The CyberWire Daily Podcast 2.22.21
Ep 1274 | 2.22.21

Facebook takes down Myanmar military page. Chinese cyberespionage and cloned Equation Group tools. Supply chain compromises. Threat trends.


Dave Bittner: Facebook takes down Myanmar junta's main page. APT31 clones Equation Group tools. Silver Sparrow's up to something. Bogus Flash Player update serves fake news and malware. Effects of supply chain compromises spread. Clubhouse has some privacy issues. A VC firm has been breached. CrowdStrike releases its annual threat report. We welcome Josh Ray from Accenture security to our show. Rick Howard examines Google's cloud services. And a Maryland school continues its annual cyber challenge.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, February 22, 2021.

Dave Bittner: Facebook yesterday took down the main page belonging to Myanmar's military, according to Reuters. The social network explained its decision in terms of its policy against incitement of violence - quote, "In line with our global policies, we've removed the Tatmadaw True News Information Team Page from Facebook for repeated violations of our community standards prohibiting incitement of violence and coordinating harm," end quote.

Dave Bittner: Check Point reports that a Chinese threat group, APT31, cloned a leaked U.S. Equation Group tool and has now used it for several years. APT31 is also known as Zirconium in Microsoft's metallic taxonomy of threat actors or as Judgment Panda to other scorekeepers. This isn't the first time a Chinese threat actor has used what appears to be NSA tools. They had found their way earlier into Beijing's cyber arsenal and, apparently, at some point before the ShadowBrokers committed their big Equation Group leak to the internet.

Dave Bittner: Silver Sparrow, described last week by researchers at Red Canary infesting devices with Apple's new M1 chips, as well as some using Intel processors, remains baffling. Although Malwarebytes researchers found the malware on some 30,000 endpoints, Ars Technica says Silver Sparrow has no apparent payload. The binaries don't seem to do anything - they're being called bystander binaries - and may simply be placeholders. Silver Sparrow also has a self-destruction mechanism designed to expunge traces of itself from infected systems. Whoever's operating Silver Sparrow hasn't yet used that functionality, and as Computing reports, researchers are still in the dark about what might trigger self-destruction. Silver Sparrow will bear watching, especially if it proves to be a staging mechanism for further cyber campaigns. 

Dave Bittner: A fake Adobe Flash Player updater is in circulation, BleepingComputer reported yesterday. It's a relatively complicated scam. Javvad Malik, security awareness advocate at KnowBe4, summarized the activity as follows - quote, "Threat actors are using Google Alerts to promote a fake Adobe Flash Player updater that installs other unwanted programs on unsuspecting users' computers. The threat actors create fake stories with titles containing popular keywords that Google Search then indexes. Once indexed, Google Alerts will alert people who are following those keywords. When visiting the fake stories using a Google redirect link, the visitor will be redirected to the threat actor's malicious site. However, if you visit the fake story's URL directly, the website will state that the page does not exist." 

Dave Bittner: Adobe Flash Player has reached the end of its life, but many users, habituated by years of updates, may not know this and may not recognize the bogus update for the imposture it is. The unwanted program being served is OneUpdater, and it will, from time to time, offer other phony updates that themselves carry other unwanted programs. So here's a direct risk from fake news stories being indexed by search engines - in this case, by Google. Not only do they cloud your mind with misinformation, but they also serve as the entering wedge of a malware distribution campaign. 

Dave Bittner: Breaches of vendors in the software supply chain continue to flow through third parties. The Accellion FTA compromise has now affected the Kroger supermarket chain, and The Wall Street Journal describes the ways Accellion's troubles have afflicted its customers. StateScoop has an account of how a ransomware attack by Cuba RANSOMWARE, a gang having the poor taste to illustrate its dumpsite with heroic images of political mass murderers, has affected customers of Automatic Funds Transfer Services. Many AFTS customers are U.S. state and local governments, and they've been in the process of warning individuals whose data may have been compromised. 

Dave Bittner: Emergent social media platform Clubhouse appears to be experiencing the sorts of security issues that accompany rapid growth, especially when the growing company has strong business links to companies in China. Bloomberg reports that the app's chats have been breached. A Guardian op-ed summarizes causes for concern. You're telling the app that you're connected with various people and they're connected with you, for example, and that's something you and your contacts may not want to share. And then there's the business of Clubhouse making unencrypted copies of the chitchat going on in its various rooms. As The Guardian's essayist puts it, Clubhouse says it deletes these once it determines nothing untoward is going on, but still, that's not particularly reassuring, especially when your backend services are provided by a Shanghai outfit. Nothing wrong with Shanghai, necessarily. Lots of nice, hardworking people. But still, after all, Beijing's writ runs there. 

Dave Bittner: Axios reports that Sequoia Capital has disclosed a data breach that may have affected some of the personal and financial data the venture capital firm holds. Sequoia says it's notified affected individuals and has so far found no signs of the data's abuse. 

Dave Bittner: CrowdStrike this morning published their annual Global Threat Report. They see an intensification of now-familiar trends with supply chain attacks, ransomware, extortion and nation-state espionage all on the rise. They also see increasing sophistication on the part of cybercriminals. Remote work will continue to expand attack surfaces, and health care will unfortunately remain a priority target. They think Dedicated Leak Sites will make it easier for criminals to carry out data extortion attacks. Looking at the state actors, CrowdStrike sees China focusing on supply chain compromises with an emphasis on industrial espionage against verticals that could yield IP useful to the goals of the Fourteenth Five Year Plan. And North Korea will be more motivated than ever to shore up its failed economy through direct cybertheft. 

Dave Bittner: And finally, it's good amid the ice storms and the data breaches to share some local good news. This past weekend, Loyola Blakefield, just up the road from us in Baltimore County, held its fourth annual Loyola Blakefield Cyber Challenge virtually this year, and they sent us a note this morning to give us the results. The challenge categories this year included Web Exploitation, Cryptology, Forensics, Programming and Network Analysis, and the 51 teams that competed came from as far away as Illinois. This is a student-run challenge, and we're happy to share the congratulations Loyola Blakefield sent to the winners. 

Dave Bittner: They wrote, On behalf of LBSCI, congratulations to Audrey Wheeler from Rolling Meadows High School, Robbie Hauf and Mark Ghattas from John Carroll School, Ryan El Katcha from Damascus High School, Daniel Matthew from Poolesville High School and Jason Walter from Calvert Hall College. Special congratulations to Daniel Matthew and Ryan El Katcha and their teams for winning the beginner and advanced divisions, respectfully (ph). If you're interested in how Loyola Blakefield put the challenge together, check out their website and drop them a line. We're sure they'll be happy to hear from you. 

Dave Bittner: And joining me once again is Rick Howard. He is the CyberWire's chief analyst and also our chief security officer. Rick, it's always great to have you back. 

Rick Howard: Thanks, Dave. 

Dave Bittner: This week on "CSO Perspectives," you are launching a two-part series on securing the Google Cloud Platform. Now, I know that we have just recently done similar things for Amazon AWS and Microsoft Azure. Is this, you know, lather, rinse, repeat? 


Dave Bittner: Or does Google have a different approach here? 

Rick Howard: (Laughter). That's a good way to put it. Well, you will be pleasantly surprised, David. Google's plan for cloud services is fundamentally different from the other two, right? And their official name for the service is Google Cloud Platform, or GCP. And I have to tell you I can never remember what that acronym stands for. I have to look it up every single time, right? 

Dave Bittner: Yeah. Yeah. 

Rick Howard: And they didn't roll it out until 2012. You know, this is a good six years after Amazon released AWS and two years after Microsoft released Azure. And now looking at all three of them, it's pretty clear to me that Google studied their two competitors and made some design changes. And the most obvious is how they placed zero trust as a cornerstone to the entire experience. 

Dave Bittner: Yeah, I mean, that's interesting because in the previous two series, you made the solid point that both AWS and Azure - they provide means to implement zero-trust concepts. What makes GCP different? 

Rick Howard: So Google took the design concept, this thing called software design perimeter, or SDP. It came from the US government way back in the early 2000s, you know, from the Defense Information Systems Agency, or DISA, for all places, right? And then they built it. You know, and in our last Hash Table episode on AWS security, the chief security officer for Sallie Mae, Jerry Archer, said he uses a third-party tool to implement step for his AWS deployments. But in the Google Cloud Platform, SDP is how the system works out of the box, right? So we spend some time in this episode talking about what that means for our first-principle approach to securing cloud environments. 

Dave Bittner: All right. Well, it is "CSO Perspectives," and it is part of CyberWire Pro. You can find out all about that on our website, Rick Howard, always a pleasure. 

Rick Howard: Thank you, sir. 

Dave Bittner: And it is my pleasure to welcome to the CyberWire Josh Ray. He is the managing director and global lead of Accenture's cyberdefense business. Josh, welcome to the show. 

Josh Ray: Thanks, Dave. Pleasure to be here. Look forward to talking about some really interesting topics today. 

Dave Bittner: Well, before we jump in with some of the technical things, I'd like to introduce you to our audience. Can you give us some notion - what is your day to day like? What are the types of things that you're doing for Accenture? 

Josh Ray: Yeah, Dave. Within our cyberdefense business, my team and I - we really focus on looking at threat activity but really primarily looking at it in very highly customized ways. So a lot of the things that we do are helping our clients on their darkest day but also helping them prepare for the most advanced cyber-adversaries that they're going to face. And really, it's about us being able to provide our clients with a level of confidence to kind of chart that journey through not just that worst day but hopefully improving their overall security posture and capability when they come into contact with some of these advanced adversaries. So we do things like instant response and threat hunting, cyberthreat intelligence. We do a lot of intelligence-driven red teaming and advanced adversary simulations. We also help our clients with application security, as well as helping them transform their threat operations capability to really, in many cases, make use of investments that they've made in technologies, so they're able to properly operationalize it within their environment. 

Dave Bittner: Can you give us some insights on your own background and what led you to this particular position. 

Josh Ray: It's actually - I've been very fortunate and blessed to kind of grow up within the mission, started my career in the Navy and then went back to school when I got out and found myself at Naval Intelligence, actually doing an internship and focused, really, right away on some advanced nation-state adversaries, went on to work, do some work within the DOD and the defense industrial base, which - we were very much kind of the tip of the spear and focused on, you know, a lot of the same types of threats that most folks know today as the APT - and then from there went on to work for Verisign where I helped protect dot-com and dot-net and was fortunate to run the iDefense business. And then I led that acquisition from Verisign into Accenture in 2017. So again, very, very focused on a specific mission and really threat operations throughout my whole career. And, you know, couldn't find myself in it in a better place now. 

Dave Bittner: Yeah, it's interesting. You mentioned incident response, which I suppose is the - you know, the part of your business that your hope - you hope for your customers they never have to engage with you on (laughter). But, I mean, how much of that is sort of dialing in ahead of time to try to have all the proper things in place for them to try to put off that need for incident response as long as possible? 

Josh Ray: Yeah, breach readiness is a huge part of what we do for our clients. And it's really about, you know, actually taking not only the lessons learned from all of the incidents that we help our clients kind of work through but also taking kind of an offensive mindset. So having kind of that full offensive portfolio, whether it be pen testing or red team or doing things like an advanced adversary simulation, really helps our clients, you know, be able to anticipate and gain those breach learnings without actually having to experience those types of breaches or the pain of that breach. And then we can transform them and kind of tune their security programs and their threat operations programs to really kind of drive that kind of end-to-end threat-focused approach. And again, core to that, obviously, is having the ability to know the threat at that tactical, operational and strategic level through, you know, a high-confidence threat intelligence. 

Dave Bittner: Can you give us some insights as to how organizations go about dialing in, how much they interact with a company like yours, like Accenture, how much they do in-house and how they choose how they're going to turn those knobs? 

Josh Ray: That's a great question. And I think it really depends on the business, I would say requirements of each one of the individual clients. And it varies by industry, as well, too. So we see some clients that really want to in-house as much as they can, and they use us for some of the higher-end testing. And then there's other clients on the other end of the spectrum that really just want to focus primarily on running their business and leverage us to, you know, run much of their security operations for them, as well. And then there's some in the middle that, you know, kind of take that hybrid approach - right? - realizing what they can do or are able to do internally and then augment their capability with some of the things that we deal with in cyberdefense. 

Dave Bittner: All right. Well, Josh Ray, managing director and global lead of Accenture's cyberdefense business, great to have you on board. Thanks for joining us. 

Josh Ray: Thank you, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed - so chunky, you'll be tempted to eat it with a fork. Listen for us on your Alexa smart speaker, too. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security Hah! I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. And check out the Recorded Future podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.