The CyberWire Daily Podcast 3.18.21
Ep 1292 | 3.18.21

Radiation disinformation. CISA warns that Trickbot is surging. FBI releases Internet Crime Report, Crytpers get commodified. And notes from the underworld.


Dave Bittner: Disinformation about a radiation leak that wasn't. Another warning about Trickbot. The FBI says cybercrime cost victims more than $4.2 billion last year. Investigation and remediation of the SolarWinds and Exchange Server compromises continue. Crypters become a commodity for malware developers. Robert M. Lee from Dragos on lessons from the recent Texas power outages. Our guest is Bob Shaker from NortonLifeLock looking at baddies targeting online gamers. And some people are looking for jobs in all the wrong places.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, March 18, 2021. 

Dave Bittner: Poland's government has provisionally attributed a disinformation effort about a bogus radiation threat to Russia, the Washington Post reports. There were three channels for the propaganda - websites of the National Atomic Energy Agency and the Health Ministry were compromised to briefly display fabricated claims of nuclear waste leaking into Poland from neighboring Lithuania, and a Twitter account belonging to a journalist whose beat is Russia and Eastern Europe was also hijacked to push the same story. 

Dave Bittner: It is, of course, bogus. There's no radiation leak in Lithuania, and there's no corresponding threat to Poland. The Polish government representative who attributed the incident to Russia did so on grounds of a priori probability, but it's a pretty good guess as an argument to best explanation. Stanislaw Zaryn, speaking for the head of Poland's security services, told the Associated Press that, quote, "'the whole story looked like a typical Russian attempt' to sow suspicion and division among Western allies," end quote. So Warsaw's betting on form, and it's not a sucker bet either. 

Dave Bittner: CISA, the US Cybersecurity and Infrastructure Security Agency, yesterday issued an alert on the resurgence of Trickbot, the Trojan that was identified back in 2016. The criminals using Trickbot are distributing it through highly targeted phishing emails. 

Dave Bittner: Trickbot was originally a banking Trojan, but it's now evolved into an adaptable, multistage piece of malware. Once it's in the victims' systems, Trickbot is used to drop other malware - often either Ryuk or Conti ransomware - or to serve as an Emotet downloader. The alert, prepared in partnership with the FBI, contains an extensive list of signatures and an equally extensive list of recommended steps for mitigation. 

Dave Bittner: Speaking of the FBI, the FBI's Internet Crime Report for 2020 is out. Phishing retains its position as the leading form of criminal activity. Losses to all varieties of internet crime were high - officially, a bit north of $4.2 billion. And that's real money in anybody's book. 

Dave Bittner: The US House Energy and Commerce Committee yesterday pressed federal agency leaders for details on the scope of Holiday Bear's compromises of SolarWinds, the Hill reports. A parallel Senate inquiry suggests - according to CSO - that US organizations are generally unprepared for such supply chain attacks. The Washington Post describes how the Senate Homeland Security Committee's investigation is expected to continue today with an inquiry into how such attacks might be prevented. 

Dave Bittner: Security firm Radware has added its warning to those in circulation about exploitation of Microsoft Exchange Server. Publishing its findings in iTWire, the company says it assesses the threat as critical, and it doesn't think the threat is confined to any geographical region or economic sector. While it began, as is now generally known, as a Chinese government cyberespionage operation going after governments, pharmaceutical research and development organizations and research institutions generally, including corporate research arms, the exploitation last week had clearly been added to the capabilities of criminal gangs. The crooks have added ransomware and cryptojacking to information theft, and their operations are indiscriminate, opportunistically hitting a range of sectors in most parts of the world. 

Dave Bittner: Tracking the way in which Exchange Server exploits have spread, DomainTools' Joe Slowik tweeted an interesting graphic that summarizes the known and suspected threat actors involved in Exchange Server exploitation. It divides the actors' operation into initial exploitation pre-disclosure share, immediate opportunistic exploitation and lagging opportunistic exploitation. The lagging opportunistic exploitation is the activity Radware is talking about. 

Dave Bittner: Another point about lagging opportunistic exploitation is that it often follows the public release of a patch. Microsoft moved up its scheduled patch of the Exchange Server zero days when it became clear that Hafnium was exploiting them in an unusually restrained way, and the exploits quickly found their way into other hands. 

Dave Bittner: At the second session of the 7th Annual Virtual Cybersecurity Conference for Executives, hosted by Ankura and Johns Hopkins University Information Security Institute, which we attended yesterday, we heard Avi Rubin, technical director of the JHU Information Security Institute, discuss controls that can reduce an organization's risk. Timely patching, he rightly pointed out, is important, especially when it can be done before the vulnerability being fixed has been discovered and weaponized by the bad actors. 

Dave Bittner: But releasing a patch inevitably brings exploitation of unpatched systems in its train. The risk associated with a vulnerability rises significantly after a patch has been released since the patch allows attackers to hone in on the vulnerability and create an exploit. Rubin said, quote, "there's a race against time as to when the patch is distributed. If you don't apply the patch, you're much more vulnerable than before it was even patched in the first place," end quote. 

Dave Bittner: Patching isn't always as straightforward as we might think it, but all things being equal, better to patch sooner than later. You'll find our report of the conference's second session on our website

Dave Bittner: Deputy National Security Adviser for Cyber Neuberger outlined the federal response to the various campaigns, both criminal and state-directed, against vulnerable Microsoft Exchange Server instances. She, too, emphasized the importance of patching and stressed the government's willingness to help the private sector, including small businesses, deal with the threat. 

Dave Bittner: Crypters are now becoming a commodity in the cyber underworld's criminal markets. Two security companies have been devoting some research attention to crypters - modules that help malware evade detection. Avast has released its study of OnionCrypter, and Morphisec has an account of HCrypt, an active crypter-as-a-service operation. 

Dave Bittner: And finally, there are a few more notes from the underground. Economic hardship has driven an influx of newbies into the dark web's underworld, a study by security firm Check Point finds. One depressing trend - it used to be the gangs who did most of the advertising on the criminal job boards. Now, it's the job-seekers. 

Dave Bittner: As Check Point writes, quote, "usually within the Darknet market and hacking forums, it is the vendors that are offering openings to those who are interested to apply. These job opportunities are arranged in a format similar to eBay and Amazon, complete with features like advanced reputation, search and shipping," end quote. "However, it looks like the tables have turned. From the beginning of 2021, we noticed that there was an increase in the number of individuals taking the initiative to send out ads seeking work. In fact, we started observing 10 to 16 new ads being placed monthly in select hacking forums," end quote. 

Dave Bittner: Some of it's greed, some of it's desperation, but whatever is driving people to tell the hoods that they're willing to be recruited, it looks like a long-term shift in the underworld. 

Dave Bittner: During this time of pandemic lockdown, my teenage son has been spending a lot of time online gaming. It has become the primary way he gets to socialize and hang out with his friends. That's all good, but, of course, there are security concerns. Those games aren't free, and we've got our credit card information filed into his account. Bob Shaker is head of gaming at NortonLifeLock and an avid gamer himself. He and his team recently published their gaming and cybercrime study. And Bob Shaker joins us with the results. 

Bob Shaker: I think we're beginning to see a positive shift in the way gamers think about security, but in this study that we did with the Harris Poll - and we did this across several countries - the U.S., the U.K., Australia, Germany, New Zealand - we found there's still a gap between what gamers understand about the cyber risks that pertain to them and their likelihood of being attacked and what really could happen. What we thought was interesting about this was how many of them had already been hacked and yet still had that, you know, somewhat of a gap in there. And that was over 2,000 gamers that we included. 

Dave Bittner: What are some of the specific ways that gamers are targeted? What are their particular vulnerabilities? 

Bob Shaker: Gamers are targeted in a few different ways that really everybody is targeted, except that there's a bigger landscape when you're a gamer. So for, like, a phishing attack or a fake website that's promising, you know, we're going to give you the best, newest, latest skins for this new game, click here and, you know, we'll hook you up. Those still exist, but with gamers, the landscape expands because we have access to tools that the average non-gamer doesn't use, like Discord or Twitch or, you know, some of the deeper Reddit boards about gaming, where, because gamers have this competitive nature, in Discord, I can set up an entire server all about, you know, getting the latest and greatest cool things that you need for whatever game that I create the server about and then start sending invitations. And because it's inherent in most gamers to trust Discord, they have a tendency to trust Discord servers. 

Bob Shaker: And it's, you know - when you look at the gamer demographic, it's very broad. I mean, gamers can start - look at my kids. I mean, my kids started gaming when they were, you know, tiny - 2 to 3 years old. We'd be playing together. But gamers go all the way up into, you know, the 60s, 70s age range. But when you look at the crux of gamers, you start getting into that 12 to 35 range, and you get a lot of people who haven't experienced cyberattacks and get led in. So, you know, young people are trusting of Discord. They see a new Discord server invite come their way, join. We're going to help you get the latest game skins. They join the server. They say, hey, get your friends to join. Here's a link. Click on this link to get the invite. The link downloads malicious software onto their machine. They then spread that link to their friends, and it perpetuates through the ecosystem of their friend network. 

Bob Shaker: And that's, you know - that's one of those types of attacks that isn't really different than a phishing attack, except they're taking advantage of the fact that gamers don't really believe that they'll be attacked, don't believe they have anything worth taking and are susceptible to the ecosystem of playing games, which can be very costly and looking for advantages in in-game items that they may not have to spend money for. 

Dave Bittner: That's Bob Shaker from NortonLifeLock. You can find their gaming and cybercrime study on their website. 

Dave Bittner: And I'm pleased to be joined once again by Robert M. Lee. He is the CEO at Dragos. Rob, it's always great to have you back. You know, it's been a couple of weeks since the trouble that Texas had went down with the unprecedented cold temperatures and the strains that that put on their ability to deliver electricity and various critical infrastructure things. And I wanted to check in with you to see what some of the broader things that you've been thinking about here in terms of, are there lessons to be taken from this when it comes to things like availability? 

Robert M Lee: Yeah. No, absolutely. It's like - I think in Texas, specifically, it's too early to really be assigning blame and fully understand the event. And I'm not saying that there won't be a blame and there won't be some considerations. But what I would coach everyone to look towards is when these types of things happen, whether it's a safety event at a chemical plant and the Chemical Safety Board gets involved or a transportation issue or whatever - or in this case, electric - a number of different organizations do get involved and do really detailed studies of what exactly went wrong and what are - what was the cascading effects. And so we have the same thing in the New York blackouts and similar. And, you know, FERC came out and had a really detailed study of the blackouts in the early 2000s that led to some of the NERC regulations and kind of regulatory standards. And so it's very common for our engineering and operations community to deeply dig in and get root cause analysis and share out those insights. 

Robert M Lee: And what I'm looking for is what does this mean to the broader United States? Because we have a changing energy portfolio. We have aspects of climate change that are making impacts, undoubtedly, but we also have a changing energy portfolio. What I mean by that is we're offloading a lot of fossil fuels like coal. We're bringing up a lot of, like, natural - natural gas takes up more energy - is the source of more energy production in the United States now than ever before. We're also thinking about bringing nuclear back some. We're also talking about green energy plans from the Biden administration and, like, distributed energy resources like solar farms and wind farms and similar that we bring online and electric vehicle chargers and so forth and so on and so on. 

Robert M Lee: So we have all of these massive changes happening all at once and in a relatively short amount of time. So it is appropriate to look at what went wrong and what can inform what we're doing in the future. And it's going to relate to grid stability and modernization. It's going to relate to better analytics and understanding of the data. It's going to relate to grid storage and battery storage. It's going to relate to not being over-dependent on any one energy resource. It's going to relate to the operators of the grid and kind of the reliability coordinators and what their role is. There's going to be a lot of, I think, good takeaways to learn. 

Robert M Lee: And one of the things I love about, especially the electric community, is they deeply study these things and look at the studies, and they are very thoughtful with applying lessons learned. You don't have to, like, go coach them to apply it. They will all be digging into this and doing that. And so I think that's what I would recommend to folks to look for, is kind of the reports that come out of this. And I would take away some confidence that the utilities themselves are most certainly going to be digging into these. 

Dave Bittner: What about things like climate change? I mean, I don't think it's unrealistic for folks to think that, you know, if my local Home Depot in Dallas isn't fully stocked up on snow shovels, you know, like, that's an unreasonable thing. You know, we have the historic weather patterns, but we can't really rely on those the way we used to. It seems like not only are things changing, but the rate of change is increasing as well. 

Robert M Lee: Yeah, for sure. I mean, climate change - it's always funny. It becomes, like, a political topic. I don't know why. There's no political topic here. Climate change is happening, end of story. You don't like that? That's fine. Please go buy a diesel generator. Let's not talk about grid discussions. But for the rest of us, climate change is happening, and it's impactful. And it is not unreasonable that Texas did really not think they were going to get into extended, like, zero-degree temperatures. Like, that's not unreasonable they didn't think about that. 

Robert M Lee: However, as we know, things are changing now. Like, is it reasonable to go forward and say, well, what kind of events do we want to prepare for? And if those kind of breaks take place, if it happens that we get to zero degrees Fahrenheit and we're not prepared for that, then what is the plan ahead of time to make sure that we know how to work across our utilities to make sure that we don't burn out transformers as recycling power, so that recovery takes weeks longer than it should and things like that? 

Robert M Lee: So whether or not it's unreasonable to prepare, I think we can still prepare in some way. But I would actually say I don't think it's really unreasonable to prepare at all. And there's already mechanisms in rate recovery and, you know, resourcing of the government, et cetera, to do what the utilities think is the right call. They obviously didn't think it was the right call in this case. We should understand their logic before we cast any blame yet. Once we understand their logic of why they thought that, then we should look to figure out what we can amend and do better in the next time. 

Dave Bittner: All right. Well, Robert M. Lee, thanks for joining us. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. The proud bird with the golden tail. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. See you back here tomorrow.