[0:43] Navigating the Perils of Malicious Websites
Petko: So you mentioned earlier, command and control, and some things are coming in through LinkedIn. So if you receive a job offer, potentially a CV or request for a CV in a Word document. I'm curious, can you talk about the threats that malicious websites post to certain users?
And is there any recourse for people who have devices that have been infected? Like one is, how do you prevent it early on? And the other question would be, what can we do to stop after you're infected?
Dmitry: Yes, let's say like the latest trend, especially for the cybercrime ads, it's not even about using like exploits. It's about using a malicious PDF file with social engineering inviting you to click on something else to get the document or to unlock the document.
Usually, it's like, it can be a blurred document, a pdf. So it says like, oh yes, that is protected content, you know to unlock, they just click here, you click it, it takes you to the website, another website, and where it's like already it says like, okay, input your password.
So they steal the threat actors. They might steal your password or they invite you, okay, to unlock this document, you need the software. It's a security software, which works in a safe way with these documents.
So you, like the victim explicitly installs it, like thinking it's safe, it's to improve security. It's to do something for the good. That is how it usually how it happens.
The AI-Powered Deception
Dmitry: And same for Windows users like social engineering, it still works because it's cheap. The investment cost is so low. And with user shows ChatGPT, like, artificial intelligence modules, you can write really good texts.
Really convincing, appealing to the bottom of the heart or to the bottom of brain and making people click.
Petko: Dmitry, you said one of my favorite words, ChatGPT, I don’t know if it's a word or two words. But I know there are folks who use it for code development and things like that. But you're pointing out that they're using it now to refine the message to be more grammatically correct. So it's harder to tell, right?
Are you seeing adversaries using AI, and what are some examples of how they're using it? If you can go down to that level?
Dmitry: Yes. So first we have seen automation in terms of writing like certain, let's say like modules of the influence. Especially when the structure of the attack is complex. So that is about automating, that is about, okay, give me an idea or show me these tell me that.
It's been used by several threat actors so far, cyber and financially motivated threat actors, and also some targeted attack threat actors. And yes, of course, it's for social engineering campaigns as well. So, online banking, those, services like online delivery services, online payment, it's all about that.
Adversarial AI in Action
Dmitry: So for the threat actor, they just provide very basic information. “Write an email or text to someone who lives in Miami. And he's originally from Russia, but also he speaks, I don’t know, Spanish language and English language, so, right. And he's a user of that bank, or that financial institution.
Write a text to convince the person to accept an offer. Like a very attractive offer for that person so, he may accept it.”
So for ChatGPT, it's not any abuse. It's just like, “Oh, that is legitimate it's like it's about business. Yes, I can write it for you.” You get the text and it's perfect. And then you change the one word or one expression like by through hyperlink.
So you insert a malicious link behind the sports and say like, “Do it, Dmitry, accept it. It's real, it's for you. That is a custom offer for you, my friend. And the success rate is so high for that hacker in this case.
Petko: Especially if they know what bank you're at, right? I think I've seen the context or content getting massively increased that we're seeing overseas, and coming back to us is all more targeted. So you've been doing cyber threat intelligence for almost 20 years or so in this field?
Now, your current role as a senior director at BlackBerry. Tell me what kind of research is BlackBerry doing in cyber threat intelligence?
Empowering Cyber Defense with Comprehensive Threat Analysis
Dmitry: So it's something new. We just started it when I came to BlackBerry about a year ago. We put that as a goal, to have a service called “Silence Intelligence.” And this is what we do. So we do intelligence, we have three tiers of intelligence. One is just informational, so it's essential.
It's about, telemetry, just basic visibility. That is for those who want to, like in general, what's going on in the world.
I just want to know advanced and pro. So pro, it's full, it has it all, like all the levels we just discussed in the beginning. All four roles in the companies, they can use it for SOC to defend, to respond, to make a strategy.
That information is very useful also when you are working on a threat module, when you need to build a real threat module.
So how do you do that? It's based on the adversaries, weapons, how they use it, why they use it, so what's next? That is what we do. And again, it's not only just notifications, high-level notifications, but it's also about low-level technical information as well, explained in detail how it's working exactly.
It includes from reversing malicious code to the creation of applied countermeasure rules, so you can use them. And of course, providing context, sometimes it's an analysis about the events.
Let's say we have seen this attack, but why? And when you go in track this same week or two weeks before, or one month before, you saw geopolitically where there was something. Something happened, someone told something, someone did something.
[7:33] Exploring the Shifting Cyber Threat Landscape
Dmitry: That attack was the result of concrete specific action because of politicians, they did something, and that is what we do. We don't want to produce reports like purely technical, just technical. We have to understand that politics define geopolitics and also the threat landscape.
Attacks don't exist just because someone doesn't have anything to do in life, that is about achieving specific goals, military goals, diplomatic goals, and cyber espionage. It's all about that.
Petko: Now, Dmitry, before BlackBerry, you were over at Kaspersky doing global research and analysis for Latin America. How has your role changed from Kaspersky to BlackBerry?
Dmitry: By that time I used to focus mostly on Latin America and also countries speaking Spanish language or similar languages like Portuguese and Italian, my focus was mostly on that. And of course, when we speak about Latin America, it's financially motivated malware in 99%.
And sometimes you have APDs, like APT-C 36, Machete, some others, but it's not like that much about targeted attacks.
It's about ransomware, it's about Trojan bankers, it's about ATM, malware, it's about POS malware, it's about Phishing, it's about Android ransomware, Androids, or RATs (Remote Access Tools).
So that is like the world, it's more about like tracking those threat factors. And you work on that now, while at BlackBerry, of course, it's all about, it's everything. It's not just, I don't focus on LATAM only or financially motivated only attacks, but also all sorts of threat actors in all parts of the world.
Unveiling the Global Cyber Threat Landscape
Petko: I'd love to get your take, given that you went from very region specific to very global now. Given that you have these global views, who are your top two most sophisticated threat actors or most active threat actors? I'm kind of curious about what your thoughts are.
Dmitry: It depends on where you live. Why? Because your threat actors will be different. So if you live, let's say in Ecuador, it's highly unlikely to think that a Western country will target you. It can happen, it depends again, on the geopolitics, but you got to be like facing more regional threats.
But in general, when we speak about sophistication and let's say professional operations, of course, I would say it’s US, it's Great Britain, it's Israel. For me, it's like, this is the top three. It's the best, like really the best. Then, you have China.
It's also certain groups and Chinese groups are really noisy. And most of them, you know, like plugs cluster, it's just like you will see everywhere all the time.
But some, they're really very professional, targeted, even with the members, those groups, they don't live within China. They can live here in the United States and Canada, or they can live in Europe, so they are citizens of Western countries. But they do operate for China in this case.
So those operations also are very sophisticated, very interesting. It used to be also, you see everybody's speaking about Russia and all the attacks Russia has been launching for the last years, but at the same time, we have so many OBSEC fails they have committed.
Nation-State Cyber Warfare
Dmitry: Every day now it's like, “Okay, we know who you are. We know your OBS. So we are destroying this.” Like the latest one, the Snake, you remember? It was also very interesting that it was announced, the disruption operation was announced on May.
On May 9, it's in Russia, it's the day of the victory in the 2nd Great War. So it was like some sort of, “I'm gonna announce it like on the day, like the victory for you. But in reality, we know who you are, you know how you work. And we have just destroyed your network infrastructure, by the way.”
Petko: It's become very politically motivated, sounds like.
Dmitry: Absolutely. The attacks were the highest profile in cyberspace. It's about nation-state attacks.
Petko: Just curious, I mean, we've had folks on here talking about Ukraine, and others were telling us that, when Russia invade Ukraine, it got pretty noisy before and after. Have you seen the same level of, given what's going on in Ukraine, are you still seeing activities from Russia?
Are they more or less increased or decreased prior to the Ukraine invasion?
Dmitry: Increased, and those campaigns are ongoing, especially like the number of attacks, we see like very active, very high, back to back. It's gamma redden, also some, they call it like a primitive bear. Very noisy, using even a telegram to exfiltrate or to connect, to provide instructions as a C2.
It's in Telegram, it's a very popular messenger in Ukraine and Russia. So it's hard to spot it like it's malicious traffic.
From Self-Initiated Curiosity to Cybersecurity Expertise
Dmitry: At the same time, RomCom, it's a weird name. I don't like that name, but it was mistakenly attributed publicly as a cybercrime-associated family because it was found on the same machines previously infected by Cuba ransomware. In my opinion, it is not connected to cybercrime as we know it.
It's because of the targets, because the information it steals, because of timelines also like overlapping with very specific events around the war in Ukraine. That is not about any financially motivated attacks. It's 100% about stealing intelligence from military unions, and intelligence information from local authorities like cities.
Now it's targeting Western countries. So it is not about financial motivations at all. Those two, they've been super active since the beginning. And of course, like other groups, DDoS attacks, hacking websites.
Petko: Yes, it's a noisy world out there and you're definitely operating the tip of the spirit. I'd love to get an idea. If you can tell our audience, how you got started in cyber more personally than where you are now, how did you get started in the cybersecurity space and what sparked your interest?
Dmitry: Well, by that time it was a little weird because even like no careers, you know, to study, it was like engineering or mathematics, and that's it. And Yes, they also teach us like to, you know, to develop, to be a developer or network administrator, but nothing really about security.
So I just took my first step by myself. So learning from others, you know, asking questions, playing with low-level debuggers, HEX editors, nothing fancy.
Exploration, Experimentation, and the Challenges of Cyber Defense
Dmitry: But it was still cool, because you go to the disk, you look how it looks like, I don't know, Master Boot Record, you can change ASCIIs, just those strings a little bit. So that was in MS-DOS 3.11, the very first one I played with. And then we had developing skills little by little.
And finally we're here. By that time it was just a different school and pure commands, stolen, Northern Commander, of course, it was, best. It's poof! Fantastic!
Petko: You've had a wide variety of roles in IT security, what's been the most challenging and why?
Dmitry: I believe while you are a defender, when you defend, when not a researcher, because it's easier to be a researcher, it's not targeting you. You just go and, you find operations in the wild, you analyze them, you produce reports, it's cool. So you stay in a very safe zone.
But it's different when you have to defend something, even if you have the knowledge, even if you know how the threat actor is operating.
So I remember when I used to work for a financial institution, fortunately by that time it was not about the attacks we see today. But thinking about those guys defending with a variety of vulnerabilities and different tactic techniques.
And Prestige is used for initial access, lateral movement, everything, and exfiltration, that is the most challenging role on the planet. Because if something goes bad, it'll be super notorious. And for me it was also like more or less by that time, defending that financial institution.
[17:30] The Power of Curiosity and Self-Teaching in Cybersecurity
Petko: Yes, Dmitry, I'm kind of thinking through the conversation here and it's kind of obvious. If you have a mindset of you wanna understand how things work, if you're curious, being a researcher or an analyst is a great position.
Because you get to play with things, break it up, and then write a report on how it works or use that information to inform other things on how to make them better in some ways.
Dmitry: Yes. So it's all about learning. And I'm a fan, I really support self-teaching, self-standing. How can you do that? Get the tools first, get like tools you need. Let's say you want to learn about reversing, right? So what you need is probably either pro or free, now we have Ghidra.
It's free, just take it. There are other tools if you can invest a bit also to find the Binary Ninja. For quick triage, Malca, I love Malca. When you are a virus analyst, it's just like it has it all. You just go there.
I love Hiew, It's still you know from Northern Commander style. Fire manager, that's one of the things I will install at first when I prepare my machine, some debuggers, some packers. The next step of course, like if you got it all, okay, how to learn.
Find a blog, someone wrote, well-written with details, screenshots, details, explanation, and just follow it, get the sample, same sample, try to get to those points, and try to find it.
Hands-On Learning and Security Consciousness
Dmitry: How can I find it with my tools? Here it speaks about the, I don't know, encryption or about exfiltration, but find it in your computer, either using a Ghidra or whatever. Just get to that same point, and go to the end.
It's some sort of like a hands-on exercise, but of course with the tips and tricks with a public blog post where already everything is explained. Just follow the steps. So I believe it's a good thing.
Petko: You've worked in a lot of different industries. I'd love to get your advice on individuals or organizations, what should they be doing? You mentioned a couple of things that you do if you want to research.
But as someone who wants to be security conscious, what are things that you should be doing in your day-to-day life that most are not for individuals and for organizations?
Dmitry: Yes, I've seen that unfortunately there are more and more professionals who are high-level professionals, so they're certified product specialists. And essentially, if the product is quiet, it says like no attacks, everything is cool, they blindly believe in it. It's like full trust. So that is a very comfortable zone.
However, it's not the truth. It's not the reality. So my advice to those who work with those great products we have on the market is it doesn't matter. The brand is to keep working on low-level things, just play with the samples, try to see, make a lab, and see things not on the console or graphic user interface.
But also what's happening in the back? Play with the traffic.
The Significance of Curiosity and Context in Cybersecurity
Dmitry: Try to see new things, new development, like everything new, what's happening. So be up to date, not just by the news, not just, “Oh, there's a new ransomware, strange family.” Go in, analyze that, get the sample, open it, and try to see how it's working.
So stay on top, be sharp, not just like I'm a certified professional in that product line.
Petko: Dmitry, you're talking about, just be curious and be cautiously suspicious about technology. I remember when I was working on SOC and we had a SIEM and we were getting so much data and so many alerts that we'd write rules to say, ignore this, ignore that.
And eventually, we were only focusing on 1%. Yes, we were visiting potentially 70% because we didn't have the ability to go after all of it. But our SIEM was tuned to only look at the 1% problem, and miss the other 99% if you will, because it was noise or it wasn't important.
We could have automated it years ago. But sometimes you can over tune and then you look at the tool, oh, there are no alerts. But at the same time, you need to double-check and maybe test your environment and be suspicious. What are we missing and where?
Because you might have over tuned it.
Dmitry: Yes, it's about the context. It's a pretty common conversation. So how many feeds do you have? How many hashes can you pass me every day? This industry is now producing more hashes, more IPs, and more URLs than anybody can even analyze.
Leveraging Context for Effective Defense
Dmitry: It's not about numbers, it's about context. We should look into those things we know, which are interesting for us because of the threat actor. Because I'm in the industry, he's attacking the country.
So pay attention only to those things which are relevant to me. So I can really build an effective defensive strategy, the effective threat module. And if not, you can't handle it.
Petko: Dmitry, thank you so much. I've learned a lot. Where can our listeners follow your work and get in touch with you?
Dmitry: Thank you very much, Petko. Likewise, it's my pleasure. I'm on Twitter, I'm on Mastodon and on LinkedIn. I am always hoping to do any conversation, even private conversation.
My DMs are open. I'm usually accepting all the invitations on LinkedIn, because I assume probably the person will ask me something, they need something. So unless it's super weird, I see it's weird, I'm not accepting it. So, welcome.
Petko: Well maybe from tools, techniques, and procedures, it's worth accepting all and then seeing how they react and what they do. You need the bot to interface with all of them, it sounds like.
Thanks Dmitry, for your time today and are there any closing thoughts you wanna share or anything else we missed? I think we covered so much around threat intelligence, juice jacking. I'm sure we could have talked about it, blue jacking and everything else, too.
The Essential Need for Threat Intelligence
Dmitry: Like today, even anyone can be a target. We know it. Even if you work in cybersecurity or not, it's a matter of motivation and circumstances. Sometimes circumstances also may define like, okay, you are the target. As long as time pass,
I see that threat intelligence, cyber threat intelligence is it's more and more needed. It's a must. So essentially we all need to have threat intelligence because otherwise, it's like how to protect yourself. Just what will be the guide? So that's my message.
Petko: Yes, I guess if I could summarize it from just our conversation, it's staying curious, context is king and staying connected to what's important in terms of your technology. Don't just trust it. This has been invaluable. Thank you so much, Dmitry, for your time today.
This has been Rachel Lyon and Petco Stoyanov, bringing you another episode of To The Point. Remember to stay informed, stay secure, and always stay ahead of the ever-changing threat landscape.
About Our Guest
Dmitry Bestuzhev is Senior Director, CTI (Cyber Threat Intelligence) at BlackBerry. Prior to BlackBerry, Dmitry was Head of Kaspersky's Global Research and Analysis Team for Latin America, where he oversaw the company's experts' anti-malware development work in the region. Dmitry has more than 20 years of experience in IT security across a wide variety of roles. His field of expertise covers everything from traditional online fraud to targeted high-profile attacks on financial and governmental institutions. His main focus in research is on producing Threat Intelligence reports on financially motivated targeted attacks.