The CyberWire Daily Podcast 12.7.20
Ep 1228 | 12.7.20

NSA warns that Russia is actively exploiting patched VMware vulnerabilities. CISA alert also a warning to Iran. DeathStalker update. Market pressures in the Darknet. Greetings from Pyongyang.


Dave Bittner: NSA warns that Russian state-sponsored actors are actively exploiting patched VMware vulnerabilities in the wild. A CISA alert puts Iran on notice. DeathStalker hired guns are now active in North America. Darknet contraband markets are experiencing the sort of pressure and consolidation legitimate markets undergo. Rick Howard checks in with the Hash Table on CSO and CISO roles. My continued conversation with Betsy Carmelite from Booz Allen on their 2021 Cyber Threat Trends Report. And a weird shift in North Korean propaganda - is Pyongyang having a Hallmark moment?

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, December 7, 2020. 

Dave Bittner: NSA this morning published an alert concerning vulnerabilities VMware patched last week. The bugs are being actively exploited by Russian intelligence services. NSA is particularly concerned to warn federal agencies and the companies that make up the defense industrial base, but the agency's advice is also intended for any users of the affected VMware products. 

Dave Bittner: As is so often the case, password access is required for exploitation. NSA writes, quote, "exploiting the vulnerability requires authenticated, password-based access to the management interface of the device, which is encrypted with TLS. That interface typically runs over port 8443, but it could be over any user-defined port. NSA recommends that NSS, DOD and DIB network administrators limit the accessibility of the management interface on servers to only a small set of known systems and block it from direct internet access," end quote. And, of course, as always, patch. 

Dave Bittner: CISA's alert last Thursday in which it warned of a likely increase in Iranian cyberattacks is seen by many observers, Nextgov reports, as aimed more at an Iranian audience than a U.S. domestic one. The U.S. government may be interested in reminding Iran that it's on the alert for them, that it knows what to look for and that it's prepared for accurate, supportable attribution and that it will leave speculation about any possible retaliation as an exercise for the audience. 

Dave Bittner: The large Israeli insurance firm Shirbit at the end of last week refused to pay the actors behind a ransomware attack the company sustained. The Times of Israel reports that Black Shadow, the criminal organization that claimed responsibility, on Friday began releasing some of the data it stole. says exchanges between attackers and victims include a demand for 200 bitcoin, roughly $3.8 million, but Shirbit tells Haaretz that the motive was strategic and not financial. The data is thought by some to have been moved to Iran. 

Dave Bittner: Security firm Kaspersky reports that the DeathStalker hackers-for-hire are now working targets in North America. The group is using the PowerPepper back door, which itself uses DNS over HTTPS as a communication channel, the better to conceal communication with the control server behind legitimate-looking traffic. PowerPepper uses a variety of evasive techniques, including steganography, to fly below the defenders' radar. 

Dave Bittner: Kaspersky's read on the hoods behind DeathStalker is that they're hired guns. Right now in the United States and Canada, they've apparently been hired to gun for financial and legal services. 

Dave Bittner: Chainalysis looks at darknet markets and sees both consolidation and a drop in activity. The number of active markets has fallen to 37 from a high of 49. Some of the decline the researchers attribute to the same COVID-19 delivery pressures legitimate markets face, but they think the operation of market forces accounts for most consolidation. Law enforcement attention may, in part, be credited with the drop in transactions. 

Dave Bittner: Kaspersky shared some predictions with TechRepublic that the security firm thinks will have particular importance for the health care sector in 2021. The researchers believe attacks against developers of COVID-19 vaccines and treatments will continue, with theft of data on breakthroughs being at a premium. They see health-related cyberattacks as a probable geopolitical bargaining chip, with attribution a matter of diplomatic contention. 

Dave Bittner: In an independent statement on the problem not coordinated with or based on Kaspersky's research but arriving at similar conclusions, CNBC quotes former CISA director Krebs to the effect that the familiar four - Russia, China, Iran and North Korea - are actively engaged in industrial espionage aimed at developments in COVID-19 research. 

Dave Bittner: Krebs said yesterday on "Face the Nation," quote, "the big four - Russia, China, Iran and North Korea - we have seen to some extent all four of those countries doing some kind of espionage or spying, trying to get intellectual property related to the vaccine," unquote. So in this respect, 2021 will witness a continuation of a trend already well established in 2020. 

Dave Bittner: To return to Kaspersky's predictions, the security firm also sees cybercriminals as a growing threat to the healthcare sector. Criminals can also be expected to pursue private medical organizations. They not only hold valuable data, but they may be less able to protect it than are better-resourced public health care organizations. As patient data migrates to the cloud, Kaspersky expects criminals to follow. And, of course, medical topics will retain their prominence as phishbait. 

Dave Bittner: Writing in Help Net Security, Futurex offers its take on the near future of encryption. Like every other seer we've consulted, they foretell a greater role for the cloud as cloud-based encryption and key management become more important to financial services in particular. 

Dave Bittner: Homomorphic encryption, which encrypts data in use, will see more widespread adoption, as will bring your own encryption. BYOE is seen as offering a hedge against certain forms of third-party risk, especially legal and regulatory risk. And device manufacturers will increasingly move toward crypto agility, the better to be prepared for quantum computing when it eventually arrives. 

Dave Bittner: Looking ahead to the next U.S. administration, The Washington Post's Cyber 202 lays out the case for significant continuity in cybersecurity policy. The discontinuities are likely to be largely organizational, such as the reappointment of a national cyber coordinator, a position the most recent National Defense Authorization Act reinstated. 

Dave Bittner: With respect to safety during the holidays, Specops Software emailed us their updated list of the 15 most common and most commonly exposed in breaches holiday-themed passwords. They are, in order, star, angel, God, elf, Jesus, snow, carol, noel, Santa, chocolate, gift, bells, December, Xmas and jolly. Piety, affection and happiness are all excellent, but their expression in credentials is probably a mistake. They're short, they're not random and they're easily guessed, even by a soulless algorithm. 

Dave Bittner: The Wall Street Journal notices an unusual turn in North Korea's self-presentation through social media. Pyongyang's become positively cuddly, with sweet homages to Mom and kimchi, not to mention low-key, friendly tours of grocery stores and parks. The goal appears to be the rendering of the DPRK as a place where normal people can lead quiet lives. 

Dave Bittner: It's unsettling. We're used to seeing over-the-top accusations of how the American fascist hangmen enslaved South Korea, of how the weather was responsible for the late Dear Leader's moods, even of images of the Dear Successor hobnobbing with Dennis Rodman. But, Mom, we love you, and isn't it wonderful that it's kimchi season again? It's a lot to wrap your mind around. 

Dave Bittner: And joining me once again is Rick Howard. He is the CyberWire's chief analyst and also our chief security officer. Rick, always great to have you back. 

Rick Howard: Thanks, Dave. 

Dave Bittner: You know, Rick, last week on your "CSO Perspectives" podcast, you mentioned that CISOs and CSOs were not board-designated corporate officers like the CEO or the CFO. 

Rick Howard: Wow. Can you put some more alphabet in that, David (laughter)? 

Dave Bittner: I know. It's like alphabet soup. 

Dave Bittner: You said that their titles had been designated to give the appearance of senior weight, but legally they were not equivalent. Now, beyond everyone who listened to your show, you know, suddenly have a chip on their shoulder when it came to their interactions with the CISOs and the CSOs, right? 


Dave Bittner: Here's the question that came to mind for me. Does it matter? Is it a distinction without a difference? 

Rick Howard: So that is an excellent question - in fact, so good - OK? - that I dropped that little hand grenade right on top of the CyberWire's Hash Table to see what our experts thought. And you know what? It turns out, maybe not that much. 

Rick Howard: I was talking to Gary McAlum about this. He is the USAA CSO. And he's been there for, like, a gazillion years, so he knows where everything is. And he said that the corporate officer label might help a little maybe, but it wasn't essential. 

Gary McAlum: It can't hurt. But again, you could be designated that. And I guess it would help a little bit. But it's - more important is what is the tone at the top, right? What level of support does that person in that position have regardless of what they're designated as, right? And you could even make a, you know, an argument that it also depends on where they're placed in the organization. If they're buried, you know, multiple levels down, do they have the level of visibility they need on this issue? You know, does that indicate the level of support they have or they don't have from the company? So I think it's one variable among several. And I don't think it could do anything but help. But I don't think it's a critical success factor necessarily. 

Rick Howard: So according to Gary, it's much more important for the CSO or the CISO to be part of the C-suite. Can we say C any more times in this thing? 

Dave Bittner: I know. 


Dave Bittner: I mean, does this provide any shielding for them, too, to not be at that level? I mean, can that be a good thing if you're - is it protective for the folks who have this role? 

Rick Howard: You know, I don't know. It seems like it's a legal distinction - OK? - for certain... 

Dave Bittner: Yeah. 

Rick Howard: ...Regulatory requirements that's probably not important for the job that the CSO and the CISO is trying to do. 

Dave Bittner: Yeah. 

Rick Howard: It's more important to be seated at the C-suite table as a valued contributor, all right? So I don't want to be buried three layers down, working for the CIO. I want to be at the table helping the business make decisions. 

Dave Bittner: Right, right. So having that seat at the table is really where the rubber meets the road in this case. 

Rick Howard: Exactly. 

Dave Bittner: Yeah. It reminds me of, you know, the joke from "The Office." You know, are you the assistant manager or assistant to the manager, right? 


Rick Howard: Yeah, that's very true. 

Dave Bittner: All right. Yeah. All right, well, it is "CSO Perspectives" - Rick Howard talking to the Hash Table this week. Thanks for joining us. 

Rick Howard: Thanks, Dave. 

Dave Bittner: And I'm pleased to be joined once again by Betsy Carmelite. She is a senior associate at Booz Allen Hamilton. Betsy, it is always great to have you back. You and I have been talking about Booz Allen's recent 2021 Cyber Threat Trends Report. And one of the things I wanted to touch on with you is this notion about supply chain attacks, specifically via cloud-hosted development environments. That popped up in the report. Can you share some of the details with us? 

Betsy Carmelite: Yes. Specifically, we're looking at threat actor interest in targeting platforms as a service solution, where we see the cloud development environments - these cloud-hosted development environments. For a brief background with platform as a service, the customer manages some of the software but not the underlying host and infrastructure, so there is a shared responsibility there. Historically, threat actors have targeted shared-library software development kits and use it as a means to conduct widespread attacks. This is really where they can insert malicious code into benign applications and carry out nefarious motives. 

Betsy Carmelite: And so we're seeing as cloud-hosted development environments become more popular, we think these solutions may attract the same illicit activity that other development tools and resources have seen in previous attacks. 

Dave Bittner: Can you go through some of the specific risks with us? 

Betsy Carmelite: Sure. With platform as a service, there's really a natural meeting point or convergence of several already-tried-and-true paths of attack. We've seen actors generally have interests in inserting themselves in the dev environment for malicious means. And we've seen threat actors riding on cloud-hosting infrastructure for a long time, for example, hosting malware payloads on cloud storage ultimately to cause damage and compromise the places where legitimate software tools and services are being built. 

Betsy Carmelite: So this convergence is another avenue of manipulating the supply chain. So this is where we get to impacting the products and subsequent customer deployment downstream. 

Dave Bittner: Well, let's go through some of the mitigations there. I mean, how do folks protect themselves against this sort of thing? 

Betsy Carmelite: Sure. So if you're the consumer, organizations can protect against software supply chain attacks by deploying EDR, endpoint detection response, tools that may detect anomalous or suspicious behavior by applications, including those normally believed to be trustworthy. 

Betsy Carmelite: If you're the software developer, it's a good practice to make extensive use of code signing to secure software components, and those components can include configuration files or scripts, and to check the digital signatures of imported libraries or updates. Code signing keys should be stored to prevent those rogue users of the development environment from signing malicious code. 

Betsy Carmelite: And lastly, again, if you're the developer, you should secure your development environments by using strict access controls, ensuring prompt deployment of patches. When using cloud-hosted development tools, organizations should consider private cloud deployments and those models to provide additional control over the environment. 

Dave Bittner: Well, it's the 2021 Cyber Threat Trends Report. Betsy Carmelite, thanks for joining us. 

Betsy Carmelite: Thanks, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Become legendary. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.