WEBVTT

1
00:00:01.600 --> 00:00:11.160
Produced by PI Media. Hi,
I'm Ran Levi. Welcome to CP Radio.

2
00:00:11.759 --> 00:00:17.359
According to Statista, the global cybersecurity
industry is expected to earn one hundred

3
00:00:17.399 --> 00:00:21.960
and sixty two billion dollars in twenty
twenty three. Five years from now,

4
00:00:22.160 --> 00:00:28.359
it's projected at over two hundred and
fifty billion. Large organizations spend thousands upon

5
00:00:28.480 --> 00:00:33.200
thousands, even millions of dollars in
a year trying to protect their systems,

6
00:00:34.000 --> 00:00:39.079
and small businesses will scrape together what
little they can get for some kind of

7
00:00:39.119 --> 00:00:45.159
protection, whether it's basic antivirus
or a password manager, phishing protections,

8
00:00:45.320 --> 00:00:50.000
firewalls, XDR, you name it.
A massive amount of time, energy,

9
00:00:50.240 --> 00:00:56.240
money, manpower and other resources we
could otherwise spend on other things are by

10
00:00:56.320 --> 00:01:03.520
necessity dedicated to fighting cyber criminals every
day, which makes it almost unbelievable to

11
00:01:03.640 --> 00:01:08.560
think that just one simple policy change
from one company, with almost no cost

12
00:01:08.640 --> 00:01:14.959
to anybody and no effort involved,
could alter the entire course of cyberspace.

13
00:01:15.680 --> 00:01:22.879
And yet that is exactly what happened
about a year ago today. The

14
00:01:22.959 --> 00:01:29.359
following story is a microcosm of how
a single act from Microsoft changed, fundamentally,

15
00:01:29.599 --> 00:01:34.000
how even high-level threat actors must
now go about infecting their victims and

16
00:01:34.079 --> 00:01:42.040
the implications that follow when the entire
cybercrime ecosystem is forced to shift. At

17
00:01:42.159 --> 00:01:47.840
the center of this story is APT
thirty seven. APT thirty seven is a

18
00:01:47.879 --> 00:01:53.599
state-sponsored actor from North Korea,
and they typically target their southern neighbors in

19
00:01:53.680 --> 00:02:00.519
South Korea. Sam Hendelman is a
threat intelligence analyst at Check Point. Recently,

20
00:02:00.719 --> 00:02:06.280
he and his colleagues were embedded in
research about North Korea's APT thirty seven.

21
00:02:06.599 --> 00:02:10.520
Also known by names like Reaper and
ScarCruft, the group is sort of a

22
00:02:10.599 --> 00:02:16.560
Swiss army knife for any of the
Kim Jong-un regime's cyber needs. Although they

23
00:02:16.680 --> 00:02:22.960
usually attack South Korea, they have
also been seen targeting other countries such as

24
00:02:23.080 --> 00:02:29.520
Japan, Vietnam, and even recently
they were seen targeting countries in the EU.

25
00:02:30.400 --> 00:02:34.199
The group has been around for over
a decade, at least since two

26
00:02:34.199 --> 00:02:38.360
thousand and twelve, and in that
time they've created a series of different trojan

27
00:02:38.439 --> 00:02:45.879
backdoors, such as Dolphin, GoldBackdoor
and Konni. They actually have a

28
00:02:45.879 --> 00:02:49.120
lot more, but I won't list
them all right now. One of the

29
00:02:49.280 --> 00:02:53.560
most recent creations, first discovered in
twenty seventeen, is called RokRat.

30
00:02:54.080 --> 00:02:59.960
In most ways, RokRat is
like any other remote access trojan, with capabilities

31
00:03:00.159 --> 00:03:05.639
including being able to download payloads, download shellcode, delete files

32
00:03:05.719 --> 00:03:08.159
on the computer to clean up, the
kind of commands that you would see in

33
00:03:08.560 --> 00:03:15.520
most other RATs. Its most interesting
trait is how it interfaces with cloud services

34
00:03:15.560 --> 00:03:22.319
like Dropbox, Yandex Cloud and pCloud.
The attackers can upload files to

35
00:03:22.520 --> 00:03:25.759
the cloud service and the RAT is
able to download them and interpret them as

36
00:03:25.800 --> 00:03:34.120
commands and run additional payloads. And
what's interesting about using these services as a

37
00:03:34.120 --> 00:03:38.680
command and control infrastructure, or C2,
is that the attackers are able to use

38
00:03:38.680 --> 00:03:45.000
very generic and well-known services, which makes it harder for researchers to

39
00:03:45.080 --> 00:03:49.159
actually track their infrastructure because, for
example, we could have seen in the

40
00:03:49.199 --> 00:03:53.240
past that APT thirty seven uses A, B and C IP addresses, and

41
00:03:53.280 --> 00:03:58.960
then in the future we'd be able
to track those servers and it'd be easier

42
00:03:58.960 --> 00:04:03.240
for us to find. But instead
they opted into using cloud services, which

43
00:04:03.400 --> 00:04:09.240
make it a little more generic and
harder to track and make the traffic look

44
00:04:09.400 --> 00:04:16.199
more benign because it's common for people
to use these cloud services. To get RokRat

45
00:04:16.319 --> 00:04:23.439
onto computers in South Korea and
abroad, APT thirty seven crafts phishing attack

46
00:04:23.680 --> 00:04:29.480
emails designed to be interesting enough to
click on. The lures that they use

47
00:04:29.839 --> 00:04:35.000
tend to be connected to themes
related to relations with North Korea, including

48
00:04:35.040 --> 00:04:42.079
the Ministry of Reunification for escaped dissidents. We've seen them also use lures related

49
00:04:42.079 --> 00:04:46.240
to the private sector in South Korea, including some business documents that appear to

50
00:04:46.279 --> 00:04:51.439
be taken from previous hacks. In
a recent campaign, for example, the

51
00:04:51.560 --> 00:04:56.639
lure that they used to deliver this
malware was a lot more generic and just

52
00:04:56.680 --> 00:05:00.480
seemed to be targeted to general people
in South Korea. They used the

53
00:05:00.600 --> 00:05:05.600
lure of a bank called KakaoBank, and it prompted the user to enter

54
00:05:05.639 --> 00:05:11.439
in their password for KakaoBank.
The goal in any of these cases is,

55
00:05:11.439 --> 00:05:15.279
of course, to get a target
to download their own malware. And

56
00:05:15.399 --> 00:05:20.199
there's one trick hackers love more than
any other for achieving that: a malicious Word

57
00:05:20.240 --> 00:05:27.720
document with a macro. So can
you just briefly explain what macros are and

58
00:05:27.839 --> 00:05:33.680
how hackers use them? So macros
are code that you can find in Microsoft

59
00:05:33.720 --> 00:05:41.439
Office documents that are intended to automate
different kinds of tasks. The whole intention

60
00:05:41.480 --> 00:05:46.160
of macros was to make life easier
for people to automate mundane tasks in Office

61
00:05:46.199 --> 00:05:51.560
documents. For example, let's say
you have a Word document and you had

62
00:05:51.600 --> 00:05:55.879
to write something in it, or
an Excel document you wanted to write something

63
00:05:55.920 --> 00:05:59.600
in it and you need to submit
it somewhere, and the author of the

64
00:05:59.720 --> 00:06:04.360
document puts in a button that you
can click to submit that data somewhere else,

65
00:06:04.399 --> 00:06:09.399
to the Internet. This is the
kind of thing that macros were created

66
00:06:09.439 --> 00:06:15.120
for, as well as maybe filling
out certain things in a document once you

67
00:06:15.199 --> 00:06:19.199
open it, which is why macros
support running code on opening a document or on

68
00:06:19.319 --> 00:06:25.839
closing a document. Some people love
to use macros to automate any number of

69
00:06:26.000 --> 00:06:31.759
useful tasks that would otherwise take far
longer without them. But hackers eventually took

70
00:06:32.079 --> 00:06:38.519
these facts, took these aspects of
macros, and were able to use them

71
00:06:38.519 --> 00:06:43.959
in a malicious way. Hackers can
write scripts in VBA, the programming language

72
00:06:43.959 --> 00:06:47.759
for macros, that automate things they
want to do to their targets' computers.

73
00:06:48.519 --> 00:06:53.759
So, for example, using the
hook of running code when you open a

74
00:06:53.800 --> 00:06:58.000
document is probably the most common way
to run a macro because

75
00:06:58.240 --> 00:07:06.240
the code will run right when you
open the document. This usually is what's

76
00:07:06.279 --> 00:07:12.160
happening behind the scenes. When you
hear about a malicious attachment in an email

77
00:07:12.240 --> 00:07:16.759
file, somebody clicks to open it
and maybe chooses the option to enable macros,

78
00:07:16.759 --> 00:07:21.560
thinking that it's harmless, but in
fact allowing a hacker's malware to run in

79
00:07:21.600 --> 00:07:28.120
the background. Over the years,
like baggy jeans and Britney Spears, macros

80
00:07:28.240 --> 00:07:32.519
have gone through waves of being in
and out of favor. The first,

81
00:07:32.560 --> 00:07:40.319
like macro viruses that first came up,
happened around nineteen ninety nine, approximately,

82
00:07:40.639 --> 00:07:45.319
and macros were actually a common way
of spreading computer viruses like twenty years ago.

83
00:07:45.959 --> 00:07:50.160
And then what happened is that people
started, threat actors started shifting more towards

84
00:07:50.279 --> 00:07:56.639
using exploits, such as exploits in
Internet Explorer, or even exploits in Microsoft

85
00:07:56.680 --> 00:08:01.040
Word, and this was a better
alternative because it allowed them to run

86
00:08:01.240 --> 00:08:07.079
code without you having to click enable
content, and it allowed code to just

87
00:08:07.160 --> 00:08:11.720
automatically run once you opened a web
page or opened a document, and so

88
00:08:11.879 --> 00:08:18.000
exploits actually became a lot more popular
for many years, until things like Internet

89
00:08:18.040 --> 00:08:22.800
Explorer started to become less common.
Flash started to become less common, and

90
00:08:22.839 --> 00:08:28.959
eventually both of those technologies which were
constantly, constantly exploited, were eventually killed

91
00:08:28.000 --> 00:08:33.840
off. Microsoft no longer supports Internet
Explorer. Flash is also no longer developed

92
00:08:33.919 --> 00:08:37.799
or supported. Those technologies are gone, and modern browsers, such as Chrome

93
00:08:39.320 --> 00:08:46.080
and Chromium-based Edge, Firefox, they've
become more difficult to exploit. So I

94
00:08:46.120 --> 00:08:50.759
think because of that, maybe around
I would say twenty sixteen or twenty seventeen,

95
00:08:50.840 --> 00:08:56.240
a lot of attackers started switching again
more to macros, which is what

96
00:08:56.279 --> 00:08:58.480
they had been using a long time
ago in the past, but it became

97
00:08:58.519 --> 00:09:05.720
the easier vector to use to
attack. So ironically, it was precisely

98
00:09:05.799 --> 00:09:13.240
because popular software was becoming more secure
that macros became so rampant. So I

99
00:09:13.279 --> 00:09:16.440
would say the reason that macros were
kept around for so long is because so

100
00:09:16.519 --> 00:09:20.440
many people were already using them for
so many years. I mean macros have

101
00:09:20.480 --> 00:09:26.639
been around for I mean macro viruses
have been around for even over twenty years,

102
00:09:26.960 --> 00:09:30.759
so people have been using them for
even longer. The main thing is

103
00:09:30.799 --> 00:09:35.799
that people didn't want their code to
just stop working. You can probably automate

104
00:09:35.840 --> 00:09:39.840
these tasks in other ways without having
to embed them in the document, but

105
00:09:39.879 --> 00:09:45.159
this is what people were used to
and people don't like change, so they

106
00:09:45.240 --> 00:09:50.240
continued to do this for a long
while. Even as macros returned to the

107
00:09:50.320 --> 00:09:54.600
fore in cybercrime, they were simply
accepted as a fact of life. That is

108
00:09:54.840 --> 00:10:00.799
until February seventh, twenty twenty two, when Microsoft changed the course of

109
00:10:00.840 --> 00:10:07.639
cybersecurity with twelve words, quote: VBA
macros obtained from the Internet will now be

110
00:10:07.679 --> 00:10:13.919
blocked by default. Actually implementing the
new rule turned out to be bumpy.

111
00:10:15.080 --> 00:10:20.320
Microsoft initially announced that they would start
blocking macros in February twenty twenty two,

112
00:10:20.000 --> 00:10:24.600
but then they quickly reversed this because
there was a lot of pushback from people

113
00:10:24.639 --> 00:10:30.399
who are using Office. So we
could see that there was actual pushback from

114
00:10:30.679 --> 00:10:35.600
people using the software because they really
wanted to continue using it. By June

115
00:10:35.639 --> 00:10:41.200
twenty twenty two, though, the security
community won out over the Office power users,

116
00:10:41.559 --> 00:10:46.200
the plan was back on, and
technically it's actually still possible to use

117
00:10:46.240 --> 00:10:50.759
it. It's just that macros are
disabled when they're downloaded from the Internet from

118
00:10:52.279 --> 00:10:56.360
like an email attachment if they have
a Mark of the Web tag on them.

119
00:10:56.799 --> 00:11:01.399
Hackers now needed an alternative to macros, but they were prepared. Microsoft

120
00:11:01.440 --> 00:11:07.919
first started talking about banning certain types
of macros back in October twenty twenty one,

121
00:11:07.559 --> 00:11:13.679
certain types of Excel macros, that
is, XLMs, for Excel specifically. I

122
00:11:13.720 --> 00:11:16.639
think there was already a beginning.
There was a sense that Microsoft was going

123
00:11:16.720 --> 00:11:24.080
to fully ban macros eventually, and
there started to be a shift. According

124
00:11:24.120 --> 00:11:30.279
to data from cybersecurity company Proofpoint,
in twenty twenty two, the year that

125
00:11:30.360 --> 00:11:35.559
Microsoft rolled out its Internet macro ban, macro-enabled cyberattacks decreased by two

126
00:11:35.679 --> 00:11:41.399
thirds, and this trend continued in
twenty twenty three, except the cyberattacks

127
00:11:41.480 --> 00:11:48.679
themselves. Those didn't stop. Look
at APT thirty seven. They surely wouldn't

128
00:11:48.759 --> 00:11:52.559
let a simple change in Windows get
in the way of their attacks against their

129
00:11:52.600 --> 00:11:58.600
southern neighbors. They're still using North
Korean based lures, but just instead of

130
00:11:58.679 --> 00:12:05.000
only using word documents with malicious macros
inside of them, they started using zip

131
00:12:05.039 --> 00:12:11.399
files and ISO files that contain several
benign documents, and then one LNK

132
00:12:13.039 --> 00:12:18.639
that's masquerading itself as a benign document
but it actually runs malicious PowerShell in the

133
00:12:18.679 --> 00:12:24.919
background. ZIP folders, ISO
optical disc files, LNK shortcut files,

134
00:12:24.960 --> 00:12:31.320
APT thirty seven continued spreading its RokRat
backdoor, only now via more

135
00:12:31.480 --> 00:12:37.200
creative means. And so this isn't
like a complete takeover, It isn't a

136
00:12:37.200 --> 00:12:43.759
complete replacement. It's really more that
APT thirty seven added a new tool to

137
00:12:43.799 --> 00:12:48.159
their tool set and they're starting to
use LNKs a little bit more.

138
00:12:48.960 --> 00:12:52.039
We still saw even in twenty twenty
three that they were sometimes using macros,

139
00:12:52.120 --> 00:12:56.399
but most of the time most of
the samples that we saw happen to be

140
00:12:56.639 --> 00:13:07.759
LNKs. This is just one
file type attackers can manipulate for their own

141
00:13:07.840 --> 00:13:11.960
purposes, and other threat actors have
come up with their own clever workarounds.

142
00:13:13.399 --> 00:13:18.639
Some used HTML smuggling, sneaking an
encoded malicious script into an HTML attachment,

143
00:13:20.000 --> 00:13:24.120
which gets decoded and runs when the
attachment is opened. Some have opted for

144
00:13:24.200 --> 00:13:31.039
even simpler solutions than that, like
old reliable PDF files containing hyperlinks. Another

145
00:13:31.080 --> 00:13:37.600
trend emerged around last December. A
lot of malware started using OneNote documents.

146
00:13:37.159 --> 00:13:43.120
Basically, they would include VBScript
payloads inside the OneNote document

147
00:13:43.320 --> 00:13:48.360
and trick the user into clicking a
button that would actually run them. So

148
00:13:48.519 --> 00:13:52.879
we saw that in Emotet and Qbot
campaigns, as well as others. By

149
00:13:52.919 --> 00:13:58.679
the following month, dozens of hacker
groups hopped on the trend, using OneNote

150
00:13:58.720 --> 00:14:03.360
to execute over one hundred and
twenty attacks in the first few months of

151
00:14:03.639 --> 00:14:07.240
twenty twenty three. And now this
was mostly cybercrime that was abusing this

152
00:14:07.279 --> 00:14:13.840
technique, but there was actually one
instance where Kimsuky, another North Korean APT,

153
00:14:13.639 --> 00:14:20.279
was seen using this technique as well. At the end of the day,

154
00:14:20.639 --> 00:14:28.279
few decisions have ever made such an
impact in cybersecurity as Microsoft's decision to block

155
00:14:28.440 --> 00:14:33.720
Internet-downloaded macros. But that's not
to say there's a single answer to cyber

156
00:14:33.879 --> 00:14:39.240
security, no possible thing anyone can
do to prevent all of it. We

157
00:14:39.399 --> 00:14:46.000
forced hackers to change by reducing the
attack surface, and in my opinion, in any

158
00:14:46.039 --> 00:14:50.519
way that we can reduce the amount
of possibilities that hackers have the better.

159
00:14:50.960 --> 00:14:56.759
However, we know that attackers will
always try to adapt to these changes and

160
00:14:56.840 --> 00:15:01.240
come up with new ways of attacking. But security has constantly just been a

161
00:15:01.440 --> 00:15:05.320
game of cat and mouse, where
attackers do something new and then blue team

162
00:15:05.399 --> 00:15:11.200
defenders have to catch up to that
and try to respond. And the fact

163
00:15:11.279 --> 00:15:15.799
of the matter is, the changes, the
trends that we've been seeing when shifting away

164
00:15:15.799 --> 00:15:20.200
from macros to other methods. They're
not necessarily all, they're not all novel,

165
00:15:20.360 --> 00:15:26.039
or they're not like impossible to follow. So we just need to keep

166
00:15:26.080 --> 00:15:28.919
monitoring all these different types of methods
and making sure that we defend against them

167
00:15:28.919 --> 00:15:35.960
properly. Criminals kept hacking our software, so we made our software more secure,

168
00:15:35.360 --> 00:15:41.399
which forced hackers to change their methods, which pressured Microsoft to change their

169
00:15:41.440 --> 00:15:46.600
policy, which forced hackers to evolve
once more. Now again it's our turn.

170
00:15:50.320 --> 00:15:54.399
That's it for this episode. Thank
you for listening. For past episodes,

171
00:15:54.519 --> 00:15:58.120
visit Check Point Research's blog at research dot
checkpoint dot com, and you can

172
00:15:58.120 --> 00:16:03.159
follow Check Point Research on Twitter or follow
me at Ran Levi. That's R A

173
00:16:03.360 --> 00:16:08.000
N L E V I. CP
Radio is produced by PI Media, written

174
00:16:08.039 --> 00:16:14.159
by Nate Nielson, produced by Hila
Shemesh, and edited and narrated by Ran

175
00:16:14.240 --> 00:16:22.440
Levi. See you next time.
Bye bye,

