The CyberWire Daily Podcast 6.4.20
Ep 1102 | 6.4.20

Nuisance-level hacktivism. Ongoing cyberespionage and cybercriminal campaigns. EU unhappy with Russia’s hacking the Bundestag. CISA has a new cybersecurity resource.


Dave Bittner: Nuisance-level hacktivism continues to surround US protests. The Higaisa APT is active in Southeast Asia. Goblin Panda is back with USB-borne malware. A new strain of ransomware is described - Tycoon. The EU considers whether to sanction Russia over the GRU's hack of Germany's Bundestag. CISA launches a new public resource for cybersecurity. Zulfikar Ramzan from RSA on cybersecurity and digital risk in the context of pandemics. Our guest is Grant Goodes from GuardSquare on security of mobile app voting. And a Texas man pleads guilty to conspiracy to commit money laundering in the course of a BEC scam. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, June 4, 2020. 

Dave Bittner: Episodic nuisance-level hacktivism continues to accompany protests in the US. According to KXAN, Anonymous has claimed responsibility for taking down an Austin, Texas, public website in an anti-police gesture. And Variety reports that K-pop fans remain an odd force in social media hashtag jamming. Anonymous, as we've had occasion to remark, is now probably better regarded as a lifestyle brand than as an identifiable group. And in that respect, come to think of it, it's a lot like K-pop - more style than conspiracy. 

Dave Bittner: This morning, Malwarebytes published an update to their research into the Higaisa group, an advanced persistent threat first described by Tencent early last year. Higaisa, Malwarebytes says with circumspection and ambiguity, is believed to be tied to the Korean Peninsula and is thought to have been active at least since 2016.

Dave Bittner: It's used Gh0st and PlugX Trojans in the past. In its current campaign, Higaisa is using what Malwarebytes describes as a malicious shortcut file that stages a multistage attack. Higaisa establishes its initial presence through spearphishing, with the messages carrying a malicious LNK file bundled within an archive file. 

Dave Bittner: Kaspersky reports finding a new strain of USB-based malware, USBCulprit, that's being run by Chinese-speaking threat actors Cycldek or Goblin Panda - the two operational entities that are active under a mutual quartermaster. USBCulprit is intended for use against air-gapped systems. Its targets have been in Southeast Asia, primarily Vietnam but also Laos and Thailand. 

Dave Bittner: It's worth noting that when people talk about malware or stolen information being able to cross an air gap, that's less exotic and magical than it sounds. In general, as in this case, it refers to malware being loaded onto some removable media. This isn't a new technique. It's generally believed that Stuxnet, for example, infested the Iranian uranium centrifuges via baited USB drives. So important safety tip - don't stick that thing in your computer. You don't know where it's been. 

Dave Bittner: Another bit of research published this morning comes from BlackBerry, which describes a new strain of ransomware the researchers are calling Tycoon. They describe it as "a multi-platform Java ransomware targeting Windows and Linux that has been observed in the wild since at least December 2019." The operators deploy it as a Trojanized Java Runtime Environment and use an obscure Java image format to, as BlackBerry puts it, "fly under the radar."

Dave Bittner: Tycoon attacks have been highly targeted, hitting small and medium-sized companies in the education and software sectors. The attackers establish themselves on the network by working through a compromised remote desktop protocol server - that is, an RDP server. 

Dave Bittner: Similarities in naming conventions, as well as some overlap in the language of the ransom notes themselves, suggest that Tycoon might be related to the Dharma/CrySIS gang. So far, only a relatively small number of victims has been affected, but the campaign is still young.

Dave Bittner: Akamai has warned that its honeypots have shown that the Stealthworker botnet remains an active threat. Affecting Windows and Linux systems, Stealthworker was discovered in February 2019 by Malwarebytes and further examined last October by Fortinet.

Dave Bittner: Stealthworker is known for its ability to brute-force popular platforms and services, including Drupal, WordPress, Joomla, OpenCart, Magento and MySQL. As Akamai points out, botnets like these prey on weak authentication measures and automation in order to infiltrate servers and infect them with malware. The company sees Stealthworker as an illustration of why multifactor authentication and sound password policies, like using difficult-to-guess passwords and never reusing them, are important security steps.

Dave Bittner: Politico sees the German intention to prosecute a Russian GRU operator, Dmitry Badin, for hacking the Bundestag as indicating hardening European attitudes toward Russian cyber operations. (Even TASS is authorized to take notice of the indictment.) EU diplomats met yesterday in Brussels to begin consideration of whether or not to impose sanctions against those involved in the cyber incident. This would be the EU's first use of its sanctions authority against cyber operators.

Dave Bittner: There is a national election coming up here in the U.S. this November, which will be here before you know it. Grant Goodes is chief scientist at Guardsquare, a mobile application security firm. He shares his insights on the security of mobile app voting. 

Grant Goodes: In general, there's two overlapping security concerns here. One is the whole field of mobile application security in general, and the second is the security of any form of non-in-person, not paper voting. The second category is, I would say, an academic research topic. It is not a solved problem. The moral (ph) question of verifiability of a vote, secrecy of a vote and then we're talking individual votes here - they are tough problems to solve without a - the classic paper ballot approach. However, putting that aside, I think the big challenge here is to provide the best possible security so that attacks from - clearly, nation-state actors might be interested in influencing the upcoming election. We need to make sure that we're putting our best security foot forward with these types of applications. 

Dave Bittner: Yeah. It's an interesting thing to think about. And I can't help wondering about the whole issue of timing. You know, to me it seems like it would be one thing if we had the benefit of time - if we had a few years to work through this and to test it and that sort of thing. But as we come up on this election this year, this sort of a, I guess, double whammy of the possibility that people won't be able to vote in person. And then also knowing that there could be some outside influences who are trying to affect our election, that really presents interesting challenges. 

Grant Goodes: I fully agree. I think that this has been a problem, as I mentioned, a number of decades, the consideration of how to do an electronic vote, whether it be in-person with a voting machine or remotely over the internet. But it's now - due to our current situation, this is going to have to be addressed. And effectively, I think this may accelerate the entire field. We're probably going to make some missteps. I'm almost certain of that. But I think we can avoid the most obvious ones. And I think - I would stress that the key to almost any mobile application security problem is not to rush. 

Grant Goodes: In this case, we know this is coming. We have until, in the U.S., until November. That should be adequate time to create a design. It will not be perfect. There will be academics who will say you have this and this and that flaw, but we will get a good design. Then we need to ensure the vendor producing the software is reliable and trustworthy themselves. And we must, in my opinion, institute some form of oversight on that software. It needn't be the entire world. It can be, again, a limited subset. We need people that are not associated with the people in the election who can give oversight. And if we combine all of that and then apply standard software design principles, use good cryptography and then harden the app properly, I think the result will be immune or largely immune to the sorts of concerns we have.

Dave Bittner: That's Grant Goodes from Guardsquare. 

Dave Bittner: The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, CISA, yesterday announced the launch of a new public resource for information about cybersecurity and the other areas in the agency's portfolio. CISA Director Krebs said yesterday in an interview on "Intelligence Matters" that as a matter of course, nations would collect COVID-19 information. He said, quote, "We do expect every intelligence service to be in the mix here," end quote. China has been the most brazen in its pursuit of information about the pandemic and research into treatments, but COVID-19 is an obvious intelligence target. NATO yesterday issued a statement of solidarity with all health care and research organizations that have been affected by cyberattacks. 

Dave Bittner: And finally, a 64-year-old Texas man has taken a guilty plea in the US District Court for the Southern District of Texas, Houston Division, to a charge of conspiracy to commit money laundering. Kennety Kim (ph) acknowledged his role in a business email compromise scam in which he impersonated corporate personae to either intercept or initiate electronic funds transfers, the money being diverted into accounts he controlled. He faces up to 20 years in prison when he's sentenced later this year, and he's agreed to provide victims with full restitution. That will amount to, as the plea agreement says, at least $745,540.70. 

Dave Bittner: And joining me once again is Zulfikar Ramzan. He is the chief technology officer at RSA. Zuli, it's always great to have you back. I wanted to talk to you today about kind of where we find ourselves with the pandemic and how cybersecurity folks are sort of sizing this up when it comes to digital risk in this context of being in a pandemic. What can you share with us? 

Zulfikar Ramzan: So I think, you know, Dave, when I look at what's happened in the world, I mean, nobody could have predicted the situation we're in today. We sort of saw some aspects of it coming. But if you just think about it a few weeks ago or a couple of months ago, you and I were together at the RSA Conference, and the world was still feeling relatively normal. And a few weeks after that, everything shut down really rapidly. And, you know, when I talked to a lot of our customers, they were all focused on how they could, No. 1, enable and get through this change. So they were thinking about what it meant for their workforce and how to enable a remote workforce. Many of them today are grappling and continue to grapple with basic questions around, what does a security operation center look like in this new world? Or should they be thinking about risk at a more fundamental level? And, really, changing what risk means and what acceptable risk entails, given the overall crisis. 

Dave Bittner: What sort of rebalancing are you seeing going on? As people are turning those knobs, what sort of things are they looking at? 

Zulfikar Ramzan: Well, I think one of the first things that a lot of our customers are looking at is, No. 1, how to rethink their security strategy at a fundamental level. Before, there were a certain set of assumptions they would make about what was acceptable risk, what they could account for and so on and so forth. And so the first thing is, what does their security operation center look like? The traditional security operations center has been this physical entity, right? People get together when there's a big incident. There's a war room, and different parts of the organization get together in that war room. We now have to rethink what that means in a virtual context. Can you have a virtual war room and run it effectively? 

Zulfikar Ramzan: Now, this is easier said than done because in a massive security incident, it's truly an all-hands-on-deck effort. You tend to have participation from every single line of the business. So your legal team is involved if there are legal implications associated with the incident. If there is a customer-facing impact, you might have your sales team involved because they may have to talk to customers. If your sales team is talking to your customers, your marketing team is involved to figure out what messages have to be relayed and how to package that appropriately. And then you also have, certainly, your IT team, your IT security teams, that are always involved in these incidents. And then your finance team may be involved because, all of a sudden, you've got to write all these checks and potentially hire people or bring in third-party incident response expertise, and someone's got to fund all that.

Zulfikar Ramzan: And so when you think about it, every aspect of an incident is truly an all-hands-on-deck effort. And to make that successful, you have to find new ways to collaborate but now in a virtual environment.

Dave Bittner: Yeah, I want to touch on incident response in particular. I mean, you know, to me, that would often involve, you know, folks getting on planes and traveling to where the incident was and having to deal with things, you know, putting boots on the ground to try to work through something. Has that equation changed? 

Zulfikar Ramzan: Yeah, so I think, all of a sudden, there's no expectation of being able to get boots on the ground anymore. Many organizations certainly have closed their front offices. They're trying to minimize visitors. Even if somebody showed up to the office itself, there's no guarantee that anybody would be there to let them in or, in that case, to a data center. And so in that regard, a lot more is happening remotely. But what's also happening now remotely is, before, when you wanted to search for an incident or investigate an incident, you would typically look for anomalous behaviors, right? Do I see behavior that's different from what I typically expect? Our understanding of what to expect has also shifted in the context of a pandemic. All of a sudden, everybody's remote. It's not like you have only one person being remote or a handful of people being remote; everyone's remote all of a sudden. Their behaviors are very different. 

Zulfikar Ramzan: Now, the way that I behave is maybe there's a handful of IP addresses to which I connect or from which I connect. I'm using a lot more cloud applications, probably, if I'm a remote worker. And so that means that being able to investigate what's occurring becomes even more challenging. And so I think that gives rise to two kind of fundamental questions. One thing, I think, is that how do we sort of evaluate what normal looks like in this new world? 

Zulfikar Ramzan: And I think, by the way, there's a glimmer of hope here because, in many ways, normal is a lot easier to measure, and it's a lot easier to get a baseline when everybody's essentially in one place, even if it's their homes. And so all of a sudden, before when I used to connect to my work systems - I might be connecting from different locations; if I'm on a plane somewhere, I might be in different countries - now there's, again, two or three IP addresses they can pretty much nail down. It's me; my behaviors are much more easy to predict, which means that deviations from those behaviors are easier to identify. So I think that's one glimmer of hope, quite frankly. 

Zulfikar Ramzan: The second element, I think, is that we've also got this new challenge in that, all of a sudden, if I was using, let's say - and focus on maybe network visibility to understand what was going on - if individuals are now using more cloud services if they're at home, they may not be on the enterprise network directly as much anymore. And that necessitates the notion of thinking about comprehensive visibility that covers both your endpoint, your cloud, as well as your network core and being able to amalgamate data across all three elements and bring them together so you can effectively build a proper cybersecurity program that looks at all aspects of what's going on in your digital infrastructure. 

Dave Bittner: All right. Well, Zulfikar Ramzan, thanks for joining us. 

Zulfikar Ramzan: Absolutely. Always a pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at the And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.