The CyberWire Daily Podcast 11.2.20
Ep 1206 | 11.2.20

Another look at North Korean cyberespionage. Phishing with Google Docs. How Iran obtained US voter information. Election security enters its endgame.


Dave Bittner: Another look at Pyongyang's Kimsuky campaign. Phishing with bogus Google Docs. How Tehran got its hands on voter information. Rick Howard looks at containers and serverless functions. Malek Ben Salem shares the results of Accenture's 2020 Cyber Threatscape report. And looking ahead to the election influence endgame.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, November 2, 2020. 

Dave Bittner: Researchers at security firm Cybereason have released an account of North Korea's Kimsuky activity, the work of a threat group also known as Velvet Chollima, Black Banshee, and Thallium. Their research follows up information developed and shared by CISA last week. Cybereason offers several new pieces of analysis, including descriptions of the KGH_SPY modular spyware toolset and the CSPY Downloader, both of which lend additional stealth to the group's operations. 

Dave Bittner: The Kimsuky operators began working against South Korean targets, but their interests have expanded impressively. Among the targets Cybereason identifies are pharmaceutical and biomedical research companies working on COVID-19 vaccines and therapies, the U.N. Security Council, South Korea's Ministry of Unification, which works on inter-Korean relations, various human rights groups, which usually take a jaundiced view of Pyongyang's dismal record, the South Korean Institute for Defense Analysis, various educational and academic organizations, selected think tanks, government research organizations, journalists who cover foreign relations and defense issues affecting the Korean Peninsula and, of course, the Republic of Korea's military. 

Dave Bittner: Kimsuky has reached American targets as well. 

Dave Bittner: While Cybereason thinks the evidence is short of dispositive, they conclude that there are clues that can suggest that the Kimsuky infrastructure targeted organizations dealing with human rights violations. 

Dave Bittner: WIRED describes a new scam, evidently the work of Russian organized crime, that phishes victims with bogus invitations to cooperate on Google Drive documents. Essentially, it's Google Drive spam, convincing in the same way earlier campaigns that traded on fake Google Calendar invitations. People are disposed to trust an invitation to collaborate on a document. 

Dave Bittner: While Google says it's doing what it can to suppress this campaign, it does note the difficulty of providing foolproof protection from spam. So again, a cautious and skeptical user is the best defense. If the document is unexpected and if it looks nonsensical, decline the invitation. 

Dave Bittner: There have been follow-ups to earlier reports of hostile activity. The U.S. Cybersecurity and Infrastructure Security Agency and the FBI have published a description of how Iranian threat actors used the Acunetix vulnerability scanner to search websites for voter registration information. Tehran subsequently used the information they obtained from the scans to mount the bogus and implausible Proud Boys campaign of threatening emails, which was quickly exposed and debunked. 

Dave Bittner: We say conventionally that the U.S. elections are tomorrow. Strictly speaking, with widespread early voting, they've been in progress for some time. But Election Day proper is tomorrow, and that's the day voting will be complete.  

Dave Bittner: Most observers think it unlikely that the vote itself is likely to be successfully manipulated by foreign actors. And much of the disinformation surrounding the election, like the rather bumbling Iranian attempt to discredit a campaign with forged threats we just discussed, has probably already taken place. 

Dave Bittner: So the security of the vote itself seems unlikely to be compromised, but there remain eleventh-hour threats to the election. It appears that the most probable cybersecurity incidents likely to arise in connection with the voting are disinformation efforts intended to exacerbate fissures in civil society and retrospectively call the legitimacy of the results into question. 

Dave Bittner: It's also possible, as Politico notes, that various accidents, malfunctions or misunderstandings could be misread as cyberattacks. For example, false rumors about the unreliability of new and less familiar voting machines could gain currency. 

Dave Bittner: Among those less familiar voting systems are ballot-marking devices. These have for some time been used to help people with disabilities vote - people who, for example, have difficulty reading small print or have a hard time holding a pen. These have been widely adopted in the state of Georgia, for example, and by a number of counties in Pennsylvania. 

Dave Bittner: Could such devices be hacked? Well, in principle, sure. But likelier than hacking is the possibility of malfunction or, even likelier, people simply finding them sufficiently unfamiliar to slow down the action of casting a ballot, which voters could misinterpret as a failure or as evidence of tampering. 

Dave Bittner: Election officials in most or all states are urging patience and skepticism. People shouldn't expect official results immediately. These things take time. 

Dave Bittner: And it is my pleasure to welcome back to the show Rick Howard, the CyberWire's chief analyst and chief security officer. Rick, great to talk to you again. 

Rick Howard: Hey, Dave. 

Dave Bittner: On this week's "CSO Perspectives," you are tackling a couple of things - secure containers and serverless functions. 

Dave Bittner: Let's start off with some definitions here. I'm going to go out on a limb here and say that when we're talking about containers, we are not talking about those big crates that get shipped around the world on giant seagoing vessels. 

Rick Howard: (Laughter). 

Dave Bittner: And we'll get to serverless in a minute. But let's tackle containers first. 

Rick Howard: Well, I think you're right about that. And I would say that's a general consensus for most people in the network defender world, including me, before I started working on this story. 

Dave Bittner: Yeah. 

Rick Howard: I had this big idea of what they - what these things are, but I wasn't really sure how they fit into the security world. And it turns out that these two concepts are the current state of client-server architecture. I thought they were just some programming technique. But, no, it's kind of the evolution of this idea that we've had in the computing world since the late 1960s. 

Rick Howard: And about every 10 years or so, the community levels up the model to something completely different in terms of how we do it. It's basically the same idea, though - client-server - but much more efficient. 

Rick Howard: I was thinking about this with my wife this morning, and I was remembering my first real big job in the Pentagon in the late '90s. It was the first time I got a network management job, right? And I walked into the data center on my first day, and to my shock, we had all the important applications running on one computer. It was email, databases, web server, DNS, everything. So if the Windows server would've crashed, we would've lost everything. And I know that would never happen on a Windows server back in those days, but that's... 

Dave Bittner: (Laughter) I was thinking to myself, please let it be Linux, please let it be Linux, please let it be Linux. Right, OK. 

Rick Howard: So we changed all that. And so basically, instead of one big iron server, one operating system, we changed it to the same thing, but one app per operating system on different machines. So instead of running one server running everything, we went to one server running a bunch - I mean a bunch of servers running a bunch of things. And that was the standard model for most of us back in those days. 

Dave Bittner: Yeah. 

Rick Howard: Right? And then in the 2000s, virtual machines started to become stable. So that was the big change. CIOs could eliminate some of the cost to all that big iron. They only needed one beefy, big iron server with lots of RAM, CPU and hard drive space. 

Dave Bittner: Right. 

Rick Howard: But they would have multiple virtual operating systems running, partitioned away from each other so if one crashed, the others would still function. 

Dave Bittner: Right. 

Rick Howard: So that was a little bit better, OK? 

Rick Howard: In the later part of the decade, as cloud services started to come online, CIOs could eliminate the big iron servers altogether. They would put multiple virtual operating systems in the cloud environment, still running one app per operating system, though, but they didn't have to manage all that big iron anymore. So that was better in terms of cost and efficiency. 

Dave Bittner: Well, I can see where we're going in terms of the overall evolution and the efficiency, but I'm still scratching my head when it comes to the use of resources. I mean, what you're describing here, you know, we're deploying a standalone operating system for every app that we're running. That seems like a bit of overkill to me, especially when you consider things like having to keep all of those independently operating operating systems updated with bug fixes and patches and all that sort of stuff. Don't you end up sort of on the upgrade and patching hamster wheel if that's your approach? 

Rick Howard: (Laughter) Exactly right. And, you know, it's the reason you still see some infamous Windows XP blue screens of death as you walk around airport terminals - right? - because... 

Dave Bittner: (Laughter) Right. 

Rick Howard: So - because for those that don't know, Windows or Microsoft into the life of Windows XP back in 2014, there have been five - count them, five - completely different operating systems since then, right? But the application developers for the airport terminal apps found it easier just to keep running the extremely old operating system rather than try to keep their applications up to date, all right? 

Rick Howard: And so that was kind of the current state. But this is where containers and serverless functions come in. This is the big innovation, right? 

Rick Howard: So with containers, you build a virtual standalone box of software that only contains the application, plus the software libraries you use to build it and some other knicky-knack (ph) binaries it requires, plus a couple of operating system pieces it depends on and a couple of configuration files, and run it on a barebones kernel of an operating system, and that's it. The box is hermetically sealed against any future operating system upgrades or patches. 

Rick Howard: And then every container you build this way shares the base operating system, this kernel, but none of the other flotsam and jetsam features that always come along with the operating system package. So this protects the container from, say, the most recent Nvidia graphics driver patch designed to improve the gaming experience of 7-year-olds playing Fortnite, OK? 

Dave Bittner: Right (laughter). 

Rick Howard: But that may cause your app to crash because you share some of the same software library, so... 

Dave Bittner: Right. Suddenly, nobody knows when their flight's going to arrive at LAX. 

Rick Howard: (Laughter) That's right, 'cause I'm killing the monsters inside of Fortnite, right? 

Dave Bittner: Right, right. 

Rick Howard: So that was the giant leap in the client-server architecture idea. Now you have one virtual operating system running in the cloud or your data center and multiple lightweight software containers each running the apps you want to deploy. 

Dave Bittner: OK. Well, all right, that makes a lot of sense to me. But - so let's swing back around and tell me what's going on when we're talking about serverless functionality, then. How can this stuff running on servers be serverless? 

Rick Howard: (Laughter) I know. I've thought about that for many, many years, right? So the serverless function name represents a bit of confusion here, right? So, of course, there are servers in this evolution of client-server architecture. They don't disappear. They have to be running somewhere. 

Dave Bittner: Yeah. 

Rick Howard: The point is they are serverless for the customer. The customer doesn't have to manage the server and operating system at all. The cloud provider does it. Serverless functions take the idea of containers to the extreme. Instead of maintaining an operating system and building your own containers, developers write the code - the functions, in other words - and deploy them in the cloud provider's system for future execution. 

Dave Bittner: All right. I guess I'm still trying to get past this not being semantics and smoke and mirrors. I mean, it sounds to me like these are programming techniques. And I see the value in sort of developers being able to kind of isolate potentially buggy code. But what about the security implications here? How does it affect that? 

Rick Howard: Well, I mean, you're spot on here - right? - 'cause the difference in this new kind of client-server architecture today, compared to how we wrote code before, is that these things take up internet real estate. They essentially add more attack surface for a potential adversary to leverage and require the same first-principle cybersecurity protections that we would apply to any other digital asset within our organization. They're exposed - or they're more exposed than they were in previous lifetimes. 

Dave Bittner: All right, well, it is - it sounds like you got a great episode going. And this is one - this is a can't - this is a don't-miss episode of "CSO Perspectives." 


Dave Bittner: I know I'm going to be tuning in 'cause it sounds to me like I got a lot to learn that I didn't know I had to learn. So I'm going to let you teach me. It's "CSO Perspectives." It's part of CyberWire Pro. Rick Howard, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And joining me once again is Malek Ben Salem. She is the America security R&D lead at Accenture Labs. Malek, it's always great to have you back. You all recently released the most recent version of your Cyber Threatscape report. Let's go over that together. What sort of things did you focus on in this round of the report? 

Malek Ben Salem: Thank you, David. Yeah, we just released our Threatscape report. This is a report that focuses on the latest threat trends that our CTI analysts have observed. And we've highlighted three major trends that we've seen over the year of 2020. 

Malek Ben Salem: The first one is that sophisticated adversaries are masking their identities with off-the-shelf tools. This is a trend that we've seen with a number of, you know, suspected state-sponsored and organized criminal groups. They are using a combination of off-the-shelf tooling, as well as open-source penetration testing tools at unprecedented scale. And you may ask, why would they do that? And they're probably doing that, well, first, because of tools are available and easy to use, but also, the main reason is to hide their identities. 

Dave Bittner: So they look like folks of perhaps lower capabilities than they actually are. 

Malek Ben Salem: Exactly, exactly. 

Dave Bittner: Yeah. 

Malek Ben Salem: And our analysts have seen that with a group that Accenture refers to as SOURFACE. It's also known as Chafer or Remix Kitten. They've been around since at least 2014, and they're known for their cyberattacks against - on oil and gas, communications and transportation industry in the U.S., Europe or Saudi Arabia. And our analysts have observed that they are using the legitimate Windows functions and freely available tools, such as Mimikatz, which is very known for credential dumping. 

Dave Bittner: What else have you been tracking? 

Malek Ben Salem: The second trend that we've observed is that new, sophisticated tactics are being used to target business continuity. In fact, the threat report notes how one group has aggressively targeted systems supporting Microsoft Exchange and Outlook Web Access and then uses these compromised systems as beachheads within a victim's environment to hide traffic and to relay commands and compromise email and steal data. 

Malek Ben Salem: In particular, you know, the group that we've observed, which is operating from Russia and is known as Turla or Snake, it has been active within the last 10 years and is associated with many cyberattacks. Its target is really business continuity, so bringing systems down and compromising email and stealing data. 

Dave Bittner: And then what's the third category that you've focused on here? 

Malek Ben Salem: So the third main trend that we've observed is that ransomware seems to be growing. It's feeding a new, profitable and scalable business model. As a matter of fact, there has been a 60% increase in the average ransom payment, and that's across the first quarter of 2020. So this obviously encourages these groups to expand their activities. 

Malek Ben Salem: Our analysts have observed that one group was performing a recruitment campaign on a popular dark web forum. This is a group known as Sodinokibi. It's also known as REvil. And so this basically demonstrates that, you know, this business is profitable, it's scalable, and it will continue to be so over the next year. 

Dave Bittner: Yeah, it's funny how a couple years ago, we were speculating that perhaps, you know, cryptomining was going to take the place of ransomware. That did not play out, did it? 

Malek Ben Salem: I know. (Laughter) No, it didn't. It didn't. And there is no need to, right? 


Dave Bittner: Right. 

Malek Ben Salem: As people continue to make the payments, then, you know, attackers will continue to take the easy way. 

Dave Bittner: Yeah, yeah. Absolutely. All right, anything else in the report that you wanted to highlight? 

Malek Ben Salem: Well, I think all of these trends basically emphasize the need for agile security, right? Businesses need to be ready and need to be able to adapt quickly and to change their game quickly in response to the attacks that they're receiving. And the fact that COVID-19 has radically shifted the way we work also, you know, drives the need for that security agility that is of utmost importance. 

Dave Bittner: All right. Well, Malek Ben Salem, thanks for joining us. 

Malek Ben Salem: Thank you, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Oh, what a relief it is. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.