The CyberWire Daily Podcast 10.14.20
Ep 1193 | 10.14.20

Cyber conflict and cyberespionage. Social engineering as a turnstile business. Inside a social engineering campaign. A warning about fraudulent unemployment claims.


Dave Bittner: Hey, everybody - Dave here. Are you one of those people that skips ads in podcasts? Of course, we like the ads because we have a lot of great sponsors, and they help keep the lights on and great content coming to you every day. But we've got great news for the ad-skippers among you. A CyberWire Pro subscription now gives you access to all your favorite CyberWire podcasts ad-free. That's right - ad-free. And you can still listen to them on your favorite apps. Visit to subscribe and go ad-free and get all the other great benefits of a subscription, too. That's

Dave Bittner: Reports of cyberattacks against Iranian government and possibly economic targets are circulating. Details are sparse. Norway accuses Russia of hacking parliamentary emails. A cybercriminal gang's secret is volume. A social engineering campaign singles out victims with U.S. IP addresses. Joe Carrigan on a million-dollar REvil recruitment offer. Our guest is Paul Nicholson from A10 Networks with a look at the state of DDoS weapons. And the U.S. Treasury Department warns banks to be on the lookout for signs of unemployment fraud. 

Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 14, 2020. 

Dave Bittner: Iran's National Computer Emergency Response Team acknowledged today that two Iranian government agencies had come under cyberattack, which had been successfully confined to those two organizations. The Jerusalem Post notes that the disclosure came after rumors of the disruption circulated widely in social media. Iran's official news agency, IRNA, said the attacks had been contained, done limited damage and were under investigation. Unconfirmed reports from U.S.-operated Radio Farda and other sources said the attacks hit Iran's ports and shipping organization as well as a port in Bandar Abbas and that some financial services may also have been affected. 

Dave Bittner: Norwegian Foreign Minister Ine Eriksen Soreide announced that Moscow was responsible for a recent attack on Norway's parliamentary email system. The BBC quotes the foreign minister as saying, quote, "Based on the information available to the government, it is our assessment that Russia stood behind this activity," end quote. Moscow dismissed the statement as a serious and willful provocation. The attack, detected in August, gave the intruders access to parliamentary emails in an apparent cyber-espionage incident. 

Dave Bittner: Those of you of a certain age will remember the radio ads for discount electronics stores or men's clothing establishments whose prices were so low that they - they - they were just insane. The proprietor would ask, they ask me, what's your secret? And I tell them, volume. It's like that with social engineering sometimes. 

Dave Bittner: FireEye today released an account of the activities of FIN11, a financially motivated APT - that is, a criminal gang. FIN11 isn't the Maison Louis Vuitton of malware; their stuff isn't particularly advanced or sophisticated. No, FIN11 is more the Crazy Louie's Nut House of Malware. What FIN11 lacks in sophistication, FIN11 makes up in volume. The outfit runs as many as five large-scale fishing expeditions a week. They've been around for a while - since 2016 at least - which makes them vulnerable by criminal standards. Their targets were initially chosen from the financial, retail and hospitality sectors. But over the past year, FIN11's target list has expanded to the point where few sectors or geographical regions have escaped attention. 

Dave Bittner: FIN11 has shown an evolution that exemplifies the way the criminal underground has changed over the last few years. Fireeye says, quote, "Recently, FIN11 has deployed Clop ransomware and threatened to publish exfiltrated data to pressure victims into paying ransom demands. The group's shifting monetization methods - from a point of sale malware in 2018, to ransomware in 2019 and hybrid extortion in 2020 - is part of a larger trend in which criminal actors have increasingly focused on post-compromise ransomware deployment and data theft extortion," end quote. 

Dave Bittner: FireEye also notes that recent FIN11 activity seems to overlap with that of the TA505 criminal group, but they caution that this doesn't mean the two groups are the same. And in fact, their assessment is that they're distinct operations. What it does mean is that the two groups are partaking of another criminal trend - buying services from a commodity criminal provider of hacking tools and services. And their secret - volume. 

Dave Bittner: Digital Shadows describes an SMS-based campaign that uses highly personalized clickbait to induce its victims to follow the proffered link. It was originally known as the USPS texting scam, but it's expanded beyond messaging that impersonates the U.S. Postal Service. Other services, notably Amazon, FedEx, CashApp, Netflix, various adult entertainment services and, of course, payment card or financial services - the usual bric-a-brac of the online scam. 

Dave Bittner: A lot of smishing this year has used fear of the COVID-19 pandemic to lend urgency to its appeals to fear. That's not the case in this recent wave. Instead, it relies on more or less plausible impersonation of a shipper's customer service messaging to tell the victim, for example, that an attempt has been made to ship them a package and that for some reason or another, usually an unstated reason, the shipment requires the recipient's immediate attention. There's usually a shipping number - bogus, of course, but tacked on for greater detail to lend plausibility to the imposture - that's tossed in for good measure. What's not bogus is the recipient's name, and that can really lend plausibility. 

Dave Bittner: These are the steps in the attacks Digital Shadows describes. First, the victim receives a message with a suspicious four to six-digit link. Second, the incautious victim clicks the link and is redirected to a .io domain. Third, that domain fingerprints the victim and connects to another domain. Fourth, the victim, if located in the U.S., is redirected to a phishing page. If the victims are determined to be outside the U.S., they're simply redirected to a legitimate Google page. If the user has an IP address located within the U.S. before they're redirected to the phishing page, they're briefly connected to a tracking domain. The phishing page is usually a phony survey. After the victims complete the survey, they move to the final page, which asks them for personally identifiable information - those are fullz in hacker speak - so that they can receive a free prize for completing the survey. But as is so often the case, the prize is the victim's data, and the winners are the hackers. 

Dave Bittner: Finally, the COVID-19 pandemic has induced a large number of unemployment claims. And the U.S. Treasury Department warns banks to watch for signs of a correspondingly large rise in unemployment fraud. Among the signs the Treasury Department's Financial Crimes Enforcement Network points out are large wire transfers, especially transfers to offshore accounts. Wire transfers can be as convenient as they are risky. Unlike credit card fraud, where the victims have some recourse, once a wire transfer goes through, it's gone, baby, gone. 

Dave Bittner: Researchers at A10 Networks recently published a report on the state of DDoS weapons. Joining us with some of their findings is A10 Network's Paul Nicholson. 

Paul Nicholson: OK. So with this report, we actually publish it every quarter, and it's basically an informational resource for security professionals to look at potential weapons which could hit their network. So it's a slight difference than some of the other reports out there because - we call it the DDoS Weapons Report because these weapons are potential weapons which could be used to attack your network. As well as that, we also normally highlight some of the more interesting findings and try and relate them to topical events where we can, as well. 

Dave Bittner: What are you tracking in terms of the evolution of DDoD? Are - do you think continue to grow? 

Paul Nicholson: Yeah. So we look at - you know, as I say, amplification and reflection attacks are the biggest types of attacks we see - so some of the more usual UDP services which come out on top in the report every quarter. So, for example, with Portmap, we see 1.8 million potential weapons out there which could be used to launch these types of spoofing attacks. And then after that, as SNMP, SSDP, DNS resolvers and TFTP servers. So they round out the top five. 

Paul Nicholson: But what we find is interesting is - you might have heard there was a recent attack on Amazon at the - revealed in their Q1 report. And that was the same type of attack, a UDP attack, but it was using not one of the top five weapons. It was actually using a - one called CLDAP, or Connection-less Lightweight Directory Access Protocol. And, you know, when I talked about these top weapons we see, there's like 1.8 million of them out there. With the CLDAP ones from our honeypots and our sources, at the time, we were seeing only 15,000. So the size isn't always an indication if it's going to be used for the largest attacks of the day. 

Dave Bittner: So what are your recommendations? In order for organizations to best protect themselves against this, what sort of things do you suggest? 

Paul Nicholson: One, you have to know your environment. You have to - also, if you're going to a cloud environment - very important right now is to know that cloud environment as well. And your level of responsibility in terms of what's secured by the cloud or hosting provider versus what your responsibility is, as I mentioned, that CLDAP example earlier illustrating that. And then, you know, with the DDoS attacks, literally, the attackers are just trying to overwhelm either the network, the infrastructure or the applications. So employing automation, artificial intelligence to be able to, you know, establish your baseline, you know, which is seeing when that baseline is being exceeded and then gradually implement policies which become more aggressive as the attacks become aggressive is the way to go because it will reduce the operational impact of having it. It'll be more accurate, and it'll give you a better chance to make sure that you can defend against these. 

Dave Bittner: That's Paul Nicholson from A10 Networks. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hey, Joe. It's great to have you back. 

Joe Carrigan: Hi, Dave. How are you? 

Dave Bittner: Good, good, good, good, good. So we have an article here from Forbes... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Written by Simon Chandler. And it's titled "REvil Ransomware Gang Offers $1 Million As Part Of A Recruitment Drive" (ph). Unpack this for us here, Joe. (Laughter). 

Joe Carrigan: Right now, I'm putting my pinky up to the corner of my mouth. 

Dave Bittner: (Laughter). 

Joe Carrigan: (Imitating Dr. Evil) One million dollars. 

Joe Carrigan: So what is going on here is that this group, the REvil ransomware operation, has deposited this $1 million in bitcoin in a Russian-speaking hacker website. And they are announcing that they're looking for people to help with their operation. They're recruiting people, Dave. This is just like a business for these guys. 

Dave Bittner: (Laughter) Is this like LinkedIn for bad guys? 

Joe Carrigan: That's what the hacker forum is - it's LinkedIn for bad guys. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: But when you're a malicious actor, you have to demonstrate that you're capable of paying people for being part of your operation. 

Dave Bittner: Right. 

Joe Carrigan: And what they've done here is essentially put into escrow a million dollars in bitcoin and said, look; we can do this. We have the money to pay you. We are not scamming you, which is a really big risk for people when they're looking to do nefarious things on the darknet. Right? There's all kinds of ways to get scammed out of your money or your time on that, and then you work for someone for free. No - nobody wants to do that. So these guys have said, well, here's a million dollars in bitcoin. We're just going to put it up here, and you can see it. And we'll pay you from it. 

Dave Bittner: Who are they looking for? What kind of talent are they going after? 

Joe Carrigan: They're looking for affiliates who would be responsible for getting into organizations and infecting them with ransomware. And... 

Dave Bittner: Yeah. 

Joe Carrigan: ...The - actually, REvil is building this ransomware-as-a-service enterprise. And they're saying that they'll receive 20% - 20 to 30% while you as the guy that broke into the place and infected them with ransomware, you'll get 70 to 80% of the payout. 

Joe Carrigan: Ransomware is tough work, you know, breaking in. So if you can have other people do it and then just collect, you know, 20 to 30% while other people do the work, it's like being a franchiser, right? 

Dave Bittner: (Laughter) That's what I was going to say. Yeah, it's like opening your neighborhood McDonald's... 

Joe Carrigan: Exactly. 

Dave Bittner: ...Except for ransomware. 

Joe Carrigan: That's exactly what this is. They are looking for franchisees. It is exactly like a business. We talk about how these people run their organizations just like businesses. There are people in there for sales. This is recruiting. This is like HR. There are people who do management. And there are people who do tech support for these companies, these - not companies, organizations. These are criminal organizations (laughter). I say company like it - it's run like a company, but it's not a company. It's a... 

Dave Bittner: Legitimate businessmen. 


Joe Carrigan: One of the things they're looking for is they're looking for people with experience and skills in penetration testing - right? - which means they're looking for people to break into businesses. 

Dave Bittner: Yeah. Well, I mean, it strikes me that a million dollars in - is not chump change... 

Joe Carrigan: It is not, no. 

Dave Bittner: ...No matter what form it's in, in bitcoin or other ways. I suppose - I mean, I guess it's a small possibility, but there's a possibility that this could all be a ruse by law enforcement - right? - I mean, to try to hook people in. That happens sometimes on these dark web forums. 

Joe Carrigan: Yeah... 

Dave Bittner: Unlikely but... 

Joe Carrigan: That is possible. But the problem is that if you're doing this completely, like the Onion Network, the Onion Router network - Tor - then you're going to have a hard time finding the people who have done this. And if you send them bitcoin and they immediately change that to another currency to evade detection, that's also going to be hard to find. So I don't think law enforcement is going to take a million dollars, put it up and say, you know, we're going to try to catch some bad guys. Maybe they're going to do it if it's seized money - you know, they've seized money from people. This bitcoin's all seized. They really don't care what happens. Maybe. I mean, that's a good point, Dave, that this might not be hackers. But I think it is the REvil. I think that's been confirmed in this story that it is the people (unintelligible) REvil... 


Dave Bittner: Yeah, yeah. I mean - yeah, yeah. I guess what I'm getting at is that, you know, that's sort of the - rolled into all of this is that element of risk, that cost of doing business - that there is a risk. You always have to be looking over your shoulder. 

Joe Carrigan: Absolutely. 

Dave Bittner: And I guess that mean - to the main point of this whole story, that in order to get people to trust them, that's why they have to put the million bucks up in the first place. 

Joe Carrigan: That's exactly right, yeah. You know, this is something I could never do, not because it's wrong - right? - and because I mean... 

Dave Bittner: (Laughter) You're fully capable of doing things that are wrong? (Laughter). 

Joe Carrigan: That's not what I meant to say. Not just because it's wrong... 

Dave Bittner: Right, OK. 

Joe Carrigan: ...Let's say that instead. 

Dave Bittner: There you go. 

Joe Carrigan: Not just because it's wrong and because you're destroying people's businesses and lives - but I know myself. I could never live in constant fear of somebody tapping me on the shoulder and going, Mr. Carrigan, you're under arrest for the hacking - OK. I - great. 

Dave Bittner: Right (laughter). 

Joe Carrigan: That gives me a tightness in my chest. 

Dave Bittner: You're the guy who always rewound his VHS tapes before he returned them to the rental store. 

Joe Carrigan: Yeah, absolutely - every single time (laughter). 

Dave Bittner: Yeah, exactly. You want to sleep at night. 

Joe Carrigan: Exactly. I want to sleep at night. And I would not be able to sleep at night under these conditions, regardless of how many millions of dollars in bitcoin I had in some some exchange somewhere... 

Dave Bittner: Right. 

Joe Carrigan: ...Or in my own hard wallet. It just wouldn't be comforting. 

Dave Bittner: Yeah, yeah. All right. Well, the article is over on Forbes - again, written by Simon Chandler. It's "REvil Ransomware Gang Offers $1 Million As Part Of A Recruitment Drive." Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at the And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Have it your way. Listen for us on your Alexa Smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.