The CyberWire Daily Podcast 11.17.20
Ep 1216 | 11.17.20

Hidden Cobra’s new tricks. Notes from the criminal underground. Draft EU data transfer regulations. And the coming ape-man disinformation.

Dave Bittner: Hidden Cobra inserts Lazarus malware into security management chains. Malsmoke malvertising doesn't need exploit kits anymore. Ransomware operators shift towards social engineering as the ransomware-as-a-service criminal market flourishes. Draft EU data transfer regulations implement the Schrems II decision. Robert M. Lee from Dragos shares a little love for the lesser-known areas of ICS security. Our guest is Gregg Smith from CAMI with insights on promoting cyber capabilities at the state level. And the next thing for disinformation - no surprises here - it's COVID-19 vaccines.

Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, November 17, 2020. 

Dave Bittner: Researchers at ESET have found that North Korean threat group Hidden Cobra is deploying its Lazarus toolkit by infiltrating South Korean software supply chains. South Korean internet users are often required to install additional security software before visiting government or financial sites. The application WIZVERA VeraPort is commonly used to manage such additional security, and Hidden Cobra appears able to replace software delivered to WIZVERA VeraPort users from a legitimate but compromised website with Lazarus malware. ESET is highly confident in its attribution of the attacks to Pyongyang. 

Dave Bittner: Malwarebytes warns that the malsmoke malvertising campaign has forsaken exploit kits for social engineering. The malsmoke gang usually targets high-traffic adult websites, and they've most recently been posting notices that visitors to such a page need to install a Java plug-in to view the saucy video they came for. Sure, it's not plausible, but the hoods figure consumers of adult video are unlikely to be skeptical. Whoa, says our hypothetical video user. It says here download that Java plug-in, and that sounds like something you ought to do on a computer, maybe. So, hey, what harm could it do? The hoods are right in some cases, and for some audiences, you really don't need to sweat the plausibility. 

Dave Bittner: The malsmoke operators aren't alone. Security firm Ironscales sees a general shift towards social engineering and ransomware attacks. Ironscales says, quote, "from an attacker's perspective, the transition from spearphishing emails packed with malicious payloads to social engineering was a no-brainer. The overwhelming majority of email phishing attacks are now driven by social engineering messages aimed at prompting an action and distributed via advanced phishing techniques such as business email compromise, VIP or CEO impersonation and other forms of email spoofing and fraud." 

Dave Bittner: Ransomware operations are also well-supported by a strong market for criminal-to-criminal services. Dark web intelligence shop Intel 471 counts at least 25 ransomware-as-a-service outfits currently doing business. They divide them into three tiers based on size, reach and reputation. 

Dave Bittner: The Tier 1 ransomware-as-a-service players are big, offer proven code and continue to operate in the face of widespread public awareness and exposure in the media. They also have to have been around for a while - for months, which counts as enduring in the rapidly evolving world of the criminal marketplace. The outfits in Tier 1 include REvil, NetWalker, DoppelPaymer, Egregor, also known as Maze, and Ryuk. All of these, with the partial exception of Ryuk, also maintain leak sites they use to pressure their victims with the prospect of doxxing. 

Dave Bittner: Tier 2 is for the up-and-comers. They've achieved a certain cachet in the underworld. They offer advanced ransomware strains, but they don't have the volume in terms of either attacks or affiliates that the big Tier 1 players boast. Tier 2 includes Avaddon, Conti, Clop, DarkSide, Mespinoza, Ragnar Locker, Ranzy, SunCrypt and Thanos. 

Dave Bittner: Tier 3 is for the wannabes, or at least the newbies. Some of them may be making it in a small way, but it's often hard to tell whether any one of them is still in business or not. Tier 3 goons have been known to proffer CVartek.u45, Exorcist, Gothmog, Lolkek, Muchlove, Nemty, Rush, Wally, Xinof, Zeoticus and, lately, ZagreuS. The leading brand in all of this, Intel 471 says, is Ryuk, which, by their estimation, has been involved in about a third of the ransomware attacks observed this year. 

Dave Bittner: The Wall Street Journal summarizes draft EU privacy rules expected to drastically circumscribe how Europeans' personal data must be handled when that data is moved outside the EU. The draft guidelines are intended to implement the EU's Court of Justice decision issued earlier this year in the Schrems II case that invalidated the former EU-US Privacy Shield regime. 

Dave Bittner: Cooley describes the new process for transferring data as consisting of six steps. First, map any data transfers. Second, select a transfer mechanism. Third, determine whether your selected transfer tool works without supplementary measures. Fourth, adopt any necessary supplementary measures. Fifth, take any required procedural steps. And sixth, reevaluate at appropriate intervals. That's, of course, a bare outline. There are many details in each step. If you handle European data, call your lawyer. 

Dave Bittner: And finally, you know, all that election disinformation stuff we've been hearing about is so yesterday, isn't it? So what's the new thing coming down the pike in terms of lies and grifting? Well, The Washington Post goes out on a limb and predicts that the next big disinformation fight will be over COVID-19 vaccines. We'll crawl out there with them as well and say they're probably right. In fact, it's already begun. 

Dave Bittner: After all, Moscow's been busily predicting that anyone who takes the AstraZeneca vaccine under development in the UK is likely to turn into a monkey. We think better of AstraZeneca and their partners at Oxford than that, but maybe the Kremlin, like, knows stuff. As with any risk, if you're concerned about the whole simian transmogrification thing, there are three things you can do with the risk. You can mitigate it, transfer it, or accept it. Forewarned is forearmed. AstraZeneca is probably mitigating this risk as well as anyone can. We haven't seen any insurance companies offering to indemnify ape transformation, although in fairness, there's not a whole lot of actuarial data on the process. Or you could accept the risk. That's where we are. 

Dave Bittner: There are organizations at all levels who lend a helping hand to businesses in their area at the local, state and national level. Locally, that could be the chamber of commerce or the county office of economic development. When it comes to cyber, many states in the U.S. have organized efforts to promote this rapidly growing vertical, with its high-paying jobs and potential for growth and prestige. Gregg Smith is chairman of the board for CAMI, the Cybersecurity Association of Maryland, and he shares insights on the value proposition these types of organizations bring to the table. 

Gregg Smith: CAMI is the Cybersecurity Association of Maryland. We have over 580 cybersecurity companies located throughout the entire state of Maryland. We have companies in every county. And really, what we're focused on at CAMI is creating connections - creating connections for our companies, creating connections for employees that might want to work for our companies, creating connections with service providers that provide services to our companies at a discounted rate and also providing connections for our universities to provide students to our companies. 

Dave Bittner: Why is it important for an area like Maryland - a region like Maryland - I mean, we have a very robust cybersecurity sector, partially based on our geography, being close to D.C., having organizations like NSA here. Why is it important for us to have an organization like CAMI to help kind of make those connections and provide the resources that they do? 

Gregg Smith: Well, I think that's a great question. And as an organization when we started, really what we were trying to do is come back to that one word that I said earlier - connections. You know, a lot of our cyber companies are very focused on building product or providing services, but they didn't have a lot of interaction with other companies in our area. They didn't have interactions or the capabilities or the intros to the universities, whether that's from an employee standpoint or from a technology standpoint. One of the other things that CAMI has done pretty effectively is brought vendors to the table, where we've leveraged our membership and gotten discounts on things like health insurance. So again, it's all focused on connections and trying to help grow our members and enhance the ecosystem. 

Dave Bittner: Do you ever get inquiries from other parts of the nation or other parts of the world who say, hey, we see what you all are doing there, and we're thinking about, you know, spinning up a similar organization in our region? Is there that sort of broad interest for these sorts of endeavors? 

Gregg Smith: Interestingly enough, yes, there is. We've had numerous discussions with various states. And really, if you look at the United States ecosystem, there's a lot of other - Cyber Tennessee or Cyber Georgia. And those have all been modeled after Cyber Maryland. So I think what you're starting to see is a definite broadening reach of what we started here at Cyber Maryland, and it's growing, you know, aggressively around the United States. And now we're just starting to touch other parts of the world. 

Dave Bittner: That's Gregg Smith. He's chairman of the board for CAMI, the Cybersecurity Association of Maryland. And I'm pleased to be joined once again by Robert M. Lee. He is the CEO at Dragos. 

Dave Bittner: Rob, it's always great to have you back. I thought it might be fun to do a little survey together of some of the areas in ICS security that don't necessarily get the love of the high-profile ones. We're always talking about the electrical grid. We're always talking about water and, you know, things like that. Are there areas that you all are still out there protecting that don't really get mentioned so much? 

Robert M. Lee: Yeah, for sure. It's a good question. And you're right. Electric, you know, systems first and foremost, and then oil and gas, are the ones that states are always freaking out about, rightfully so to some degree. But, you know, I find it really enjoyable to go into, like, a water facility and look at the water utilities or look at wastewater treatment facilities. Although it's not always the greatest smell... 

Dave Bittner: (Laughter). 

Robert M. Lee: ...It's a wonderful industrial control environment. And the folks working there are just as hardcore and passionate as anybody you'll find in the industry, usually just don't have as many resources to address the problem. And there's kind of an issue there where they don't have the resources to then look, so they don't see the problems or attribute them to cyber, so they don't get the resources to address it. So it's kind of a self-fulfilling or, I guess, a violent circle, if you will. 

Robert M. Lee: But the water one comes to mind because a lot of people in United States depend on their water utilities, and they don't get the love and attention. You get in some really cool environments, too. Like, we've got a number of customers in the mining industry as well. And getting into mine is a fantastic exploration of different industrial control systems - everything from controllers operating a cyanide bath to strip gold from minerals, everything from the HVAC systems, which are now life-critical safety systems, you know, for those working conditions to self-driving Caterpillar trucks, you know, with MineStar applications on them and similar. It's just wonderfully cool, with absolutely, like, zero interest from your state-level leaders and stuff. They generally don't even think about mining. 

Robert M. Lee: Rail is another beautiful one. When you start looking at not only the intricate control systems inside the control center itself, you're looking at the actual on-board train communication networks and all the control systems that go into there. I mean, it's really, really cool. And personally, here, I live in Maryland. I'm a huge fan of taking the Amtrak. And every time I get on board, it's like, oh, yeah, I know what control systems are on here, you know? It's... 

Dave Bittner: (Laughter) Right. Right. 

Robert M. Lee: ...It's such a cool system. And they have a bunch of risks and cyberthreats as well, but they just, again, don't get the attention, don't get the resources as everyone else. And then I would say probably the last one that comes up is kind of interesting. It's just - and it's more emerging, but it's really airports. When you start thinking of all the control systems that relate to everything from baggage claims to the maintenance lines for the airlines themselves to even some of the non-IoT parts, the actual OT parts related to, like, the vehicles and flight lines. It gets really, really cool. And I would say the - I said the last one, but actually building off of that, the one that's going to become a bigger topic because of space command, obviously is the space side of it. And most people don't realize how many Siemens, you know, controllers and similar are up in satellites and, you know, ground control stations and similar. 

Robert M. Lee: So I think we'll see a lot of focus on that in the years to come, largely because the government is willing to invest the resources there, which will spawn an industry around it. And we'll start seeing more of the threats that have been resident. So anyways, those are kind of the different industries, I would say, that get the least amount of love but have some of the coolest systems and just really interesting challenges ahead of them, as well as unique insights to go and share with the larger community. 

Dave Bittner: Now, is there any correlation between those ones that are sort of, you know, running quietly under the radar that they're not getting the attention - the same level of attention from adversaries? 

Robert M. Lee: I don't think that's correct. So... 

Dave Bittner: Yeah. 

Robert M. Lee: ...You know, what - is it a fair hypothesis to state that electric systems are more targeted than others? Potentially. And that's probably accurate, just anecdotally. But I think a lot about the visibility problem we have in the community. And we take a really large focus of victim-centric targeting and victim-centric analysis, which is good, but it also leads to an overfocus on specific industries. And you know, when we first started getting into mining, as an example, as a company, we were like, OK, let's have some intelligence requirements as it relates to mining threats. Maybe within the next year, we'll find some. And I want to say, like, three weeks into searching, we found our first threat group, targeting mining industry. And we were like, oh, wow, interesting. 

Robert M. Lee: And so I do think the number of OT-specific cyberthreats are much larger than anybody would imagine. And I think our viewpoint right now is especially energy and especially Western-focused. As you start finding more entities that are doing monitoring and visibility and hunting and similar inside of the African state sites, Latin America sites, mining and, you know, rail and similar sites, you're going to start learning about more of these threats and find out that many of them have been there for, you know, a decade plus, not just relatively new. 

Dave Bittner: Yeah. All right, well, Rob Lee, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at the And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed - the ultimate driving machine. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're building the next generation of cybersecurity teams and technologies. 

Dave Bittner: Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.