The CyberWire Daily Podcast 11.20.20
Ep 1219 | 11.20.20

Prime Minister Johnson tells Parliament about the National Cyber Force. Vietnam squeezes Facebook. Chinese cyberespionage. SEO poisoning. Printing ransom notes. CISA leadership.


Dave Bittner: Her Majesty's government discloses the existence of a National Cyber Force. Hanoi tells Facebook to crack down on posts critical of Vietnam's government. Chinese cyber-espionage campaign targets Japanese companies. Egregor ransomware prints its extortion notes in hard copy. SEO poisoning with bad reviews. Mike Benjamin from Lumen on credential stuffing and password spraying. Our guest is Mark Forman from SAIC with a look at government agencies' COVID-19 response. And CISA may have a permanent director inbound.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, November 20, 2020. 

Dave Bittner: Prime Minister Johnson has informed Britain's Parliament of the existence of the National Cyber Force, a new joint command that's been in operation since April. The National Cyber Force contains elements from MI6 and GCHQ and from serving members of the military and personnel from the Defence Science and Technology Laboratory. The Force's planned end strength is placed at some 3,000, a goal it is expected to reach by 2030. 

Dave Bittner: Its charter, according to the BBC, includes both disruption of hostile communications networks and the conduct of information operations. 

Dave Bittner: The National Cyber Force is what in the U.S. would be called a combat support organization. Its mission includes tactical support of kinetic military operations. It might, for example, be called upon to protect British combat aircraft by disrupting enemy air defense command and control. So it would play a tactical role analogous to that filled by traditional electronic warfare operations. 

Dave Bittner: ZDNet points out that the Secret Intelligence Service, also known as MI6, which we suppose we must point out is the home of spy fiction's 007, will contribute its expertise in recruiting and running agents alongside its unique ability to deliver clandestine operational technology. Thus, the National Cyber Force seems likely to have some multidomain capabilities. 

Dave Bittner: But the National Cyber Force also has an everyday mission. It may be called upon to interfere with hostile systems being used to conduct or prepare cyberattacks against the United Kingdom. And it may also be called upon to conduct influence and counter-influence operations against adversaries. It will operate separately from the longer-established and better-known National Cyber Security Centre. 

Dave Bittner: A combination of increased regulation and tougher industry content moderation is increasingly seen by many as the right direction for the future of online platforms in general and social media in particular. 

Dave Bittner: Hanoi might be providing a picture of how that future may look once it's realized. According to Reuters, Vietnam is threatening to block Facebook if the social network doesn't knuckle under to Hanoi's demands for censorship of local political content. 

Dave Bittner: A senior Facebook official told Reuters, quote, "we made an agreement in April. Facebook has upheld our end of the agreement, and we expect the government of Vietnam to do the same. They have come back to us and sought to get us to increase the volume of content that we're restricting in Vietnam. We've told them no. That request came with some threats about what might happen if we didn't," end quote. 

Dave Bittner: The government in Hanoi responded to a Reuters follow-up with the simple statement that social networks should not expect to be able to continue, quote, "spreading information that violates traditional Vietnamese customs and infringes upon state interests," end quote, which is one way of looking at it. 

Dave Bittner: Many reports at week's end elaborate on Symantec's account of the way in which the Chinese threat group Cicada, also known as APT10, Cloud Hopper or Stone Panda, is leveraging the Zerologon vulnerability and using DLL side-loading attacks to collect intelligence on Japanese targets. 

Dave Bittner: Those targets have been drawn from multiple sectors, including managed service providers, engineering and pharmaceutical firms. The effects are international, since they extend to overseas subsidiaries of the affected Japanese companies. 

Dave Bittner: Egregor ransomware, the strain that's been heralded as most likely to take the place of the for-now retired Maze, has adopted a particularly irritating method of delivering its ransom notes. It spits them out in hard copy from compromised printers. The security company Tripwire's "State of Security" blog has a report, and they include a link to a video of a representative print run. 

Dave Bittner: It amounts to a self-proving method of demonstrating compromise. It's one thing to tell someone that you totally pwned them. It's a lot more convincing if you can cause that notification to be printed on the victim's office inkjet. When the hoods put it that way, it seems a lot less likely to be easily ignorable scareware, doesn't it? 

Dave Bittner: A new report from the cybersecurity and cloud delivery firm Akamai describes a relatively unfamiliar form of extortion with a low barrier for entry. Criminals are poisoning companies' search engine optimization results and demanding a payoff in exchange for stopping the virtual bad-mouthing. The SEO poisoning typically takes the form of injecting bad reviews and negative comments into various online fora and then linking those comments back to search results. This sort of extortion has surfaced periodically over the last few years. It has, as Akamai points out, a fairly low barrier to entry. 

Dave Bittner: And finally, the Cybersecurity and Infrastructure Security Agency's executive director, Brandon Wales, has been leading the agency on an interim basis since the dismissal of former Director Christopher Krebs earlier this week, but a permanent successor may be coming. CyberScoop reports that Sean Plankey, currently a senior official at the Department of Energy, is in line for the top job at CISA. 

Dave Bittner: My guest today is Mark Forman, vice president for digital government strategy at SAIC. He joins us with results from their research of government agencies' COVID-19 response when it comes to cybersecurity. 

Mark Forman: Basically, I think for so many of us - the same thing for the federal employees - you were told to go home, and let's try out working virtually. And nobody ever expected, almost overnight, that people would have to work remote. 

Mark Forman: So the situation for some employees - they had been teleworking. They were set up. But their agencies were never set up with the ability to handle the scale. So that was one of the issues and continues to be an issue as we go forward in some of the agencies managing especially the security elements, as well as the access to core mission apps at scale and with the security. 

Mark Forman: A lot of people had to use bring-my-own-device, BYOD. And, of course, what that meant is getting access to things like Outlook, Web Access and not really access to your core mission applications. So that then presented problems. 

Mark Forman: And, of course, associated with that is downloading documents onto the home PC, which violates a number of other security concerns. So those were the kind of initial issues that had to be triaged in the early days of the pandemic. 

Dave Bittner: Well, take us through some of the challenges that you all have listed here in your report. 

Mark Forman: Well, the top five really get into what does the future look like as we're managing through today? 

Mark Forman: The first two relate to keeping people safe in their work environment. Some agencies, you have to come in to do the work - you know, defense agencies, for example, and some of the public health laboratory examples. In addition, some people want to return to work. Now, I think there's been reports from the General Services Administration, and we clearly saw that come out of the survey - that return-to-work doesn't mean that you're stopping working at home. What it means is the work environment shifts, and you rely on that more for collaboration. 

Mark Forman: So how do you get the work environment safe so people don't feel that they're infected when they come in, especially when they want to come in to have meetings, maybe cross-agency meetings. And that is, I think, a key part of what we've seen as well in some of the general employee surveys that have been made public in our area. The workforce and the decision-makers want to make sure the workplace is safe. 

Mark Forman: After that, the maximum capabilities for telework and creating that systems environment that makes us secure from cyberattacks has evolved. Social engineering has evolved with the pandemic. And the executives and decision-makers we surveyed identified that as going hand in hand with giving people access to the core systems, a lot of which are on site. 

Mark Forman: And then finally, dealing with fraud, waste and abuse and making sure that operations are effective and efficient, that they're managing the taxpayers' funds well. And I think what this relates to are a couple things. 

Mark Forman: Of course, a lot of the controls that relate to fraud, let's take as an example - I think people are now coming to identify that some of that is a result of information - identity information being sold on the dark web. And so there - a lot of request for insight on, how do we take these new - this new environment, new fraud controls and put them in place? And, of course, we've seen that at the state government level as well. 

Mark Forman: But that's what's behind this question and the response that we got on how do you make fraud, waste, abuse under control in this new environment. 

Mark Forman: Going forward into the future, I think the other element that we saw from some of the anecdotes is people have to formulate new ways of working together, new business processes. In the past, in some of the anecdotes, a manager could call down the hall to their staff and quickly get everybody together. In the online environment, it just doesn't work that way. So that was one of the challenges - relates to making sure the organizations can work effectively together. 

Dave Bittner: Yeah, I can't help wondering if we're in for - or I guess to what degree we're in for a real culture shift here when it comes to how people think about work - you know, that - on both the worker side and the management side - that going through this together has sort of demonstrated that people can work effectively and efficiently from home, and they don't necessarily need to have that manager looking over their shoulder all day. 

Mark Forman: Well, that's absolutely right. And, of course, the thing that goes hand in hand in our survey is that 80% felt that they found it extremely or somewhat challenging preventing the transmission of COVID-19 in their offices. 

Mark Forman: And so the reality is they didn't feel they could call people back into work and go back to normal. They'd much rather - and I think they've accepted that the future of work is a remote environment. And adjusting for that is what they're now doing in this, what I would call the recovery phase of the pandemic response. 

Dave Bittner: Our thanks to Mark Forman from SAIC for joining us. Don't forget that over on CyberWire Pro, we have a podcast called "Interview Selects," where you can find extended versions of this and many other interviews. You can learn more about that on our website, It's CyberWire Pro. Check it out. 

Dave Bittner: And I'm pleased to be joined once again by Mike Benjamin. He's the head of Black Lotus Labs, which is part of Lumen Technologies. Mike, it's always great to have you back. I wanted to touch today on something that - one of the basics, which is credential stuffing and password spraying. Can I get a review and insights from you on what we're dealing with here? What can you share with us today? 

Mike Benjamin: So it's helpful to start with a bit of a definition. 

Mike Benjamin: And so at its most simple level, credential stuffing is taking passwords from previous leaks - usernames and passwords, whether that be somebody's Gmail address with a password they used on one site, trying to reuse it on another site, could be business logins, trying to use it in other places - but basically credential reuse, and shove it at a massive volume down some other service to see how many times the credentials were reused. So that's stuffing the credentials down into that service. 

Mike Benjamin: Password spraying is still a high-volume attempt to log in, but it's typically using simple passwords, so password123 - what is it? - you know, fall2020 - whatever those passwords are that are particularly common. 

Dave Bittner: (Laughter) Right. 

Mike Benjamin: And just trying them on every account that they can get their hands on, and now we could try and break into the accounts that way. 

Mike Benjamin: So that's credential stuffing, and that's password spraying. And so at a simple level, that's about what they are. 

Mike Benjamin: Now, they've evolved in recent years where now they're done through large-proxy botnets. And so what might sound relatively easy to stop - one IP address sending a thousand logins should be pretty easy to code (unintelligible) that - now it might be three attempts from one IP address, and then they rotate to the next proxy server. 

Mike Benjamin: And so the actors have become much more advanced in their attempts in order to evade detection. They've even gone to the point where they're doing things around geolocality. So if you are a U.S.-based business, they may only use U.S. proxies. Or I live in Colorado. They might only use Colorado-based proxies. So they've gotten more sophisticated in the attack methodologies in order to hide themselves inside the noise of general logins users. 

Dave Bittner: And is this the kind of thing that can get around - you hear people talking about things like rate limiting that can help with these sorts of things. Would the botnets allow them to circumvent that? 

Mike Benjamin: Absolutely. And so two types of rate limiting. The most simple goes back to what I just said, and they'll rate limit a single IP address and only allow it to log in every few seconds because human beings will take that long to type it. In other cases, let the entire site have a relatively reasonable burst on their normal throughput, and then stop anything that goes above that 'cause it must be attacks. 

Mike Benjamin: Either way, the actors, in many cases, are not just trying to break into one service. They may be targeting 10 services. So they're fine waiting a few seconds between these logins 'cause they'll just go from service to service to service. So rate limiting is really, for the more advanced folks, not going to slow them down in any real way. 

Dave Bittner: What sort of scale are we dealing with here? How big are some of these actors? 

Mike Benjamin: Yeah, so on the sophisticated side, we've seen them build botnets of over 100,000 IP addresses that they can come from. And so if you can imagine trying to discern in your logs as a service, where do I see someone attacking us who's going slow, rotating IP addresses, associating a login to each IP address and doing it from the place where general users are logging in, it, in some cases, can be nearly impossible to find the actor in that noise. And so those are the folks that are hard to get your hands on and stop. 

Mike Benjamin: Now, on the low end of the sophistication, they'll take a password dump, buy a VPS or Bitcoin and attack from one place. Those ones are definitely easy to stop. 

Dave Bittner: So what's the big-picture impact here? I mean, why should folks care about this sort of thing? 

Mike Benjamin: Well, the most simple is that we use our online identities or businesses use those credentials to do something, whether it be shop, sometimes store information about themselves. And those things can be of value in underground markets. 

Mike Benjamin: So the louder, less sophisticated actor groups, they're going in, and they're pulling out information about just raw accounts and selling them. So I got a thousand accounts. I'll sell it for 5 bucks. And they're trying to make money off of it. So leaking your PII, getting access to something somebody shouldn't be in on the low sophistication side, that's concerning, but not something we should run around with our hair on fire about. 

Mike Benjamin: The other side, though, is we see nation-state attackers, too, where they want to target a company. Well, guess what. They'll go to every password dump they've ever found. They'll go grab everything that contains the domain of the company they're targeting. And they'll go try to break in with that. 

Mike Benjamin: It's frightening how often they are successful. And so things like two-factor authentication in place at every perimeter access for business, making sure that the security groups of consumer-oriented services are paying attention to credential dumps and trying them against their own service before the actors can even get to it - those kinds of things are really helpful. 

Mike Benjamin: And I - you know, sort of a funny story one of my co-workers told me the other day. He said, you know, we're dealing with users that will set passwords forever. This is an inevitability. And so it's up to us to either force them into multifactor authentication mechanisms or, even on the simple side, just make sure that the password on input is of a high enough sophistication and not one of those default credentials. 

Mike Benjamin: But the way he drove it home to me, he said, we all saw the stories about the seeds that were being shipped from China to people's homes - kind of interesting news story a few weeks ago. And, you know, I thought with the story, he was going to say, you know, some people planted them, so people are going to make silly mistakes. No. His story - in the news article he posted to me, some people ate them. And so we're dealing with people that at some level... 

Dave Bittner: Oh, boy (laughter). 

Mike Benjamin: ...Are going to eat random things that come in the mail, and so they're going to make mistakes, even if they're not, you know, with poor intention. It's going to happen. 

Dave Bittner: Right. 

Mike Benjamin: And so it's up to us to think about, how do we build the technology in a way that lets that kind of user in and lets that kind of user not cause themselves a problem? And so that's the burden we all bear in the security industry. 

Dave Bittner: I think an old colleague of mine used to say nothing is foolproof to a talented fool. 

Mike Benjamin: There you go. 

Dave Bittner: (Laughter) All right. Well, Mike Benjamin, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Think different. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: Be sure to check out this weekend's "Research Saturday" episode. I'm joined by Matt Chiodi from Palo Alto Networks Unit 42 on their Cloud Threat Report. We'll be talking about how cloud misconfigurations and cryptojacking continue to plague thousands of organizations. That's "Research Saturday." Hope you'll join us. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.