The CyberWire Daily Podcast 5.20.20
Ep 1092 | 5.20.20

Cyber espionage: many operations and many targets. Misinformation and online fraud during the pandemic. Beer and conviviality versus operational security.


Dave Bittner: [00:00:03] Cyber spies steal prototype missile data, others hack into South Asian telecoms and still others go after easyJet passengers' travel data. Cyberattacks, misinformation and cyberfraud continue to follow the COVID-19 pandemic. Joe Carrigan weighs in on the Thunderspy vulnerability. Our guest is James Dawson with insights on DMARC threats and why it's worse during COVID-19. And think twice before you post, no matter how good or bad you think the beer is. 

Dave Bittner: [00:00:38]  And now a word from our sponsor, ExtraHop, securing modern business with network detection and response. Security and IT teams are under more pressure than ever. Any workforce that can go remote has done so almost overnight. That means more stress on critical systems, more potentially unsecured IoT devices on corporate networks and an urgent need to see and respond to threats as quickly as possible. ExtraHop helps organizations like Wizards of the Coast detect threats up to 95% faster and respond 60% more efficiently. As chief architect and information security officer Dan McDaniel put it, quote, "there's no other company that aligns to supporting the DevOps model, the speed and the lack of friction than ExtraHop." See how it works in the full product demo free online at That's And we thank ExtraHop for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to 

Dave Bittner: [00:02:05]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 20, 2020. 

Dave Bittner: [00:02:14]  Japan's Defense Ministry is investigating the possible theft of technical details from a proposal concerning a missile designed by Mitsubishi Electric. Reuters says the details of the cyber-espionage are sparse but that the data stolen probably included certain performance specifications. The report adds that the missile won't be produced. The materials stolen appear to have been from files associated with the proposal, and apparently, Mitsubishi Electric didn't get the contract. 

Dave Bittner: [00:02:45]  Researchers at Broadcom's Symantec unit are attributing attacks on South Asian telecommunications companies to Greenbug, an espionage group associated with Iran and thought to be connected to the group responsible for Shamoon. CyberScoop reports that most of the activity was directed against Pakistan's telecommunication system. Telcos are attractive targets because of the value of the data they carry. The focus on Pakistan suggests a service with a strong interest in the region. 

Dave Bittner: [00:03:15]  The Jerusalem Post, considering the recent cyberattack on an Iranian port as retaliation for a cyberattack on Israeli water treatment facilities, sees the exchange as typifying a new approach to cyberwar - continuous engagement. 

Dave Bittner: [00:03:31]  Sources tell Reuters that Chinese intelligence services were responsible for the easyJet hack that affected some 9 million passengers. The anonymous sources say that the same threat group had tracked travelers before and was interested in their movements, not in financial gain from credit card theft. 

Dave Bittner: [00:03:49]  Australia's government has condemned unnamed nation-states for conducting and supporting cyberattacks under the cover of the coronavirus, The Australian Financial Review reports. The countries may be unnamed, but the prospect of arousing China's ire the article alludes to suggests that the subtext indicates a bad conscience somewhere in the vicinity of Beijing - either that or, of course, injured innocence, since it goes without saying that China denies any involvement in cyberattacks conducted during the pandemic. 

Dave Bittner: [00:04:23]  COVID-19 misinformation continues to find alternative outlets. Increased fact-checking and content moderation by social media providers may have pushed misinformation into other channels where it can circulate without much hindrance. The Washington Post takes the documentary "Plandemic" as its example. The documentary, whose long trailer has been pushed from YouTube and other social media, has been circulating using apps such as Google Drive. Short comments on the trailer written to avoid language that would trip content moderation alerts appear on major social media platforms, and these in turn direct visitors to the sites where the trailer is available. "Plandemic," which retails a complex and implausible conspiracy theory about the alleged corporate and government interests that the filmmakers claim are behind the pandemic, has provided a popular example of COVID-19 misinformation. It's often cited as an example of the dangerous potential of misinformation. Its recent distribution also affords an example of the difficulty of controlling such misinformation spread. 

Dave Bittner: [00:05:29]  Unemployment relief assistance designed to compensate workers who've lost their jobs during the economic stress of the pandemic are being targeted by scammers. Agari reports that much of the criminal fraud against such relief programs observed by the US states of Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, Washington and Wyoming are the work of the Scattered Canary gang, a criminal group based in Nigeria. The researchers outlined a few of the approaches. They found that 82 fraudulent claims for CARES Act Economic Impact Payments were filed between April 15 and 29. Since April 29, at least 147 fraudulent unemployment claims were filed in the state of Washington. Between May 15 and 16, 17 fraudulent unemployment claims were filed in Massachusetts. And most recently, Agari has observed signs that the criminals are turning their attention toward Hawaii, where on the evening of May 17, two claims were registered with the state's Department of Labor and Industrial Relations. The techniques Scattered Canary is using are the grubby, low-tech stuff of petty cybercrime. BleepingComputer says that the gang is using Social Security numbers and other personal data stolen from identity theft victims to create bogus accounts on assistance sites. As The Washington Post points out, state relief agencies are under the gun to provide assistance to people who need it in a hurry. And haste is usually accompanied by a certain relaxation of vigilance. 

Dave Bittner: [00:07:01]  James Dawson is a contractor and adviser to Danske Bank, working in the IT business risk and controls division in the office of the CISO. He shares his insights on DMARC and DKIM threats and why particular vigilance is in order in the midst of the COVID-19 pandemic. 

James Dawson: [00:07:20]  Every bank and financial service organization right now, Dave, is trying to manage the crisis - that's one thing. Everybody working from home and all of the challenges of having your workforce completely remote, there's all sorts of technical challenges that you got to face, you got to solve. But then there's also the threats. The threats change. So during the crisis, during the COVID-19 crisis, we've noticed that the threats have changed to - much more intensive phishing and spoofing campaigns are going on. 

Dave Bittner: [00:07:54]  Well, take us through that. What sort of things are you addressing? 

James Dawson: [00:07:57]  Well, you know, generally, I think that most organizations are relying upon Sender Policy Framework, which is SPF. That and domain key identified mail and also domain message authentication reporting and conformance - so that's DKIM and DMARC. Along with TLS, those are the most preferred methods of trying to fight against spoofing or phishing. So during the crisis, it's one thing to be able to protect your own domain. So you already apply those protocols so that you can protect your own domain. Just as an example, take You have methods of protecting that domain, and you can also train the individuals within your organization to - even though they see a message coming from what looks like the bank's domain to question it. Is it really something that I need to address, or is it something that I would even click on or something that I would act upon? So that's one thing. And then the other thing is to have your threat professionals and those that are doing your research and doing the settings for your revision to your DKIM protocols and your DMARC, to have them start thinking like a criminal. And I know we've discussed this before in your program. 

Dave Bittner: [00:09:18]  Now, you know, I've seen in email correspondences with folks that a lot of enterprises will have a feature in their email where if something comes from outside of the organization, that gets flagged. You know, in unambiguous terms within the email, it says, you know, this message came from outside of the organization. Is that sort of thing helpful for for tracking those spoofed emails, the ones that are - that look close to the name of the organization but aren't quite right? 

James Dawson: [00:09:46]  Yep, yep, I like those. Even the ones that look like they're actually coming from the authority can still be spoof, and I like those warnings on any message that comes from outside the bastion of the organization. And so those little messages, those little tags, we call them mitered messages. They're mitered onto the mail as it goes through the production server to route the message. If they're short and sweet, if they're clear and simple, then people will read them and act upon them. If they're verbose and lots of scary words and letters in them, people just think that there's some sort of warning and they skip over them. That's the problem with that sort of thing. 

Dave Bittner: [00:10:28]  That's James Dawson from Danske Bank. 

Dave Bittner: [00:10:32]  Lastline this morning released the results of a study that focused on NRDs, newly registered domains, with an evident COIVD-19 theme. They've concluded that there's less novelty about these efforts than might have been expected. While phishing is up, it appears that criminals are devoting more effort to refreshing and re-emphasizing existing campaigns to match the times than they are in coming up with innovative approaches. 

Dave Bittner: [00:10:58]  The UK's contact tracing app undergoing trials on the Isle of Wight is attracting further skepticism about its efficacy. While download rates during the trials have been reported to be satisfyingly high, ComputerWeekly reports that recent studies have cast doubt on the willingness of British users to install the app. The existing NHS app, not the contact tracing app but rather the app through which patients access health care data and book appointments with their doctors, is being considered for adaptation into an immunity passport, The Telegraph writes. According to the app's developer iProov, addition of facial recognition software to the tool could be used to verify the identity and immunity status of users. 

Dave Bittner: [00:11:41]  Finally, some security advice for military and intelligence professionals. Treat beer as a commodity and be content. Bellingcat points out the risks of using the Untappd app to rate brews. You can be tracked. Untappd engages in what Bellingcat calls meticulous location tracking, showing the locations where the users consumed the beer they were rating. It's not so much that Untappd is irresponsible. In fact, Bellingcat describes the app's privacy settings as being pretty decent. It's just that it's possible to correlate locations and movements with other social media, and as is almost always the case, people want to upload pictures of the places where they're enjoying themselves. So resist the temptation, military and intelligence professionals. Enjoy your beer responsibly and privately. 

Dave Bittner: [00:12:36]  And now a word from our sponsor, Thycotic. Thycotic protects companies from cyberattacks by developing innovative technologies that secure privileged accounts across the modern enterprise. Thycotic recently partnered with Cybrary to conduct a global survey of IT professionals, focusing on how organizations are implementing least privilege. Their new survey report shows overprivileged users are still a big challenge for IT professionals. The report reveals important insights for anyone planning or already down the path with their own least-privileged security program. From the survey, they found that even though least privilege is a top or urgent priority, most organizations struggle with complexity and user complaints when implementing a least-privileged security strategy. Go to the to download the report now and get more details about the survey results, the key takeaways and recommendations for how to ensure success in your least privilege implementation. Again, that's to download this special report on the state of least privilege. And we thank Thycotic for sponsoring our show. 

Dave Bittner: [00:13:52]  And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: [00:14:01]  Hi, Dave. 

Dave Bittner: [00:14:02]  We have seen stories coming from many, many different directions about this new attack that is being called Thunderspy. 

Joe Carrigan: [00:14:11]  Yep. 

Dave Bittner: [00:14:11]  And this has to do with Thunderbolt ports. You and I have been looking at some research from the folks over at Duo, but this is being written about all over the place. 

Joe Carrigan: [00:14:20]  Right. 

Dave Bittner: [00:14:21]  What is your take on this? First of all, can you describe to us what's going on here? 

Joe Carrigan: [00:14:24]  The research comes from a master student at Eindhoven University of Technology. His name is Bjorn Ruytenberg, and I hope I'm saying that right. 

Dave Bittner: [00:14:32]  (Laughter). 

Joe Carrigan: [00:14:33]  But it's a vulnerability in Thunderbolt, and at the very root of the vulnerability is a design decision that the chips on a Thunderbolt controller do not run signed code. So that's really the root of the problem. So that means that if I can have physical access to that controller, I can change the software that runs on that controller. 

Dave Bittner: [00:14:59]  And Thunderbolt is a protocol. I mean, I suppose it's probably more widely known with Mac users who've had... 

Joe Carrigan: [00:15:07]  Right. 

Dave Bittner: [00:15:07]  There's a whole generation of Macs that had Thunderbolt ports on them, and you use that for things like external hard drives or external monitors. It's sort of a high-speed port. 

Joe Carrigan: [00:15:18]  Right, it's a high-speed port. It's the same external port as a display port, although more recent versions actually run over a USB-C port. I don't know - I'm not a big fan of dual-purposing port designs. I think that's a bad idea. But, you know, that horse has left the barn on this one. 

Dave Bittner: [00:15:37]  (Laughter) Right. Right. 

Joe Carrigan: [00:15:37]  And that's just - I think that might just be me old manning it - you know? - going (unintelligible). 

Dave Bittner: [00:15:40]  Right. Right. Right. 

Joe Carrigan: [00:15:43]  But yeah, I've used Windows computers all my life and Linux computers more recently for the past five years. And I have never had a computer with a Thunderbolt port on it at all. So it's not something that's all that common. It does - this attack does require physical access to the device. Not only that, but you have to open the device up and then you have to attach your own malicious device onto it to rewrite the firmware on this chip. 

Dave Bittner: [00:16:09]  Right. 

Joe Carrigan: [00:16:10]  And because this chip runs unsigned firmware, you can run arbitrary code on it if you can get that level of access. 

Dave Bittner: [00:16:16]  Yeah. And that's the part that I think people are drawing attention to here is that the whole fact that you need access to the machine. And this is commonly referred to as an evil maid attack, where... 

Joe Carrigan: [00:16:27]  Right. 

Dave Bittner: [00:16:27]  ...The notion is you've left your computer in your hotel room while you've, you know, gone down to the bar or out to have a bite to eat and an evil maid can come in and do what they want to do with your machine. And so people, I think, raise their eyebrows over the odds of that being an issue for folks in their everyday lives. 

Joe Carrigan: [00:16:45]  Yeah, but there's an old saying we used to say. Physical access is root access, right? If I can touch a machine, I can do anything I want to it. But one of the main protections against physical access being root access is you can encrypt your hard drive, right? And that way, your data at rest is secure. If someone steals your laptop, then they can't access it, then they can't get to the data. But apparently, with this attack, if someone steals your laptop while it's maybe in sleep mode and then they open it up or they perform this malicious attack on it, they can actually get into all the files that are encrypted on your hard drive because those files have already been accessed by the operating system through the encryption protocol - right? - through whatever encryption workflow to access the file because encrypted files are of no use to you unless you can actually access them when you need to and you're authorized to, right? 

Dave Bittner: [00:17:35]  Right. Right. 

Joe Carrigan: [00:17:36]  So this - that's, I think, the biggest single interesting thing about this, is that if I have access to a computer that I know has data that I want on it, then I can get that data, even if that data has been encrypted using whole disk encryption. 

Dave Bittner: [00:17:51]  Yeah. Yeah, I guess, you know, a lot of the articles have pointed out that more recent machines, machines made in the past few years don't seem to be susceptible to this. So... 

Joe Carrigan: [00:18:00]  Yeah. 

Dave Bittner: [00:18:01]  ...If you're concerned, it's a good excuse to upgrade (laughter). 

Joe Carrigan: [00:18:04]  Right. 

Dave Bittner: [00:18:07]  But also it strikes me that if you're someone who thinks you might be susceptible to someone coming into your hotel room, for example, or your office or wherever and using the physical access to alter that machine, then you're going to know about that... 

Joe Carrigan: [00:18:22]  Right. 

Dave Bittner: [00:18:23]  ...And you're going to have protections in place to try to minimize the likelihood of that happening. 

Joe Carrigan: [00:18:28]  Absolutely. You know, we've heard stories about people who have left - I think it was Kevin Mitnick who told the story about leaving his hotel or his computer in his hotel and then giving it to somebody else to work on it. And the person who was working on it said, why did you open this up and tighten the screws down so hard? And says I didn't do that. And somebody had done that to his computer. I think that was Kevin. 

Dave Bittner: [00:18:48]  Right. 

Joe Carrigan: [00:18:49]  But, you know... 

Dave Bittner: [00:18:49]  I think that was, yeah. 

Joe Carrigan: [00:18:49]  If you know who that is, if you know that you're that kind of person that's at risk for that, then, yeah, you're going to do - you're going to take other measures. 

Dave Bittner: [00:18:59]  Yeah. It's interesting they make the point in one of these articles that while the odds of someone falling victim to this may be low, it's still a good thing that we know about this because it advances our knowledge of types of attacks that we need to be aware of. 

Joe Carrigan: [00:19:13]  Right. It is interesting research, and Intel should actually - and I think they probably are in the future - design their chips to only run with signed versions of their firmware. That should be standard security practice by now. But, you know, it's going to take some time to implement these practices across all this hardware, and that hardware has to age out. But over time, we'll move in a more secure direction against things... 

Dave Bittner: [00:19:37]  Yeah. 

Joe Carrigan: [00:19:37]  ...Like this. 

Dave Bittner: [00:19:38]  Yeah, absolutely. All right. Well, Joe Carrigan, thanks for joining us. 

Joe Carrigan: [00:19:41]  It's my pleasure, Dave. 

Dave Bittner: [00:19:47]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cyber security leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: [00:20:05]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: [00:20:26]  Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.