The CyberWire Daily Podcast 12.1.20
Ep 1224 | 12.1.20

Cryptojacking cyberspies sighted. Crooks mix banking Trojans and ransomware. Conti ransomware hits industrial IoT company. SCOTUS reviews CFAA. And predictions.


Dave Bittner: Cryptojacking from Hanoi. Dormant networks rise again for no easily discernible reason, but it doesn't look good. A gang is hitting German victims with a Gootkit banking Trojan and sometimes mixing it up with a REvil ransomware payload. Conti Ransomware hits an IoT chipmaker. SCOTUS reviews the Computer Fraud and Abuse Act. A few predictions for 2021. Ben Yelin on Congress passing an IoT security bill. Our guest is Stephen Harvey from BitSight, who's tracking the correlation between companies with strong cybersecurity and financial success. And it may be back to school tomorrow in Baltimore County.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire Summary for Tuesday, December 1, 2020. 

Dave Bittner: Vietnamese threat actors have returned to the news. Over the long weekend, Trend Micro researchers described a recently discovered macOS back door they believe is associated with Hanoi's OceanLotus group. And the Microsoft 365 Defender Threat Intelligence Team has found the group they track with Redmond's customary metallic name as BISMUTH and which they associate with OceanLotus, APT32, actively deploying a Monero miner against its victims. The development is interesting. North Korea's Lazarus Group has long been an outlier among state-directed threat actors in that financial gain was a major objective. It appears that Vietnam's services may be headed down the same path. 

Dave Bittner: Spamhaus has found a suspicious awakening. Fifty-two dormant networks based in North America suddenly became active over the period of only a few days. All are physically hosted in greater New York. While inactive networks do come back to life from time to time, the researchers find it suspicious that so many should reemerge essentially simultaneously without having any obvious mutual connections. Each of the revenant networks was announced by a different autonomous system number (a different ASN). And those ASNs are themselves revenants, silent for some time. Spamhaus isn't certain what's going on, but it doesn't look good, and it advises all to be wary of these no longer quiescent networks. 

Dave Bittner: A significant criminal campaign is underway against German internet users. Malwarebytes finds the campaign unusual in that the criminals are serving either the Gootkit banking Trojan or REvil, also known as Sodinokibi, ransomware. As is typical, in this case, an infection begins with phishing. The payload is usually Gootkit, but they've observed a smaller number of REvil infections. Malwarebytes explains, quote, "The threat actors behind this campaign are using a very clever loader that performs a number of steps to evade detection. Given that the payload is stored within the registry under a randomly named key, many security products will not be able to detect and remove it. However, the biggest surprise here is to see this loader serve REvil ransomware in some instances. We were able to reproduce this flow in our lab once, but most of the time, we saw Gootkit," end quote. 

Dave Bittner: Industrial Internet of Things chipmaker Advantech has confirmed reports by BleepingComputer and others that Advantech has been the victim of ransomware. The strain is Conti, and the criminals stole data that Advantech describes as confidential but low value. The attackers appear to have delivered their ransom demand on November 21. They began leaking data on November 26. The criminals are making a big ask. They want Advantech to pay them 750 Bitcoin, or 12,600,000 U.S. dollars. If they're paid, they say they'll decrypt all affected data and remove any data they've stolen from their servers. Says they. The hoods aren't necessarily promise keepers. Advantech says it's largely restored its operations, but we've not heard what their plans are with respect to the ransom demand. 

Dave Bittner: The U.S. Supreme Court yesterday heard arguments in a case challenging broad interpretation of the Computer Fraud and Abuse Act. At issue in the case, Van Buren v. United States is, as SCOTUSblog puts it, quote, "whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act if he accesses the same information for an improper purpose," end quote. These deliberations take time, but The Wall Street Journal says a decision is likely to come in June. 

Dave Bittner: Netwrix has offered some predictions for 2021, most of which represent reasonable extrapolations of trends that have developed over 2020 - the increase of ransomware, a shift in criminals' interest toward service providers - cloud misconfigurations will account for a significant fraction of data breaches - regulatory compliance and insurance combining to drive organizations toward best practices - and pandemic-induced changes in the workplace will have a delayed effect on security. Two of their predictions strike us as being at least as normative as they are predictive. Organizations will be driven by calculations of risk and value in managing their cybersecurity posture and investment. 

Dave Bittner: Digital Shadows also foresees more aggressive extortion by criminals, but they add a prediction that distributed denial of service attacks will be used more often to hold organizations for ransom. Blind spots that accompany the shift toward remote work will be exploited in social engineering. And the social engineers' lures will continue to dangle phishbait cut from current events to lure the unwary. Criminal markets will continue to thrive and to behave like markets even as law enforcement seeks to crack down on them. Both the cops and the criminals will enjoy some success, that is. And if you bet on form, that seems about right. 

Dave Bittner: And finally - sorry, kids, it's back to Zoom for you, at least if you're up there in Baltimore County. The Baltimore Sun reports that Baltimore County public schools expect to be sufficiently recovered from the ransomware attack they sustained last week to be able to resume instruction tomorrow. The school district has been tight-lipped about details, but they indicate that they have a process in place for bringing the students and teachers back online. The ransom demand is unknown, but it's believed likely to be high. 

Dave Bittner: I suppose that if I make the claim that companies with good cybersecurity practices are generally more successful overall with correlated financial success, you'd likely respond with, yeah, that makes sense. Stephen Harvey is CEO at security ratings firm BitSight. And his team has been exploring that very issue - to see how much of a correlation, if any, there is between well-performing companies with strong cybersecurity and financial success. 

Stephen Harvey: The step we've taken - and - when we announced this about two weeks ago was to actually work with an index provider, a company called Solactive, which is one of the leading index providers - they're based out of Germany, to create a series of indices in which they took out the low-performing BitSight-rated companies and focused the index on high-performing BitSight-rated companies. And what they came back with was really exciting. It was a a empirical demonstration that the - when you look back over time, the value of highly rated companies from a cybersecurity perspective outperform, from evaluation, the market. So the indices that they created outperformed the benchmarks by anywhere from 1.5 to 7%. And 7% in finance is a huge outperformance. 

Dave Bittner: You know, there's that old saying that, you know, correlation is not causation. So how do you weigh in, you know, the various factors that may be responsible for these companies outperforming their peers? 

Stephen Harvey: Yeah, that's an interesting question. I think it's a combination of things, Dave. One is, obviously, a company with a high cybersecurity rating is going to have less breaches. You know, there's a huge multiplier effect when you look at low-rated companies in terms of the amount of breaches that they are likely to have. And that does correlate directly to potential value. Another area that is getting the attention of directors is the notion that cybersecurity is another component of governance and as you look at the governance standards of a company, that cybersecurity is one of the key pillars that should be assessed as part of that review. And what we're seeing, actually, is a very high demand at the moment from boards to hire CISOs directly to the board or to start creating a subcommittee focused on cybersecurity because of the meaningful impact of cybersecurity to the company, but also because of this trend towards governance. 

Dave Bittner: What are your recommendations for folks who want to explore this, who want to find out how this might apply to how they're approaching cybersecurity? 

Stephen Harvey: I would suggest people take a look at the indices that were rolled out. This was made public, and Solactive are actually now marketing these indices to investment managers with the idea that they're going to start investing in an index that's tilted towards companies that perform well from a cybersecurity background with a proven outperformance in the back testing that's Solactive have done. 

Stephen Harvey: And I think that can be found on our website or Solactive's. So, you know, this is really groundbreaking. And I - again, I use the word empirical - it's empirical evidence that there is a correlation here. 

Stephen Harvey: That's Stephen Harvey from BitSight. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, also my co-host on the "Caveat" podcast, which if you have not yet checked out, what are you waiting for? It's a good show (laughter). 

Ben Yelin: It's a great show. 

Dave Bittner: Ben, great to have you back. Interesting article from CyberScoop - this is written by Tim Starks. And it's titled "After Years of Work, Congress Passes Internet of Things Cybersecurity Bill - And It's Kind of a Big Deal." What's going on here, Ben? 

Ben Yelin: It is kind of a big deal. I mean, first of all, it's a big deal when Congress passes anything, so... 

Dave Bittner: Right (laughter) - right, exactly. 

Ben Yelin: ...You know, let's raise our glass to that. 

Dave Bittner: Yeah, that's not what we sent them to Washington to do, is it? (Laughter). 

Ben Yelin: No. They should be, you know, puffing their chests at a high-profile congressional hearing about something insignificant, not actually... 

Dave Bittner: Right, right. 

Ben Yelin: ...Doing things to address problems. 

Dave Bittner: (Laughter). 

Ben Yelin: So yeah, you know, I think we should be happy that they passed something in the first place, regardless of what it is. 

Dave Bittner: Yeah. 

Ben Yelin: The substantive law is really interesting. It is a bill that sets a baseline for the Internet of Things - so these internet-connected devices that you have to have a baseline level of security in order to contract with the federal government. And the federal government kind of does this in a lot of different contexts to try and set minimal standards for federal contracting in hopes that companies, you know, in trying to obtain these federal contracts, will adopt these practices more broadly. And they're also, as part of this law, going to encourage vulnerability disclosure policies so that organizations can work with experts, security researchers to fix any software flaws that might arise. 

Ben Yelin: So the story of how this bill came into being enacted - it was a three-year effort, started in 2017, ran into some opposition from the United States Chamber of Commerce because they thought this might be too much of a burden on particularly small businesses. And I don't know if you've heard, but the U.S. Chamber of Commerce has some sway in the United States Congress. 

Dave Bittner: Sure. 

Ben Yelin: But there were some enterprising lawmakers in both the House and the Senate - this was a bipartisan effort - they were able to neutralize the U.S. Chamber of Commerce to get them to not oppose the bill, even if they were directly supporting it. And a couple of legislators were able to get it across the finish line. The House passed its version in September, and the Senate just agreed to it by unanimous consent. And to talk about, you know, how bipartisan this was, this is a bill that was drafted in part by Representative Robin Kelly, who is a very progressive Chicago Democrat, and was co-sponsored - at least in the last year or so - by Mark Meadows, who is now President Trump's chief of staff. And she was able - the two of them were able to work with one another to get this done. So this is sort of the rare cybersecurity policy victory that's certainly worthy of celebration. 

Dave Bittner: So I mean, is the general notion here that if we require this in government contracting that it'll be in the company's best interest to have that sort of, you know, sprinkled out throughout all of their products, that it will make its way into the consumer and B2B space as well? 

Ben Yelin: Yeah, absolutely. So you know, the federal government has done this with things like ENERGY STAR ratings. You want to, you know, encourage companies to produce things that are energy-efficient, so you require, you know, in all government contracting that companies that want to work with the federal government institute those types of policies. 

Ben Yelin: And yeah, the idea is, you know, you give them some incentive to adopt safer cybersecurity practices for IoT, then you know, these are going to become more widely adopted. And it's going to affect - it's going to have downstream effects for organizations that, you know, aren't interested in federal government contracts. So you know, in some ways, you could see this as a small step because it only applies in the relatively limited world of, you know, federal procurement. But I think it sort of trickles down into the industry the way it's done in other contexts. 

Dave Bittner: How interesting that, you know, cybersecurity seems to consistently be one of the few areas that can get bipartisan support and actually move things through the process. You know, these gears that are all full of sand right now in Congress, somehow these seem to make it through. 

Ben Yelin: Yeah. You know I'm very cynical about these things. And I think - I always hope that lawmakers can make progress before things get polarized. You know, if you have a really polarizing figure who comes out in support of something, that might lead the other side to be against it. So for the purpose of cybersecurity, it's kind of better for these things to happen under the radar, you know, where it's not like there's a major push by President Trump to get this enacted into law 'cause that might engender some opposition among congressional Democrats. I think you kind of... 

Dave Bittner: Right, just because it's him. 

Ben Yelin: Exactly, exactly. 

Dave Bittner: Yeah, yeah. 

Ben Yelin: And we all have those tendencies. I mean... 

Dave Bittner: Sure. 

Ben Yelin: ...You know, if it's a person that we don't like proposing something, we're naturally going to want to oppose it. 

Dave Bittner: Yeah. 

Ben Yelin: So I think, you know, what's been good about cybersecurity policymaking is it has kind of gone under the radar. It's avoided some of these higher-profile political battles that have ground Congress to a halt. 

Dave Bittner: Interesting, yeah. All right. Well, Ben Yelin, again, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. We'll leave the light on for you. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.