The CyberWire Daily Podcast 2.5.21
Ep 1264 | 2.5.21

Lazarus Group seems to have deployed an IE zero day. Electrobras discloses ransomware attack. TrickBot returns. Breaches at security companies. Russo-American get-to-know-you talks.

Dave Bittner: Lazarus Group seems to have had an Internet Explorer zero-day. Brazilian power utilities disclose a ransomware attack on business systems. TrickBot's back. Automated attacks are going after web applications. Two security firms report breaches. We've got some patching notes. A look at life in the cleared community. Caleb Barlow from CynergisTek on protocols and best practices for handling inbound intel. And Washington and Moscow hold the usual frank discussions. The Americans, at least, talked about cybersecurity.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, February 5, 2021. 

Dave Bittner: In an update to the Lazarus Group's social engineering campaign against vulnerability researchers that Google brought to everyone's attention a week and a half ago, BleepingComputer reports that South Korean security firm ENKI has found a new wrinkle in the campaign. MHTML files the Lazarus Group used in communications with prospective victims carried an Internet Explorer zero-day as a payload.  

Dave Bittner: Microsoft had noticed the use of malicious MHTML files earlier, but now ENKI has confirmed that some of its researchers received approaches that contained them. The attempts were unsuccessful, ENKI says, but they were able to examine the file and identify the zero-day, which they characterize as one that abuses a double-free bug in Internet Explorer version 11. The exploit allows the attackers to upload a list of running processes, screen captures and network information to their command-and-control server. It also drops and executes additional malicious code.

Dave Bittner: ENKI says they reported the zero-day to Microsoft and that they believe other parties have become aware of the exploit as well. 

Dave Bittner: Brazil's Eletrobras, according to Reuters, has disclosed that its nuclear power subsidiary Eletronuclear has sustained a ransomware attack. The word power in the description of a cybersecurity incident is spooky enough. Add nuclear and the flesh begins to creep. 

Dave Bittner: But this incident is said to have affected only business systems, leaving control systems unaffected and posing no threat to safety. Eletrobras has taken steps to contain the damage to its administrative systems, suspending, reports say, the use of some unspecified software, and the authorities have the matter under investigation. 

Dave Bittner: Since attackers have in the past shown an ability to pivot from business networks to control system networks, any ransomware attack on a power utility is to be taken seriously. In this case, Eletrobras seems confident that it's contained the damage. 

Dave Bittner: Kryptos Logic says it's found that TrickBot is deploying a new reconnaissance module, masrv, which uses the Masscan open-source tool, an unreferenced Anchor C2 communication function and a list of hardcoded IPs which have previously been associated with Anchor and Bazar. 

Dave Bittner: Two versions of masrv are in use, and the one the attackers select is determined by the version of Windows the prospective victims are using. 

Dave Bittner: TrickBot's return is another bit of foreseeable, dismal news. TrickBot was clobbered pretty hard back in October, when Microsoft led a consortium to take down its infrastructure. FS-ISAC, ESET, Lumen's Black Lotus Labs, NTT and Symantec were the other companies on board for the whacking. The honorable whackers - and sincerely, bravo to them because it's a necessary whack - warned at the time that takedowns of this sort don't last forever and that they'd be on the lookout for a return. And, of course, TrickBot has returned, with Menlo Security warning just last week that they were seeing signs of the revenant malware. 

Dave Bittner: Barracuda Networks yesterday released a report on automated attacks on web applications, a problem the security firm sees as a growing one. Automated attacks, Barracuda explains, are incidents in which bots work to exploit vulnerabilities in web apps. 

Dave Bittner: Of the attacks Barracuda detected, almost one in five were fuzzing attacks, looking for points where applications can be exploited. Injection attacks came in second at over 12%, and the researchers say that a lot of those were script kiddie-level noise, attacks being thrown at an application without reconnaissance to customize the attacks. A close third, also right around 12%, were bots masquerading as legitimate bots - and there are such things, like Googlebots. Nine percent of the attacks were engaged in application DDoS. 

Dave Bittner: There's a bit of a silver lining in Barracuda's report. Users appear to be migrating to newer, updated and more secure browsers. 

Dave Bittner: The version of Chrome Google released yesterday includes a fix for a vulnerability being actively exploited in the wild, ZDNet reports. In other patching news, SolarWinds has, according to CyberScoop, released fixes for the two vulnerabilities Trustwave reported this week. SolarWinds advises users to apply the patches as soon as possible. 

Dave Bittner: One of those automated attacks hit security firm Emsisoft, well-known for its work against ransomware. On Wednesday, one of its test systems was breached. The company still has the incident under investigation and is working out the nature and extent of the compromise, but for now, the data taken appears to consist mostly of technical logs Emsisoft's endpoint protection system produces in the course of normal operations. 

Dave Bittner: The company said in a disclosure, quote, "the attack profile indicates that this was an automated attack and not specifically targeted at Emsisoft. Also, our traffic logs indicate that only parts of the affected database were accessed and not the entire database. However, due to technical limitations, it's impossible to determine exactly which data rows were accessed," end quote. Investigation remains in progress. 

Dave Bittner: Airbus security subsidiary Stormshield has also disclosed a breach. In this case, the breach occurred in a technical portal that Stormshield's partners and customers use to manage their support tickets. They've alerted both the affected parties and French authorities.

Dave Bittner: The company also found that some of their source code had been accessed by the threat actor. Investigation is still in progress, but Stormshield says that it's found no evidence that any of its code had been altered. 

Dave Bittner: Bravo, Bitdefender, who've released a decryptor for Fonix ransomware. The gang is thought to have shuttered its operation late last month, but there still may be recovering victims out there. 

Dave Bittner: And finally, it seems the new US administration has been on the horn to the Kremlin. The US Secretary of State and his Russian counterpart talked yesterday. Among the matters they discussed was, predictably, cybersecurity. Secretary Blinken told them to knock off stuff like the SolarWinds mischief. Foreign Minister Lavrov probably said that they didn't do nothin', or at least that would be the implication of the silence of Moscow's official press release on the matter.

Dave Bittner: What that press release did say was, more or less, besides, you're just as bad as us, Yankee. You're complaining about this Navalny guy? Hey, what about those people who protested the election of your boss, huh? Huh? You got your laws, and we got ours. 

Dave Bittner: What's it all mean? Probably diplomatic business as usual. 

Dave Bittner: This Sunday, we are releasing a special edition Women in Cyber Security podcast called "Creating Connections." In anticipation of that program, my guest today is a woman working in the cleared community for Northrop Grumman. Because of the nature of the work she does, she's requested we not name her, and we respect that request. She's got valuable insights to share on what it's like balancing a career with a security clearance. 

Dave Bittner: What is it like being in the cleared community? I mean, I think - you know, I grew up in the Fort Meade area. And I remember, you know, a lot of parents of friends of mine, if you asked them what they did for a living, they would just say, I work for the government. And that was it, right? 

Dave Bittner: And everybody kind of knew not to pursue it any farther than that. I mean, that comes with the territory, right? I mean, you are limited - the avenues of conversation at cocktail parties might be limited for you.

Unidentified Person: Well, you know, actually, it's spectacular. I mean, there is absolutely nothing sexy or interesting if you decide to go to a cocktail party and you say, well, I do math for a living, because then everyone tells you how they don't know how to balance their own checkbook. 

Dave Bittner: I see. 

Unidentified Person: Or they say, oh, man, math - ooh, that sounds difficult. But actually, I find working in the cleared space somewhat liberating, even at cocktail parties, if only because I have to talk about things that are not my job (laughter). And also, it's a reason for me to ask people what they do, if they're really keen on talking about it. 

Unidentified Person: So, you know, it does - I think one of the challenging things about working in this space is that there is this bifurcation in your life. You have work, and you have not work. And I think that - I mean, I'm very thankful. So my husband understands the space. He's been in the Air Force now for 18 years. So I'm very fortunate in having a life partner who understands that I really can't talk about what I do and that there's this - you know, there is a difference between who I am at home and what I can talk about at home and then what I do at work. 

Unidentified Person: So I think if people aren't - there's all kinds of reasons why people might not be comfortable with that, but I find it comfortable and also comforting in some ways. It's nice to be able to leave work at work (laughter) some days. And, you know, as I like to joke, you know, we're not doing television. So it's - sometimes it's just really good to come home, put work away and remind yourself why you're doing the things you're doing. 

Dave Bittner: What about professionally? Is there a risk of finding yourself in a bit of a bubble? Because you're limited in who you can talk to, who you can bounce ideas off of, is that something you have to be deliberate about, of making sure that you - within that community, that you have enough diversity of thought to still be able to do the things that you need to do? 

Unidentified Person: Yeah, no. I think that's, you know, that's a great question. And I think you do - I don't want to say that you risk becoming stale, but I think that one of your responsibilities, especially when you participate in what is an insular community, it is your responsibility as part of your, you know, professional development to do as much as you can to research outside of that community. 

Unidentified Person: Because - like, so for myself, I came from an academic background, where, you know, you're going to conferences, you're having conversations, you're publishing papers, you're sharing ideas, right? And those papers could be formal, peer-reviewed papers or white papers. And you don't have those same opportunities. The problem space is appreciably different. And so, you know, I think one of the challenges is you have to find ways outside of your day-to-day work to stay involved - in my case, in staying up to date on what are the most advanced methodological techniques, what is considered cutting-edge. 

Unidentified Person: And I have to go outside - often outside my work to have those conversations. It just means that, you know, that when I have to think about methods and think about application, I have to immerse myself in another content area in order to do that exploration. So it's a little bit of extra legwork, but it's actually something that I don't mind doing. 

Dave Bittner: What are your recommendations for folks who are feeling drawn to this area, you know, those people who are really mission-focused, who feel as though they want to give something back? Do you have any words of wisdom for them? 

Unidentified Person: You need to know what you bring to the table, and you also need to understand your own limitations. So you need to be able to talk about what you know, and you need to be equally articulate about what you don't know and what you aren't - it's not that you're not capable of doing it, but understand that there's other people whose expertise might be more valued, and so understanding your own limits. 

Unidentified Person: In the context of cyber - right? - there's a lot of buzzwords there - data science and cyber, and it sounds really sexy and it's, you know, it's new and it's interesting. And everybody wants to do 18,000 things, you know? And so when somebody approaches you and they say, oh, can you do - right? - X, Y or Z, can you answer these problems, you want to say yes. You want to say yes, and you want to say, you know, I'll just quickly brush up on some things, or I could learn that. 

Unidentified Person: You know what? You can't know everything. And it's really OK to say no. And it's OK to say, you know what? Those are not problems I'm interested in, but here's where I think I can help you. And I think part of being mission-focused is embracing that it's not about you, right? It's not about what you bring to the table. It's about the table that you're sitting at and understand - right? - what your contribution is. 

Dave Bittner: Our thanks to our guest and to Northrop Grumman for taking the time for us today. Be sure to check out the "Creating Connections" show. It'll be released this Sunday. And I'm pleased to be joined once again by Caleb Barlow. He is the CEO at CynergisTek. Caleb, it's always great to have you back. I wanted to talk about incident response plans, runbooks and how do you successfully implement those if you have to deal with things like disinformation? 

Caleb Barlow: Well, Dave, this is the new thing that I'm having a lot of discussions with clients about - is how do I deal with disinformation in my runbooks? And, you know, it doesn't sound like something that security professionals would normally have to think about. But just look at what went down in the election cycle, right? 

Caleb Barlow: And without getting into all the politics of this, you know, if we look at what CISA had to do and Chris Krebs, they spent a couple of years preparing plans for what might happen if someone tries to break trust in the election cycle and, most importantly, how do we deal with this information and ensure that we can instill trust in that ultimate vote? 

Caleb Barlow: Well, the same thing holds true with any critical system. And we're starting to see more and more examples where a cybersecurity incident is just the catalyst that causes all these disinformation campaigns to take off. And, you know, we're in a world today where there are legitimate media outlets that help to propagate this. There are illegitimate media outlets that help to propagate this. And then, of course, there's the world of social media. 

Caleb Barlow: So if your company is breached and something significant happened, the old adage of say nothing until you know what's going on might not be the best strategy. Maybe you need to get out there early so that you control the message. 

Dave Bittner: Because if you don't, surely someone else will. 

Caleb Barlow: Well, let's take a look at the recent example of the SolarWinds breach, right? So, you know, likely nation-state actor, likely attributed to Russia. And within a few days, you actually have, in this case, even the president of the United States arguing with his own administration, well, maybe it's China, right? I mean, that's just... 

Dave Bittner: Yeah. 

Caleb Barlow: ...Not helpful in this kind of dialogue. Now, again, let me extract this back out of the politics, just using the politics as the example. 

Dave Bittner: Yeah. 

Caleb Barlow: What would happen if, let's say, your company allegedly had a breach that caused somebody to die or caused some horrible implication - right? - that may or may not be true? The opportunity for runaway in that dialogue is significant in this new world. And you've got to have a way to be in front of that. 

Caleb Barlow: So what does that mean? Well, cybersecurity professionals really need to get to know crisis communicators, how to build things called holding statements, where, you know, you can kind of hold the press dialogue with an early statement of what's going on, add more details to it. You've got to know your media outlets. Use your employees to help push out social media messages, versus what we see in most cases is employees pushing out, you know, the picture of the ransomware screen. Hey, this just happened at work. What does this mean?

Dave Bittner: What about internally? How do you get everybody on the same page there, 'cause they're going to be seeing inbound stuff, they're going to be seeing all the rumors and all that stuff online? 

Caleb Barlow: Well, this is probably the most critical thing is making sure you have a known pathway for internal communications. And also, you know, we've talked about this before on the CyberWire. I like to see a commander's intent as well. So when something occurs, your employees know, hey, there's a cybersecurity incident going on. I know immediately what to do. And that is not post pictures of what's happening on social media, right? That's defer people to my communications team. That's to make sure that when we speak externally, we speak with one voice, and that one voice had better be transparent. 

Dave Bittner: Is this something - well, you and I always talk about, you know, you got to plan for this stuff ahead of time. The worst possible situation is to be reactive when you're in the heat of the moment and everything's emotional. You know, you got to practice this stuff ahead of time. How does an organization know when they're able to handle something like this internally versus where, hey, we got to get some help from outside? 

Caleb Barlow: Well, I mean, I think the answer to that is simple. You need to get some help from the outside. I mean, not to sound flippant in my response to that, Dave... 

Dave Bittner: Yeah. 

Caleb Barlow: ...But this is a defined swim lane. You know, people that are good at crisis communications - it is an art form. And unfortunately, it is not your VP of marketing, right? 

Dave Bittner: Right. 

Caleb Barlow: So, yeah, get some help from the outside. And that doesn't mean you've got to go spend hundreds of thousands of dollars on a, you know, retainer with some big, expensive firm. But it does mean that you've got to think about it in your runbooks. You've got to build these best practices, and you've got to have exercised them ahead of time. 

Dave Bittner: And I suppose, I mean, build that relationship ahead of time where you've already established trust with these folks before the - before you're presented with a smoking hole in the ground, right? 

Caleb Barlow: Well, that's exactly right because one of the biggest problems in most breach responses is executive decision-making. You're up against a human adversary. They can pivot. They can jog. And here's what I've often said to people - right? - is you want to always consider what is your adversary's likely next move, and what is your adversary's likely worst move? And that should inform your decision-making. And what I'm saying now is add one more thing to that, which is what is the market perception likely to be out of this, and how do you get in front of that story? You know, so what is the dialogue that you want out there about this breach? 

Caleb Barlow: You know, let's take a recent example, Dave, of the SolarWinds breach, right? 

Dave Bittner: Yeah. 

Caleb Barlow: I mean, I think all the parties there have been very transparent. As quickly as they knew information, it's gotten out. And this is obviously a very devastating breach. But imagine if the SolarWinds breach, if we were getting that in drips and drabs over three months because those executives involved weren't being transparent. This would be a whole other realm of crisis. 

Dave Bittner: Well, it's important stuff for sure. Caleb Barlow, thanks so much for joining us. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Anticipation. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: Looking ahead to next week, Rick Howard examines AWS through the first principles lens. Colonel Stephen Hamilton from the Army Cyber Institute joins us on Tuesday. On Wednesday, we look at quantifying cyber risk with Saket Modi from Safe Security. Chris Cochran from Hacker Valley Studios is my guest next Thursday, with details on his special titled "We Are Here: Black Excellence in Cyber." And next Friday, it's David Barzilai from Karamba Security on why IoT security matters more than ever. Lots to look forward to. We hope you'll join us. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.