The CyberWire Daily Podcast 10.4.23
Ep 1920 | 10.4.23

A phishnet for the C-suite. Rootkit delivered by typosquatting. Stream-jacking in YouTube. Risk management. Hybrid war, and the laws thereof.

Transcript

Tré Hester: EvilProxy phishes for executives. Typosquatting to deliver a rootkit. Stream-jacking on YouTube. A global look at risk management. Assistance from a diverse set of international partners. In our Solution Spotlight segment, Simone Petrella speaks with Diane Janosek, Executive Director of Capitol Technology University's Center for Women in Cyber, about paths to cybersecurity and ways to address cybersecurity workforce intelligence through education. Dave Bittner previews the 3rd annual SOC Analyst Appreciation Day with Kayla Williams of Devo. And some guidelines for hacktivists engaged in hybrid war.

Tré Hester: I’m Tré Hester filling in for Dave Bittner with your CyberWire intel briefing for Wednesday, October 4th, 2023.

EvilProxy phishes for executives.

Tré Hester: Researchers at Menlo Security warn that a phishing campaign is exploiting an open-redirect vulnerability on the job listing site Indeed to distribute a link to a spoofed Microsoft login page. The campaign is targeting C-suite employees in various industries, particularly banking and financial services, insurance, property management and real estate, and manufacturing. The threat actors are using the EvilProxy phishing-as-a-service platform.

Typosquatting to deliver a rootkit.

Tré Hester: ReversingLabs has discovered a typosquatting campaign affecting the JavaScript package manager npm. The malicious package “node-hide-console-windows” impersonated the legitimate package “node-hide-console-window,” and was downloaded more than seven hundred times. The package installed a Discord bot, DiscordRAT 2.0, designed to deliver the open source rootkit r77.

Tré Hester: The researchers explain, “Like DiscordRAT, r77 is an example of open source malware with extensive documentation that makes it easy to deploy, even by novice actors. r77 is a fileless ring 3 rootkit that is able to disguise files and processes and that can be bundled with other software or launched directly. r77 is a recent addition to DiscordRAT 2.0, with previous versions of that open source malware (Discord-RAT) lacking the ability to launch a rootkit. Also of interest: the DiscordRAT 2.0 executable we studied did not use the newest version of the r77 rootkit, but an older version of the rootkit.”

Stream-jacking on YouTube.

Tré Hester: Bitdefender looks at stream-jacking attacks on YouTube, in which cybercriminals compromise large YouTube channels and use them to host livestreams promoting scams. Many of the streams are Elon-Musk-themed (we stress: "Elon-Musk themed," not Elon-Musk directed--the hoods are simply trading on a celebrity's name and reputation in dangling their bait), with a particular focus on Tesla news and cryptocurrency investments. Some of the compromised accounts had millions of subscribers and billions of views. Bitdefender notes, “[I]n most of cases analyzed, it seems that, if the malicious activity is detected by YouTube, the actual channels are deleted altogether. This means that the legitimate owner of the channel will lose everything (videos, playlists, views, subscribers, monetization, and everything that goes beyond the YouTube channel itself while still being related) unless talks are undertaken with YouTube.”

A global look at risk management.

Tré Hester: PwC has published its Global Digital Trust Insights Survey for 2024, finding that “[a]lthough cloud attacks are the top cyber concern, about one-third of organisations have no risk management plan to address cloud service provider challenges.” Additionally, “More than 30% of companies don’t consistently follow what should be standard practices of cyber defence.”

Tré Hester: The survey also notes, “About a third of this year’s respondents agree that four types of regulation will be most important to securing the future growth of their organisation — regulation of AI (37%), harmonisation of cyber and data protection laws (36%), mandatory reporting of cyber risk management, strategy and governance (35%) and operational resilience requirements (32%).”

Assistance from a diverse set of international partners.

Tré Hester: The European Peace Foundation has established a fifteen-workstation classroom to train Ukrainian military personnel in cyber operations, EU Neighbors East reports. "This classroom was set up by the Estonian Academy of Electronic Governance. Within the last 18 months, the e-Governance Academy (EGA) has procured, set up, installed and configured cybersecurity equipment and security hardware and software for the Ukrainian Armed Forces and conducted related training."

Tré Hester: The New York Times offers an account of how other support for Ukraine's cybersecurity has been delivered. Microsoft in particular is mentioned in dispatches. Nanna-Louise Wildfang Linde [NAH-nuh-loo-EEZ-uh VILT-fahng LIN-duh], vice president of European governmental affairs for Microsoft, told the Times, “I think it’s appropriate to start with the war in Ukraine. It’s something that we’ve been engaged in very actively from the start, even before, because of all the signals — 65 trillion signals — that we analyze every day to make sure that our customers are safe, we have certain insights and information that governments don’t have. So we saw early on that something was going on in Ukraine and we collaborated with the Ukrainian government and gave them the information that we had.”

Tré Hester: Wildfang Linde said that the information provided related to cyber operations. Microsoft works, she said, with many governmental partners. She also said that Ukraine represented an especially clear case for assistance from the private sector, and that Microsoft had worked closely with the International Criminal Court, for example, in the collection and preservation of evidence relevant to war crimes investigations.

Tré Hester: We note, in full disclosure, that Microsoft is a CyberWire partner.

Guidelines for hacktivists engaged in hybrid war.

Tré Hester: And, finally, hacktivists get some guidance from the Red Cross: if you’re going to serve as irregulars, then act like irregulars, not vigilantes or freebooters.

Tré Hester: Two officials of the International Committee of the Red Cross (ICRC) have issued guidance for hacktivists, published as an essay in the European Journal of International Law. They constitute an extension of existing international norms of armed conflict to cyberspace, with a view to preserving norms that would protect noncombatants, not only against attacks against infrastructure, but also from online incitement to atrocity. Certain specific classes of targets are explicitly prohibited, notably medical and humanitarian facilities.

Tré Hester: The BBC says that the IT Army of Ukraine is unsure of whether it can or will abide by the rules. In particular the IT Army seems to view the rules as constituting an absolute prohibition of collateral damage, which it's not always possible to avoid. The group already avoids attacks against hospitals and similar facilities, but it has conducted nuisance-level DDoS attacks against civilian infrastructure like banks and travel booking services. The hacktivist auxiliaries on the other side of the war dismissed the ICRC as irrelevant. Russia's KillNet asked, "Why should I listen to the Red Cross?" Anonymous Sudan, which, despite its name, is a Russian hacktivist auxiliary, rejected the ICRC rules outright, saying the restrictions were "not viable and that breaking them for the group's cause is unavoidable."

Tré Hester: Cyberspace has a disinhibiting effect on its users, and that disinhibition, that sense of immunity and impunity, carries over to hacktivists, many of whom act without a sense of the consequences that might restrain them IRL. One of the cautions the ICRC officials emphasize in their essay is that irregular combatants can be treated as combatants, and even, under some circumstances, as criminals. "Civilian hackers risk losing protection against cyber or physical attack and may be criminally prosecuted if they directly participate in hostilities through cyber means."

Tré Hester: Among the developments in international law since the Second World War has been a general movement to bring irregular forces--guerrillas, partisans, and so on--under the rules of armed conflict. That comes with both privileges--irregulars can’t just be treated as brigands and outlaws, but have, for example, combatants' rights to surrender, to treatment as prisoners of war, and so forth. But they also have the combatants' responsibilities to adhere to the laws of armed conflict and international humanitarian law themselves.

Tré Hester: While hacktivism has so far seldom if ever risen above the level of a nuisance in Russia's war against Ukraine, that could change. An essay in Dark Reading lays out a case for taking the threat seriously, despite its negligible results to date. Groups like KillNet are taking a new interest in wiper malware, and imaginatively they increasingly see themselves as a virtual analogue of private military corporations like the Wagner Group.

Tré Hester: So, hacktivists actual and potential, remember that actions have consequences, IRL as well as online. Really.

Tré Hester: Coming up after the break, in our Solution Spotlight Segment: Simone Petrella is talking with Diane Janosek, Executive Director of Capitol Technology University's Center for Women in Cyber, about paths to cybersecurity and ways to address cybersecurity workforce intelligence through education. Dave Bittner previews the 3rd annual SOC Analyst Appreciation Day with Kayla Williams of Devo. Stick around. [ Music ]

Simone Petrella: Today, I am so thrilled to be joined by Diane Janosek, Executive Director of Capitol Technology University for their Center for Women in Cyber. Diane, thank you so much for joining me today.

Diane Janosek: Oh, thank you Simone, I'm excited.

Simone Petrella: I am too. Let's get right to it. Can you start off by telling me a little bit about your own path into cybersecurity?

Diane Janosek: Oh, sure. That's -- I wasn't expecting that one, but we all have different paths, especially since, as we know, cybersecurity really didn't pick up as an academic discipline until about 20 years ago when it was in infancy, so folks that are working in the field usually have different paths and we all come together around a common passion. And so, my path was really on the law policy technology side. I did a lot of -- I went into network security policy and I really appreciated that. I also had to deal with some of the unauthorized disclosures and a lot of our interfaces with the public and Capitol Hill in terms of protecting information, and then of course the protection of privacy and civil liberties. So, those all really synchronize, so I'd like to think that cybersecurity is kind of a nice umbrella, because there's multiple things within that that are just really exciting and always changing.

Simone Petrella: Yeah, that's amazing. So, tell me, how do you think that your own experiences have shaped the way that you think about the cyber talent challenge that we're grappling with as an industry here? That's part of what we like to talk about and highlight. So, where does this kind of land for you as we think about how we solve this?

Diane Janosek: How we solve it? That's like the million dollar question.

Simone Petrella: I know.

Diane Janosek: So, if you have a dollar for every idea, but I think what we're looking at as the challenge, the real challenge, is getting the country energized, right? You always have to have a sense of urgency, that there's an issue that we have to rally around, kind of like the World War II kind of "We can do it and pull together." You usually have to have that as an impetus before you really get people onboard, and you don't get that momentum and get those -- get the buy-in. I think we've had that with enough incidents going on, as well as people at their home having their own Ring doorbells, you know, compromised and, you know, having their bank accounts, constantly having to change out their credit cards that are compromised. So, people are feeling it at a personal level and then they're also seeing it, you know, at a national level in terms of banks and libraries and Department of State. This is a challenge. It's real. But not everyone's coming together in terms of how can we make a difference to actually change this? And I think that part of that issue lies in how the United States is constructed in terms of our three branches of government with our federal and our state, and how that issue has arisen on top of our governance in the United States. And that's what makes it particularly challenging in terms of, is there one way forward or not, or can we all rally together and have some common purposes and goals?

Simone Petrella: Yeah. It definitely strikes me when I think about having worked in this space, but also previously in the more functional side, on the operational cybersecurity side, that there are a number of really impressive initiatives, whether it be through industry, academia, and government, that are looking to sort of take on this workforce shortage and the talent and skillset shortage we have head on. What are some of the things that you have found, especially in your work with Capitol Technology University, that have helped to create new pathways, not only for individuals, but maybe even for the employers that are looking to, you know, employ these graduates after they go through their programs?

Diane Janosek: Everyone has, you know, an innate need to belong. They all want to belong to something that's important. And if we can get people to have a sense of "this area is important," you can easily get them into the pipeline. But getting them into the pipeline and getting them into the workforce I think are almost two different equations, right? And we're trying to match those up with all the initiatives that are going on right now. So, in that regard, I think they're looking at all avenues of tapping into talent, starting off young with, you know, some of the middle schools and high schools; starting off with varying types of degrees and scholarships and opportunities for associate degrees and bachelor's degrees. They're looking at doing cross-training for mid-level career people that may want to change and move into the area of cybersecurity, some cross-training going on. They're looking at those initiatives right now with veterans and first responders after they may have done their 20 years; they can move on and try something else, moving naturally into cybersecurity, retraining and having that paid for and having them open up the doors for that. So, just opening up the aperture of who might be interested, so that the pull -- the pull from and to gravitate at a, you know, get the energy behind it. There's a bigger mass in which to literally pull from. From that way forward, from the employer perspective as you mentioned as well, they have to be creative. So, keeping folks up-skilled and current is a whole other challenge. So, this field is just layered with issues in terms of opportunities and challenges that have to get -- you don't have to go through. And so, that's why I call cybersecurity a team sport, because there's so much to get the right person in the chair at the right time to fit, you know, to just the right threat.

Simone Petrella: Yeah. I love that you referenced that it's a team sport. It's something that I've harped on for a while now around the idea that we're often trying to field players, you know, on the field without even knowing their positions in a real consistent way, and then we're somehow surprised when we haven't given them the up-skilling or the training to be successful in those roles. We just expect them to kind of grow on trees, so that resonates with me a lot. One of the things though, and it's near and dear to my heart, I know to yours, is how much we've seen statistics over the years around representation in the cybersecurity field, specifically around diversity of all kinds, women in particular. And this recent study you're citing shows that the finding of, you know, the statistics we've seen across the industry are mirrored in the CEA institutions as well, meaning, we're still lacking as much diversity as we could in those programs and in the industry. So, my question to you, you know, even as a passion play and having mentored so many women and worked in this field for so long is, what can not only academia, but you know, when you think broadly about the industry, what can our industry partners -- what can academia -- what can government do -- what can organizations do to really not just talk about diversity and increasing diversity, but what can they really do in your mind that would start to actually have an impact on those numbers?

Diane Janosek: Well, thank you for that. So, in the area of gender diversity, which I think the numbers are, you know, quite low, they're not moving as far as they want. I know Jen Easterly recently commented on that; they're moving some, but you know, not enough. In the area of gender diversity they've been doing studies in terms of, you know, when a young female might want to get into a STEM field. They generally make up their mind by 10th grade if not 8th grade. So, you have to start really early. So, they may say, "I want to go into science," and somebody may say, "Well, but you're so good at writing. I mean, you are such an amazing creative writer. Like, you don't want to give that up." And the answer would be, you could do both. You could do technical and do creative and it all comes together and, you know, cybersecurity is so multitalented as well that you could -- so, what it's really, it's trying to change that narrative at a younger age so that the thought of where they're going to school, you know, it's planted in their head earlier, but so I think we have to start before they start thinking about what school they want to go to and saying, "This is an amazing profession," and the first way to do that is to give students role models, show them, you know, open up the doors for, you know, different gaming opportunities, competitions, and just fun things and, you know, Rubik's cube contests and different things so that they realize there is a home here and you do belong.

Simone Petrella: Amazing. Thank you so much for joining us here today, really appreciate the conversation as usual and is there anything else that you want to kind of bring up that maybe I neglected to ask?

Diane Janosek: I just wanted to mention that I often have people say to me, "Well, you know, what is cyber about?" You know, it's an amazing field to jump into. So, it is perfect for all ages, you know, all genders, all nationalities, and it's just fun and we're very supportive of each other. So, join in. [ Music ]

Dave Bittner: Kayla Williams is Chief Information Security Officer at security firm Devo. They're celebrating the 3rd year of their annual SOC Appreciation Day, an online event highlighting SOC analysts as unsung heroes and encouraging organizations to improve their job satisfaction and mental well-being. Here's Kayla Williams.

Kayla Williams: Devo established our SOC Analyst Appreciation Day 3 years ago to pay some very long overdue kudos and thanks to SOC analysts who are on the frontlines and to encourage organizations to improve job satisfaction and mental well-being not just for SOC analysts, but for the security team as a whole.

Dave Bittner: Well, give us an idea here of what exactly the event entails.

Kayla Williams: Yeah, so we have some presentations and discussions from some of [inaudible 00:17:13] community's most prolific thought leaders, but to kind of brag on my own, I'm moderating a panel, "There's a Seat for Everyone in Cyber," where we discuss how to identify the complementary skill sets in folks that may not be a traditional InfoSec person and how to help kind of bring people into our field. We talked with Peter, one of the cofounders of Cyber Minds, for a mental health session, and we have John Hammond -- I don't know if you've seen him on YouTube -- he is going to be doing a SOC hacks session as well.

Dave Bittner: And who's your target audience here? I mean, obviously SOC analysts, but folks who are perhaps interested in getting into the industry as well?

Kayla Williams: Absolutely. Anybody who is interested in learning more about what it takes to be a SOC analyst if they're not one already, if they're already in a security field or in an organization that has a SOC and they want to make that leap over. In particular, I would, you know, love to see and have feedback from folks who are interested in transitioning into security. You know, obviously after the pandemic quite a few people have wanted to make a career shift in one way or another, and so we would love to see an uptick in folks who just want to learn more about the industry.

Dave Bittner: You know, for folks who may not be familiar with what exactly SOC analysts do, can you give us a little description? What's the typical job description there?

Kayla Williams: So, for a SOC analyst, I mean every day it's something different, but generally speaking, you know, they are the ones on the frontlines; they're eyes on glass, if you will, looking at the potential attack vectors that they're seeing on their screens through their -- their SIEM, their security incident and event management platform. They're responding to these alerts, triaging them. They're working with their business leaders to understand the risks to the organizations so they know what actually is a true risk versus a false positive. There's a lot of what we like to call frontline work in protecting their organizations, you know, their employees, their customers from these potential attacks.

Dave Bittner: And what is typically the career path for someone in this position? What sort of requirements are there for someone to be effective here?

Kayla Williams: You know, in my opinion, there really isn't a traditional path anymore. There used to be a very technical one; you wanted to be in the weeds, if you will, from a technical perspective, but now, you know, we're seeing shifts across the industry where people like myself -- and I don't have a traditional background, I came from auditing. That was where I kind of got my start in this field. We're seeing people who, you know, have more of the EQ to handle the stress of being in that type of situation, the desire to want to learn, that inherent curiosity of people who love to identify trends, analysis and looking through research to understand what they're actually seeing. They have this sense of justice of, you know, wanting to stop the bad guys, if you will. And really, it's a field for everyone more so now than ever before.

Dave Bittner: Well, the event is coming up, it is October 18th. How can people find out more?

Kayla Williams: They can find more at socanalystday.com, that's s-o-c-analystday.com.

Dave Bittner: Alright. Terrific. Well, Kayla thanks so much for joining us.

Kayla Williams: Thank you for having me. It's great speaking to you again.

Dave Bittner: Kayla Williams is Chief Information Security Officer at Devo. [ Music ]

Tré Hester: And that's the CyberWire. For links to all of today's stories, check out our "Daily Briefing" at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is me, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Tré Hester filling in for Dave Bittner. Thanks for listening. We'll see you back here tomorrow. [ Music ]