The CyberWire Daily Podcast 9.25.20
Ep 1181 | 9.25.20

Lots of coordinated inauthenticity, but a small return in influence. Confidence building in cyberspace? CISA reports finding that a Federal agency was hacked. Cyberattacks on hospitals are up.


Dave Bittner: Facebook takes down three Russian networks for coordinated inauthenticity. Russia calls for confidence-building measures in cyberspace. CISA detects a successful incursion into an unnamed federal agency. Governments warn of heightened rates of cyberattacks against medical organizations. Mike Benjamin from Lumen joins us with details on Alina malware. Our guest is James Dawson with insights on how to best calibrate your security budget. And there's a "not guilty" plea in the case of the attempted bribery of a Tesla insider.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, September 25, 2020. 

Dave Bittner: Facebook yesterday identified and took down three more networks for coordinated inauthenticity behavior or, in Facebook more specific formulation, quote, "for violating our policy against foreign or government interference which is coordinated inauthentic behavior on behalf of a foreign or government entity" end quote. All three networks originated in Russia. Facebook says that they targeted a wide range of countries and that they shared an overarching operational style. They focused first on creating fictitious or seemingly independent media entities and personas to engage unwitting individuals to amplify their content and, second, on driving people to other websites that these operations control. 

Dave Bittner: Graphika, which assisted Facebook with its investigation and assessment, notes that the offending network clusters operated across multiple platforms. Despite the operators' efforts, none of the clusters succeeded in going viral. So their activities were marked by information laundering, an increasingly common tactic in influence operations. Facebook found that the clusters, as it called them, used a mix of legitimate and fictitious profiles. Their activity broke down as follows - the first network consisted of 214 Facebook users, 35 pages, 18 groups and 34 Instagram accounts. It was, for the most part, interested in Syria and Ukraine, to a lesser extent in Turkey, Japan, Armenia, Georgia, Belarus and Moldova, with a still smaller fraction focused on the U.K. and the U.S. 

Dave Bittner: Facebook's report says, quote, "They used fake accounts to create elaborate fictitious personas across many internet services... posing as journalists to contact news organizations, purporting to be locals in countries they targeted and managing groups and pages, some of which proclaimed to be hacktivist groups. These clusters also focused on driving people to their off-platform sites and other social media platforms where, among other themes, they promoted content related to past alleged leaks of compromising information," end quote. 

Dave Bittner: All of this activity was largely a fizzle. Facebook says the whole operation had a negligible following across its platforms. Facebook attributes the activity to the Russian military. We observe that in the context of cyber conflict, Russian military usually means GRU. 

Dave Bittner: The second network consisted of one page, five Facebook accounts, one group and three Instagram accounts. It concentrated on Turkey and Europe with some reach into the United States. It relied on fake accounts to drive traffic to a nominally independent think tank in Turkey. The accounts represented themselves as locals from Turkey, Canada and the U.S. Facebook, which notes that this network also recruited people to write for them, connects the activity to the troll farmers at St. Petersburg's Internet Research Agency. It, too, attracted almost no followers. 

Dave Bittner: The third network enjoyed more success than the others, but that success was nothing to write home about either. It included 23 Facebook accounts, six pages and eight Instagram accounts. And it focused on global audiences but especially on the near abroad with an emphasis on Belarus. It used fictitious persona to post and comment on content, manage pages, amplify content and drive visitors to off-platform sites that posed as independent journals whose editors and researchers were soliciting articles. Facebook connects this network to Russian intelligence services. As we mentioned, this crew attracted more followers than the others but still fell short of achieving much reach. 

Dave Bittner: It's perhaps no accident that the third group advertised more than the others. They spent about $10,000 on Facebook ads. The second group spent just $4,800. And the cheapskates of the first group forked over just a cool six - count them - six bucks in total. As Dorothy Sayers wrote back in the day, It pays to advertise. Potential sponsors, take note - use your marketing budget for good instead of evil. 

Dave Bittner: Some but not all and not even the majority of the inauthentic activity was directed against U.S. elections, which remain a flashpoint in Russo-American relations. According to Reuters, Russian President Putin today said that the U.S. and Russia should agree not to meddle in one another's elections. He called for a comprehensive treaty that would amount to a non-aggression pact in cyberspace or at least a confidence-building treaty similar to Cold War-era agreements designed to reduce the possibility of accidents at sea and in international airspace. President Putin said in part, quote, "One of the main strategic challenges of our time is the risk of a large-scale confrontation in the digital sphere. We would like to once again appeal to the United States with a proposal to approve a comprehensive program of practical measures to reset our relations in the use of information and communication technologies," end quote. So dust off the hotline and no fighting in the war room, gentlemen. 

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency, CISA, reports that an unnamed U.S. federal organization was successfully hacked by an attacker who used stolen credentials to gain access to the agency. The attacker was able to browse the network, obtain, zip and probably exfiltrate some of the files it located. How the attacker got the credentials is unknown, but CISA's educated guess is that they were obtained from an unpatched Pulse Secure VPN vulnerability - CVE-2019-11510. 

Dave Bittner: CISA says it detected the problems with its EINSTEIN intrusion detection system. EINSTEIN is deployed across the federal civilian agencies, not the .mil domain and not, certainly, the other national security agencies, mostly in the intelligence community, that are exempt from CISA oversight. That would seem to narrow the range of possible victims, but the story is still developing. 

Dave Bittner: Governments are increasingly concerned about rising rates of cyberattacks against health care organizations, the Wall Street Journal reports. Contrary to hopes expressed early in the pandemic, the honor among thieves the thieves themselves promised hasn't really materialized, and hospitals are increasingly suffering from ransomware. It's a global problem. The journal quotes authorities from Europe, North America, Asia and the Pacific and the International Red Cross. 

Dave Bittner: And finally, the man charged with attempting to bribe a Tesla insider to assist him in carrying out a ransomware attack against the electric car company, Egor Igorevich Kriuchkov, has entered a plea of not guilty before a U.S. federal magistrate. The Washington Post says Mr. Kriuchkov hopes to put the whole matter behind him as soon as possible. 

Dave Bittner: James Dawson is CISO of IT Risk Advisory LLC. Throughout his career, he's worked with a number of global top-level organizations to help them build their cybersecurity strategies. He joins us today with insights on how to best calibrate your security budget. 

James Dawson: The basics, the foundation for this is, you know, first, know in your organization your critical processes. What's the place do, you know? Do we make snow skis? Do we give out bank accounts? What do we do here? Are we a hospital? Do we make people healthy? What do we do? So know your critical processes at that organization. So that's your first step because when you talk to that C-level individual about the spend, they think in business terms. They know what the business does. So look at those critical processes of the business. And in those critical processes - you've heard me say this before - inventory the applications. In those applications, inventory the system - the machines, the servers that manage that. And then map the critical cyber risks from beginning to end and where humans' hands are involved. 

Dave Bittner: So I mean, are you inventorying the people as well? 

James Dawson: You are. So that's the - that's where I was going to get to. That's kind of the crux of the conversation here. Get down to - so you've got this list of processes - five important processes we do here at the bank, let's say. And then who is involved in those critical processes? You're actually writing down the people who either manage the applications in those critical processes or are responsible for the systems, the machines that those applications run on. There's also sometimes custodians or owners of the data, too, which could be different than the application owner and the system owners. 

James Dawson: There is also then the user, the worker bee - the person who's involved in the process to actually enter data in unstructured form in the beginning of the data lifecycle and then do something with it - manage a record or put it away or store it at the end of the critical data lifecycle. That's where you need to spend your money because the hackers know - you know, a cybercriminal, whether - the man or woman or the organization, they're lazy. And I think you've - some of your other guests have mentioned this on your show, Dave. You know, cybercriminals are lazy. They're going to go after and they're going to exploit the easiest place they can. 

James Dawson: Some of your guests have also mentioned recently, you know, entity behavior analytics - user and entity behavior analytics, U-E-B-A. I know you like to spell out your acronyms all the time. But that's where - you know, it's that behavior in your critical data process, in your critical process for the business - that's where you need to spend your money. And that's where the attackers are going to look to exploit the organization because that's the easiest path for them to get to either extorting you or stealing your data or holding you hostage or whatever it is that they're after in your organization. It's either for love or money. Cybercriminals don't do anything for other than love or money as far as I can tell. 

Dave Bittner: You know, it strikes me that a simple way to look at this, I can imagine people having an impulse to follow is, you know, you have that unlikely event that could be catastrophic on one end. And then you have the likely event that's not going to be that bad at the other end. And then there's a spectrum of things in between. You know, it strikes me that one of the things about this business is that that likely thing that doesn't seem so bad - you know, because of things like lateral movement and just the way these systems are kind of hosed up and connected - it can lead to much more serious things. 

James Dawson: Yes, it really does. And I'd like to also point out in an organization, when you're looking at cybersecurity and cyber controls and risk, where there is a lot of human interaction in a critical process. There are more in some parts of the organization than others. Take JML. So that stands for joiner, mover, leaver. In all organizations, you have JML activities - someone joins, someone moves around within the organization, or they leave the organization. JML activities are a very, very high-risk activity for the organization because that's when humans can be exploited. 

James Dawson: You know, if they join the organization and you haven't checked them out well but you give them high credentials and strong entitlements, you have a risk there. If they're moving into or out of a high-risk position where they have strong entitlements and they have a lot of access to your critical data, you need to be cognizant of that risk at that very point in time. That's where you need to spend the money. 

James Dawson: And of course, leavers - you know, even though a person may leave an organization and you try to make sure that you change all the, you know, credentials and entitlements that that individual had, in that JML process, the leaver portion of JML tends to be the riskiest because that individual was an insider. And, you know, they should be still considered an insider when you're looking at your controls for the leaver portion of the JML processes. Usually all of that happens in HR, so there are always critical processes in HR in every organization because you need people to do your work and provide your service. 

Dave Bittner: That's James Dawson from IT Risk Advisory LLC. CyberWire Pro subscribers can find an extended version of my conversation with James Dawson. That's on our website, 

Dave Bittner: And joining me once again is Mike Benjamin. He's the head of Black Lotus labs at CenturyLink. Mike, it's always great to have you back. We want to touch on a bit of malware that you all have been tracking. And you call it Alina. 

Mike Benjamin: Yeah. So the Black Lotus Labs team here at CenturyLink, we do a lot of work on global DNS traffic. As I'm sure many folks are aware, DNS is a great indicator of things happening from a malware campaign perspective. And recently we were looking through our data and found a pretty sizable anomaly in the usage of a particular set of domains. And upon diving in a little more deeply, we found that it was clearly exfiltrating data, and you can tell that in DNS when there's a whole ton of queries to a single domain and every subdomain is different. That way, DNS doesn't cache it, and the information can be transferred all the way to the owner of the domain. 

Mike Benjamin: And so as the team opened up that data and took a little closer look, what we're able to glean is that it was actually exfiltrating credit cards. And so this particular malware family we're talking about is a point-of-sale malware. And DNS was the mechanism in which it was stealing all the credit cards. It was doing all its coms back to a C2, and the way it was maintaining that communication channel over time in what are often at least decently enclosed environments and secured environments where credit card processing is occurring. 

Dave Bittner: You know, we really seem to see that credit card processing or hitting those point-of-sale terminals, that's always an attractive target. 

Mike Benjamin: It is. That's where the money is, right? And so as long as people can make money off these credit cards, they are going to target them. And so, you know, over the years, we've seen everything from a small restaurant with a single computer in a back room being attacked to large companies that are, you know, hitting the front page as we see their point-of-sale machines infected with malware. So it's really a lucrative way for them to spend their time. As long as they can both successfully attack, extract the data and then sell it somewhere, it's going to be a target. No matter how much work we do to prevent it, there's profit to be made. 

Dave Bittner: Can you take us through some of the details? How exactly does Alina work? 

Mike Benjamin: Yeah. So it's persistence method looks very much like any other Windows malware. And so I think many folks know but some may not that a lot of point-of-sale machines are Windows computers. At the end of the day, they need to perform computing functions, and Windows is a platform commonly used, so why not use it for this as well? 

Mike Benjamin: And so the malware gets installed through a variety methods into the computer, persists and sits there just monitoring memory. And thankfully scraping memory is a little bit intensive, but at the end of the day, if they can scrape memory and look for a certain combination of numbers, of which credit card numbers look relatively distinct - there's even an algorithm that can be used to validate that that string of numbers it finds is a credit card - it can then match it and then send it back over DNS. So as I mentioned, it'll perform a DNS look-up with a very unique encoding. Therefore, it's not cached, and the actors run the authoritative name servers for that domain. So every time a query comes in, it's unique, they get to see it, and they know how to decode it. And that's how they're extracting the credit cards and being able to persist across a network that may not allow outbound HTTP, may not allow a lot of outbound connectivity. But clearly it's allowing outbound DNS, and that's how they're being successful. 

Dave Bittner: Wow. I have to say, that's pretty clever. 

Mike Benjamin: Yeah. DNS exfiltration, you'll find, is a common tool for folks when a outbound HTTP proxy prevents something from functioning or just doesn't allow HTTP. A lot of folks are still using name resolution even just for internal domains. And so as we think about ways to prevent such an attack, making sure that if an environment is intended to be closed off, DNS is a part of closing that off is really important. DNS can still be used on a localized basis to do things like resolve internal file shares and internal comms inside a network - doesn't have to reach out to the internet in order to do that. And so that along with basic upkeep on an endpoint - at the end of the day, it's a Windows computer; there's a lot of best practices on how to secure a Windows computer and how to monitor for malware, et cetera - being able to do those two things can be really effective in preventing this kind of an infection from a point-of-sale malware perspective. 

Dave Bittner: All right. Well, Mike Benjamin, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, keep you informed, and it softens hands while you do the dishes. You're soaking in it. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.