The CyberWire Daily Podcast 2.16.23
Ep 1762 | 2.16.23

APT37 has some new tricks. Multilingual BEC attacks. A look at the cyber phases of Russia’s war, and how being a crime victim may now be another way of serving the state. Influencers behaving badly.
Dave Bittner: North Korea's APT37 is distributing M2RAT. Multilingual business email compromise attacks and how they happen. Assessing the cyber phase of Russia's war, as the first anniversary of the invasion approaches. Killnet's attempts to rally hacktivists and criminals to the cause of Russia. Dinah Davis from Arctic Wolf describes continuous network scanning. Our guest is Dr. Inka Karppinen of CybSafe with a look at cybersecurity through the lens of a behavioral psychologist. And Grand Theft Auto is now also a TikTok challenge.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, February 16, 2023. 

North Korea's APT37 is distributing M2RAT.

Dave Bittner: North Korea's APT37, also known as RedEyes or ScarCruft, is distributing a new strain of malware dubbed M2RAT, according to a report from AhnLab Security Emergency Response Center (ASEC). ASEC spotted M2RAT being distributed via phishing emails last month. The emails contain documents that will execute shellcode by exploiting an EPS vulnerability in the Hangul word processor, which BleepingComputer notes is commonly used in South Korea. The shellcode will download a JPEG image to the victim's machine, then use steganography to extract code that will download M2RAT. The malware is designed to exfiltrate data via keylogging and screenshotting. M2RAT will also scan for mobile devices that are connected to the infected machine and will transfer any documents or voice recordings to the PC. ASEC explains that APT37 usually targets human rights activists, journalists and North Korean defectors. The researchers note that, since the threat actor targets individuals and personal devices rather than companies with expensive security solutions, the victims often don't know they've been compromised.

Multilingual BEC attacks, and how they happen.

Dave Bittner: Abnormal Security today detailed insights into multilingual business email compromise attacks in a report and insights into two actors, Midnight Hedgehog and Mandarin Capybara, who launch these campaigns in multiple languages concurrently. BEC attacks may be somewhat less prevalent than their phishing and identity theft counterparts, Abnormal Security researchers say, but the availability, affordability and accessibility of software and technology lower the barrier to entry in targeted multiple-language attacks. These attacks use common sales and marketing online services for malicious purposes. The research states, using these resources, BEC actors tend to collect target contact information, referred to as leads, within a certain geographic area, usually a single country or state. Google Translate doesn't hurt either. While it's not flawless, it is free and allows for quick translation and turnaround to victims of varying tongues. 

Assessing the cyber phase of Russia's war as the first anniversary of the invasion approaches.

Dave Bittner: The approach of the first anniversary of Russia's invasion of Ukraine has prompted a number of retrospective assessments of the cyber phases of Russia's war. The Washington Post cites expert opinion that sees a general Russian failure to integrate its cyber efforts into a more general combined arms operation. This failure has led Russia's cyber campaigns to be far less effective than expected. Dmitri Alperovitch, executive chair of the Silverado Policy Accelerator, told the Post, for cyber to be effective on a battlefield, it has to be deeply integrated into conventional military plans. They've utterly failed in achieving any tactical or strategic success, Viasat aside, which actually was a combined arms operation with significant effects. And despite the efforts of Russia's cybercriminal auxiliaries, large-scale and devastating cyberattacks against nations sympathetic to Ukraine have also fallen short of expectations. CISA director Easterly said, I think all of us were surprised somewhat that there have not been more significant attacks outside of Ukraine. 

Dave Bittner: In a report issued this morning titled "Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape," Google's Threat Analysis group, Mandiant, and Trust & Safety groups offered an appreciation of how the cyber phases of the war have developed. Google makes no pretense of neutrality in the war, which it directly calls Russian aggression. Russian cyber operations have so far fallen short of prewar expectations and may well continue to do so. But Google thinks that the war has shown that cyber operations are likely to remain an enduring feature of future wars. 

Killnet's attempt to rally hacktivists and criminals to the cause of Russia.

Dave Bittner: Flashpoint offers an update on the Infinity criminal-to-criminal marketplace, which Killnet, the Russian cybercriminal auxiliary, has opened to attract more talent to the Russian cause. It continues to offer strong financial incentives to those willing to work for the Kremlin. One interesting conclusion the researchers arrive at is that Infinity's rules are much less fastidious about permitting financially motivated crime against Russian organizations than other Russian criminal forums have been. The researchers state, notably, the forum does not seem to discourage members from selling data breached from Russian entities, such as malware logs or passports, which traditionally is frowned upon or downright forbidden on most Russian-speaking forums. So Russian businesses and individuals may be on their way to becoming collateral damage or, if you prefer, friendly-fire casualties. And that, too, from Moscow's point of view, may simply be another way of serving the state. 

Grand Theft Auto: now also a TikTok challenge.

Dave Bittner: Finally, here's the latest threat to your car - dimwits yukking it up on TikTok. Car manufacturers Hyundai and Kia have rolled out free theft-deterrent software for vehicles that don't have an immobilizer, the United States Department of Transportation said in a press release on Tuesday. Social media giant TikTok, known for its short-form video format, has seen the promotion of a so-called “Kia Challenge,” observed since July of last year in which users share “videos showing how to remove the steering column cover to reveal a USB-A slot that can be used to hotwire [the] car,” Bleeping Computer wrote yesterday. This challenge went viral, and Los Angeles, Calif., saw an 85% increase in Kia and Hyundai thefts in 2022, with Chicago seeing a nine-time increase for the same brands.

Dave Bittner: The issue resides with a flaw in the vehicle's turn-key-to-start system that allows for bypassing of the immobilizer that verifies the authenticity of the code in the key's transponder to the car's ECU. This allows thieves to forcibly activate the ignition cylinder using any USB cable to start the vehicle. The NHTSA says that the update provides an extended alarm duration from 30 seconds to one minute and requires a physical key in the ignition to start. More updates for more models are anticipated in June. We leave comment about the malign imbecility of social media influencers as an exercise for you, dear listener. Remember the Tide pod challenge? Yeah. We wish we could forget it, too. And good luck to Hyundai and Kia drivers. As CISA would put it, apply updates per vendor instructions. 

Dave Bittner: Coming up after the break - Dinah Davis from Arctic Wolf describes continuous network scanning. Our guest is Dr. Inka Karppinen of CybSafe with a look at cybersecurity through the lens of a behavioral psychologist. Stay with us. 

Dave Bittner: Dr. Inka Karppinen is a behavioral scientist at behavioral analytics platform provider CybSafe. I reached out to her for insights on the human side of cybersecurity through the lens of a behavioral scientist. 

Inka Karppinen: CISOs work in different industries. They work in retail industries. They work in banking, financial services, as well as more service-related industries. And the top tip for any of these industries is to listen to your people. Talk to your people. Know who your employees are because that's the only way you're actually going to then find out what you need to do for your cybersecurity initiatives for the year, for example. So it is, really, check out the practices, especially if people are using what we call shadow practices in cybersecurity. So you might have training procedures. You have policies in cybersecurity, you know, things you do and you don't, what is allowed, what's not. And we need to make sure that those policies, for example, and procedures are clear, they are concise, they are understandable by all the people in the organizations. And obviously, different organizations consist of different types of people. 

Inka Karppinen: So really, if you're going to talk to people, even during the coffee machine break, whether you send a Slack message or whether it's a simple survey, if you can find out a lot about them and if you then ask, OK, how - you know, what do you guys know about multifactor authentication, for example, and you know that you've given that training, you know, earlier in the year - they say, oh, actually, I don't know what it is - now, if you find that one person who doesn't find what it is, I bet you there is about, you know, multiple of others. So depending on organization size, you can multiply those peoples. And finding out what are the knowledge gaps, why people - even if they know how to use multifactor authentication, why are they not using it? Ask, are you using it? How are you using it? Do you find it - you know, does it help with your productivity, and does it hinder your daily job? You know, is it your pay (ph)? And you might find something really, really interesting, and then you can help them to actually either break the beliefs or myth or break the procedures in a more digestible format. 

Dave Bittner: How do you nurture those good habits? How do you encourage them to do the right thing? 

Inka Karppinen: That's a very interesting question because it can be applied to anywhere, whether it's your personal health or diet. Now, when we're talking about cybersecurity, which is something that it's bit of a - for a person, they don't see it. So when cybersecurity is good, kind of nothing happens. And when something goes wrong, then the training kicks in. Everybody goes in a panic mode, and then something happens. So actually, encouraging good habits means that you have - you actually have to communicate during those times that things are good. You know, if you do a phishing simulation, for example - if I identify my phishing, this is a simulation, I press report button at my end - well, I just don't get any feedback, basically. 

Inka Karppinen: Well, what if you would get a feedback? How good does it make you feel when you actually correctly did something? And so that's the kind of open feedback environment that could actually potentially help a lot on these matters. And I've actually received something like this myself a few weeks ago when I reported a phishing email correctly. And even somebody who works in the industry - I thought, oh, this made me really happy. I've done something correct, even that tiny little bit, although I work in the industry and, you know, I know about this stuff. But it just makes people good - feel good. 

Inka Karppinen: And it's collaboration. So listening to people, asking - you know, if you do have a mistake, you recognize that you clicked on a link that you shouldn't have, report it. Tell us - tell somebody about it. Whether you tell it to your line manager, whether you tell the IT or somebody in your security team, you know, let us know because that's the way we protect organization. We protect you as an employee, and because we can be protecting you, we also protect your family because we are doing well. You get to, you know, still have a good organization to work to. We will survive tough times. 

Inka Karppinen: And it's more personal, so it kind of hits the point of actually, why are we doing this thing? We are fighting against cybercrime together. We are not, like, individual players in a team, and one team is only responsible for this. We - everybody's in the same boat, and everybody benefits from good cybersecurity hygiene, including your family. So let's encourage that. And that's how you probably get through the difficult part of explaining people why something should matter to them. You make it more relatable to themselves. It's a bit like the health behaviors. So you look at, you know, stop smoking, drinking campaigns. It is pretty much about the benefits of what happens when you do so in your body, for example. 

Dave Bittner: That's Dr. Inka Karppinen from CybSafe. 

Dave Bittner: And I am pleased to be joined once again by Dinah Davis. She is the VP of R&D operations at Arctic Wolf. Dinah, always a pleasure to welcome you back. I saw over on the Arctic Wolf website you all had an article about continuous network scanning. I think that's a topic worth discussing here. What can you share with us?

Dinah Davis: Yeah, so, you know, attackers are working around the clock to try and get into our corporate networks, right? And one important technique to thwart that is continuous network scanning. But, you know, OK, so what is that, right? So it's monitoring for intrusions around the clock. You want to be able to reduce the likelihood that an IT system will be breached to steal that data. And if it does happen, you find it quickly, right? And that really does need that continuous monitoring, but it also requires continuous and automatic alerts - right? - so that, you know, when something happens, somebody gets notified, so you can look at that. And then the other part of continuous network scanning that is good is it helps you build reports so that you can evaluate your defense posture basically. 

Dave Bittner: What about alert fatigue? I mean, you say you get all these alerts. We always - we talk about the firehose of alerts, when people get tired of it and start turning them off, and the next thing you know, you're - you know, you're kind of working against yourself. How do you fight that fight? 

Dinah Davis: So alert fatigue is a real problem. You have one of two choices, really. You can spend a lot of time tuning your system to make sure you're only getting what you really care about so you don't get alert fatigue. Or you can go with a managed provider. And, you know, with Arctic Wolf, that's what we do. We, you know, only notify our customers when something really bad is happening. But we do take everything in. And we've written all kinds of rules and algorithms to figure out what is important so that, you know, our security engineers don't get alert fatigue as well, right? It's important, even in our internal SOC, for them not to get alert fatigue. So there is a balance there. And it is very important how you set it up. And if you don't set it up correctly, you could end with that, for sure. 

Dave Bittner: I see. What are the different types of network scans that are out there and that people should know about? 

Dinah Davis: Yeah. So, like, first there's, like, two methods of network scanning, right? So there's the passive network scanning. And so that's the tools that are going to, like, watch the data and activities that are flowing through your system. And then there's active network scanning, where you're actively trying to poke holes in places, right? So you want to be doing both. But obviously, the passive is easier to do kind of around the clock, whereas the active is something you can only do every once in a while, or you have to actually do something about that. 

Dinah Davis: So important - the first one I would say is external vulnerability scans. It's a passive scan. And what it's trying to do is, you know, look at your network from the hackers' perspective, like from the outside, hence the external in external vulnerability scan. And it's looking at external IP addresses, at domains, at ports. Are they open? Are they not? These types of scans are what happen - like, are used, or, like, have been used to find, you know, those open permissions on GitHub repositories and things like that. So you can use it in that way. 

Dinah Davis: Internal vulnerability scanning is also very important. That is done from inside the network. And it's running scans on everything in your network, and it's noting every software version that it's running. And then good software will be comparing that to the latest software that you have as well as comparing to see if there's any major security issues with the version you're running and then recommend an upgrade for you, right? These can be run automatically at regular intervals, both of those things. And the third passive scan would be a host-based agent scan, so software that actually lives on the devices in your organizations to track active progress, like applications and Wi-Fi networks you're connecting to, USB drives that don't conform with company policies, that kind of stuff. 

Dave Bittner: Oh. 

Dinah Davis: It really watches those types of things. And then finally, you have the active scan, which is basically penetration testing or, you know, in the lingo, pen testing... 

Dave Bittner: Yeah. 

Dinah Davis: ...If you hear that. And it's really testing the effectiveness of your cybersecurity efforts, identifying potential weak spots. And not only is it testing your software, but it's often testing your human response capabilities as well, right? So if you do a true pen test, and, you know, your team actually sees it and thinks it's real, they're going to react. And you can see your whole organization - how they're going to work. Or they might not react appropriately. And then you can know where you need to go and do some training. 

Dave Bittner: All right. Well, interesting stuff. Dinah Davis, thanks so much for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening. We'll see you back here tomorrow.