The CyberWire Daily Podcast 8.14.20
Ep 1152 | 8.14.20

Bad Woodcutter is still bad, but not invincible. CactusPete is in Eastern European networks. Exploiting COVID-19. Celebrity endorsements (not).


Dave Bittner: An update on Fancy Bear and its Drovorub rootkit. Karma Panda, also known as CactusPete, is scouting Eastern European financial and military targets with the latest version of a venerable backdoor; how criminals and terrorists exploit COVID-19 and how law enforcement tracks them down. Caleb Barlow from CynergisTek covers security assessments and HIPAA data. Our guest is Ryan Olson from Palo Alto Networks on the 10th anniversary of Stuxnet. And those celebrity-endorsed investment scams aren't actually endorsed by celebrities, and they're not actually good investments.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, August 14, 2020. We spoke yesterday about the joint alert NSA and the FBI issued concerning a new malware tool set operated by Russia's military intelligence service, GRU. To recap briefly - the advisory described Drovorub - in English, that's woodcutter - which is malware deployed by APT28, and APT28 is, of course, Fancy Bear. Drovorub is a multifunctional Linux malware tool set consisting of an implant coupled with a kernel module rootkit, a file transfer and port-forwarding tool and a command and control server. So far, it seems that Fancy Bear is Drovorub's only user. Both NSA and the bureau offer advice on how to detect the malware and protect against it. The warning is being taken seriously. As The Register puts it, four words you don't want to see together are Fancy Bear Linux rootkit. 

Dave Bittner: Researchers at security firm Kaspersky have published an update on the activities of CactusPete - also known as Karma Panda, which we prefer because we like animal names - a Chinese APT that's using a new form of the Bisonal backdoor against defense and banking targets in eastern Europe. Bisonal isn't new. As ZDNet reports, it's been under active development for a decade, but it continues to evolve, and it's the latest evolution that's drawn the attention of researchers. Its ability to handle Cyrillic script suggests that its activities extend east through Ukraine, Belarus and Russia. The effort Kaspersky describes is a cyber espionage campaign, but it might also represent reconnaissance and battlespace preparation for more damaging attacks. Karma Panda has earlier been active against Japan, South Korea and the United States. Researchers at Cisco Talos say the group is run by the Chinese government. 

Dave Bittner: Fortinet's semi-annual global threat report notes that while it should at this point be obvious to everyone that the dramatic increase in remote work brought about by COVID-19 has created opportunities for cybercrime and espionage, nonetheless, they can't talk about threats in 2020 without discussing how the pandemic has shaped them. As they say, quote, "predictably, cyber criminals of all shades from opportunistic phishers to scheming nation-state actors found some way to exploit the pandemic for their benefit. Organizations around the world were suddenly confronted with a situation where they had to support a majority of employees working from home. For attackers, the shift presented an unprecedented opportunity to break into enterprise networks by targeting weakly protected home networks, consumer devices, VPN connections and video communication and collaboration tools" - end quote. 

Dave Bittner: And it's not just the expanded attack surface. It's also the anxiety over the virus that's rendered people susceptible to social engineering tailored to that anxiety. Two such cases are worth a look. In the first case, a cooperative enforcement action conducted with Vietnam's Ministry of Public Security, the U.S. Justice Department has moved against online COVID-19 scammers based in Vietnam. The Justice Department obtained a temporary restraining order against three residents of Vietnam whom prosecutors alleged to have engaged in a wire fraud scheme seeking to profit from the COVID-19 pandemic. Prosecutors say the three ran more than 300 websites that fraudulently offered products for sale when pandemic-driven demand rendered them scarce to the point of practically unavailable. You know those sorts of things - hand sanitizer, disinfecting wipes - products like that. Thousands ordered the goods but never received them. 

Dave Bittner: A U.S. district judge has ordered an emergency temporary restraining order whose effect has been to disable the websites. Further action against the alleged fraudsters can be expected. 

Dave Bittner: That's a traditionally criminal motive for COVID-19 fraud. The other COVID-19 fraud is still criminal, but less traditional. U.S. authorities have also taken action against online COVID-19-themed fraud committed to the benefit of Islamist terror groups, seizing millions in bitcoin. The groups that benefited from the fraud include ISIS, the al-Qassam Brigades and al-Qaida. The Department of Justice says it's issued three forfeiture complaints and one criminal complaint. 

Dave Bittner: ISIS was the group that allegedly ran the COVID-19-themed scam selling cheap knockoffs of personal protective gear through Unlike the straight-up crooks in Vietnam, ISIS apparently delivered at least some of the goods, but as the Justice Department notes, they weren't the FDA-approved N95 respirator masks the dealers said they were. 

Dave Bittner: Both the al-Qassam Brigades and al-Qaida were simply making direct appeals for bitcoin donations. They assured their donors that alt-coin donations were untraceable and therefore safe, and there's a good chance they themselves believe this. Al-Qaida included a Telegram-based bitcoin-laundering service in their offering. 

Dave Bittner: Cryptocurrency isn't, of course, necessarily untraceable, but it's acquired a kind of totemistic status in the charities established to support terrorists. The Justice Department used tools from the blockchain company Chainalysis to trace the funds. As Chainalysis says with understandable pride, their tool enabled the feds to uncover who sends funds, who helps launder funds, the goods and services they buy with the funds and more. 

Dave Bittner: And finally, Infosecurity Magazine reports that Britain's National Cyber Security Centre, a GCHQ unit, has seen so many bogus endorsements for investment scams fraudulently imputed to celebrities that it felt it necessary to warn people that, no, neither Ed Sheeran nor Sir Richard Branson is actually offering you a foolproof way of doubling or tripling your money, or more. 

Dave Bittner: NCSC has taken down more than 300,000 URLs used to run the scams. Of course, someone's making money. The funds the marks click through in order to place their investments - scammers have made out quite well from them. 

Dave Bittner: Time flies, as they say, and it's hard to believe it's been just about 10 years since the world learned about Stuxnet, the malicious computer worm believed to be responsible for causing substantial damage to Iran's nuclear program. Ryan Olson is vice president of Palo Alto Networks Unit 42, and he joins us with thoughts on Stuxnet as well as the 2020 Unit 42 IoT Threat Report. 

Ryan Olson: So late last year, Palo Alto Networks acquired a company called ZingBox, and ZingBox was an IoT-focused company. They collected a lot of data in the past around the types of IoT devices that they had seen inside of networks, as well as the vulnerabilities that those devices have. And based off that data, we collected it together and did some analysis, and that's really what led to the report. So it was the sudden influx of a whole bunch of data specifically related to IoT, as well as a lot more expertise in the world of IoT. And we saw an opportunity to start talking more about the fact that there are a lot of threats related to all of these tiny computers spread out around the world. 

Dave Bittner: Yeah. Well, let's go through some of the key findings together. What sort of things came to the surface here? 

Ryan Olson: So there were a few things that were especially interesting to us. And one thing to keep in mind is a lot of the data that ZingBox had acquired that we were working with was related to medical IoT, so lots of devices in hospitals and other sort of medical environments, although it was more broad than that. Enterprise IoT was also encompassed in the report. 

Ryan Olson: There were a couple really interesting findings. And the one that was most interesting to me was the number of medical IoT devices that were running outdated software, software that was no longer supported, and specifically operating systems. So what we saw was Windows 7 went out of support earlier this year. That meant 83% of the devices - medical IoT devices that we were looking for, and specifically imaging devices - things like X-rays and other systems that do medical imaging - were running one of these out-of-date, unsupported operating systems, which means Windows 7, Windows XP - those are the big ones. Eighty-three percent is a pretty significant proportion of them. And that means they're not getting updates anymore. But also, those devices are all pretty old. Like, if you imagine a computer - a Windows computer that's still running Windows XP, it's got to be relatively old getting deployed out in the world. And it comes with a lot of vulnerabilities. And because of that, we tend to see lots of old malware just sort of bouncing around inside of these networks. Conficker is one that we still see inside of hospitals spreading from device to device, even though the vulnerability is from - that it exploited was from 2008. 

Dave Bittner: Right. Well, take us through some of the threats that you were tracking here. When the bad guys are coming after IoT devices, what sort of things are they doing? 

Ryan Olson: The main thing that we've been tracking is the exposures that are happening for these devices. So how are they configured? What kind of vulnerabilities exist inside them? Sort of, we categorize these all as security issues. So in a lot of cases, the issues that we found were related to passwords - default passwords that are left on the devices, as well as network-exploitable vulnerabilities where someone could execute some sort of code on the device. But most of the actual attacks that we saw, that we identified were commodity malware that was spreading around, infecting Windows systems, as well as devices that were simply being taken over and being used for things like cryptocurrency mining, cryptojacking. Oftentimes we might refer to it that way. 

Ryan Olson: So not super significant impact against the devices themselves. But that, I think, has more to do with the fact that the people who launched those attacks whenever they did so, they did so indiscriminately, where a worm is spreading around just sort of trying to hit every single device that might contain a vulnerability. Or a worm like the kinds of router worms that we've seen in the past, like Mirai, where they spread to as many Wi-Fi routers as possible, take advantage of them through either vulnerabilities in the routers, or network-connected devices or default passwords, credentials that are left on the devices and are unchanged. But I think that tide is going to shift as more attackers realize the resource that could be potentially available to them through these IoT devices as they continue to proliferate inside of networks. 

Dave Bittner: Well, my pal Joe Carrigan, who works at Johns Hopkins, he says, you know, says that over on the hospital side of things that, you know, when a doctor or a surgeon is faced with a choice between medical care and security, medical care wins every time. And there's no discussion, you know, (laughter) so, I mean, that's the reality of it. And so that's the, you know, I guess, that's the framework within which the security folks need to operate. 

Ryan Olson: Yeah. And that's what we should expect. And that is - it is different when - if you've been working in information security and your entire focus is just on the information and the systems themselves, once those systems are more interacting with the real world, it changes everybody's concept of what happens. And this is one of the reasons that Stuxnet - which we're coming up sort of on the 10-year anniversary of that huge attack - was so significant in changing the way that people thought about what was possible from an attack perspective. The fact that a - someone or a group could write malware which would spin up centrifuges and then spin them down and surreptitiously destroy them over time to degrade the Iranian nuclear capability - like, this was science fiction until 10 years ago. But it became very possible. And I'll say Stuxnet is one of those few pieces of malware that if you were to ask - and I might be a little skewed on this - but not a random person on the street, but certainly more people know about Stuxnet from a malware perspective than any other piece of malware I've ever mentioned. 

Dave Bittner: Yeah. 

Ryan Olson: Because it was - and a lot of that was because it crossed that cyber-physical barrier. It wasn't about destroying information. It wasn't about stealing your data. It wasn't about corrupting your data. It was about breaking things. And I think that makes attacks a lot more real for people, and that's entirely the world of IoT. It breaks things. Things break when IoT systems don't work anymore. 

Dave Bittner: That's Ryan Olson from Palo Alto Networks. There's an extended version of our interview available on CyberWire Pro. Check it out on our website, 

Dave Bittner: As you may have heard, the CyberWire's new subscription program, CyberWire Pro, is designed for security professionals - and all others - who want to stay abreast of cybersecurity news. CyberWire Pro is a premium service that will save you time and keep you informed. You may be saying to yourself, hey, that sounds great and something my entire organization can benefit from. We think so, too. With the CyberWire Pro Enterprise subscription, you can make that happen. You can help to keep your organization up to date with the latest news, analysis and trends across the evolving cybersecurity landscape, save some money and look like a hero at the same time. We've got great discounts for government, commercial teams and academia, too. To learn more, visit and click on the contact us link in the Enterprise box. That's Click contact us in the Enterprise box, and we will help you become that office hero. 

Dave Bittner: And I'm pleased to be joined once again by Caleb Barlow. He is the CEO at CynergisTek. Caleb, it's great to have you back. I wanted to touch today on security assessments, particularly as they apply to things like planning and budgeting - some of the stuff that you deal with from time to time. What can you share with us? 

Caleb Barlow: Well, you know, I think the first thing we have to think of, Dave, in all of this is, how do we think about security assessments differently in this world of COVID, right? And so my answer to your question would totally change from the last six months. And, you know, I always like to start thinking about this by realizing that the adversary's human and they too have been impacted by this, you know. They're trying to find a quiet place in the house to work away from the family. And remember, their budget has probably also been impacted. It's not like targeting travel sites is probably going to do you any good in the middle of this. 

Dave Bittner: Well, here we sit - you know, we're a couple months in now. And is it fair to say the transition is done, that we're kind of - we're settled in for the longer haul now, that it's time to calibrate and set the standards for this new normal? 

Caleb Barlow: I think that's exactly it. And I think we have to stop thinking about what happens when we all get back to the office. And I think we have to accept this as the new normal. And I'll do one of the things security guys should never do and use a medieval castle analogy, right? So, you know, it's like we had the medieval castle. We spent extra money on the alligators in the moat and the archers on the wall. And COVID started, and we just told everybody, run. Get the hell out of the castle as fast as you can and social distance. So we're all now running around. The princess has got the jewels around her neck, and she's running around the forest. 

Caleb Barlow: So what this ultimately means, though, is that attack surface has totally changed. You know, the workstation your employee's using wasn't sanctioned by the company. It was set up in a hurry. It's a shared workstation the kids play games on in the evening. The VPN was poorly configured, and no one really knows how it terminates. The home router's full of vulnerabilities, and there's probably bitcoin mining on the side and hasn't been updated since it was purchased. So, you know, the point is there's a whole new slew of vulnerabilities that are going to make it much easier for the adversary. And here's the really hard thing for security professionals. Your security assessment now actually needs to look at the home network. 

Dave Bittner: Where do you begin? Because everyone - you assume everyone's home network is a little bit different. So rather than, you know, being able to standardize on one thing at the office, it's a whole series of one-offs. 

Caleb Barlow: Well, OK. So there's a couple of things actually you can do. First of all, consider paying for the router. And better yet, like, a lot of - you know, a lot of companies got out of paying for your home network connection. And most, you know, ISPs, you can rent the home router. And I would actually think that maybe that's a good idea - right? You know, go rent the router from Comcast because all you got to do to update it is go take it into the office, and they'll give you a new one - right? - if you're renting it. Mandate that employee workstations you control. So if you - doesn't mean you can't do BYOD, but you have to have your security platform on top of that workstation that your employees are using and lots and lots and lots of education. You know, it is not appropriate to be at home using the same workstation that junior plays Fortnite on to also go access medical records. That's just a bad idea. 

Dave Bittner: You mentioned medical data. What about HIPAA considerations? How does that come into play? 

Caleb Barlow: Well, I'll tell you. Now, my company's had to deal with this, as an example, right? We, generally speaking, don't access patient records, but we do a lot of privacy monitoring. So when we're chasing down a case, you know, we potentially run across inadvertent use of medical records, which ultimately means our people are seeing medical records - right? So you know, we used to mandate that this work was done 100% in the office. Well, guess what? Can't be done in the office anymore. 

Dave Bittner: Right. 

Caleb Barlow: So we worked with clients and let them know what we were doing. We put in place, you know, new levels of VPN protection, end-to-end encryption. We ensure that that workstation that is being used on is one that we control. And we actually took precautions to make sure we understood - what was the environment you're working in at home? You know, are you in a place where you can actually close the door? And you know, even in some cases take a picture of it, send it to us and make sure we can check it out - right? 

Caleb Barlow: And you know, it sounds like a bit of a patchwork, but just by asking those questions, you start to instill the right culture. So yes. I mean, you know, you also have to understand, particularly with HIPAA, is regulators have largely put a lot of the restrictions around telemedicine aside. And that was the right thing to do. And now we need to figure out how to get it back under control. But guess what? The genie is out of the bottle, and it's never going back in. 

Dave Bittner: Yeah. 

Caleb Barlow: This remote work thing is here to stay. Telemedicine is here to stay. In fact, telemedicine probably accelerated by 10 years, which is great. Now we need to secure it. 

Dave Bittner: Yeah. People are demanding it. They like it. 

Caleb Barlow: Absolutely. 

Dave Bittner: Yeah. Yeah. All right. Well, interesting insights, as always. Caleb Barlow, thanks so much for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, keep you informed, and make every weekend feel like a three-day weekend. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: Don't miss this weekend's Research Saturday, where I speak with Liviu Arsene from Bitdefender. We're going to be discussing the StrongPity APT, which has been targeting victims in Turkey and Syria. That's Research Saturday. Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.