The CyberWire Daily Podcast 4.15.20
Ep 1067 | 4.15.20

Energetic Bear lands at SFO. Windpower utility hit with RagnarLocker ransomware. COVID-19-themed threats. Telework advice. Zooming.


Dave Bittner: [00:00:04] Energetic Bear's paw prints have been seen at SFO. A leading wind power company is hit with ransomware. The Nemty gang hangs up a going-out-of-business sign. Advice for a more secure network. Why health care is an attractive target for cyberattack during a pandemic. ICANN pleads for action against scam domains. And the fortunes of Zoom. 

Dave Bittner: [00:00:32]  And now a word from our sponsor ExtraHop, securing modern business with network detection and response. Security and IT teams are under more pressure than ever. Any workforce that can go remote has done so almost overnight. That means more stress on critical systems and more potentially unsecured IoT devices on corporate networks and an urgent need to see and respond to threats as quickly as possible. ExtraHop helps organizations like Wizards of the Coast detect threats up to 95% faster and respond 60% more efficiently. As chief architect and information security officer Dan McDaniel put it, there's no other company that aligns to supporting the DevOps model, the speed and the lack of friction than ExtraHop. See how it works in the full product demo free online at That's And we thank ExtraHop for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to 

Dave Bittner: [00:01:56]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 15, 2020. 

Dave Bittner: [00:02:05]  Hey, everybody. Guess who left their heart in San Francisco. Yes, yes, Mr. Tony Bennett, but, no, not us. We checked when we got back to Baltimore from RSA, and our heart's pretty much where it's always been, right there on the left-hand side of the breastbone. It took a licking but kept on ticking. But somebody else hearts the city by the other bay. You'll remember the two networks at San Francisco International Airport that were hacked last month. Researchers at security firm ESET have fingered a suspect. On the basis of the tactics, techniques and procedures the security company observed, ESET attributes the attack to Energetic Bear, generally regarded as a threat group operating on behalf of Russia's GRU. So it's Fancy Bear's aerobicizing sister, who made her bones going after energy infrastructure in the Middle East. You may know Energetic Bear by her Dragonfly alias. What were they after? Not so much the airport networks themselves as credentials of those who used them. Specifically, as ESET puts it, the intent was to collect Windows credentials of visitors. You'll remember, as always, that attribution is usually necessarily circumstantial. And that's the case here. 

Dave Bittner: [00:03:20]  Recharge News reports that Portugal-based international power producer EDP has suffered a ransomware attack. According to BleepingComputer, the strain involved in the attack was Ragnar Locker, and the attackers have demanded 1,580 bitcoin in ransom - the equivalent of $10.9 million or 9.9 million euros - in order to restore EDP's files. As is now customary, the ransomware operators say they've taken some 10 terabytes of company information, which they threaten to release if the victim is slow to pay. EDP is a major player in Europe's gas and electric sector and the world's fourth-largest wind power producer. 

Dave Bittner: [00:04:00]  Data privacy continues its ascension as a critical component of cybersecurity. Emily Mossburg is a principal on Deloitte's Cyber Risk Services' leadership team. We chatted at the RSA Conference about the geographical and cultural elements of privacy. 

Emily Mossburg: [00:04:16]  We're seeing more and more that global companies want a level of consistency in terms of their cyber programs. If we look around the globe, there's definitely a distinction and difference in terms of the maturity of programs and where different countries and regions are in terms of their maturity and understanding cyber and implementing their cyber programs. So there's a big focus on what does that mean in terms of the program itself? And, you know, one of the big things is how do they educate globally on the area of cyber? Particularly as the stakeholders shift and change, how do you educate a global organization? How do you get everybody on the same page in terms of the risks? Because the CSO organization itself isn't going to be able to have the scale to face off on the issue as a whole. It's very big. So how do you get a global organization on the same page to understand what the risks look like and to know, basically, who to call for help when you start to see something that's interesting or maybe needs a closer look? 

Dave Bittner: [00:05:20]  I mean, that strikes me as a really fascinating problem, especially at a global scale where not only are you dealing with technical issues, but you're dealing with different cultural issues around the world as well. 

Emily Mossburg: [00:05:33]  Yeah, I think that's a huge part of it is cultural issues. And if you even think about the legal and regulatory environment, there's elements there as you think about what the expectations are around employee interaction and protection of privacy and the overlap of security and privacy. So it really requires an organization to think very comprehensively about what they need to include in their program and what needs to be focused on being consistent, but maybe not exactly the same based upon cultural norms, legal and regulatory environment, et cetera. 

Dave Bittner: [00:06:08]  Let's touch a bit more on privacy because I think, particularly from the regulatory point of view, it's a place we're seeing some movement and some momentum. What sorts of messages are you providing your clients in terms of preparation for regulatory regimes that may be to come? 

Emily Mossburg: [00:06:29]  Well, one of the things that we've looked at and talked about around privacy for a long time is the fact that it's very complex. Even when you start to see, you know, some of the consistencies in the EU around the GDPR, you have to overlay that with other various regional privacy laws and security laws that are focused not always on the same goals. So getting to a place where you understand sort of what your foundational program needs to focus on, where are the areas of overlap and similarity that if you have a single focus for your program you're going to meet multiple legal and regulatory requirements? And then where do you need to flex your program and be specific within a specific geography or country in order to meet the difference between where your foundation is and what the expectations are for that particular country or region? 

Dave Bittner: [00:07:29]  That's Emily Mossburg from Deloitte. 

Dave Bittner: [00:07:32]  With so many people working from the social isolation of home - the better to avoid spreading the coronavirus - there's no shortage of advice on making telework more secure and doing so as quickly and easily as possible. Security experts are advising in general that organizations and individuals take five steps to improve their security during remote work. They come down, for the most part, to familiar cyber hygiene recommendations, and their familiarity doesn't make them any less important. First, keep systems patched and up to date. And while we're on the subject, we note that both Microsoft and Adobe patched yesterday. Microsoft fixed 113 bugs in its products, 19 of them critical and 94 of them important. Four of them are being actively exploited in the wild. Adobe addressed five issues in ColdFusion, After Effects and Digital Editions. None of Adobe's seemed particularly urgent, but you never know, so please do your due diligence. To return to the advice people are offering, the second common recommendation is to use multifactor authentication. Third, avoid reusing passwords. That's how credential stuffing happens. Fourth, be alert to the possibility of phishing emails. They won't always betray themselves with eccentric usage or grammar or with sloppily pasted logos. But with a little attention, an alert user can become a reliable detector of most of the phishing attempts, especially the low-grade ones. And fifth, consider using a virtual private network. That last bit of advice should be followed with caution and circumspection. Zscaler says it's found a number of phony VPN sites using spoofed brands to deliver information stealers. 

Dave Bittner: [00:09:11]  Any organization will be concerned about the confidentiality, integrity and availability of its data, but there are few sectors where these matter more than they do to health care, especially during a pandemic. The Washington Post and others report that there's been no respite in attacks, particularly ransomware attacks, against organizations engaged in developing or administering treatment for COVID-19. This isn't because health care and research organizations are especially poorly prepared to defend themselves. Rather, it's because the data they hold is urgently needed and, therefore, unusually valuable. HealthITSecurity sees smaller hospitals and care facilities as particularly attractive targets. The criminals perceive them as likely to pay the ransom rather than risk an interruption of care. 

Dave Bittner: [00:09:59]  No one - we repeat no one - should expect any public-spirited restraint in the underworld, not even during a global crisis. The U.S. Federal Trade Commission's update on COVID-19-themed complaints it's received is evidence enough. The losses to fraud victims reported to the FTC since the beginning of January totaled $13.44 million. Some of that fraud has been facilitated by domains established to push bogus merchandise and other scams. 

Dave Bittner: [00:10:27]  An Interisle Consulting Group study conducted for ICANN concluded at the end of March. Naked Security describes how ICANN, the Internet Corporation for Assigned Names and Numbers, has written to its accredited domain registrars and asked them to take action against the registration of new domains whose names suggest a pandemic theme. And, of course, since the pandemic is peaking during tax season, there's a criminal convergence between tax fraud and COVID-19-themed attacks. The Hill reports that the U.S. Internal Revenue Service, the IRS, is warning tax professionals that they should expect to be targeted. 

Dave Bittner: [00:11:05]  Reuters reports that London-based Standard Chartered is the first major global bank to tell its employees to stop using Zoom because of concerns about the platform's security. But according to Reuters, the memo also indicated that employees should shun Google Hangouts, too. Standard Chartered says its employees have other more secure means available to conduct business. 

Dave Bittner: [00:11:28]  As concerns grew over the teleconferencing service's security, Zoom has begun to issue weekly security updates. iMore reports that the latest of these, out yesterday, enhances the password options available to users and session organizers. Some of last week's improvements included giving paying customers the option of choosing how their traffic will be routed. The news that Zoom traffic routinely transited Chinese servers aroused alarm in many. The new routing options, one might add, are reassuring only insofar as one believes Zoom either escaped or contained potential security problems in its code supply chain. Several of its partners are Chinese firms, as Citizen Lab found when they looked into the company's encryption issues. 

Dave Bittner: [00:12:13]  One of the widely reported security problems that have troubled Zoom as the teleconferencing platform's usage suddenly expanded has been the availability of login credentials on various black markets. The data exposure, as Fast Company points out, isn't due to a breach at Zoom itself. Instead, it's the result of credential stuffing, in which attackers try credentials culled from other incidents to see if their users have casually employed them for other sites or services. All too often, the users have done exactly that. Don't be like that. 

Dave Bittner: [00:12:53]  Hey, everybody. Dave here. And I want to tell you about CyberWire's new subscription program CyberWire Pro. It's designed for security professionals and all others who want to stay abreast of cybersecurity news. CyberWire Pro is a premium service that will save you time and keep you informed. You may be saying to yourself, hey, that sounds great and something my entire organization can benefit from. We think so, too. With a CyberWire Pro Enterprise subscription, you can make that happen. You can help to keep your organization up to date with the latest news, analysis and trends across the evolving cybersecurity landscape. Save some money and look like a hero at the same time. We've got great discounts for government, commercial teams and academia, too. To learn more, visit and click on the Contact Us link in the Enterprise box. That's, and then click Contact Us in the Enterprise box. And we will help you become that office hero. 

Dave Bittner: [00:13:59]  And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the "Hacking Humans" podcast. Joe, great to have you back. 

Joe Carrigan: [00:14:08]  Hi, Dave. 

Dave Bittner: [00:14:10]  We've got an interesting article. This is from the folks over on the Naked Security blog from Sophos, written by John E. Dunn. And it's titled "Thousands of Android Apps Contain Undocumented Backdoors, Study Finds." What's going on here, Joe? 

Joe Carrigan: [00:14:24]  Well, these guys have studied the behavior of a bunch of apps, including 150,000 apps from the Google Play store and some apps from the Chinese market Baidu, and they found that some of these apps have behaviors you might not expect. Now, what's interesting is they also studied - now, get this, Dave - 30,000 apps that are preinstalled on Samsung devices. 

Dave Bittner: [00:14:47]  Wait (laughter). 

Joe Carrigan: [00:14:49]  That boggles my mind, that there... 

Dave Bittner: [00:14:51]  Yeah. 

Joe Carrigan: [00:14:51]  ...Are 30,000 apps that have come preinstalled on Samsung devices. You know... 

Dave Bittner: [00:14:57]  Samsung makes a lot of stuff, but... 

Joe Carrigan: [00:14:59]  They do. But even if they've made a hundred different products that you would preinstall an app on, that's still 300 apps per object, per phone... 

Dave Bittner: [00:15:08]  Right (laughter). 

Joe Carrigan: [00:15:08]  ...Per device. It's got to be... 

Dave Bittner: [00:15:11]  I'm imagining the new Samsung, you know, Bloatware 5000, where... 

Joe Carrigan: [00:15:16]  Right. 

Dave Bittner: [00:15:16]  ...You unbox it and you power it up. And there's, you know, thousands of pages of preinstalled apps just... 

Joe Carrigan: [00:15:24]  Right. 

Dave Bittner: [00:15:24]  ...There, ready and waiting for you (laughter). 

Joe Carrigan: [00:15:25]  And it already runs slow new and out of the box. 

Dave Bittner: [00:15:27]  Right, exactly. 

Joe Carrigan: [00:15:30]  Yeah, this is why I don't recommend - first of all, I don't really recommend Samsung products. I've not been impressed with their security. And this amount of bloatware that's installed - 30,000 apps - that's unconscionable. 

Dave Bittner: [00:15:42]  (Laughter). 

Joe Carrigan: [00:15:43]  But anyway, they analyze all these apps, looking for backdoors, they call it. And that's kind of - the article says it's an emotive term, and I agree with that. 

Dave Bittner: [00:15:51]  Yeah. 

Joe Carrigan: [00:15:52]  What they're looking for is exhibited behaviors. And they found that somewhere between 5% and 6% of these apps, depending on which marketplace you're looking at, exhibit behaviors that include secret keys, master passwords or secret commands, and some other apps that seem to be checking user input against blacklisted words, such as political leaders' names, incidents in the news and possibly racial discrimination, right? 

Dave Bittner: [00:16:20]  So they're using this broad term, backdoors, to cover, basically, things that the app is doing and information it's exchanging that it's not being on the up and up about. 

Joe Carrigan: [00:16:30]  That's right. It's not being open about it. 

Dave Bittner: [00:16:32]  Yeah. 

Joe Carrigan: [00:16:33]  What's interesting is these bloatware apps exhibited a rate that was more than twice the rate of the apps from Google Play or from the Baidu store - that 16% of the bloatware apps were conducting these behaviors. 

Dave Bittner: [00:16:46]  Now, when you have purchased an Android device, and if you've gotten a brand that comes with these preinstalled apps, is the first thing you do pretty much go through and delete them? 

Joe Carrigan: [00:16:56]  I've tried to do that. And in some cases, you actually can't remove them. They've built the software such that you can't remove the preinstalled apps. I remember one of my original HTC devices that I got from Sprint had a NASCAR app that I couldn't uninstall. I can't stand NASCAR. 

Dave Bittner: [00:17:12]  (Laughter). 

Joe Carrigan: [00:17:12]  I have absolutely no interest in it. But I couldn't get rid of the app. I actually... 

Dave Bittner: [00:17:16]  Right. 

Joe Carrigan: [00:17:16]  ...Couldn't get rid of the app. There are other things that come on the Samsung phones. I've owned a couple of Samsung phones, and I couldn't get rid of some of the Samsung apps, like their fitness app that I didn't want. I would prefer to use other apps. But I still had to keep their app installed. And because their app is installed, if I don't go in and physically disable it and tell it not to run, which I had to do with all the Samsung apps - and even then, how do I know that they're actually disabling it because this is Samsung's version of Android because Android's an open-source operating system. 

Dave Bittner: [00:17:48]  Right, right. 

Joe Carrigan: [00:17:48]  Now, there's a way to protect yourself against this, and that is to buy an Android One-certified phone, which comes with just the stock Android. And bloatware is not allowed to be included in the distributions in order to be listed as an Android One phone. Of course, you will probably remind everybody that Apple absolutely forbids the installation of bloatware apps on their phones regardless of who the carrier is because they're the only manufacturer of the phone. 

Dave Bittner: [00:18:14]  That's right. That's right. Well, and I don't have to remind them because you just did. 

Joe Carrigan: [00:18:18]  Right (laughter). 

Dave Bittner: [00:18:21]  So... 

Joe Carrigan: [00:18:21]  There... 

Dave Bittner: [00:18:21]  Plus, it pains you to have to do that. 

Joe Carrigan: [00:18:23]  It does, Dave. 

Dave Bittner: [00:18:26]  (Laughter) Well, I suppose that's one of the answers then, is if you pay, you know, this tax for the more pure versions of either Android or what people refer to often as the Apple tax... 

Joe Carrigan: [00:18:37]  Right. 

Dave Bittner: [00:18:37]  ...That solves the issue of the bloatware. But these things are coming through the Play Store, and I suppose there's no reason to think the same thing isn't happening on the Apple App Store. 

Joe Carrigan: [00:18:48]  Yeah. 

Dave Bittner: [00:18:48]  I'm not sure there's an easy way to protect yourself against this. 

Joe Carrigan: [00:18:50]  Yeah. I mean, just limit the apps you have installed. The other day, I looked at how many apps I had installed on my phone. It was over a hundred, and I was kind of dismayed by that. I probably don't need a hundred apps installed on my phone. 

Dave Bittner: [00:19:00]  Yeah. 

Joe Carrigan: [00:19:02]  But I would like to see a similar study done on the apps available in the App Store from Apple 'cause I would imagine that this is probably going on in the Apple Store as well and apps from that store as well. But I'll bet that Apple has a more severe response. 

Dave Bittner: [00:19:16]  Yeah, yeah. Could be. Maybe just a little more stringent from the get-go in their testing. But, you know, stuff slips by. It always does. 

Joe Carrigan: [00:19:23]  Stuff does slip by, absolutely. 

Dave Bittner: [00:19:25]  Yeah, yeah. All right. Well, it's an interesting story, again, from the Naked Security blog over at Sophos - "Thousands of Android Apps Contain Undocumented Backdoors." Joe Carrigan, thanks for joining us. 

Joe Carrigan: [00:19:38]  It's my pleasure, Dave. 

Dave Bittner: [00:19:44]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: [00:20:02]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at 

Dave Bittner: [00:20:13]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. See you back here tomorrow.