The CyberWire Daily Podcast 3.24.20
Ep 1051 | 3.24.20

Active ICS threats. TrickBot and TrickMo. RCE vulnerability in Windows. Google ejects click-fraud malware infested apps from Play. Attackers hit WHO, hospitals, and biomedical research.


Dave Bittner: [00:00:02] WildPressure APT targets industrial systems in the Middle East. ICS attack tools show increasing commodification. TrickMo works against secure banking. Microsoft warns of RCE vulnerability in the way Windows renders fonts. Click fraud malware has been found in children's apps sold in Google Play. DarkHotel attacks the World Health Organization. Ransomware hits Parisian hospitals and a British biomedical research firm. And more COVID-19 phishbait. 

Dave Bittner: [00:00:38]  And now a word from our sponsor ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book, "SOAR Platforms: Everything You Need to Know About Security, Orchestration, Automation and Response." The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. You can download it at That's And we thank ThreatConnect for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to 

Dave Bittner: [00:02:09]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 24, 2020. 

Dave Bittner: [00:02:18]  Researchers at security firm Kaspersky summarized the activity of WildPressure, a previously unknown advanced persistent threat active against industrial targets in the Middle East. Kaspersky doesn't attribute WildPressure to any nation-state, but it notes that the group distributes a C++ Trojan researchers call Milum. It's unclear whether WildPressure's goals extend farther than espionage. It's apparently been active in its present form since this past August. 

Dave Bittner: [00:02:48]  FireEye's Mandiant division has warned about the ongoing proliferation of commodity industrial control system attack tools. The developers of the tools, which, of course, lower barriers to entry for attackers and raise the risk to enterprises, work to make their malware as widely applicable as they can, vendor agnostic when possible and where not, then tailored to the most widely used ICS (ph) systems. Siemens is the most heavily targeted within FireEye's estimation, some 60% of vendor-specific tools built with Siemens in mind. Products from Schneider Electric, GE, ABB, Digi International, Rockwell Automation and Wind River Systems are also mentioned in dispatches. The targeting follows market share in the parts of the world of greatest interest to attackers. 

Dave Bittner: [00:03:36]  IBM X-Force researchers are describing what they call a relatively sophisticated bit of Android malware being pushed by TrickBot. They call the malware TrickMo and say that while it's been used against targets in Germany, it appears to be still under active development. It's a transaction authentication number stealer. Transaction authentication numbers - TANs, for short - are, in effect, a one-time password used for multifactor authentication, and so TrickMo is designed to get around this useful security measure. There are, of course, security measures in place to defeat TAN stealers, but TrickMo abuses Android accessibility features to identify and control the dialogue screens Android uses to control permissions. 

Dave Bittner: [00:04:22]  Microsoft issued an advisory yesterday that cautioned against a remote code execution vulnerability in the Adobe Type Manager Library used by Windows. Redmond classified the issue as critical and says it's observed some limited exploitation in the wild. They're working on a fix and expect to push it out in next month's Patch Tuesday. In the meantime, they recommend certain mitigations. Two things users might consider are disabling the Preview Pane and Details Pane in Windows Explorer and also disabling the WebClient service. 

Dave Bittner: [00:04:55]  Researchers at security firm Check Point have identified 66 malicious apps in Google's Play Store. They're infested with a strain of click fraud malware called Tekya. The campaigns using Tekya are unusual in that they concentrate on apps designed for and marketed to children. Google removed most of these after Check Point disclosed them, but others were taken down by the criminal operators themselves once they realized the jig was up. 

Dave Bittner: [00:05:23]  Allan Liska is a senior analyst at threat intelligence firm Recorded Future. I spoke with him this week on the "Recorded Future" podcast about some of the specific security challenges organizations are facing in the midst of this global pandemic. Here's a segment from our conversation. 


Allan Liska: [00:05:39]  Obviously, we know that attackers have ramped up their use of coronavirus- or COVID-19-themed lures in their email. And they've been highly successful with that. I read statistics from DomainTools that one campaign in Italy they were tracking got a 10% click-through rate, which is unheard of for any sort of phishing lure. And it's because people are - they don't know what's going on. They don't have enough information. They're glued to their TV sets. And they're fascinated by this. 

Dave Bittner: [00:06:18]  So if I am that person at my organization who is in charge of keeping things secure and, suddenly, I'm faced with a huge percentage of my workforce working from home, they are outside of my firewall. They have - they're outside the moat, you know? I can no longer pull up the drawbridge. How do I prioritize handling that shift? What sort of things should I be working on? 

Allan Liska: [00:06:44]  Normally, this is something that you'd have months or even a year to plan out and go on, you know, and get implemented. You've had to do this in a week. There's going to be mistakes. There are going to be holes. There's going to be problems that people run through. And that is going to create other problems. 

Allan Liska: [00:07:08]  So, you know, you'll - obviously, you'll have support problems 'cause you'll have an overwhelmed support staff that is suddenly fielding, you know, 10, 20 times more calls than they normally do. You'll also have employees that have trouble getting things set up, and so they may try to do workarounds, which means you could expose sensitive data. So there's all kinds of potential problems there. 

Allan Liska: [00:07:33]  And then, as with the COVID-19 example, because of all the confusion and uncertainty, the employees may actually be more likely to click on a phishing email, especially one that purports to be from your IT team, because right now, you're probably expecting a lot of communication from your IT team. And so, you know, you get an email that says, VPN instructions - open this Word document. So you open it, and turns out you've installed something malicious on your desktop that now connects in. 

Allan Liska: [00:08:05]  The best thing that you can do to sort of answer your original question is have a very well-documented plan that's communicated as early as possible, and then have backup plans if those don't work. So in other words, send out to your newly minted workforce, here are the steps you need to do to get connected. Only follow advice that comes from this specific email address. Don't - you know, ignore anything that is, you know, or anything like that. So warn people that these may be coming. 

Allan Liska: [00:08:40]  So you do need to be adaptable, you know, in security and IT right now. Understand the real-world problems that people are having and give them the tools they need to do their job and feel confident that they're doing it in a secure way. 

Dave Bittner: [00:08:56]  That's Allan Liska from Recorded Future. You can check out the rest of our conversation on the "Recorded Future" podcast, hosted by yours truly. That's at 

Dave Bittner: [00:09:08]  The World Health Organization has disclosed that it was subjected to cyberattack by the DarkHotel group, Reuters reports. The attackers, who were after credentials, were detected around March 13. And the WHO says the attack was unsuccessful. 

Dave Bittner: [00:09:23]  It's not clear whom DarkHotel works for, but they have a long record of cyber-espionage, mostly against Russian and East Asian targets, but hitting many other countries as well. There's been some musing over the years that DarkHotel may have some connection with either Chinese or North Korean services, but that attribution is too circumstantial and speculative. The group does show the kind of resources and patience one normally associates with a nation-state intelligence agency, especially since its goals seem to consist largely of espionage. But in any case, the group's origins and masters remain, as reports call them, shadowy. 

Dave Bittner: [00:10:03]  Remember when the Maze, DoppelPaymer and Netwalker ransomware gangs told BleepingComputer that health care targets were off limits? Yeah, well, we didn't believe it either. It seems that the truth changes, or perhaps there are other gangs out there less high-minded than the public-spirited three. 

Dave Bittner: [00:10:21]  L'Express says that France's CERT reported that Paris hospitals sustained an inconvenient but unsuccessful ransomware attack Sunday. The strain used against the Parisian targets hasn't been specified, but in another case, it has. Forbes reports that Hammersmith Medicines Research, a British firm standing by to help test any COVID-19 vaccines that may be developed, was the target of a Maze ransomware attack on March 14. It might be argued pedantically that the attack happened before Maze promised good behavior on March 18. On the other hand, that good behavior - if it ever, in fact, materialized - clearly doesn't extend to helping with decryption or relaxing extortion demands. The Maze gang has continued to demand payment and, what's even more evident of bad faith, has published to its dark web markets some of the data that it stole during the attack. Thieves got to thief. No one should build any high hopes on criminals' promises. 

Dave Bittner: [00:11:21]  This kind of nonsense, of course, represents a direct threat to public health. But others haven't hesitated to use fear of the COVID-19 virus as phishbait in the service of fraud or other illicit activity. Researchers at security firm KnowBe4 call it a feeding frenzy as the cyber sharks sense coronavirus fear in the online waters. Old, familiar come-ons are back in use. Bogus invoices, calendar invitations, purchase orders, requests for proposals and casual file sharing are all out there, so do stay skeptical and stay safe. 

Dave Bittner: [00:11:55]  And it's not just that the virus is providing the phishbait. The conditions of relatively greater isolation that people are living under in many parts of the world also has a tendency to make them more susceptible to social engineering. Help Net Security summarizes research by the Better Business Bureau, the FINRA Investor Education Foundation and the Stanford Center on Longevity that suggest isolation and loneliness contribute to anyone's vulnerability to manipulation by scammers. So try to stay connected as safely as you can - pick up the phone, chat, exchange emails. And, of course, stay alert, and stay healthy. 

Dave Bittner: [00:12:39]  And now a word from our sponsor KnowBe4. Email is still the No. 1 attack vector the bad guys use, with a whopping 91% of cyberattacks beginning with phishing. But email hacking is much more than phishing and launching malware. Find out how to protect your organization with an on-demand webinar by Roger A. Grimes, KnowBe4's data-driven defense evangelist. Roger walks you through 10 incredible ways you can be hacked by email and how to stop the bad guys. And he also shares a hacking demo by KnowBe4's chief hacking officer, Kevin Mitnick. So check out the 10 Incredible Ways, where you'll learn how silent malware launch, remote password hash capture and rogue rules work, why rogue documents, establishing fake relationships and compromising a user's ethics are often so effective, details behind clickjacking and web beacons and how to defend against all of these. Go to and check out the webinar. That's And we thank KnowBe4 for sponsoring our show. 

Dave Bittner: [00:13:53]  And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, also my co-host over on the "Caveat" podcast. Ben, over on "Caveat," you and I have been discussing, as I think most podcasts are these days, the evolving situation with the coronavirus. But we've been hitting specifically on some of the issues that deal with civil liberties. You had an article that came by you wanted to draw attention to. This is about a surveillance company deploying what they're calling coronavirus-detecting cameras in the U.S. What's going on here? 

Ben Yelin: [00:14:29]  Yeah, so this was an article from the Motherboard page at Vice. It's about a company called Athena Security. It's previously sold systems to both public and private sector clients, where they claim to use artificial intelligence to identify items in video feeds, like knives and guns. So you can see, for example, how that would be particularly useful at public venues, places like airports, theaters, et cetera, but also could be very useful for the government as well, including at government facilities. 

Ben Yelin: [00:15:01]  They are claiming now that they have developed technology to use thermal imaging to measure whether people in a public place have a fever. They are using this imaging to measure people's temperature. And they claim to be able to measure within a half-degree of reality of that person's actual temperature. 

Ben Yelin: [00:15:21]  And, you know, there are potential consequences to this technology. A person goes out in public. They have a fever above, you know, whatever that 100.4 is that would indicate they potentially have the coronavirus. And, you know, because this fever would indicate that they're positive, they might face some sort of quarantine and isolation order. So there are certainly some civil liberties implications of this. 

Dave Bittner: [00:15:48]  Yeah, how interesting how our perspectives can change when it comes to these sort of privacy issues when faced with a legitimate emergency. 

Ben Yelin: [00:15:58]  Absolutely. You know, I heard yesterday in Maryland that they were going to close down the locations where they measure vehicle emissions and might turn them into drive-thru testing centers. 

Dave Bittner: [00:16:07]  Right. 

Ben Yelin: [00:16:08]  And I was ecstatic at that news. I thought it was an excellent idea. We already have the infrastructure in place for cars to come by and for people, you know, to either take the coronavirus test or be screened for their temperature. This is something that three or four weeks ago would've seemed absolutely outlandish, you know? You could have thought of conspiracies about the government, you know, conducting a mouth swab on every single person in the state and putting them into some sort of DNA database. And that would've felt... 

Dave Bittner: [00:16:35]  Right. 

Ben Yelin: [00:16:35]  ...Extremely scary. But, you know, we're living through particularly scary times. This is a true pandemic, public health emergency. And at least my instant reaction to that news was not to have any concerns about civil liberties but was to be pleased that perhaps we could ramp up our testing capabilities so that we could better identify who has this virus and we could isolate those people while allowing everybody else to return to some semblance of normal life. 

Dave Bittner: [00:17:03]  You know, it's interesting. As the federal response has been - I suppose if I'm being generous, I could say slow - that the states have really stepped up here. As a resident of Maryland, it's been comforting to see that our governor, our leadership, they've been doing everything within their power to step up. And I think that's something we're seeing nationwide. 

Dave Bittner: [00:17:28]  It's interesting to me when we look at sort of, you know, the structure of our nation, you and I have talked many times about how things sort of break out between the feds and the states. And we're seeing that play out in real time here with this. 

Ben Yelin: [00:17:42]  Yeah, it's quite an experiment in federalism. You know, states retain police powers, so whether - well, you know, they've given up some of their powers to the federal government as part of Article I of our Constitution. But everything else - those powers to protect the health, safety and welfare of citizens - those powers are retained at the state level. And because of that, states have very broad public health emergency powers. They can demand mandatory quarantine and isolation. They can, and have in many states, shut down large businesses like bars and restaurants and casinos. They can demand the closure of schools. You know, in the state of Maryland, I know that the governor could even seize private property for public use if that public use was for some sort of public health emergency. 

Ben Yelin: [00:18:31]  States are doing the best that they can, but there are some things that do require strong, robust federal action. There's something called the Defense Production Act. It is a Korean War-era law where the government could actually compel companies to manufacture certain products that are necessary to confront an emergency. And there's been some discussion about forcing companies to, you know, abandon whatever else they're manufacturing and focusing on producing, for example, N95 masks, surgical masks or testing kits for the COVID-19 virus. And that's something that really can only be done at the federal level because it's only the federal government that has access to those resources. 

Dave Bittner: [00:19:13]  Right, right. All right, well, interesting insights, as always. Ben Yelin, stay safe. Thanks for joining us. 

Ben Yelin: [00:19:19]  You, too. Thanks. 

Dave Bittner: [00:19:25]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: [00:19:43]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at 

Dave Bittner: [00:19:56]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team - working safely from home - is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.