EU suspects Russia of disinformation. TrickBot’s latest module is a brute. Parallax RAT and the MaaS black market. Pandemic hacking trends. What to do with time on your hands.
Dave Bittner: [00:00:03] The EU suggests that Russia's mounting an ongoing disinformation campaign concerning COVID-19. Russia says they didn't do nothing. TrickBot is back with a new module still under development, and it seems most interested in Hong Kong and the U.S. The Parallax RAT is the latest offering in the malware-as-a-service market. Food delivery services are now targets of opportunity for cybercriminals. Zoom-bombing is now a thing. And some advice from an astronaut.
Dave Bittner: [00:00:38] It's time to take a moment to tell you about our sponsor Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyberintelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely because that's what you want - actionable intelligence. Sign up for the Cyber Daily email, and every day, you'll receive the top-trending indicators Recorded Future captures crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire and subscribe for free threat intelligence updates. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:48] Funding for this CyberWire podcast is made possible in part by McAfee - security built natively in the cloud for the cloud to protect the latest, like containers, to empower your change makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time.
Dave Bittner: [00:02:11] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, March 19, 2020. The EU's foreign policy body, the European External Action Service, has called out Russia for systematically pushing disinformation about the coronavirus. Quote, "A significant disinformation campaign by Russian state media and pro-Kremlin outlets regarding COVID-19 is ongoing. The overarching aim of Kremlin disinformation is to aggravate the public health crisis in Western countries, in line with the Kremlin's broader strategy of attempting to subvert European societies," end quote. That's from a document dated March 16 and obtained by Reuters.
Dave Bittner: [00:02:56] The document said that there had been more than 80 cases of disinformation about coronavirus emanating from Russian sources since the 22 of January. Among the more noxious themes is Russian amplification of debunked Iranian charges that COVID-19 is really a U.S. bio-war project and charges that U.S. military personnel in what Moscow refers to as the near abroad, the non-Russian former Soviet republics, have been carrying the coronavirus. The general consensus on the origins of COVID-19 is that this strain of coronavirus is a zoonotic disease that jumped from bats to humans in China.
Dave Bittner: [00:03:37] Russia's Foreign Ministry has harrumphed that the EU's charges are unfounded and lack common sense. Spokesman Dmitry Peskov thinks the examples aren't specific enough and that, as usual, Moscow is more sinned against than sinning. Quote, "We're talking again about some unfounded allegations, which, in the current situations, are probably the result of anti-Russian obsession," Mr. Peskov complained.
Dave Bittner: [00:04:03] This global pandemic has nudged many of us toward a greater appreciation for the interconnectedness of this big, blue marble in space we all inhabit - global supply chains, economies, health care systems, nation-states and, yes, cybersecurity. Thomas Creedon is the cyberthreat intelligence leader and senior managing director for the Asia-Pacific region at LookingGlass Cyber Solutions. We caught up with him at the RSA Conference.
Thomas Creedon: [00:04:31] That's the - kind of the double-edged sword with regard to public threat intelligence coming out of commercial side or even some of the stuff that's coming out of the DOJ is that, while it does give people visibility into - there is a threat there, many times, a lot of the stuff that we're putting out there is also helping them get better at their opsec and avoiding detection. And that's the case both in crime or in tradition - cyberespionage.
Dave Bittner: [00:04:55] In terms of the sophistication of these groups and the types of operations that they do, comparing them to what we're doing here in the United States, for example, are they - are we on equal footing? Do they go toe-to-toe with us? Where do they rank as an adversary goes? What's the level of sophistication?
Thomas Creedon: [00:05:17] Traditionally, we see - you know, the term advanced persistent threat.
Dave Bittner: [00:05:21] Yeah.
Thomas Creedon: [00:05:21] Majority of attacks are not very advanced. As far as their capabilities, what would you compare - what would you say our capabilities are?
Dave Bittner: [00:05:31] That's a good point.
Thomas Creedon: [00:05:32] So...
Dave Bittner: [00:05:32] Yeah.
Thomas Creedon: [00:05:33] We all assume that, of course, Stuxnet was conducted by U.K., U.S. and Israel.
Dave Bittner: [00:05:39] Right.
Thomas Creedon: [00:05:40] A very interesting operation, interesting tools. But I don't have a lot of visibility into the tool sets that are being used in U.S. law enforcement, in U.S. intelligence agencies. So probably stay away from that.
Dave Bittner: [00:05:53] Yeah. That's actually a really interesting insight. Is there anything, when it comes to the Asia-Pacific region, that you feel is not getting the attention it deserves?
Thomas Creedon: [00:06:04] We've seen a lot of the discussion of the Russian influence operations. We've seen some discussion of the Chinese influence operations. And - don't want to overhype them because in many ways, they're - we haven't found them to be successful in any way, shape or form, whether they're targeting Taiwan, whether they're targeting Hong Kong - which actually might be a good thing that we're not overhyping it. Whereas with Russia, well, we can have the argument whether it's being overhyped or not, and that's a longer discussion over beers, I guess.
0:06:34:(LAUGHTER)
Thomas Creedon: [00:06:35] But there's really not too much - the business email compromise is still a significant issue over there. The cyberespionage, it never went away. There is a lot of talk that, you know, after the Xi-Obama summit - that things quieted down, and for the case of East Asia, it never did quiet down. It's actually quite a colorful region, and you can't really just base on the country itself because of people operating in those countries.
Dave Bittner: [00:07:01] That's Thomas Creedon from LookingGlass Cyber Solutions.
Dave Bittner: [00:07:06] We turn from COVID-19 for the moment. You do know, of course, that COVID-19 is currently the most popular phishbait in the cyber sea, right? We're going to look at a few other interesting developments. Researchers at security firm Bitdefender report that TrickBot has a new module designed to brute-force remote desktop protocol for selected victims. It's designated rdpScanDll, and it's apparently still under development. The RDP attack tool seems intended for use against targets in Hong Kong and the U.S. TrickBot began its career in 2016 as a credential stealer focused mostly on financial targets, but its modular design has lent it steadily increasing levels of sophistication as criminals plug in new capabilities. This most recent enhancement, rdpScanDll, is being used mostly against telecommunications targets with the other most targeted verticals being education and research and then financial services, including banks. The criminal campaign is being run from a dynamic set of command and control servers, most of them located in Russia.
Dave Bittner: [00:08:15] Morphisec Labs have released more technical information on the Parallax remote-access Trojan. Parallax has recently figured in coronavirus-themed attacks. Morphisec sees the more recent Parallax RAT campaigns as representative of a trend toward malware as a service, which has made effective attack tools available to criminals who don't need to have the skills necessary to developing their own malware.
Dave Bittner: [00:08:41] Here are a few new bits of criminality we confess we hadn't particularly expected. Retrospectively, however, they seem fairly obvious, especially in these challenging times. First, SpyCloud warns that hoods are sharing instructions in their chat rooms on how to hijack food delivery services - the objective being, of course, free food - free for them, not for the homebound who pay for and actually need the deliveries. Second, with videoconferencing seeing heavy use as people work remotely, TechCrunch reports that Zoom-bombing is now a thing. That is, Iago-like skids are trolling Zoom virtual meetings and sharing unusually repellent, violent or pornographic content as your screen, the objective being, of course, the lulz. They're like Iago in terms of motiveless malice, not in terms of invention or cleverness - losers with time on their hands.
Dave Bittner: [00:09:39] And BleepingComputer reports that high-minded criminals say they won't use ransomware against hospitals during the present pandemic - says the gangs, but The Register and The Telegraph seem reluctantly moved to skepticism. Remember what we just said about food-stealing skids? Sure, sure, technically, of course, it's not ransomware, but it's a fair representation of the criminal mindset. Security firm Emsisoft, which specializes in developing decryptors for ransomware and which is offering its services for free during the pandemic, has appealed to the extortionists as fellow human beings, people who themselves have families and loved ones, and asked them to tone it down while everyone's dealing with COVID-19. We hope they reach the criminals' ears, but we have to admit there's not a lot of reason to expect altruism, public spirit or even fellow feeling from the hoods.
Dave Bittner: [00:10:33] Finally, we've seen lots of advice about how to work remotely effectively and securely during the present pandemic, and you'll find plenty of links to such advice in this week's worth of the CyberWire's daily news briefing. Check it out. Some of it includes various offers of free services. But there's also some general advice. Call it lifestyle advice from an unexpected source. Dr. Rendezvous himself explains how to get through the lockdown, quarantine and confinement. Buzz Aldrin, Apollo 11 Lunar Module pilot and alumnus of that "Andromeda Strain"-style quarantine the astronauts endured at the Lunar Receiving Laboratory in Houston, has offered us all not to take so much advice as an example.
Dave Bittner: [00:11:16] Ars Technica asked Dr. Aldrin what he was doing to protect himself from the coronavirus. The second man on the moon immediately replied, lying on my backside and locking the door. He used a different word than backside. The astronaut also suggested that one might pass the time the way he did back in the day - watching ants crawl around and filling out government travel vouchers. For government travel vouchers, fill in whatever company forms you may have been putting off or even, heaven forfend, income tax documents. There may be some lessons here for telework or at least for phoning it in. Ars calls Dr. Rendezvous a national treasure, and what can one do but agree? Let's stay safe out there.
Dave Bittner: [00:12:06] And now a word from our sponsor LookingGlass Cyber - organizations have been playing a dangerous game of cyber Jenga, stacking disparate security tools, point solutions and boxes one on top of the other, hoping to improve their security posture. This convoluted and overloaded security stack can't hold up in today's microsegmented, borderless and distributed networks. As the enterprise network grows, organizations need a flexible protection around their unique network ecosystems. By weaving security into the investments your organization has already made, formerly disjointed tools can communicate with one another to disrupt and distract the adversary without revealing your defenses. With a software-based approach to unifying your security stack, security teams can easily scale their protection to fit their needs with one integrated software solution requiring no specialty hardware. Meet the Aeonik Security Fabric. Learn more at lookingglasscyber.com. That's lookingglasscyber.com. And we thank LookingGlass Cyber for sponsoring our show.
Dave Bittner: [00:13:19] And I am pleased to welcome back to the show Andrea Little Limbago. She is the chief social scientist at Virtru. Andrea, you've been a guest on the show before, but this is my opportunity to welcome you to our partners segments, so welcome to the CyberWire.
Andrea Little Limbago: [00:13:34] Oh, thanks so much. I'm thrilled to be a partner with you, and I've - and I always love the podcast. This is an exciting opportunity for me.
Dave Bittner: [00:13:41] Well, let's get to know you a little bit. First of all, your title, chief social scientist - what goes into that role?
Andrea Little Limbago: [00:13:49] That's honestly one of most frequently asked questions I get because there are so few social scientists actually in cybersecurity. And quickly, you know, I'll start off explaining what it is by an anecdote that - about five years ago, I was asked almost everywhere I went, why is there a social scientist in cybersecurity? And I now no longer get asked that question at all. And it's more so, what different areas are you focusing on? And so the position and just the applications of social science have evolved a ton over the last five years.
Andrea Little Limbago: [00:14:15] And so really, my job now and in the past has - it covers several different areas. One can focus on the human-computer interaction. And so we hear a lot about usable security and usable privacy and making it more user-friendly. And so looking at how different applications enable various kinds of security settings and data integration and analysis and those kind of things is one component of it. Another core component of it is looking at the geopolitics of cybersecurity - so really, looking at the behavior of nation-states, criminals, terrorist groups, the - you know, the whole range of attackers as well as, you know, what kind of tactics and techniques and procedures they're using. What are the motivations? How do the groups interact? And then also along those lines, on the defensive side, you know, how are defenders adjusting to those kind of attacks both on the technical side but also on the legal and policy side, is another component.
Andrea Little Limbago: [00:15:08] And then I would add, probably a third one that I try and integrate is really just within the industry itself, focusing on - you know, within companies, helping professional development and growth of our technical folks and helping guide and sort of serving as an editor in chief of the technical content so that when it is distributed, it's more consumer-friendly for a broader audience. But then also looking at, you know, growing companies and helping within the industry in the areas of diversity, equity and inclusion.
Dave Bittner: [00:15:36] Yeah, it's really interesting to me, as you mention, this evolution, this recognition that the human side, the social side of this technical industry is more important than ever.
Andrea Little Limbago: [00:15:49] Right. And it's - you know, one of the things where, you know, as a social scientist, it that has always driven me nuts that I always hear - the human is the weakest link, you know, in security. And while, absolutely when - we see the data on spear phishing and so forth, but at the same time, you know, it's really - I've always seen it as a cop-out for explaining why technology isn't doing what it should be doing. And, you know, one of my favorite quotes by Martijn Grooten is along the lines of, you know, humor humans are features, not bugs. And that's how we really need to start looking at it, is making the technology work for humans, understand the kind of human behavior that drives why they're clicking on links. I mean, the fact that we're still focused on not clicking on links as one of the top line of defense is a little bit baffling, given human behavior and given what our - the business needs are.
Andrea Little Limbago: [00:16:34] And so the industry is evolving, though, and that's what - you know, it's interesting seeing you just - you know, just saw it at RSA. The human element was the core theme. And so I did - I do see the industry changing a fair amount, starting to look at all the different applications and how it's really a sociotechnical system of the humans interacting with the technology and then building the tools to, you know, address those and also keeping in mind sort of the unintended consequences that may happen, especially when you think about AI models that you're building, but also on the lines of just, you know, visualization and human interaction and so forth.
Dave Bittner: [00:17:06] Can you give us some insights on to - into what - your career path? What led you to this line?
Andrea Little Limbago: [00:17:13] It so far has been really circuitous, I would say.
0:17:16:(LAUGHTER)
Andrea Little Limbago: [00:17:16] You know, I started off very much so in the national security space and really interested in international relations and earned my Ph.D. in political science with a focus on international relations and conflict and cooperation amongst nation-states, but also along those lines, with a focus as well on democracy and building democracies and also how democracies decline. And so that took me into teaching and academia for a short period of time, before I got recruited into the Department of Defense and worked at a analytic center called the Joint Warfare Analysis Center. And that's actually where I really started getting more into the realm of working with engineers and other kinds of data sources, as you can imagine, in that area, in conjunction with a broad range of computational social scientists. And so I was the technical lead of a team there that focused more so on the counterterrorism effort. And this was, you know, in the, you know, late aughts - I guess if we can call the decade that (laughter).
Andrea Little Limbago: [00:18:14] So that's when the DOD was realizing that the human element really did matter. You know, and it's interesting - when I first got into cybersecurity, I wrote something that was very similar, along the lines of how, in the counterterrorism realm, there was an evolution for first trying to focus on kinetic and then starting to realize that humans matter and then how to try to, you know, adjust behavior or anything from economic governance and democracy and development to just, you know, influence operations and so forth as far as, you know, the whole winning the hearts and minds notion. And, you know, cybersecurity I feel like has gone under a very similar evolution as far as focusing mainly on the technical and then starting to now look at how the humans interact.
Andrea Little Limbago: [00:18:50] And so that was - you know, that was the DOD. I was there for about five years leading a team there and then have since then gone to a couple of different smaller startups, working across those various realms that I described earlier at - first at Berico Technologies, was at Endgame for about five years, which is an endpoint security - and now at Virtru, focusing on data protection and privacy and security.
Dave Bittner: [00:19:11] Well, we're glad to have you join us. Andrea Little Limbago, thanks for joining us.
Andrea Little Limbago: [00:19:16] Oh thank you so much.
Dave Bittner: [00:19:23] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Dave Bittner: [00:19:42] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:19:54] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team - working from home - is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Take care of yourself. Take care of each other. Stay safe. Thanks for listening. We'll see you back here tomorrow.