What would it take to get you kids into a nice, late-model malware mealkit?
Malicious packages are found attached to NuGet. Russia will establish its own substitute for VirusTotal. Commodity tools empower low-grade Russian cybercriminals. Malware mealkits, and other notes from the cyber underground. Insights from a Cybersecurity workforce study. Mr Security Answer Person John Pescatore looks at MFA. Drew Rose from Living Security on the very scary human side of cyber attacks. And more details from President Biden’s Executive Order on artificial intelligence.
I’m Dave Bittner with your CyberWire intel briefing for a very spooky Tuesday, October 31st, 2023.
Malicious packages found attached to NuGet.
Researchers at ReversingLabs have discovered “several hundred malicious packages published to the NuGet package manager since the beginning of August.” The researchers note, “[T]hese packages employed an unusual code execution technique that is worth mentioning. Most of the malware published to the NuGet repository places malicious code inside the initialization and post installation PowerShell scripts. These packages use a different approach, with the malicious functionality placed inside the <packageID>.targets file in the ‘build’ directory.” ReversingLabs adds, “Based on our research, this is the first known example of malware published to the NuGet repository exploiting this inline tasks feature to execute malware.”
The NuGet security team has since removed the malicious packages.
Russia will establish an autarkic substitute for VirusTotal.
The Record reports, citing an account in Rosiskaya Gazeta, that Russia is in the process of establishing a free security package for Internet users. Called "Multiscanner," the project will be prototyped this year, further developed in 2024, and released in finished form during 2025. It will perform, Deputy Minister of Digital Development, Communications and Mass Communications Alexander Shoitov says, all the functions of VirusTotal, and then some. Replacement of VirusTotal, however, is a principal goal of the program: Russian authorities regard VirusTotal as a security risk. The Record explains, "Similarly to VirusTotal, the service would ultimately not only remotely check files and links using static analysis, but also conduct behavioral analysis on the suspected malware in virtual controlled sandbox environments."
Multiscanner serves at least two purposes. First, it affords a degree of independence from Western tools that might be yanked under sanctions. And, second, Moscow is convinced NSA and other dark forces are doing all sorts of stuff with the code in VirusTotal, and so it’s better to steer clear of it altogether. If anyone’s going to be abusing a security tool, gosh darn it, it’s going to be patriots in the Aquarium and not those big-haired Baltimore hons over at Fort Meade.
Commodity tools empower low-grade Russian cybercriminals.
"Kopeechka" [kah-PYAYCH-kuh] is a commodity tool that enables criminals to create large numbers of fake social media accounts. It enables its users to bypass requirements that accounts be associated with unique email addresses and phone numbers. Active since 2019, Kopeechka, the Record reports, has enabled creation of fraudulent accounts in Facebook, X (formerly Twitter), Discord, Telegram, and Roblox.
The name itself, Kopeechka, means “Little Penny." It’s the diminutive, affectionate, familiar form of “kopek,” [koh-peck] the smallest Russian coin. No languages are as rich in diminutives as the Slavic languages, and these terms of endearment turn up in surprising places.
Trend Micro, whose researchers have investigated the criminal service, says, "Kopeechka does not provide access to email inboxes, but it provides access to emails received from social media platforms. The service has been designed so that the mailbox account is still controlled by Kopeechka and not by any third-party user." The study adds, "We suspect that these email addresses are either created by Kopeechka actors themselves or possibly compromised email inboxes, as we’ve previously seen these actors post messages in underground communities’ compromised email threads. Kopeechka also purchases email accounts."
The service is actively hawked in criminal-to-criminal online souks, and it's supported with user-friendly training and customer service. It's also cheap, with bogus or ripped-off email addresses available for pennies (or kopeks), not dollars (or rubles). Trend Micro concludes its report with an appraisal of the service's value proposition. "Kopeechka’s services can facilitate an easy and affordable way to mass-create accounts online, which could be helpful to cybercriminals. Kopeechka customers use the service to easily create a large number of accounts without the hassle of SMS and email verification. While Kopeechka is mainly used for multiple accounts creation, it can also be used by cybercriminals who want to add a degree of anonymity to their activities, as they do not need to use any of their own email addresses to create accounts on social media platforms."
Given Russophone criminal gangs' closeness to Russian intelligence and security services, Kopeechka can be expected to turn up in state-sponsored attacks.
Malware mealkits, and other notes from the cyber underground.
Other commodity criminal tools, these not necessarily Russian, offer turnkey malware to the unskilled bad actor (or to more businesslike operators interested in saving through outsourcing). HP’s Wolf Security Threat Insights Report for Q3 2023 looks at trends in cybercriminal marketplaces, finding that crooks are peddling pre-packaged “malware mealkits” that allow unskilled criminals to carry out sophisticated attacks. Alex Holland, Senior Malware Analyst in the HP Wolf Security threat research team, explained, “Instead of creating their own tools, low-level cybercriminals can access kits that use living-off-the-land tactics. These stealthy in-memory attacks are often harder to detect due to security tool exclusions for admin use, like automation.”
The report makes particular note of two campaigns. One, a Vjw0rm campaign that executes multistage attacks, employs "a 10-year-old Houdini worm and 'living off the land tactics' to remain hidden." The other is a Parallax remote access Trojan (RAT) campaign that runs two threads when a user opens the bait: one thread opens the file, and the other runs the malware. Wolf Security calls this a "Jekyll and Hyde attack"--the connection between the threads may not be obvious, and the victims may not recognize that they're under attack at all.
The report also found that criminals frequently scam each other, offering fake, malicious versions of popular commodity malware strains. For a sense for what the malware costs in the C2C market, note that a Parallax mealkit can be rented for just $65 a month. It's not a single-score, big payoff trade. The proprietors' secret would seem to be the proverbial "volume." Just like Crazy Eddie.
Cybersecurity workforce study.
ISC2 has published its Cyber Workforce Study 2023, finding that “the global cybersecurity workforce has reached 5.5 million people, an 8.7% increase from 2022, representing 440,000 new jobs.” Despite this increase, “[t]he cybersecurity workforce gap has reached a record high, with 4 million professionals needed to adequately safeguard digital assets.”
92% of respondents said their organizations have cybersecurity skills gaps, particularly in cloud computing security, artificial intelligence/machine learning, and zero trust implementation. Thus the gaps continue even as demand for workers remains high.
Full text of US Executive Order now available.
And, finally, White House has made the full text of President Biden's "Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence" available. It's a long document, rich in taskings and deadlines that the previously released Fact Sheet gives summary treatment. All connoisseurs of agency deadlines can get a full helping in the Briefing Room at White House dot gov.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Don’t forget to check out the “Grumpy Old Geeks” podcast where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find “Grumpy Old Geeks” where all the fine podcasts are listed. And check out the “Recorded Future” podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That’s at recordedfuture.com/podcast.
We’d love to know what you think of this podcast. You can email us at firstname.lastname@example.org—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.
N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.
This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.
HP Wolf Security Threat Insights Report Q3 2023 (HP Wolf Security)