The CyberWire Daily Podcast 9.16.20
Ep 1174 | 9.16.20

VPNs in Tehran’s crosshairs. US indictments of foreign cyber threat actors. Strife exacerbated by social media. ByteDance’s plan for TikTok.


Dave Bittner: CISA and the FBI warn of extensive Iranian cyberattacks that exploit flaws in widely used VPNs. The U.S. indicts two men for website defacements undertaken for the benefit of Iran and in retribution for the U.S. drone strike that killed Quds Force commander Soleimani. The U.S. has also indicted seven in a cybercrime and cyber-espionage wave conducted in conjunction with Wicked Panda. Ethiopian strife made worse by social media. Joe Carrigan describes scammers using fake alerts on websites. Our guest is Kevin Ford, CISO of the state of North Dakota, on their move to offer free anti-malware to all state K-12 institutions. And ByteDance's plans for TikTok grow clearer.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 16, 2020. 

Dave Bittner: CISA, the U.S. Cybersecurity and Infrastructure Security Agency, has warned in a joint alert issued with the FBI that threat actors based in Iran have increased their exploitation of known vulnerabilities in virtual private networks. VPN use has spiked during the pandemic, and the attackers are taking advantage of the expanded attack surface. Federal agencies are being targeted. So are private sector organizations, mostly in health care, technology, financial, insurance and the media. 

Dave Bittner: The attackers are making much use of three web shells - Tiny, China Chopper and ChunkyTuna - and tunneling tools FRPC and Chisel, with FRPC used over port 7557. CISA and the FBI note that the Iranian threat actors use ngrok a great deal, and this may appear as TCP port 443 connections to external cloud-based infrastructure. 

Dave Bittner: The two agencies offer some advice for mitigating the risk these campaigns present. They come down, for the most part, to sound digital hygiene. 

Dave Bittner: If you haven't patched for the Citrix CVE-2019-19781 vulnerability, do so. CISA alert AA20-031A offers some recommendations in this regard. 

Dave Bittner: You should also, as a matter of routine, audit your configuration and patch management programs. The agencies also recommend monitoring network traffic for unexpected and unapproved protocols. 

Dave Bittner: They recommend using multifactor authentication and implementing the principle of least privilege with respect to data access. 

Dave Bittner: And, of course, keep software up to date. You can read the whole thing yourself in CISA alert AA20-259A. 

Dave Bittner: The warning came as tensions between the U.S. and Iran remain high. Iran is under unusual public pressure from the recent U.S.-brokered rapprochement of Israel and some of Iran's regional Arab rivals, notably the United Arab Emirates. 

Dave Bittner: The U.S. Justice Department yesterday unsealed its indictment of two Iranians in connection with their alleged defacement of websites in response to the U.S. drone strike that killed Iranian General Soleimani during his activities in Baghdad. 

Dave Bittner: The two men charged are accused of what would appear to be patriotically motivated cyber vandalism. They began working together in December of last year but began the defacement campaign that led to the charges after January's drone strike that killed the Quds Force commander outside the Baghdad airport. 

Dave Bittner: The two are charged with conspiring to commit intentional damage to a protected computer and with intentionally damaging a protected computer. The first charge carries a sentence of up to five years in prison, three years of supervised release and a fine of $250,000 or twice the gain or loss - whichever is greater. The second charge provides for a sentence of up to 10 years in prison, three years of supervised release and a fine of $250,000 or twice the gain or loss - whichever is greater. 

Dave Bittner: Joseph R. Bonavolonta, special agent in charge of the FBI Boston Division, pointedly said in the Justice Department press release that the two are now effectively unable to travel outside the Islamic Republic or the Palestinian Authority without risking arrest and extradition. Denial of free travel is one of the costs commonly imposed on criminal hackers outside the reach of the U.S. government, even when they're the sort of low-level talent involved here. 

Dave Bittner: Such imposition of costs may also be seen in a second U.S. federal indictment of seven people on charges of international cybercrime announced this morning. Two defendants have been arrested in Malaysia, and the remaining five remain at large in China. 

Dave Bittner: The seven are alleged to have stolen source code, software code signing certificates, customer account data and what the Justice Department characterizes as valuable business information. The intrusions through which the theft was accomplished facilitated other criminal activity as well, particularly ransomware and cryptojacking. 

Dave Bittner: Two of the seven are charged with 25 counts of conspiracy, wire fraud, aggravated identity theft, money laundering and violations of the Computer Fraud and Abuse Act. They targeted companies, but they also had a side hustle going in the form of a video game conspiracy in which they stole and resold in-game currencies and commodities. They also sought to get the gaming companies to ban various criminal competitors. 

Dave Bittner: The remaining three Chinese nationals face nine counts of racketeering conspiracy, conspiracy to violate the CFAA, substantial violations of the CFAA, access device fraud, identity theft, aggravated identity theft and money laundering. The alleged racketeering conspiracy pertains to their operation of Chengdu 404 Network Technology, a Chinese company through which they engaged in a range of racketeering that affected more than a hundred companies. 

Dave Bittner: At least one of the individuals under indictment is said to have boasted of his connections with Chinese security and intelligence services. Indeed, the activity seems to have some connection with APT41, also known as Wicked Panda, and some of the targets were government networks where the defendants appear to have been collecting intelligence. So the activity would indicate that China's government is willing to let its contractors make some money on the side as long as their activities benefit Beijing. 

Dave Bittner: VICE describes the way in which Facebook has apparently figured in Ethiopia's growing ethnic violence. The strife has been centered in the region of Oromia, where intergroup tensions have found expression and amplification in social media. 

Dave Bittner: And finally, ByteDance's deal with Oracle has grown clearer. According to The Wall Street Journal, TikTok's American operations will be incorporated as a U.S. company, with Oracle holding a significant but still minority stake in the new company. ByteDance will retain majority ownership. The Washington Post thinks the reorganization is likely to meet with U.S. regulatory approval. 

Dave Bittner: The state of North Dakota quietly flies under the radar when it comes to cybersecurity policy, but they recently implemented a plan for a statewide offering of anti-malware software and services for every K-12 organization in the state. Kevin Ford is chief information security officer for the state of North Dakota, and he joins us with the case for why the move deserves attention. 

Kevin Ford: The state of North Dakota has a statewide network that all public organizations are required by law to be on. That includes K-12, but it also includes cities, counties, as well as the state government. So we have a very, very large user pool here. It's all commingled. It's about 250,000 devices at any one given time. So we have a pretty large task on our hands keeping that all secure. 

Kevin Ford: K-12 happens to be our largest user group. And it's a user group that we feel really needs to be protected, particularly during this time when teleworking and virtual learning are so key to the state. So with that in mind, the state has decided to provide free security services to K-12 organizations. That includes a very robust and feature-rich anti-malware - next-generation anti-malware that has a very, very strong capability against modern types of ransomware. It also includes vulnerability management as well as breach monitoring. 

Dave Bittner: And what has their response been so far? Are they welcoming this effort? 

Kevin Ford: The majority of K-12 organizations have been very welcoming of this. First off, I think it hits the right price point - free. So that's always great for everyone. 

Dave Bittner: (Laughter) Right. 

Kevin Ford: And we're very pleased to be able to offer it for free. I should say we had to do a lot of kind of financial acrobatics to get this done. But I think we're in a good spot. 

Kevin Ford: So, you know, our key mission is to reduce risk for every citizen in North Dakota. And I think this is a big road forward in that regard. 

Dave Bittner: What went on, you know, behind the scenes from the value proposition side of things as you all were making the case to, you know, the various stakeholders at the state level that this is a good thing to invest in? 

Kevin Ford: So I think one of the most important things that we were able to do was make officials understand, or help them understand, that - and it's an old maxim - you know, an ounce of prevention is worth a pound of cure, right? So this is and should be seen, and I believe is seen by the majority of leaders within the state, as a key method of reducing risk and, thereby, reducing the expense around cybersecurity events for the state. 

Kevin Ford: So this is one way that the state is trying to kind of prevent that sort of ransomware attack or these other risks that can be so expensive. And when you compare the cost of doing this versus the cost of these ransomware events and these large malware outbreaks, it seems to be a no-brainer. We're really saving a lot of money for K-12 organizations within the state. And if you take the state as a whole, we're saving a lot of money for the state as a whole. 

Dave Bittner: That's Kevin Ford. He's chief information security officer for the state of North Dakota. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Interesting article came by. This is from the folks over at Sophos. This was written by Sean Gallagher. And it's titled "Faking It: The Thriving Business of 'Fake Alert' Web Scams." 

Joe Carrigan: Yes. 

Dave Bittner: I have seen these myself. What's going on here, Joe? 

Joe Carrigan: Well, this is an analysis of the business behind this and how this whole thing works and how it's kind of evolving. 

Dave Bittner: Yeah. 

Joe Carrigan: Basically, the underlying method this works with is with an advertising network that injects these malicious ads into a website, and these ads pop up. And they use techniques like Cascading Style Sheets and JavaScript to make these pop-ups look really, really convincing. A lot of times, they will look like a Windows interface or like an Apple interface. And they will lead you to some path where you are separated from your money. That's how this works. 

Dave Bittner: Yeah. 

Joe Carrigan: So the classic one we've all seen and heard about is the tech support scam. You have a virus on your computer; please call this number. And then you call the number, and someone there says, well, we'll sign you up for some virus software that costs $500 a year and you'll be A-OK, right? 

Dave Bittner: Right (laughter). 

Joe Carrigan: Well, now we're seeing this more - what Sean's talking about here is you're seeing this more on the mobile platforms as well. 

Dave Bittner: Yeah. 

Joe Carrigan: And one of - we've talked about this as well on "Hacking Humans" and, I believe, on this show. One of the big problems with the mobile platform is that the screen real estate is really limited, so you may not have as much of a clue that you're looking at a webpage, or you may not be able to notice the smaller alerts that say, hey, this is not a secure webpage. 

Joe Carrigan: Additionally, one of the things that they're doing on the mobile application is they're saying, just go to the store - the Apple Store or the Google Play Store - and download this app that will take care of it. And, of course, that's what they call a PUA, a potentially unwanted application. 

Joe Carrigan: And it can be something that we've talked about before as well called fleeceware, which is a piece of software that will cost you an exorbitantly large amount of money to use every month. And in order to cancel it, you have to go into your store account - either the Apple App Store account or your Google Play account - and cancel it. And you can get your money back, but a lot of people don't do that. And these guys make bank on this. 

Dave Bittner: Right, right. One of the things I've noticed about some of these pop-ups is - they refer to it in the article as browser lock attacks, which is when one of these pops up, you can't do anything else in the browser, even in other tabs, before you, you know, get rid of this alert or do something in this alert. 

Joe Carrigan: Right. Well, what happens is the JavaScript is written such that when you close the alert, it immediately reopens it, which then assumes control of the tab again. Now, they did say that on Safari, you can open another tab and then close the original tab or go to the tabs interface and close the tab so it goes away. And I think you can do that on Chrome on Android as well. I'm not sure. I haven't received one of these on my mobile app recently. So, yeah, you can close them. But if you're not a sophisticated user, it's difficult to close. 

Joe Carrigan: The best thing you can also do - you can just close the application. 

Dave Bittner: Yeah. 

Joe Carrigan: And then when you open the browser again, it starts with a new, fresh page. So you can do that. I'm not sure how it works in Apple. 

Joe Carrigan: One of the interesting things that Sean mentioned in this article, and this hadn't ever occurred to me before, is that if you're on a PC and you get one of these attacks and they install this fraudulent software or this malware that they're selling as legitimate - in some cases that they were investigating, they found that the computer victim becomes an exit node for a peer-to-peer VPN service, which then allows the scammers to use that computer and the victim's internet connection for further scams. So not only are you being victimized, but your machine is then being utilized to victimize others. 

Dave Bittner: Wow. What are the recommendations here to put an end to these sorts of things? Is there anything you can do to prevent them? 

Joe Carrigan: Yeah, Sean lists a number of those preventions. He says on the desktop, at least, you can use a pop-up blocker. That will provide some protection, but it might not protect against the pop-under advertisements. There are tracker blockers, such as the Electronic Frontier Foundation's Privacy Badger that can suppress trackers from malvertising networks and prevent pop-unders from being loaded. There's reputation-based blocks and malware protection. They can also block any of these sites. You know, so when you go to the site, you're actually alerted, hey, this is a scam site. 

Joe Carrigan: The problem is, if all this is new and fresh and nobody else has hit it and you're being victimized by this attack within the first couple of hours of a campaign, you're going to be your only line of defense. It's going to come down to you, as it usually does. So just close the app if you can't do anything else. 

Joe Carrigan: But never install software that's advertised on a pop-up. Never click on a website. And never allow a phone call to go through, or never make a phone call from one of these sites. 

Dave Bittner: Yeah. 

Joe Carrigan: They are always scams. Microsoft will never call you. Microsoft doesn't reach out to you this way. Apple doesn't reach out to you this way. Google doesn't reach out to you this way. 

Dave Bittner: Right, right, right. All right. Well, Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, keep you informed, and it leaps tall buildings in a single bound. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.