The CyberWire Daily Podcast 1.26.23
Ep 1747 | 1.26.23

Remote monitoring and management tools abused. Russian and Iranian cyberespionage reported. The world according to the CIO. And if volume is your secret, maybe look for a better secret.


Unidentified Person: You're listening to the CyberWire network, powered by N2K.

Dave Bittner: A joint advisory warns of remote monitoring and management software abuse. Iranian threat actors are reported active against a range of targets. The U.K.'s NCSC warns of increased risk of Russian and Iranian social engineering attacks. A look at trends as seen by CIOs. Carole Theriault ponders health versus privacy with former BBC guru Rory Cellan-Jones. Kyle McNulty, host of the "Secure Ventures" podcast, shares lessons from the cybersecurity startup community. And the DRAGONBRIDGE spam network has been disrupted. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 26, 2023. 

Joint advisory warns of remote monitoring and management software abuse.

Dave Bittner: Three U.S. organizations - the U.S. Cybersecurity and Infrastructure Security Agency, the National Security Agency and the Multi-State Information Sharing and Analysis Center - have released a joint advisory outlining the abuse of legitimate remote monitoring and management software. The advisory describes a large, financially motivated phishing campaign that managed to compromise many - as the advisory puts it - federal civilian executive branch networks. 

Dave Bittner: The advisory explains, in this campaign, after downloading the RMM software, the actors used the software to initiate a refund scam. They first connected to the recipient's system and enticed the recipient to log into their bank account while remaining connected to the system. The actors then used their access through the RMM software to modify the recipient's bank account summary. The falsely modified bank account summary showed the recipient was mistakenly refunded an excess amount of money. The actors then instructed the recipient to refund this excess amount to the scam operator. 

Dave Bittner: The agencies note that while this campaign was financially motivated, the access could lead to additional malicious activity against the recipient's organization from both other cybercriminals and APT actors. So this time around, it's ordinary crime. The next time, it could be espionage or sabotage. 

Iranian threat actors reported active against a range of targets.

Dave Bittner: Iranian threat actors are reported active against a range of targets. Those targets appear to be in Australia and Israel. ABC Australia reported Tuesday that cyberattacks targeting Australian organizations for data extortion, believed to be the work of Iranian Revolutionary Guard-affiliated actors, were seen in a tabled parliamentary report. 

Dave Bittner: In other campaigns, Secureworks Counter Threat Unit has also analyzed the activities of the Moses Staff and Abraham's Ax personae, active in September 2021 and November 2022, respectively. Commonalities between attributes of the hacktivists fuel researchers' beliefs that they are operated by the same entity. The researchers believe both personae are operated under the umbrella of the Iranian COBALT SAPLING threat group. COBALT SAPLING saw emergence in October of 2021, according to Secureworks, as a pro-Palestinian hacktivist group targeting Israeli entities. 

UK's NCSC warns of increased risk of Russian and Iranian social engineering attacks.

Dave Bittner: The U.K.'s National Cyber Security Centre - the NCSC - warned this morning that Russian and Iranian intelligence services are increasing their phishing attempts, stating the Russia-based SEABORGIUM and Iran-based TA453 actors continue to successfully use spear-phishing attacks against targeted organizations and individuals in the U.K. and other areas of interest for information-gathering activity. The campaigns are selective and highly targeted, prospecting people who work in academic, defense and governmental organizations, in NGOs and think tanks as well as politicians, journalists and activists. The campaigns are independent and not coordinated. Both efforts use open-source intelligence during their reconnaissance phase, impersonate well-known figures in a field of interest to the targets and employ official-looking documents as their phish bait. They are both espionage campaigns engaged in collecting information. Their immediate goal is development of rapport with the target and eventually credential theft that might enable further social engineering campaigns. Computing reports that the ultimate goal of the collection seems to be the gathering of compromising material that could later be used to recruit the targets. 

A look at trends, as seen by CIOs.

Dave Bittner: Foundry this morning released their annual State of the CIO report, analyzing CIO attitudes toward finances, the evolution of the CIO role and the anticipated initiatives in focus in the coming year. They think that economic instability may not spell an end to tech budget increases. The research details the continued optimism shared among CIOs in terms of finances in 2023, with over half of those surveyed expecting increased budgets despite the state of the economy. Reasoning for budget increases is believed to include a need for security improvements, a need to upgrade outdated IT infrastructure, application modernization, investments in new skills and talent and product innovation. Over half of respondents report that the CIO has a budget of their own in the company separate from the IT budget. 

A quick note on Hive.

Dave Bittner: We'll have more on this tomorrow. But in a developing story, the U.S. FBI says it's taken down the notorious Hive ransomware gang. The bureau has been quietly working at it since last summer, infiltrating Hive, taking decryption keys and restoring lost funds to Hive's victims. Reuters quotes Deputy U.S. Attorney General Lisa Monaco as saying, using lawful means, we hacked the hackers. We turned the tables on Hive. The bureau says it stopped Hive from collecting around $130 million in ransom for more than 300 victims. This morning Hive's site was replaced with a notice - the Federal Bureau of Investigation seized this site as part of coordinated law enforcement action taken against Hive ransomware. Bravo, FBI. 

DRAGONBRIDGE spam network disrupted.

Dave Bittner: And finally, remember the old radio ads that began with an amazed customer adding, Eddie, how do you do it? And then Eddie would answer, what's my secret? Volume. Our history of advertising desk says they never really got how that would work either. I mean, how could selling one suit below cost result in a loss but selling 100 below cost would turn a profit? Weird. But apparently the approach is still making sense to some out in the influence arena. Google's Threat Analysis Group has released a report outlining its efforts to disrupt the massive spam network DRAGONBRIDGE. It's got a small audience, but it pumps out a lot of spam through hundreds of thousands of inauthentic or hijacked accounts. 

Dave Bittner: DRAGONBRIDGE is a China-based influence network that works across several platforms. The researchers note that most of the network's posts are low-quality content without a political message populated across many channels and blogs. TAG has taken down more than 100,000 of the network's accounts. Despite the network's size, DRAGONBRIDGE has received very little engagement from real people. Ninety-five percent of its blogs received fewer than 10 visits, and most of its videos have fewer than 100 views. The researchers also note that most of the engagement the posts received were from other DRAGONBRIDGE accounts. Even Crazy Eddie never did that. 

Dave Bittner: Maybe the problem is the quality of the content. TAG says most of their posts are spammy, nonsensical material without an overt political message, often clips of animals, landscapes, food, sports and other content. Blurry visuals, garbled audio, poor translations, malapropisms and mispronunciations are also common. The content is often hastily produced and error-prone - for example, neglecting to remove lorem ipsum text from a video. The researchers also note that a small fraction of the accounts push more coherent posts relating to current events, adding a pro-China spin. Most of these posts were written in Mandarin and focused on negative stories about the U.S. So, yeah, we got your lorem ipsum right here. Since they're letting some Latin slip into the text, consider some advice from Ovid. If you want to be loved, be loveable. Or in this case, if you want to persuade, be persuasive. Don't just phone it in. We know. We know. Lenin said, quantity has a quality all its own. But how's that working out for you, CCP? 

Dave Bittner: Coming up after the break, Carole Theriault ponders health versus privacy with former BBC guru Rory Cellan-Jones. Kyle McNulty, host of the "Secure Ventures" podcast, shares lessons learned from the cybersecurity startup community. Stay with us. 

Dave Bittner: From time to time, we like to highlight security podcasts that have caught our attention and that we believe deserve wider notice. You may have heard of a little independent show we promoted a few years ago called "Darknet Diaries." It's done quite well for itself in the meantime. Kyle McNulty is host of the "Secure Ventures" podcast, where he focuses on the cybersecurity startup community. He joins us with insights from the interviews he's done and the things he's learned along the way. 

Kyle McNulty: It's basically telling founders' stories and the stories of their companies. So the same way you just asked me about my kind of origin story, it's understanding how these different security founders have made it into this entrepreneurship world. Some of them have longtime security backgrounds, 25-plus years. Some of them have never worked a security job and were doing something somewhat related. There was one guest who was doing media and kind of stumbled into the privacy space and ended up starting a successful cybersecurity company from there. And then telling the story of, what is that company actually focusing on, what are the challenges that they're working through, what does the longer-term vision for that company look like, and helping tell lessons for other founders and investors and even practitioners as far as how they can do something similar. 

Dave Bittner: Are there any common threads that you've discovered as you've done these interviews, any things that these folks with entrepreneurial spirit have in common? 

Kyle McNulty: To be sure. And obviously there's lots of nuance to each individual story, but there's certainly themes that shine through. One really interesting one that's stuck out to me over time is the emphasis on customer interviews before actually launching a product. So rather than just saying, hey, I have this idea, let's go ahead and start building it, it's I have what I think could potentially work, but before I trust my conviction, let me go ahead and speak with, let's say, 20, 50 different professionals in the industry, whether that's CISOs, other practitioners, other founders, investors - get their perspective on it. And even if they are validating the idea, as part of that process they're giving you feedback as far as the features that are important to them, what they really want out of that product, and sometimes even more importantly, that's some very helpful customer diligence that you're doing and relationships that you're building, which can then convert into easier sales once you actually have that product up and running. 

Dave Bittner: You know, I think it's easy to think of folks in the venture world as being very successful and - because so many of them are. But I think there's a lot of lessons to be learned from the failures as well. And that's an area that you discuss with your guests also. 

Kyle McNulty: To be sure. Not every person who's come on the podcast has every single startup that they've created be successful. Failure is certainly a part of it. Oftentimes you hope for smaller failures as opposed to massive, large-scale failures where $100 million has already been invested. But a big part of being a founder is learning from those experiences. So even if - I'd say one thing that I find is very common, especially with the folks who are doing podcasts and putting a lot of attention on their media opportunities, is they might be a repeat founder. So they built a company, sold it, and they decided, hey, I want to do something bigger. I want to do something more grand. And so even though that's not truly a failure, it's, what sort of learnings can you apply from that experience? What does it look like to, rather than maybe look for an early acquisition, say, hey, this time around, I want to build something that has a much broader vision and try to take this to a public exit? What does the timeline look like for that? Who are the people that you need around you? What are the investors that you want on your team and in your corner? And what do you really need to do differently from day one to prepare for that vision? 

Dave Bittner: You know, in the conversations that you've had along the way, are there any lessons that you've taken away from it for yourself? Anything that's surprising or unexpected? 

Kyle McNulty: One interesting piece that stuck out is the idea of really mapping your customer segment. And so this was on a conversation with Dan at CyberOwl. They're a shipping security company - so maritime security company. And they went through a detailed exercise, in terms of understanding how their different customer segments are clustered to one another. So what sort of supplier relationships involved each of those different companies? And how can they target specific clusters before moving into the next one? So almost like a network map of your customers. And it was an additional level of customer diligence that had never even occurred to me at that kind of minute scale. It just gave me a renewed understanding and importance on understanding what your target market really looks like and how you can potentially penetrate that market. And I think that applies, whether it's to the podcast, whether it's to consulting, whether it's to starting a new business, whether it's even to just growing your own professional brand - is how can you apply that same sort of very meticulous customer understanding and customer mapping and use that to just increase your efficiency with outreach to your target audience? 

Dave Bittner: What is your sense for the outlook for the coming year - or the folks that you talked to? Are folks optimistic that we're in for a good one here? 

Kyle McNulty: I think the general consensus is certainly not. But it's always a hard prediction or a hard position to be in, as far as making predictions about the market, right? And I think anyone who acknowledges that the outlook is bleak generally also acknowledges that there's a great deal of uncertainty. And so it's less about saying with certainty the outlook is bleak and more about saying that there's a lot of uncertainty that exists ahead as far as exactly what the next year will look like and understanding that the range of outcomes is much broader than maybe it's been obvious for the last couple of years. And so just preparing for that worst-case scenario and putting your business in a position where it can be successful in the next year, in that range of outcomes. 

Dave Bittner: What do you get out of doing the show personally, having these conversations, talking to these folks? What are the takeaways for you? 

Kyle McNulty: Well, we talked already about the different lessons that I've learned just from talking to these folks and how that's helping me be a better professional, whether it's building a business, working on these different side projects, understanding the cybersecurity market more clearly. But it's also been an amazing experience just to build content that so many people are excited about, really getting some of that feedback when someone listens to a recent episode and shoots me a text or a LinkedIn message and says, hey, I really enjoyed that episode. It's very gratifying that something that's enjoyable for me to actually do on a daily basis is also enjoyable for other folks to listen to. 

Dave Bittner: That's Kyle McNulty. He's producer and host of the "Secure Ventures" podcast. 

Dave Bittner: Carole Theriault is our U.K. correspondent and also co-host of the "Smashing Security" podcast. She recently checked in with former BBC guru Rory Cellan-Jones about health versus privacy. Carole Theriault files this report. 

Carole Theriault: I recently interviewed Rory Cellan-Jones. Until recently, he worked at the BBC and for decades had been the lead technology journalist on all things digital. Now, Rory retired a few years ago and then announced that he had been diagnosed with Parkinson's. Rory now runs the Rory's Always On Newsletter on Substack and focuses primarily on the issues frustrating the tech progress in health care. I mean, privacy is important, but this is a heavy cost to those of us facing serious medical conditions. Here, I ask him to expand on this debate. I've heard you talk on your newsletter and actually in person about how there's a kind of fight between privacy and shared data because people want to be private about health care issues. Yet that data is so valuable to share amongst all the different institutions that provide a health care service, be they private, consultants, GPs, emergency rooms, all that. 

Rory Cellan-Jones: Yeah, that - it's a very interesting debate. And I've long felt that it's a bit unbalanced. So for obvious reasons, everybody is very concerned that their health data should be private, that it shouldn't get into the wrong hands. And that concern - yes, it's genuine, but it's really holding up, quite often, the potential there is for using that data for good. So in the U.K., the National Health Service is an extraordinary treasure trove of data. It's, you know, the biggest, centralized generator of health data in the world, probably. So you could harness that. You know, maybe you could develop new drugs. Maybe you could do a lot more preventative medicine. Maybe you could find a cure for Parkinson's. But every time somebody comes up with a scheme, the government comes up with a scheme. And they never handle it very well. To take, for instance, GP records - a local doctor, your family doctor records, which are really important because they give us a sort of long-term view of somebody's health and how that relates to demographics and so on. Every time such a scheme is proposed, it's kind of held down for privacy reasons. And what you hear is always about the dangers rather than the potential. So the latest such scheme was theoretically launched a couple of years ago but quickly died a death or was put in the deep freeze. The first headline I read about it, in a British liberal newspaper, was - referred to an NHS data grab, you know, very negative language. 

Carole Theriault: Yeah. 

Rory Cellan-Jones: And as I say, there are proper, you know, questions to be asked. For instance, do you want big technology companies - Google is a great example - to be involved in this? But I think we can construct systems where there are safeguards for privacy, and yet this data can be put to good use. 

Carole Theriault: Someone right now who may be in a situation similar to yours, where they're trying to navigate complicated doctor relationships and making sure everyone has that information that they need at the right time - do you have any advice for them? Is there any, like, secret tricks that you've learned along the way where you're like, I couldn't do without this? 

Rory Cellan-Jones: I wish I did. I mean, yeah. But I'm - what's happening in this country is that gradually, that interaction between patients and doctors is being digitized, is being made better. For instance, every drug - new drug now is probably going to come with an app to kind of guide the patient or maybe provide feedback to the doctor about how the drug is working. There's a lot of work going on in using smartphones. This is coming back to where we started, the benefits of smartphone technology to provide that interaction between patient and doctor and to provide remote monitoring. I was in the hospital I visit regularly the other day, and they were promoting an app where you could do your own eye test at home. Patients who were, you know, being monitored didn't necessarily need to come in to have their eyes tested. They could do their own eye test using this app, and that would be analyzed probably by an algorithm. And, you know, if there was something of concern, then they would be called in. 

Carole Theriault: So there you have it. Health care may be lagging behind when it comes to digitization, and there's a long way to go before we can do all our own diagnostics. But we are definitely heading in this direction. It's kind of fascinating to imagine where we'll be in 20 years' time. This was Carole Theriault for the CyberWire. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you here tomorrow.