The CyberWire Daily Podcast 7.16.20
Ep 1131 | 7.16.20

Twitter takes down verified accounts after major hack (most service now restored). Russian influence operations. Cozy Bear’s biomedical intelligence collection. Spearphishing in Hong Kong.


Dave Bittner: Twitter sustained a major incident in which celebrity accounts were hijacked. British authorities call out Russia for an influence campaign mounted during last year's elections. Cozy Bear is back and sniffing for COVID-19 biomedical intelligence. Craig Williams from Cisco Talos on Dynamic Data Resolver, a plugin that makes reverse-engineering malware easier. Our guest is Ashlee Benge from ZeroFOX on emerging and persistent digital attack tactics facing the financial services industry. And Chinese intelligence services are spearphishing Hong Kong Catholics.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, July 16, 2020. 

Dave Bittner: Twitter sustained a major hack late yesterday afternoon around 5:30 U.S. Eastern Daylight Time. The incident embarrassed the company with takeovers of high-profile, verified accounts. The attack seems to have involved extensive and effective social engineering, perhaps, according to Motherboard, a bribed insider. The Wall Street Journal and others list Bill Gates, Kanye West, Joe Biden, Barack Obama, Elon Musk, Uber and Apple among the owners of affected, blue-checked accounts. Reuters reports that Twitter took the extraordinary step of suspending many verified accounts until it could get a handle on the problem. 

Dave Bittner: The incident's extent and preparation seem disproportionate to its ostensible objective - a hackneyed, grubby Bitcoin advanced fee scam in which an impersonator offers to return the mark's donation many times over. The wallet set up to receive donations accumulated about $100,000, but that sum probably doesn't represent the actual take, given the common criminal practice of salting their wallets with their own funds, the better to lend plausibility to the whole greasy imposture. 

Dave Bittner: It's certainly conceivable that a fair amount of ingenuity could be deployed in the service of a stupid and futile caper - see the whole history of lulz, of showbiz, and so forth. But some observers are speculating that this could be misdirection. Maybe the goons are after people's direct messages or account details. Or maybe it was a demonstration, showing that social media aren't the indestructible channels of communication we might complacently take them to be, especially given the increasing imposing role they've come to play in political campaigns and even emergency communications. The Telegraph grimly notes that one of the accounts taken offline was a National Weather Service feed that gave emergency tornado warnings. And, of course, there were storms in Tornado Alley during the outage. 

Dave Bittner: The most important thing to remember is that the story is still developing, and that the early takes on it are unlikely to be definitive. So suspend judgment. I reached out to our own Rick Howard, the CyberWire's CSO and senior analyst, to get his take on the Twitter breach. Here's what Rick had to say. 

Rick Howard: Well, it seems like, when you listen to the pundits out there, that this is a major meltdown of information security across the planet. And, you know, first, no, it's, you know - it's really not (laughter). But if you look at it from a intel analyst's viewpoint - right? - it's kind of a version of the business email compromise, but only using Twitter. You know, for a business email compromise, you would - the bad guys would compromise a senior executive's account and use it to ask maybe one of their employees to transfer money somewhere. And it's very similar to what happened here, right? But it's just, with Twitter, their accounts got compromised, and then they used those accounts to ask their followers to send the money, all right? And these accounts happen to be very, very popular Twitter personalities. So that was the first thing that popped in my mind. What did you think when you saw it? 

Dave Bittner: I think similarly. I think there's a part of me that sort of sat back and said, OK, here - you know, let's get out some popcorn and see how far this is going to go. 

Rick Howard: Yeah (laughter). 

Dave Bittner: I'm not too proud to say there was that. And you hope that... 

Rick Howard: (Laughter) I was secretly eating popcorn with you, my friend. 

Dave Bittner: Yeah. But, you know, how bad is this going to get? But I think we're all sort of conditioned at the moment to think that perhaps there is no bottom to that. The answer to that question is, you know, hold my beer, I think, because things can get very bad. 

Rick Howard: I know. In the scheme of things, you know, this isn't that big of a deal for most people, right? 

Dave Bittner: Right. Right. 

Rick Howard: The interesting thing to me though is we're still not sure how the bad guys got access to the accounts. There's two current theories. One was that key Twitter employees were hacked, got their credentials, and then the bad guys used those credentials to move laterally inside the Twitter network to get access to these high-valued accounts. That's interesting. 

Dave Bittner: Right. Yeah. 

Rick Howard: The other one, which is even more hair-raising, is that some key Twitter employees were bought off, right? And here's the classic insider threat thing that we all, you know, worry and talk about all the time. 

Dave Bittner: Right. 

Rick Howard: And we don't know what the answer is to that yet, but those are the two current theories. 

Dave Bittner: Do you have any insights as to what it's like to be a high-level security person when something like this goes down? Is this - have you ever been in one of these sort of all-hands-on-deck situations? 

Rick Howard: Yeah, they're not pleasant - all right? - because you spend your whole life, you know, trying to prevent these kinds of things, right? And for some reason, something that you didn't foresee happens. And now, you're doing two things. You're racing as fast as you can to try to figure out what happened so that you understand so you can stop it the next time, and then you're also talking to your bosses who, you know, are paying your salary to prevent these kinds of things. So it is stress on a high level when these kinds of things happen. 

Dave Bittner: Who do we see being the ultimate victims here? 

Rick Howard: I'm not so much worried about the victims who were fleeced. You know, if you see on Twitter one of these personalities ask for money and if it sounds too good to be true, it probably is, you know? So I don't have a lot of sympathy for them. One of the things that stuck out to me for those victims is that, you know, some of the Twitter messages - there was a time limit. You have 30 minutes to match my donation and you'll get double back. You know, the red flag should be, you know, flying everywhere. There should be red star streamers popping everywhere when you hear stuff like that... 

Dave Bittner: Right. 

Rick Howard: ...Not only on Twitter but when you go into the car dealership or anywhere, you know? So at least take time... 


Rick Howard: ...To seek a secondary source. The other big victim, though, here is, you know, Twitter, all right? So this is the event that we all talk about. Does this kind of thing cause us to lose trust in Twitter and stop using it more? I doubt that's the case. But that is - I think that's a more potential, more impactful victim. 

Dave Bittner: Yeah. Yeah. All right, well, Rick Howard, thanks for joining us and sharing your insights. 

Rick Howard: Thank you, sir. 

Dave Bittner: Speaking of elections and the campaigns that surround them, the U.K.'s foreign secretary informed Parliament today that Russian operators targeted the 2019 elections, seeking to influence voters through illicitly obtained sensitive government documents relating to the U.K.-U.S. Free Trade Agreement. The campaign staged the material through Reddit. It was a leak-and-dump campaign, with amplification through multiple channels. U.K. officials did not see a comprehensive, intensive influence effort, but they did observe what they take to be, nonetheless, a clear attempt by Russian actors to shape voting. 

Dave Bittner: Cozy Bear - that is, APT29, Fancy Bear's quieter and more refined cousin - is also back in the U.K. The National Cybersecurity Center warns in an alert that the SVR unit has been actively targeting British COVID-19 vaccine developers. The goal appears to be theft of intellectual property and other information relevant to biomedical research that's responding to the pandemic. The espionage campaign is using the NCSC's report, says WellMess and WellMail malware. 

Dave Bittner: GCHQ's NSCS (ph) isn't alone in reaching these conclusions. Its formal report was joined, cosigned and co-branded by Canada's Communications Security Establishment and by both the U.S. National Security Agency and the Cybersecurity and Infrastructure Security Agency. 

Dave Bittner: British Foreign Secretary Dominic Raab condemned the Russian activity. Quote, "It is completely unacceptable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic. While others pursue their selfish interests with reckless behavior, the U.K. and its allies are getting on with the hard work of finding a vaccine and protecting global health. The U.K. will continue to counter those conducting such cyberattacks and work with our allies to hold perpetrators to account," unquote. 

Dave Bittner: No one really expects the Russian Services to mend their ways. The Three Eyes, who signed on to the report, conclude with the assessment that, quote, "APT29 is likely to continue to target organizations involved in COVID-19 vaccine research and development as they seek to answer additional intelligence questions relating to the pandemic," end quote. 

Dave Bittner: The financial services industry has a big target on its back because, of course, that's where the money is. We checked in with Ashlee Benge from ZeroFox on emerging and persistent digital attacks facing the financial services industry. 

Ashlee Benge: So this report actually falls in line with one of my more interesting areas of research, and that is specifically within phishing and phishing kits. And so what we have kind of observed over the past couple of years is that there is this movement away from malware - if you think about the threat landscape as a whole, there is a movement away from malware in that more and more of the bad stuff, if you will, is actually phishing, as opposed to traditional malware. 

Ashlee Benge: And there are a couple of reasons for this, but one of the dominant reasons is that there is a new category of tools called phishing kits that make it very simple. And so even if you're an attacker that has really no technical skill whatsoever, you're able to buy one of these phishing kits, and it reduces really any of the technical work that you have to do in order to set up a phishing page. So we've seen that because of these kits, in part, and because it's so accessible, generally, to launch phishing attacks versus malware attacks, that there's been a tremendous increase in the presence of phishing. And a lot of the time, phishing kits will target fin serv organizations and banks because those targets are so lucrative. 

Dave Bittner: What are the recommendations, what are the take-homes here, in terms of people protecting themselves? 

Ashlee Benge: Sure. So I think one of the - and it's hard because user education really is the most important thing to help prevent these types of attacks, but that's also the most difficult thing to do. There is always an increase of awareness of these kinds of attacks, but some of these lures are actually quite good, and it really only takes one mistake before you put yourself in a bad situation. And so I would always urge people, when they are reading these emails, to verify senders, to make sure that the link that they're being taken to is what they would expect. If they're being contacted over text, say, or over a phone call and asked for personal information, if there is anything about the situation that is new or would set off alarm bells because it's never happened before, anything out of the ordinary is really probably a good indication that it may be a phishing attack and not necessarily the bank or financial institute itself. 

Dave Bittner: That's Ashlee Benge from ZeroFox. 

Dave Bittner: And, finally, a researcher who goes by the hacker name Arkbird has exposed a Chinese government spearphishing operation designed to conduct DLL-sideloading attacks against devices used by members of the Roman Catholic Church in the Diocese of Hong Kong. The phishbait includes both Vatican communications, modified to carry malware, and reports from Catholic news services in Asia, also altered to deliver the security services' payloads. The threat actor involved may be Mustang Panda. 

Dave Bittner: ZDNet notes that the campaign is effectively a twofer, targeting both Hong Kong and a religious minority Beijing has long regarded as unreliable and undesirable. Over the last two decades, Chinese anti-Catholic repression hasn't reached the genocidal levels currently being suffered by the country's Muslim Uyghur minority, but the cyber operation in Hong Kong may be an indication that it's hardening. 

Dave Bittner: And joining me once again is Craig Williams. He's the head of Talos Outreach at Cisco. Craig, always great to have you back. You have an announcement to make, a tool that you and your team are making available. What's going on here? 

Craig Williams: Well, the tool we've released is our IDA Pro plugin called Dynamic Data Resolver or DDR. You may remember it from 2019 when we released the alpha. Basically, it's the little blue hummingbird (laughter). So, you know, this is one of the tools that we've been developing, and I'm proud to say that, again, more proof that Cisco is doubling down on free and open-source software since the Sourcefire acquisition. You know, a lot of people were concerned about that. Hopefully, we put that myth to bed. But we're releasing 1.0 now. We've added some additional features. We've added some cool capabilities, and, hopefully, people enjoy it. 

Craig Williams: You know, at a really high level, what this plugin is designed to do is to allow one to reverse-engineer obfuscated malware more quickly and more efficiently. You know, if you think back to some of the samples we've covered this year, including ones like Astaroth, they were packed and obfuscated in, you know, reasonably complex manners, to the point where we even escalated them within Talos to the people who specialize in that. And we've designed tools like this to make that easier. 

Craig Williams: So if you look through the list of features, it offers some cool stuff. You know, you can do a little bit better program flow tracing. You can do a little bit better API logging. You can search for all kinds of fun stuff. And so it's a very complicated tool. It's definitely not one for nonsecurity analysts. But if you're doing reverse-engineering, I would encourage everyone to take a look at this because, hopefully, it could save you some time and help us all take down more malware families. 

Dave Bittner: For folks who aren't familiar with these tools - it's not part of their day-to-day - can you give us some insights as to how the folks who are doing reverse-engineering, having these tools in their toolbox, what sort of things does it provide for them? 

Craig Williams: Let me try and put on my CS-100 hat, right? 

Dave Bittner: (Laughter). 

Craig Williams: I've got to think back a few years. So if you think about the way a normal program flow would look - right? - like, a typical, nonobfuscated program, it would look like a very linear line. You know, and that would be, like, a very simplistic program. And you start adding complexity. Like, let's say you're looking at maybe, like, HelloWorld or something, and they're calling libraries to do a print or something. You could see it reach out to a complex library, call a couple of functions from that, and it's still going to look relatively linear, right? You may have some functions, depending on how you look at it, pop up. It's going to look like a straight line. It will have a very clear start and a very clear end. Obviously, when you get more complicated programs that have a lot of conditionals and branches and things like that, complexity climbs. 

Craig Williams: You know, when you look at a client server architecture model, on paper, it doesn't look too bad. When you start to look at actual programs, it can get bad, right? You get a lot of complexity added in. And so what the bad guys will do is they'll go into that program flow, and they'll intentionally modify it so that it's - I don't want to say unreversible, but it makes it much more challenging. You know, you really have to keep up with the current obfuscation methods and techniques. The things that you read in papers will help. 

Craig Williams: You know what? A great way to think of it is, if you know a programming language - and, you know, let's say you fall in a coma for a year, and you come out - right? - in this modern society, you're going to have a completely different set of programming languages. But the fact that you're familiar with the older ones will help you understand the new ones. And that's really kind of what goes on with reversing. You know, if you're familiar with older obfuscation techniques, you're going to see variants of that. You're going to see maybe things that are similar, even if it is a new technique. And so it's really a cat-and-mouse game, much more so than others. And I know we use that terminology a lot in malware research, but with reversing malware, it's incredibly true. 

Craig Williams: And so that's why tools like this are so helpful - because they help you take that step, where maybe a couple of extra things have been done, and it's confusing, and remove that level of obfuscation so that you can then recognize the layers underneath and then just keep unwrapping the puzzle until you get to the core and can understand what it's doing. 

Dave Bittner: All right. Well, if this is something that is up your alley, it seems that this is worth checking out. It's the Dynamic Data Resolver, the DDR. That is on the Talos website, part of Cisco. Craig Williams, thanks for joining us. 

Craig Williams: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.