14 February: Asking for it

Thank you for reading this newsletter. If someone forwarded this newsletter to you, that is very kind of them, so don't forget to thank them for it. You can subscribe here to receive future newsletters directly in your inbox.

For Spanish readers, I'm happy to let you know that I uploaded Diego Morabito's Spanish translation of the third and fourth newsletters.

Feedback and suggestions are always welcome. That includes a neater way of handling the Spanish translations, which are now listed among the English ones in the main index.

Martijn
martijn@lapsedordinary.net

Asking for it

Last month, Google's Threat Analysis Group published a brief analysis of a recent campaign by a Russian threat actor it calls COLDRIVER, which is also known as UNC4057, Star Blizzard and Callisto.

What I found interesting about the campaign, other than the fact that its targets included NGOs, was its delivery method: the recipient would receive a PDF file whose content appears to be encrypted.

Now that in itself isn't unusual: it has been quite common to send such email attachments to trick the user into enabling an insecure setting (such as macros in Office), supposedly to access the attachment but in practice to have malware downloaded.

But in this case, the PDF is totally benign. What the actors are hoping for is for the recipient to respond to the email, letting them know they can't access the content. In that case, the sender would helpfully respond with a link to a 'decryption' tool. This tool is of course malware: a backdoor Google researchers call 'SPICA', which grants full access to the target's computer.

By not including anything malicious in the original email, the actor likely hopes that their campaign stays under the radar and remains undetected for longer. For smaller campaigns like this one, it would scale well enough.

In providing incident response to at-risk groups, it is not uncommon to see mysterious emails or messages like these: ones that 'feel' malicious and certainly don't appear to serve any legitimate purpose, but where there is no payload of any kind.

While there are many other explanations for such messages (including someone having made a mistake somewhere), it's good to keep the COLDRIVER example in mind. Maybe the sole purpose of the message was to get the recipient to reply, and only then would malware be served.

I wouldn't recommend that the original recipient reply to such emails just to get the payload. But if you are supporting them and suspect you are in this kind of situation, it may be worth sending a reply on their behalf, from an email address you access in a safe environment, such as a virtual machine. Maybe you're lucky and you get the payload by simply asking for it.

By the way, if you, like me, tend to get confused about different companies giving different names to the same actor, you may want to check Malpedia: it keeps track of all these actors and the names they have been given, and links to published research about them.

What else?

Google's Threat Analysis Group also published a report on commercial surveillance vendors: the companies that develop spyware like Pegasus and Predator, whose targets worryingly often include members of civil society. The report is detailed and focuses on the industry as well as on the supply chain of exploit sales that is necessary for the spyware to function. But it also includes profiles of several spyware targets, as an important reminder that this affects real people in a very big way.

On that same topic, a recent episode of Recorded Future's Click Here podcast spoke to two targets of Pegasus in Jordan, whom I wrote about in last week's newsletter.

Last week, the daily podcast from the SANS Internet Storm Center turned fifteen years old. For most of those fifteen years, it has been something I start my working days with. I'm a big fan of Johannes Ullrich's five-minute summaries of the security stories that are relevant to cybersecurity practitioners, and I gladly recommend the podcast to anyone working in this space.

In non-security news

A book I read: I finally got round to reading Eliot Higgins's We are Bellingcat, his 2021 book on the journalism group he founded and the methodology it uses. It's a well-written and easy-to-read book with many concrete examples of Bellingcat's investigations, which certainly changed the way journalism is done today. I did think the book relies a bit too much on Russia-linked examples. For sure, that country has provided a lot of good (or bad) cases for Bellingcat to work on, but it could give the impression (and lead to the accusation) that Bellingcat has a Western bias. While I was reading the book, I kept wondering what a difference the site could have made had it existed when weapons of mass destruction were invented to justify the 2003 invasion of Iraq.

A song I liked: Chris Knox has long been some kind of indie hero of mine. I once named my music website (and my main Gmail account) after a song by his band Tall Dwarfs, but I also loved his solo stuff, in particular his most popular song, Not Given Lightly (Spotify - YouTube), which I only recently learned has become really huge in his native New Zealand. So huge that there exists a video of the Crowded House brothers playing it with Pearl Jam's Eddie Vedder in a stadium in Auckland, with everyone in the audience singing along. I still prefer the version in which Chris plays his dedication to his then-wife on his guitar with a percussion loop keeping the rhythm, but at the same time, how cool is it that this song exists?