The CyberWire Daily Podcast 1.12.21
Ep 1247 | 1.12.21

Cyberespionage campaign hits Colombia. New malware found in the SolarWinds incident. Mimecast certificates compromised. Ubiquiti tells users to reset passwords. Two wins for the good guys.


Dave Bittner: A cyber-espionage campaign so far not attributed to any threat actor continues to prospect government and industry targets in Colombia. A new bit of malware is found in the SolarWinds backdoor compromise. Mimecast certificates are compromised in another apparent software supply chain incident. Ubiquiti tells users to reset their passwords. A brief Capitol Hill riot update. Bitdefender releases a free DarkSide ransomware decryptor. Ben Yelin revisits racial bias in facial recognition software. Our guest is Jessi Marcoff from Privitar on the trend toward chief people officers. And Europol announces the takedown of the DarkMarket.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, January 12, 2021. 

Dave Bittner: Researchers at security firm ESET report a targeted malware campaign, Operation Spalax, which they say is active against targets in Colombia, which they evaluate as having some form of espionage as its goal. Both government organizations and private companies figure among the targets. The companies being hit have, for the most part, been in the metallurgical and energy sectors. 

Dave Bittner: The campaign uses RATs, remote access Trojans, and the threat actor uses what ESET characterizes as a large network infrastructure for command and control. The researchers count at least 24 different IP addresses that were in use during the second half of 2020, most of which probably represent compromised devices that function as proxies for command-and-control servers. The threat actor also uses dynamic DNS services, and this, in combination with the range of IP addresses, renders their operational infrastructure a moving target. ESET says, quote, "we have seen at least 70 domain names active in this time frame, and they register new ones on a regular basis," end quote. 

Dave Bittner: While the researchers see some possible connections with campaigns against Colombia observed by Qianxin in 2018 and Trend Micro in 2019, ESET has insufficient evidence to offer even a tentative attribution. They can say that the targeting is confined to Colombia, that the threat actors use a complex and shifting infrastructure and that whoever's behind Operation Spalax gets their malware from a third party. 

Dave Bittner: Security firm CrowdStrike late yesterday announced the discovery of a malware implant, Sunspot, associated with the Sunburst backdoor that's afflicted SolarWinds' Orion platform. They see Sunspot as malware that's been used since September 2019 to insert the Sunburst backdoor into Orion software builds. Sunspot monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the Sunburst backdoor code and in doing so takes care to keep Orion builds from failing, lest the compromise betray itself to developers. 

Dave Bittner: CrowdStrike hasn't reached any firm conclusions about attribution. They're tracking the incursions as the StellarParticle activity cluster. CrowdStrike says in their blog post, quote, "the design of Sunspot suggests StellarParticle developers invested a lot of effort to ensure the code was properly inserted and remained undetected." They added that the threat actors "prioritized operational security to avoid revealing their presence in the build environment to SolarWinds developers," end quote. The details CrowdStrike provides in their account of Sunspot afford an interesting look at how a software supply chain attack is staged and maintained. 

Dave Bittner: So who's responsible for Solorigate? The security firms who've been looking into it have been commendably cautious about the attribution. The U.S. government, however, part of whose business is, after all, to figure out who's out there doing the spying, has, of course, concluded that it's a foreign intelligence service, likely Russian in origin, but it hasn't so far pinned responsibility on any specific group or organization. 

Dave Bittner: Media reports have so far focused on either the SVR or the FSB, both successor agencies to the KGB and associated with units who've received the cute Huggy Bear names of Cozy Bear or, more menacingly, Venomous Bear. In truth, the quiet, low profile of the operation doesn't seem to fit the GRU's noisy and assertive style, so no one has really seen Fancy Bear's pawprints in the operation. 

Dave Bittner: ZDNet has a quick scorecard of cautious and preliminary attribution by security companies. Microsoft and FireEye have called the actor UNC2452. Volexity calls it Dark Halo. And CrowdStrike, as we mentioned, is tracking it as StellarParticle. 

Dave Bittner: Kaspersky said this week it's discerned code similarities between the backdoor threat actors installed in SolarWinds and another backdoor, Kazuar, which had been used by the threat group Turla, also known as Venomous Bear and a lot of other names. But Kaspersky is also cautious and points out that imitation, false flags, common suppliers and former employees now working for another outfit are alternative explanations for the code overlap. Whoever was behind the operation, it remains a very large and very damaging one. 

Dave Bittner: Mimecast warns that a sophisticated threat actor has compromised a Mimecast-issued certificate used to authenticate some of its products to Microsoft 365 Exchange Web Services. The products involved include Mimecast Sync & Recover, Continuity Monitor and IEP. The incident affects about 10% of Mimecast's customers, who've been asked to immediately delete the existing connection within their M365 tenant and reestablish a new certificate-based connection using the new certificate Mimecast has made available. The risk of compromise is that the unidentified threat actor could intercept email traffic. 

Dave Bittner: It's another form of software supply chain compromise. Reuters said late this morning that three distinct security researchers, speaking on condition of anonymity, told the wire service that they believed it likely that the same actor behind Solorigate was responsible for the Mimecast incident. 

Dave Bittner: IoT and Wi-Fi vendor Ubiquiti yesterday disclosed a data breach, saying that its IT systems were accessed through a third-party cloud provider. Ubiquiti recommends that customers change their passwords and enable two-factor authentication. 

Dave Bittner: The mob attack on the US Capitol last Wednesday remains under investigation, as investigators sort out responsibilities and identify rioters. A quasi-vigilante scraping and archiving of Parler data by private researchers has preserved much of that platform's traffic. This is being widely reported as a hack, but that seems incorrect. Apparently, the data collected were all publicly posted and available. The story is developing, and we'll have more as it emerges. 

Dave Bittner: In the meantime, we close with two bits of good news. First, bravo, Bitdefender, which has released a free decryptor for DarkSide ransomware, the work of a phony Robin Hood gang that claimed from a very high horse to donate part of its very large criminal take to various good causes. Good riddance to them. And again, bravo, Bitdefender. 

Dave Bittner: And second, good riddance to DarkMarket. Europol announced this morning that an international law enforcement operation has taken down DarkMarket, generally held to have been the internet's largest dark web contraband market. German authorities took the lead in the investigation, with partners from Europol, Australia, Denmark, Moldova, Ukraine, the United Kingdom and the USA. DarkMarket's wares consisted mostly of drugs, counterfeit currency, pay card information and malware. Bravo to Europol and everyone else who cooperated in the takedown. 

Dave Bittner: What's in a name? Or specifically, what's in a title? And does it matter if we refer to someone as a janitor versus a sanitation engineer, a solutions architect versus a salesperson? How about titling someone the head of HR versus chief people officer? Jessi Marcoff is chief people officer at data privacy firm Privitar. And she makes the case that, yep, in this case, it is a distinction with a difference. 

Jessi Marcoff: So HR's definitely an interesting topic because I think over the last, really, 45 years, but really the last 10 years, this space has changed quite a bit. And you hear a lot of tech organizations calling it the people function or people operations versus human resources or HR. And I think that's rapidly increasing because of folks that are coming into the workforce, especially in the tech space. 

Jessi Marcoff: HR's typically known as, essentially, protectors of the top, or they act as a sifter or police sort of function. And I think that that's changing quite a bit. It's really focused more on engagement and how do you become the bridge between the company and employees, both from a communication perspective and just how you enable them to do their job better and set clear goals around that. And so I think because of that shift in mindset, there's been more of a need for this role at the top. And really, the value that this group brings to an organization, I think, is becoming more recognized, which is fantastic. 

Dave Bittner: Yeah. I'm also intrigued by the choice of wording here to call the title chief people officer rather than chief of human resources. You know, is that a deliberate signaling of a shift in the way that this position interacts with folks throughout the organization? 

Jessi Marcoff: The idea is the verbiage is changing because we're not just looking at our humans, our people as resources from a cost perspective. I think we very much are looking at our people as our biggest asset. And I think that you're seeing that in some of these titles. 

Jessi Marcoff: I mean, there's all kinds of really exciting and fun titles in the space that are specific to engagement tactics, which at the end of the day, again, if people are sticking around for a few years, how do you get them to be at their best? So, yeah, there's definitely a shift in just even what we're calling the space. 

Dave Bittner: And how do you make the case to organizations who may not put their HR folks at this level? What are the key benefits that you see for them to elevate this position this way? 

Jessi Marcoff: Well, I think it's really important to recognize, again, that when you think about your largest assets within the organization, it's your people. And I think collecting that information and data - I mean, at the same time, we're using people data all the time to make decisions. 

Jessi Marcoff: And so I think if, on one hand, if you can show the benefits of retaining really good talent and the actual business outcomes that are associated with that, it's really about showing the value. And I think that that's really important that it goes beyond just what are we providing to employees from an engagement perspective, but how are we enabling people? How are we actually getting the most out of them and setting really clear expectations and really getting them jazzed to be a part of the organization? 

Jessi Marcoff: So I think if you can show really clear time to value, essentially, like you would a customer and a product - I think if you can kind of look at it through that lens, it's a no-brainer. 

Dave Bittner: That's Jessi Marcoff from Privitar. 

Dave Bittner: And I'm pleased to be joined once again by Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: You know, on one of our recent "Caveat" episodes, you and I were talking about facial recognition software and the ongoing challenges there. You highlighted an op-ed from The Washington Post that was pointing out some of the limitations, how several people had been unjustly accused based on inaccurate facial recognition software and how there is undoubtedly a racial bias issue that's going on here. 

Ben Yelin: Yes, yeah. So, you know, we've had a few - several high-profile incidents in the past year or so where facial recognition has falsely identified individuals who have been arrested and prosecuted, and all of these individuals are Black men. So it's clear we have a pretty big institutional problem here where whatever is happening with facial recognition and artificial intelligence, it's misidentifying Black men at a relatively high proportion. And this is a policy problem that we're going to have to fix kind of at all levels of government... 

Dave Bittner: Yeah. 

Ben Yelin: ...Starting with the technologists who are creating these algorithms, but then, you know, the local police departments that are using them. So it's becoming a serious problem. I think the Washington Post op-ed was wise in saying, you know, we need to hit the pause button on the use of this technology until we figure out exactly what's going on here. 

Dave Bittner: Well, when I saw you sharing that story, it reminded me of another study that I'd seen come by. This is from last year in 2020. It was a study done by Georgia Tech. And it was about, basically, self-driving cars, these automated vehicles, that do not do as good a job detecting pedestrians with darker skin as they do with pedestrians with lighter skin. 

Dave Bittner: The study from Georgia Tech found that consistently, the - these systems were between 4% and 10% less accurate when they encountered images of human figures with the darker skin shades. So, you know, again, not to sound flippant, but as we said over on "Caveat," not only are you more likely to be unjustly charged based on facial recognition, you might get run over by a car. 

Ben Yelin: Yeah. I mean, another thing we talked about on "Caveat" is we have, you know, a long history in this country of institutional racism. And you'd think the tools of technology might be used to cut against, you know, some of these historical biases. But now we have two instances here where technology is actually making things worse from a racial equity standpoint. 

Dave Bittner: Yeah. 

Ben Yelin: And, you know, this story - or this study from Georgia Tech is, I think, important because of the tangible impact. I mean, if you have technology that's 4% to 10% less likely to identify people with darker skin pigmentation, when we're talking about driverless cars, that means cars are going to be more likely to hit those types of pedestrians. 

Dave Bittner: Yeah. 

Ben Yelin: I mean, that's the consequence that's going to happen here. And, you know, I think some of this is clearly human error. It's - the training dataset for this type of technology had used roughly 3.5 times more examples of white individuals compared to people with darker skin pigmentation. So, you know, it's not exactly surprising that these driverless cars are better at avoiding, you know, the type of faces that they've spent more time learning about, so to speak. 

Dave Bittner: Yeah. 

Ben Yelin: And, you know, this is a policy problem and an institutional problem that we have to fix. Yes, you know, people with darker skin pigmentation might be a minority, but you have a large enough subsample that you can, you know, put together a robust dataset and make sure that these types of discrepancies don't exist. 

Dave Bittner: You know, I'm no expert when it comes to how you train an AI, so I'm speaking out of turn here. But I could imagine someone coming at this and saying - looking at the racial breakdown of a community and saying, OK, we're, you know, 50% white, we're 30% African American, we're, you know, 15% Asian, whatever - however those numbers add up, whatever the reality is - and say, I'm going to use those percentages on my training data. 

Dave Bittner: And at first blush, that would seem to be a sensible thing to do. But it's not because what you end up with is, like in this case, you end up with a system that's - a safety system that's not as good at protecting your less represented groups of people. 

Ben Yelin: Right. I think now that we know that these artificial intelligence system have these biases, we have no excuses, you know - orchestrating machine learning, we have no excuses to, you know, not take racial equity into consideration anymore because we have this knowledge now. We know this is a problem that exists. 

Dave Bittner: Right. 

Ben Yelin: So we can no longer ignore it. 

Dave Bittner: Yeah, yeah. All right, well, it's an interesting study. Again, it was from Georgia Tech. Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you so much. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Remember the times of your life. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.