The CyberWire Daily Podcast 11.12.20
Ep 1213 | 11.12.20

An overview of threat actors, two proofs of concept, and an IoT botnet bothers the cloud. Patch Tuesday notes. And control yourself, sir.


Dave Bittner: Hey, everybody. Dave here. Did you know that the CyberWire is the world's largest B2B cybersecurity podcast network? Each month, our popular programs reach over a quarter of a million unique listeners that care about cybersecurity, including some of the most influential leaders and decision-makers in the industry. More than 80% of our audience are part of the decision-making process at their organizations, and more than 70% reported checking out the sponsor's website after hearing an ad. The CyberWire is one of the best ways to grow your brand, generate leads and fill that sales funnel. From the Fortune 10 to emerging startups, we have options to help you reach your goals and to fit your budget. Our podcasts are sold out for this year, but we're now booking 2021 and beyond. Contact us today by visiting to learn more. And tell them Dave sent you.

Dave Bittner: BlackBerry tracks a mercenary group providing cyber-espionage services. A rundown from Dragos on threat actors engaging with industrial targets. An IoT botnet is active in the cloud. A research team offers a new proof-of-concept for DNS cache poisoning. And another group of researchers demonstrates a novel power side-channel attack. We got some Patch Tuesday notes. Joe Carrigan wonders if you're likely to get your money's worth when paying baddies. Our guest is Michael Daniel from the CTA on the merging fields of cybersecurity and information operations. And a pro tip - you do know that they can usually see you on Zoom, right?

Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, November 12, 2020.

Dave Bittner: Several research reports have come out at midweek. 

Dave Bittner: First, BlackBerry researchers are tracking what they believe to be a mercenary cyberespionage group whose campaign they're calling CostaRicto. Blackberry doesn't speculate about which nation-state or states or which well-resourced nongovernmental organization would be serving as their paymasters, but they offer four reasons for thinking it's a mercenary operation. It uses bespoke malware. It shows systematic and continual development. It appears to share some network infrastructure with APT28 - that's Fancy Bear, Russia's GRU. And it has a highly diversified target list that suggests more than one customer is using CostaRicto's services. 

Dave Bittner: BlackBerry sees cyberespionage mercenary activity as a natural evolution of other trends in the criminal underworld. If ransomware as a service has found a lucrative market, why not espionage as a service? 

Dave Bittner: Dragos finds that industrial control systems in various manufacturing and industrial sectors are increasingly being subject to the attention of cyberthreat actors. The researchers are following five distinct threat groups. Four of them remain, at this stage of their evolution, espionage as opposed to sabotage operations. They list them. 

Dave Bittner: CHRYSENE, which other studies have called APT34 or Helix Kitten, targets the petrochemical, oil and gas, manufacturing and electrical power generation sectors. It's expanded its interests beyond the Persian Gulf. It's not possible that CHRYSENE was connected with the Shamoon destructive wipers attacks that afflicted Saudi Aramco in 2012. 

Dave Bittner: MAGNALLIUM, also known as APT33 or Elfin, is active against the energy and aerospace sectors, including their supporting sectors. Like most of the other groups, it's a cyberespionage specialist, concerned with stealing information as opposed to disrupting operations. 

Dave Bittner: PARISITE, known also as Fox Kitten or Pioneer Kitten, works against electric utilities, aerospace, manufacturing, oil and gas entities and government and nongovernmental organizations. PARISITE hasn't directly disrupted industrial operations. It targets vulnerable virtual private network appliances, and Dragos thinks this argues an interest in gaining initial access to enterprise networks. 

Dave Bittner: WASSONITE, associated with the Lazarus Group, hits electric generation, nuclear energy, manufacturing and research entities. WASSONITE makes heavy use of DTrack malware. It does a good bit of credential stealing. It's principally a cyber-espionage group after intelligence and intellectual property. 

Dave Bittner: And XENOTIME, best known for the TRISIS attack that disrupted a Saudi natural gas facility. 

Dave Bittner: Dragos doesn't offer attribution of any of these to nation-states, but others believe CHRYSENE, MAGNALLIUM and PARISITE to be Iranian, WASSONITE, North Korean and XENOTIME, Russian. Their activities have focused on the Persian Gulf region, but they've shown recent signs of expansion to other geographical areas of operation. 

Dave Bittner: Lacework researchers describe Muhstik, an IoT botnet infesting cloud services. Signs point to Muhstik being a Chinese criminal operation. It was monetized through XMRig. 

Dave Bittner: Two university teams have come up with proofs of concept that, while hardly an immediate threat, nonetheless bear watching. 

Dave Bittner: The first results from California. University of California, Riverside has published a study of vulnerabilities that forecasts a return of DNS cache poisoning. The researchers determined that 34% of the open resolvers on the internet are vulnerable. This includes a heavy fraction, some 85%, of the most popular DNS services. 

Dave Bittner: DNS cache poisoning works by interposing a malicious IP address into DNS caches. A corrupted DNS record sends visitors to a site that looks like the real one but that's under malicious control. It's a form of spoofing. 

Dave Bittner: It was once a popular attack method, but it fell out of favor when enterprises realized that they could fend it off by randomizing either the number of the port sending the request or the numbers of other locations involved in communicating among networks. Randomization defenses in browsers have made DNS cache poisoning much harder to pull off. 

Dave Bittner: But the researchers at Riverside have found a way in which DNS cache poisoning could exploit resolvers and forwarders in a new side-channel attack. It's a proof of concept, but the results merit some consideration. 

Dave Bittner: A second proof of concept comes from Europe. A team of researchers at the University of Birmingham, the Institute of Applied Information Processing and Communications at Graz University of Technology and the Helmholtz Center for Information Security has identified a new power side-channel vulnerability, PLATYPUS, in Intel central processing units. Power side-channel attacks capture fluctuations in processor power consumption and use these to extract sensitive information from the CPU. Cryptographic keys, for example, might be among the data captured. 

Dave Bittner: Power measurements done by malware have long been relatively inaccurate, and they also required physical access to the target and the ability to connect the target to measuring tools like an oscilloscope. What's different about PLATYPUS is that two methods offer a simpler, more accurate approach to power side-channel attack. 

Dave Bittner: The researchers wrote, quote, "in the first, they use the RAPL interface - Running Average Power Limit - which is built into Intel and AMD CPUs. This interface monitors the energy consumption in the devices and ensures that they don't overheat or consume too much power. RAPL has been configured so that power consumption can be logged even without administrative rights. This means that the measured values can be read out without any authorizations. In the second approach, the group misuses Intel's security function Software Guard Extension - SGX. This functionality moves data and critical programs to an isolated environment called an enclave, where they are secure, even if the normal operating system is already compromised by malware," end quote. 

Dave Bittner: So again, not an immediate threat, but one worth bearing in mind. 

Dave Bittner: Tuesday was, of course, Patch Tuesday, and it was a relatively busy one. Intel released 40 security advisories for its Active Management Technology, wireless Bluetooth and NUC products. Some of the bugs involved a critical risk of privilege escalation. Out in Redmond, Microsoft fixed 112 flaws, one of them a Windows zero-day Google pointed out last month. Google itself addressed two Chrome zero-days. And Adobe took care of issues in Connect and Reader Mobile. The Connect problems were cross-site scripting vulnerabilities. The Reader Mobile issue was an information disclosure vulnerability. Adobe is not likely to issue a follow-up round of patches. 

Dave Bittner: And let's take a quick look at the hot sheets. Oh, here you go. A pro tip - one of the big features of Zoom is that the people you're conferring with can, you know, see you. There's been a bit of housecleaning over at Conde Nast, where one of The New Yorker's high-profile pundits was observed to be spending a little time with himself during an election war game, to the general horror of his colleagues. Look. Passion for the job is great, but take but measure away and hark what madness follows.

Dave Bittner: Having made it past Election Day here in the U.S., online misinformation continues from a variety of sources, both foreign and domestic. The CyberWire's chief analyst and chief security officer, Rick Howard, recently got on the line with Michael Daniel, president and CEO of the Cyber Threat Alliance, to discuss the merging fields of cybersecurity and information operations. 

Rick Howard: Hey, everybody. Rick Howard here. I am pleased to welcome to the show, Michael Daniel. He, in 2017, became the president and CEO of the Cyber Threat Alliance, a nonprofit cyber intelligence-sharing organization for security vendors, an ISAC or ISAO for cybersecurity vendors. And prior to that, he served as special assistant to President Obama and the cybersecurity coordinator on the National Security Council staff. Michael, thanks for coming on. 

Michael Daniel: Yeah, thank you for having me. 

Rick Howard: So you have an interesting take on this development of information or misinformation and disinformation that has sort of been plaguing the world these past five to 10 years. And there have been, you know, admittedly, all kinds of suggestions about how we might curtail this stuff, everything from limiting free speech to holding social media platforms accountable for the information going across their networks. But you have a really interesting idea about who we should recruit into the cause. Can you tell us about that? 

Michael Daniel: Sure. Certainly, I think that information operations is a separate discipline from cybersecurity, but they're very closely related fields. And as a result, I think that both sets of disciplines need to actually gain a working knowledge of the other, meaning that cybersecurity practitioners, network defenders and the like need to develop a basic understanding of misinformation and disinformation - the tools that are used to propagate it, what it looks like and some of the basic tools for defending against it. 

Rick Howard: Is there any advice you can give the newbies listening to the show - what they should be thinking about? 

Michael Daniel: I think that checking out places that have started to work very hard against misinformation and disinformation, like the work that Facebook has been doing, like the work that the company Graphika has been doing is really important and starting to... 

Rick Howard: Yeah. And some of the work at Stanford and - places to look, yeah. 

Michael Daniel: Yeah, absolutely. And Belfer Center up at Harvard has done some very good work in the election space. Just starting to pay attention to that line of work as well. And how do you recognize the basic warning signs? How do you know when your company or the network that you might be defending, that organization that you might be defending - right? - because you're not really just defending the network. You're defending the organization. 

Michael Daniel: How might you know when the organization that you're defending might also be subject to an information operation? And how do you know then when to go get help from the real experts - right? - so that you can handle the basic triage but you know to reach out to the more sophisticated, the more qualified, the higher skilled practitioners to bring them in, just like you would higher skilled, you know, cybersecurity experts in a given area if you detected a particular kind of cyberthreat? And that's really how I view it. 

Michael Daniel: Similarly, on the other side, if you've got people that are working very hard in brand protection and countering misinformation from an organization and they begin to realize that it's actually powered by cybersecurity activity, then they need to know enough to say, hey, I'm recognizing the signs of malicious cyberactivity here. We need to go get some help from the cybersecurity experts. And that will make both sides much better off in terms of how they're interacting with each other. 

Rick Howard: Well, what I really love about the cybersecurity field is there's always something new to learn and something to challenge us with. So I love that part of it. And here's a new skill set that we can all put under our bailiwick and try to become masters of. So Michael, thanks for coming on the show - and really interesting ideas. 

Michael Daniel: Yep, always happy to talk to you, Rick. 

Dave Bittner: That's our own Rick Howard speaking with Michael Daniel, president and CEO of the Cyber Threat Alliance. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: You know, last week on the CyberWire, we made mention of this article over on KrebsOnSecurity from Brian Krebs, and it's titled "Why Paying to Delete Stolen Data is Bonkers." I wanted to dig into this article with you and go over some of the details, because I'm guessing you have some thoughts on this. 

Joe Carrigan: I do. I do. I would like to say that, once again, I have predicted something... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Not that that's difficult to do in this industry. 

Dave Bittner: OK. 

Joe Carrigan: It's one of the easiest things about working in the security field, is you just pick something that's really bad and say, that's going to happen. 

Dave Bittner: OK, fair enough. 

Joe Carrigan: And... 

Dave Bittner: All right. 

Joe Carrigan: ...A lot of times, you're right. And when ransomware started exhibiting the trend of going to also being data breach extortion, right? 

Dave Bittner: Yeah. 

Joe Carrigan: I said, if you're going to pay, make sure that you're paying just so you get your data back from being encrypted. But you should not let the economic pressure of being told that they're going to publish your data if you don't pay up - you should not let that be part of the decision-making process, because you have absolutely no guarantee that they're going to delete your data when they're done with it. 

Joe Carrigan: They could take your money - if the only reason you're paying them is so that they don't release it, they can take your money and then turn around and sell your data anyway. And that's exactly what this article is talking about, and that's what this report says. It came from Coveware, that they're seeing, even after you pay the money, the hush money, they are still turning around and selling the data. 

Dave Bittner: Now, how is this different from, for example, you know, you pay to have your data decrypted, pay them some money and then they come back and either encrypted again or after you pay them, they say, oh, you know what? We're not going to decrypt it until we get more money. 

Joe Carrigan: Well, you know, that's a good observation. If you're dealing with somebody who you've paid to decrypt your data and they don't decrypt it, that's kind of a rare occurrence, but it does happen. But, you know, that's a risk you take whenever you are paying a ransom to a ransomware attacker. As far as getting attacked again, getting encrypted again, that's a separate incident, a separate event. And what we're talking about here is - in fact, there's even a quote in here from Fabian Wosar, who's the chief technology officer at Emsisoft. 

Joe Carrigan: And he says, the bottom line is, ransomware is a business of hope. The company doesn't want the data dumped or sold, so they pay for it, hoping the threat actor deletes the data, right? 

Dave Bittner: Yeah. 

Joe Carrigan: And this threat actor can come back to you over and over and over again. There's another good quote in the article from the Coveware report that says, unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end, right? There's... 

Dave Bittner: Right. 

Joe Carrigan: ...Just no way to do it. And that was one of the points I made, is that these guys can come back to you and essentially say, you know what? Now, you have to pay a subscription fee to keep your data private, right? 

Dave Bittner: (Laughter) Right, right. 

Joe Carrigan: So because once they have it, they have it forever. 

Dave Bittner: Right. 

Joe Carrigan: And Fabian Wosar makes the point that, technically speaking, whether or not they delete the data doesn't matter from a legal standpoint. You have still incurred a data breach. 

Dave Bittner: There's - yeah, there's no way that you can guarantee to the folks whose data has been stolen that... 

Joe Carrigan: Right. 

Dave Bittner: ...It's been deleted. You can't - there's no way to prove that. 

Joe Carrigan: That's right. That's absolutely right. And a lot of companies think, OK, well, we suffered a data breach. Let's try to cover this up and pay the pay the hush money to these guys and hope that they delete it. And my point has always been, that's no good. There's - you have no guarantee that that's going to happen. Now, this Coveware report is saying that they're going to go ahead and sell your data anyway a lot of the time. So I stand by what I originally said and what Krebs is saying here and everybody else, is if your sole reason for paying a ransom is to keep the data private, give it up. It's - the data's gone, and they're probably going to sell it anyway. You've... 

Dave Bittner: Don't have don't have false hope. 

Joe Carrigan: Don't have false hope. And be responsible. You have suffered a data breach, and you have to report that. 

Dave Bittner: Right, right, right. Take the appropriate action. 

Joe Carrigan: Exactly. 

Dave Bittner: Yeah, yeah. Good point, yeah. Well, it's an interesting article over on KrebsOnSecurity. It's called, "Why Paying to Delete Stolen Data is Bonkers." Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. It's mmm-mmm good. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.