The CyberWire Daily Podcast 8.28.20
Ep 1162 | 8.28.20

Stock exchange DDoS continues. Another criminal market exits. Pyongyang cybercrooks face criminal forfeiture. Instagram hijacking. Old malware returns. Treason’s motives. An attempt to hack Tesla.


Dave Bittner: Denial-of-service attacks continue to cripple New Zealand's NZX stock exchange. The Empire criminal market has exited and done so with its users' funds. U.S. authorities have filed for civil forfeiture of Hidden Cobra's stolen crypto assets. An Instagram hijacking campaign is underway. Qbot and Emotet are back and together again. The former Green Beret who allegedly spied for the GRU offers an insight into his alleged motives. We welcome our newest partner to the show, Betsy Carmelite from Booz Allen Hamilton. Our guest is Mark Calandra from CSC on their 2020 domain security report that revealed shortfalls among the Forbes Global 2000. And the unnamed company cited in the arrest of a Russian national this week has now been named. It's Tesla.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, August 28, 2020. New Zealand's NZX stock exchange continues to suffer disruption as it's subjected to further distributed denial-of-service attacks, The Guardian writes. Trading halts in its cash markets have disrupted NZX's debt, Fonterra shareholders' and derivatives markets. According to the AP, the Government Communications Security Bureau has been brought in to help with the investigation. The bureau so far has had no comment on the investigation. The Government Communications Security Bureau is New Zealand's signals intelligence organization and the rough equivalent of its Five Eyes sisters, the Australian Signals Directorate, Government Communications Headquarters, National Security Agency and Communications Security Establishment. 

Dave Bittner: Digital Shadows thinks it sees unmistakable signs that proprietors of Empire, the largest and most trusted English-language cybercriminal marketplace, have shut down and absconded with their clients' money. Empire offered a wide range of contraband. In Digital Shadows' list, the offerings included drugs, of course, software, especially malware, databases obtained from various sources including open media reports, counterfeit goods, especially forged identification documents like driver's licenses and passports, various guides and tutorials, goods purchased with stolen credit cards, various fraud items like bank accounts and information dumps and finally various security and hosting services attractive to the underworld, such as VPN subscriptions and bulletproof hosting. 

Dave Bittner: Empire's contribution went beyond simple listing and included other middleman services designed to make transactions run more smoothly and reliably: escrow services, an easy user interface and customer support to address problems and complaints. It seems it was, as is usually the case, the funds in the escrow accounts that were looted. On August 20, a moderator of Empire's Dread forum space announced that the market was fighting off a distributed denial-of-service attack but that it remained committed to its traditions of excellent, reliable service and would be back better than ever. Posts on the 21st and 24th urged people not to spread false narratives, that all would be well and that Empire was still working on that DDoS problem. On the 25th, a post announced success. The DDoS had been defeated, and, by the way, Empire wasn't planning to abscond with anyone's funds because, after all, they hadn't disabled withdrawals. 

Dave Bittner: But on the 26th, the moderator said that he or she was, quote, "crushed and ashamed by my admin's apparent decision to disappear with your funds," end quote. The moderator had believed in Empire until the bitter end, but now the money was gone. Digital Shadows emphasizes that Empire's exit is a very big deal for the underworld. The market had been a rare reliable place for criminal transactions. The researchers predict a turn from markets to old-school criminal fora and an increase in the use of private channels of communication. 

Dave Bittner: Check Point says that Qbot has resumed malspamming this month. The banking Trojan, which has been in use for more than 10 years, has acquired some new functionality - an email collector module that extracts the victim's email threads from the Outlook client and uploads them to a remote server. Proofpoint reports that Emotet also has returned and that the TA542 threat actor is using it to install Qbot. 

Dave Bittner: The Wall Street Journal reports that U.S. authorities are moving towards civil forfeiture of cryptocurrency stolen by North Korean government hackers. The Justice Department yesterday moved to seize 280 cryptocurrency accounts used by North Korean government hackers who stole more than a quarter of a billion dollars from various cryptocurrency companies around the world. One of those companies was based in the U.S. The civil forfeiture filing targets accounts North Korean hackers and their Chinese agents used to launder some $300 million stolen over the last two years. The Journal quotes Acting Assistant Attorney General Brian Rabbitt of the Justice Department's criminal division as saying, quote, "today's action publicly exposes the ongoing connections between North Korea's cyberhacking program and a Chinese cryptocurrency money laundering network," end quote. 

Dave Bittner: Trend Micro reported this morning that another campaign designed to hijack high-profile Instagram accounts is in progress. Like an earlier series of attacks, the hackers in this case are Turkish-speaking. The earlier attacks had used email. Phishing emails ask users to confirm their account to receive a verified badge. Should they click the verify account button the email presents, they're taken to a page that's set up to harvest the victim's email address, credentials and date of birth. Upon harvesting these, the threat actors have all the details they need to modify the information for recovering a stolen account. The current round uses text messages instead of emails. The message tells the recipient that a recent post of theirs contains copyrighted material, that the copyright holder has complained and that the recipient's account will be deleted. 

Dave Bittner: The text message, however, offers the recipient the opportunity to appeal their account's imminent cancellation. A link in the message takes the victim to an appeal form. Filling it out gives up the victim's credentials and then redirects the victim to a page that redirects them to their own homepage, lending the appearance of a successful appeal. The criminals use the stolen credentials to change the email associated with the victim's account. And from that point on, they have control of what they're looking for. In this case, the usual skepticism with which anyone should regard a request for credentials ought to provide a degree of protection; so should multi-factor authentication. And in this case, the poorly written non-native English usage should also be a dead giveaway that this isn't legit. 

Dave Bittner: The Washington Post reports that former U.S. Army officer Peter Rafael Dzibinski Debbins, charged with spying for Russia's GRU, has written a confession acknowledging his contact with the hostile intelligence service. In a statement prosecutors released yesterday, Debbins wrote, quote, "I had a messianic vision for myself in Russia that I was going to free them from their oppressive government, so I was flattered when they reached out to me. In addition, I was concerned what they would have done with my wife's family," end quote. Thus the motive for Mr. Debbins' activities seems to have checked three of the four letters in the hoary old counterintelligence acronym MICE. It wasn't the money, but ideology, compromise and ego all seem to have been involved. The alleged treason thus seems to have been overdetermined. 

Dave Bittner: And finally, circumstances surrounding the arrest and arraignment of a Russian national in the U.S. in connection with an alleged hacking conspiracy have become clearer. Egor Igorevich Kriuchkov, the Russian national arrested by the FBI and charged Monday with conspiracy to damage a computer at an unnamed U.S. company, allegedly offered an employee of that unnamed company $1 million to help install custom malware on the company's servers. The unnamed company has now been named. Teslarati reports that the intended victim was Tesla and, specifically, its facility in Sparks, Nev. The employee Mr. Kriuchkov approached declined the offer and worked with the FBI to make their case. The malware the conspirators wanted to install is believed to have been ransomware. Other conspirators are presumably in Russia, where they're safe from extradition to the U.S. and probably formulating vacation and honeymoon plans to avoid the more U.S.-friendly legal systems. 

Dave Bittner: Mark Calandra is executive vice president and general manager of the digital brands services division at CSC. He joins us with insights from CSC's 2020 Domain Security Report, which revealed significant enterprise domain security shortfalls among the Forbes Global 2000. 

Mark Calandra: We've been talking about domain and DNS security for quite some time, especially over the last couple of years as we've seen a real significant surge in domain and DNS hijacking attacks. And that led us to doing this study. We wanted to take a look at the Global 2000. We work with a good chunk of them, but we wanted to look at the Global 2000 holistically and just look at their security posture as it relates to domain, DNS and digital certificate security. And that was the basis for the study. And, you know, obviously, in this study, we shared some of the key findings publicly. 

Dave Bittner: Yeah. Well, before we dig into the key findings, can you give us a little overview of, what are the primary security concerns when it comes to DNS? 

Mark Calandra: What we've seen over the last couple of years in particular is a real increase in the frequency, sophistication and severity of these domain and DNS attacks. And we've seen this for a long time. Just for a little historical context, I mean, it goes back to 2008, when Kaminsky talked about the risks around cache poisoning, which is one kind of DNS attack, where DNS traffic can be redirected. And then in the early 2010s, we saw a lot of hacktivism, where groups - one that comes to mind is the Syrian Electronic Army - were looking to redirect domain names and websites, particularly of media organizations, to advance their political agendas. But now we're seeing cybercriminals, and some of these attacks linked to state sponsors, get access to domains and DNS to redirect websites, to intercept email, to redirect VPN traffic. And, of course, once attackers have access to domains and DNS, they can also issue new digital certificates, which allows them to decrypt email and passwords and so forth. So the motivation has really morphed from, again, hacktivism to some pretty serious cybercrime. And I think a lot of attackers out there have realized that getting access to domains and DNS is a pretty impactful way to do a lot of damaging things without actually having to directly breach a corporate network or infrastructure. 

Dave Bittner: Well, let's go through some of the key findings from your 2020 Domain Security Report. What are some of the things that stood out to you? 

Mark Calandra: Yeah. And again, like I said, I think they reaffirmed a lot of what we had already suspected. I think the punch line is there's a lot of very large companies out there that, we would advocate, really need to take domain and DNS security more seriously. And even some of those are companies that we work with, and we're going to continue to evangelize this. And that's why it's so great we get to talk to folks like you. But some of the key findings are - we found that over 80% - actually 83% of the Global 2000 have not even adopted something called a registry lock for their main domain name that powers their business. And for those who might not be aware, a registry lock essentially disables automation between a registrar and the registry so that if an unauthorized user gets access to a registrar/DNS console either by compromising the registrar or the end customer, they can't send an automated command to redirect the DNS for that domain name to redirect their website or redirect email and so forth. So that was one of the most important ones and one that seemed to get the most attention in the press and in the security blogs. But there's quite a number of other things that we looked at that we can talk about if you'd like. 

Dave Bittner: Yeah, what are some of the other findings that jumped out at you? Was there anything surprising in the results? 

Mark Calandra: Yeah, I think there were a couple others. The first is that we only saw that about 20% of the Global 2000 are utilizing enterprise-grade DNS hosting. So similar to what we just described about the difference between enterprise-class registrars and retail registrars, quite a few very important domain names that are powering important websites or other applications are using DNS services that, we would suggest, are probably not optimal in terms of potential downtime, susceptibility to DDoS attacks and so forth. So I would say that's the first one. 

Mark Calandra: The other one that we talk about quite a bit - I wouldn't say it's surprising, but we found that only 3% of these companies are utilizing DNSSEC, which is an important security control to mitigate those cache poisoning attacks that we talked about before. DNSSEC is a bit complicated to implement, and there are some pros and cons to it. But it is very effective with respect specifically to cache poisoning attacks, so we were expecting to see a bit more usage in that regard. And I do think - based on the attacks we saw over the course of the last 18 months and the recommendations that a lot of security experts like Mandiant and Talos and the security bloggers have been talking about, I do think we're going to see increased adoption in DNSSEC over the coming years. 

Dave Bittner: That's Mark Calandra from CSC. There's an extended version of our interview available on CyberWire Pro. Check it out on our website. 

Dave Bittner: And I am pleased to welcome to the show a new partner. It's my pleasure to introduce Betsy Carmelite. She is a senior associate at Booz Allen Hamilton. Betsy, welcome to the CyberWire. 

Betsy Carmelite: Thanks very much. 

Dave Bittner: Well, before we get going and start talking to you about some of the technical things we're going to cover, let's get to know you a little bit. Can you give us a little bit of your background? What's your professional journey been like? 

Betsy Carmelite: Sure. Primarily, it's been in intelligence analysis. And in the last 15 years, I focused on cyberthreat analysis. I've worked across the intelligence community - the Department of Defense, in federal government agencies and in the commercial spaces looking at cyber-adversaries and, more recently, looking at how to reduce an organization's attack surface by combining threat intelligence, vulnerability management and threat defense operations and looking at, really, the technical ways adversaries can exploit our networks and how to prevent that from happening. 

Dave Bittner: Can you give us some insights? I mean, what's your day-to-day like these days? What's a typical day like for you? 

Betsy Carmelite: Really diving deep and looking into threat actors, training analysts as well as how to look at threat actor TTPs - tactics, techniques, procedures - having them look at - map those to vulnerabilities to understand if those vulnerabilities can be exploited by those TTPs; also looking at and diving into - deep into an organization's countermeasures, security tools, seeing how all those marry up. But really, I love to focus on the critical thinking aspect of that, challenging our preconceived notions about how threat actors might behave based on history and really challenging analysts to look at how threat actors evolve and might be changing their TTPs over time and not to expect what you think you should expect. 

Dave Bittner: Can you give us some insights into that? I mean, how do you spread that message with your team? How do you instill that value in them? 

Betsy Carmelite: Sure. I always challenge them to look at their sources - look at the sources of their information, try to characterize their sources, look at how, in the past, a source is reported or if this is a new piece of information. And do we hold biases about that information that they're looking at? Think about that information from several different angles and not just at face value, which is really difficult because in a fast-paced work environment when you're doing analysis and providing technical assessments where clients need the information and they need to act on that information, it can be a challenge to spend that time and think through that problem. But that's really critical in getting the right kind of assessment and the thoughtful kind of assessment to a client. 

Dave Bittner: Yeah, it's really interesting. I mean, it sounds like it's - I mean, it's really an important sort of human factor in an otherwise technical area. 

Betsy Carmelite: Yeah. And that human factor to consider takes, I think, quite a long time to understand and adapt to. So I always say - you know, I've been an analyst for about 20 years. I always say to an analyst who's two years into it, six months into it, you know, 10 years into it, you're going to learn something new every single day. You should always be challenging your biases and the information that you're looking at. 

Dave Bittner: Well, we're looking forward to having you join us. Betsy Carmelite, thanks for joining us. 

Betsy Carmelite: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. We'll save you time, keep you informed. And it's 99.44% pure. Listen for us on your Alexa smart speaker too. Don't miss this weekend's Research Saturday and my conversation with Jen Miller-Osborn from Palo Alto Networks' Unit 42. We're discussing attackers cryptojacking Docker images to mine for Monero. Research Saturday - check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.