The CyberWire Daily Podcast 3.12.20
Ep 1043 | 3.12.20

The return of Turla. Data exposure incidents disclosed. Beijing accuses Taipei of waging cyberwarfare against the PRC. Coronavirus disinformation.


Dave Bittner: [00:00:04] Turla's back, this time with watering holes in compromised Armenian websites. Data exposures are reported in the Netherlands and the United States. China accuses Taiwan of waging cyberwarfare in an attempt to disrupt Beijing's management of the coronavirus epidemic. The U.S. and the EU separately undertake efforts to suppress COVID-19 disinformation. And the ins and outs of teleworking. 

Dave Bittner: [00:00:35]  And now a word from our sponsor ObserveIT, a Proofpoint company. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you'll know the whole story. Get your free trial at That's And we thank ObserveIT for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to 

Dave Bittner: [00:01:46]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, March 12, 2020. BleepingComputer reports that Turla, also known as Snake or Venomous Bear, appears to be back. ESET reports two previously unrecorded malicious tools - one a downloader, the other a backdoor - in a watering hole staged from compromised Armenian government and government-related sites. CyberScoop says the compromised sites belong to the consular section of Armenia's embassy in Moscow and an Armenian foreign policy think tank. 

Dave Bittner: [00:02:22]  The Register observes that one reason the operation has gone unremarked for so long is the campaign's patience and discernment. Turla won't install its malware, for example, until it's determined that the victim is a sufficiently high-level target. Once it decides the target is worthy, the infection proceeds along familiar lines - posing as a fake Adobe Flash Player update. 

Dave Bittner: [00:02:45]  Turla is generally regarded as a unit belonging to one of Russia's intelligence services, probably the FSB foreign intelligence service. That's consistent with its quieter, less obtrusive performance, which has become recognized as a hallmark of an FSB operation. Contrast that with the heavier hand of the GRU - Fancy Bear, for example, tends to come in fast and loud. Turla has also been associated with false flag operations in the recent past, including a campaign that convincingly represented itself - for a while, anyway - as an Iranian operation. 

Dave Bittner: [00:03:20]  Two significant data breaches have come to light. According to ZDNet, the Netherlands' government has lost hard drives containing the personal information of almost 7 million organ donors. The drives stored electronic copies of all organ donor forms filled with a Dutch Donor Register between February 1998 to June 2010. The two drives were placed into secure physical storage back in 2016, pending eventual disposal as authorities migrated to newer storage systems. But earlier this year, when the Donor Register went looking for the drives, well, they were nowhere to be found. And they haven't turned up yet, either. 

Dave Bittner: [00:03:59]  The personally identifiable information on the missing drives includes first and last name, gender, date of birth, address at the time of the form, choice for organ donations, ID numbers and a copy of the user's signature. Dutch authorities say there's been no sign that anyone's actually used any of the lost information, and that since the data falls short of what would count as fullz in the Netherlands - no official identification documents, for example - it's highly unlikely they'd be used for fraud or identity theft. Well, OK, then, but that reassurance sounds a little like whistling past the graveyard, or whistling past the transplant center. 

Dave Bittner: [00:04:37]  The team at MediaPRO recently published the latest version of their State of Privacy and Security Awareness Report. Tom Pendergast is Chief Learning Officer at MediaPRO. 

Tom Pendergast: [00:04:47]  One of the things we've always tried to do is combine cybersecurity and privacy because we think that for most people, those kind of go hand in hand. They may not for professionals, but they do for the general employee. So one of the intriguing things we found is that, like, 20 months after GDPR's implementation - and that's the European General Data Protection Regulation - most employees do not know whether their organization needs to comply with GDPR or not. And I think we're going to hit the exact same thing with this new California law, the California Consumer Privacy Act, which went into effect on January 1. Sixty-two percent are unsure about CCPA. So we've got these what professionals are calling the most sweeping privacy laws ever in history, and you've got a majority of the population that doesn't know a thing about it. So that's pretty interesting to me. 

Dave Bittner: [00:05:44]  What do you suppose the disconnect is there? 

Tom Pendergast: [00:05:47]  I think that general employees don't yet really understand that these regulations impose obligations on their companies that they need to know about. So, you know, if you're working in a call center, it may just not connect up with you that you have a role to play in not asking for information that you don't need, in assuring people that they have access to any personal data that they share. So I think - and that's just one example, but I think that there's a kind of a disconnect between the way people are regularly doing their jobs and these laws and regulations that companies are really highly attuned to. 

Dave Bittner: [00:06:32]  And so what are the take-homes for you? In terms of recommendations that came out of the information you gathered, what can you share there? 

Tom Pendergast: [00:06:39]  The take-homes for me are actually relatively simple, and it comes down to this - the first thing I think people who are trying to improve their risk profile as a company, they need to understand where their employees are with regard to risk. Let me give you an example there. You may as a company have rolled out a password manager to all of your employees and done a lot of education there, and maybe they're really good about managing their passwords. But you may have a really poor understanding in your population about the importance of reporting incidents, or even suspected incidents, right away. So the only way you get to understanding the risk profile in your organization is if you do some things to understand your employees and your culture's particular susceptibility to risk. So we recommend phishing simulation to identify the phishing risk, tracking other kinds of forms of data in your environment and doing surveys like this one in your employee population to understand your risk. 

Tom Pendergast: [00:07:44]  So once you understand it, now you've got a good roadmap to the kinds of things that you need to work to correct. And contrary to, you know, what may have been the old belief, it's not enough to release a kind of once-a-year security awareness training, where you make sure to cover the stuff that your employees don't know about. You've got to be regularly communicating to employees in a variety of different ways about the risks that they face if you're going to slowly, gradually nudge them in the direction of really cybersecure behavior. 

Dave Bittner: [00:08:21]  It strikes me, also, that there really is an important culture component here, that, you know, organizations have to instead of - I guess, they have to get rid of that fear of getting a slap on the wrist for clicking the wrong thing or going to the wrong website that, you know, the folks who report these things, they should be recognized as being champions, looking out for the organization's security. 

Tom Pendergast: [00:08:46]  You're right on the mark, Dave, and especially when you said it's about creating a culture. When people are trying to create an awareness program, they've got to think not of creating a training module but about creating an ongoing and sustained conversation in their company about how to better protect the data that flows through the company. And that's a culture change initiative. Too often, our security and privacy programs have originated with people who don't necessarily understand how to move a long-term culture change initiative along. And that's what we're trying to do with the survey, is just to help people understand that it's complicated. Humans are, as you probably know, paradoxical, sometimes contradictory creatures, and you've got to a variety of things to try to get them to function more effectively. 

Tom Pendergast: [00:09:41]  So one of the things that we always recommend to people is to recognize that your employees all kind of learn and process this stuff in different ways, so it's important that you communicate to people in a variety of different ways. Some people are going to get the picture and kind of switch over to more data-protective behaviors when they watch a funny video that might be making fun of somebody who uses the same password every time. But other people just don't tune in to that kind of message, and they may be better off with kind of a lunch-and-learn session where you bring somebody in from the FBI to talk to your company, or, you know, just imagine any of the other ways that you might communicate. It's important never to rely on one but to use multiple channels of communication on a regular cadence to kind of meet your objective. 

Dave Bittner: [00:10:33]  That's Tom Pendergast from MediaPRO. 

Dave Bittner: [00:10:37]  In the US, Ars Technica reports that Comcast inadvertently published some 200,000 unlisted phone numbers. These are phone numbers whose users pay a monthly fee to keep them generally unavailable to searches, a throwback to the old days when an unlisted number didn't appear in a phone book. Comcast mistakenly put the unlisted numbers into its Ecolisting directory, from where third-party directories obtained them. Comcast has shut down Ecolisting and apologized to the affected customers. The company is offering those whose purchase of an unlisted number was less than fully successful $200 in compensation and the opportunity to change to a new number, which one hopes will remain successfully unlisted. This has happened to Comcast at least once before. In 2015, the company paid a $33 million settlement in a similar case. 

Dave Bittner: [00:11:28]  In what appears to be a tu quoque response to earlier charges from Taipei, China has accused Taiwan of using the current COVID-19 epidemic as an opportunity to wage cyberwar against the People's Republic, says Taiwan News. Last month, Taiwan's Foreign Minister, Joseph Wu, complained publicly that Beijing was attempting to disrupt the island republic's efforts to contain the novel coronavirus, and that it was also running a disinformation campaign intended to erode public trust in the country's governing party with online claims that members of the Democratic Progressive Party were getting priority for receiving surgical masks. 

Dave Bittner: [00:12:05]  There's lots of COVID-19 mis- and disinformation circulating online, from state propaganda of the kind crossing the Formosa Straits to criminal phish bait. As American Banker notes, this famously includes a maliciously crafted map of coronavirus infections as well as other forms of clickbait. There's also a lot of direct fraud, like bogus colloidal silver cures. Don't bite. 

Dave Bittner: [00:12:29]  The U.S. administration is seeking to enlist Big Tech in a coordinated effort to correct these forms of misinformation. Facebook, Cisco, Google, Amazon, Apple, Microsoft, IBM and Twitter have all been asked to help, as The Washington Post and Politico report. The hope is that some technical solution or solutions might help, but it's unclear that anyone has any idea of how to do this at scale, and colloidal silver is exhibit A for the persistence of manifest nonsense. The European Union is also reviving the self-reporting system it established with U.S. Big Tech in the hope of finding some way of muting disinformation on the coronavirus. 

Dave Bittner: [00:13:08]  Twitter is the latest Big Tech company to mandate working from home in response to the COVID-19 pandemic, TechCrunch reports. Organizations considering making a similar decision might consider a white paper from Hysolate. It offers a systematic consideration of how to make the shift to temporary telecommunications. 

Dave Bittner: [00:13:33]  It's time to take a moment to tell you about our sponsor, Recorded Future. They help security teams make more confident decisions faster. Recorded Future's technology automates broad collection and analysis of cyberthreat data and delivers the rich external context you need to understand alerts and emerging threats. With real-time threat intelligence from Recorded Future, security teams respond to threats 63% faster and find undetected threats 10 times quicker. Recorded Future integrates with the security products you already use, making the intelligence you need accessible and relevant. Use it to improve your security operations, incident response, vulnerability management and more. If you're facing challenges like the cybersecurity skills shortage or more alerts then your team can handle, consider Recorded Future threat intelligence. Go to to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid, and it's on the money. And we thank Recorded Future for sponsoring our show. 

Dave Bittner: [00:14:44]  And I'm pleased to be joined once again by Mike Benjamin. He's the head of Black Lotus Labs at CenturyLink. Mike, it's always great to have you back. You and I were joking before we started rolling here that Emotet seems to be the gift that keeps on giving in terms of providing you and I something to talk about here - keeps bubbling back up and has a way of keeping itself in the news. It's been on your radar along with your team. What's noteworthy lately with Emotet? 

Mike Benjamin: [00:15:11]  Yeah. Thanks, Dave. So Emotet is - many are familiar with - is really, really one of the more dominant malware distribution methods in the internet right now. It's being used as part of the supply chain to distribute a variety of threats. Of course, ransomware being one of the more frightening ones that people have been affected by. But realistically, the team behind it's been very effective at how they update, maintain their infrastructure and deliver things, so I always like to know when they make changes in their behavior. So at the beginning of this month, they started distributing a new version of their binaries. They've done this a few times before, so this is not the first time. However, it's realistically then about a week later - tends to stop their spamming. So right now, as we speak, Emotet is not sending spam emails, and that is a change in behavior. 

Mike Benjamin: [00:16:01]  And so what we really like to point out to people is during these times, the actors are reassessing how they distribute their malware, how the malware runs on a host, and they're changing things and protocols and other things that, for a time, will make it a little more difficult to detect and block. So right now is really the time to go through an infrastructure, look for those network available data points for the callbacks and look for the host-based forensics, to look for the installed malware and remove them. This is a great time, while the actors aren't focused on building up their war chests of infected points, to go remove some of them from infrastructure. 

Dave Bittner: [00:16:39]  Now, once they are back at it and they're sending out Emotet again, what sorts of things should folks have in place to defend against it? 

Mike Benjamin: [00:16:49]  Well, Emotet's been really effective from a few different points. First off, they attack existing infrastructure for their distribution, so both the malware distribution itself as well as command and control. They're hacking into hosts, they're breaking into hosts and using things that already exist. And so some of those things around how good is the site cannot, in some cases, be that effective against Emotet. Of course, they're not breaking into major websites as they do that. So they do still tend to be things like smaller businesses with WordPress and things that are being compromised, but they do have a reputation on the internet that's not negative to start with. So realistically, looking at where emails coming, from what it contains and those tried-and-true things that we've tried to do for many years to stop email distribution of malware all come into play here. That's their primary vehicle. 

Mike Benjamin: [00:17:39]  Next, when they are dropping the malware, they're using multi stages of install, secondary payload, download and other things that do tend to get caught by most endpoint software. So keeping those things updated, making sure that there's diligence. And then last, where we spend a lot of our time, is looking at the network layer, trying to find where those callbacks exist, and should something get past an early check on an endpoint agent, being able to then detect at the network and go remediate it on that individual host before it spreads more. 

Dave Bittner: [00:18:11]  Now, in terms of them altering their binaries, I mean, I suppose - I mean, that makes it - that changes the signature of those binaries, so you need to be aware of that. Does the actual behavior change for the defenses? They're looking for a particular type of behavior. Would that be altered as well? 

Mike Benjamin: [00:18:30]  So the changes have occurred a few different times. One of the big changes that we saw a couple versions ago is they started using infected hosts as part of their command and control proxy layer. This makes it a little bit easier for them to persist over time, less pressure on how many WordPress sites they happen to hack into for their second tier of C2 there. So that was a big shift in behavior that we saw. However, most of the basics of primary maldoc driven through secondary payload, download, those kinds of steps look pretty consistent across time, but they are a gang of folks that do know how to do the more smaller changes to their malware to try and evade particular checks along the way. We see them constantly changing their obfuscation methods in their maldocs because they begin to be detected with greater efficacy across the industry. They do change things like the encryption keys on their command and control protocol on a monthly basis, so they're very diligent about changing things over time. But you're right. The core of what they're doing has been pretty consistent over time. 

Dave Bittner: [00:19:34]  All right. Well, Mike Benjamin, thanks for joining us. 

Dave Bittner: [00:19:42]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for our professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexis smart speaker, too. 

Dave Bittner: [00:20:00]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at 

Dave Bittner: [00:20:12]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.