The CyberWire Daily Podcast 5.18.23
Ep 1826 | 5.18.23

BEC attack exploits Dropbox services. Ransomware in the name of charity. API protection trends. Hybrid war hacktivism. Executive digital protection.


Dave Bittner: Business email compromise exploits legitimate services. A hacktivist ransomware group demands charity donations for encrypted files. Trends and threats in API protection. The effects of hacktivism on Russia's war against Ukraine. Executive digital protection. Deepen Desai from Zscaler explains security risks in OneNote. Our guest, Ajay Bhatia of Veritas Technologies, with advice for onboarding new employees. And news organizations as attractive targets.

Dave Bittner: I'm Dave Bittner with your CyberWire "Intel Briefing" for Thursday, May 18th, 2023.

Business email compromise (BEC) exploits legitimate services.

Dave Bittner: Avanan reported this morning that a business email compromise campaign is abusing legitimate Dropbox services. BEC 3.0 is a social engineering approach that takes advantage of legitimate services to gain entry to its targets. This campaign in particular works by sharing a fake resume through Dropbox, and leading victims to a false login link to open the document. If the user shares their credentials, they will also be led to a malicious link that could further compromise their system.

Hacktivist ransomware group demands charity donations for encrypted files.

Dave Bittner: A new ransomware group has been seen operating in the name of the less fortunate, or at least it says that's what it's doing. The hacktivist group encrypts files on its victims' computers and demands the company affected donate to a charity group of its choosing to receive the decryption key. BleepingComputer reports that the ransomware operation MalasLocker began encrypting Zimbra servers toward the end of March 2023. Victims reported in both the BleepingComputer and Zimbra forums that their emails were encrypted. MalasLocker posted its manifesto on its dark web leak site, in which the group states that they are waging war on the rich to promote equality. Their motto, it seems, as reported by BleepingComputer and roughly translated to English, says, "We are bad. We can be worse."

Dave Bittner: One simple question that comes to mind is: how are the hackers verifying that the companies donated? Simply put, MalasLocker doesn't have a verification method. On their website they write, "We have no real guarantees they are actually sending the money." MalasLocker hasn't yet been associated with any larger organizations, the methods they use to obtain access to their targets remain a mystery, and it's unclear what charities, if any, might actually want to be the beneficiaries of such campaigns.

Trends and threats in API protection.

Dave Bittner: Cequence Security released its API protection report for the second half of 2022. The report highlights the tactics, techniques and procedures of malicious actors targeting APIs. Shadow APIs, defined by the researchers as unmanaged, unknown and unprotected APIs, saw a 900% increase from the first half of 2022 to the second. Unique TTPs saw a 550% increase over the holidays. Additionally, researchers observed a 220% increase in API security over traditional application security tactics in the same period. Traceable AI also discussed the state of API security in a report this morning, prepared at this year's RSA Conference. API security remains a major point of concern, as the researchers say they determined that 40% of companies do not have dedicated professionals or teams for API security, while 23% of respondents do not know if there is dedicated API security in their organization. Many respondents (66%) report struggles with API sprawl, or in some cases don't know if their company is adequately managing it.

The effects of hacktivism on Russia's war against Ukraine.

Dave Bittner: Hacktivism may be the most influential propaganda method in the era of the hybrid war. A study published this morning by the Center for Strategic and International Studies addresses various aspects of the war in cyberspace. One of the report's essays looks at the use of proxies, that is, deniable hacktivist or criminal groups that serve as cyber auxiliaries under the direction of state authorities. That direction can be relatively loose or relatively stringent. The essay takes two representative groups, the IT Army of Ukraine, which operates in the interest of Kyiv, and Killnet, which works under Moscow. It sees similarities in the effects they've achieved and concludes that the proxies have had the most significant effect in terms of propaganda. The proxies' records, the study concludes, suggest that they're best understood as influence operations.

Executive digital protection.

Dave Bittner: Cybersecurity company Agency has released an Executive Digital Protection whitepaper discussing the protection of high-value assets and targets within an organization. Securing the digital lives of executives, or executive digital protection as Agency calls it, is increasingly being observed as part of the cybersecurity strategy within organizations to fight against employee-targeted digital risks. The white paper emphasizes that there are other individuals within organizations who may not be executives, but who may fill a public-facing high-risk role or work within an executive's inner circle. These too may require protection. The report also advises a program broadly addressing protection rather than homing in on specific narrow risks. For an effective solution, Agency recommends focusing on options that balance breadth, value, privacy and specialization.

News organizations as attractive targets for hackers.

Dave Bittner: And finally, The Philadelphia Inquirer was hit by a cyberattack last week that interrupted its news publications, and the paper has continued its investigation and recovery since then. The Inquirer wrote that it had been unable to print its regular Sunday newspaper, and it was not clear until late Sunday afternoon that it would be possible to print Monday's editions of The Inquirer and Daily News. Online stories were said to continue, though sometimes at a slower pace than usual. The paper reported that employees would be barred from entering its main office, which could impact the paper's coverage of the Democratic primary for the mayoral race.

Dave Bittner: Coming up after the break, Deepen Desai from Zscaler explains security risks in OneNote. Our guest is Ajay Bhatia of Veritas Technologies with advice for onboarding new employees. Stay with us.

Dave Bittner: Onboarding new employees often involves a lot of moving pieces, with information gathered, policies put in place, access granted, and so on. Ajay Bhatia is General Manager for Data Compliance and Governance at Veritas Technologies. I spoke with him about best practices for how companies can ensure data protection and compliance while navigating the challenges of onboarding new employees.

Ajay Bhatia: We've kind of seen the multiple phases here in quick succession, which is The Great Resignation, you know, the great hiring, the great firing, the quiet quitting. With quick employee turnover fueled by these phenomena and the rise of a new workplace culture, companies are hiring and onboarding new employees at a very rapid pace. You know, we must find a way to quickly and efficiently onboard new hires, but unfortunately, you know, sometimes this means many essential trainings, policy reviews, and new employee guidelines can sometimes slip through the cracks.

Dave Bittner: Can we go through some of the things that folks typically have to work through here? I mean, I -- off the top of my head, I can think of, obviously, you're setting up an email address for someone, for most people, you know, that sort of thing. What other things are typically on that list?

Ajay Bhatia: Yes, so I think one of the few things is ensuring that new and existing employees are aware of the complicated risk landscape, because after the pandemic, you've got a remote workforce. That further complicates the ability for organizations to be able to track where their data is, and also be able to respond to active threats such as ransom attacks and phishing that are now targeting the entire workplace data, and so getting a good handle on that is essential to avoiding expensive and detrimental complications. So beyond, you know, setting up email, welcoming the employee, I think some of the best practices for how companies can ensure protection of their data, and also compliance on the data when onboarding new employees, I would say it's in a couple of buckets. One is to implement mandatory trainings to be completed within the first, you know, two months of employment, ensuring that all receive the necessary information on the potential, you know, risks and strategies that bad actors use to implement phishing attacks and how these attacks can lead to various outcomes, such as noncompliance penalties, and some complications in the way we manage data. The second, I would say, best practice is set usage guidelines on the collaboration tools. So we found out that, you know, more than 70% of office workers globally admit to sharing, you know, sensitive and business-critical company data, using IM, business collaboration tools, Teams, Zoom, and other sources of content generation. And I think it's essential that, you know, companies set information-sharing policies that account for those kinds of tools, and even the new ones like chatbots, to combat new risks.

Dave Bittner: You know, we often hear of this notion of shadow IT where, you know, if people don't have the tools they think they need to get the job done, they'll find a workaround. It strikes me that that could be a component here, that part of this is educating your employees that if they need to be able to do something, and they feel like there's a roadblock there, they need a pathway to be able to sort that out without taking matters into their own hands.

Ajay Bhatia: I fully agree there, Dave, because at the end of the day, for any company, it comes down to managing data and assets in a manner that increases the value of the data, but reduces the risk quotient, because if companies don't do that, then some of the evolving changes in regulation, as well as the problems posed with a shadow IT situation, can be a challenge to profitability in years to come, because we need to closely monitor how employees handle and share and store different types of data. Some of it could be what we call personally identifiable information or PII, health, financial and proprietary information. All of these need to be managed in a way that we ensure compliance also with data privacy regulations, not just in the United States, but across the globe if a company is a multinational. So I think IT professionals feel that additional pressure on their workload to keep up with this. We can somehow implement three tactics to gain visibility. That would definitely set up any organization for long-term success. And then some of these are done with AI and ML ops at scale. I would say the three tactics I would nominate are, number one, identifying and categorizing dark data. So, you know, on average, more than half of a company's data is dark, and aside from, you know, costing above, I would say, $30 to $40 million a year just in the storage burden, this dark data poses a significant risk to our compliance efforts, especially when it's hiding in an image, audio or video generated by some of the newer collaboration tools.

Dave Bittner: And how do you define dark data?

Ajay Bhatia: So dark data can be something that we have no clue what it is. We have consumed it. It shows up in a storage envelope. There could be immense value in it, or there could be immense risk in it. It's data that is not classified. It is data that is not transcribed. It is data that is not enriched with any other metadata tags on it to exactly say what it is, whether it is relevant and active, whether it is irrelevant and active, whether it's irrelevant and inactive, or whether it's redundant, obsolete and trivial, or ROT, like we call it. So it's data that has not been processed. It's sitting there, and like I said, it could be a value or a risk. More often than not, it ends up being a risk factor for most companies.

Dave Bittner: And so what are the other elements, Ajay, that you were discussing?

Ajay Bhatia: I would say beyond identifying and categorizing dark data, the second one is automating a classification system. So we just talked about a need to classify all of this data. And, you know, as humanity, we're producing data at a rate of more than 500 exabytes per day, according to some of the IDC reports, and so to appropriately manage and categorize all of this data that they collect and generate, companies need to implement automation, so that it can be managed through its lifecycle of capturing it, classifying it, contextualizing it, and then being able to decide whether you want to back it up, archive it, use it for monitoring your utilization, as well as in any litigation support, eventually. The third aspect, because now it's so ubiquitous, is that you have to democratize the data classification, which means it's not just an IT or legal team responsibility. Any part of a business can be at risk of failing to comply, and so individuals outside of the IT team should be able to classify their own content. So those would be my three areas, Dave: identifying and categorizing the dark data, automating the classification system, and then democratizing the data.

Dave Bittner: That's Ajay Bhatia from Veritas Technologies. And I'm pleased to welcome back to the show Deepen Desai. He is the global CISO and head of security research and operations at Zscaler. Deepen, always a pleasure to welcome you back. I know you and your colleagues have had an eye on OneNote lately and the potential here for it to play a part in malware distribution. What exactly are you all tracking here?

Deepen Desai: Thank you, Dave. Yes, so OneNote documents, we're starting to see more and more threat actor groups referring to malware families, starting to leverage OneNote documents to distribute malware. Right? So they're abusing the fact that you're able to execute several scripting files by embedding them inside OneNote documents.

Dave Bittner: And how exactly are they going at this? And how do people find themselves victims here?

Deepen Desai: So the victim part starts as usual. Like what we've seen in the past is you will see an email that contains a link pointing to an Office document. They were heavily abusing Microsoft Office .doc files, .xls files, but Microsoft in July 2022 did an update where they disabled macros by default, right, for Office documents. And this made the approach not reliable for these guys when they were trying to attack these victims using malicious macro-enabled documents. This is where the TTPs remain the same. They identify the victims. They go after them. They will send an email with a link pointing to a document or the document attached to the email itself. There's some level of social engineering involved there. One example that I can give you actually for the starting point is a campaign where we saw a reply email chain. So a reply email chain is where they've taken an existing email thread, and they will reply to that thread and attach this malicious document. So one of the users' accounts obviously is compromised at that point, but now they're trying to establish persistence into the end machine as well. So this is where OneNote is now becoming the go-to mechanism for distributing this malware, because the security mechanism that got updated in July breaks the attack chain for Office documents, so they're now using OneNote to achieve similar results, where they will have scripts like CHM, HTA, JavaScript, VBS, which is Visual Basic Script. They can run the scripts by embedding them inside a OneNote document.

Dave Bittner: So is this the classic case of whack-a-mole here where, you know, perhaps now, Microsoft needs to take a look at disabling this functionality by default.

Deepen Desai: Yeah, I mean, this -- it is always the case. They will continue to evolve. Security vendors will continue to evolve, and all these application vendors will also have to continue to evolve. There will be certain things that you will have to do as part of your proactive defenses, and then there are things that you will end up doing reactively when the other group identifies some loopholes. So again, in this case, I mean, there are -- Microsoft already acknowledged they're working on something to probably strengthen this area as well, but there are existing policies that can play a role as part of that proactive defense that I was talking about. So you could configure group policy, for example, to protect against malicious Microsoft OneNote files. You could basically block embedded files in OneNote altogether using these group policies. Again, Dave, the flow is you get a phishing email. There is a OneNote attachment which has an embedded scripting file, which is where the damage starts. The document will open some decoy PDF file or document, so the user will not see what's going on in the backend, but in the backend, that scripting file will download a .dll and lead to the actual end malware. So in this case, we have seen three different types of families already. When I say family, three different groups of families, so one is banker malwares, another is stealer malwares. Another is RATs. Even prominent groups like Emotet, Blackbaud, they've all started leveraging OneNote as a means to distribute the .dll files.

Dave Bittner: All right. Well, the cat and mouse game continues. Deepen Desai, thank you so much for joining us.

Deepen Desai: Thank you, Dave.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at We'd love to know what you think of this podcast. You can email us at Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team, while making your team smarter. Learn more at This episode was produced by Liz Ervin and Senior Producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.