The CyberWire Daily Podcast 4.23.20
Ep 1073 | 4.23.20

APT32 activity reported. Florentine Banker’s patient BEC. iOS zero-days exploited in the wild. Sinkholing a cryptomining botnet. Intelligence services and gangs follow the news.


Dave Bittner: [00:00:04] Someone - probably Vietnam - is trying to develop intelligence on China's experience with the coronavirus. Florentine Banker is an example of well-organized crime. iOS zero-days have been exploited in the wild. A cryptomining botnet is sinkholed. Malek Ben Salem from Accenture Labs on encrypted DNS. Our guest is Russ Mohr from MobileIron on why the applications that excite us about 5G are the same applications that warrant the most concern. And intelligence services and criminals are tuning their phishbait to current events, as they always do. 

Dave Bittner: [00:00:45]  And now a word from our sponsor, ExtraHop - securing modern business with network detection and response. Security and IT teams are under more pressure than ever. Any workforce that can go remote has done so almost overnight. That means more stress on critical systems and more potentially unsecured IOT devices on corporate networks and an urgent need to see and respond to threats as quickly as possible. ExtraHop helps organizations like Wizards of the Coast detect threats up to 95% faster and respond 60% more efficiently. As Chief Architect and Information Security Officer Dan McDaniel put it, there's no other company that aligns to supporting the DevOps model, the speed and the lack of friction than ExtraHop. See how it works in the full product demo free online at That's And we thank ExtraHop for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security built natively in the cloud for the cloud; to protect the latest like containers, to empower your change-makers like developers and to enable business accelerators like your teams. Cloud security that accelerates business - it's about time. Go to 

Dave Bittner: [00:02:08]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, April 23, 2020. FireEye yesterday published a report describing their conclusion that APT32, a threat actor associated with the Vietnamese government, was engaged in intrusion campaigns designed to collect intelligence from Chinese targets concerning the pandemic. The researchers say they found spear-phishing messages sent to China's Ministry of Emergency Management and the government of Wuhan, where the pandemic is generally regarded as having begun. 

Dave Bittner: [00:02:44]  Vietnam has denied involvement in cyber espionage against Chinese organizations involved in controlling the COVID-19. Reuters says Hanoi today dismissed the accusations as baseless. In fairness to Hanoi and with all due respect to the plausible and implausible deniability intelligence services prize so greatly, it does seem hard to fault any government for trying to figure out just what in the world actually has been going on in Wuhan for the last few months. 

Dave Bittner: [00:03:14]  Check Point has identified a gang they call Florentine Banker that's involved in sophisticated theft from selected banks, mostly investment houses. The campaign is patient, does careful reconnaissance, begins with spear-phishing and ends with wire fraud. It's not so much organized crime as it is extremely well-organized crime. 

Dave Bittner: [00:03:36]  The targeted firms are British and Israeli organizations, and they all use Microsoft Office 365 as their main email provider. The operation proceeded in six stages. First, obtain email credentials through spear-phishing. Second, observe the victim, read their emails to understand how the organization transfers money, what its relationships are with customers, banks, lawyers and accountants and what the key roles are within the organization. Check Point says this stage can take months. Next, control and isolate. The attackers do this by creating mailbox rules that divert mail with interesting content to folders the Florentine Banker is monitoring and that the compromised individual isn't paying much attention to. The fourth stage is to set up look-alike domains and begin using them to conduct email conversations. The mark is likely to miss the small change in the domain name. The next step is to ask for money, either by intercepting legitimate wire transfers or generating new, entirely fraudulent ones. And then, finally, the gang monitors the conversation and troubleshoots any problems until the funds are in their account. 

Dave Bittner: [00:04:47]  Check Point doesn't know where the Florentine Bankers are locating, but the bank accounts they use seem to have been either in the U.K. or Hong Kong. For the most part, they seem to speak English. The researchers observed that the criminals don't speak Hebrew. If they did, they wouldn't have missed out on some of the opportunities that appeared in that language. 

Dave Bittner: [00:05:08]  Researchers at the digital forensics shop ZecOps reported yesterday that they discovered two iOS zero-days that were undergoing active exploitation in the wild. Vice says the researchers think it likely that those doing the exploitation may be working on behalf of a nation-state and that they might have been purchased from an exploit broker. Quote, "It's someone who's spending budgets on buying exploits, but they don't really have the technical capabilities to change those exploits for better OPSEC," end quote. Apple declined to comment to Reuters on ZecOps research but did say that the vulnerabilities would be closed in the next release of iOS. 

Dave Bittner: [00:05:46]  ESET has taken down and sinkholed the command-and-control servers for the VictoryGate cryptomining botnet. Some 35,000 machines are thought to have been infected, ZDNet reports. 

Dave Bittner: [00:05:59]  Google's Threat Analysis Group has a report on how nation-states are using COVID-19 as phishbait. TAG says it's tracked over a dozen government threat groups phishing with coronavirus lures. The goal of the attackers has been either delivery of malware packages or credential harvesting. Many of the targets were U.S. government employees. These were often baited with bogus offers of free fast food presented as a generous gesture from various hospitality chains. These attempts were, on the whole, indiscriminate mass-mailed spam, interesting in part because of what they suggest about hostile intelligence services' views of what interests and motivates American civil servants - burgers and fries, mostly. 

Dave Bittner: [00:06:42]  TAG doesn't offer any attribution of these phishing expeditions, but they do identify two threat groups by name, both of which are prospecting international health organizations, including the WHO, the U.N.'s World Health Organization. These are Charming Kitten, associated with Iran, and Packrat, a South American group whose sponsorship is less clear. Charming Kitten has been sending emails that spoof WHO as the sender. Packrat has been running bogus WHO pages. Google doesn't see this trend as representing an increase in the amount of state-run operations. It's a shift in tactics and choice of bait, not a significant increase in operational tempo. 

Dave Bittner: [00:07:23]  We continue our exploration of the benefits and potential unintended consequences of the transition to 5G mobile technology. Russ Mohr is with security and compliance firm MobileIron, and he makes his case for why the applications that excite us about 5G are the same applications that could warrant the most concern. 

Russ Mohr: [00:07:43]  I think, for the majority of people, what they understand is, you know, it's an order of magnitude faster than 4G. It's great. You can download videos quicker. But there's also a lot of other benefits to 5G. And one of them that we commonly talk about is smart cities. So when we have a really high density of devices that are connecting - like when you're running an electrical grid, when you have traffic lights, when you have gas and water services and things, you know, that cities tend to run - there can be a lot of devices connecting those networks. So they handle density very well. And that's a technology called massive machine type communications, or MMTC. So you can connect a lot more devices than you can on a traditional 4G network when you're using 5G. 

Russ Mohr: [00:08:31]  The other thing that's really interesting about 5G is the latency. So we can bring latency right down to about one millisecond of delay. That's really important if you are running self-driving cars or drones or you have an autonomously guided vehicle that needs to stop very quickly, like let's say within 20 milliseconds. So you can actually carve out networks that have very low latency with 5G that allow you to run applications that just weren't possible in the past. 

Dave Bittner: [00:09:09]  So what are some of the areas of concern, then? 

Russ Mohr: [00:09:12]  Well, there are many, right? Like, first of all, I mentioned we're going to be running vehicles and drones, and we might be doing things like telemedicine with 5G. And so the applications become much more crucial, much more dangerous if they actually don't function the way that they're supposed to. So you can imagine that if a hacker were able to infiltrate a 5G network that was running drones and repurpose those drones to do something else, that could be dangerous. Or if they were able to get - penetrate a smart city and get into the grid and, you know, turn all the red traffic lights green or, you know, get into the water supply and turn it off or, you know, shut off the electricity, those things can be, you know, really very serious. 

Russ Mohr: [00:10:07]  So it's actually taking ransomware to the very next level, right? It's not just holding our data, but it's also holding our infrastructure, you know, at ransom. So I think that, you know, because it's so risky, we really need to have an approach that's going to allow us to operate in this new environment, and it's not the traditional approach that we've been taking. 

Russ Mohr: [00:10:31]  5G is critical infrastructure. Our usage is going up a lot. So Verizon published a report saying that, I think, in the middle of March, they had a 75% spike in usage. That's Verizon. I mean, I guess that's, like, 100 million customers, 50 million customers - something like that. And then it went up again the next week, and then it went up again the week after. And people are doing things that require a lot of bandwidth, like gaming or Zoom sessions that eat up a lot of bandwidth. And so 5G becomes really important because if we're not connected right now, it's dangerous. 

Dave Bittner: [00:11:14]  That's Russ Mohr from MobileIron. 

Dave Bittner: [00:11:18]  Cybercriminals are showing a similar shift in tactics. According to Fifth Domain, the FBI says it's received more than 3,600 complaints about COVID-19-themed scams. Threatpost reports a study by Forcepoint in which the security company's researchers evaluated three months of coronavirus-related cybercrime. They determined that criminals in the aggregate have reached a peak of 1.5 million malicious emails a day. 

Dave Bittner: [00:11:43]  Palo Alto Networks' Unit 42 has been tracking this trend, and their findings are entirely consistent with what one might expect. Their report says, quote, "The traditional malice abusing coronavirus trends includes domains hosting malware, phishing sites, fraudulent sites, malvertising, cryptomining and black hat Search Engine Optimization for improving search rankings of unethical websites," end quote. 

Dave Bittner: [00:12:09]  The specific content of the come-ons also varies with news. As emergency assistance to businesses becomes available in many countries, criminals will bait their appeals with references to such government aid. IBM's X-Force has studied the ways in which criminals are exploiting small business awareness of and concerns about stimulus relief packages. Several of their findings strike us as particularly noteworthy. 

Dave Bittner: [00:12:33]  First, more than half of those responding to IBM's survey said they would engage with an email related to their eligibility for stimulus relief. The recently unemployed are even more likely to do so; about two-thirds said they would engage. A great many small-business owners said they were unsure of how to process applications for relief, and the uncertainty would tend to render them vulnerable to phishing emails that purport to guide them through the process. So expect familiar crime dressed up in COVID-19 garb. 

Dave Bittner: [00:13:11]  And now a word from our sponsor, KnowBe4. Email is still the No. 1 attack vector the bad guys use, with a whopping 91% of cyberattacks beginning with phishing. But email hacking is much more than phishing and launching malware. Find out how to protect your organization in an on-demand webinar by Roger A. Grimes, KnowBe4's data-driven defense evangelist. Roger walks you through 10 incredible ways you can be hacked by email and how to stop the bad guys. And he also shares a hacking demo by KnowBe4's Chief Hacking Officer Kevin Mitnick. So check out the 10 incredible ways where you'll learn how silent malware launch, remote password hash capture and rogue rules work, why rogue documents establishing fake relationships and compromising a user's ethics are so effective, details behind clickjacking and web beacons and how to defend against all of these. Go to and watch the webinar. That's And we thank KnowBe4 for sponsoring our show. 

Dave Bittner: [00:14:24]  And joining me once again is Malek Ben Salem. She's the America's cybersecurity R&D lead for Accenture. Malek, it's always great to have you back. I wanted to get your take today on encrypted DNS. It's been a hot topic lately, and I wanted to see where you stand on things. 

Malek Ben Salem: [00:14:40]  Yeah. As you know, Dave, there has been this public debate over encrypted DNS and how to encrypt DNS. The question is not whether DNS should be encrypted or not - I guess all parties agree that DNS traffic needs to get encrypted - but the question is how to do that. And the options we have are using DNS over HTTPS or using it over TLS, the Transport Layer Security protocol. As a reminder, you know, DNS traffic is - are the network queries that translate human-friendly domain names into server IP addresses. When you type a URL in your browser, you know, the browser asks the nearest DNS server for the IP address associated with that domain name. 

Malek Ben Salem: [00:15:28]  And currently, that query is currently sent in plain text. So security administrators are able to tell which sites users are visiting. That also means that these queries can be intercepted, so you can get the wrong answer back from an adversary. So it actually makes sense that these DNS queries get encrypted, both from a security perspective but also from a privacy perspective. 

Malek Ben Salem: [00:15:57]  Now, the question is how to do it. So with the DNS over HTTPS approach, that gives you good privacy, right? First of all, it gets done by default. You know, in the settings of your browser, the browser can just encrypt all traffic, whether it's DNS, whether it's HTTPS traffic - everything gets encrypted. As a user, you don't necessarily have to do anything. And this is the approach that has been taken by Google, for instance. Google is encrypting all DNS look-ups in the Chrome browser. 

Malek Ben Salem: [00:16:34]  The other approach - the DNS over TLS approach, which cable companies and telecom industry groups and ISPs are arguing for - emphasizes security, and it gives the network operators more control to decide, you know, what's the DNS server and which traffic goes further beyond their DNS server or which sites can be blocked. From a usability standpoint, users won't notice any difference with either approach. But from the perspective of network administrators, this - the DNS over TLS approach - puts security first against privacy. 

Dave Bittner: [00:17:18]  If you had to choose, would you choose that one? 

Malek Ben Salem: [00:17:21]  As a user or as a network administrator or... 

Dave Bittner: [00:17:28]  (Laughter) Well, let's start with the professional side. As a network administrator, which one would you prefer? 

Malek Ben Salem: [00:17:33]  So I think what I would advocate for is DNS over TLS, and I would let the user get more control - right? - have them, first of all, decide - go for TLS but also decide which DNS server they want to use. The problem with DNS over HTTPS - obviously, it gives the user perfect privacy because everything gets encrypted, even - you can't tell even the traffic is DNS traffic. As a network administrator looking at that traffic, you can't even know that there is DNS traffic going on - right? - because it's all encrypted. So that gives the users, the end users, perfect privacy. 

Malek Ben Salem: [00:18:20]  But on the other hand, if you think about this - and this is also a war about who gets that user data. So, you know, if Google is encrypting all traffic over HTTPS, it's getting all of those DNS queries. Same thing - Firefox, if it's encrypting that traffic, it's making Cloudflare get all of that data. 

Dave Bittner: [00:18:44]  I see. 

Malek Ben Salem: [00:18:45]  If you're doing the TLS way, you know, those ISP are getting some of that data. So that data is not just delivered just to one entity. And so the fight is more - it's not really about users' experience and how easy it is; it's more about accessing the user data. And that's why, for me, as a professional, I would love to have the user have more control and decide where their data should go. 

Dave Bittner: [00:19:19]  All right. Well, it's an interesting one. We'll have to see how it plays out. Malek Ben Salem, thanks for joining us. 

Malek Ben Salem: [00:19:26]  Thank you, Dave. My pleasure. 

Dave Bittner: [00:19:32]  And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: [00:19:51]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT - a Proofpoint company and the leading insider threat management platform. Learn more at 

Dave Bittner: [00:20:02]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. See you back here tomorrow.