The CyberWire Daily Podcast 9.24.20
Ep 1180 | 9.24.20

Not the Gremlin from the Kremlin. Zerologn exploited in the wild. Cyberespionage phishing in NATO’s pond. US Treasury announces sanctions. Four guilty pleas coming in eBay cyberstalking case.


Dave Bittner: Zerologon is being actively exploited in the wild. The Old Gremlin ransomware gang picks on Russian targets. Thought Fancy Bear was done with NATO? Think again. The U.S. Treasury Department sanctions more organizations and individuals from malign influence operations. Betsy Carmelite from BAH on vaccine laboratories cybersecurity. Our guest is Shena Tharnish from Comcast Business with insights for small businesses concerned with COVID-19-related phishing. And four of the defendants indicted in the eBay cyberstalking case have chosen their pleas.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, September 24, 2020. 

Dave Bittner: Zerologon exploitation is no longer merely a theoretical possibility. Microsoft has seen the Windows Server vulnerability being actively attacked in the wild. ZDNet reminds all that Samba file-sharing software is also susceptible to this bug and must be updated as well. Computing has an update on the patches available for Zerologon. 

Dave Bittner: That the Zerologon vulnerability is a serious risk isn't in dispute. The U.S. Cybersecurity and Infrastructure Security Agency took the unusual step last week of issuing the federal agencies it oversees a binding operational directive, telling them to get their skates on and patched by midnight Monday. Those agencies were given a deadline of last midnight to get back to CISA and let them know that the proper patches had been applied. 

Dave Bittner: Group-IB says a new ransomware group they're calling Old Gremlin is currently active against Russian banks and corporations. Old Gremlin is phishing with emails that represent themselves as coming from a variety of legitimate third parties whom the email recipients might be predisposed to trust - RBC, RosBusinessConsulting, a large Russian media holding company; the self-regulatory financial organization SRO MIR; an unnamed Russian metallurgical holding company, an unnamed dental clinic and, crossing the Belarusian border to another country in the near abroad, the Minsk Tractor Work. 

Dave Bittner: As Group-IB, Singapore-based but with Russian roots, Old Gremlin's target list is surprising. Group-IB's report says, quote, "It is common knowledge that Russian hackers have an unspoken rule about not working within Russia and post-Soviet countries." Yet Old Gremlin, made up of Russian speakers, is actively attacking Russian companies, banks, industrial enterprises, medical organizations, software developers... According to Group-IB expert estimations, since the spring, Old Gremlin has conducted at least seven phishing campaigns," end quote. 

Dave Bittner: This seems to be sailing pretty close to the unforgiving wind or, to mix the metaphor, a little bit like tugging on Superman's cape. And it will be interesting to see how long they continue to get away with it. They've been at it since March, and the Kremlin is probably not too pleased with Old Gremlin. Unless there are wheels within wheels here, Old Gremlin is going to draw the attention of the organs in an unpleasant way. As Bleeping Computer summarizes, the gang is using TinyPosh and TinyNode backdoors, TinyCrypt ransomware and various third-party tools for reconnaissance and lateral movement. So far, Old Gremlin has been active in Russia only, but there are signs it may be working toward much wider attacks elsewhere. 

Dave Bittner: A ransomware attack has hit Tyler Technologies, a large IT service provider to U.S. state and local government agencies. The company has disclosed that it's working to restore its systems and that while some data were exposed, as is now normal in ransomware attacks, it's not believed that any customer software was affected. Reuters notes that Tyler's services are used by states and counties for both emergency response coordination and for sharing election information. 

Dave Bittner: SecurityWeek describes QuoIntelligence's research into a new Zebrocy cyberespionage campaign directed against NATO. Zebrocy is, by consensus, held to be a Russian operation. While its exact organizational niche isn't entirely clear, most observers think its associated with Moscow's GRU - that is, Fancy Bear. The group's eponymous malware, Zebrocy Delphi used NATO exercises as its phishbait. The operation's command and control infrastructure is located in France, and QuoIntelligence has let the French authorities know where to look for it. 

Dave Bittner: The U.S. Treasury Department yesterday sanctioned more Russian individuals and organizations for their involvement in malign influence operations, The Hill reports. Most of them are tied to the previously sanctioned Yevgeniy Prigozhin, known as Putin's chef because of the way in which the entrees he once catered served as his entree to the Russian oligarchy. Mr. Prigozhin is best-known for having been one of the organizers and funders of the Internet Research Agency, the St. Petersburg troll farm that gained notoriety during the last U.S. election cycle. He also pioneered a more sophisticated form of trolling, outsourcing and offshoring much of the work to a lot of contractors in the Central African Republic. 

Dave Bittner: And finally, there are developments in the very strange case we first discussed back in June where eBay employees - now former eBay employees - were charged with various forms of illegal harassment of a mom and pop newsletter that had published notes not always to the liking of eBay's then-leadership. Of the seven defendants charged, four have decided to plead guilty to cyberstalking the couple who ran the EcommerceBytes newsletter. Stephanie Popp, Stephanie Stockwell, Brian Gilbert and Veronica Zea yesterday filed their intention to enter guilty pleas to federal charges on October 8. All are former members of eBay's security and global intelligence teams. The other three defendants are presumably still weighing their options. 

Dave Bittner: The response to the newsletter, beyond being illegal and morally loathsome, seems quite out of proportion to anything the couple who published the newsletter wrote. They weren't particularly inveterate critics of eBay, nor did they seem to write anything particularly scurrilous or defamatory. Such complaints as the ones they put out were of the anodyne sort any business inevitably attracts. And what was the response of eBay's security and global intelligence team? Anonymous email and Twitter threats, deliveries of live cockroaches and a bloody Halloween pig mask, clandestine surveillance and shipping adult material to the victims' neighbors in the victims' names. 

Dave Bittner: How in the world all of this could have seemed to be a good idea at the time is difficult to fathom. The incident will at some point provide, we imagine, interesting lessons about organizational culture and the dangers of groupthink. Ongoing, cascading, impulsive bad judgment isn't just for teenagers. 

Dave Bittner: Shena Tharnish is vice president of cybersecurity product management at Comcast Business. She joins us with valuable insights for small businesses concerned with COVID-19-related phishing. 

Shena Tharnish: Hackers are using tried and true approaches, like phishing and malware and denial-of-service attacks, to exploit businesses, especially amid COVID. And we're seeing a much higher rate of that. So, you know, phishing and ransomware will remain the biggest threats to businesses of all sizes. And you want to make sure that you're really cautious of those campaigns that are going on. You know, we saw 150% rise in the number of new domains related to COVID since March. And they use keywords like corona or drug or vaccine and test kits. And, you know, we've blocked queries of these newly registered domains nearly 13 times. So as much as we talk about phishing and ransomware and train our employees, it's still a place where cybercriminals are multiplying the number of messages and ways to influence consumers. 

Shena Tharnish: And, you know, from a DDoS perspective, attack traffic has significantly increased, and more businesses are being targeted by cybercriminals. As a result, during these attacks, businesses aren't able to serve their customers online or transact with supply chain partners or maybe even interact with their employees, which all causes disruption and loss for the business. So, you know, it's really important that as more COVID scamming opportunities arise, you know - even, like, the stimulus relief came out. It caused more phishing offers related to, you know, assisting with payment receipts. So as the pandemic prolongs, businesses should be really sensitive to these phishing and malware campaigns that could surface. 

Dave Bittner: Are there any areas - when it comes to cybersecurity, are there any areas that you feel aren't getting the attention that they deserve? 

Shena Tharnish: I guess I would say education. I think that is really key to the whole program of cybersecurity. While technology is very important, training our employees and businesses on these types of threats is important. But, you know, to err is human. So technology is important as well, especially that which has automatic updates. And you're not having to rely on people to configure or load, so getting services by reputable companies that can automatically, you know, include the latest domains that are malicious and automatically protect the business are really important. 

Dave Bittner: That's Shena Tharnish from Comcast Business. 

Dave Bittner: And I'm pleased to be joined once again by Betsy Carmelite. She is a senior associate at Booz Allen Hamilton. Betsy, it's always great to have you back. I wanted to touch today on some of the work that you and your colleagues are doing when it comes to cybersecurity in the lab. We're hearing a lot about vaccine research, those sorts of things. What are some of the things that you all are tracking? 

Betsy Carmelite: Sure. We're very much tracking how to keep labs secure with such a rapid increase in data generation, which ultimately introduces vulnerabilities. We're definitely seeing the increase in data - certainly PII, PHI, financial data - but also the increased concern for network lab equipment, such as, for example, petabytes of genomic data and securing all of the advanced technology that now exists in labs. 

Dave Bittner: What about the velocity that labs find themselves running at today? I'm thinking about all those labs who are trying to keep up with, you know, the demand for things like COVID testing. Does that mean that it's easy for some security things to slip through the cracks? 

Betsy Carmelite: Sure. And I think some of that kind of lends to the research culture. And in recent weeks, we've seen this with some high-profile attempts to steal vaccine data and helping researchers understand the risk of what is a inherent part of their roles and jobs, which is data sharing, being collaborative, how much we collaborate, how we collaborate securely. And so given the nature of their jobs, especially in the current COVID-19 environment and the circumstance like a pandemic where we want to be working together, we really need to be balancing, you know, how much we collaborate and the security around that collaboration. We're looking at information transfer and then the possibility of compromise of the integrity or confidentiality of that research information. 

Dave Bittner: Well, share with us some insights. What are some of the specific concerns that you have? What are some of the things that you all are tracking here? 

Betsy Carmelite: Sure. So in recent weeks, we've seen some of the reported high-profile attempts to steal COVID-19 vaccine data. We've seen the Department of Justice accusations alleging Chinese intelligence services that are targeting that COVID vaccine research. We've also seen similar accusations directed toward Russia that may have been targeting universities, organizations, health care providers as well. So we're seeing some highly sophisticated threat actors that are obviously cause for concern in a heightened crisis situation. 

Dave Bittner: Is there a cultural element here as well? Are the folks who are working on these hard problems, the scientists - do they generally need to be brought up to speed on the cybersecurity elements to keep their research safe? 

Betsy Carmelite: Yeah. And I - it's definitely an increased awareness that may not have come naturally to their jobs as they're performing their scientific research - the awareness of how much we collaborate, how we do it securely. Do we increase the levels of security to protect the intellectual property? But then we - do we do that at a risk of decrease to information sharing and promoting that information sharing? So that's a - it's a really hard problem steeped in technology but, to your point, also in the culture of performing scientific research. 

Dave Bittner: So for the folks who are in this line of work, what sort of recommendations do you have for them? 

Betsy Carmelite: Sure. I would say that it really boils down to some basic cyber hygiene to keep these labs safe and also to keep the research data safe and the lab teams as well. First, we would say examine the business processes in place prior to adoption of any technology, whether it's a collaboration tool or any changes to the network environment. For example, isolation of that internal research from the other parts of the network would be critical - so looking at segregated networks to reduce that chance of attack. And secondly, really knowing your use cases for workflows and processes and choosing your tools and technology - how are you actually going to use that tool to perform your work? And do you really know all the use cases that could, you know, be used properly or lead to misuse? And then when you're choosing that technology, look at the possibility for flexibility to change the functionality when you're moving from your current use to a possible to-be future state of how you're going to be using that technology. 

Dave Bittner: All right. Well, interesting stuff. Betsy Carmelite, thanks for joining us. 

Betsy Carmelite: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, keep you informed and it's so good, cats ask for it by name. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.