The CyberWire Daily Podcast 10.29.20
Ep 1204 | 10.29.20

Familiar threat actors are back in the news. Big Tech’s testimony on Capitol Hill had less to do with Section 230 than many had foreseen.


Dave Bittner: Hey, everybody - Dave here. Did you know that the CyberWire is the world's largest B2B cybersecurity podcast network? Each month, our popular programs reach over a quarter of a million unique listeners that care about cybersecurity, including some of the most influential leaders and decision-makers in the industry. More than 80% of our audience are part of the decision-making process at their organizations, and more than 70% reported checking out the sponsor's website after hearing an ad. The CyberWire is one of the best ways to grow your brand, generate leads and fill that sales funnel. From the Fortune 10 to emerging startups, we have options to help you reach your goals and to fit your budget. Our podcasts are sold out for this year, but we're now booking 2021 and beyond. Contact us today by visiting to learn more. And tell them Dave sent you.

Dave Bittner: Some familiar threat actors, both nation-states and criminal gangs, return to the news - Venomous Bear, Charming Kitten, Wizard Spider and Maze - oh, my. Mike Benjamin from Lumen looks at the Mozi malware family. Our guest is Neal Dennis from Cyware on why it's time for organizations to step up their data sharing. And Big Tech's day on Capitol Hill involved more discussion of censorship and bias than it did Section 230 of the Communications Decency Act.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, October 29, 2020. 

Dave Bittner: Several familiar threat actors are back in the news. Some represent states; others are just criminal gangs. We'll take up the state actors first. 

Dave Bittner: The Russian government operation Turla, also known as Venomous Bear, is back. According to Accenture Cyber Threat Intelligence researchers, Turla has hacked an unnamed European government. BleepingComputer reports the Russian group deployed recently updated remote administration Trojans and remote procedure call-based backdoors in attacks between June and October of this year. 

Dave Bittner: The Estonian government and others have associated Turla with Russia's FSB, the Federal Security Service, a principal successor to the old Soviet KGB. CyberScoop's discussion of the reasons behind Turla's repeated success focuses on the care, patience and attention to detail the threat group uses to gain access to its targets. Embassies and diplomatic missions have figured high on Turla's target list, but it's also made attempts on military organizations, including United States Central Command. 

Dave Bittner: Accenture's report concludes, quote, "Turla will likely continue to use its legacy tools, albeit with upgrades, to compromise and maintain long-term access to its victims because these tools have proven successful against Windows-based networks. Government entities, in particular, should check network logs for indicators of compromise and build detections aimed at thwarting this threat actor," end quote. 

Dave Bittner: The other state actor in the news comes courtesy of Tehran. Microsoft has reported successful efforts by the Iranian threat group Redmond tracks as Phosphorus, also known as APT35 or Charming Kitten, to access accounts belonging to people thought likely to attend the Munich Security Conference and the Think20 Summit in Saudi Arabia. 

Dave Bittner: Charming Kitten's goal this time around appears to have been collecting intelligence on foreign policy. The initial entree is gained, as is usually the case, through phishing. People whose background and expertise make them plausible participants in the two high-profile conferences are being sent spoofed invitations by email. COVID-19 restrictions serve as an aid to the plausibility of the invitation. If you live, for example, in Rio de Janeiro, you might not be likely to hop on the next Lufthansa run to Munich. But signing up to attend a conference online is a different matter altogether, and the phishbait proffers access to remote sessions that anyone might well be tempted to consider. Once you sign up, well, the credential harvesting begins. Microsoft says the emails use near perfect English and were sent to former government officials, policy experts, academics and leaders from nongovernmental organizations. 

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency, with the FBI and the Department of Health and Human Services, yesterday issued a warning that the Ryuk operators were conducting a very large campaign against U.S. hospitals. Much of the ransomware deployment is being conducted from the revived Trickbot Trojan - somewhat impeded but still effective. The Ryuk operators are sometimes known by the name security firm CrowdStrike gave them, Wizard Spider. They're a Russophone criminal gang, not a unit of the intelligence or security organs.

Dave Bittner: Ryuk may be run by feral, conscienceless criminals, but at least they can't be accused of pious hypocrisy. They're not among the gangs who promised to put health care organizations on a do-not-touch list nor are they among the crooks posturing as Robin Hoods by making donations to charity. Ryuk is run by old-fashioned bandits with no interests beyond the main chance. 

Dave Bittner: Organizations in the health care and public health sectors should be especially on their guard. Their services are more important than ever during the pandemic, and any disruptions are a serious matter. CISA has some useful advice on its site. One prominent and much repeated bit of advice is that you shouldn't pay the ransom. Not only does that fuel the bandit economy, but there's no particular reason to think it will do you any good. An effective preparation and recovery plan should be well within the grasp of any health care organization. 

Dave Bittner: And there are signs that a prominent ransomware group may be shutting down. BleepingComputer says that the Maze gang appears to be closing its operation. New infestations appear to have stopped in September, and the gang is making what appears to be a last-minute push for payment from its existing victims. 

Dave Bittner: Maze is well-known as a criminal innovator. The gang was among the first to combine conventional ransomware with direct blackmail, stealing as well as encrypting its victims' data and threatening to release it online. It's also been marked by its relatively sophisticated media relations, acting more like a corporation with a public affairs office than like a collection of thugs beating their chests in some biker bar. 

Dave Bittner: The speculation about a shutdown comes largely from fringe chatter and rumor. When BleepingComputer contacted Maze's press contacts, the only answer they got was a coy, wait for the press release. Other criminal operators have shut down in the past. And if Maze does close its doors, that's not to be taken as unalloyed good news. It won't mean they've seen the error of their ways and gone straight. It's just that they'll have shifted operations to another criminal toolbox. In the case of Maze, that's likely to be the relegated Egregor ransomware. 

Dave Bittner: And finally, according to The Wall Street Journal, yesterday's U.S. Senate Commerce Committee hearings largely addressed senatorial concerns about online platforms' content moderation. Facebook, Google and Twitter CEOs testified. TechCrunch complains that Section 230 was hardly addressed, at least not directly. Section 230 of the Communications Decency Act is the law that gives internet platforms the intermediate status they presently enjoy, with most of the benefits of a neutral public square on the one hand and a publisher on the other but without many of the responsibilities or liabilities of either. Section 230 has been widely credited with fostering the growth of the internet, but its continuing utility has come into question in recent years as the internet strikes many observers as having outgrown the need for that sort of shelter. 

Dave Bittner: Questions were perhaps predictably partisan, with Republicans concerned that Big Tech was censoring speech Big Tech didn't care for but conservatives liked and Democrats concerned that Big Tech wasn't censoring enough speech progressives didn't like. In general, Twitter's Dorsey was the most defiant, Google's Pichai the most determinedly respectable and Facebook's Zuckerberg the most - well, maybe we could all do better, and let's all try to get along.

Dave Bittner: The online criminal bad guys and gals have long established a culture of information sharing, dating back to the days of dial-up BBSes to today's dark web forums and markets. Our guest Neal Dennis from Cyware says it's time organizations took a page out of the hackers' handbook and stepped up their information sharing. 

Neal Dennis: Today, we're very fortunate where we're at, I think, personally, technologically and scale of what's going on today than where we were maybe, say, even five years ago. Today, we see a lot of new technologies out there that are able to standardize and facilitate, like the machine-to-machine aspects of things that, when I first got into the ISAC world a handful of years ago, were not really well-founded. We've got a lot better standards, a lot more initial adoption around even some of those standards, which is obviously key. But even more importantly, you know, five, six years ago, ISAOs as a concept were new. We kind of had that happen in 2015 with the executive order. 

Neal Dennis: But we've gone from nothing to a lot of little things. And we're kind of reaching, I think, critical mass in the sense where most of them understand that they still can't - even if they have a hundred-member base or a 10,000-member base, they can't necessarily continue to go at it alone. So a lot of them are starting to foster legit relationships between those communities and starting to have those more kind of open-door policies for sharing between - at the very least between the analysts that facilitate the community at the very least, if not actually fostering, like, cooperative groups and things like that and moving that ball forward a lot. So we're definitely not to the 100% mark, but we are starting to see a lot more collaborative environment, even within the actual communities themselves like intercommunity. And that's a big key development, I think. 

Dave Bittner: And just for clarity, ISAOs are information sharing and analysis organizations, and ISACs are information sharing and analysis centers. What is holding folks back at this point, the people who are still feeling a little resistant to it, what's getting in their way? 

Neal Dennis: There's a couple of things. There's a lot of people, especially in the ISAO world, specifically - not the ISAC world. A lot of people getting involved in there have some legal concerns. I think that the structured legality of an ISAC blatantly provides you with a little bit more overhead on what constitutes safe-to-share information versus what would be considered a breach. And even then within ISACs, they still have some concerns. But long and short, ISAOs - that legal overhead is a little fuzzier for good reasons. We didn't want to - the government didn't want to dictate too much within them. They kind of wanted to see this kind of native growth within the industries for these things - and so I think legality issues, concerns around that, understanding what is OK to share, what's considered noncompete, what's considered competitive sharing, you know, and those antitrust laws and things of that nature. And then the other part of that, just, you know, institutionalizing and adopting of both, you know, the human-to-human interface and then that machine-to-machine component. So technology plays a good role in lack of adoption. 

Neal Dennis: We're still new as a whole to this idea. And people's first questions - one of the first ones is, you know, hey, do I actually - is there actually any value proofed out from this? Has anybody shown that me being involved in these organizations actually matters other than just me saying I'm there? And once again, we're reaching that critical mass. We're reaching that capability where we can start showing these things, and we have use cases and scenarios that prove out the value of these communities. And hopefully in the next year to two years, you know, what's available now just exponentially explodes as we start building more around those use cases and those scenarios that show that value added. 

Dave Bittner: That's Neal Dennis from Cyware. 

Dave Bittner: And I'm pleased to be joined once again by Mike Benjamin. He's the head of Black Lotus Labs, which is part of Lumen Technologies. I want to talk today about something you and your team have been tracking, and you call it Mozi. What's going on here? 

Mike Benjamin: Mozi is a malware family that targets IoT devices. And it's interesting because the actors behind it have taken some of the source code from a few different IoT families and put them together to create a new generation of malware. And so this particular malware family is capable of DDoS attacking. It's capable of data exfiltration. And then, as many families do these days, it supports arbitrary payload execution. So the actors at the end of the day can tell it to do just about anything on the endpoint that's infected. What's interesting about this compared to many of the other IoT families is that this one is a peer-to-peer network rather than a simple hierarchical C2 back to a single or a small subset of domain names. So it works, from a network perspective, very different. But at the end of the day, the DDoS code came directly from other families. 

Dave Bittner: Now, why peer to peer? What are the advantages here that it gives the attackers? 

Mike Benjamin: You know, it's interesting. Just as some attackers like writing in C and others write it in Go, it, in many cases, is a preference of the tooling of the particular actor group. There are benefits to them that, from a takedown perspective, can be a little more difficult to remove the infections. However, from a control perspective, it can be more difficult for them. So making sure that they maintain access to the network and access to the infrastructure can be difficult. It's also more code to maintain in order to maintain the distributed tables and other things. Even when they're taking code from other open source projects, it's still a larger software development exercise than a simple TCP socket to a standard C2. 

Dave Bittner: Now, what kind of devices is Mozi targeting here? 

Mike Benjamin: Well, unfortunately, it's the same answer we give to a lot of IoT malware families. So it's consumer-grade routers, and it's, you know, small business and consumer-grade DVRs and NVRs. It's the same embedded Linux systems that we've sort of been plagued by in this space for the last few years. It really isn't changing. I am happy to report that at least they are new generations of devices. They are different vendors. They are different software revs. And so whereas a few years ago we were seeing the exact same revs from the exact same vendors just get compromised over and over, the industry is getting better, and it is taking a little longer for the actors to release new exploits, to incorporate new exploits. And they are going away faster once they're incorporated. So we're getting better, but I'd rather not come on and tell you that it's consumer routers and NVRs again in the future. So we've still got room to improve.

Dave Bittner: Yeah, what can we do to stop this? What's effective for shutting it down? 

Mike Benjamin: Well, the first is making sure things are patched, making sure you're buying equipment that autopatches or is capable of patching is the most basic - but even then, making sure that the TCP connections are not available to the open internet. And so most of these active groups, they scan the internet on some pretty common ports, use some pretty well-known exploits. So if the port's not open and their exploit doesn't work, they're going to move right on because there's pools of thousands and thousands of these things. You know, as of this morning, this botnet is about 14,000 strong that your one individual home is just not going to be of interest if they can't connect to it. They're going to move to the next one.

Dave Bittner: I see. Interesting. All right. Well, Mike Benjamin, as always, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Make a run for the border. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.