The CyberWire Daily Podcast 11.16.23
Ep 1949 | 11.16.23

Shopping during wartime? Focus, people.


Tre Hester: Cyber safety for the holidays. Using regulatory risk to pressure a ransomware victim. A call for regulatory action against a supply chain threat. Rhysida malware: a warning and a description. Extending local breaches in Google Workspace. Protestware in open-source products. GRU's Sandworm implicated in campaign against Danish electrical power providers. Jason Meller, Founder & CEO of Kolide joins us as part of our sponsored Industry Voices segment to discuss the findings from The Shadow IT Report. In this Threat Vector segment, David Moulton sits down with Sama Manchanda, a consultant at Unit 42 to discuss the fascinating world of social engineering attacks. And donation scams: exploiting sympathy.

Tre Hester: I’m Tre Hester with your CyberWire intel briefing for November 16th, 2023.

Cyber safety for the holidays.

Tre Hester: Hey, everybody–have you noticed the holiday creep this year? We have. We saw some Christmas stuff for sale before we’d even bought our Halloween candy.

Tre Hester: Anyway, we’re just eight days out from Black Friday, as Americans have come to call the lonely shopping day after Thanksgiving, so it’s not too early to start thinking about staying safer online. As you look for bargains galore, keep some advice from Visa in mind.

Tre Hester: A report from Visa outlines cyber threats facing consumers during the holiday season: “Visa’s data shows that for the top merchant categories targeted by fraudsters, 2022 holiday fraud rates increased 11% over their non-holiday fraud rate and saw an increase of 8% over the previous year during this time.” The report warns users to be on the lookout for digital skimming, phishing, social engineering, ATM and POS skimming, one-time passcode bypass, provisioning fraud, and physical theft.

Tre Hester: Heed them, shoppers: Visa knows a thing or two about e-commerce.

Using regulatory risk to pressure a ransomware victim.

Tre Hester: BleepingComputer reports that the ALPHV/BlackCat ransomware gang has dimed out one of its claimed victims to the US Securities and Exchange Commission (SEC). Their victim, the criminals allege, failed to disclose a cyber incident that had a material impact on its business by filing an 8-K within the prescribed four days. ALPHV/BlackCat claimed to have stolen data from software company MeridianLink on November 7th. MeridianLink hasn't paid, and so the gang has reported the company to the SEC. MeridianLink says it's found no evidence of data loss.

Tre Hester: The gang received an automated reply from the SEC ("Thank you for contacting the United States Securities and Exchange Commission," etc.), but it's unlikely their complaint will be found to have merit. For one thing, the SEC's new disclosure rule doesn't take formal effect until December 15th, even though companies are already adjusting their practices to come into compliance. And for another thing, public companies will be required to disclose attacks that have a material impact. Who made BlackCat the expert on materiality? The nerve of those cats… I mean, who elected them the people's CFO? Phooey.

A call for regulatory action against a supply chain threat.

Tre Hester: The Electronic Frontier Foundation has asked the Federal Trade Commission (FTC) to stop resellers from selling set-top Android boxes and mobile devices known to be compromised with malware. The ban the EFF advocates would affect devices manufactured by AllWinner and RockChip. These devices, the EFF says, were found by HUMAN researchers to be infected with BadBox malware. "When first connected to the internet, these infected devices immediately start communicating with botnet command and control servers," the letter explains. "Then they connect to a vast click-fraud network—in which bots juice advertising revenue by producing bogus ad clicks." The infected devices can also be used to stage other attacks without their owners' knowledge, and this exposes them to legal risk as well as ordinary cyber risk. The EFF argues that this supply chain problem is a consumer protection issue, which therefore clearly lies within the FTC's remit.

Rhysida malware: a warning and a description.

Tre Hester: The US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released a joint Cybersecurity Advisory describing the Rhysida ransomware-as-a-service operation: “Rhysida actors have compromised organizations in education, manufacturing, information technology, and government sectors and any ransom paid is split between the group and affiliates. Rhysida actors leverage external-facing remote services, such as virtual private networks (VPNs), Zerologon vulnerability (CVE-2020-1472), and phishing campaigns to gain initial access and persistence within a network.”

Tre Hester: Fortinet has published an analysis of a Rhysida intrusion, noting, "The majority of the TTPs employed by the threat actor during this intrusion are typical for these types of ransomware intrusions, and no novel techniques were observed.... While the threat actor may have had more sophisticated TTPs within their repertoire, in this case, they were able to achieve their outcomes using exclusively unsophisticated, known TTPs. As ransomware and extortion-based attacks continue to affect thousands of victims like this one across the globe every day, organizations should focus on ensuring they can detect more of the basic TTPs employed throughout this intrusion."

Extending local breaches in Google Workspace.

Tre Hester: Researchers at Bitdefender have uncovered “previously unknown attack methods for escalating a compromise from a single endpoint to a network-wide breach” in Google Workspace. The technique involves an OAuth 2.0 refresh token stored by Google Credential Provider for Windows (GCPW): “[T]he refresh token follows a two-step storage process. First, it's temporarily stored in the registry, and later, it finds a more permanent home under the user's Chrome profile. Decrypting it is possible from both locations, each with its own set of pros and cons. The registry approach is stealthier, offering a discreet way to access the token. However, it has a drawback—it's available for a limited time only. On the other hand, the profile-based storage method provides a more extended timeframe for access but is harder to conceal, making it a noisier option.”

Protestware in open-source products.

Tre Hester: ReversingLabs today draws attention to the phenomenon of "protestware," that is, the practice of concealing scripts advocating some political position in NPM packages embedded in open-source software. The message is commonly displayed after a user installs or executes the software. "Although the latest packages are not malicious," ReversingLabs researchers say, "they underscore a persistent risk in open source software, in which unintended and malicious features can lurk undetected — even in widely used applications." The two campaigns discussed in the report are being run, separately, in the Palestinian and Ukrainian interest, and, while protestware tends to shadow current events, it's not confined to the fighting in Ukraine or Gaza.

GRU's Sandworm implicated in campaign against Danish electrical power providers.

Tre Hester: SektorCERT, Denmark's "cyber security centre for the critical sectors," this week described what it characterized as the largest cyberattack on record against that country's critical infrastructure. In May of this year an APT group, which SektorCERT associates with Sandworm, simultaneously hit twenty-two companies in Denmark's highly decentralized electrical power sector. The attacks, which began on May 11th and continued into the last week of that month, exploited CVE-2023-28771, a critical command injection flaw affecting Zyxel firewalls. That vulnerability had been disclosed and addressed in late April, but the attackers were able to find enough unpatched systems to gain access.

Tre Hester: The attack was ultimately detected and stopped without disruption to power distribution, but it seems to have been aimed at gaining comprehensive access to Denmark's grid. The attacks proper were preceded by a reconnaissance phase that began in January. A simultaneous attack against so many targets suggests both careful planning and determined execution. SektorCERT properly notes the difficulties of attribution, and itself stops short of saying the incident was the work of Russia's GRU, but on form it certainly looks like a Sandworm operation. Similar attacks have been mounted against Ukraine's power grid, and the incident in Denmark strongly suggests that infrastructure in what Moscow tends to call the "collective West" can be expected to figure in Russian target lists.

Where decent people see tragedy, criminals see opportunity.

Tre Hester: And, finally, Abnormal Security this morning described a continuing criminal campaign that lures its victims with phishbait that appeals for donations to ease the plight of Palestinian children suffering in the present war between Hamas and Israel. The phishing email contains neither malicious attachments nor malicious links. Instead, it simply asks that contributions (the suggested levels of donation range from $100 to $5000) be deposited in cryptocurrency wallets specified in the email. Donations are accepted in Bitcoin, Litecoin, or Ethereum. The email is generally well-written in idiomatic American English, lacking the usual stigmata of nonstandard grammar and awkward usage. To lend credibility to their appeal, the scammers include links to real sources describing shortages of clean water and medicine. The users' defense against this kind of phishing comes down to the sort of street-smarts that would lead them to walk by a three-card Monte dealer, hands safely in their pockets. In this case some AI tools might serve as a useful adjunct to worldly skepticism.

Tre Hester: Coming up after the break, Jason Meller, founder and CEO of Kolide, joins us as part of our Sponsored Industry Voices segment to discuss the findings from the Shadow IT Report. In this week's Threat Vector segment, David Moulton sits down with Sama Manchanda, a consultant at Unit 42, to discuss the fascinating world of social engineering attacks. Stick around. [ Music ]

Sama Manchanda: I stumbled into cybersecurity by accident. I actually switched majors six times in college and happened to find a class that was an intro to cybersecurity class. It was an elective called From Hackers to CEOs, Intro to Information Security. And I was like, ooh, that sounds fun. I took the two-unit elective and the rest is history. I absolutely fell in love with it and that completely changed the trajectory of my life.

David Moulton: Welcome to Threat Vector, a segment where Unit 42 shares unique threat intelligence, insights, new threat actor TTPs, and real-world case studies. Unit 42 is a global team of threat intelligence experts, incident responders, and proactive security consultants, dedicated to safeguarding our digital world. [ Music ] I'm your host David Moulton, director of Thought Leadership for Unit 42. In today's episode, I'm going to talk with Sama Manchanda. Sama is a consultant at Unit 42. She's hyper competitive in the videogame Just Dance and will take on anyone with the song Rasputin. Sama, where are you recording from today?

Sama Manchanda: I am recording from Austin, Texas.

David Moulton: When you and I were thinking about the show, you pitched me on this idea of the ish tales -- the smishing, the vishing, the phishing, and that dual view on social engineering. But help me understand what's going on with those different ishings.

Sama Manchanda: All three of them are different types of social engineering attacks. Phishing being the most common is related to email or usually targeting users to click on a link of some kind. Smishing is similar, just uses texting or SMS instead. And then vishing is over the phone usually. It involves some level of talking to another person and trying to do some actual like interaction with them to gain access or gain information of some kind.

David Moulton: From an offensive security perspective, what strategies or techniques do attackers often employ to make their social engineering attacks more successful?

Sama Manchanda: Some of the tactics that make a lot of these attackers more successful are like more thorough research and the more tailored approach to the environment. So those nitty-gritty details of figuring out exactly what process or what system is in place can help establish that trust, establish that rapport, with the end-user and make them think that this is more believable, or this isn't something of high concern. For example, with phishing, knowing exactly the type of email provider that they're using or VPN provider or something like that and having somebody reset their credentials. If they see like the right logo, if they see the right tool or whatever, they're more likely to fall for that attack and enter their credentials. Versus, you know, if I'm a Microsoft 365 user and, you know, this is a phishing email for Gmail, they're more likely to immediately off the bat recognize something is off. Through phishing, the fact that you know about employees to sort of convince a help desk employee that you are in fact this other employee. And you can say like, oh, okay, I know I'm supposed to have this running on my system, or, you know, I know that Cortex XDR is running on my system, for example, that establishes some level of trust with the help desk person that, oh, okay, this person's actually looking at their laptop and like actually is running, you know, tools that they're supposed to be.

David Moulton: As you were saying this, one of the things that has stuck out to me when I've got a phishing email that tells me that my Windows machine has been infected, I always chuckle to myself, because I only use a little iPad as my personal device. Could you share some insights on the DFIR side, the digital forensics and incident response, how social engineering attacks like phishing are used as attack vectors in larger networks and intrusion cases?

Sama Manchanda: So we very commonly see things like phishing, vishing, smishing, and mainly we see them as like an initial intrusion vector. And we also sometimes see it as a way for them to move laterally or move around and try and basically spread themselves further in an environment. In the cases of phishing and smishing, we've seen a bunch of large engagements where attackers have done their due diligence with reconnaissance and targeted large numbers of employees with emails or texts, directing them to click malicious links and enter their credentials. On the vishing side, we've seen engagements where attackers have targeted IT support staff and are able to either gain access to user accounts by impersonating users and saying, hey, I need help with my password, can you reset it -- we've seen cases where the attackers are actually able to trick the IT support staff into granting them access as well. And those are really dangerous.

David Moulton: Help the listener understand what is the most important thing that they should be taking away from this conversation.

Sama Manchanda: So continuously training and educating people to be aware and to be alert and to just question, you know, when things aren't quite right is the biggest thing, I think. The sad truth of security is that end-users like people like you and me are the most vulnerable part of any company, and that includes people -- again, even with a lot of training, people still make mistakes. Having a culture where employees feel safe to raise those questions and self-report is I think just as important as having the training in place. If somebody's afraid to report that they have made a mistake or something doesn't seem right, all that creates more time in which an attacker has unfettered access to the environment.

David Moulton: So it sounds like if you're trying to put together a security culture in your organization, find a way to give people the confidence that when they have made a mistake or think they've made a mistake, that it isn't retaliation or punishment.

Sama Manchanda: Yeah, absolutely. [ Music ]

David Moulton: Sama, thanks for joining me today on Threat Vector to share your tales of ishing. We'll be back on the CyberWire Daily in two weeks. Until then, stay secure, stay vigilant. Goodbye for now.

Tre Hester: That's David Moulton speaking with Sama Manchanda, a consultant at Unit 42. [ Music ]

Dave Bittner: Zero Trust access provider Kolide recently published their Shadow IT Report, surveying over 300 IT security and business folks to learn more about what workers do on unmanaged devices. Jason Meller is founder and CEO at Kolide. And in this sponsored Industry Voices interview, we dig into some of the surprising details from the report.

Jason Meller: Anytime that you put a report like this together, any survey, you immediately regret not asking additional questions. Because every survey that comes out, you're just like, wow, this revealed so much, I wish I had asked X, Y, and Z. But we did have the foresight to I think dig in the right areas to really understand the crux of the problem, how pervasive it is, and effectively why it's occurring. So the first stat that really surprised us was that 75% of the workforce admitted to doing work on non-company-owned devices. And we always knew that that number was going to be high, but to hear it be 75% of the workforce do some amount of work on non-company devices was surprising to us. The next logical question we had after that -- because I think the first place I would go is, oh, this must be happening on phones. We're talking about mobile, we're talking about email, or maybe even a little bit of chat. We're not talking about real stuff, and we're not talking about laptops. Well, no, we found that a lot of the stuff people admitted to doing wasn't just email, it was effectively things that were really concerning like cloud-based filesharing. 54% of respondents said that they were doing that on work devices. Customer service, 46%. Software developers, those folks writing code, 29% folks admitted that they were doing that. Even more concerning, managing cloud infrastructure -- so I'm talking about logging into Amazon, pushing things to production -- 27% of respondents said that they were doing that. And we also had a whole segment in the survey talking about AI-based applications, the use of ChatGPT, GitHub Copilot, things like that. A quarter of folks said that they were using those tools on their personal devices. So we see here that there is a major desire by these employees to use their personal devices while they're working remotely or maybe even in the workplace to do their job. And the next question we asked to that was why.
And the survey also revealed the number one reason people did this was simply because they like their device better. That was the number one cited reason. I expected to hear, oh, it's because there's this onerous MDM solution, or maybe I'm being surveilled. No, it was just, I like my device better. I have a better Mac, or whatever it was, that's what's getting folks to do this.

Dave Bittner: Wow, that's an interesting insight [laughing]. I'm curious, how does this intersect with folks who are investing in things like Zero Trust?

Jason Meller: Yeah, I think that the Zero Trust push right now is really about recognizing that things have really changed in the last three to four years. Previously, and I remember this before I started Kolide when I was working at a big company, my day-to-day experience was taking my work laptop, signing into the VPN. And about half the apps I needed to access were in that private network, and the other half the apps were SaaS apps. But the ones that were in the network were the most important ones, and I wanted to lock those down. It never occurred to me to take my VPN client and put it on my personal device. That's always felt like a bridge too far. But now you have organizations and you have end-users who are working from home. Their personal laptop is right there, and the majority of the work that they're doing is on SaaS apps that are outside of the private network. In fact, if they forget to connect to the VPN, their experience in terms of what they're able to do and not able to do is almost effectively the same. So it's no surprise to me that folks then say, well, why don't I just use my personal laptop for this? Clearly, the IT and security team isn't asserting any sort of technological protection to stop that from happening. So maybe implicitly they're saying it's fine, because otherwise wouldn't they do that? So now you have folks that are doing that and they don't even know that it's bad. They're doing it with impunity. And they're answering surveys like the one that we worked with Dimensional Research on, and they're actually admitting to it. I think that's really surprising to a lot of IT and security practitioners. That's why we published the report. And I think it underscores the importance of any Zero Trust goals or mission that you have at your organization. At the end of the day, Zero Trust is about ensuring that not just the correct user is signing in, but a big part of it is device trust -- ensuring that they're using the correct laptop.
And the thing that we do at Kolide is we assist with that by not just ensuring the right laptop is able to access the apps, but that the laptop is in a state that the IT and security team really care about. So is it patched? Is the browser patched? Is there any sensitive data on that device that shouldn't be there? Is it enrolled in the MDM? These are all things that we can detect. And if they aren't correct, we can actually block the device and then ask the end-user to fix any issues before they're allowed to sign in again. That I think is something folks should really start looking at, because the data is showing us that if you're not doing that, your end-users are doing work on their personal device, which is not good.

Dave Bittner: Based on the information that you all gathered here in the study, what are your recommendations? What do you hope people take away from it?

Jason Meller: Well, I hope it kicks off a conversation between IT practitioners, security teams, and end-users. I think that a lot of this is happening and there's an awareness that it could be happening at a small amount or small level. But at the end of the day, it's the majority of their employees are not using the right devices to sign in. And I think that the conversation I think starts with, okay, why is that bad? Do we really care about that? And we try to enumerate what are the risks beyond the obvious. You don't want sensitive data from those apps to live on the device. Every time a web browser makes a successful authentication attempt to any SaaS app, there is some transference of essentially authentication like plaintext credentials in the form of cookies like we've seen with the Okta hack and, you know, the MGM hack. There is a big appetite for malware authors and cyber criminals to harvest these credentials. And you really want to be in a place from an IT security perspective where, if you're trying to detect that style of malware and those styles of attacks, you want to do so on the devices that you've provisioned so that you can install things like CrowdStrike or other EDR tools. If the end-users are using their own tools out there or their own devices, you don't have any visibility or ownership of those devices, and you can't deploy a detection apparatus that's going to find those types of problems. And all it takes is one or two of those cookies falling into the wrong hands. They establish a session in a system they shouldn't have access to. And that could lead to a major incident. So I think we've done a great job as an industry of forcing cyber criminals to a place where they have to now start compromising endpoints to be able to sign in to stuff. Phishing is really hard to do now with phishing resistant multifactor auth. And there's less and less network-based attacks you can deploy to get that level of access. 
All the good stuff is now on the device. And now it's time to really have a discussion with security leadership and end-users that, hey, it may be more convenient for you to use personal devices, but we can't properly protect the organization and you without some oversight and management capability on those devices. And that starts with making sure they're using the right device to access the company's resources.

Dave Bittner: That's Jason Meller, founder and CEO at Kolide. [ Music ]

Tre Hester: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at We'd love to know what you think of this podcast. You can email us at Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is me, with original music by Elliott Peltzman. This show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Tre Hester, filling in for Dave Bittner. Thanks for listening. We'll see you back here tomorrow. [ Music ]