The CyberWire Daily Podcast 12.3.20
Ep 1226 | 12.3.20

Cyberespionage and influence operations against prospective members of the incoming US Administration. Cold chain attacks. TrickBoot. Vasya, what do you do for a living?


Dave Bittner: Chinese intelligence services are prospecting think tanks and prospective members of the next U.S. administration. Spearphishing the vaccine cold chain. Expect vaccine-themed phishing. After a temporary pre-U.S. election suppression, TrickBot is back. Holiday shopping season is bot season. Consumers are thought likely to get upset about smart device privacy in 2021. Awais Rashid from Bristol University on privacy at scale. Our guest is JP Perez-Etchegoyen from Onapsis on the risk associated with interconnected cloud and software-as-a-service apps. And suppose you're a cybercriminal - we know, but suppose. What do you tell your sweetie you do for a living?

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, December 3, 2020. 

Dave Bittner: William Evanina, director of the U.S. National Counterintelligence and Security Center, has called attention to Chinese espionage and influence operations directed against prospective members of President-elect Biden's incoming administration. The BBC quotes Evanina as calling the efforts "diplomatic influence plus," or "on steroids," and CyberScoop notes that those around the new administration are among the targets. Evanina's remarks follow this week's joint warning from CISA and the FBI that unnamed foreign services are attempting cyberespionage against think tanks. 

Dave Bittner: Why think tanks? In the US political system, think tanks not only contribute advice to policymakers and legislatures, a quasi-academic function, but they also play the role that a shadow cabinet plays in countries with parliamentary systems. Senior executives, presidential appointees at the assistant secretary level, are often drawn from think tanks, so an interest in both influencing and collecting against think tanks is entirely foreseeable as adversaries develop their espionage target lists. 

Dave Bittner: IBM has observed a spearphishing campaign against an important but easily overlooked link in the COVID-19 vaccine development and distribution supply chain: the "cold chain" that "ensures the safe preservation of vaccines in temperature-controlled environments during their storage and transportation." The actors behind the phishing, IBM says, "impersonated a business executive from Haier Biomedical, a credible and legitimate member company of the COVID-19 vaccine supply chain." The attackers cast a wide phishnet, going after the Vaccine Alliance's Cold Chain Equipment Optimization Platform Program, the European Commission's Directorate-General for Taxation and Customs Union, as well as organizations within the energy, manufacturing, website creation, and software and internet security solutions sectors. These all figure in the cold chain's supply chain, but they have much wider activities than that. 

Dave Bittner: It's unclear who's behind the campaign, but IBM observes that the focus and care on display in the phishing effort and the absence of any obvious cash-out potential suggest nation-state espionage as opposed to criminal activity. The attackers' goal, the researchers think, may well be credential harvesting and thus battlespace preparation for future campaigns. As the report puts it, quote, "moving laterally through networks and remaining there in stealth would allow them to conduct cyberespionage and collect additional confidential information from the victim environments for future operations," end quote. 

Dave Bittner: Criminals can be just as opportunistic as intelligence services. As COVID-19 vaccines approach approval and widespread administration, criminal social engineering can be expected to follow the news. Security firm KnowBe4 warns that vaccine-themed phishing should be expected. 

Dave Bittner: TrickBot has been up and down, driven down by US Cyber Command and a Microsoft-led industry consortium prior to the U.S. elections. It's now returning. Researchers at the security company Eclypsium say that new capabilities, wrapped up in the toolset they're calling TrickBoot, represent a significant evolution that targets firmware and offers the capability of bricking affected devices. Researchers have observed what they take to be preliminary reconnaissance. The report is intended to be alarming, and indeed it is. The researchers note that TrickBot has been a favorite of criminals as well as some of the murkier state-connected operators from Russia and North Korea. They think the reconnaissance means that adversaries leveraging TrickBot now have an automated means to know which of their latest victim hosts are vulnerable to UEFI vulnerabilities, much like they added capabilities in 2017 to exploit EternalBlue and EternalRomance vulnerabilities. 

Dave Bittner: Bots are seeing widespread use in criminal attempts to take advantage of online shoppers during the holiday season. Barracuda reports detecting a staggering number of bots and bot-driven attacks. The leading bad bot personas they're seeing are HeadlessChrome, yerbasoftware and M12bot. E-commerce platforms can reduce the risk to themselves and their customers, Barracuda says, by using web application firewalls and ensuring they're properly configured, ensuring that those security solutions include anti-bot protection and applying credential stuffing protection to help prevent account takeovers. 

Dave Bittner: WatchGuard has joined those offering predictions for 2021, and one of their major predictions is that consumers will revolt over smart device privacy issues during the coming year. After all, who wants to worry about what they're saying in front of the vacuum cleaner? 

Dave Bittner: So maybe you've asked yourself a question like this - if I turned to a life of crime, what would I say when people asked me what I did for a living? Or maybe you're asking for a friend. Since our editorial staff is, for the most part, stuck at home and binge-watching episodes of "Law & Order" in all three of its principal variants, they would have guessed that professional criminals identify themselves as being in the import-export business, or they'll call themselves investors or entrepreneurs, our staff's particular favorites. But that's just an initial, naive take. Digital Shadows' Photon Research team has poked around in Russian cybercriminal chat rooms so the rest of us don't have to, and they offer an interesting window into a frequently overlooked challenge of the whole cybercriminal lifestyle. What do you tell your significant other you do for a living? And even worse, what do you tell your significant other's parents you do for a living? 

Dave Bittner: Some forum participants advise their brothers in crime - and it does appear to be overwhelmingly a bunch of bros - to just stonewall. Tell them nothing. But that's probably not going to work for very long. One of those offering advice said he usually told people he'd been unable to find work since he was released from prison, but that seems unlikely to satisfy Katarina's parents. Some offered responses that Digital Shadows called facetious - antique restorer, car mechanic, truck driver, CCTV operator, cashier or heir to an oil tycoon. Maybe those don't work so well either. Maybe significant other's mom asks you to fix that old car that belonged to significant other's great-grandmother, and then where are you? Out of luck is where. 

Dave Bittner: So perhaps the best reply is something vague and preferably IT related. Bad guys and gals commiserating with their perplexed brethren say they've had some success with telling people they work in search engine optimization, online advertising, information security, website design, software development, IT journalism, programming, or server administration. But even this has its downsides, especially as the general population grows progressively more tech literate. As one criminal shares, "I used to answer that I'm a programmer, an IT specialist, but now every taxi driver out there is interested in what field of IT you're in or what type of programmer you are." Well, you can always fall back on investor or entrepreneur. 

Dave Bittner: JP Perez-Etchegoyen is CTO at application security firm Onapsis. He joins us with thoughts on the risk associated with interconnected cloud and software-as-a-service apps. 

JP Perez-Etchegoyen: So today, what we find - we are wrapping up 2020, and we are finding an even more interconnected landscape in terms of applications, right? Companies that still operate on premise still have their data centers, their cloud services, private clouds and all of that interconnected but also running with SaaS applications, all of them sending data back and forth and being able to operate in this new context, right? So ERP, CRM applications, BI, BW, supply chain, logistics operations - all of these applications are ensuring that organizations are able to fulfill their purposes and really to deliver what they need to deliver to us as consumers. It's all more and more interconnected than ever, right? 

Dave Bittner: Well, and so in your mind, what are the key considerations that people need to keep in mind? As they're either moving to the cloud or continuing to operate in the cloud, what are some of the things that they need to keep top of mind? 

JP Perez-Etchegoyen: I think the key part there is to understand that when we move to the cloud, it's not somebody else's problem, right? It's not that, hey, I offloaded a lot of my workloads to a cloud vendor, and now I don't need to take care of security. I don't need to deal with risk here because it's all my provider's responsibility. Well, you know what? It's still on your responsibility because the data, the responsibility on the data, who ensures that the data is safe is still on the customer, on the company, right? So companies operate by managing a lot of different business processes and data, including personal data, including a lot of regulated data. And in order to make sure that that's secure, they need to be able to put the right controls in place. 

JP Perez-Etchegoyen: So going to the cloud, going to a more interconnected world, it's really about - sometimes it's hard to believe that it's about the basics. Or at least it starts with that, making sure that the settings and the configurations and the patches and really the authorizations, the basic authorizations to how to access those applications, especially in companies that have thousands of employees now remote being able to access those systems. So what we are seeing more and more in organizations is really, like, just start with covering the basics. Start covering the configurations, the integrations, the authorizations, all of that. That helps significantly in reducing risk. 

Dave Bittner: That's JP Perez-Etchegoyen from Onapsis. And joining me once again is Professor Awais Rashid. He is the director of National Research Center on Privacy, Harm Reduction and Adversarial Influence Online at the University of Bristol. Professor Rashid, it's great to have you back again. Today we want to touch on this notion of privacy at scale. What can you share with us today? 

Awais Rashid: So we rely on digital technologies for our daily lives on a regular basis, you know, and it has not been any more obvious than now in the pandemic, where we have been able to, in many cases, engage in work, engage with others around the world and utilize services through online infrastructures. So digital technologies play a big, big part in our daily lives. And certainly, you know, for example, there has been a recent report from the U.K. that the digital sector is worth more than 400 million pounds a day to the U.K. economy. 

Awais Rashid: Of course, we benefit from all these services, but equally, as these services are very much data-driven, there are increasing concerns about privacy violations or how that data that is actually collected by these services is used. And, you know, this may be from - you know, you don't have to go far. You can look at sort of any major news outlet, you know, and every couple of days, you know, there are questions about, you know, are your smartphones spying on you or what kind of activity tracking can go on through mobile apps or through smart speakers or smart devices and smart assistants. So the question, really, we must ask is, how do we actually provide privacy on a large scale in this kind of digital infrastructure on which we rely, but without also, you know, potentially impinging on privacy of individuals and the information that they would like to keep private about themselves? 

Dave Bittner: Well, this is a fascinating topic for me personally. How do you - what sort of proposals are out there for maintaining privacy at scale? 

Awais Rashid: So one of the key things is that we need to rethink what our data innovation model is. And at the moment, we think that - well, many people think that to get value out of data, one must actually collect all data. And there are some key advances in privacy-enhancing technologies out there, which allow - which are designed to actually get value from data without actually revealing all the information about an individual or a particular setting that people may not want to reveal. So, you know, a good example of this is differential privacy, where an algorithm will actually enable to get particular value out of the data but without revealing all the details that - in a way that you can't construct an individual's data within that dataset from the output that you have received from the algorithm. 

Dave Bittner: You know, again, personally, I - it's my perception that there's been a good bit of hand-waving when it comes to privacy at scale. You'll hear people say, well, we simply can't do that at scale. We can't provide that amount of privacy at scale. And, you know, it strikes me that we shouldn't be satisfied with that. If someone were building a factory or a manufacturing facility and they said, well, you know, this river next to our factory, we simply can't ensure that we don't pollute that river and still operate at scale, that wouldn't be acceptable to us. And yet we have these conversations that somehow operating at a certain scale and privacy might be mutually exclusive. 

Awais Rashid: Yes. And I think that's exactly the kind of conversation that we need to potentially challenge. And I'm reminded of this interesting piece on the Privacy Project website, which had a heading which said, we read 150 privacy policies, and they were an incomprehensible disaster, right? And let's not forget that, you know, strides have been made. So for example, you know, we have a number of privacy regulations. You know, we have in Europe, for example, the GDPR, which requires organizations to demonstrate, you know, how they are taking particular actions around privacy. But the question we have to also ask is, how can we actually really ensure that the requirements that we are expecting as a society can be evidenced in the systems? 

Awais Rashid: And it's also a big challenge for infrastructure providers, you know, even if they want to challenge. The infrastructures are complex. How do they actually evidence this kind of compliance with particular regulations and actually really show that they actually give operationalization to particular requirements? 

Awais Rashid: And I think there is also the flip side of it as to how the user feels empowered or disempowered with regards to privacy, right? And the great example of this is, you know, under GDPR, we have now this sort of cookie law where, when you go onto a website, you have to actually say what cookies people are accepting or rejecting. And there is a really massive divergence into how different websites implement it. So on some websites you go, they will go, well, we start with everything is rejected. You opt in. Other websites will start with everything is accepted. You have to individually opt out. 

Dave Bittner: Right. 

Awais Rashid: But also, interfaces vary so much. And, you know, I am a computer scientist, you know? I understand technology. And even - a lot of the times, it can be quite incomprehensible to people who are actually technology experts. And, you know, if you think about it, you know, this is meant for, you know, all citizens from all backgrounds. And, you know, we all have to be able to understand what is going on and be able to make informed decisions. But it also becomes a really complex task. You know, so every time you go onto a new website, you go, oh, no, I have to do this again, right? And it is very disempowering, and it almost leads to this dejection by the users that not much can be done. 

Awais Rashid: And then that's why we come back to this thing, that we have to start by asking the question, what do we need to do to build privacy into the core of our infrastructures, into the software systems and services that we are deploying? What are the common building blocks that we need so that they can then be leveraged to provide these services? Because it also makes the job of the infrastructure providers easier. But it also actually takes the burden away from the users to constantly have to, you know, deal with this, confronted with this issue of, you know, what do I do here? 

Dave Bittner: All right. Well, Professor Awais Rashid, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed - expert recommended to stop the pain. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.