The CyberWire Daily Podcast 8.16.23
Ep 1886 | 8.16.23

China accuses the US of cyberespionage. Backdoors found in NetScaler. Account hijacking campaigns. Raccoon Stealer gets an update. Cryptocurrency recovery scams. Narrative control in the hybrid war.

Transcript

Dave Bittner: China accuses the US of installing backdoors in a Wuhan lab. NetScaler backdoors are found. A phishing scam targets executives. LinkedIn sees a surge in account hijacking. Raccoon Stealer gets an update. Cryptocurrency recovery scams. We kick off our new Learning Layer segment with N2K’s Sam Meisenberg. And a Moscow court fines Reddit and Wikipedia for unwelcome content about Russia's war.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Wednesday, August 16th, 2023.

China accuses US of installing backdoors in Wuhan seismic laboratory.

Dave Bittner: China's Ministry of State Security has accused the US of "a cyberattack incident targeting the Wuhan Earthquake Monitoring Center." The Global Times, a news service operated by the Central Committee of the Chinese Communist Party, quotes Xiao Xinguang of the National Committee of the Chinese People's Political Consultative Conference: "US intelligence agencies not only actively collect various signal intelligence, but have also long obtained other countries' comprehensive earth system science remote-sensing and telemetry data as strategic intelligence through various means." Chinese statements express concern about collection of technical information and the possibility of collateral interference with earthquake alerts and emergency response.

Dave Bittner: The Record writes that seismic data could serve as a form of MASINT–that is, measurement and signature intelligence–noting as well that seismic monitoring has long provided information about nuclear testing. Whatever merit it may or may not have, China's announcement also serves as an influence operation, as pushback to US accusations of Chinese cyberespionage and staging of potentially disruptive malware in critical infrastructure.

NetScaler backdoors found.

Dave Bittner: NCC Group’s Fox-IT has discovered a massive exploitation campaign of approximately 2,000 Citrix NetScaler products. A threat actor automated the exploitation of CVE-2023-3519, a remote code execution vulnerability, to place webshells on the devices. The researchers note, “The adversary can execute arbitrary commands with this webshell, even when a NetScaler is patched and/or rebooted. At the time of writing, more than 1900 NetScalers remain backdoored. Using the data supplied by Fox-IT, the Dutch Institute of Vulnerability Disclosure has notified victims.”

Phishing scam targets executives.

Dave Bittner: Proofpoint is tracking what it calls “a dramatic surge of over 100% in successful cloud account takeover incidents impacting high-level executives at leading companies.” The threat actors used the EvilProxy phishing tool to target executives at more than one hundred organizations around the world between March and June of 2023. The researchers state, “Amongst the hundreds of compromised users, approximately 39% were C-level executives of which 17% were Chief Financial Officers, and 9% were Presidents and CEOs. Attackers have also shown interest in lower-level management, focusing their efforts on personnel with access to financial assets or sensitive information.”

LinkedIn sees a surge in account hijacking.

Dave Bittner: Cyberint researchers are tracking an increase in the hijacking of LinkedIn accounts. Much of the evidence the researchers have collected is circumstantial, like a surge in such Google searches as “LinkedIn account hacked” or “LinkedIn account recovery.” "While LinkedIn has not yet issued an official announcement," Cyberint says, "it appears that their support response time has lengthened, with reports of a high volume of support requests." Unsurprisingly, poorly protected accounts--that is, accounts with weak passwords or without two-factor authentication--are most vulnerable. Better protected accounts typically see a temporary disruption while LinkedIn verifies the owner's identity.

Dave Bittner: The more poorly protected accounts suffered "full account compromise." In these cases the owners were unable to regain access on their own. The attacks followed a common process. First, the attacker gains access (either through credential theft or brute forcing of weak credentials). Second, they alter the email address associated with the account. Third, they change the account password. The second step is the one that renders it difficult for the legitimate owner to recover access, since they can no longer receive a recovery email. The new email addresses assigned to the hijacked accounts often use the mail system of rambler.ru, a Russian online platform and news service owned by the government-controlled financial institution Sberbank.

Dave Bittner: The motive for the hijacking is unclear, and the clues are inconsistent. There have been reports of ransom messages directed to the legitimate account owners, but the ransoms demanded don't amount to much--only "tens of dollars." Cyberint concludes, "Although the specific intentions of the threat actors are uncertain yet, whether they are financial, phishing, or internal information acquisition, the potential impact on victims is serious."

Raccoon Stealer gets an update.

Dave Bittner: The developers of the Raccoon Stealer malware have returned after a six-month hiatus with a new version of their infostealer, BleepingComputer reports. This version includes a new search feature that allows threat actors to find credentials and other information stolen in data breaches. The new version is also better at evading bots used by security researchers. Additionally, the developers added various new features that make it easier for less skilled threat actors to use the tool. The criminal-to-criminal market, here as elsewhere, responds to customer feedback. The malware’s developers said in a forum post, “Changes were implemented based on feedback and analysis of our customers’ requirements and market trends.”

Cryptocurrency recovery scams.

Dave Bittner: The US Federal Bureau of Investigation (FBI) has warned that criminals are exploiting fear of cryptocurrency scams to operate cryptocurrency recovery scams. The criminals claim to be businesses that can trace and recover stolen cryptocurrency. They reach their victims either by contacting them directly through messaging or social media services, or by attracting marks with ads or news articles hawking their bogus services. Sometimes they pose as law enforcement authorities (and, as the FBI points out, law enforcement agencies don't charge crime victims for their services). The scam either obtains payment from its victims or collects their personal information in furtherance of other crimes.

Dave Bittner: BleepingComputer ran an experiment in which they tweeted a call for assistance in recovering lost cryptocurrency. The tweet, which was nicely phrased ("I need trust wallet metamask phantom yoroi support! I lost all my crypto and password recovery phrase.") drew an "immediate" response from bots offering to direct them to people who could help. The FBI advises reporting recovery service fraud come-ons to the IC3 portal.

Moscow court fines Reddit, Wikipedia, for unwelcome content about Russia's war.

Dave Bittner: And, finally, Cybernews reports that a Russian magistrate court in separate actions yesterday fined Reddit and Wikipedia a billion rubles each (the equivalent of a little more than $20,000, the ruble not being what it used to be) for their failure to remove content not in line with the Kremlin's view of its special military operation, that is, its war against Ukraine. Wikipedia has been fined before and has no intention of complying with the takedown orders that accompanied the fine.

Dave Bittner: Coming up after the break, we kick off our new Learning Layer segment with N2K's Sam Meisenberg. Stay with us.

Dave Bittner: And it is my pleasure to welcome to the studio Sam Meisenberg. He is one of my colleagues here at N2K. Happy to have you join us here on the CyberWire today, Sam.

Sam Meisenberg: Great to be here, Dave. Thanks for having me.

Dave Bittner: So let's start off by getting to know you a little bit. Can you tell us about your responsibilities at N2K?

Sam Meisenberg: Sure. So my official title is I'm the director of Learning Experience at N2K. All that really means is I make sure, you know, students have a good learning experience when they go through our training programs and to make sure that they're learning something. But perhaps more importantly, and more rewarding, I'm also instructor at N2K. So I make appearances in our on-demand learning content as well as our live online sessions.

Dave Bittner: So for folks who may not be familiar -- of course, if you're listening to this, chances are you know about the CyberWire and perhaps have been listening for a while -- along the way in the past year, we merged with a company called CyberVista, and that is where you were working. And then the new company, the combined forces of both of those companies, is N2K.

Sam Meisenberg: Right.

Dave Bittner: So let's talk about the learning space itself. How did you get into this?

Sam Meisenberg: Absolutely. So when I came to CyberVista, I actually didn't have a background in cybersecurity at all. I was a speechwriter before, actually, and did a lot of internal and external communications at a strategic communications firm. But I was able to sort of teach myself the material. And sort of how I did that is by studying for all these certification exams.

Dave Bittner: Wow.

Sam Meisenberg: So I dove right in. I got my CSSP, Sec+ 401, 501, 601, CEH, among other certs. And I sort of fell in love with the cert taking process. And I know as an industry, we sort of like.

Dave Bittner: That's ambitious, Sam.

Sam Meisenberg: Well, I mean, you know what's interesting is like I think the cert sort of, as much as we make fun of it as an industry, it helps on the learning side, because it fixes the two problems that have always plagued learning from the dawn of time and it'll always plague learning in the future, which is motivation and accountability. If you have a cert at the end, the students are going to be focused and motivated and sort of interested in actually engaging with the content.

Dave Bittner: Right.

Sam Meisenberg: So you have, you know, sort of something at the end to measure, and you have a goal, a tangible goal to go after.

Dave Bittner: Yeah, there's a finish line there.

Sam Meisenberg: Exactly. So I kind of fell in love with the test-taking art. In fact, I recently sat for the LSAT. If you don't know what the LSAT is, that's the test for folks who are going to law school.

Dave Bittner: Wow.

Sam Meisenberg: I am not going to law school. I just heard it was a hard test and I'm kind of ultracompetitive and wanted to beat my girlfriend, who's a lawyer. So I'm proud to say I scored in the 95th percentile. Dave, the only reason I'm mentioning that number is because I started in the 14th percentile.

Dave Bittner: Wow.

Sam Meisenberg: Yes.

Dave Bittner: Okay.

Sam Meisenberg: That's not a spoken typo. So the point is, I am proud of that because, you know, I did a lot of work, learned a new skill, and I really think just having again that exam focus is really helpful for learning.

Dave Bittner: And you practice what you preach.

Sam Meisenberg: Exactly.

Dave Bittner: Yeah.

Sam Meisenberg: Exactly.

Dave Bittner: You know, I've heard people say that one of the best ways to ensure that you know how to do something is to be able to teach it. And I'm curious what sort of lessons you've learned along the way when it comes to learning about learning.

Sam Meisenberg: Yeah. So it's a really interesting question, because I think your question gets to the heart of actually something that we tell our students when you're studying, is if you can teach it, if you can explain it, especially to somebody who has no idea about the content, that's when you really understand it. So it's actually a study tool, right, to try to teach it and try to explain it. But in regards to the question itself about what I've learned, I mean, I think what I've come to realize -- and I think this is good to say because it's an expectation for everybody who's listening -- learning is hard. Learning is not easy. Learning isn't always fun. If you're having too much fun in learning, something's wrong. Meaning, you either like already know the information too well and you shouldn't be in the class, or again, the content is not challenging enough. So it is one of those things where you have to actively engage with the content, you have to wrestle with it, you have to like take it out of your brain and put it back in, that repetition. It takes a lot of willpower. It takes a lot of dedication. And so it's something that you really have to work at. And it's sort of learning is a muscle and a skill that you have to develop. And it doesn't really come naturally for a lot of people.

Dave Bittner: Yeah. As an instructor, what is it like for you? I'm thinking particularly when you're not in front of a live audience, when you're creating some of these educational programs that you know people are going to be viewing on their own time and their own terms.

Sam Meisenberg: Absolutely. It's one of those things that, you know, always is a little strange and it takes a bit to get used to. What I sort of use myself, and when we train instructors, we always say, pretend like there's somebody on the other side of the camera. So trick yourself and look into the lens or look above the lens -- if you need to tape a picture of a real human being above the lens -- and just convince yourself that somebody's there, and pour your heart out as if there is somebody there. Make love to the camera is what we say, right. So we really try to, like you said, sort of pretend like there is somebody there. But going back to my first answer about why learning is so hard, that I think is the ultimate job of the instructor: to motivate, to hold people accountable, to inspire people to actually want to learn. Because, you know, all good instructors, of course, can explain content, right. But the best instructors are the ones who can motivate people to study. And if you can help people tap into some motivation to learn -- because when you start to learn, you realize how hard it is. You, the instructor, are really there to get people inspired and motivated.

Dave Bittner: Well, you're going to be hosting a regular segment here on the CyberWire called Learning Layer. What can we expect from that? What sort of stuff are you going to be discussing?

Sam Meisenberg: Yes, I'm really excited for this segment. It's a segment, right, don't call it a podcast, because it's not its own thing, right. I'm really excited for that segment because I think we're going to talk about a lot of different stuff or things, but all of which I think they will get something out of. So we're going to talk about everything from, you know, certification/exam prep to learning science in general, a little bit of brain science. But I think the most value will come from when I have on the show actual real learners who are in the space, right, who are sort of learning how to learn. Because I think folks will get value of talking to their peers in the industry and listening to what they have to say about how they do it, right -- what's their learning experience like; what's their journey; what are their habits; what do they actually do to retain information and stay sort of on top and keep up with all the information? So I think exposure to real human beings who are in the space doing it will be the greatest value add for the segment.

Dave Bittner: You know, it's such a rapidly changing space. Where do you see things headed? What's the future of learning from your point of view?

Sam Meisenberg: So I typically don't like to forecast, but, Dave, if you insist, I will. So I think something that we could see in the future is a slightly different approach to how we measure and assess folks and how we measure success. So what I mean by that is, right now, we typically measure folks compared to their peers. So think about like grades, right. That is a grade that is you are being compared to all your classmates, or even folks who are studying for the SEC+ -- you guys will appreciate this. The passing score is 750, right. It's the same for everybody. But the reality is that not everybody comes in at the same place. So why should the finish line be the same? So I think a better way to measure learning success is to figure out the delta -- the delta between, for example, where you come in at, like a diagnostic, and where you end at. Figuring out that personal growth I think is good for folks who, you know, may be on the lower end of the spectrum. Or meaning like they come in at a slightly lower knowledge level. And it's also good for those advanced people, because then you can sort of set a finish line that's appropriate for them. So it really benefits all types of learners when you think about success like that.

Dave Bittner: All right, well, the segment is called Learning Layer, and Sam Meisenberg is the host. Sam, thanks so much for joining us.

Sam Meisenberg: Thanks, Dave, appreciate it.

Dave Bittner: And coming up after this short break, we'll have our first segment of the Learning Layer, featuring host Sam Meisenberg.

Sam Meisenberg: Okay, pop quiz. Do you remember the first headline that Dave discussed today? Take a second, think about it, see if you remember.

Dave Bittner: China's Ministry of State Security has accused the US of "a cyberattack incident targeting the Wuhan Earthquake Monitoring Center." The Global Times, a news service operated by the.

Sam Meisenberg: Okay, how about another memory quiz? Do you remember any of the headlines from yesterday's CyberWire Daily? It can be any headline, it doesn't have to be the first one.

Dave Bittner: A cyber attack against data hosting provider Rapattoni Corporation has taken down numerous Multiple Listing Services, the MLS, used by realtors around the country. Peg King, a Coldwell Banker agent in.

Sam Meisenberg: So if you answered no to either or both those questions and were not able to recall the headlines, that's actually normal, even expected. If you answered yes, well, you have a huge brain and we mortals bow down to you. But for the rest of us, retaining information doesn't come naturally. So on this episode of Learning Layer, we'll discuss how to retain more of what you hear on the Daily and anywhere else.

Sam Meisenberg: Now, before we get into how to remember more of what you hear, I want to address something you might be thinking. You might be thinking, I don't need to remember news segments. The point of news is not to have the information in my long-term memory but to just get a daily update of daily happenings. And I would agree that you can still get value from things even if they're not sort of stored in your long-term memory. But for some super important news stories, you actually want to remember them. That's because remembering news stories and case studies allows you to make connections across them. This is very important for our industry. A headline isn't helpful without context. You want to recognize themes or parallels across the news stories so they aren't just random events but rather parts of a larger story. A good cyber practitioner and leader sees the forest, not just the trees. And you can only make those connections and see the big picture if you remember the news stories. Another reason it's important to remember what you hear on the Daily is so you can have case studies in your back pocket. Whether it's using an example as part of a business case, or being a thought leader in the space, sharing real-world tangible examples is crucial. So hopefully I've convinced you that remembering news stories is important, but it's not easy. Going back to the pop quiz, the reason I wasn't expecting you to remember what you heard is that our brains, by default, aren't really good at remembering most things. Really, the only thing we're good at remembering are things that we have emotional ties to. That's why we remember well what our crush said to us years ago, or we remember very happy or very low moments, but don't remember where we parked the car.
So unless you have an emotional tie to any of the news stories -- which, you know, is possible, like maybe your organization was part of a breach and you lived through it -- but usually you probably won't have that connection, so you probably won't remember what was discussed on the Daily. And to be clear, this is no fault of Dave's or the format of the Daily, it's simply that without emotional ties, our brain needs to actually work hard to remember things. The other challenge you face retaining information on the Daily is that a lot of you are probably multitasking while listening. We know, for example, that the Daily is a popular commute or household chores soundtrack. There is well-documented brain science that shows multitasking is damaging to short-term retention. Now, to be fair, if you're driving, you're probably using what we call your procedural memory. Meaning you're not stealing much brainpower away from what you're listening to, but still, it's not optimal. So with all those challenges, we're finally ready to discuss the solution. So we're finally here. All these minutes in, we're here for the main event. How do we retain information? Well, the bad news is, as I mentioned earlier, it's not easy, and it's not fun. You have to actively engage with the content that you want to remember. So how would we apply this to the Daily? Well, for example, say you identify one important headline that you want to remember. Well, the next day, listen to the same headline again for a second time. That sounds really obvious, but it'll work. This is called spaced repetition. You're having the information repeated to you over time. Research tells us that the ideal repetition schedule is to listen to it again for a third time, on day seven, and then on day 21 and then day 30. The dates don't really matter. All I'm saying is that, basically, across a month, you want to listen to it about five times.
Now, if that seems a little drawn out and boring, one thing you can do to speed up the retention process is to write it down. Meaning, after you listen to the segment for the first time, at a moment when you're not driving, summarize what you heard and jot it down in a journal. The act of summarizing will help you remember it. And then you can actually revisit that journal over time and reread your own summary. You can watch your CyberWire Daily journal grow and make those connections that we discussed, you know, across your news notes. I also like the name, news notes, I think that should be a thing. As you can tell on Learning Layer, we like the concept of alliteration. News notes, I like that. All right, look, if writing it down also seems too burdensome, you can try just telling a friend or colleague about the news story. Again, it's just the process of summarizing and putting into your own words, putting into your brain, taking out of your brain, engaging with it, that's the thing that's going to help you remember it. So what I'm proposing is actually really simple, right. Choose a news story that you want to remember, re-listen a bunch of times, talk about it, write it down. Build your CyberWire Daily journal and consider those themes or parallels across the stories and make connections across them. It's hard work. But if you're diligent and put in the work, you'll have a valuable pile of news stories and case studies at your disposal, both in your brain and in a journal, ready to be recalled on demand. Try it, see what happens. Try it for like, I don't know, a couple days. If you hate it, that's fine. If it's not for you, again, totally fine. But regardless, let me know if it works for you, or if you have any better ideas. Let us know by emailing learninglayer@N2K.com. Happy learning. We'll see you next time.

Dave Bittner: That's N2K's own Sam Meisenberg with our Learning Layer segment.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.