The CyberWire Daily Podcast 5.7.20
Ep 1083 | 5.7.20

Mining Monero. A RAT in a 2FA app. The decline of the Cereal botnet. Markets during the pandemic. Ransomware in Taiwan. Twitter appeals to reason.


Dave Bittner: [00:00:05] A new Monero miner is out and about. Hidden Cobra is pushing a RAT through a Trojanized two-factor authentication app. The rise and fall of a botnet. Markets, criminal and legitimate, react to the pandemic. Ransomware hits Taiwan. Remcos is resurgent. Michael Sechrist from BAH on the future of ransomware. It's World Password Day, so Rachel Stockton from LastPass shares their Psychology of Passwords report. And, no, despite what you saw on Twitter when you were doing your own research, 5G does not cause COVID-19, and telecom repair crews are not agents of the Illuminati. 

Dave Bittner: [00:00:46]  It's time to take a moment to tell you about our sponsor Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyberattacks. Go to to subscribe for free threat intelligence updates from Recorded Future. And we thank Recorded Future for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to 

Dave Bittner: [00:02:13]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 7, 2020. 

Dave Bittner: [00:02:22]  Red Canary reports finding a new threat to Windows machines. It's observing a cluster of apparently related activities the company is calling Blue Mockingbird that are engaged in deploying Monero cryptominers on infected machines. The malicious payloads are appearing in dynamic-link library form on Windows systems. Initial access is gained through exploitation of public-facing web applications, and the most common payload is the XMRig open-source currency miner. 

Dave Bittner: [00:02:52]  A new version of the Dacls remote access Trojan is being distributed by North Korea's Lazarus group - also known as Hidden Cobra and APT38. Malwarebytes Labs says that this version is designed to work against Macs, and it does so through a Trojanized version of the MinaOTP two-factor authentication app, an app used mostly by Chinese speakers, which suggests its probable target set. Qihoo360 Netlab first described the Dacls RAT in December of 2019. 

Dave Bittner: [00:03:25]  Botnets rise, of course, but they also fall, especially as affected devices are patched or retired. One long-running botnet that exploited D-Link NVRs - network video recorders - and NAS - network-attached storage devices - has slowly declined through this natural attrition. ZDNet reports that the Cereal botnet, established by some otaku to download anime, has been active since 2012. It peaked in 2015 with over 10,000 bots in its herd but is now almost gone. Cereal was also driven down by some competing malware. Cr1ptt0r ransomware suppressed Cereal infestations this past winter, which wasn't necessarily a good thing for victims. Forcepoint now thinks it's safe to publish details on the vanishing botnet, and they've done so. 

Dave Bittner: [00:04:14]  Tech firms, including some in or adjacent to the cybersecurity sector, haven't been immune to the economic pressures of the pandemic. Here are three examples from the US West Coast heart of the industry. The Silicon Valley Business Journal reports that Cohesity has cut staff and done so only a few weeks after raising $250 million in capital, that cloud provider Nutanix has laid off almost 1,500 employees (about 27% of its workforce), and that Cloudera yesterday confirmed that it was readying a round of layoffs. 

Dave Bittner: [00:04:48]  The cybersecurity sector proper, however, while seeing a slowdown due to the caution so prevalent in the markets it serves, has proven relatively resilient under pressure. Security needs have remained relatively stable. And after all, security itself remains a relatively small and bearable fraction of corporate budgets, SecurityBrief points out in a survey of industry observations of the sector. 

Dave Bittner: [00:05:13]  The criminal market has followed opportunities opened up by the crisis. Not only has it become commonplace that COVID-19 has been dangled all over the internet as effective phishbait, it's surfaced in a new round of attacks by familiar Nigerian gangs, a business email compromise campaign Palo Alto Networks is calling "Silver Terrier." And Illusive Networks believes it's detected a nation-state-sponsored ransomware campaign with strong similarities to the techniques used by TrickBot. 

Dave Bittner: [00:05:42]  Bots have also been causing trouble through automated applications for emergency relief. Some of the problems with emergency relief programs are technical, not necessarily nefarious, but rather artifacts that emerge in any rapidly expanding system that wasn't designed to handle large volumes of requests. TechTarget reports that the US Small Business Administration will no longer process applications for Payroll Protection Program loans filed using robotic process automation tools. So many requests have come in by RPA that the system was overwhelmed. But some of that activity is nefarious, since RPA tools benefit criminal as well as legitimate enterprises. The Wall Street Journal says that the US Justice Department is actively investigating fraudulent applications for assistance. 

Dave Bittner: [00:06:30]  Another area where criminals see opportunity under the present state of emergency, ZeroFox reports this week, is with compromise attempts against celebrities' accounts and attacks offering free streaming services. Sports and entertainment figures, when their social media accounts can be turned to criminal use, can be used to drag their fans in. And when you're stuck at home with little to do, free streaming services can be dangerously attractive. 

Dave Bittner: [00:06:56]  In case you are looking for something to celebrate today, it's World Password Day. And no matter how you and your loved ones celebrate, whether it's sending the kids searching the house for passwords written on sticky notes stuck to the underside of keyboards, or breaking out the Boggle game to see who can generate the most complex string of random characters, World Password Day is a good reminder to take stock of your password hygiene. Rachael Stockton is senior director of product marketing at LastPass. 

Rachael Stockton: [00:07:24]  So I'm a psychology minor... 

Dave Bittner: [00:07:27]  Ah. 

Rachael Stockton: [00:07:27]  ...And I have to say, this just plays right into my interests. And one of them is the concept of cognitive dissonance, right? You know something is right, yet you continue to behave against it, and then you have that friction. And that's really one of the key things that we have come up with in this report, and it's that 91% of people know that reusing passwords is insecure, that that's not a best practice. They shouldn't do it. 66% of them still do. And this has been a consistent finding over the three years we've been doing this report. So I think this cognitive dissonance still exists, despite people being much more educated about the risks of password reuse and all the data breaches we hear about consumer passwords being stolen. 

Dave Bittner: [00:08:15]  So how do we come at this disconnect here? Is it a technology solution? Is it a training solution or a combination of all those things? 

Rachael Stockton: [00:08:23]  I think the first piece there is - there is a psychology behind it, right? They have to understand that there is something that they can change, a behavior that they can change. One of the things we hear from people is why they don't want to really change their passwords or even use a solution like a LastPass is they want to maintain control. If I know it, it'll be safe. But what we also found is that people underestimate the number of passwords that they have. They estimate that they have between 1 and 20, but when we compare it to our anonymized information, people have about 40 different passwords. This is consumers. So the concept of I can control this by being really insecure and reusing and I'm underestimating how much I'm trying to do - I think that's something that, as humans, we have to realize it's OK we don't control this, like phone numbers. I don't know anybody's phone number - I'm sorry, Dad -... 

Dave Bittner: [00:09:22]  Right. 

Rachael Stockton: [00:09:22]  ...In my phone. But I'm OK with it because I trust that I'm going to be able to get to that. It's the same with passwords. And then once they've made that leap, there's a plethora of ways that they can have, you know, secure passwords, easy to remember. But it's also really interesting that people are still trying to memorize passwords. 

Dave Bittner: [00:09:44]  What about the fear that some people have - I've heard this one mentioned - where, if I use a password manager, well, then it's just the keys to the kingdom. If someone gets that password, well, then they have everything. 

Rachael Stockton: [00:09:55]  You know what? Very valid concern. And that was one of the best things that we actually saw in the psychology of the passwords is the concept of multi-factor authentication is really going mainstream. And so what we've seen is that, in this survey - that over half of people are saying that they're using MFA for some of their personal accounts. But you know what's worrisome? This does bleed over to work. And less than 40% are saying they're using it at work. So I do think we do need to think about - particularly as everybody is working at home right now, we expect this trend to continue in the future, and our real lives are becoming more and more virtual, and we're opening up more accounts. This blending belief between work and personal is happening rapidly. So I think that's where we really need to see the continued adoption of MFA on the consumer side, but businesses have to be thinking about this more as well. 

Dave Bittner: [00:10:52]  That's Rachael Stockton from LastPass. 

Dave Bittner: [00:10:56]  Microsoft is tracking a surge in Remcos attacks that it says are using COVID-19 lures to prospect organizations across many sectors. Remcos is a remote administration tool marketed for various legitimate purposes, but it's been widely used in criminal and espionage campaigns as a RAT. The phishing is pretty much a dead giveaway with respect to intent. 

Dave Bittner: [00:11:18]  And finally, Twitter is still trying to control the rumor that 5G causes COVID-19. One would have hoped the odd belief that cell towers are somehow the cause of coronavirus infections would have now passed its expiration date. Alas, no. Twitter is still grappling with the dissemination of that particular theory, often linked by the credulous to suspicion that the whole matter is linked to a deeper conspiracy to cull the herd, to prepare for some horrendous world order of social control, and that fear exists in left, right and center forms. The Telegraph says that Twitter's most recent approach to the rumor is to prompt people who tweet it to read an official British report debunking the cell-service origin theory, which is so direct and almost charmingly naive - and we mean naive in the best possible sense of the word - that one wishes them all success. Why not give the invisible hand of the marketplace of ideas a chance to work its magic? Give reason a chance? 

Dave Bittner: [00:12:20]  This particular bit of misinformation is dangerous not because it's affecting treatment or compliance with public health advice. It's dangerous because it's inspired people to vandalize cell towers. An ex-Googler told The Telegraph in an earlier piece that he sees structural problems with social media that tend to cause misinformation cascades. He's concerned mostly with YouTube and sees the algorithmic push to optimize watch time at all costs as fostering the propagation of spectacularly false and spectacularly attractive content. Substitute engagement for watch time to generalize the problem. The problem has involved more than just vandalism. Some telecom maintenance workers in the U.K. were attacked by locals who accused them of setting up the virus infrastructure. 

Dave Bittner: [00:13:07]  One almost wishes for a return of alien invasion conspiracy theories. At least you'd know what to say - Klaatu barada nikto. See, you can learn things from television. A true otaku would add, Gort, declensu kasku. But that's just gravy, or so we hear from the old 5G. We're kidding, of course. We're kidders. We like to kid. 

Dave Bittner: [00:13:39]  And now a word from our sponsor KnowBe4. Corporate privacy concerns are more paramount than ever before. Organizations are being forced to maneuver a new world of security and privacy issues related to a remote workforce, evolving hardware and software needs and employee access policies. Kevin Mitnick knows this world well. In fact, that's the topic of his new book, "The Art of Invisibility." Kevin Mitnick has a new webinar, and a few topics include privacy concerns around employees using personal devices for business purposes, security issues with various operating systems, mobile devices and the internet of things, the reality of deep privacy and how tied together devices, systems and surveillance really are and why new-school security awareness training is more critical than ever before. Plus, Kevin shares some shocking new demonstrations that will change the way you think about privacy. Go to to watch the webinar. That's And we thank KnowBe4 for sponsoring our show. 

Dave Bittner: [00:14:54]  And I'm pleased to be joined once again by Michael Sechrist. He's the chief technologist at Booz Allen Hamilton. Michael, it's great to have you back. I wanted to touch on where you think things are headed with ransomware. We're kind of in a interesting situation right now dealing with the global pandemic. And that puts different pressures on people all over the globe. 

Michael Sechrist: [00:15:19]  Yeah. Thank you so much for having me back. It certainly does. Like we've seen, cyber is a - cyberspace is an extension of the physical world. So as we deal with strains and crises going on with COVID-19, we're seeing kind of an influx of COVID-19 potentially related activity in cyberspace. And generally, the attackers have, you know, see some kind of opportunity here. And they're seeing - one, they're seeing weakness on corporate environments, on federal environments, government environments where, you know, they are having difficulty potentially with, you know, work-from-home capabilities, with availability, with being able to kind of baseline activity. So that's kind of one - you know, a thing that the attackers will see. 

Michael Sechrist: [00:16:07]  The other thing they'll have is they'll have a motive, right? They'll have a - more of a need, potentially, for actually just money for goods and services to operate and continue their activity. And that's going to change. And the other thing is they have more time on their hands, generally. If they're potentially confined as well, basically having access to potentially a device that allows them to get access to funds or to do things that they need to survive, they're going to probably take advantage of that. So you have this - kind of like this storm brewing that they're going to use to their advantage. And ransomware is certainly on that list. We've seen the COVID - there was a map of COVID-19 infections that was being distributed with - that, you know, produced potentially a malware infection that would drop a particular variety of ransomware that they were calling CovidLock, which was related to obviously the campaign here. We're seeing, you know, other ransomware, you know, going after groups like Epiq Global, which is a legal services provider, falling victim to a large ransomware attack. We're seeing other kind of ransomwares continue to be dropped through malspam campaigns, through, you know, compromising cloud backup providers. So, you know, this will not slow down. 

Dave Bittner: [00:17:31]  Yeah. You bring up an element that I hadn't really considered, which is that we're going to have people who have technical abilities who are not going to be working. And so out of desperation, perhaps, you know, they could find themselves with a little more moral flexibility than they had before when it comes to spinning up some of these kits to make ends meet. 

Michael Sechrist: [00:17:57]  That's right. Yeah. And, you know, there was previously interviews with some cyber criminals where they will literally talk about, you know, the need to support their family or treating this as also a day job that they go and perform to bring in, you know, money for their family. And so you can't think of that and not relate it to the current environment. You've got, again, folks that this was potentially a source of income now completely almost reliant on not being able to move in certain environments and likely going to use that as an attack vector. 

Dave Bittner: [00:18:30]  Yeah. All right, well, Michael Sechrist, thanks for joining us. 

Michael Sechrist: [00:18:33]  Thanks so much. 

Dave Bittner: [00:18:39]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: [00:18:57]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at 

Dave Bittner: [00:19:09]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.