The CyberWire Daily Podcast 8.25.23
Ep 1893 | 8.25.23

Phishing kits in the C2C market. Cyberespionage, Pyongyang and Beijing editions. Ransomware under the radar. A new hacktivist group says it doesn’t much care for NATO corruption.

Transcript

Dave Bittner: Telekopye and the rise of commodified phishing kits. Lazarus Group fields new malware. Implications of China's campaign against vulnerable Barracuda appliances. ADHUBLLKA ransomware's targeting and low extortion demands. Malek Ben Salem of Accenture outlines generative AI implications for spam detection. Jeff Welgan, Chief Learning Officer at N2K Networks, unpacks the NICE framework and strategic workforce intelligence. And a new hacktivist group emerges, and takes a particular interest in NATO members.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Friday, August 25th, 2023.

Telekopye and the rise of commodified phishing kits.

Dave Bittner: ESET describes “Telekopye,” [tell-uh-KOPE-yeh] an easy-to-use Telegram bot that allows unskilled cybercriminals to launch scams: “We were able to collect several versions of Telekopye, suggesting continuous development. All of these versions are used to create phishing web pages, and send phishing email and SMS messages. In addition, some versions of Telekopye can store victim data (usually card details or email addresses) on disk where the bot is run.”

Dave Bittner: The toolkit can automatically create phishing pages based on information entered by the scammer: “These phishing web pages are designed to mimic different payment/bank login sites, credit/debit card payment gateways, or simply payment pages of different websites.” Telekopye caters to Russophone buyers in the C2C market.

Dave Bittner: So Telekopye is a spearphishing kit. Our Anglophone listeners might well think that it’s based on “tele,” as in telephone, or telegram, and copy, as in, say, photocopy. It’s not. It’s a Russian portmanteau of “Telegram” and the Russian word for spearhead, “kopye.” Thus, the tip of the spear. The purveyors of Telekopye call its targets “Mammoths,” and so ESET, “following the same logic,” calls the users “Neanderthals,” since presumably mammoths would have been hunted and speared by those wily Neanderthals, back in the day, but somehow we doubt that ESET intends it as a compliment. ESET says most of the Neanderthals work from (unsurprisingly) Russia, followed by some Russophones who operate from Ukraine and Uzbekistan.

Lazarus Group fields new malware.

Dave Bittner: Cisco Talos has discovered a new remote access Trojan, “CollectionRAT,” that’s being used by North Korea’s Lazarus Group: “CollectionRAT consists of a variety of standard RAT capabilities, including the ability to run arbitrary commands and manage files on the infected endpoint. The implant consists of a packed Microsoft Foundation Class (MFC) library-based Windows binary that decrypts and executes the actual malware code on the fly. Malware developers like using MFC even though it’s a complex, object-oriented wrapper. MFC, which traditionally is used to create Windows applications’ user interfaces, controls and events, allows multiple components of malware to seamlessly work with each other while abstracting the inner implementations of the Windows OS from the authors.”

Dave Bittner: The researchers also observe that “Lazarus Group appears to be changing its tactics, increasingly relying on open-source tools and frameworks in the initial access phase of their attacks, as opposed to strictly employing them in the post-compromise phase.” New tricks for an old dog.

Implications of China's campaign against vulnerable Barracuda appliances.

Dave Bittner: The US Federal Bureau of Investigation (the FBI) has released an alert warning that Barracuda’s Email Security Gateway (ESG) appliances remain vulnerable to compromise by suspected Chinese government threat actors: “The cyber actors utilized this vulnerability to insert malicious payloads onto the ESG appliance with a variety of capabilities that enabled persistent access, email scanning, credential harvesting, and data exfiltration. The FBI strongly advises all affected ESG appliances be isolated and replaced immediately, and all networks scanned for connections to the provided list of indicators of compromise immediately.”

Dave Bittner: The FBI says the vulnerability, CVE-2023-2868, “allows cyber actors to format TAR file attachments in a particular manner and send them to an email address affiliated with a domain that has an ESG appliance connected to it. The malicious file’s formatting, when scanned, results in a command injection into the ESG that leads to system commands being executed with the privileges of the ESG. As the vulnerability exists in the scanning process, emails only need to be received by the ESG to trigger the vulnerability.”

ADHUBLLKA ransomware's targeting and low extortion demands.

Dave Bittner: Netenrich is tracking a new variant of malware belonging to the ADHUBLLKA [ath-uh-bill-kuh] ransomware family, active since August 1st, 2023. The ransomware targets individuals and small businesses, and tells victims to visit a Tor-based portal to open a ticket for negotiations. The attackers demand between $800 and $1,600 for the decryption key.

Dave Bittner: The researchers note, “[T]he ransomware operator appears unwilling to negotiate, holding firm on the initial demand for decryption keys. The operator would not provide a decrypted sample screenshot to the victim directly, but instead, provided one on ImgBB, an image hosting service. This confirms there is a working decryptor present with the group.” They seem to have flown under the radar by hitting smaller businesses and making relatively low ransom demands.

A new hacktivist group emerges, and takes a particular interest in NATO members.

Dave Bittner: And, finally, there seems to be a new hacktivist crew operating in cyberspace. Hello, KittySec.

Dave Bittner: CyberScoop reports being in touch with a hacktivist group that's calling itself "KittenSec." KittenSec says they're a new outfit, "although," CyberScoop writes, "they acknowledged connections to other hacktivist groups, including ThreatSec and GhostSec." GhostSec is known for an online campaign against Islamist activity it began after 2015’s Charlie Hebdo murders in Paris. (It's also known to have acted against Russian targets during the present war. It styles itself as an opponent of oppression. ThreatSec positions itself in much the same way.)

Dave Bittner: KittenSec says it's an opponent of corruption. Its first target set, hit at the end of July, was Romanian. Since then it's been active against targets in Greece, France, Chile, Panama, and Italy, but it disclaims any political allegiance and says its operations have nothing to do with Russia's war against Ukraine. The operation against Romania, the group told CyberScoop, “has nothing to do with the war between Russia and Ukraine,” but it is “retaliation against the countries of NATO for their attacks on human rights.” KittenSec doesn't appear to be financially motivated. Many hacktivist groups are fronts for state intelligence services, and KittenSec's particular animus against NATO suggests the possibility of a Russian connection, although that remains a matter of circumstantial speculation.

Dave Bittner: In any case, keep an eye out for KittenSec, especially if you’re in a NATO country.

Dave Bittner: Coming up after the break, Malek Ben Salem from Accenture outlines generative AI implications for spam detection. Jeff Welgan, Chief Learning Officer at N2K Networks, unpacks the NICE framework and strategic workforce intelligence. Stay with us. And it is my pleasure to welcome to the show one of my N2K colleagues, our Chief Learning Officer Jeff Welgan. Jeff, welcome.

Jeff Welgan: Hey, Dave. Thanks. Thanks for having me on the show.

Dave Bittner: You know, one of the things that I was really excited about when the CyberWire merged with CyberVista and we became N2K Networks was having access to all of the learning facilities and expertise that you all have on the CyberVista side of things. And today we're going to take advantage of that. And I want to talk to you today about the NICE framework and how folks can implement that and really expand on it as well. Can we start off with some high-level stuff here for folks who might not be familiar with it? Can you describe NICE for us?

Jeff Welgan: Yeah, yeah. Absolutely. So NICE actually is an acronym that stands for the National Initiative for Cybersecurity Education. It sits within the Department of Commerce under NIST. So they have created a while back, sometime around 2010, earlier workings were around 2008, a cybersecurity workforce framework to address these issues that we see day to day in this industry related to what the heck are the job roles, what's expected out of job roles, and how do we actually create a framework around that for employers?

Dave Bittner: Well, let's dig into that. I mean, how do people, both on the government side and in the private sector, typically come at implementing this NICE framework?

Jeff Welgan: Yeah. So I think one of the big challenges that NICE was addressing when they put out the framework was that they needed a common lexicon for the industry. As I'm sure you're well aware of, Dave, when you go out into the market, you can call a SOC analyst. There's a number of different job titles for that. So they wanted to normalize just work role titles, particularly for the government side, just so they can kind of organize the workforce in a way that made sense with different, you know, job identification codes, etc. So that's really where it started. And then I think, as such, they really need to identify, well, what are the expectations for those work roles? Like, what knowledge, skills, abilities, tasks are required for those. So if you ever hear the term KSATs, that's kind of where that term came out of is those knowledge, skills, abilities, and tasks. That's since evolved to, like, TKS statements, tasks, knowledge, and skills. So they're constantly playing around with it and tweaking it and making improvements to it.

Dave Bittner: And so for folks who are using it as a -- as an organizing framework here, I mean, how do they typically come at that? How do they -- how do they measure success?

Jeff Welgan: Yeah. I think it really comes down to I think a lot of our commercial entities that are leveraging it use that for job classifications, just trying to organize the workforce. It becomes part of a human capital strategy related to how do we title these particular job roles, and what are the expectations for those people in those roles when we're trying to do talent acquisition? Now, there are challenges to that. Leveraging the NICE framework one for one can be challenging because people who kind of are familiar with it, as you examine some of the work roles that they've identified in there, they don't always match up one to one to what commercial entities would actually call a work role. For example, I mentioned SOC analyst. When I say SOC analyst, everybody knows what a SOC analyst is, if you put that out as a job req on Indeed or whatever your talent acquisition recruitment tool is. People who -- in those fields kind of are drawn to that. NICE actually defines that work role as a cyberdefense analyst. Okay. You can kind of make the connection. But it's not necessarily something that's as common in the commercial industry to see cyberdefense analyst versus a SOC analyst. So I think that's one of the drawbacks of the framework, although it is also one of those things they're trying to solve for because of that problem of job titling and the variations of job titles that exist for certain professions.

Dave Bittner: What about expanding beyond the NICE framework? Are folks using it as a foundational element and then going beyond that, fine tuning it to their own organizations?

Jeff Welgan: You see a range, right. The earliest adoption of it, folks were just kind of dabbling with it. A lot of times, they were just doing a one-for-one match-up. Okay. These job titles kind of line up to this work role per NICE, and it's a straight line. Organizations that are a little bit more familiar with it may actually go a little bit further and start looking at some of the KSAs or TKS statements or actually looking at the competencies that are defined within NICE to kind of align those to work roles. N2K, we kind of go above and beyond all of that to kind of say, you know what? Job roles are pretty unique at companies, you know. You know, a software engineer at JP Morgan Chase may be a little bit different than the regional bank, right? So the hats you wear at those organizations can vary significantly from company to company. So what we want to do is not necessarily lean in on just work roles in the predefined list of KSAs or TKS statements. We want to work with customers and say, Okay. Well, what does your software engineer look like there? What do you expect for that particular work role? And, above and beyond NICE, we want to actually define, like, proficiency levels of those work roles because NICE does not say, oh, you know, you need to understand encryption, subject matter expertise mastery, or beginner level mastery. They do not do that work. So, at N2K, we kind of do that with our customers. We want to say, Okay. Sure. Encryption is important. But how important is it to the work role? And we'll quantify that for our customers.

Dave Bittner: So it's a matter of establishing where people are in their educational journey of expertise and then figuring out where they need to go as well.

Jeff Welgan: That's right. That's right. There's also one other thing that we've done at N2K to kind of account for some of these, what I would call nuances or gaps within the framework to help it translate a little bit better for the commercial world. The structure of the NICE framework with these seven categories and 33 specialty areas I feel are very much like putting a work role into a box, and then you're pigeon-holed into that box, at least definitionally. What we've done is we've created another layer, a taxonomy on top of NICE that we've mapped to. So we've created these what we call functional tags, 14 functional tags or groups that are a little bit more common and are in line with what you would see from a team structure within cybersecurity at any organization. So we've created things like analysis and analytics or cyberdefensive operations or GRC or leadership and IT, you know, IT and cyber leadership. That way it kind of translates a little bit better to the org chart of like, okay. I know I have identity access management analysts here. They fit within that functional team, right. So they fit in that functional group. And, in our back end, we've kind of done the mapping back to NICE to kind of say, Hey. This is how it maps back to the NICE framework. Here are the KSAs or competencies or the specialty areas that associate with those functional groups we've identified.

Dave Bittner: All right. Well, Jeff Welgan is the Chief Learning Officer here at N2K Networks, my colleague. Jeff, thanks for joining us.

Jeff Welgan: It's a pleasure to be here. Thanks for having me, Dave.

Dave Bittner: And it is always my pleasure to welcome back to the show Malek Ben Salem. She is Managing Director for Security and Emerging Technology at Accenture. Malek, great to have you back. You know, those of us who have been in the online world for a long time remember when spam was a terrible, terrible problem. It seems to me like, in the past few years, spam I would consider to be mostly a solved problem. Like, very little spam makes it through to my email box. But I know something you and your colleagues have had an eye on is this notion that, with generative AI, that could change the game when it comes to spam.

Malek Ben Salem: Yes. Absolutely. So I think -- I mean, luckily, we've seen that reduction in spam in our inboxes because our abilities to detect spam have significantly improved. But, with gen AI, I think the abilities of these scammers are improving because now they have this assistance of generative AI models to produce high-quality spam, believable spam. And, therefore, we need to improve our detection capabilities again in order to meet the improvements on the attack side. I've been -- I've seen people saying, you know, we're not going to see, you know, those scams or emails that we get that look really like spam, like that have those spelling mistakes, right? I've seen people throwing out the argument that, you know, we're not going to see that anymore because the attackers have gen AI assistance to them. But others said no. No. What -- we're going to continue to see that because that's done on purpose. Those spelling mistakes are done on purpose in order to screen the most likely victims to these scams, right. So the most gullible people, if you will, those people will respond to those emails, even though they see that there are spelling mistakes in them. I mean, I don't think that's going to be valid anymore because that argument relies on the -- how expensive it is for the scammers to be able to -- sorry, to respond to, you know, large numbers of people who fall for those scams, right. You know, once they respond to that first initial contact, the first email, the scammers do not have the resources to continue that conversation with the potential victim, right, because it requires people to, you know, interact with them. But now that they have AI tools, they can carry on that conversation using automated tools, right. They don't have to spend the resources themselves, the time, the attention, etcetera to respond individually to these people. Because of that, then, you know, the trade-offs change or the numbers change. Now they're -- they're all of a sudden interested in more numbers to respond to them as opposed to interested in weeding out or screening out the potential victims from that first contact.

Dave Bittner: So what are the options that are available to defenders, then, to adapt to this?

Malek Ben Salem: So I think that's why we need to emphasize, first of all, you know, rely more on detecting these -- rely less on looking for spelling mistakes in spam to -- you know, classify it as spam. So our spam detectors would have to emphasize more other -- other features in spam. That's for sure. And they're doing so, right. But I'm saying, if these are -- you know, if their tools are anomaly detection-based tools, they're probably assigning different weights for the different features. And maybe they need to deemphasize or -- the types of features that are related to spelling mistakes and emphasize other -- the weights of other features. And then for our security training, this is what I think we need to pay attention to. When we do security awareness training for our, you know, employees or for the larger population, we need to highlight or emphasize that, understand the entire context, understand, you know, who's sending you this email and what they're asking for as opposed to focus on finding spelling mistakes in the spam email that you're receiving. I think that has been a key message that we've been providing people before. You know, look for spelling mistakes. That's a bad sign. I don't think -- I don't think that we're going to see those types of mistakes as often in the future, so we need to focus on other indicators.

Dave Bittner: All right. Well, it's interesting. The cat and mouse game continues, right?

Malek Ben Salem: Oh, yeah. Absolutely. That continues in security all the time.

Dave Bittner: All right. Well, Malek Ben Salem, thank you for joining us. And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Tal Skverer from Astrix Security. We're discussing their work on GhostToken - exploiting GCP application infrastructure to create an invisible, unremovable Trojan app on Google accounts. That's Research Saturday. Check it out. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.