The CyberWire Daily Podcast 12.11.20
Ep 1232 | 12.11.20

OceanLotus tracked. Threats to K-12 distance education. Adrozek is credential-harvesting adware. MountLocker gains criminal affiliates. FCC acts against Chinese companies. CISA internships.

Dave Bittner: Tracking OceanLotus. U.S. advisory warns of cyberthreats active against schools trying to deliver distance learning. Adrozek joins credential harvesting and adware. MountLocker's criminal affiliate program. The FCC takes action against Chinese companies deemed security risks. Predictions and holiday advice. Johannes Ullrich from the SANS Technology Institute wonders what's in your clipboard. Our guest is Nina Jankowicz from the Wilson Center on her new book, "How to Lose the Information War: Russia, Fake News and the Future of Conflict." And internship opportunities at CISA.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, December 11, 2020. 

Dave Bittner: Reuters reports that Facebook has associated the Vietnamese threat actor, OceanLotus - APT32 - to a company in Ho Chi Minh City - CyberOne Group. CyberOne Group said, on their now-suspended Facebook page, "We are NOT OceanLotus. It's a mistake." Vietnam's foreign ministry hasn't responded to inquiries from Reuters, but Hanoi has in the past denied any connection with or responsibility for OceanLotus. The attribution is unusual in its unambiguous association of a cyber-espionage group with a contractor. Facebook, which has been squabbling with the government of Vietnam over content control, declined to give a detailed account of its evidence, saying that doing so would impair its ability to track OceanLotus in the future. 

Dave Bittner: A Joint Cybersecurity Advisory from the US Cybersecurity & Infrastructure Security Agency, the FBI and the Multi-State ISAC yesterday warned that cyberattacks on schools have become increasingly widespread as kindergarten-through-12 systems attempt remote instruction during the pandemic. The advisory singles out ransomware, with Ryuk, Maze, Nefilim, AKO and Sodinokibi being among the most commonly observed strains; Trojans, especially ZeuS and Shlayer; distributed denial-of-service attacks, often by DDoS-for-hire gangs; and video conference disruptions as the most prevalent threats. The agencies urge schools to follow a familiar set of best practices to help secure themselves as the pandemic continues to stress their systems and teachers and staff and students and the families of all these. 

Dave Bittner: Microsoft 365 Defender research team has released a study of Adrozek, browser-modifying malware that affects most, if not all, major browsers. The researchers say that Microsoft Edge, Google Chrome, Yandex Browser and Mozilla Firefox are all subject to modification. It's adware. Quote, "Adrozek adds browser extensions, modifies a specific DLL per target browser and changes browser settings to insert additional, unauthorized ads into webpages, often on top of legitimate ads from certain (ph) engines," Microsoft 365 says, adding that "the intended effect is for users, searching for certain keywords, to inadvertently click on these malware-inserted ads, which lead to affiliate pages. The attackers earn through affiliate advertising programs, which pay by the (ph) amount of traffic referred to sponsored affiliate pages," end quote. Adrozek is usually distributed as a drive-by download. It modifies browser settings, including security settings. Like most forms of adware, Adrozek gets revenue from the referrals it generates. That's normally considered a fairly low-grade threat - obnoxious and profligate of resources, but not really a high-end, high-risk threat. But in Adrozek's case, the adware also steals credentials, and that's a serious matter indeed. So it seems that adware is following the path ransomware took - the original crime continues and is then joined by additional malignant functionality. If this becomes a trend - and there's no reason to think it won't - adware may increasingly be accompanied by credential harvesting in the way the ransomware is now routinely accompanied by information theft as well as data encryption. 

Dave Bittner: Researchers at BlackBerry are describing the latest ransomware-as-a-service development. MountLocker ransomware combines traditional encryption with data theft to add more heft to the extortion and is being run in an affiliate campaign. The researchers describe it as simple, lightweight and efficient ransomware. The operators work quickly against their targets, and they appear to be gaining more criminal market share. 

Dave Bittner: The US Federal Communications Commission yesterday took two actions against Chinese companies. The first requires carriers receiving federal funds to remove and replace equipment that poses a security risk. The second begins the process of revoking China Telecom's authorization to operate in the US. 

Dave Bittner: As you might expect, we've been receiving a lot of notes on the pandemic's opportunities for bad actors, common sense about shopping securely during the holidays, and some CISA internship opportunities. And to summarize what the social engineers are going to do, it's like this. They'll take you to a high place, show you all the kingdoms of the earth and so on. That kind of FOMO's been tried before. Don't let it work on you either. That unbelievable offer of a stupendous deal if you work as a secret shopper? It may look like a beacon of light, but trust us, it's coming from a very dark place. 

Dave Bittner: So beyond being taken to a high place, expect more COVID-19 vaccine scams and more criminal collaboration. Check Point finds that malign activity keyed to the pandemic is assuming three general forms – cyber-espionage directed at researchers and pharmaceutical companies engaged in vaccine development, phishing and water holing domains with a COVID-19 theme and, finally, bare-faced scams hawking bogus treatments. Proofpoint, for its part, foresees more ransomware hitting cloud repositories, the continuing threat of social engineering, a relative abatement but not disappearance of business email compromise and growing collaboration among criminal groups. 

Dave Bittner: The winter holidays are upon us. Hanukkah began yesterday evening and will end next Friday evening. Christmas is just two weeks away. So last-minute shoppers are finding time closing in on them. RiskIQ has published its holiday E-commerce Blacklist Threat Report for 2020. The size of the opportunity would seem to explain why the threat is so active this time of year. RiskIQ says that 30% of all retail sales occur between Black Friday and Christmas, that there's a 35% rise predicted in U.S. e-commerce sales compared to last year - probably reinforced by pandemic-driven social isolation - and that 83% of shoppers will spend 50% of their budget online. 

Dave Bittner: Finally, it's neither a trend nor a holiday security story, but since applications close in early January, this is a seasonal story. Students interested in an internship at the US Cybersecurity and Infrastructure Security Agency may wish to explore some recently announced opportunities. The agency is offering student trainee positions in IT management in several pay ranges. You'll find links to the job announcements, which are too long to speak here, in today's CyberWire daily news briefing. You can find that on our website, The jobs are open to high school students, undergraduates and grad students. (And a tip of the hat to the folks over at Katzcy, who tipped us off to the opportunity.)

Dave Bittner: My guest today is Nina Jankowicz, disinformation fellow and former Fulbright-Clinton Public Policy Fellow from the Wilson Center. Her new book is titled "How to Lose the Information War: Russia, Fake News, and the Future of Conflict." 

Nina Jankowicz: Well, I was living in Ukraine in 2016 and 2017 when the U.S. election was happening and all the revelations about Russian interference in the election came to light. And I was working as a strategic communications adviser to the foreign ministry of Ukraine under the auspices of a Fulbright Fellowship. 

Nina Jankowicz: And being there basically on the front lines of the information war - you know, Ukraine has been dealing with this stuff more in a concentrated way since 2014 and 2013 when the Euromaidan revolution began and Russia illegally annexed the Crimean Peninsula and invaded eastern Ukraine, the Donbass. So they're very familiar with these tactics, as are a lot of other Central and Eastern European nations and the Baltic states, places like Poland, the Czech Republic. 

Nina Jankowicz: And I just felt that, you know, watching the U.S. response, which was really categorized by a lot of hubris, you know, it was a lot of, how could this have happened to us, when things like this had been happening in Central and Eastern Europe for the past 10 to 15 years. I really felt that there was a lot that we, the United States, could learn from our allies in Central and Eastern Europe. 

Nina Jankowicz: And that's what the book looks at - five different Central and Eastern European countries - Estonia, the Republic of Georgia, Ukraine, Czech Republic and Poland - and how they responded to the threat of Russian disinformation and increasingly to the threat of domestic disinformation as well. 

Dave Bittner: Well, take us through what you've outlined here. I mean, what were some of the key ways that these nations dealt with this issue of Russian information operations? 

Nina Jankowicz: So one of the most important things is that they all recognize that it's a problem, which I don't think that we can say for the United States, frankly. I mean, I did a hearing a couple weeks ago for the House Intelligence Committee, and only the Democrats showed up. It was a hearing on disinformation and conspiracy theories ahead of the election. And the Republicans just did not deign to make an appearance. And that's very saddening to me because I've briefed Republicans on the Hill before. They care about these issues. But it has become so politicized to even talk about disinformation, particularly in the context of Russia, and that leaves us vulnerable, frankly. 

Nina Jankowicz: Over the past four years, we've done very little to raise the costs for actors like Russia who are using disinformation to achieve their policy goals, to affect and influence our political conversations. And the fact that we're allowing it to be politicized and not even addressing the lowest hanging fruit in terms of dealing with the problem, like transparency around political ads and mandating that through Congress, just shows how difficult this problem is to solve when you don't recognize that it's a problem. 

Dave Bittner: Are you optimistic? Do you think we have a chance at getting control over this to the point where it's, you know, not the issue that it is today? 

Nina Jankowicz: It would be hard for me to get out of bed in the morning if I didn't think we could do something about it. I do think that, you know, there are a lot of things that we haven't even entertained yet. 

Nina Jankowicz: Over the past four years, we really have not seen a good faith effort by the U.S. government to tackle this problem. We have seen parts of the U.S. government dealing with it, in particular, you know, the folks at the Department of Homeland Security's Cyber and Infrastructure Security Agency have done some really valiant work, but they're a small team, and they're underfunded. There are other similar teams across the government. 

Nina Jankowicz: If we had a united strategy that was bringing together the best brains in, you know, Russia policy, cyber policy, strategic communications in a node in the federal government, I'd feel a lot better. But as it is right now, we don't have that sort of joined-up policy. That's a problem. 

Nina Jankowicz: The politicization of this issue, as I mentioned before, remains an impediment to creating policy at the congressional level. And we've not seen really any sort of consensus building in the cross-sector environment, so either between public-private partnership with the social media platforms or bringing in civil society organizations as well who are looking out for things like rights to free speech and human rights online. 

Nina Jankowicz: I think there are so many smart people who are working on these issues in the United States that, yes, we can absolutely make a dent. But the reality is that we have been tardy, and our responses have been, in the international realm, tertiary to a lot of what our allies are doing. We are absolutely falling behind and, in some cases, abdicating our responsibility to the rest of the world, as the place that hosts these platforms where so much disinformation spreads, to do something about this. So I think the clock is ticking, and hopefully we don't tarry too much longer because this is an issue that is getting more concerning by the day. 

Dave Bittner: Our thanks to Nina Jankowicz for joining us. The book is titled "How to Lose the Information War: Russia, Fake News, and the Future of Conflict." Don't forget we have extended versions of many of our CyberWire interviews as part of CyberWire Pro. You can find out more about that on our website, 

Dave Bittner: And joining me once again is Johannes Ullrich. He is the dean of research at the SANS Technology Institute and also the host of the ISC "StormCast" podcast. 

Dave Bittner: Johannes, it's great to have you back. Today we are talking about clipboards. And I have to admit that I am a bit of a clipboard nerd in that I use a clipboard manager, and it has greatly enhanced my lifestyle. So I am very interested to hear that you have set your sights on some issues with clipboards. What are you going to teach me today? 

Johannes Ullrich: Yeah, that's really something our handler, Rob VandenBrink, here has researched in detail. And that's - well, malware is actually going after your clipboard because you have a lot of interesting things in your clipboard. It may be passwords that you copy/pasted from a password manager. It may be an account number. For example, there is malware that goes after cryptocoin addresses and such that you may copy/paste because they're way too long to type directly. 

Johannes Ullrich: And there are now a couple ways how software is trying to prevent some of these attacks. For example, some password managers, they'll try to clear the clipboard after you copy the password. So you copy the password. You paste in your browser. Then the password manager deletes or erases that password from the clipboard, which may or may not work, actually. And if you're a clipboard nerd, I'm not sure if you enabled that clipboard history feature, which... 

Dave Bittner: Yeah. Right, yeah (laughter). 

Johannes Ullrich: It gets a little bit in the way there because clipboard history means, well, that cleared password is now just being added instead of overriding the password that you have, so now it's (unintelligible, laughter). 

Dave Bittner: Right (laughter). It's a handy database - yeah, handy database to all the keys to my kingdom. 

Johannes Ullrich: Exactly. And malware has certainly figured it out. Now, from a defensive point of view, you can, of course, monitor what software is accessing the clipboard. And iOS, Apple's operating system, has taken over the lead here. I'm not sure if you noticed this, but in iOS 14, the latest version of iOS, you'll get the little alert whenever some software is accessing your clipboard. Actually, I think it was LinkedIn or a couple other pieces of software that sort of got in trouble for doing just that. They call it sort of monitoring your network - your clipboard, just like malware does. 

Dave Bittner: Right, right. 

Johannes Ullrich: Now, on other platforms, like Windows and such, of course, we don't have it in the operating system like this. But Microsoft's Sysmon tool actually just recently added a feature that will also monitor what software is using your clipboard. And the nice thing with Sysmon is Sysmon is a tool that you can install on your Windows systems, and you can tell it to report back to, like, you know, your security monitoring console and such what's happening on the system. 

Johannes Ullrich: Now, you better set up some decent rules so you're not getting flooded with alerts. But you can basically have it alert you centrally, like, at the Security Operation Center, hey, this workstation or some software is doing weird stuff with the clipboard. 

Dave Bittner: I see. That's interesting. You know, the clipboard manager I use in Mac OS, for example, you can disallow certain things from being put in the history. Like, so you can say, you know, don't - anything that comes from my password manager, you know, let's leave that be. 

Johannes Ullrich: Yeah, that's a real neat feature. Actually, I was just the other day - so I was getting annoyed at that feature on the MySQL database. It does not save any command that contains the word password in the history. And, you know, as a Unix nerd, you're always, you know, doing your cursor up. 

Dave Bittner: Right. 

Johannes Ullrich: You'd rather go 20 lines back in your history than type in ls. 

Johannes Ullrich: But all of the lines that contain the word password - this was, like, a database where I tracked some SH (ph) passwords that we had from our honeypots. 

Dave Bittner: Yeah. 

Johannes Ullrich: (Laughter) So that word came up a lot. It was a little bit annoying. But, yeah, so that's a feature you're looking for. 

Johannes Ullrich: You want to kind of limit what data is being sent to your clipboard. I don't say avoid it. You can't really avoid it because you want to have these complex passwords. So you often do have to copy/paste it. 

Dave Bittner: Right, right. Yeah. Isn't it fascinating how it's that balance, you know, between convenience and security, right? I mean, that's the age-old problem we've got here. 

Johannes Ullrich: I could just have a simple password, put it on a Post-it, and you don't have that problem. 

Dave Bittner: Yeah, stick it to the bottom of your keyboard. 

Johannes Ullrich: Yeah (laughter). 

Dave Bittner: I don't understand what the problem is. Yeah. All right, Johannes Ullrich, thanks for joining us. 

Johannes Ullrich: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed - the nighttime sniffling, sneezing, coughing, aching, stuffy head, fever, so you can rest medicine. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: Be sure to check out our "Research Saturday" program. This weekend, my interview with Craig Williams and Matt Olney from Cisco Talos on their NotPetya and Olympic Destroyer research. It's a good one. That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. See you here next week.