The CyberWire Daily Podcast 2.17.21
Ep 1271 | 2.17.21

US warns of DPRK threat to cryptocurrency holders, and indicts four on conspiracy charges. Centreon says Sandworm affected unsupported open-source tools. Big Hack skepticism. Patch notes.


Dave Bittner: High Bitcoin valuation draws the attention of cybercriminals, and a number of those criminals work for Mr. Kim of Pyongyang - alleged criminals, we should say. Centreon offers an update of its investigation of the Sandworm incident ANSSI uncovered. Reports of The Big Hack are received with caution. Patches applied, pulled and replaced. Joe Carrigan describes a legal dust-up between Proofpoint and Facebook over lookalike domains. Our guest is Sinan Eren from Barracuda Networks on their state of cloud networking report. And Florida's water system cyber sabotage provides a good reminder to stay away from unsupported software.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, February 17th, 2021. 

Dave Bittner: Criminals respond to market pressures and chase market opportunities as much as do participants in legitimate trade. Kaspersky published a study yesterday that sees a shift in the focus of much criminal activity over the latter part of 2020. One of the incentives the underworld saw late in the year was a significant rise in the value of Bitcoin, and so criminals repurposed much of their infrastructure away from less lucrative efforts - notably distributed denial-of-service attacks - and turned to coin mining. That's where the money has been. 

Dave Bittner: Among the criminals who took note were the state-sponsored hoods being run from Pyongyang - that is, the North Korean threat crew the U.S. calls Hidden Cobra. Cybercrime has long been attractive to the DPRK as the Kim regime seeks to redress its general economic failure and sanctions-driven isolation from international markets. In this case, however, Hidden Cobra is more interested in direct theft than it is cryptojacking - that is, installing coin miners on noncooperating systems. 

Dave Bittner: This morning, the US Cybersecurity and Infrastructure Security Agency issued a joint alert with its partners in the FBI and the Department of Treasury, the alert's goal being to highlight the cyberthreat to cryptocurrency posed by North Korea and provide mitigation recommendations. 

Dave Bittner: The tools Hidden Cobra has used in this campaign are collectively referred to as AppleJeus. The alert explains, quote, "the North Korean government has used multiple versions of AppleJeus since the malware was initially discovered in 2018. Initially, Hidden Cobra actors used websites that appeared to host legitimate cryptocurrency trading platforms to infect victims with AppleJeus; however, these actors are now also using other initial infection vectors, such as phishing, social networking and social engineering techniques, to get users to download the malware," end quote. 

Dave Bittner: So trade with caution and armor yourself with appropriate skepticism in the face of social engineering. 

Dave Bittner: The US Justice Department has gone one better than simply participating in a joint alert. The Washington Post today reported that Justice has unsealed charges against three North Korean espionage officers. They're accused of conspiring to steal and extort more than $1.3 billion in cash and cryptocurrency from banks and businesses around the world. The conspirators are alleged to have been active since 2014, at least, and to have pursued a state policy of revenue enhancement with a bit of revenge thrown in. 

Dave Bittner: The indictment was filed on December 8, 2020, in the US District Court of Los Angeles. The three defendants are identified as belonging to the North Korean Reconnaissance General Bureau - the RGB - intelligence service. It's noteworthy, perhaps, that the three were sometimes posted outside of the DPRK itself, including tours in China and Russia. 

Dave Bittner: The range of what the Justice Department press release calls schemes is indeed impressive. The list of criminal activity alleged in the indictment includes some familiar and famous capers, including cyberattacks on the entertainment industry - that includes the famous November 2014 Sony Pictures hack; cyber-enabled heists from banks from 2015 through 2019 - these involve fraudulent SWIFT transfers from banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta and various African countries; cyber-enabled ATM cash-out thefts; ransomware and cyber-enabled extortion, including creation of WannaCry 2.0 in May 2017; creation and deployment of malicious cryptocurrency applications; targeting of cryptocurrency companies and theft of cryptocurrency; spear-phishing campaigns and, finally, marine chain token and initial coin offering, a 2017 and 2018 scheme that sought to evade sanctions by peddling fractional ownership in maritime fishing vessels. This operation was, of course, supported by a blockchain. 

Dave Bittner: A Canadian resident has also been charged with abetting the conspiracy with money laundering. Centreon, a firm whose IT resource monitoring tool France's ANSSI identified as compromised in what appears to be a Russian operation, yesterday provided an update on its own investigation. The software in question is an older version of the tool that's been unsupported for the last five years. There have been eight updates since that version reached its end-of-life. The company says that none of its current customers were affected and that the 15 entities that were afflicted by Sandworm's backdoor were all using open-source versions of the obsolete software. 

Dave Bittner: ZDNet reports that the backdoor found in the open-source version of Centreon software was Exaramel, a malware that bears some similarity to Industroyer. ESET offers some background and context, describing how they found Exaramel at the heart of Industroyer during their 2018 investigation of Russia's 2016 cyber sabotage of Ukraine's power grid. As BleepingComputer reports, it's unclear how the threat actor succeeded in compromising the software. 

Dave Bittner: Fortune summarizes the current state of opinion about Bloomberg's renewal of its story on alleged discovery of Chinese hardware backdoors into Supermicro chips. Fortune notes that the current version relies on secondhand and anonymous sources, which, according to Fortune, does not inspire confidence. 

Dave Bittner: It's a curious story that Bloomberg first ran in October 2018. Supermicro has vigorously disputed the report, most recently in a statement it issued this week, and industry sources cited in the initial article did not confirm their statements when queried by other media outlets. U.S. government officials said in 2018 that they had seen no evidence of the compromise Bloomberg reported and that they would welcome being shown evidence that it had occurred. The present version of the Big Hack story is being received by most observers with a heavy dose of caution. 

Dave Bittner: Some news on patches and updates. 

Dave Bittner: Microsoft has pulled one of its Patch Tuesday fixes for Windows 10, version 1607 and has issued an update to replace it. 

Dave Bittner: CISA yesterday issued four new advisories on control systems. The affected products include the HAMILTON-T1 ventilator, the Open Design Alliance Drawings Software Development Kit, Rockwell Automation's Allen-Bradley MicroLogix 1100 Programmable Logic Controller and WAGO M&M Software fdtCONTAINER (Update B). 

Dave Bittner: Authorities in Florida continue their inquiry into the Oldsmar water utility cyber sabotage incident, but beyond expressing the hope that they'll be able to discuss the attack more once the investigation is complete, they've had little to say. Water systems in other parts of the U.S. continue to look to their defenses and seem to be using recent federal advice as their guide for doing so. 

Dave Bittner: Sinan Eren is VP of Zero Trust Access at Barracuda Networks. He joins us with takeaways from their recently published report on the state of cloud networking. 

Sinan Eren: I mean, it's always helpful, you know, for us to have a cohesive product strategy looking into the future - you know, what our customers want, whether their infrastructure has been, you know, as we predicted, has been, you know, shifting away from on prem and data centers to cloud infrastructure - called the cloud infrastructure. So it's always helpful to probe, you know, a diverse set of customers and, you know, organizations and all verticals coming from different compliance and regulatory frameworks to find out, you know, what its future looks like for them, what the digital transformation looks like for them and how they're going on about it. 

Dave Bittner: So what were some of the key findings here? What were some of the things that stood out to you? 

Sinan Eren: Yeah. I mean, one of them actually stood out impressive in a sense that I wasn't expecting to hear that, but more than three-quarters of the participants, the organizations mentioned that they use multiple cloud providers. To be completely fair, I mean, and transparent here, I always assume that you kind of take a bet - right? - Microsoft Azure, Amazon Web Services. To hear that, you know, three-quarters of organizations have multi-cloud meaning that they kind of pick the best for whatever the functionality and the service that they're looking for - whether it's storage, whether it's computer networking, they pick and choose. They pick and choose whichever is more optimized. Whichever offers the best SLAs and best quality of service, they tend to go with that, which was refreshing, and it's brilliant. But at the same time, it was surprising. 

Dave Bittner: Yeah, fair enough. What were some of the other things that stood out to you? 

Sinan Eren: I would say that, also, this was a positive surprise, and it was nice to hear that about 90% - 89% to 90% of the respondents say that they understand the shared responsibility model when it comes to cloud security. You know, when they're using Amazon, Microsoft or Google, they know that the vendors are responsible for the security of the cloud infrastructure itself, right? But then they are responsible for the security and the posture and management of everything that they put on the cloud, right? So that's - unfortunately, a lot of the breaches came through, you know, misconfigurations in the cloud and all kind of customer-driven, perhaps, I would say, perhaps not quite understanding their responsibility model. We've been hearing data breach after data breach over the years, but it seems like it's finally that folks are aware that the responsibility is shared between - infrastructure security is on the vendor, and how you configure and how you protect the data and the configurations that you upload to the cloud is the customer's responsibility. So that's refreshing to hear. 

Dave Bittner: Yeah, you mentioned the fact that there was so much multi-cloud use was a bit surprising. Was there anything else that was unexpected when you read through things that you weren't looking - you weren't expecting? 

Sinan Eren: One other thing. I mean, I was, you know, I would say that we all have a healthy bit of skepticism about SaaS applications scaling super fast. You know, take your mail and productivity suites or your favorite CRM. So we heard from our 800 participants that they endure latency, and they were not very happy with the performance, right? So there could be many reasons. This was taken back in October 20, 2020, this survey. And of course, shelter-in-place and lockdown was in full force. So there might be an outcome based on that that our basic utilities were not meant to take on this - a lot, you know, super increased load of everybody working from home and hitting Salesforce or Office 365. But we did hear 70% of the participants mentioning that their SaaS workloads seem to endure a lot of latency. 

Dave Bittner: That's Sinan Eren from Barracuda Networks. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Interesting story from the folks over at ZDNet. This is written by Catalin Cimpanu. And it's titled "Proofpoint sues Facebook to get permission to use lookalike domains for phishing tests." What's going on here, Joe? 

Joe Carrigan: So what has happened is Proofpoint has a phishing test product that they offer to companies, right? This is a product to increase security awareness for the employees. And they'll send links out to people that, when they click on them, the people will see a message that says, OK, you just clicked on a phishing link. It's... 

Dave Bittner: Right. 

Joe Carrigan: But these domains look very much like Facebook domains. In fact, they are - one of them is, which is just Facebook login without the E. Another one is really good. This one actually made me look twice in the text of the article. It's And now, from looking at it here with my old eyes, old man eyes, this looks to all the world like Instagram. I mean, the R and N at the end make that M. And when I look at it, I see Instagram. It's a good name. 

Dave Bittner: Right. Right. 

Joe Carrigan: They also have and Now, Facebook is using a process called UDPR. And that stands for uniform domain name dispute resolution. And that is where they make a request to get control of the name, the domain name from the registrar under the auspices that this is somebody acting in bad faith and somebody trying to impersonate Facebook, right? 

Dave Bittner: Right. 

Joe Carrigan: Or Facebook intellectual property. Now, here's the thing, Dave. I don't know where I come down on this one, right? Because Proofpoint has a good point that they didn't register these in bad faith. They're not harming anybody by using them. They're actually using it for education. 

Dave Bittner: Right. Right. Maybe better for Proofpoint to have them than have them be available to a bad guy. 

Joe Carrigan: Exactly. But Facebook has a good point here. But these are still out there and available and Facebook doesn't control them, right? So what happens if Proofpoint, let's say - I don't wish this on Proofpoint. I don't have any - I don't think this is going to happen. But let's say Proofpoint gets acquired - right? - and that business gets shuffled off. And they stop renewing those domains. Those domains become available for anybody. 

Dave Bittner: Right. 

Joe Carrigan: Right? I wonder if there's a resolution here where Proofpoint could say, you know what, Facebook? We will reach an agreement. We'll reach a settlement here. We'll give you these domains. These will become your domains as long as we can continue to use them in our phishing exercises in an agreement for as long as we're a company and we never use them maliciously. 

Dave Bittner: Yeah, yeah. It's - you know, this can be a prickly thing where, you know, we've seen examples of folks, companies spinning up some of these fake phishing examples where they've used things like where they've said click here for your Christmas bonus. 

Joe Carrigan: Right. 

Dave Bittner: And it's a phishing test. And on the one hand, it's compelling, right? Everybody wants a Christmas bonus. But on the other hand, in the midst of a pandemic, when there's lots of bad things going on, getting someone excited about a Christmas bonus that does not exist... 

Dave Bittner: Right. 

Dave Bittner: ...It's not very sporting to do. 

Joe Carrigan: Yeah, that is not very sporting. I think that's bad form in these phishing tests. But I think these phishing tests actually target social media, right? Like, there was a phishing test I got one time that - it was just somebody going, hey, is this you on Instagram? And it was just a link in the - you was highlighted. And I moused over the link, and I was like, that's not Instagram. But if somebody said, is this you on Instagram and used one of these Instagrarn things - and I said while reading the article, I couldn't tell the difference. I couldn't tell. It looked to me like Instagram. The only thing that would have tipped me off is a top-level domain being .net, .org or .ai and then instead of .com, which I know Instagram is This is an excellent tool for people. It could further increase the granularity. And it's not that malicious or - I don't know, I wouldn't say malicious, but ill-planned idea of saying, hey, look at your Christmas bonus. And then now the employee's really mad that, first off, they got caught by a phish test. And second, and more importantly, there is no Christmas bonus. You're just enrolled in the Jelly of the Month club now. So... 

Dave Bittner: I wonder how far this goes. To what extent can Facebook request these takedowns and to what extent are they granted? You know, how far afield can a name look? And could folks who have legitimate businesses that just happened to resemble an organization like Facebook's, could they accidentally fall into this net? 

Joe Carrigan: That is a good question. And I actually thought about that question. And I thought about, you know, if I had a company that was maybe something - I don't know - let me think of something really stupid, just a picture book of faces that I have. 

Joe Carrigan: Right. Right. 

Joe Carrigan: Right? And I called it Facebookbook, right? And that was what I did, is I sold a book of faces. Is that a legitimate business? Yeah, I think that is, I think that Facebook shouldn't be allowed to infringe upon that. But, that being said, if I'm just publishing a book and I'm just some guy in my house publishing a book, I don't have the resources to fight the millions of dollars or billions of dollars that Facebook spends on lawyers every year. I'm not going to win that court battle. 

Dave Bittner: No, no, no. It's, you know, I guess it's just a matter of who ultimately has authority in a takedown request like this. And will Proofpoint be successful in pushing back on it? I think it's interesting. It's worth watching. 

Joe Carrigan: Yeah, it is worth watching. Well, this is part of the uniform domain name dispute resolution process. So there is a process that's defined, so we'll have to see how this goes. I want to follow this one. 

Dave Bittner: Yeah. All right. Again, the article's over on ZDNet. It's titled "Proofpoint sues Facebook to get permission to use lookalike domains for phishing tests." Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed - everything you want, nothing you don't. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.