The CyberWire Daily Podcast 11.30.20
Ep 1223 | 11.30.20

Phishing for COVID-19 vaccine data. Bandook is back, and mercenaries have it. School’s out for ransomware. Skepticism about foreign election manipulation. The forever sales.


Dave Bittner: North Korean operators phish a major pharma company. The Bandook back door is back and probably being distributed by mercenaries. A school district cancels classes after a ransomware attack. Man U continues to work on recovering its systems. The former CISA director says there are no signs of foreign manipulation of U.S. elections. Rick Howard wonders what exactly all those CISOs do. Betsy Carmelite from Booz Allen with insights from their 2021 Cyber Threat Trends Report. And cyber shopping and the forever sales.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, November 30, 2020. 

Dave Bittner: Reuters reported over the weekend that AstraZeneca, a leader in research toward a COVID-19 vaccine, had been prospected by North Korean intelligence operators. The attackers worked a social engineering angle against the pharma company's personnel, using LinkedIn and WhatsApp to dangle bogus job offers as phishbait before AstraZeneca employees. The attempts are thought to have been unsuccessful. 

Dave Bittner: South Korean Pyongyang-watchers see the Kim regime as under increasing stress from both COVID-19 directly and from the pandemic's effects on the DPRK's already strained economy. Some of that stress is being turned inward, The Washington Post reports.

Dave Bittner: Check Point researchers have noticed renewed attacks using a signed strain of the 13-year-old Bandook back door. The malware had previously been associated with the Lebanese and Kazakh governments - the Dark Caracal threat group has been Bandook's best-known user - but it hasn't been seen recently. Check Point thinks the target distribution - this time around, at least - suggests the activity of an unidentified third-party mercenary group selling its attack services to governments. 

Dave Bittner: The infection chain has a familiar three-step structure. It begins with phishing, the phish hook being a malicious Microsoft Word attachment arriving in a zip file. Once opened, macros drop and execute an embedded PowerShell script, which in turn installs the Bandook back door. 

Dave Bittner: Many, but not all, of the executables have been signed with valid certificates issued by Certum. Check Point says this suggests a connection to Dark Caracal, which itself had been attributed to Lebanon's General Security Directorate. Check Point, however, thinks the range of activity suggests "an offensive infrastructure is being sold by a third party to governments and threat actors worldwide." Sectors targeted include government agencies, financial services, energy, the food industry, health care, education, IT and legal organizations. And Bandook attacks have affected Singapore, Cyprus, Chile, Italy, the United States, Turkey, Switzerland, Indonesia, and Germany. 

Dave Bittner: Baltimore County hasn't resolved the effects of the pre-Thanksgiving ransomware attack it sustained. WJZ reports that the school district will continue to suspend instruction on Monday and Tuesday of this week, at least. Details on the attack remain sparse as the schools concentrate on recovery. 

Dave Bittner: According to WJZ, the Baltimore CBS affiliate, the Baltimore County Public Schools have told faculty, staff and students that it's safe to use Chromebooks issued by the school district and to use Baltimore County Public Schools Google accounts. They should not use school-issued Windows devices until further notice. 

Dave Bittner: A Maryland state audit of the Baltimore County schools' cybersecurity posture, released the day before ransomware shut down classes last Wednesday, found significant risk in the system. The Baltimore Sun quotes the Office of Legislative Assessments as concluding, quote, "significant risks existed within BCPS' computer network. For example, monitoring of security activities over critical systems was not sufficient, and its computer network was not properly secure," end quote. 

Dave Bittner: Schools generally have found it difficult to cope with the remote learning needs the COVID-19 pandemic has imposed. The Washington Post last week reported that the Fairfax, Virginia, schools were seeing a significant increase in failing academic progress, and that's without any malicious intervention in distance learning. 

Dave Bittner: Nor is this a problem confined to the United States. The Wall Street Journal has an account of the difficulties schools in India are having delivering remote learning. 

Dave Bittner: So schools' adaptation to new methods of instruction has often proven fragile, and like any online operation, it's also been distinctly vulnerable to disruption by ransomware attack. The analogy with criminal attacks on health care providers is obvious. Conscienceless hoods will hit organizations when they're under stress and most vulnerable. 

Dave Bittner: Premier League football club Manchester United has continued to play its matches, but its recent ransomware incident remains under investigation. Some internal systems remain unavailable, according to Infosecurity Magazine. Britain's National Cyber Security Centre is investigating. There's no word yet on any ransom demands. 

Dave Bittner: Speaking on CBS's 60 Minutes yesterday, former CISA director Krebs was particularly concerned to debunk claims of foreign manipulation of U.S. voting systems and vote counting. 


Christopher Krebs: So we spent something on the order of 3 1/2 years of gaming out every possible scenario for how a foreign actor could interfere with an election - countless, countless scenarios. 

Dave Bittner: There's a theory in circulation, for example, that software used in Dominion Voting Systems was developed in Venezuela under the direction of the late strongman Hugo Chavez and that such software is designed to corrupt and manipulate U.S. vote tallies. 

Dave Bittner: Krebs says it's all hooey. Votes aren't being counted offshore, and there's no evidence in either initial counts or recounts that the U.S. election was stolen by any combination of foreign intelligence services or transnational groups. 


Christopher Krebs: There's no evidence that any machine that I'm aware of has been manipulated by a foreign power, period. 

Dave Bittner: That's former CISA director Christopher Krebs on CBS's 60 Minutes. 

Dave Bittner: Imperva's monthly Cyber Threat Index extrapolates from the recent attack trends and sees bad bots as a major problem during the online holiday shopping season. This represents a general trend toward threat automation. Help Net Security reports that WatchGuard expects that trend to mark threat activity in the coming year as a whole. 

Dave Bittner: If it's occurred to you that Black Friday and Cyber Monday no longer seem as distinctive as they once did, you're not alone. The Shreveport Times notes anecdotal evidence that the online shopping season, particularly as marked by sales, has now spread beyond the two days that formerly served as hot spots of online consumption. Sales and shopping have been running for some time, and they're not stopping tomorrow. 

Dave Bittner: The usual cautions and counsels that apply to all online shopping, of course, apply now. Don't fall for dodgy retail sites. Be suspicious of requests for more personal information than seems reasonable for the transaction you're trying to make. Keep your software up to date. And use a credit card or gift card for purchases, not a debit card or, heaven forfend, a direct transfer from your bank account. 

Dave Bittner: Be aware that scammers will send you emails telling you that some online account needs updating, restoration or verification. Usually, the sender's domain will tip you off to a scam. Amazon, to take one big online brand, is unlikely to be contacting you via a Gmail address. 

Dave Bittner: Not everyone is advocating a shopping frenzy. Some upscale retailers, according to The Drum, have moved to the next stage of the marketing dialectic, encouraging their clientele to reject consumerism. Planet-friendly accessory and footwear brand Allbirds, for example, is actually touting a seasonal price hike as it exhorts its followers to break tradition, not the planet. Buy less, demand more is Patagonia's slogan as it would move its customers toward the mediated immediacy of globally conscious consumption. 

Dave Bittner: And it's my pleasure to welcome back to the show Rick Howard. He is the CyberWire's chief analyst and also our chief security officer. Rick, always great to have you back. 

Rick Howard: Hey, Dave. 

Dave Bittner: So this week on "CSO Perspectives," you were talking about the actual CISO job and where it fits into the corporate hierarchy. Now, I am sure I am not alone, and I'm sure you got this a lot when you were back at Palo Alto, where people would pass you by in the hallway, and they'd go, what the heck does that guy do? 


Rick Howard: My whole career. 

Dave Bittner: Yeah, right, exactly. So you've been able to keep that mysterious. But seriously, I mean, who does the CISO work for? 

Rick Howard: Well, there are many schools of thought about that today. And really, there's no correct answer, and it's really dependent on the organization's culture, all right? But to understand why that is the case, you got to be very clear about - that the title, the CSO, in most cases does not have the same weight and authority as other officers in the organization that have both the C and the O in their title, you know, like the chief executive officer, the chief technology officer and the chief legal officer. 

Rick Howard: Now, according to Chelan David over at Smart Business, shareholders elect board directors to oversee the business. And then these directors choose officers to run the company day to day. Because of their officer role - I got that in air quotes, right? - these people... 


Rick Howard: ...These people assume a fiduciary responsibility to their shareholders. The rest of the organization's people are just employees. So - and typically, CSOs and CIOs, for that matter, are not corporate officers. They are employees with kind of fancy titles. 

Dave Bittner: So they're C-suite in name only. 

Rick Howard: Yeah, that's really the case - right? - 'cause they needed some authority, but boards and the higher-ups didn't think they needed the full weight of a corporate officer. 

Rick Howard: So what's interesting is that the corporate structure was really the - has been the same for, like, you know, 80 years. It started back in the early 1930s and didn't really change until the mid-1980s. And then CEOs started to realize that these newfangled personal computers - you know, they might be more than just data processing machines, that they might be the nucleus of a business strategy that could give them a competitive edge. 

Dave Bittner: (Laughter) Imagine that, yeah. 

Rick Howard: Amazing about how they came to that, right? 

Rick Howard: So around 1985, American Airlines hires this guy by the name of Max Hopper and gave him this lofty title of vice president of information technology. And according to CIO magazine, this made Max the first ever CIO. It was so important that Harvard Business School's James Cash said that Hopper legitimized the role by making it clear that we - that he had made a unique contribution to be - from the executive who understood technology and can help influence strategy. Just a year after that, Businessweek magazine declared that the CIO was management's newest star. So that's great for them, all right? 

Rick Howard: But the bad news is we didn't get the first CISO until 10 years later. In 1995, in the wake of a very public Russian malware incident, Citicorp hired a guy by the name of Steve Katz as the first ever chief information security officer. And Steve is and was a great avatar for what a CISO should be. He was cut out of the same cloth as Hopper, a technician who could talk to business leaders. But unfortunately, other CISOs hired after him didn't quite meet that standard. And now, this is a gross generalization, all right? But... 


Rick Howard: All right? As I'm one to do. 

Dave Bittner: Yeah, brace for it. 

Rick Howard: Hang on, everybody, all right? 

Rick Howard: But most new CISOs that came after Steve grew up on the technical side, myself included. And we had difficulty expressing technical risk in terms that business leaders can understand. We couldn't convert technical risk into business risk. 

Dave Bittner: Yeah. You know, I remember those early days. It would seem like, you know, everything on the technical side was always a crisis. And it was sort of mysterious to the folks in the boardroom. 

Rick Howard: Yeah. Oh, man, that was so true back in those days. And we thought everything that happened, you know, was going to burn the house down. And CISOs got their reputation quickly for being the Dr. No of the organization. 

Dave Bittner: Right, right, right, right. 

Rick Howard: They say no to a lot, many internet projects. And they got the reputation of being so hard to work with that the corporate officers decided they didn't want to deal with them on a daily basis. So it wasn't long before senior management started to stuff CISOs underneath the CIO within the organization. 

Dave Bittner: So, I mean, is that where we are these days? Is that where most CISOs land or - they're working for the CIO? 

Rick Howard: Yeah, in most cases, that's true. The bulk of the CISOs out there work for the CIO. But there are other organizations where the CISO and the CIO are peers and both work for either the same executive or different executives. And that's what we're talking about in this week's "CSO Perspectives." 

Dave Bittner: All right, well, be sure to check that out. That is "CSO Perspectives." It is part of CyberWire Pro. You can find out all about it over on our website, Rick Howard, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And I'm pleased to be joined once again by Betsy Carmelite. She's a senior associate at Booz Allen Hamilton. Betsy, you and your team there at Booz Allen have recently published the 2021 Cyber Threat Trends Report. And one of the things I wanted to highlight there was work that you all have been doing on contact tracing and some of the potential cyberattacks that could be associated with that. What can you share with us today? 

Betsy Carmelite: Sure, sure. In relation to that report, this is really the new lens through which we're seeing the realities of the pandemic and we're seeing the world, you know, moving forward with advances in technology such as these contact tracing apps. 

Betsy Carmelite: So what we're seeing is that these COVID-19 contact tracing apps and their ecosystems, we believe, have created opportunity and made it appealing for threat actors, possibly state-aligned or for-profit criminals and trolls to target these apps. 

Betsy Carmelite: And because the apps are being developed on a country-by-country basis to track nationwide data, some of that is mandatory tracing in countries. We've seen this in Singapore in recent weeks, for example. As of July 2020, Qatar, for example, has achieved a 91% adoption rate through its installation mandate. There's really a large potential for large-scale targeted operations against the apps and the data that they hold. 

Dave Bittner: You know, just in the past few days, I saw my iPhone popped up here in Maryland and said, you know, would you like to take part in contact tracing your - locally? So it was interesting to me that we're continuing to see this rollout, I suppose in this case, better late than never. I'm curious, you know, what are you all thinking in terms of mitigations for this? 

Betsy Carmelite: Sure. Well, to answer that, let me outline a couple of the risks that we're seeing here. To your point, Dave, in the U.S., we do have a little bit of security here in the sense that large U.S. databases of COVID app tracking or nationwide tracking through these apps does not exist. So that could be considered a weakness of COVID tracing, but it's a boon to our privacy here in the U.S. 

Betsy Carmelite: But a few of these risks - we're looking at the contact tracing apps being developed with minimal regard for privacy and security, sometimes resulting in insecure apps, centralized databases of population-wide personally identifiable information. 

Betsy Carmelite: Secondly, adversaries may attempt to surveil these users or install data-stealing and surveillance back doors, leading to the theft of large PII databases. They could create fake outbreaks and blackmail and harass users. 

Betsy Carmelite: And finally, risks of these threats will be the highest in the countries with high adoption rates, which are typically undemocratic countries that mandate these installations with steep civil and criminal penalties. 

Dave Bittner: Yeah. So, again, I mean, what do you recommend then in terms of mitigations? 

Betsy Carmelite: Sure. Much of the burden for securing these contact tracing apps will fall on the companies contracted to develop and deploy them. So there's some accountability there, for sure. This is a process that should include security testing of the app, the use of robust authentication and access controls for communications with back-end databases. 

Betsy Carmelite: However, organizations concerned with the potential risks to mobile devices in their environment, they should consider exploring the use of mobile device management, MDM, platforms that can centralize the control and enable remote management of data security, the configuration, software deployment and other admin functions of their devices. 

Betsy Carmelite: Companies should also explore the use of application containerization solutions that may be used to isolate enterprise applications or data on employees' personal devices. 

Betsy Carmelite: And finally, it all really goes back to general security best practices, enterprise mobile devices. What are the access controls? They should be fairly strict. Data encryption is a must, and always training users to recognize potential threats. 

Dave Bittner: All right, well, interesting information, for sure. Betsy Carmelite, thanks for joining us. 

Betsy Carmelite: Thank you. 

Dave Bittner: That's Betsy Carmelite from Booz Allen. We're going to be making our way through their 2021 Cyber Threat Trends Report over the next few Mondays. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. It's Australian for beer. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.