The CyberWire Daily Podcast 12.2.20
Ep 1225 | 12.2.20

The Shadow Academy schools anglophone universities. Turla’s Crutch. Cryptojacking as misdirection. Cyberespionage against think tanks. DPRK tries to steal COVID-19 treatment data.


Dave Bittner: The Shadow Academy prospects universities in a domain shadowing campaign. Notes on Turla's Crutch, an information-stealing backdoor. Bismuth was using cryptojacking as misdirection. CISA and the FBI warn think tanks that cyberspies are after them. North Korean cyber-espionage is interested in COVID-19 treatments. Our guest is Carey O'Connor Kolaja from AU10TIX on combating fraud in the financial services and payment industry. And a member of the Apophis Group gets eight years in prison.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, December 2, 2020. 

Dave Bittner: RiskIQ this morning released a report on a threat actor it calls the Shadow Academy. While it walks and quacks like the Iran-linked Mabna Institute and Silent Librarian and shares a number of their targets, researchers don't think the overlap in TTPs and targeting sufficient for definitive attribution. The name Shadow Academy alludes to the group's use of domain shadowing to gain access to its victims' networks and to the fact that its targets were universities. The attacks hit 20 institutions in Australia, the United States and the United Kingdom. 

Dave Bittner: Also this morning, ESET reported finding a backdoor and information-stealer in the systems of a European Union member country's foreign ministry. The malware is not new, as it seems to have been in use between 2015 and 2020, but it had been undocumented. ESET calls the backdoor Crutch, and they're confident it belongs to the threat group Turla, which has been using it to pull stolen files into a Dropbox account Turla controls. Crutch isn't a first-stage backdoor but is installed into previously compromised networks. Turla, of course, is also known as Uroboros and Venomous Bear. It's a Russian cyber-espionage outfit that specialized in former Soviet republics and former members of the Warsaw Pact. 

Dave Bittner: The cryptojacking associated with the threat actor Microsoft calls Bismuth, also known as OceanLotus, or APT32, cryptojacking associated with the government of Vietnam, appears to be misdirection for more conventional cyber-espionage. As TechNadu points out, defenders who see cryptojacking are likely to dismiss the incident as the work of a commodity botnet - deal with it, move on and overlook the possibility that a more sophisticated attack is underway. 

Dave Bittner: The US Cybersecurity and Infrastructure Security Agency and the FBI have issued a joint warning that unspecified threat actors are pursuing think tanks. They are significantly but not exclusively prospecting individuals and organizations that focus on international affairs or national security policy, and they're using social engineering to gain access. Given the important role think tanks play in informing and shaping national policy, CISA and the bureau recommend that these organizations take steps to improve their resistance to cyber-espionage. 

Dave Bittner: The advice could well be applied to other organizations under this kind of threat as well. Leaders should implement a training program to familiarize users with identifying social engineering techniques and phishing emails. Staff should apply that training and stay vigilant against highly tailored spearphishing attacks that target them through not only organizational accounts but through personal accounts as well. They should be particularly careful about opening email attachments and using removable media like thumb drives. The caution about email attachments, CISA and the FBI comment should extend even to emails the recipient expects and even to emails from senders the recipient knows. They add a number of other recommendations for sound cyber hygiene, and the warning is worth a look whether you work at a think tank or not. 

Dave Bittner: The Wall Street Journal has the story on another cyber-espionage campaign, this one targeting pharmaceutical companies working on COVID-19 vaccines. In addition to the British firm AstraZeneca, the affected companies were US-based Johnson & Johnson and Novavax and three South Korean companies - Genexine, Shin Poong Pharmaceuticals and Celltrion. 

Dave Bittner: The attackers were North Korean. And while it's unknown whether they had any success, it appears that they fell short of getting whatever they were after. Even if they had succeeded in stealing detailed information on COVID-19 treatments, it's thought unlikely that Pyongyang would be able to produce the vaccines or pharmaceuticals. It's likelier that the DPRK would sell the information to some third party who could - perhaps China. 

Dave Bittner: So start snitching. No, seriously, start snitching on Pyongyang and win valuable prizes. Foggy Bottom will make it worth your while. The US State Department is offering rewards of up to $5 million for information that leads to the disruption of financial mechanisms of persons engaged in certain activities that support North Korea, including money laundering, exportation of luxury goods to North Korea, specified cyberactivity and actions that support WMD proliferation. The offer is made under the department's Rewards for Justice program. 

Dave Bittner: Consensus in the security sector seems to be that extortion will dominate cybercrime during 2021, primarily ransomware in increasingly virulent forms involving the now-routine sweetener of data theft and the prospect of doxxing and a probable resurgence of shakedowns by threatened distributed denial of service. Acronis has a useful summary of the grounds for expecting this trend, and Asigra distills five predictions relating specifically to ransomware. 

Dave Bittner: First, expect ransomware attacks on Kubernetes containers. Second, SaaS-based applications will be targets as remote work remains widespread. More attacks will be enabled by artificial intelligence. Legislators are increasingly moving toward making ransom payments illegal. And managed security service providers should expect more government regulation, including requirements to register with the government. 

Dave Bittner: Recognizing this trend, IBM's Security Intelligence blog offers five lessons learned from 2020 that organizations ought to consider applying in 2021. First, build a cybersecurity incident response plan - a formal plan, not seat of the pants, stick-and-rudder improvisation. Next, understand that the SERP is a living document. The adversary adapts and shifts and so must the defenders. Test and exercise your cybersecurity incident response plan, and when you test and exercise it, make sure the right people participate. Design the exercise to engage and profit them. And last, try online crisis simulation training, an important kind of exercise, and try to gamify it. 

Dave Bittner: So do these predictions come true? If the Black Friday and Cyber Monday experience is any indication, many of the forecasts are accurate, at least in broad outline. Cyberint has found, as expected, a high volume of criminal activity during the holiday shopping season. TransUnion connects the rise in fraud to another trend, bluntly writing, "Holiday fraud concerns during pandemic come true." The crooks have their own holiday sales. SpyCloud sees the bad guys offering bargains galore in the criminal-to-criminal market. 

Dave Bittner: Among the small coterie of jerks who styled themselves the Apophis Squad was one Timothy Dalton Vaughn, now 22, formerly of Winston-Salem, N.C. On Monday, Mr. Vaughn received a sentence of eight years in prison for conspiracy, conducting computer attacks and possession of child pornography. 

Dave Bittner: Mr. Vaughn and the other malign losers of the Apophis Squad specialized in website defacements, bogus threats of school violence, false reports of airline hijacking and so on. Their motives ranged from just the lulz to money. In one 2018 case, the U.S. Department of Justice describes in their account of the sentencing, Mr. Vaughn demanded 1.5 Bitcoin, then worth about 20 grand, from a company in exchange for not shutting down their site with a distributed denial of service attack. They didn't pay, and he followed through with the DDoS. 

Dave Bittner: In his salad days, Mr. Vaughn gloried in his hacker names WantedByFeds and Hacker _ R _ Us, which he might now consider changing to GottenByFeds and Inmate _ R _ Us. The Bureau of Prisons will host Mr. Vaughn during the sabbatical he's been granted by the U.S. District Court for the Central District of California. 

Dave Bittner: Carey O'Connor Kolaja CEO at identity intelligence firm AU10TIX. She shares her experience combating fraud in the financial services and payment industries. 

Carey O'Connor Kolaja: What we found, Dave, is that in the last, you know, six to nine months, there's been 300% increase in fraud in general, a majority of that definitely happening within the financial sector. And the evidence of that is based on what we're seeing particularly right now in the U.S. with unemployment fraud, PPP fraud, identity fraud being at the core of all of this. And the growth is bringing us to a state of where there could be close to $42 billion in fraudulent activity that is committed in 2020. 

Carey O'Connor Kolaja: And one of the big reasons for that is this move to society - and particularly in the COVID age - moving more and more online. And every moment of our lives, whether it's we're looking at our watch or we're logging into our computer or we have a connected appliance in our home, is when we're transferring information. And each time we transfer that information with the endpoint, you know, opens up a potential door for a fraudulent attack. And so this - you know, this year, the growth in fraud has been tremendous because of each of us living our lives - whether we work, we play, we live - online. 

Dave Bittner: Can you give us some insights on two things - I mean, sort of the - you know, the bread-and-butter fraud prevention that fintech organizations rely on, but then also, where are we in terms of the cutting edge? 

Carey O'Connor Kolaja: The big trajectory over the last couple years is all around, you know, KYC, KYB - so know your customer, know your business. We're now seeing kind of an emergence of know your employee. And the fraud checks that have been - have happened in the past tend to happen up front in the customer journey. So if I want to open up a bank account or I want to open up an account to move money to a friend, a P2P transaction, there's a set of checks and balances that are put in place in order to reassure the institution or that fintech that I am who I say I am. 

Carey O'Connor Kolaja: And, you know, there's been a lot of advances in how do you make that determination - everything from capturing your driver's license or a government-issued ID to checking to see whether you're a live person and if your selfie matches the picture on the ID to triangulating geolocation and behavioral-based data. 

Carey O'Connor Kolaja: But what's really shifted is, you know, these checks don't just need to happen at the beginning of a customer relationship with an entity, whether it's a fintech or any enterprise, but it also has to happen in a continuous way. It may not be enough to just submit that - who I am and some information about me. But I may also need to submit my - you know, a year's worth of financial information for my business. Maybe I have to do a selfie check. Maybe I have to share something else. And so these different layers of defense are effectively what's becoming the new norm in the world that we live in. 

Dave Bittner: That's Carey O'Connor Kolaja from AU10TIX. 

Dave Bittner: And joining me once again is David Dufour. He's the vice president of engineering at Webroot. David, it is always great to check in with you. I don't know about you, but I am wondering where this year has gone. At the same time, I will admit 2020 - not going to miss it. Not going to miss it. How about you? 


David Dufour: Hey, David. It's great being here, David. And I got to agree with you - 2020 is one for the record books. I am not going to miss it, either. It has been pretty crazy both, you know, with everything going on. So absolutely. 

Dave Bittner: Yeah, yeah. Well, I mean, it's that time of year when we start looking towards 2021. What sort of things are on your list? What's on your radar for what we might see in the coming year? 

David Dufour: Well, let's kind of start with boring obvious, and then we'll work our way from there. I... 

Dave Bittner: Way to sell it, Dave. Way to sell it. 

David Dufour: Exactly. 


Dave Bittner: Go ahead. 

David Dufour: So - well, I mean, the most obvious thing - all your listeners are going to be like, ransomware, of course, it's going to continue to be a threat. 

Dave Bittner: Right. 

David Dufour: We're going to continue to see, you know, problems there. It's - they're just making so much money, the cybercriminals, with ransomware that we've just got to stay focused on ensuring we've got good backups, ensuring we've got software to detect and prevent it and then just being ready, having that actual physical plan that you're going to execute if you fall victim to a ransomware because it's just so pervasive and makes so much money. I don't see that going away next year. 

Dave Bittner: Do you think we might see any movement on - for example, we've seen some policy decisions where perhaps we could have some regulations forbidding folks from paying the ransom. 

David Dufour: Well, so I fear that because I'm kind of afraid that if you forbid somebody to pay a ransom, are they going to be able to run their business after the fact? And, you know, if you make a government policy like that, are you literally shutting down someone's business? But it's a fair question. And I don't have an answer for that, by the way. 

Dave Bittner: Yeah. 

David Dufour: Because it literally is - what did you do before the attack that will help you survive afterwards? And so if the government comes through with something like that, we absolutely have to make sure we're prepared to recover if we're not allowed to pay the ransom. That's very interesting. 

Dave Bittner: Right, right. What else do you see coming along in 2021? 

David Dufour: You know, this one is arguable. There's a large discussion happening around - will people stay remote for the rest of their lives? I think there's a lot of people that want that office-home life balance. I don't think people would have ever thought they really wanted that until they were forced to work at home with their family 100% of the time. So I think there will become some equilibrium that we reach around how we work from home or remote - what that looks like, what those expectations are. 

David Dufour: And then in terms of cybersecurity, as that equilibrium is reached, then we'll be able to really see what the cybercriminals are able to take advantage of, based on the tools that people are using, etc. That'll take a year or two to bake in, I think. You know, the - out the gate, we saw the attacks on video conferencing and things like that. But right now, it's still kind of up in the air. The pendulum's still swinging, hasn't settled in yet. So until we see that, I can't exactly say what we're going to see in terms of the cyberattacks. But I do think we'll see that normalization of work that'll be more remote than it was, but it won't be 100%. 

Dave Bittner: Do you think we're going to continue to see this movement towards the cloud? 

David Dufour: Hundred percent, and not only that. Like, cloud - everything we do, everything, you know, I'm doing in my work and everything I hear from different people, cloud is the focus. And I, you know, take this one step further. And you may or may not know this, but in 2017, I bought a two-in-one laptop. I put a SIM card in it. And for 12 months, I did not use a wired network. I was either using, you know, a cellular LTE network or I was using - I wasn't even using Wi-Fi. I stayed on a SIM card for a year. 

David Dufour: Why am I saying this to you? I believe that over the next 10 years and by 2030, we're going to see a transformation that's not just cloud for our servers and our applications, but I believe there's going to be a huge push for a cloud network infrastructure where we don't have the level of network infrastructure we have today, the physical layer. All of this will exist in the cloud. We're going to connect to the network with our 5G SIM card, and off we go to the races. And we're going to have a lot of security implications around that, but I've got to wait for the cybercriminals to figure out how to attack that, and then we can defend against it. 

Dave Bittner: Yeah. What about the people side of things? I mean, we have this perceived skills gap. Do you think we're going to see any relief there in the coming year? 

David Dufour: Well, you know, I don't know what you're talking about here, skills gap. I think we got plenty of cybersecurity people, David. We're covered there. So we don't even need to talk about that. 


David Dufour: You know, honestly, you know, I don't know what we're going to do. You know, there's a lot of automation going on. I know a lot of the solutions we try to focus on are about automating so you don't have to bring people in. But when you're in an enterprise situation, you're investigating at such a level that you need more and more people. So there's a huge, huge skills gap. 

David Dufour: And something that I keep chewing on - and it might be fun to talk about sometime, David - is it's not only a skills gap on a reverse engineer who can break down a piece of malware, then understand it so you can build a tool to protect against it. It's about the analysts. It's about the data, the machine learning specialists. 

David Dufour: You know, you don't have to have a Ph.D. in particle physics to be part of the solution here. Maybe you're training models that someone else came up with, or maybe you're analyzing things in a new way that lets you, you know, report things out. There's such a spectrum of jobs that could be filled to assist this whole thing. It's not having everyone know about every type of malware. And I think we need to have that conversation. 

Dave Bittner: Yeah, that - to me, I think you're really onto something here because I hear folks saying that, yeah, you know, there might be a skills gap, but really, it's those higher-level folks who are able to walk in and hit the ground running. That's the folks we have a shortage of. But at the same time, we don't seem to be willing to train up the people to fill in from below. 

David Dufour: And that is exactly the point. What is the model for bringing in an intern, someone out of school that's just really looking to, you know, cut their teeth on cybersecurity? How do we get them involved and then move them up the ladder as we, you know, backfill all the way up 'cause that's the road to success, I think, in this industry. 

Dave Bittner: Yeah. All right, well, we'll have to check in a year from now and see how you did (laughter). 

David Dufour: How horribly wrong I was. Ransomware is gone, and we've solved it. 

Dave Bittner: Right, right. Yes, yes. Exactly, exactly. All right, David Dufour, thanks for joining us. 

David Dufour: Take care, David. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed - the pause that refreshes. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.