The CyberWire Daily Podcast 6.18.20
Ep 1112 | 6.18.20

Cyber support for a kinetic conflict. Cyberespionage. Spyware in Chrome extensions. Criminal phishing bypasses defenses. Proposed revisions to Section 230. Zoom and encryption.


Dave Bittner: Sino-Indian conflict extends to cyberspace. InvisiMole connected to Gamaredon. Spyware found in Chrome extensions. Phishing around technical defenses and some criminal use of CAPTCHAs. The U.S. Justice Department releases its study of Section 230 of the Communications Decency Act. Zully Ramzan from RSA on privacy and security in a post-COVID world. Our guest is Michael Powell from NCTA on the importance of the U.K. cybersecurity sector. And Zoom changes its tune when it comes to end-to-end encryption.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, June 18, 2020. 

Dave Bittner: As expected, there are signs that the Sino-Indian border skirmishing, already a bloody series of small-unit engagements with casualties on both sides, may be accompanied by cyber operations. There are reports of Chinese-distributed denial-of-service attacks against Indian targets. TimesNow says the attacks are thought to emanate from Chengdu, headquarters of PLA Unit 61398. 

Dave Bittner: InvisiMole, a cyber espionage group discovered in 2018 but active at least since 2013, is known to have operated against Eastern European military and diplomatic targets, including targets in Russia and Ukraine. The group appears to collaborate with Gamaredon. ESET researchers report finding that InvisiMole has used Gamaredon's .NET downloader MSIL/Pterodo. 

Dave Bittner: Only a small set of Gamaredon's victims were prospected by Invisimole, which suggests that the stealthier, more sophisticated Invisimole makes highly selective use of noisy Gamaredon's target list. It also uses EternalBlue and BlueKeep exploits for lateral movements once it's in the targeted enterprises. Gamaredon has been linked to Russia. InvisiMole has hitherto been more elusive, but the connection to Gamaredon is suggestive, at least. 

Dave Bittner: Reuters reports that Awake Security has found a massive spyware infestation among Chrome extensions - about 32 million downloads' worth. Google removed 70 of the extensions from its store after they were notified of the problem last month. The extensions, which were for the most part offered free of charge, represented themselves as able to warn users of questionable websites or to convert files to different formats. What, in fact, they did was capture browsing histories and data and ultimately provided the extensions' operators with credentials for accessing various business tools. 

Dave Bittner: Why Google itself didn't detect and remove the malicious extensions is unclear. It's also unclear who was behind the malicious extensions. As the Reuters piece points out, the operation could equally well be the work of criminals or nation-state espionage services. 

Dave Bittner: Check Point describes a phishing campaign directed toward acquiring Microsoft Office 365 credentials. It made heavy use of redirection. The phishing emails weren't particularly polished - they told recipients they had some voicemail waiting for them - but the use of hijacked servers and domains were. The criminals used an Oxford University email server to send their messages. The recipients were directed to malicious sites in a hijacked Samsung domain hosted on an Adobe server. The goal was to steal targeted network access credentials, and the hijacked servers and domains facilitated the passage of the phishing emails through enterprise security systems. 

Dave Bittner: Remember the high-minded chatter in the underworld early in the pandemic about how criminals should restrain themselves for the sake of the common good? Right. We didn't believe it, either. But anyone still persuaded that cybercriminals have trimmed their attacks out of public-spirited responsibility during the COVID-19 pandemic will be disillusioned by a Digital Shadows study of criminal forums. 

Dave Bittner: There is more criminal-to-criminal business than the underworld can handle, and the gangs are scrambling to find moderators who can keep up with demand. One example of their findings comes from the English-language forum Nulled, which is looking for two new trials monitors to keep pace with the forum's growth. The Nulled community is especially growing rapidly during COVID-19, and so it needs additional assistance. 

Dave Bittner: So what does a moderator do for a cyber mob? Digital Shadows explain that the typical criminal forum - whether it speaks English, Russian or any other language - is organized as a pyramid. An administrator sits at the top, exercising general directions. Beneath the administrator are moderators who handle day-to-day operations. As Digital Shadows puts it, taskings vary, but moderators enforce forum rules, answer questions, organize content and watch for crook-on-crook scams. 

Dave Bittner: Not just anyone has what it takes to be a moderator. They should, the want ads say, be friendly and approachable people who know how to use their initiative. Nulled explains that they should be able to maintain peace and order in the shoutbox as they find and expel spammers, leeches and multis. They should be mature and handle situations professionally, be good at making unbiased decisions and, above all, treat each member equally. And people like that are hard to find. Ask any HR department. 

Dave Bittner: The UK has a strong presence on the global cybersecurity stage, with a healthy ecosystem of universities, government organizations and private sector security companies. Michael Powell is cyber representative to North America for the UK's Department for International Trade, and he offers these insights. 

Michael Powell: We recently published a report in January put together by the Department for Digital, Culture, Media and Sport, and at the moment we've estimated the size of that market to be around 8.3 billion pounds, and that's a 46% increase since we last assessed the market in 2016. And that is just for pure cyber businesses, so it doesn't include defense or any of the other areas of security. 

Dave Bittner: And so who are some of the leaders there in the UK in terms of some of the organizations that we would know about, you know, the household names when it comes to cybersecurity? 

Michael Powell: Yeah, absolutely. So Darktrace - obviously a very popular solution globally. And then the likes of Glasswall. You may have come across Garrison Technologies, Nominet - so some fairly global brands. But then you also have presences there from IBM, from Northrop Grumman, from Raytheon. So some of the large US defense contractors you'll be very used to seeing in the press here in the US. 

Dave Bittner: And so what is your advice for organizations here in North America who want to establish a working relationship with companies in the UK? 

Michael Powell: That's exactly what we're here to do as UK DIT. So my advice to them is to reach out to us as UK DIT, and that's exactly what we are here to do. And we can assist them with either the G-to-G connections or the commercial connections that they need if they're considering either setting up an office or working collaboratively with somebody in the UK sector. 

Dave Bittner: Do organizations find that this could be a first step into a larger exploration of European markets in general? 

Michael Powell: We think so, yes. I mean, we have the ongoing topic of Brexit, which I'll avoid. 

Dave Bittner: (Laughter). 

Michael Powell: But absolutely, yeah. Being in London, you know, you're still geographically very close to Europe, and you're in the right time zone to do business there. So we have historically found - because of the similarities between the UK and the US market - the UK market is a really good landing pad for US companies that then want to consider expansion into the rest of Europe as well. And being English-speaking, it helps a little bit with that first journey. 

Dave Bittner: Are there any common misperceptions that you find organizations have when it comes to getting started with these things? 

Michael Powell: I think there's a expectation in both directions. So we support both trade and investment. The two markets are so similar that they could be trivial. I would say whilst yes, they share a language, and, you know, we clearly share a lot of similarity, as I've just said, the markets are actually very different. The reasons that people buy, the motivations, can be different. So actually, it's understanding that whilst they're similar in a lot of ways, there are differences, and when it comes to marketing your solution, there'll have to be a slightly different way that you go about doing that. 

Dave Bittner: What are some of the differences? 

Michael Powell: I knew you'd ask me that. 

Dave Bittner: (Laughter). 

Michael Powell: So I would really just say it's - for me, what I've seen, it's around buying. In the US people are very used to being sold to. So when I provide advice to UK businesses, I tell them, you know, be bold. Be very clear what your solution does. Ensure that you can differentiate it in 90 seconds from everybody else's solution. And get ready to actually have 100 conversations, and perhaps 10 through one of those will play out. 

Michael Powell: I would say the sell in the UK is often far more relationship driven. So it will be - ensure that you're attending the right forums. Show that you're present. Show that you are a thought leader. And demonstrate that you are there and that you're not just there to sell to the market, but you're also there somehow to contribute to the market itself. And having that presence over a period of time will then sort of engender a trust in your organization, which means you're far more likely to be successful in the UK market. 

Dave Bittner: That's Michael Powell. He's the cyber representative to North America for the UK's Department for International Trade. 

Dave Bittner: It turns out that CAPTCHAs - those I'm-not-a-robot questions designed to keep bots out of sites - can be used for evil as well as good. The good guys use automated tools to detect malware. And Ars Technica reports, citing Microsoft discoveries, that some criminals are now using CAPTCHAs with their maliciously crafted Excel files in order to help them steer clear of automated defenses. 

Dave Bittner: The US Justice Department yesterday issued its review of Section 230 of their Communications Decency Act. Section 230 has generally served to shield internet platforms from various forms of civil and criminal liability. The department recommends four categories of reform that it says would bring the balance of various interests into line with the ways the internet has evolved since the law was passed in 1996. 

Dave Bittner: The revisions would incentivize online platforms to address illicit content, denying Section 230 protection to genuine bad actors, carving out exceptions for terrorism, child abuse and cyberstalking and for case-specific carveouts that would remove protection from platforms that knew, in a specific case, that third-party content was illicit. 

Dave Bittner: The proposed revision would also clarify federal civil enforcement capabilities, promote competition and would help in, quote, "promoting open discourse and greater transparency by replacing vague terminology and defining good faith." 

Dave Bittner: Zoom, hearing the customers speak, has decided to reverse itself. The company will henceforth offer end-to-end encryption to all users of its remote conferencing service. 

Dave Bittner: And, finally, we note with respect and condolences the passing of Dame Vera Lynn, who died this morning at the age of 103. Famous as the force's sweetheart, whose songs - especially "We'll Meet Again" - comforted British soldiers, sailors and airmen during the Second World War, Dame Vera returned to the public eye two months ago when she offered similar encouragement to people struggling with COVID-19 and the measures being taken to control it. So we spare a thought for a life that was as well-lived as it was long. 

Dave Bittner: And joining me once again is Zulfikar Ramzan. He's the chief technology officer at RSA. Zully, always great to have you back. I want to touch today on your thoughts on what it's going to look like when we come out of this COVID situation. How are we going to approach privacy and security when we're on the other side of this? 

Zulfikar Ramzan: You know, first of all, Dave, I think that there's this interesting notion. If you think about COVID-19, it has been the single greatest accelerant of digital transformation in recent times. It's really forced people to embrace digital technologies. People have supplanted their physical presence at work with videoconferencing and collaboration tools. Classrooms have been replaced by distance learning environments. Movies are now much more - are streaming to our homes at a greater level of frequency than we've had in the past. Checkout lines at the supermarket are being sidestepped by people who are using on-demand grocery services and so on and so forth. Even our social interactions have shifted, right? Under lockdown conditions, we're conducting lunches, happy hours, play dates, we're having birthday parties and even funerals through virtual means. 

Zulfikar Ramzan: And so I think even though we've already known we could do many of these things for a long time, people are now availing themselves to digital capabilities and their benefits, given this broader context. And these changes, in my mind, are just the beginning. So I think it's going to set the stage for a world in which technology plays a much more prominent role, and that means areas like digital privacy and digital risk become more - I guess involve an increased notion that we have to consider. 

Dave Bittner: Well, what specifically do you think we're going to see going forward when it comes to privacy? 

Zulfikar Ramzan: So first of all, I think there's a big question around the notion of individual privacy, especially in a health context, versus systemic risk. And so today - and I'm sure it's true for each of us - our interest in the health status of any individual and the impact it can have on an overall system has never been greater. 

Zulfikar Ramzan: Now, in the future, I think we're going to see more and more that people will be required to prove or provide some form of attestation about the state of their physical health. And that could happen in different settings, and already we're seeing in some countries and some places where you can't board an airplane without having a temperature check done. You won't be able to come to work without, again, doing something similar along those lines or maybe even providing some type of attestation that you've been vaccinated, eventually, when a vaccine becomes available against COVID-19. 

Zulfikar Ramzan: Now, these scenarios, again, these are not dream scenarios. We already are seeing many of these scenarios come up, and what that means is that there's a question now about all this data that's being gathered about individuals and the implications that could have for data privacy. All of a sudden, organizations might have health data about me, and that data could be potentially very damaging. There's a question of, in my mind, not just privacy but fairness. And these notions are often conflated. You know, privacy is about - you know, with data, it's being collected and how it's safeguarded. Fairness is really about how that data is being used. And I think, in my mind, I truly worry that we could be in a situation where that data could be misused or abused if not cared for correctly. 

Dave Bittner: Well, and how do we ensure that we don't inadvertently leave people behind, you know, people who might not have access? If we're shifting to a scenario where more and more of our day-to-day lives are reliant on technology, I can envision that there are whole groups of people who would have trouble getting access. 

Zulfikar Ramzan: Absolutely. I think that's going to create, you know, a set of concerns. I mean, even - there's been a lot of work in the media recently around the idea of Bluetooth contact tracing. And the challenge of Bluetooth contract tracing - one of the challenges - is that not everybody has a Bluetooth phone or has a mobile phone that they're willing to allow in that process, even if they have the capabilities. And for these technologies to be successful in any way, shape or form, you need a critical mass of data. 

Zulfikar Ramzan: And I think that you're absolutely right - these are fundamental issues that are going to come up over and over again. The good news is that there's been a lot of work in epidemiology and other fields around how we can implement these types of mechanisms without digital technology. And so the idea of contact tracing, for example, has been around for decades. It's not new at all in the context of immunology and epidemiology. What is new, maybe, is trying to use digital technology to accelerate or make it more widespread. And so I think at the very least, we will have fallback mechanisms in key areas. But it's not always a good replacement in either case, and I think we have to struggle with how we can - how we're going to manage society in this future world. 

Dave Bittner: Yeah. All right. Well, Zulfikar Ramzan, thanks for joining us. 

Zulfikar Ramzan: Absolutely. Thank you, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. See you back here tomorrow.