The CyberWire Daily Podcast 12.10.20
Ep 1231 | 12.10.20

Facebook faces anti-trust suit. COVID-19 vaccine cyberespionage. Emissary Panda spotting. SQL databases for sale. Notes on the FireEye breach, the end of Flash, and the Mirai botnet.


Dave Bittner: Hey, everybody. Dave here. I want to tell you about Creating Connections. It's our monthly newsletter for women in cybersecurity created by the women of the CyberWire. Each month, a new issue of the newsletter is released and includes contributed content by thought leaders in the field. I invite you to check out our latest issue and subscribe for free. You can find it at It's not limited to just women. Supporters of diversity and champions of women in the industry, like me, are welcome to subscribe, too. Check it out. It's Creating Connections - Thanks.

Dave Bittner: Facebook faces a U.S. antitrust suit. Cyber-espionage hits the European Medicines Agency, apparently looking for COVID-19 vaccine information. Emissary Panda is out and about. A simple ransomware campaign goes for success through volume. Stolen SQL databases are offered for sale back to their owners. React to the FireEye breach, but don't overreact. We welcome Kevin Magee from Microsoft Canada to the show. Our guest is Liviu Arsene from Bitdefender with insights on their Business Threat Landscape Report. Flash nears its end of life. Predictions for 2020. And another guilty plea in the Mirai case. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, December 10, 2020. 

Dave Bittner: We begin by mentioning briefly a major legal development that broke yesterday. The US Federal Trade Commission has filed an antitrust suit against Facebook, alleging years of anti-competitive behavior that could ultimately warrant breaking up the company. The FTC has been joined in the suit by 26 state attorneys general and the AGs of the District of Columbia and the territory of Guam. We'll have more details on the suit in this afternoon's pro privacy and pro policy briefings. But for now, we'll characterize the action this way - if data represent the new oil, then Facebook looks to the FTC like the new Standard Oil. 

Dave Bittner: BioNTech has disclosed, according to The Guardian, that information related to the COVID-19 vaccine the German firm has been developing with Pfizer was accessed in a cyberattack against the European Medicines Agency. The agency simply says that it was attacked without offering, so far, any information on targets, losses or attribution, SecurityWeek reports. Dutch national police are investigating. 

Dave Bittner: Avast yesterday reported sighting Emissary Panda, also known as APT27 or LuckyMouse. The campaign, whose first interest seems to be the government of Mongolia, is phishing with a weaponized document exploiting CVE-2017-11882. The Prague headquartered security firm said in part, quote, "the APT group planted backdoors and keyloggers to gain long-term access to government networks and then uploaded a variety of tools that they used to perform additional activities on the compromised network, such as scanning of the local network and dumping credentials. We presume that the main aim of cyber-espionage was the exfiltration of sensitive data from potentially interesting government agencies," end quote. A number of the tools are from Emissary Panda's familiar kit. But Avast has found some new ones, and it highlights those in its report. Much about the cyber-espionage campaign remains unclear. For example, an unknown company that provides contract services to government agencies in East Asian countries has apparently been under attack, but who that company is and what the Pandas were after is still murky. But the entry point into the government organizations successfully penetrated was gained by pivoting from a compromised third party. 

Dave Bittner: Guardicore says that a relatively simple ransomware campaign they're calling PLEASE_READ_ME has been attacking SQL databases since this past January. It's an untargeted campaign, the security firm's researchers say. The attackers aren't interested in the size or identity of the victims. Their secret to success is volume. Guardicore calls it factory ransomware, and they characterize it as untargeted, transient and simple. 

Dave Bittner: ZDNet reports that criminals are ransoming stolen databases for roughly $550 per database - prices fluctuating with Bitcoin exchange rates. More than 85,000 SQL databases are for sale back to their owners in what appears to be a secondary ransomware market. The market also seems largely automated. And there's no particular reason to think that the databases won't also be sold to third parties in the criminal-to-criminal market. 

Dave Bittner: There's considerable breathlessness in reactions to the FireEye breach. But both Qualys and Hurricane Labs offer more measured, less alarmist advice. Qualys observes that some of the stolen tools may appear in commodity attacks. Hurricane Labs sensibly points out that organizations should pay attention to the vulnerabilities FireEye has said the tools incorporate and apply the available patches and mitigations. Both note that FireEye has shared details useful for protection in its GitHub repository. So the incident should serve as an impetus to more careful patching and practicing better cyber hygiene in general. We note that plenty of vendors are interested in helping you do both. 

Dave Bittner: Speaking of patching and updates, the requiem for Flash has been sounded so often that one almost hesitates to put on mourning. But this time, it seems to be for real. ZDNet reminds all that Adobe has issued its last-ever Flash patch and warns users in very direct language that Flash will reach its end of life on January 12 of the New Year. If you use Flash, plan accordingly. 

Dave Bittner: Looking ahead to the new year, as we've been doing lately, we can sum up most of the predictions by saying that 2020's criminal momentum is expected to carry into 2021, and it's clearly doing so. COVID-19-driven social engineering, for one thing, is here and likely to remain for the foreseeable future. KnowBe4, for example, announces the appearance of COVID-19 vaccine phishbait. It's unlikely to go away soon. Expect this chum to be scattered across inboxes well into 2021. And Armorblox this morning released updates on some representative COVID-19 scams. Reuters sees the same sort of thing. One trend - surprising at first blush, but which on reflection seems right -  is that COVID-19 concerns appear to have driven a rise in romance scams. Under lockdown, apparently, people are looking for love in all the wrong places. G Data summarizes the coming evolution of ransomware by noting that the extortionists will become smarter, more focused and above all, faster. The increased speed, ZDNet points out, is worrisome. The hoods will be likelier to pivot and encrypt before they're detected, getting inside the defenders' OODA loop. The phishbait is getting better designed, too. Bitdefender sees scammers upping their game and impersonating financial services - the language and the logos, for example, much cleaner and more convincing than they've historically been. Other things to worry about? Well, there's stalkerware, which has drawn attention with reports that lawful intercept tools are proliferating into the hands of unlawful users. And, of course, there are North Korean cyberattack units, which the National Interest thinks aren't receiving the attention their level of threat warrants. It's not all mom and kimchi in Pyongyang - whatever the Dear Successor may be woofing nowadays. 

Dave Bittner: And finally, remember Mirai, the botnet that took out the internet over most of the U.S. Eastern Seaboard back in 2016? It was widely believed when the IoT botnet worked its DDoS that Mirai was a shot across the American bow, probably fired by Russia. Within less than a month, it was determined that this wasn't so. The Professor Moriarty of the affair turned out to be a student at Rutgers University in New Jersey and not exactly the pride of the Scarlet Knights, either. He was interested in driving traffic away from competing offerors of "Minecraft" in-game purchases and thought that DDoSing them would be a good idea. It's just that, well, one thing led to another, and things got out of hand. Anyhoo, besides providing a useful cautionary tale about premature attribution and the attendant difficulty of recognizing a digital Pearl Harbor, the incident resulted in three federal guilty pleas. There's now been a fourth. An unnamed defendant had taken a guilty plea before the U.S. Court for the District of New Hampshire. The defendant is unnamed because of the defendant's tender years at the time of the offense. The U.S. Department of Justice said yesterday that according to the plea agreement, the individual conspired to commit computer fraud and abuse by operating a botnet and by intentionally damaging a computer. Because the individual was a juvenile at the time of the commission of the offense, the individual's identity is being withheld pursuant to the Juvenile Delinquency Act. May the individual set his or her feet on a better path. 

Dave Bittner: Researchers at Bitdefender recently published their Business Threat Landscape Report for 2020. Joining us with key takeaways from the report is Liviu Arsene, senior e-threat analyst at Bitdefender. 

Liviu Arsene: This has been a very interesting year, to say the least. So basically, the entire report focuses on how the pandemic has affected both the threat landscape and, you know, the overall infrastructure for organizations, as well as their employees. 

Dave Bittner: Well, let's go through it together. What are some of the key findings here? 

Liviu Arsene: Right, so I guess one of the biggest key finding is that, you know, half of organizations weren't prepared for a pandemic-type situation. So that means, you know, they literally had to redesign their entire infrastructures overnight to accommodate, you know, all their employees working remotely. And, you know, when you do these types of things without proper preparation, you know, misconfigurations and blunders will happen. And it's likely that most of these misconfigurations and, you know, on-the-go infrastructure realignments will probably be exploited by attackers in the next 12 to 18 months, you know, by using very simple techniques - everything from brute-forcing to credential stuffing or simply exploiting, you know, unpatched systems. 

Dave Bittner: So what are some of the takeaways here? With the information you gathered in the report, what sort of lessons can you share with our listeners? 

Liviu Arsene: So I guess the biggest - some of the biggest are that, you know, one of the policies that seems to be less enforced, let's say, is the fact that companies don't have a policy for making employees - or for preventing employees from reusing old passwords. Actually, I think over 93% of employees actually reuse old passwords for their accounts. There's also the fact that I think in the first half, from January up until June, we've seen a spike in suspicious IoT incidents in households. And CIOs and CISOs actually do believe that, you know, the fact that employees are now working remotely from their own homes - their networks could actually be prone to more attacks, to a more diverse attack surface, if you will, that could potentially compromise their work endpoints, laptops or computers and subsequently move those threats to the enterprise environment. 

Dave Bittner: Yeah. Do you suppose that the organizations that went into this better prepared but also have been able to be nimble throughout - are they going to have a competitive advantage when we get to the other side? 

Liviu Arsene: Well, security is - you know, you can look at it as something organic, you know? It's never something that you deploy once, and you forget about it. You know, it's something that you constantly have to evaluate. So those that had a plan were probably a little bit better prepared to face the new threats. But these are not the only threats, the only things that have changed. Even those companies that were prepared for this scenario are now facing threats that they previously didn't face. For instance, we found evidence, if you will - although circumstantial evidence - that there is such a thing as APT hackers for hire, which is a bad thing, because APT groups are mostly associated with governments, you know, and state-sponsored actors. But recent investigations found out - revealed that some of these APT groups may actually be offering their services to the highest bidder. For example, they've - instead of targeting a financial institution or government institutions, they've started targeting completely different verticals, you know? They went after a real estate company and a video production company. So they had absolutely nothing  to do with financial gain. I mean, the attack is not financially motivated or politically motivated. So the only plausible explanation in light of the sophistication of the attack was that they were probably hired by one of their competitors to do a little bit of industrial espionage. And this completely changes the game a little bit, especially for these SMBs that, you know, traditionally didn't face these types of threats. And this is all in the report. There's a lot more detail in that. 

Dave Bittner: That's Liviu Arsene from Bitdefender. 

Dave Bittner: And it is my pleasure to welcome to the show Kevin Magee. He is the chief security and compliance officer with Microsoft Canada. Kevin, welcome to the CyberWire. 

Kevin Magee: Hi, Dave - pleasure to be here. 

Dave Bittner: So before we dig into some of the topics that you're going to share with us along the way, I thought it'd be nice to get to know you a little bit about your own professional journey and the sorts of things that keep you busy day to day at Microsoft. Where did you get your start, and what led you to where you are today at Microsoft? 

Kevin Magee: Well, I often joke that I'm actually educated as a historian and then went into business at a startup in the IT space in the '90s and then came to sort of my security career indirectly later in life, much like the career path of Jack Ryan. So I like to consider myself the Canadian Jack Ryan. And I think that interesting sort of background, sort of an arts degree with an education based on, you know, presenting a hypothesis, defending your hypothesis, building evidence, looking at sources critically and whatnot, building communication skills in a different way - long-form writing has given me a different perspective and a really interesting take on my work that other folks that maybe came up the more technical route hadn't have. And then just joined in sort of the startup community in the '90s, which was sort of a crazy time, was an amazing time to be in technology. 

Dave Bittner: Yeah, and then so what was the path that led you to Microsoft? 

Kevin Magee: Ultimately - and I never really saw myself, again, working for a large company. But Microsoft in the last number of years has really shifted to a different style under Satya Nadella, where we take a very growth mindset, learn-it-all approach to our work. And a lot of the innovations I was seeing that was very interesting started coming out of Microsoft. So when the recruiter called and connected me to a vice president who was hiring, he wanted me to look at the business and growing the business like a startup person would and was very refreshing. And I thought maybe when I joined, you know, that it wouldn't be like that, but it truly is. We're trying to build a culture that looks at diversity of opinions. Innovation and whatnot is what makes you successful in your career, not just delivering numbers or shipping product. 

Dave Bittner: You know, I think about Microsoft as a global company and certainly one with a lot of history. Can you give us some insight? So what is it like to be in a leadership position there in Canada? What are the interactions with the rest of the global community of Microsoft? 

Kevin Magee: Well, the cool thing is I actually started reporting into corporate - so into sort of the mothership - often you folks describe it as. And so that gave me a view of how sort of the global company works and introduced me to folks around the world and then shifted to a Canada-specific career when I took this role a couple of years in. And having both experiences has been fantastic because the Canadian subsidiary really operates like a small team. We all know each other. We all work together. You know, it's a really sort of esprit de corps type of relationship we have. But I can also reach out to my counterparts and really see what's going on around the world. So I can call my counterpart in Australia or Germany or whatnot and get a really global feel on topics or an understanding of how things work in different cultures. Or maybe they're seeing a different threat in a different environment. And I'm just beginning to see it now, where they've experienced it for a number of months because of some aspect of their geography. And often, the smaller regions really can't relate to sort of larger markets like the U.S. or whatnot. So having those folks that I can rely on as part of my intelligence network is fantastic. 

Dave Bittner: And what is your day to day like these days? What sort of things keep you busy? 

Kevin Magee: Well, it's interesting today because we're growing the team. And I'm interviewing and hiring and onboarding folks in a pandemic that I've never met. So it's a full, new dynamic for not only myself but for my team, really, evolving and responding to the current needs, just like everyone else. And, obviously, cybersecurity is moving very quickly now. So we're having to adapt even quicker. So I spend a lot of time not necessarily on the technology but really understanding the needs of customers, the needs of my people and making sure that my folks aren't burning out or really have what they need to do their job. So you would think the chief security officer is really focused on more of the technology and sort of the digging into the code or whatnot. But the business really is becoming more and more about people and understanding people. 

Dave Bittner: Well, Kevin Magee, chief security and compliance officer with Microsoft Canada, welcome to the CyberWire. You can say thank you. 

Kevin Magee: Oh, thank you. 


Kevin Magee: Wasn't sure what the protocol was there. 

Dave Bittner: Yeah (laughter). 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Between love and madness lies obsession. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.