The CyberWire Daily Podcast 10.7.20
Ep 1189 | 10.7.20

Cyber conflict in the Caucasus. Zerologon exploited in the wild. Emotet rising. The Four Horsemen of Silicon Valley. Alt-coin regulation. DDoS in Honolulu.


Dave Bittner: Cyber ops accompany fighting in the Caucasus. Iranian threat group exploits Zerologon in the wild. The Kraken gets unleashed in Southeast Asia, of all places. Emotet is back, and it's after state and local governments. The U.S. House identifies the four horsemen of Silicon Valley. Monero gains criminal market share. The U.S. comptroller of currency moves for clarity in altcoin regulation. Joe Carrigan takes a look at ransomware trends. Our guest is Mathew Newfield from Unisys with remote school safety tips for students and parents. And a cyberattack from Waikiki.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 7, 2020. 

Dave Bittner: Lethal, kinetic warfare now carries with it inevitable cyber operations as combat support. 

Dave Bittner: Fighting between Armenia and Azerbaijan over the disputed territory of Nagorno-Karabakh continues. It's increasingly accompanied by supporting cyber operations. Cisco's Talos unit finds that an unspecified threat actor, probably a foreign espionage service, is deploying PoetRAT malware against government and civil targets in Azerbaijan, often through phishing campaigns themed to take advantage of the ongoing conflict. 

Dave Bittner: That foreign intelligence service need not belong to Armenia. Many governments in the region are interested in the conflict. Both Turkey and Russia, for example, are closely concerned with the fighting. 

Dave Bittner: Microsoft has identified active exploitation of the Zerologon vulnerability (CVE-2020-1472) by the Iranian threat group Redmond tracks as MERCURY but which is more generally known as MuddyWater. The attacks began after public disclosure of a Zerologon proof of concept, ZDNet reports.

Dave Bittner: The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency directed in Emergency Directive 20-04, issued on September 18, that all U.S. federal agencies patch Zerologon, giving them three days to complete patching and report compliance. The attacks appear to have begun some days after CISA's deadline expired. 

Dave Bittner: Researchers at security firm Malwarebytes have blogged an account of what they've learned about Kraken, a fileless attack mounted by an advanced persistent threat group. Kraken, which is for the most part spread by phishing, often with workers' compensation phishbait, injects its payload into the Windows Error Reporting service - the better to evade defenses. It's not an entirely novel technique, but it does seem new with respect to this particular threat group. 

Dave Bittner: Exactly who that threat group is remains murky, but Malwarebytes sees signs that it may be APT32, a Vietnamese espionage outfit that's used similar tactics and tools and that has been most interested in regional targets, including those in the Philippines, Laos and Cambodia. 

Dave Bittner: CISA yesterday issued another warning to the effect that the long-familiar Emotet Trojan is not only back but back in a big way. Its principal targets - the ones CISA is concerned about, anyway - are U.S. state and local governments. 

Dave Bittner: Emotet has come and gone. It went quietly in February, returned from five months' occultation in July and began to appear in attacks against state and local governments in August. 

Dave Bittner: It's also a problem of international scope. As CISA points out, quote, "cyber agencies and researchers alerted the public of surges of Emotet, including compromises in Canada, France, Japan, New Zealand, Italy and the Netherlands. Emotet botnets were observed dropping TrickBot to deliver ransomware payloads against some victims and QakBot Trojans to steal bank credentials and data from other targets," end quote. 

Dave Bittner: Senator Sherman, thou shouldst be living in this hour - or something like that. 

Dave Bittner: The U.S. House has released the results of its antitrust inquiry into Big Tech. The subcommittee investigating concluded that Silicon Valley is a hive of monopoly on a scale not seen since the 19th century's Gilded Age. Quote, "to put it simply, companies that once were scrappy underdog startups that challenged the status quo have become the kinds of monopolies we last saw in the era of oil barons and railroad tycoons," end quote. Google's parent, Alphabet, Apple, Facebook and Amazon are singled out as the new robber barons. A hundred fifty years ago, it was Stanford, Hopkins, Huntington and Crocker. Nowadays, it's apparently Pichai, Cook, Zuckerberg and Bezos. 

Dave Bittner: The harsh report is largely reflective of the subcommittee's Democratic majority. The Republican members, while hardly carrying water for Big Tech, really aren't entirely on board. The report so far hasn't affected the stock market, where, Seeking Alpha reports, the companies mentioned in dispatches seem to be holding steady. 

Dave Bittner: Digital Shadows finds that Monero is taking market share from Bitcoin as the preferred cryptocurrency of criminals, extortionists and dealers in contraband. In general, what the criminal customers want in currency are accessibility, usability and anonymity. The attractiveness of those three qualities tends to vary with circumstances, prominently figuring in which is the extent to which the gangs feel the heat is on. 

Dave Bittner: As recent criminal cases have shown, while Bitcoin and Monero are both appealing because they're relatively more difficult to trace, they can, in fact, be traced with the right application of effort and technology. So while both leading alternative currencies are imperfectly anonymous, Monero is generally thought to be better, to have the edge. In any case, it seems to enjoy a lower profile in the glare of law enforcement. 

Dave Bittner: From stories like this, it's easy to get the impression that altcoin is inherently shady and that the only people interested in cryptocurrencies are get-rich-quick tinhorns, black marketeers, pump-and-dump artists and so on. But that's not at all true, and we wouldn't want to leave you with that impression. 

Dave Bittner: In fact, they're maturing as legitimate financial instruments and are growing into a mature regulatory framework. 

Dave Bittner: The Office of the Comptroller of the Currency, hoping to ease financial institutions' leeriness of cryptocurrencies, has issued interpretive letters designed, The Wall Street Journal says, to provide some clarity with respect to regulation. The OCC hopes, according to the Journal, to avoid the mistake that's hobbled adoption of new technologies in the past - reliance on the most conservative possible interpretation of law and regulation. 

Dave Bittner: So you thought Waikiki was all sand, sun, surf and island relaxation, didn't you? It seems that a gentleman who was arrested in May for carrying ammunition illegally to a Black Lives Matter protest, one Christian Grado, is again in hot water with the law for mounting a denial-of-service campaign against the Honolulu Police Department. 

Dave Bittner: Hawaii News Now reports that his public defender says Mr. Grado isn't dangerous. And maybe he's not, but the Honolulu prosecutors disagree. Dangerous or not, his LinkedIn profile shows something of a Renaissance man - current dance instructor, former U.S. Army mortar platoon leader, West Point graduate, so on. 

Dave Bittner: What he was doing carrying ammo to a protest isn't clear, but give him an A for initiative. He set up a GoFundMe campaign to stake him bail when he was scooped up by the police in May. 

Dave Bittner: If you've got school-aged kids, there's a good chance they are either learning at home or spending a lot less time at school than they used to. That new reality is proving challenging to many parents - logistically, for sure, but there are security issues as well. 

Dave Bittner: Mathew Newfield is corporate information security officer at Unisys, as well as a board member of the National Technology Security Coalition. He joins us with remote school safety tips for students and parents. 

Mathew Newfield: So one of the things we recommend is you have to differentiate work and play. This is something I think a lot of parents are not doing when it comes to cyber and technology early enough in a child's life so that it becomes, really, like muscle memory for them. 

Mathew Newfield: Most people, when they go into the corporate world, they have to adhere to that acceptable use policy that a lot of us have heard of or even written for corporations. And teaching a child at a young age that there is a difference between what you can do on a computer for school and what you can do on a computer for fun are different. 

Mathew Newfield: So let's focus on for school. And I recommend one of two things, depending on the situation that you're in. If you're fortunate enough to have multiple machines - let's say your child has their own laptop or desktop, and the school provides one for them to use. Explaining to your child that when they're on the device for school, it is for school purposes only. There's no social media. There's no video games. There's no internet surfing. None of that can happen while you're on that device. And when you're on your personal device, while you can surf and maybe do the things you authorize them to do, there's no schoolwork. And that's a foundation. 

Dave Bittner: Do you have any advice for working with folks who may feel a little overwhelmed with this? I'm thinking about, you know, parents in particular who may not be that technically savvy. And they're faced with the challenge of securing these devices, their home network and looking out for their kids all at the same time. It might be new ground for them. 

Mathew Newfield: Not only is it new ground, but it can be massively overwhelming, and we get that. I get that. A lot of us in the cyber community get that. And we're here to help. We're doing things like this and having these conversations to try to educate people on what they should be doing. 

Mathew Newfield: And there are a lot of online resources. If you think about the companies that you've bought services from your home internet, going to their official website and looking for their guides on how do you lock down - there are security guides - or how do you harden the devices you bought is a good start. 

Mathew Newfield: And doing some basic research online of good cyber hygiene for the home is key, and then understanding that they're not at it alone. There are enough of us in this community. We want to help. So reach out to me, to others, to people you may know in this field and ask for assistance. There are no dumb questions here. 

Mathew Newfield: And to your point, this is new ground. None of us have been dealing with this full-time school from home before. So ask people who at least have the basic understanding of cybersecurity methodologies what they should do. 

Dave Bittner: That's Mathew Newfield from Unisys. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Interesting article caught my eye. This is from ZDNet from Steve Ranger. It's titled "Ransomware: Gangs Are Shifting Targets and Upping Their Ransom Demands." Give us the skinny here, Joe. What's going on? 

Joe Carrigan: This is coming from IBM X-Force, which is their incident response team. And IBM has said their responses to ransomware attacks have tripled from the last quarter to the previous quarter. And I don't know if that's because ransomware is on the rise. It's probably a combination of these factors. Ransomware is on the rise, and IBM is probably good at responding to these things, so their sales are going up as well. But tripling is pretty good. It can't all be just because IBM is making more sales. This is actually... 

Dave Bittner: Right. 

Joe Carrigan: ...Because the crimes are becoming committed at a higher rate. 

Joe Carrigan: The biggest three industries they target are manufacturing - and they get hit by 25% of the ransomware attacks that IBM responds to - professional services and government. And these are organizations with low tolerances for downtime. If you think back to the Baltimore ransomware attack and the chaos that that worked on that city because of the downtime, it was - it's devastating. It's tough. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: IBM has seen the trend where these ransomware attacks are also becoming data breaches, and they're saying, we're going to sell your data on the black market. And when their data gets sold, IBM is reporting that they've seen prices ranging from $5,000 to $20 million as a sale price for a company's data. 

Joe Carrigan: Sodinokibi is the ransomware group responsible for at least a third of the incidents that IBM responds to. And IBM estimates that Sodinokibi has victimized about 140 organizations, with about a third of them paying up. And that makes their revenue at about at least $81 million. That's how much Sodinokibi has made with ransomware. So that's really why they do this, right? There's $81 million to be had. 

Dave Bittner: Talking about real money. 

Joe Carrigan: Right, exactly. This is not small potatoes anymore. 

Joe Carrigan: They are getting more sophisticated about how they calculate their ransom request, which is smart, right? I talk about how all of this is an economic situation. This is - there are economic forces at work. And their requests range from 0.08% to about 9.1% of the victim company's annual revenue. And those dollar amounts range from 1,500 to 42 million, depending on what your annual revenue is and where you fall in that percentage spectrum. I guess the 1,500 incident is probably somebody who runs a small business who got hit by it. 

Joe Carrigan: And what do you do if you're a small business who gets hit by a ransomware? Your best bet is probably just to pay up, right? At $1,500, it's not that big of a deal. You don't have the resources to have a security response team come in, you know? It's... 

Dave Bittner: Probably not going to put you out of business. 

Joe Carrigan: Probably not going to put you out of business, but losing your data may very well do that. So it's kind of... 

Dave Bittner: Right. 

Joe Carrigan: ...An easy decision. But $42 million is a pretty big ransom to pay. And even if that's high on the spectrum of percentages of annual revenue, I mean, 10% of annual revenue is not going to be payable by a lot of companies unless they have a big stockpile of cash. Revenue is way more than the disposable cash that a company has on hand. 

Dave Bittner: Yeah. Well, and some of these are getting paid by insurance companies, right? 

Joe Carrigan: Yeah, some of them probably are getting paid by insurance companies. That's right, yep. And, you know, maybe they're offloading that risk to the insurance company, and they're helping out. 

Dave Bittner: Yeah. It's interesting to me that with this continued sort of professionalization of ransomware and its place in the ecosystem, if you will, as people are - grow accustomed to it, insurance companies have policies for it, you know... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Businesses have plans against it to deal with, it doesn't seem like it's going anywhere anytime soon. 

Joe Carrigan: No, it doesn't. And Caleb Barlow on an upcoming episode of "Hacking Humans" talks about this and talks about the possibility of outlawing payments. And we discuss that a little bit and what kind of impact that would have. 

Joe Carrigan: If it became illegal to pay a ransom, if there was a law that said, you're subject to more fines, and you're also maybe subject to prison time for doing this, I think that might have an impact on it. I'm not saying that we should definitely do that right now, but I think it's definitely time to have this conversation. 

Dave Bittner: All right. Well, the article, again, is titled "Ransomware: Gangs Are Shifting Targets and Upping Their Ransom Demands." That's over on ZDNet. Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, keep you informed, and it will get its peanut butter in your chocolate. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.