The CyberWire Daily Podcast 6.11.20
Ep 1107 | 6.11.20

Gamaredon ups its crazy game. Doxing during unrest. Bogus contact-tracing apps spread spyware. Thanos in the ransomware market. Crypto Wars notes. Another 419 scam.


Dave Bittner: The Gamaredon group is back, and what's their secret? Like Crazy Eddie's, it's volume. Doxing during times of unrest. Phony contact-tracing apps are snooping on personal information in at least 10 countries. Thanos is a criminal favorite in the ransomware-as-a-service market. Another skirmish in the Crypto Wars is brewing on Capitol Hill. David Dufour from Webroot on how organizations can successfully navigate their new workplace realities. Our guest is Chester Wisniewski from Sophos on fleeceware apps found in the Apple app store. And no, really, Elon Musk is not on YouTube offering you Bitcoin.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, June 11, 2020. 

Dave Bittner: ESET reports that the Gamaredon group has introduced remote template injectors for Word and Excel documents and is deploying a distinctive Outlook mass-mailing macro. Gamaredon is an advanced persistent threat group that for the most part hits Ukrainian targets. It's generally regarded as a nominally Ukrainian separatist group operating under Russian GRU control. Gamaredon is both noisy and careless, going for speed and spread as opposed to stealth. But as this latest report suggests, an operation might well rationally sacrifice quality for quantity since, after all, as someone once remarked, quantity has a quality all its own. ESET also suspects that all the noise may be masking quieter, arguably more damaging operations. 

Dave Bittner: Police officers in major US cities including Washington, Atlanta, Boston and New York are being subjected to doxing, their home addresses and other personal information being shared on social media, the AP reports. The source is an unclassified intelligence memorandum from the Department of Homeland Security, which warns that the information could be used by violent opportunists or domestic violent extremists. It's not illegal to post this sort of information, although most platforms at least fitfully discourage doing so, but it's difficult to ignore the implicit threat in this and other doxing incidents. Since there's a possibility that at least some of the information came from compromised email accounts, DHS advises police officers to take steps to secure their online presence. 

Dave Bittner: Anomali yesterday released its findings that bogus contact-tracing apps were in fact carrying spyware payloads, mostly SpyNote and the banking Trojan Anubis. Contact-tracing programs are being spoofed for Armenia, Brazil, Colombia, India, Indonesia, Iran, Italy, Kyrgyzstan, Russia and Singapore. The geographic reach of the operations, the kind of information being collected and the opportunistic approach are suggestive of a sophisticated criminal enterprise. 

Dave Bittner: Researchers at Recorded Future describe the growing popularity of Thanos in the ransomware affiliate program criminal market. Thanos is a ransomware builder believed to be the first to feature the RIPlace technique that's designed to facilitate rapid weaponization of proof-of-concept exploits. RIPlace works, basically, by leveraging symbolic links through an MS-DOS device name to copy an encrypted version of the file to the original file location. 

Dave Bittner: It's been well-received in the criminal-to-criminal equivalent of Yelp. Thanos works flawlessly, say the happy affiliates, and they ask the vendor, who goes by the name Nosophoros, to keep the updates coming. And we say as an aside that we're struck by how often online gangsters sound like people who buy stuff as seen on TV or even like successful Mary Kay sellers. It's as if the ultimate Avengers villain was really more interested in establishing a nice work-from-home multilevel marketing scheme instead of achieving universal beauty through widespread Infinity Stone desolation. If only Nosophoros offered pink Cadillacs as a reward for criminal success, the picture would be complete. 

Dave Bittner: In any case, Recorded Future sees two strengthening trends in ransomware. First, the ransomware-as-a-service market can be expected to grow. And second, the gap between the high-end operators and the skids will continue to widen. As they put it, there will be a continuing separation between the ransomware haves and have-nots. 

Dave Bittner: There's a thriving ecosystem of free-to-play games and free-to-try apps in Apple's app store, programs that encourage you to spend some time with them before deciding if you want to spend a few bucks to unlock features or continue their use. Researchers at Sophos have been looking into the increased presence of fleeceware apps, so called because they lure you in with some promise of particular functionality but soon switch to charging users large sums of money, often in a sneaky way. Chester Wisniewski is a principal research scientist at Sophos. 

Chester Wisniewski: Well, they have a tendency to be on the whimsical side and on the commonly searched side, and I think those of us that have been in the security industry for a long time have often made fun of people downloading flashlight apps when there's been flashlight functionality built into our phones for years and yet run into our friends at parties who, in fact, have loaded a flashlight app because it will strobe the light to the beat of their favorite song or, you know, whatever. And so a lot of these apps are things like that. We see horoscope apps, fortune-telling apps, QR code apps, apps that make you look like you're aging to see what you might look like when you're ready for retirement, this kind of stuff that people would kind of play around with but not take terribly seriously. 

Dave Bittner: And how are the folks who are running these app stores responding to these things? Are they taking them down when they find them? 

Chester Wisniewski: Well, it's difficult for us to know how much patrolling Google and Apple are doing, but our researchers certainly have had no difficulty tracking them down and sometimes even to the point of us pointing out violations of the app store guidelines to the app stores themselves, going, we found all these apps. We see all kinds of people complaining about them. Why aren't you doing something? And fortunately, we have seen some response when we file complaints. But there does not appear to be a lot of proactive action on behalf of the app stores. 

Dave Bittner: Yeah, I mean, I wonder if it's against their own interest. I mean, for example, you know, Apple takes a pretty significant cut of an app's revenue. 

Chester Wisniewski: Yeah. The cynic in me says, hey, they're making 30% off every one of these things. You know, what incentive do they have? But I think there is incentive in that people really do trust - and especially Apple over Google - I think a lot of people are more suspicious of things that make it into the Google Play store, whereas people - you know, Apple has a reputation that they value very highly. The reason they're able to get you to buy very expensive phones and laptops from them is that they do curate content pretty well. And this kind of, I think, leaves a bad taste in people's mouth who really trust the Apple brand. 

Dave Bittner: What are your recommendations for folks who want to protect themselves, for themselves but also for other members of their family? 

Chester Wisniewski: Yeah, it's tough. It's a tough problem. I mean, one thing you can do is regularly review any subscriptions in your app store. So fortunately, both Apple and Google make it quite easy to review what things you're subscribed to, especially if you're concerned about teenagers that maybe you're trying to give them some control of their device and teach them some responsibility - you don't want to totally lock it down. On the other hand, you don't want to find out, you know, six months later that you paid $200 for a palm-reading app. So you know, we've posted a blog post on our SophosLabs Uncut site where we point people to the way to unsubscribe - or check your subscriptions in both iOS and Android. But it's quite easy. If you go to the app store help and look for subscriptions, then you can see a list of anything you're subscribed to. 

Dave Bittner: That's Chester Wisniewski from Sophos. 

Dave Bittner: In what The Washington Post sees as a shift in the EARN IT Act skirmish in the Crypto Wars, Reuters reports that members of the US Congress are seeing information on a 2015 backdoor incident at Juniper Networks. While Senator Wyden, Democrat of Oregon, has been prominently mentioned among the pro-crypto lawmakers engaged in the inquiry, it's a bipartisan move. Senator Wyden of the Intelligence Committee was joined by his Utah Republican colleague Mike Lee of the Judiciary Committee in a letter sent this Tuesday to Juniper Networks CEO Rami Rahim. They're interested in what Juniper learned after it found what the networking shop called unauthorized code in its NetScreen security software in 2015. It was reported at the time what they found was an NSA-designed backdoor. The FBI investigated, but the results of their inquiry haven't been made public. 

Dave Bittner: The other incident that's prompted a revival of this particular contest is the Motherboard account, published earlier this week, of Facebook's development of an exploit that enabled the FBI to make an arrest in a notorious case of child stalking and exploitation. Facebook and other big tech companies have resisted the Justice Department's push for what Justice characterizes as responsible security, which is to say security systems that would permit some form of access to systems involved in criminal or national security investigations. The Washington Post characterizes the effect of the news like this, quote, "it's a rare public example of how law enforcement can use lawful hacking to gather incriminating evidence. It also helps beat back claims that police need backdoor access to encrypted communications for that information, which cybersecurity pros say would make everyone more vulnerable to malicious hacking," end quote. 

Dave Bittner: Finally, celebrity impersonation in the service of fraud is back. Actually, it never really left, but it's back in a splashier way. As has so often been the case, the celebrity being impersonated is Elon Musk, the closest thing to a real-life Tony Stark we're likely to see, only with a healthier heart and without the transistor-powered armor. This round of trouble is a YouTube scam in which criminals hijacked the legitimate YouTube sites Juice TV, Right Human and MaximSakulevich and renamed them SpaceX Live or SpaceX. The hoods splashed some vaguely plausible SpaceX branding on the sites, streamed some of the real Mr. Musk's appearances at conferences and then pitched the usual advance fee scam. The faux Musk would double your bitcoins back if you put some in a wallet the crooks helpfully provided. Why would he do that? Well, never mind - it's Elon Musk. That's the way he rolls. 

Dave Bittner: Surely, you say, no one could fall for that. Surely, however, you'd be wrong. Naked Security reports that YouTube has given the hijacked accounts the old heave-ho, but during their brief time onstage, the faux Musk had pulled in about $150,000 in bitcoin. Needless to say, not one of the marks realized any return on their investment. 

Dave Bittner: Two things - first, it's worth doing what you can to secure your own social media accounts. Try a password manager. Don't reuse your passwords. Use multifactor authentication. Sure, they're not collectively a silver bullet, but they're valuable precautions nonetheless. And for heaven's sake, no one - and we mean no one - is going to pay you big bucks in exchange for a small donation. And no, kids, that's not how the stock market works, no matter how bullish it gets. Class dismissed. 

Dave Bittner: And joining me once again is David Dufour. He's the vice president of cybersecurity and engineering at Webroot, an OpenText company. David, it's great to have you back. I wanted to get your take on where you think things are heading on the other side of this pandemic that we find ourselves in, and I wanted to come at this from the point of view of the employer. What are the realities you think they're going to face when we start to see some light at the end of the tunnel here? 

David Dufour: First of all, great to be back, David - always love being here. You know, I think a lot of folks are still asking that question. What does this look like? A lot of us like working at home, David. Ironically, I'm sitting in the office, and it's empty right now. 

Dave Bittner: Me too (laughter). 

David Dufour: You as well, yes. I don't know if that says anything about us or... 

Dave Bittner: Truth hurts. 

David Dufour: Yeah. I was really surprised how quickly both technical and nontechnical companies were able to flip a switch and have people working at home. And I think these organizations are going to have to spend some time evaluating policies and procedures that they have in place because, you know, we have a lot of tools, VPNs. I know we've had some struggles with VPN bandload (ph), having people come into the network to be secure. Things like that are going to have to be evaluated in terms of how we can ensure high levels of productivity with the tools that we have in place. 

David Dufour: That said, I think employers have been pleasantly surprised and somewhat shocked at the productivity of employees who've been able to work from home. People are really, really, you know, knuckling down. And maybe that'll fade over time and it's all the, you know, hey, we need to get through this, but people really are being hyper-productive from home, and employers like that. 

Dave Bittner: Yeah, it's interesting to me. You know, there's that old saying that - how temporary solutions tend to become permanent solutions. And I wonder, as these systems, these networks, these - you know, as stuff was put together with, you know, spit and baling wire just to get everybody in place, as things settle down and more permanent solutions are put into place, could folks actually see pushback from employees as things become a little more regimented? 

David Dufour: I can guarantee you that's going to happen. I'm not going to name any offices that I'm familiar with who are already worried they're going to all have to come back in. But no, I think there's a lot of that that's happening when people realize, you know, I'm able to get a lot done when I'm not sitting in the car, I'm showing up to work, I'm not as frustrated because of that drive or that commute, I'm home with my family more. There's a lot of that. 

David Dufour: On the flip side, though - and we are experiencing a lot of this as well, David - there's some desire to get back to that collaboration when you can get in a room with folks and write on a whiteboard to design something out or plan something. So I think we're going to have to find that balance between requiring people to come in at certain blocks of time or letting them figure out when they need to get together to collaborate because, yes, we can all meet online with the videoconferencing, but there's something that is lost that's intangible when you're sitting in a room with people that I think we're still going to have to figure out how that pans out. 

Dave Bittner: Do you think we're going to see a shift? I'm thinking about the pure hardware side of things, of having servers and all those sorts of things that having a physical location can provide you with. Do you think more - this is going to be a push to have more stuff just be, you know, virtualized out there, to have more and more things as a service? 

David Dufour: Oh, I truly do. And I'm going to jump back to, like, 2016, I think it was - maybe it was 2017, actually. I went a year without using Wi-Fi or cable. I put a SIM card in my laptop, and I completely was off-network other than my wireless carrier for a year. And that was painful at times, but it was doable in 2017. And, you know, with the 5G coming out and the stability of 4G infrastructure - and I'm maybe extrapolating a little too far here because people have broadband and all that at home, but the capability of these cloud providers to provide the tools and SAS solutions - all of this is really allowing us to disconnect. The concern, then, will be, as it's been for several years, is how do I ensure the device or the person is who they say they are if I have no network to feed them through to ensure of that authenticity? 

Dave Bittner: Yeah. That's an interesting point. All right, well, David Dufour, thanks for joining us. 

David Dufour: It's been great being here, David. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.