The CyberWire Daily Podcast 5.1.20
Ep 1079 | 5.1.20

China hacks at Vietnam over a territorial dispute. Kim’s still in charge, but could Hidden Cobra get loose if his grip slackens? COVID-19 and cybersecurity.


Dave Bittner: [00:00:04] Tensions between China and its neighbors. ICS incursions are troubling. The U.S. intelligence community comments on COVID-19 disinformation. The FBI tracks increased cybercrime activity during the pandemic. Johannes Ullrich explains Excel 4 macro vulnerabilities. Our guest is Tina C. Williams-Koroma from TCecure on the importance of strong, effective leadership in cybersecurity. And smile for that webcam - your boss may be watching.

Dave Bittner: [00:00:39]  It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely because that's what you want - actionable intelligence. Sign up for the Cyber Daily email, and every day, you'll receive the top trending indicators Recorded Future captures crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates. And we thank Recorded Future for sponsoring our show. 

Dave Bittner: [00:01:47]  Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud - to protect the latest like containers, to empower your change makers like developers and to enable business accelerators like your teams. Cloud security that accelerates business - it's about time. Go to 

Dave Bittner: [00:02:10]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, May 1, 2020. 

Dave Bittner: [00:02:19]  Tensions between China and its neighbors are finding more expression in cyberspace. As FireEye reported last week, Vietnam is thought to have conducted a recent cyber espionage campaign against Chinese targets, mostly targets that might yield information about the origins and transmission of COVID-19. Now Chinese threat actors are engaged in spearphishing officials in Da Nang. Anomali sees strong indications that the Pirate Panda group is behind the attacks. Da Nang is a coastal city relatively close to the Paracel Islands, ownership of which is disputed among China, Vietnam and the Philippines. CyberScoop says that the spearphishing campaign seems linked to the territorial dispute, especially since Da Nang was recently visited by the USS Theodore Roosevelt and the USS Bunker Hill on a diplomatic goodwill mission that took them near the disputed waters. The U.S. regards those waters as international; China says it owns them. 

Dave Bittner: [00:03:17]  While the best available information indicates that Kim Jong-un is still running North Korea and isn't under any serious immediate challenge, the recent scare about his health and the realization that the DPRK succession plans are vague at best have led the Atlantic Council to warn that North Korean offensive cyber capabilities could become a loose cannon in the event of a leadership crisis in Pyongyang. 

Dave Bittner: [00:03:42]  The attacks on Israeli water and wastewater treatment facilities were conducted by hackers who knew how to effect programmable logic controllers, SecurityWeek reports. The CBC says the Royal Canadian Mounted Police are investigating a ransomware attack against Northwest Territories Power Corporation websites and email services. Both incidents are troubling. The Israeli incident appears to have been possibly a direct attack against industrial control systems. The Canadian incident, while still troublesome, looks like a more conventional ransomware attack on business systems. 

Dave Bittner: [00:04:18]  How and where the coronavirus strain that's come to be known as COVID-19 emerged has been the subject of a great deal of misinformation and disinformation. It seems beyond serious dispute that the virus emerged in China and, although consensus here is strong, that it jumped to humans from bats. The U.S. intelligence community has been investigating COVID-19's origins. 

Dave Bittner: [00:04:40]  And the Office of the Director of National Intelligence has released its initial findings. The statement is brief, and we quote it in full. Quote, "The entire Intelligence Community has been consistently providing critical support to U.S. policymakers and those responding to the COVID-19 virus, which originated in China. The intelligence community also concurs with the wide scientific consensus that the COVID-19 virus was not man-made or genetically modified. As we do in all crises, the community's experts respond by surging resources and producing critical intelligence on issues vital to U.S. national security. The IC will continue to rigorously examine emerging information and intelligence to determine whether the outbreak began through contact with infected animals or if it was the result of an accident at a laboratory in Wuhan," end quote. 

Dave Bittner: [00:05:32]  There had been disinformation from China that the virus was an American biowar program gone rogue and from fringe conspiracy speculators, largely but not exclusively in the US, that it was deliberately engineered by China in a Wuhan lab. The least credible version of the conspiracy theory was that the virus was a weapon the Chinese lost control of. The more credible version was that the virus emerged in its lethal form when some gain-of-function research in Wuhan was bungled and the virus was accidentally released. 

Dave Bittner: [00:06:04]  There is a major biological laboratory in Wuhan, and the US Intelligence Community continues to investigate whether there may have been an accident in a research program there. But the ODNI's statement categorically rules out both deliberate weaponization and risky genetic engineering. So the remaining options seem to be either a lab accident or, more probably, zoonotic disease that made the jump from bats to humans.

Dave Bittner: [00:06:30]  Foreign policy reports signs that Russian influence operations under preparation for the upcoming European and US elections will prominently feature COVID-19 disinformation. Some of that disinformation will represent low-hanging fruit. If people fear coming into a public polling place to vote, exaggerating and playing to such fear will have the effect of undermining the electorate's willingness to participate. 

Dave Bittner: [00:06:55]  According to SecurityWeek, the European Union yesterday issued a condemnation of cyberattacks mounted against hospitals and other organizations engaged in fighting the COVID-19 pandemic. The EU didn't name names. And much of the hacking is surely criminal and not under state direction. But some of the malicious activity probably is state-directed, notably attacks on Czech health care facilities, which Czech authorities and public opinion increasingly ascribe to Russian intelligence services. 

Dave Bittner: [00:07:25]  The US Federal Bureau of Investigation says that reported cases of cybercrime have risen dramatically during the pandemic. How dramatically? The FBI's Internet Crime Complaint Center normally receives about 1,000 complaints a day. The IC3 is now logging two to three times that number, CyberArk observes. A report by Kaspersky concludes that remote desktop protocol brute-forcing has increased tremendously. Quote, "The lockdown has seen the appearance of a great many computers and servers able to be connected remotely. And right now, we are witnessing an increase in cybercriminal activity with a view to exploiting the situation to attack corporate resources that have now been made available - sometimes in a hurry - to remote workers," end quote. 

Dave Bittner: [00:08:11]  And finally, how do you keep workers on task while they're working remotely? And how hard do you even need to try? Granted that telework is not the same as phoning it in. But it does seem that some organizations are taking very intrusive steps to ensure that employees stay on task. The Washington Post writes, quote, "thousands of companies now use monitoring software to record employees' web browsing and active work hours, dispatching the kind of tools built for corporate offices into workers' phones, computers and homes. But they have also sought to watch over the workers themselves, mandating always-on webcam rules, scheduling thrice-daily check-ins and inundating workers with not-so-optional company happy hours, game nights and lunchtime chats," end quote. 

Dave Bittner: [00:08:57]  Some of these seem fine. Well-intentioned morale boosters like happy hours and game nights seem innocent enough, and entirely innocent if they're truly voluntary and non-coercive. The keyloggers and always-on webcams, however, seem to be another matter entirely. But even the innocent measures by which companies stay connected troubles some who see them as further blurring the lines between home and work, between free time and the time you spend on the clock. And eventually, close surveillance may become a net negative. 

Dave Bittner: [00:09:30]  We're fortunate at the CyberWire, in that our work is the kind that doesn't seem to tempt anyone to keep very close tabs on us. If the stories are filed and accurate, well, the suits are good to go. And all of us have been enjoying the virtual happy hours, which are voluntary. But there may be kinds of work where some form of monitoring seems necessary. Are you, for example, working under a time-and-materials contract? Then managers might become a bit antsy over whether time was actually being entered honestly. 

Dave Bittner: [00:10:00]  Still, it seems there ought to be a solution that stops short the kind of Benthamite panopticon The Post describes. And we hesitate to even speculate about the workload involved in actually checking all those webcams and key logs. Management by walking around is fine. But management by online lurking? Well, that's another kettle of fish. Besides, do we all need another reminder of how toxic the data we collect improved to be? 

Dave Bittner: [00:10:34]  And now a word from our sponsor, LastPass. LastPass is an award-winning security solution that helps millions of individuals and over 61,000 organizations navigate their online lives easily and securely. Businesses can maximize productivity while still maintaining effortless, strong security with LastPass. Security is essential for a remote workforce. LastPass identity helps make stronger security seamless through integrated single-sign-on, password management and multi-factor authentication. LastPass Identity enables remote teams to increase security. LastPass can help prevent against the uptick in cyberattacks targeting remote workers through biometric authentication across apps, workstations and VPNs for an additional layer of security across all critical devices. It can help manage user access. Regardless of where or how employees need access, LastPass ensures employees always have secure access to their work applications through single sign-on and password management. It helps your employees securely share. LastPass enables remote employees to securely share passwords across teams in order to securely collaborate and stay on top of critical projects. And it helps maintain control. LastPass enables IT to remain in complete control over which employees are accessing which resources no matter where they're working from. With LastPass Identity, you can keep your remote workforce secure and connected. Visit to learn more. That's And we thank LastPass for sponsoring our show. 

Dave Bittner: [00:12:16]  My guest today is Tina C. Williams-Koroma. She's owner and president of TCecure, a cybersecurity services company based in Baltimore. Our conversation centers on her approach to leadership in cybersecurity and why the human side is so important. 

Tina C. Williams-Koroma: [00:12:33]  I think one of the first things I bring up is just being clear on whether it's a services company or more of a product solution company because how you start and what you need to start I think can be a little bit different. So with a services company, the upside is that, you know, I think it's easier to get started, less capital required upfront, typically, with a services-oriented business, depends on the specific type of service. But from a general rule of thumb, it is - you can have clients and be revenue-generating I think a lot quicker than if it's a product or a solution that takes some R&D type of time and building, you know, a prototype and things like that. 

Tina C. Williams-Koroma: [00:13:14]  So likewise and similarly, it's also, you know, whether they want a consultant type of company, where it's just them as an individual type of contributor, or if they're trying to build, you know, a larger entity where they would have employees and things like that. So across the board, it's just making sure that there's enough capital or money there, you know, to get the business started and to make payroll, even if it's just you. A lot of times, clients pay a lot slower, right? You have to think of what the cycle is like. It's making sure they're understanding the difference between how you get income when you're a business owner versus being an employee, where there's this dedicated check that arrives, you know, every two weeks or semimonthly or whatever that schedule is. 

Tina C. Williams-Koroma: [00:14:08]  So I think that that's one of the biggest things that I say that might catch people by surprise. Just because you did work one day doesn't mean you're suddenly going to have your money two weeks later the way that you might in an employee-type of capacity or realm. 

Dave Bittner: [00:14:27]  Yeah. It's funny, you know. Back when I had my own company as well, I remember we used to joke that one of the perceptions that people often have who don't run their own companies is they think at every company, there's a room in the back that's full of money. 

Tina C. Williams-Koroma: [00:14:44]  Exactly, exactly. Yeah, yeah. It's - you know, it's like, oh, you have your own company. Oh, you're your own boss. Man, how great, you know. It's like... 


Dave Bittner: [00:14:55]  Right. 

Tina C. Williams-Koroma: [00:14:55]  Yeah, it's like, tell me what you think that means. 

Dave Bittner: [00:14:57]  Set your own hours, yeah (laughter). 

Tina C. Williams-Koroma: [00:14:59]  Right (laughter). 

Dave Bittner: [00:15:00]  It sounds awesome. I get to choose which of the 80 hours per week I work. It's just - it's great, yeah. 

Tina C. Williams-Koroma: [00:15:06]  Exactly, exactly. Yeah, yeah, it's like... 

Dave Bittner: [00:15:09]  Let me ask you this - in particular, when you're speaking to women who are on that entrepreneurial path, are there specific messages that you share with them? 

Tina C. Williams-Koroma: [00:15:20]  Yeah, I think one of the biggest things that I share with women is just really the importance for confidence and just knowing that you know what you know and you belong where you are, you know? I think that that's just really important because in a lot of cases, especially in a technology context, but in business ownership in general, you know, I recently just became aware that it was even more recent than I thought, you know, for women being able to get business loans on their own without having a male relative have to sign for them, you know. That's as recent as 1988. That is squarely within my, you know, generation. Like, I was already born in here, you know. 

Dave Bittner: [00:16:04]  Right. 

Tina C. Williams-Koroma: [00:16:05]  And so with that being so recent, it's - you know, I think some people may take it for granted the role and presence that that women have in business and in entrepreneurship in particular. So I think that that confidence in just, you know, knowing that as a woman, you know, you're here, you know what you know, be confident in that and carry that with you because I think confidence really goes a long way in terms of how we pursue financing, how we pursue our ideas, the risks that we take, et cetera. So I think that that's one of the biggest things, you know. And I've had different encounters, you know, in my career, being asked, like, why are you in the room, you know? It's just like, oh, boy. Yeah, so... 

Dave Bittner: [00:16:52]  Right. Do you mind taking notes? 

Tina C. Williams-Koroma: [00:16:55]  Right, exactly. It's like, no. 


Tina C. Williams-Koroma: [00:17:01]  So, yeah. I think that that's - one of the biggest things is - it's just the confidence. I think everything else, you know, stems from there. They've received a certain, you know, education. They have a certain training. They certainly have the ideas, the innovation, you know, kind of mentality, the creativity and just with that confidence, you know. And make sure they're asking questions. Like, you know, don't be afraid to ask questions thinking that it's going to, you know, make you look less competent, you know, that can only serve as a disservice - right? - to them. 

Dave Bittner: [00:17:33]  Right. 

Tina C. Williams-Koroma: [00:17:34]  Be confident in what you know and be confident enough to ask the questions and say, OK, tell me more about that. 

Dave Bittner: [00:17:41]  That's Tina C. Williams-Koroma from TCecure. 

Dave Bittner: [00:17:50]  And now a word from our sponsor, ExtraHop - securing modern business with network detection and response. Security and IT teams are under more pressure than ever. Any workforce that can go remote has done so almost overnight. That means more stress on critical systems and more potentially unsecured IoT devices on corporate networks and an urgent need to see and respond to threats as quickly as possible. ExtraHop helps organizations like Wizards of the Coast detect threats up to 95% faster and respond 60% more efficiently. As chief architect and information security officer Dan McDaniel put it, there's no other company that aligns to supporting the DevOps model, the speed and the lack of friction than ExtraHop. See how it works in the full product demo free online at That's And we thank ExtraHop for sponsoring our show. 

Dave Bittner: [00:18:53]  And I'm pleased to be joined once again by Johannes Ullrich. He's the dean of research at the SANS Technology Institute. And he's also the host of the "ISC StormCast" podcast. Johannes, it's always great to have you back. We wanted to touch today about an oldie but a goodie. We're talking about some Excel macros here. What are you guys tracking when it comes to this? 

Johannes Ullrich: [00:19:15]  Probably the No. 1 ways how organizations are being compromised these days is the email with the Office document as an attachment that includes a macro. Now, these macros are typically written in Visual Basic. That's sort of the modern current way, how you're writing macros. You have interesting story here from one of our Storm Center handlers. One of his users actually asked for a document to be released from quarantine. The document was flagged as suspicious, and the user says, hey, I know that person sent it to me. It was something I was waiting for. 

Johannes Ullrich: [00:19:49]  Well, so I think it was Xavier who looked at it closer. And, initially, he didn't find any problems with that document. But - so it passed all the tests. Like, it didn't have any Visual Basic macros in there, but it still looked suspicious to him. It's one of these - Spidey senses are kind of tingling. 

Dave Bittner: [00:20:09]  (Laughter). 

Johannes Ullrich: [00:20:10]  And what he then found was that this particular document used an Excel 4 macro. Excel 4 - you know, I don't know how old it is, pretty old. 


Johannes Ullrich: [00:20:23]  But it's one of those things. These old things never go away. So, yes, there was indeed an Excel 4 macro. And since he found it, he sort of started of course looking for it and found many, many more examples. 

Dave Bittner: [00:20:37]  Wow. So this is a case of - I guess that backwards compatibility that is sort of out of sight, out of mind could come back and bite you? 

Johannes Ullrich: [00:20:47]  Yes, we had this before with Office document, not sure if you remember the - VelvetSweatshop password in some Word documents was another example here. With these macros, there are a couple other little tricks that are being played. Like in Excel, you can hide a worksheet, and that's nothing really special. You just right click and hide it. But turns out that in the Excel file format, the hidden - there are actually three values. It's either visible, it's hidden, then they have a very hidden value. 

Dave Bittner: [00:21:19]  (Laughter). 

Johannes Ullrich: [00:21:21]  Very hidden actually means that this particular macro cannot be unhidden just by clicking on it. So lots of these little tricks that the bad guys use to make it more difficult to really detect these malicious documents. 

Dave Bittner: [00:21:36]  Yeah, I'm always left scratching my head because - and I suppose it is a reality that there are plenty of people out there who need to enable macros. But I wonder, who are these people? Because it's not something that in my own experience I found to be so. 

Johannes Ullrich: [00:21:53]  Well, there are a lot of sort of an enterprise Excel or Office artists, I call them, that come up with fairly complex spreadsheets and such that use these macros to even pull in values from APIs and such. So, yes, they exist. And that's where the hard part here for these - for the security guys that do - to filter out the right macros, like in this case. Now, the user actually expected a document like this, and that makes it really difficult. In particular, if you're talking about more targeted attacks or these busy email compromises, where an attacker already has insight into some of the emails being exchanged, then you can figure out who is the guy sending those weird macros and maybe add even code to it. 

Dave Bittner: [00:22:46]  Yeah. Well, and how interesting, too, that in this case, just - you know, somebody had a notion. Something just didn't feel right, and that ended up exposing the problem. 

Johannes Ullrich: [00:22:57]  And that's really, you know, what usually matters is sort of that experience, what are you knowing what a document is supposed to look like. It's - a lot of it is just experience and figuring out what's good, what's bad. 

Dave Bittner: [00:23:08]  Yeah. 

Johannes Ullrich: [00:23:09]  I guess that's the part they're trying to do with artificial intelligence. And I have to clone Xavier here to make that work. 


Dave Bittner: [00:23:18]  Right, right. Just get him to sign off on that. It won't be a problem. Yeah, yeah. All right. Johannes Ullrich, thanks for joining us. 

Johannes Ullrich: [00:23:24]  Thank you. 

Dave Bittner: [00:23:30]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at the And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: [00:23:47]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at 

Dave Bittner: [00:23:59]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.