The CyberWire Daily Podcast 3.25.20
Ep 1052 | 3.25.20

APT41 is back from its Lunar New Year break. Commodity attack tools for states and gangs. Russia takes down a domestic carding crew. Restricting misinformation.


Dave Bittner: [00:00:02] APT41 is back and throwing its weight around in about 20 verticals. States and gangs swap commodity malware. The FSB - yes, that FSB - takes down a major Russian carding gang. Coronavirus-themed attacks are likely to outlast the pandemic. Facebook Messenger considers limiting mass message forwarding as a way of slowing the spread of COVID-19 misinformation. 

Dave Bittner: [00:00:33]  And now a word from our sponsor ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book, "SOAR Platforms: Everything You Need to Know About Security, Orchestration, Automation and Response." The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. You can download it at That's And we thank ThreatConnect for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to 

Dave Bittner: [00:02:04]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 25, 2020. 

Dave Bittner: [00:02:14]  APT41 renewed activity this month after a February lull that corresponded to China's Lunar New Year. In what FireEye calls a global intrusion campaign using multiple exploits, the group is targeting vulnerabilities in Cisco routers, Citrix NetScaler ADC and Zoho ManageEngine Desktop Central products. The targets appear to have been selected with some deliberation and not hit opportunistically, but they're drawn from a wide range of verticals - telecommunications, manufacturing, health care, government, oil and gas, higher education, defense, industrial, pharmaceutical, finance, technology, petrochemical, transportation, construction, utilities, media, not-for-profits, law firms, realtors and travel services. The campaign appears to be one of collection as opposed to disruption. What APT41's goals are remains unclear. The hacking group is generally thought to work on behalf of the Chinese government's intelligence services, but it also moonlights, and it's not reluctant to dip into financially motivated cybercrime on the side.

Dave Bittner: [00:03:20]  We're accustomed to hearing about the commodification of hacking tools cybercriminals use. They're cheap. They offer a reasonable return on investment. And above all, they don't require much or even any skill development or, in many cases, any development at all. CYFIRMA researchers report that the commodification of attack tools has enabled less-capable intelligence services in developing nations to conduct effective cyber operations. And established cyber powers aren't above using the commodity tools, either. CYFIRMA sees evidence of collaboration between the big operators and both clients and allies of convenience. 

Dave Bittner: [00:03:58]  In December, for example, the security firm's researchers observed discussions in various hackers' communities of how to launch Emotet attacks. CYFIRMA says the hacking groups were all known to be state-affiliated and funded. The attack mechanism of choice is simply commodity malware. Commodity malware is attractive because of the ease with which it can be repurposed and turned against various target sets. Some of the state actors CYFIRMA says it's tracked in this trend will have familiar names - Stone Panda, Lazarus Group, Gothic Panda and Fancy Bear. 

Dave Bittner: [00:04:33]  CYFIRMA's list includes the qualification "or associated group," which suggests that, of course, there are state actors who have yet to be recognized or described but also that there's moonlighting going on and that in some places, criminal gangs operate with the knowledge and sufferance of the security organs, provided, naturally, that the criminal gangs keep their noses clean and their hands off prohibited targets.

Dave Bittner: [00:04:58]  With that in mind, here's something a bit different. In what CyberScoop calls a rare enforcement action, Russia's FSB has arrested 25 individuals on charges of running the BuyBest - also known as the GoldenShop - carding and PII dark web market. The FSB has also shuttered BuyBest's online operations. If it weren't for, well, history with the FSB, we'd almost be tempted to say, bravo, FSB. The FSB is one of the old Soviet KGB's daughter agencies, carrying its foremother's legacy into Russia's post-Soviet era. The service's mandate extends to counterintelligence, internal security and surveillance. Its activities can be difficult to distinguish from those of its sister agency, the SVR, which is responsible for foreign intelligence and espionage. 

Dave Bittner: [00:05:52]  Anyhoo, the biggest fish this particular dragnet pulled in was one Alexey Stroganov, who uses the hacker name Flint24. Mr. Stroganov, according to CyberScoop, is apparently something of a recidivist, having served two years of a six-year sentence for an earlier cybercrime beef. The FSB said their takedown netted about a million dollars in cash, server equipment used for the operation of online stores, fake identification documents, including passports of Russian citizens, as well as rifles, drugs, gold bars and precious coins. That list makes Mr. Stroganov and his colleagues look like a collection of gangsters right out of Central Casting. The FSB noted that some of the carding data being traded belonged to Russian citizens and came from Russian banks, and that may indicate the domestic line these particular alleged crooks stepped across to draw the attention of the organs. 

Dave Bittner: [00:06:49]  Count me among those who are skeptical of using a password manager. How could adding another layer in between me and my accounts possibly make life easier? More secure, maybe - OK, more secure, for sure. But take it from me. Once you get past the initial transition period, which really isn't that bad, using a password manager is not only safer but easier as well. But don't just take it from me. Rachael Stockton is senior director of marketing at LogMeIn, makers of the LastPass password manager. We sat down for a chat at the RSA Conference. 

Rachael Stockton: [00:07:24]  You know, I feel as if we've made progress in the past few years. I think people understand the problem around managing both passwords as well as overall access and identities. But I think the more you learn about it, it's like peeling back an onion. You see that there are more challenges. 

Rachael Stockton: [00:07:43]  So when you think about passwords, you know, there are the passwords that we have for our own applications, ones that we bring in, the ones that the company assigns us, the ones that we have for our own personal use. And organizations are solving that in a lot of different ways, right? SSO - that's fantastic for business apps... 

Dave Bittner: [00:08:03]  Right. 

Rachael Stockton: [00:08:04]  ...Which is great, provides a lot of control. But we also know that that's only going to solve a certain percentage of applications. It's only going to protect a certain percentage of applications. And I like to think of things as, like, doors and windows. 

Dave Bittner: [00:08:19]  OK. 

Rachael Stockton: [00:08:19]  And so when you think about the kinds of technologies that people are adopting, they look at SSO - it's going to help lock those doors, for sure. 

Dave Bittner: [00:08:26]  Right. 

Rachael Stockton: [00:08:27]  But then when you think about what people are actually bringing into the office to help make themselves more productive, those are all open windows, as well as our sort of - the second-tier applications that not everybody's using, that may be more departmental... 

Dave Bittner: [00:08:41]  OK. 

Rachael Stockton: [00:08:41]  ...That may not make that sort of top tier for integration with SSO - more open windows. I think that's where password management can come in. So that's a way that you're able to help close some of those windows as well. 

Dave Bittner: [00:08:56]  I'm curious. As we look towards the future, how do we see this playing out as the technology continues to evolve and we see things like people are pushing solutions that have no passwords at all - you know, a future without them? We see things like biometrics coming along and those sorts of things. What is on your radar when you look down the road as to where we may be headed? 

Rachael Stockton: [00:09:19]  I'm aligned with everything you just said there. I think if you look at us as humans, we don't want to have things that come between us and what we want to get at, whether it's our personal data, our work data, anything along those lines. And so passwords right now are that, you know, that challenge that we have to overcome to get it. 

Dave Bittner: [00:09:39]  Right. 

Rachael Stockton: [00:09:39]  The price you have to pay. And I think there's more technology out there now that helps us if not eliminate the concept of password, then make the password more invisible, so biometrics, for example. You know, you mentioned having to have one password to access your entire password manager - true. 

Dave Bittner: [00:09:57]  Right. 

Rachael Stockton: [00:09:58]  But we also now use biometrics for everything to get into our phone. It's second nature to us. And you can picture that replacing that concept of that password to get you into things - or if not replacing, masking it. And I think you're going to see more and more in personal life, but also in business, where passwords may be there - they may not be - but they're not going to be the end user's concern. It's going to be about touching - you know, it's going to be able to fingerprint. It's going to be about that glance at your phone, which will now let you into your computer. 

Dave Bittner: [00:10:30]  Right. 

Rachael Stockton: [00:10:30]  It might be the glance at your phone that lets you into your house. And I think that's where we're going to be going, even - I would hope even further, really pushing the envelope there, really figuring out how we can make access incredibly frictionless, invisible, transparent for the end user. But then also on the business side, from an administrative perspective, how do you give that same kind of ease to that administrator who's going to be managing all of this, too? And I think that's really important from the business side. You spend a lot of time on the end user. 

Dave Bittner: [00:11:03]  Right. 

Rachael Stockton: [00:11:03]  But we have to think about that admin as well. You know, you don't want to have to bring in tech that you have to be hiring lots of people to manage. This isn't the way we want to be growing sort of in managing identity. So I think we have to be considering that as well. How do we make sure setting it up, setting the right policies, all of those things, maintaining it is really super simple? So I think it's simplicity all around. 

Dave Bittner: [00:11:28]  That's Rachael Stockton from LogMeIn. 

Dave Bittner: [00:11:32]  The Wall Street Journal, noting the patience of both intelligence services and the larger criminal gangs, points out that the fallout from coronavirus can be expected to affect cybersecurity for weeks or months after the pandemic abates. Some bad actors won't wait, and BusinessWorld reports that the Philippines' Department of Information and Communications Technology sees a heightened risk of attacks on hospitals and other health care facilities. Attempts against health care facilities and organizations suggest that some criminal assurances that they'll leave essential services alone during the pandemic are empty and idle. The health care sector should by no means relax its cyber guard. The services it provides and the information it holds are more valuable than ever, and there's no reason to think this will have escaped the criminals' attention. 

Dave Bittner: [00:12:20]  In an attempt to inhibit the flow of misinformation about COVID-19, Facebook Messenger may limit users' ability to mass forward messages, Naked Security reports. The ability to quickly disseminate mass messages has been seen as a problem for Facebook before, especially in cases of mob violence incited online in various South Asian communities. The cap on distribution now being considered would, Facebook hopes, at least slow down the rate at which misinformation and disinformation spreads. 

Dave Bittner: [00:12:51]  And finally, we close with some good news from our community. Exabeam's Chris Tillett, one of the cybersecurity industry's early COVID-19 sufferers, seems to be on the road to recovery, the local Connecticut news service Good Morning Wilton reports. We congratulate him, hope his prognosis stays positive and send our best wishes to his family. 

Dave Bittner: [00:13:18]  And now a word from our sponsor KnowBe4. Email is still the No. 1 attack vector the bad guys use, with a whopping 91% of cyberattacks beginning with phishing. But email hacking is much more than phishing and launching malware. Find out how to protect your organization with an on-demand webinar by Roger A. Grimes, KnowBe4's data-driven defense evangelist. Roger walks you through 10 incredible ways you can be hacked by email and how to stop the bad guys. And he also shares a hacking demo by KnowBe4's chief hacking officer Kevin Mitnick. So check out the 10 Incredible Ways, where you'll learn how silent malware launch, remote password hash capture and rogue rules work, why rogue documents, establishing fake relationships and compromising a user's ethics are often so effective, details behind clickjacking and web beacons and how to defend against all of these. Go to and check out the webinar. That's And we thank KnowBe4 for sponsoring our show. 

Dave Bittner: [00:14:33]  And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the "Hacking Humans" podcast. Joe, great to have you back. 

Joe Carrigan: [00:14:42]  Hi, Dave. 

Dave Bittner: [00:14:43]  As you and I are recording this, there are bills making their way through Congress to help get stimulus checks out to U.S. citizens. 

Joe Carrigan: [00:14:54]  Yes, that's correct. 

Dave Bittner: [00:14:55]  And it's happening fast and furious. So... 

Joe Carrigan: [00:14:57]  It is. 

Dave Bittner: [00:14:58]  A little behind the scenes here - you and I record these segments a day or two before they air. 

Joe Carrigan: [00:15:03]  Right. 

Dave Bittner: [00:15:04]  So there's a chance that when this airs, things may have changed already. But (laughter)... 

Joe Carrigan: [00:15:08]  That's correct. That's correct. 

Dave Bittner: [00:15:08]  Here's what we know. It looks like it's likely that these checks are going to happen. 

Joe Carrigan: [00:15:14]  Right. 

Dave Bittner: [00:15:14]  It's likely that we're going to get checks sent directly to us from... 

Joe Carrigan: [00:15:17]  Yep. 

Dave Bittner: [00:15:18]  ...The federal government. 

Joe Carrigan: [00:15:19]  Based on previous tax filings. 

Dave Bittner: [00:15:21]  That's right. And it is almost a certainty that scammers are going to take advantage of this. 

Joe Carrigan: [00:15:26]  One hundred percent, Dave. This is a golden opportunity for scammers. And everybody should be aware of it. 

Dave Bittner: [00:15:33]  Yeah. 

Joe Carrigan: [00:15:34]  So there's an article on Forbes that, actually, my wife forwarded to me today from Jim Wang, who talks about the entire stimulus package and everything. But he actually spends a little bit of time talking about scams on this and that you should be worried about this and look for people who are saying things like, we need your - we need some money from you to release your check, right? Anybody that calls you up and says, we need money from you to release your check, that's a scam. 

Dave Bittner: [00:15:59]  Right. 

Joe Carrigan: [00:15:59]  Right? 

Dave Bittner: [00:16:00]  Right. 

Joe Carrigan: [00:16:00]  These checks are just going to show up in the mail, actually. 

Dave Bittner: [00:16:02]  Yeah, most likely. Yep. 

Joe Carrigan: [00:16:04]  That's the way these things have worked in the past. I've never had to file for a stimulus check. 

Dave Bittner: [00:16:08]  Right. 

Joe Carrigan: [00:16:10]  But I've gotten them. 

Dave Bittner: [00:16:11]  Another thing they're saying is that these scams could say, get your check now. 

Joe Carrigan: [00:16:16]  Yes. 

Dave Bittner: [00:16:16]  Get it fast. 

Joe Carrigan: [00:16:17]  The FTC is warning that - that... 

Dave Bittner: [00:16:18]  Yeah. 

Joe Carrigan: [00:16:18]  ...They're saying, get your check now, kind of like the tax refund things that, like, H&R Block and TurboTax offer, right? They offer you an immediate tax refund based... 

Dave Bittner: [00:16:28]  Oh. 

Joe Carrigan: [00:16:28]  ...On your return for filing with them. 

Dave Bittner: [00:16:31]  Right. 

Joe Carrigan: [00:16:31]  That's actually a loan that they're giving you. But they're basing that loan on the fact that your return is expecting a certain value back. 

Dave Bittner: [00:16:41]  Yeah. 

Joe Carrigan: [00:16:41]  Right? 

Dave Bittner: [00:16:41]  Yeah. 

Joe Carrigan: [00:16:41]  And then they're actually charging you for that. 

Dave Bittner: [00:16:43]  Yeah. 

Joe Carrigan: [00:16:44]  If you wait for your return, you'll get the full amount of money. But based on that kind of information - right? - based on that kind of experience that the American people have, this kind of a scam could take off, where, hey, you can get your stimulus check now, and just give us your banking information, and we'll put the money in your account. 

Dave Bittner: [00:17:02]  Yeah. And taking advantage of the fact that there's a lot of anxiety out there. There are... 

Joe Carrigan: [00:17:06]  There is a lot of anxiety. 

Dave Bittner: [00:17:07]  ...A lot of people who are in increasingly desperate situations as their jobs go away... 

Joe Carrigan: [00:17:13]  Right. 

Dave Bittner: [00:17:13]  ...Sources of income dry up. So people are in need of this money. So it's a good thing, I suppose, that the money's going out. But everybody needs to be vigilant. 

Joe Carrigan: [00:17:24]  Everybody needs to be vigilant. And one of the things we need to do is reach out to everybody that we know that might be susceptible to scams and give them the information that this is something to look out for. Call your older parents that might be susceptible to this. 

Dave Bittner: [00:17:39]  Right, right. 

Joe Carrigan: [00:17:40]  And tell them, look out for these scams. Don't answer any emails or any phone calls where they're promising this money or they're asking about you paying a fee to get it released or they want your bank account details. 

Dave Bittner: [00:17:51]  Right, right. Anybody asking for your Social Security number... 

Joe Carrigan: [00:17:54]  Right. 

Dave Bittner: [00:17:54]  ...Any of that personal information - the feds aren't going to need that... 

Joe Carrigan: [00:17:58]  Right. 

Dave Bittner: [00:17:58]  ...To send you your check. 

Joe Carrigan: [00:17:58]  Nope, they already have it. 


Joe Carrigan: [00:18:00]  They are the source of that information, so... 

Dave Bittner: [00:18:01]  That's right. Right. 

Joe Carrigan: [00:18:02]  ...They don't need to ask you for it. 

Dave Bittner: [00:18:04]  Yeah, yeah. All right. 

Joe Carrigan: [00:18:05]  In fact, if you don't know your Social Security number, you can ask them, and they'll tell you. 

Dave Bittner: [00:18:11]  (Laughter) I just imagined you calling up every day - hey, listen; could you tell me my Social - I just - I can't remember it. I can't... 

Joe Carrigan: [00:18:16]  (Laughter) Right? 

Dave Bittner: [00:18:16]  Just one more time. And, yeah, OK, Joe. Here it is. 

Joe Carrigan: [00:18:19]  (Laughter). 

Dave Bittner: [00:18:19]  All right. 

Joe Carrigan: [00:18:19]  They got it written down on a sticky note next... 

Dave Bittner: [00:18:21]  Right, yeah. 

Joe Carrigan: [00:18:21]  ...To me. 

Dave Bittner: [00:18:21]  Under no circumstances give this man his Social Security number. 

Joe Carrigan: [00:18:23]  (Laughter). 

Dave Bittner: [00:18:25]  All right. Well, you know, we all got to stick together here. These are interesting times. Things are changing quickly. But look out for your loved ones. 

Joe Carrigan: [00:18:33]  Yes. 

Dave Bittner: [00:18:34]  Warn them. Do your best to help them. Use the powers that you possess to sniff out these sorts of scams. And spread some of that knowledge around. 

Joe Carrigan: [00:18:43]  Absolutely. 

Dave Bittner: [00:18:43]  All right. Joe Carrigan, thanks for joining us. 

Joe Carrigan: [00:18:45]  My pleasure, Dave. 

Dave Bittner: [00:18:51]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: [00:19:09]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at 

Dave Bittner: [00:19:21]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. See you back here tomorrow.