The CyberWire Daily Podcast 10.15.20
Ep 1194 | 10.15.20

Disinformation, foreign and domestic. Content moderation, always harder than it seems. US Cyber Command’s defend forward doctrine.


Dave Bittner: Tehran says this week's cyberattacks are under investigation. Silent Librarian returns to campus for academic year 2020-2021. Crooks are posing as nation-state hackers. Domestic disinformation reported in Guinea and Ghana. Disinformation, content moderation and the difficulties presented by both. U.S. Cyber Command's forward engagement campaign. Mike Benjamin from Lumen on how bad actors reuse infrastructure. Our guest is Ralph Sita from Cybrary with a look at their Skills Gap research report. And an extended mediation on the Scunthorpe problem.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, October 15, 2020.

Dave Bittner: We begin with a follow-up to an earlier story. It seems that Tehran has acknowledged sustaining cyberattacks this week. The AP, citing Iranian state-operated media, says that Tehran has confirmed that it sustained cyberattacks Tuesday and Wednesday of this week. The disclosure was brief, said that the incidents were serious and stated that they were under investigation. No attribution was offered. The story continues to develop. We'll continue to follow it. 

Dave Bittner: Malwarebytes researchers report that the Iranian-linked cyberespionage group Silent Librarian has made its annual return to campus. The threat actor is active mostly against universities, where it seeks to collect sensitive research and intellectual property. Malwarebytes writes, quote, "considering that Iran is dealing with constant sanctions, it strives to keep up with world developments in various fields, including that of technology. As such, these attacks represent a national interest and are well-funded," end quote. Silent Librarian has shown up in the late summer and early autumn - back-to-school time - in both 2018 and 2019. 

Dave Bittner: You needn't be an actual APT to pose as one. Radware notes that criminal organizations posing as flashy, well-known state actors like Fancy Bear, the Armada Collective, the Lazarus Group and so on, have been sending extortion letters to victims. They typically threaten distributed denial-of-service attacks if they go unpaid, but the threats are more scareware than malware. The demand letters have followed new reports of high-profile attacks, and Radware says the quality of their language has improved. And why not? If they can call you and say they're the Social Security police, why can't they email you and say they're Cozy Bear? 

Dave Bittner: Bloomberg reports that African governments are actively using social media to spread what it characterizes as disinformation during the run-up to this year's elections in order to dominate the narrative around campaigns. In these cases, Bloomberg cites Guinea and Ghana. The influence operations are domestic, not foreign. Government-aligned operators are said to have been particularly active on Facebook. 

Dave Bittner: Reports by The New York Post that alleged smoking gun emails involving U.S.-Ukrainian relations have been found on a computer belonging to Hunter Biden, son of former U.S. vice president and present Democratic presidential candidate Joseph Biden, raised questions of influence operations - potentially foreign and demonstrably commercial. At issue is the long-running and much investigated nature of the relationship between Bidens and various foreign business interests - notably, Ukrainian energy firm Burisma - and whether such relationships amounted to influence peddling or at least the invidious appearance of influence peddling. The elder Biden has denied detailed knowledge of his son's business relationships, and the younger Biden has periodically regretted any appearance of impropriety. 

Dave Bittner: The provenance of the emails the Post reported is disputed, coming as they did from a laptop of uncertain origin but with some appearance of connection to the younger Biden. Johns Hopkins University's Thomas Rid points out the ways in which the emails could amount to a disinformation operation, and that cannot be ruled out. The story's details have been difficult so far to corroborate, and some of the emails give the appearance of having been either reconstructed or fabricated, but the treatment of the Post's reporting has also raised questions about content moderation. 

Dave Bittner: Ars Technica has a summary of the issues the case raises for social media content moderation. Twitter and Facebook were quick to inhibit sharing of the Post's coverage, and that's aroused more questions about the ways in which they attempt to control alleged disinformation or misinformation. Twitter simply blocked it and blocked some accounts that had shared the story. Twitter's CEO Jack Dorsey tweeted some regrets about his company's handling of the material. Quote, "our communication around our actions on the New York Post article was not great, and blocking URL-sharing via tweet or DM with zero context as to why we're blocking, unacceptable," end quote. So what we have, Mr. Dorsey says, is a failure to communicate or specifically a failure to communicate context. 

Dave Bittner: Facebook didn't block sharing or discussion of the content. Instead, it deprecated sharing, which is to say that it reduced the likelihood that the platform's algorithm would amplify the story. In any case, the two platforms seem to have enmeshed themselves in a lose-lose approach to the story, with Republicans incensed by what they characterize as censorship and Democrats upset by what they see as an instance of the Streisand effect, where an attempt to downplay information has the unwelcome and paradoxical effect of drawing attention to it. 

Dave Bittner: It's almost pleasant to turn from this to the more refreshing atmosphere surrounding Trickbot. The criminal botnet that was affected by separate operations by Microsoft and its partners on the one hand and U.S. Cyber Command on the other hasn't been destroyed, CyberScoop reports. But it's been forced to trim its sales, and its targets have been given a reprieve during which they can shore up their defenses. Microsoft was able to make effective use of trademark law to hit the criminal operation, and Cyber Command was able to degrade its command and control by pushing bogus updates into the gang's network. 

Dave Bittner: Cyber Command's action represents an unusually public instance of the organization's defend forward doctrine, in which persistent engagement with hostile networks complements direct defense of friendly systems. WIRED describes the operation as showing how Fort Meade has increased both its reach into adversary networks and its willingness to use that reach to act against them. Some have noted that Trickbot is principally a criminal operation and that it seems unusual for a military organization - which Cyber Command, of course, is - to take action in what might be read as a law enforcement matter. But it shouldn't be overlooked that Russian criminal organizations survive at the sufferance of Russian intelligence and security services and that their resources have been co-opted by those services in the past. 

Dave Bittner: And finally, to return to the question of content moderation. The process is difficult and labor intensive, and the quest for automated tools that could reduce the workload goes on. It doesn't, however, always proceed happily. Witness the meetings of the Society of Vertebrate Paleontology, a society devoted to the study of the fossilized remnants of prehistoric beasts, many of them skeletal - you know, mastodons, giant ground sloths, stegosaurians, guys like that. Anyhoo, they're holding their meetings virtually like the rest of us, and the conference software came equipped with filters that screened out certain words. Vice reports that prominent among the words it excluded is bone. Ha, ha, ha, right? But as is usually the case, the bowdlerizing software is inconsistent. For example, if your name should be Wang, you're out of luck. Call yourself something like Ace or Lefty instead. But if you're a Johnson, well, that's OK. Weird, right? 

Dave Bittner: It's an old problem, sometimes seen in nondigital forms where different dialects of the same language collide. Our NATO desk, for example, told us a story at greater length than we really wanted to hear about, planning meetings in which the transition from the coverage force engagement to the main battle were discussed. The Americans, thinking as usual of American football, called the process of the covering force turning the fight over the main force, the battle handoff, you know, like play action between a quarterback and a running back. The Royal Army asked with pursed lips if the U.S. Army might change its terminology to battle handover, since handoff had unfortunate connotations in British English. After getting it, the U.S. Army obliged. 

Dave Bittner: Sometimes, it went the other way. A Royal Army staff officer once promised in the presence of our NATO desk to deliver some useful resources no matter what, even, quote, "if I have to knock up the prime minister," unquote, a technique the Americans received with surprise, sniggering, and some admiration. The Bundeswehr representatives were completely baffled, and they probably spoke more correct English than anyone else in the room. Anyhoo, we suggest that once in-person meetings are possible again, the Society of Vertebrate Paleontology holds its conference in Scunthorpe. We hear it's nice there. 

Dave Bittner: There is ongoing debate about the degree to which the so-called cyber skills gap exists or if it really exists at all. Some say it's an industry-wide obstacle, while others maintain it only affects certain skill levels or that it may be self-inflicted due to organizations' unwillingness to invest in training up the next generation. Ralph Sita is CEO at Cybrary, and he joins us with insights from their Skills Gap research report. 

Ralph Sita: We've been saying all along and the industry has been crying out for help, you know, that there's a talent gap, meaning there's not enough people out there to fill these roles in cyber that, you know, exist and are going, you know, vacant too long. But then we also just, you know, came to the realization that not only is there a talent gap, but there's an actual skills gap within the employed ranks within these companies. So we've heard this anecdotally. We've seen it, you know, from our user base. And we decided that, hey, now's a great time. We have this - you know, we have this vast array of folks that could add value with their feedback and, you know, let the other industry people - their contemporaries, their competition, even - you know, understand what they're going through because it's a commonality that they all have. 

Dave Bittner: Well, let's go through some of the key findings together. What were some of the things that drew your attention? 

Ralph Sita: Well, I mean, it's most importantly that all these organizations from, generally, the employee upward feel like they are inadequately prepared to do their jobs. 

Dave Bittner: And so in terms of this gap, I mean, is it a matter that the companies need to be investing in more training? 

Ralph Sita: That's just the beginning of it. Training is fine, but unless you have a critical path for employees to see the light at the end of the tunnel and the light's not an oncoming locomotive, it's - training is just part of the equation. You have to have a structured curriculum, a structured career path set for them so they know that they're working towards a goal that is going to improve their skills, improve their job preparedness and make them better to do what they have to do. 

Dave Bittner: How about coming at it, you know, from the other direction, for that person out there who's on the hunt for a new job or a better position? Did you get any insights on how that person can best prepare themselves to make them - just set themselves apart from the crowd? 

Ralph Sita: I believe that certifications are still important, so I don't want that to, you know, think that that's the tenor of my comments here. What I'm trying to say is that assessments that prove skills are more important. The best thing for people to do and new people to get in this profession is, grab a couple of the certifications that get the minimum boxes checked, but make sure you are continually learning. You know, our study shows that 78% of employees right now are finding time on the job to learn. Some of the bigger, worldwide brands are encouraging their employees to learn on company time because they realize that, you know, if they don't, then it's only hurting the company because these folks are struggling to get this type of training done. So again - constant learning, prove that you know what you know. You'll find a job in this industry really fast. 

Dave Bittner: That's Ralph Sita from Cybrary. 

Dave Bittner: And I'm pleased to be joined once again by Mike Benjamin. He's the head of Black Lotus Labs, which is part of Lumen Technologies. I want to touch today on the reuse of infrastructure and some of the pros and cons of that. What can you share with us today? 

Mike Benjamin: Yeah, so what I really wanted to touch on was how actors reuse infrastructure. And it's pretty common that we will see an actor set up a campaign. They'll put their malware downloader on a web server or so. They have to install a web server or break into, as it depends. And realistically, as long as they can deliver malware from that, they're going to leave it up. And so a lot of times, we think about a malware infection as something that can be, you know, quote, unquote, "cleaned up." But how often do we as an industry clean up endpoints and don't take the time to go back and make sure that the originating delivery host has been removed from the internet? Unfortunately, I can tell you, it's very common. And so just because we've eradicated a component of a campaign doesn't mean it's all gone. And so if I'm an actor and I've taken the time to take a stolen credit card, put some Bitcoin, whatever, into the purchase of the VPS host I've installed - Nginix or Apache - and I've set up in my environment, realistically, I'm just going to keep using it. And maybe I don't even use it for the same campaign. Maybe that campaign really is burned. It was a phishing website and the domain got taken away and the, you know, data I was trying to exfil - that host is gone. But heck, I can move it to a malware delivery host the next week. 

Mike Benjamin: So as a criminal actor, they are very common in reusing components of the infrastructure they have in the campaign. And so why we think it's important to call out and talk about why everything I just said may be intuitive, too often, we don't maintain as an industry those blocks in our firewalls, those alerts in our SIMs. When we know something's bad, keeping it there for a while really can be a benefit to the defense of an environment because the actors are, in many cases, going to reuse that at some point in the future. 

Dave Bittner: Well, can you give us some specific examples, some things that you all have seen? 

Mike Benjamin: Yeah. So recently, we were looking at a report that the team over at FireEye had produced on the Maze ransomware. It's a pervasive threat right now. A lot of people are looking into it. And upon diving into it, we actually saw components of a Maze campaign that we now saw delivering Cobalt Strike beacons. And so the Cobalt Strike payload was sitting in a directory on the server and it was completely unrelated to the previous Maze campaign. And so anyone who had come along and maybe read that FireEye report or someone else looking at that particular campaign and had blocked those IP addresses in their perimeter firewalls, alerted on them in their SIM, done anything on that piece of the infrastructure would have been precluded and never impacted by the subsequent Cobalt Strike campaign that we saw. And so just a simple reuse of an IP address that was delivering a payload from one campaign to the next could have completely removed any threat from the secondary campaign. 

Mike Benjamin: Another example we see is on the victim side, where we've many times seen IoT hosts reused across very different campaigns, maybe even by different actors, just because they were a vulnerable pool that remains unpatched over time. So we may see a DDoS attack come from a thousand IPs, and six weeks later, a hundred of those pipes popup in a credential-stuffing campaign. So one actor group installed a DDoS payload, the home users rebooted their DVR or whatever it was, and a few weeks later, somebody came along and installed proxy servers. So again, knowing that those vulnerable pool of devices could attack you over time could have alerted to or prevented those credential-stuffing attacks that happened a few weeks later. So being cognizant of how IP addresses, domains and, you know, other components' infrastructure can be used over time is really a useful way to prevent future attacks. 

Dave Bittner: I see. Now, is this something where the attackers could catch on and stop doing this? 

Mike Benjamin: Well, of course, right? Anybody who reuses a tool could take the time and stop and just set up a new tool, install the host somewhere else, a new software - heck, in some cases, just grab a different IP. It's as easy as that. But let's face it; it's easy for them not to. And human beings are lazy. And so as long as, let's say, the criminal market - they can make money, they're not going to take the extra few minutes to set up a new host or roll an IP or grab a new domain. As long as they can still make their money and still carry out their objectives, they're going to continue down that path. And so as defenders, it's all of our job to raise the cost of being bad and carrying out those campaigns. And so if we can make it harder, they're going to go a little slower. They're going to spend a little more money and make a little less profit, hopefully be less motivated a little bit over time to do this kind of work. 

Dave Bittner: I see. All right, well, Mike Benjamin, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed, and it smells April fresh. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.