Dave Bittner: A look at the state-based cyber actor the Australian Government is concerned about. Some signs of Chinese retaliation for Five Eyes' skepticism of Huawei. Johannes Ullrich explains malware triggering multiple signatures in anti-malware products. Our guest is Geoff White, author of "Crime Dot Com," on how he tracked down the creator of the Love Bug. And an alert about the possibility of some COVID-19-themed fraud from the Lazarus Group.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, June 19, 2020.
Dave Bittner: Australia's Prime Minister Morrison has said that Australia is under massive and sustained cyberattack. The Wall Street Journal quotes the prime minister as saying, "we know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting and the tradecraft used." He added that all levels of government and most economic sectors are among the targets.
Dave Bittner: The actor may be sophisticated, but most observers aren't moving from that to a conclusion that the attacks themselves are advanced or complicated. To judge from yesterday's Australian Signals Directorate advisory, the attacks for the most part hit known vulnerabilities with copy-and-paste open-source, proof-of-concept exploit code used against public-facing sections of the infrastructure. For the most part, the state-based cyber actors are going after a remote code execution vulnerability in unpatched versions of Telerik UI. In other cases, they are chasing a deserialization vulnerability in Microsoft Internet Information Services, a 2019 SharePoint vulnerability or a 2019 Citrix vulnerability.
Dave Bittner: When that approach fails, the attackers resort to familiar spearphishing. The ASD warned that the spearphishing has taken several familiar forms, including links to credential harvesting websites, emails with links to malicious files or with a malicious file directly attached, links prompting users to grant Office 365 OAuth tokens to the actor, use of email tracking services to identify the email opening and lure click-through events.
Dave Bittner: The state-based actor has shown some talent for conducting reconnaissance of target networks to identify vulnerable services. And ASD thinks the actor may be assembling and maintaining a list of public-facing services, so it can hit them quickly after new vulnerabilities are released and before the targets get around to patching them. They're also pretty good at identifying development, test and orphaned services that tend to be overlooked or even forgotten by the organizations that own them. These activities do argue for a good degree of intelligence and sound management. If we understand sophisticated to refer to a solid understanding of how to serve as targets, as opposed to the more usual connotation of exotically crafted, never-before-seen malware, then perhaps the prime minister has a point. In that sense, the state-based group can indeed be called sophisticated.
Dave Bittner: So, OK, we keep saying state-based group because that's what Mr. Morrison calls them. But straight-up, friends, we're obviously talking about China. The prime minister has refused to be drawn on attribution, but he's generally believed to be describing a Chinese government campaign. ZDNet quotes think tank sources to the effect that this particular frog has been boiling for years, which raises the question of why the prime minister would choose this moment to issue his warning. Other sources, for the most part former officials, are telling the Australian Broadcasting Corporation that the campaign may represent payback for Australia's hard line on Huawei.
Dave Bittner: So there seems to be a mutual dance of deniable accusation going on here. China hasn't yet commented on Prime Minister Morrison's press conference, but it's denied involvement in recent high-profile attacks on Australian institutions, including Parliament. Those denials haven't been generally believed. Perhaps they're not intended to be believed. The operations walk and quack like Chinese operations, and as The Wall Street Journal points out, you can hide your footprints, but sometimes it's useful to leave the tracks out there for the world to see.
Dave Bittner: The prime minister appears to have two motivations in making his statement. First, he's offering China a veiled warning. And second, he's also interested in changing behavior in his own government agencies. After all, for crying out loud, will you please get serious about keeping your systems patched and under control? There's a state-based panda pawing at you.
Dave Bittner: There may be some other Chinese payback for Five Eyes' treatment of Huawei. Two Canadians, Michael Kovrig and Michael Spavor, were arrested 18 months ago, shortly after Huawei CFO Meng Wanzhou was detained in Vancouver on an American bank fraud beef. The Wall Street Journal reports that the two have now been formally charged with espionage.
Dave Bittner: Michael Kovrig, a Canadian diplomat on leave to work with the International Crisis Group, was charged with probing into state secrets and intelligence on behalf of foreign actors. Michael Spavor, an entrepreneur, was accused of probing into and illegally providing state secrets to foreign actors, according to municipal prosecutors in Beijing and Dandong.
Dave Bittner: Both of the Canadian men were in China in connection with their interest in North Korea. Mr. Kovrig was preparing a report on the DPRK, and Mr. Spavor ran the not-for-profit Paektu Cultural Exchange, which facilitated travel to North Korea.
Dave Bittner: Ms. Meng, currently out on bail in Vancouver, is facing the slow process of extradition to the US. A recent Canadian court decision made it more likely that she'll be sent stateside, but her American court date, if it should ever arrive, still lies in the indefinite future.
Dave Bittner: North Korea's Lazarus Group is said to be preparing a large-scale phishing campaign against targets in South Korea, Singapore, Japan, India, the United Kingdom and the United States. The countries all have put large COVID-19 economic relief programs in place, and ZDNet reports that Pyongyang's COVID-19 phishbait is expected to serve financial fraud. ZDNet credits Cyfirma with the relevant threat research. SingCERT today posted a warning for Singapore businesses.
Dave Bittner: North Korean cyber operations in general and those of the Lazarus Group in particular have tended to concentrate on either espionage or financial gain, with an occasional attempt at influence. The influence attempts generally haven't proceeded very happily, but Pyongyang has shown that it has the chops to conduct both espionage and fraud. So businesses beware.
Dave Bittner: My guest today is Geoff White. He's an investigative journalist based in the U.K. and author of the book "Crime Dot Com," which will be published in August. Our conversation centers on his globe-trotting investigation to find the creator of the Love Bug computer virus 20 years after its initial release.
Geoff White: The Love Bug virus was unleashed in 2000 - May 2000. It went around the world and infected tens of millions of computers, it's estimated. And the person behind it, the person who did all of this, was never actually convicted. It was never settled who unleashed it, who created it and so on. There were some suspicions at the time, but the whole thing was a big question mark. So I thought that was worth looking into.
Geoff White: And also, the other thing is, for me, the Love Bug kind of sums up the big thing about cybersecurity. You know, it's not necessarily about computers and code and hardware and software and so on; it's about people. You know, the reason the Love Bug worked was because everybody wants love.
Dave Bittner: (Laughter).
Geoff White: And so when they received an email that looked like a love letter, which is what the Love Bug did, they answered it. So for me, it was the perfect sort of social engineering, psychological, people-focused attack, and I just thought it was a great place to start talking about cybersecurity.
Dave Bittner: Can you take us back - remind us, you know, back around the year 2000, what sorts of protections would people typically have in place in terms of backups and, you know, the things that we think of as being routine these days? What was the state of things back in 2000?
Geoff White: Well, you know, cybersecurity was on the agenda in 2000. It wasn't that there hadn't been viruses. There'd been one a couple of previous - couple of years previously to this called the Morris worm, which, again, spread from computer to computer. Companies had antivirus software. The issue with the Love Bug, another reason this highlighted some issues early on in cybersecurity, was that because of the way the virus was written in those days, if you got it and downloaded it, yeah, you might get infected. But then you've got a copy of it. So people started deliberately trying to get infected, so they could grab a copy of the virus, reformat it, rework it and rerelease it. And so some of the antivirus software that was looking out for something like Love Bug would get caught out because the next iteration of Love Bug that somebody had tweaked very slightly would get through its defenses. So that was the sort of set-up at the time. And in terms of, you know, backups of information, some companies were switched on to that and had a disaster recovery, you know, as it's called in the trade. But a lot of companies wouldn't have had that. They wouldn't have seen the effect of that. And certainly, the idea of an email being able to spread and spread so fast and destroy everything in its path - that came completely out of left field for a lot of people. So it really was - it's a perfect storm.
Dave Bittner: So how did you begin your journey now? I mean, decades after it began, where did you begin?
Geoff White: Well, there were lots of rumors about who was behind the Love Bug. So the police investigators were looking at where the passwords, the stolen passwords were being sent to. And they discovered that it was an email address that had been registered in the Philippines. It didn't take them long to work out an apartment in the Philippines that the email address was registered to. So they pitched up there. And they found some people living in the apartment. And they pretty soon discovered that someone connected to them was a computer science student at a nearby university called Onel de Guzman. Also implicated in this was Onel de Guzman's classmate, a guy called Michael Buen. Now, the difficult problem for the investigators in the Philippines at the time was that there was no law against computer hacking in 2000 in the Philippines, something that it seems that Michael Buen, Onel de Guzman and their buddies knew only too well...
Dave Bittner: (Laughter).
Geoff White: ...Because they were part of a kind of underground community of students who were creating viruses and experimenting with viruses and, in some cases, leaking them. So when the investigators found Onel de Guzman, they couldn't prosecute him. There was a forum, a Filipino-language forum in which somebody said, oh, Onel de Guzman - and this was, I think, in 2016-ish, 2015 - working at this particular market on a mobile phone store. You know, he's a local hero. And so I thought, well, that's the best lead I've got (laughter). Let's go to Manila, find the market, find the mobile phone store. And, you know, who knows? (Laughter) So I started going around. I thought, how can I find this guy? And I knew that the photo wouldn't be any good because the photo is 20 years old. So I wrote his name down on a piece of paper. And I went from stall to stall, just showing it to people at random. And sure enough, he turned up. And we went for coffee. And I expected that I'd have to sort of tease the information out of him, and I'd have to sort of put the evidence to him to a point where he couldn't deny it. But actually, he admitted it straight away. He not only admitted that he wrote the virus and unleashed it. He said that it was just him and that his colleague Michael Buen - his classmate Michael Buen - was nothing to do with it. So I was able finally to, A, clear up who had unleashed the virus but, B, exonerate the guy over whom a question mark has hung for the last 20 years. In the ensuing years, Onel de Guzman didn't go back to university. He was at college at the time. He was a computer science student. And, you know, I've spoken to some of his colleagues - people around the same time at the same college. And they've gone on to really good careers. Onel de Guzman didn't. He didn't go back. He didn't graduate. He had to lie low for a couple of years. He didn't touch a computer for a couple of years.
Geoff White: And the stall that he's working on now, it has to be said - he's not - I mean, he's in his element. He's surrounded by volt meters and screwdrivers and disassembled phones. And, you know, it's a sort of techie's den that he probably loves. But I can't help thinking that his life could've turned out very differently had that one thing not happened back on the 4th of May 2000, had he not pressed send on that one e-mail.
Dave Bittner: Our thanks to Geoff White for joining us. His book "Crime Dot Com" will be published in August. There's an extended version of our conversation up on CyberWire Pro in the Interview Selects. And now a word from our sponsor BlackCloak. Securing your company's data, intellectual property and reputation is job No. 1. But you have a big gap. You can only secure your executives' computers and devices that are part of the corporate network. You can't control the cybersecurity or privacy of their homes, devices, personal accounts or other family members. Attackers know this and, especially in these trying times, are actively exploiting the soft underbelly of the company by targeting your executives' digital lives. BlackCloak's cybersecurity platform solves your coverage problem. Their trusted team actively protects all personal devices, accounts, homes and family members so that a breach on the personal side doesn't take down your company. In fact, over 37% of BlackCloak customers have an intrusion discovered during their onboarding. Onboard your executive team in under a week. Protect your company by protecting your executives. To learn more and partner with BlackCloak, go to blackcloak.io. That's blackcloak.io. And we thank BlackCloak for sponsoring our show.
Dave Bittner: And I'm pleased to be joined once again by Johannes Ullrich. He is the dean of research at the SANS Technology Institute, also the host of the ISC StormCast podcast. Johannes, it is always great to have you back. You and your team have been tracking some interesting things with some malware that's been doing some triggering in some anti-malware software. Fill us in on the details here.
Johannes Ullrich: Yeah. This is an experiment that one of our handlers, Xavier Mertens, ran. And what he looked at is, hey, what if a malware actually contains more than one malicious signature? And what he did here as a test is he used Mimikatz. If you're not familiar with Mimikatz, it's software that's often used by the bad guys but also by penetration testers to steal password hashes from memory. So it's well known, well recognized. Pretty much all anti-malware will flag it as malicious. So he took this tool, and then he added a little string to it called the EICAR string. This is a very specific string that's used to test antivirus. So whenever a file contains this string, usually in the beginning, it will flag it as malicious but say, hey, this is a test file.
Johannes Ullrich: So what he did is he added this EICAR string to Mimikatz and then checked what will happen. What will antivirus tell me? Will it tell me this is Mimikatz? Will it tell me that this is a test file that's harmless? Or will it tell me both? And what he found is that, actually, much antivirus or many antivirus tools will flag it now as - EICAR as a harmless test. Execution may still get blocked here in this case. But an analyst looking at the logs, looking over a system, may say, hey, you know, this is just a harmless test file. Maybe someone, you know, ran a test. This is not something that will cause any damage. And they may now ignore this alert.
Dave Bittner: Yeah, that's interesting. So - what? - do we suppose that the anti-malware tools are - you know, they see - they flag something, and then they stop? They don't look any further?
Johannes Ullrich: Correct. That's what's happening. And many of them only have the capability to flag one alert per file. This has happened, also, for example, with network intrusion detection systems. If you have an attack, for example, against a web server, the attacker, within one session, is launching multiple attacks, where only, like, the first three or four often are being detected. So if the first three or four of the attacks are just probing and trying to figure out what the web server is vulnerable to but then, later, the exploit is actually being sent and is successful, the tool may miss that very important fact.
Johannes Ullrich: And sometimes this is the configuration of the tools. But it would be nice if the tool would, yeah, scan the entire file - not just stop at the first hit - and maybe rank the signatures, where they say, hey, that this is Mimikatz is actually more important than that this is EICAR. So let's - if you can only send one alert, let's send the more severe alert.
Dave Bittner: Right, right (laughter). Exactly, exactly. So what are your recommendations here in terms of folks protecting themselves?
Johannes Ullrich: Well, always second-guess your tools. Tools can be wrong, and this is a sad truth in this business and something that's often overlooked. A lot of analysts, a lot of security people do overly rely on their tools. Understand how your tools work, experiment with them and know their limitations. This is so important in this business and something that's often overlooked, where someone just, you know, reads a quick blog post to figure out how it all works and doesn't really bother himself to ask the hard questions and dive in deeper.
Dave Bittner: So should the folks who are making these anti-malware tools, should they be on alert to maybe up their game as well?
Johannes Ullrich: Yeah, definitely. They should be aware that a particular piece of malware may trigger multiple signatures, and it could even happen sometimes, you know, sort of accidentally, where an attacker will just bundle multiple tools in one file. I've seen this quite often. As an analyst, I need to know that this is more than one particular piece of malware. Another sort of problem that I often see is that the analyst then goes back and cleans up the system and only removes the one piece of malware that was actually triggered on. But that act of cleaning up is always dangerous and highly discouraged. But there'd be no life. You want to get back into business. You want to - you don't want to restore the system from backups that you may or may not have. So a lot of folks are a little bit careless there, and the antivirus tools often give them the wrong signals.
Dave Bittner: Yeah, and the bad guys can take advantage of that.
Johannes Ullrich: Right. Yes.
Dave Bittner: Yeah. All right, Johannes Ullrich, thanks for joining us.
Johannes Ullrich: Thank you.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Dave Bittner: Don't miss this weekend's Research Saturday and my conversation with Ashley Graves from AT&T Alien Labs. We'll be discussing Slack phishing using webhooks. That's Research Saturday. Check it out.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. See you back here next week.