royal Mail disrupted by a "cyber incident."

Dave Bittner: Mail service in the U.K. has been disrupted by what the Royal Mail is calling a cyber incident. Computing explains that it's being called an incident as opposed to an attack because the Royal Mail is still investigating and is unsure of the cause behind this week's problems with its IT systems. The National Cyber Security Center, Britain's NCSC, is aware of the incident and is investigating.

HR phishbait dangles raises, and some employees bite.

Dave Bittner: And finally, it's the time of year when many companies inform their employees of raises or other changes to their compensation. Criminals are using this to shape their phishbait. Proofpoint describes the form the phishing is assuming: "With bonus and #salary reviews coming up, threat actors know it and are using these lures for #socialengineering. On January 10th 2023, @proofpoint observed emails with #phishing links purporting to be from #HumanResources and utilizing bonus and #payraise lures." So be on your guard, workers of the world. And HR, now might be a good time for a little bit of that human touch. 

Dave Bittner: After the break, Carole Theriault thinks Meta needs to step up their game when blocking financial scams. Our guest is Mark Sasson from Pinpoint Search Group to discuss why cybersecurity may no longer be a candidate-driven market. Stay with us. 

Dave Bittner: We are facing greater economic headwinds and, with that, uncertainty in the job market. Tech firms are not immune, and even cybersecurity, where the demand for qualified talent continues to outstrip the supply. Mark Sasson is founder and managing partner of Pinpoint Search Group, a cybersecurity recruitment firm. I reached out to him for insights into what he's tracking when it comes to the cyber job market. 

Mark Sasson: To be clear, the perspective you'll get from me, Dave, is going to be related to the cybersecurity vendor product community as opposed to the, quote-unquote, "end user" or cybersecurity practitioners. And in terms of getting to this point, the cybersecurity market, from the vendor perspective, is still really immature, and it's dominated by startups. By my count, in 2022, vast majority of funding rounds in terms of volume funding went to seed A- and B-stage companies. So you're in a situation really due to macroeconomic events where investors are delaying or canceling investments, and founders have to be really careful of the burn rate. So in this situation, the first thing that will go are going to be the human resources. So now you've got more people, professionals in this space actively seeking opportunities and fewer opportunities to go around. So the way I see it, it's a supply and demand issue, and it's driving leverage towards employers. 

Dave Bittner: You know, we've seen reports for years now about the shortages of people to fill the available jobs. Are you seeing a shift there? 

Mark Sasson: Every time when I look at the numbers, at least, you start seeing a shift - the numbers go up at some point. And it's really due, I think, because of the rapid growth of the industry. So to be clear, the end of the candidate-driven market isn't an end. It's a lull in being a candidate-driven market. And again, I really think it's due to macroeconomic events versus what's specifically happening in cybersecurity. And so because of the nature and the growth of this particular aspect of technology, I think we're going to be in this situation for a long time. It's going to take education from an early age to really start filling a lot of the open positions that just can't get filled today. 

Dave Bittner: Well, can we go through together, you know, the variety of types of positions and how you think this might affect them? And I'm thinking of, you know, the person who may be just out of school or searching for a job for the first time in this market, all the way up to someone who may be a senior executive. How do you see this reality affecting those people in those different positions? 

Mark Sasson: I think there is probably a lot of opportunity for people just coming out of school, where the market seems to be deficient, and that particular area is matchmaking, so to speak - helping people that want to get into the industry figure out how to get in, where they're best suited based on their individual capabilities. And I do believe that's being worked on. From an executive-level standpoint - and obviously, we're jumping through that whole individual contributor and director-level class, so to speak. But if you're talking about more senior-level people at the executive level, this is impacting them because there are organizations trying to do more with less. And so once you get to such a high point in your career, the question is, where do you go? And so I am talking to quite a few executives almost on a daily basis that are trying to figure out whether they need to bide their time or whether they're going to take a smaller role than they anticipated taking because of the current situation. 

Dave Bittner: Are you seeing a recalibration of the levels of pay for folks throughout the industry? 

Mark Sasson: To an extent. My advice to a lot of people just picking my brain, given that they're looking around right now, is that they should probably steer away from demanding some of that top-level compensation that they were being offered maybe even a couple of quarters ago and dialing it back just a little bit. I don't know that compensation is going to take a major dip. Again, this is an industry that is still in demand. You're looking at people that are highly qualified individuals. But there was a point where people, at least on the vendor side of the house, were offering almost ridiculous sums just to attract talent. And now that there's more people on the market looking, again, the employer has got a little more leverage there. So I think it's going to level out. I don't think it's going to drastically drop. 

Dave Bittner: What's your advice for the employers in terms of creating an environment where people want to stick around? 

Mark Sasson: Again, I'm big on - based on all the feedback we get - right? - this isn't just me guessing here. This is based on why candidates tend to want to leave. And it largely comes down to uncertainty. Whether an entire executive team is getting turned over, whether their company is acquired by private equity, whether there is, again, uncertainty as it relates to how is this company going to stay afloat financially because we need a round of funding - if you're not finding a way to communicate those concerns to people you want to keep on board, you're going to lose them. And so figuring out retention policies associated with eliminating or at least reducing uncertainty for your quality employees is probably one of the first things you want to think about. 

Dave Bittner: Do you think that this could ultimately be a good thing that we obtain kind of a longer-term sustainable equilibrium here? 

Mark Sasson: I absolutely do. I compare this with people I talked to outside of this industry. I compare what cybersecurity is going through in tech, in general, to the housing market. I mean, it's simply overheated. There's something like 2,000 cybersecurity vendors, mostly early stage, that are competing for CSO budget-experienced professionals. And for this industry to mature, ultimately, there's going to have to be some consolidation and just a little less money getting thrown around. And that impacts me negatively. But for the long-term health of the industry, as you referenced, this has to happen. 

Dave Bittner: That's Mark Sasson from Pinpoint Search Group. 

Dave Bittner: Financial scams are everywhere online and especially on social media these days. Our U.K. correspondent Carole Theriault thinks that Meta, in particular, needs to step up their game when blocking financial scams. 

Carole Theriault: So according to a U.K. consumer report publication named Which?, known from now on as Which? magazine, dodgy investment ads are littering people's online feeds. The game plan, it seems, is to peddle misleading property and cryptocurrency investments to an unsuspecting audience. And the question that Which? magazine poses is - aren't companies like Facebook and Instagram all underneath Meta? Why aren't they doing more about it? In this recent article, they outlined the findings of their investigation into dodgy ads and called for the government to pass the Online Safety Bill into law without any further delays. 

Carole Theriault: Now, Which? magazine worked with a consulting team to analyze adverts on Meta's ad library. This is where you can see which ads are visible to Facebook and Instagram users. They searched for investment adverts with clear risk factors, such as those that promised life-changing returns or failed to include risk warnings. They also report that repeat offenders are able to persistently post dodgy adverts on Facebook and Instagram, meaning consumers could be misled into making risky investment choices and in the worst cases, obviously, falling victim to fraud. 

Carole Theriault: One very concerning collection of adverts they found was for a piece of software called Tesler - not Tesla, but Tesler, E-R. They spotted 20 different Tesler adverts, and each raised eight serious risk flags, such as not having any risk warnings and promising sensational returns. When one of the Which? magazine researchers clicked on the ad, they were prompted to enter their contact details. And within an hour, they were called by a representative of the company and pressured to set up a trading account amid claims that its sophisticated algorithm plays the trade with an 87% success rate - hmm. 

Carole Theriault: Of all the investment ads that they looked at, Which? state that at least half were either peddling investment products or were crypto ads offering impossibly high returns without clarifying how they might be obtained. And Which? also found a small number of adverts for binary options, a form of trading banned in the U.K. back in 2019. The FCA has previously warned that any firm offering binary option services is probably a scam. But here's the big thing - they say in their article, quote, "if a consumer group and another charity can design algorithms to uncover these adverts, then tech giants should be able to create effective systems to do the same job on a bigger scale." And I don't think I could agree more. Boohoo if it's difficult to become a monolith in the technology industry and not do your utmost to block the dodgier ads. Surely a sliver more of your fat profits could go to that. This was Carole Theriault for the CyberWire. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.