The CyberWire Daily Podcast 4.2.21
Ep 1303 | 4.2.21

Goblin Panda sighting? The attempt on Ubiquiti. More universities feel the effects of the Accellion compromise. National Supply Chain Integrity Awareness Month. Down-market phishing.

Transcript

Dave Bittner: Goblin Panda might be out and about. Ubiquiti confirms that an extortion attempt was made but says the attempted attack on data and source code was unsuccessful. The Accellion compromise claims more university victims. It’s National Supply Chain Integrity Awareness Month in the U.S. Andrea Little Limbago from Interos on supply chain resilience in a time of tectonic geopolitical shifts. Our guest is Paul Nicholson from A10 Networks on their State of DDoS Weapons report. And some down-market phishing attempts.

Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner, back again with your CyberWire summary for Friday, April 2, 2021. 

Dave Bittner: DomainTools has a rundown on how both state security services and criminal gangs continue to use COVID-19-themed phishing against a wide range of targets. They’re following one campaign which delivers a decoy document to the user which leverages a signed binary and a modified DLL to execute a Cobalt Strike Beacon payload. Some of the activity is suggestive of Goblin Panda, a threat group aligned with the Chinese government that’s collected most actively against Southeast Asian targets and especially against Vietnam. 

Dave Bittner: Ubiquiti has confirmed it was the victim of an extortion attempt in January, The Record reports. But the IoT shop hasn’t said that either personal data or source code were compromised, as a whistleblower had it. 

Dave Bittner: The company’s statement did say that it had brought in external security experts to help investigate the incident. Quote, "these experts identified no evidence that customer information was accessed or even targeted. The attacker, who unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials, never claimed to have access to any customer information. This, along with other evidence, is why we believe that customer data was not the target of or otherwise accessed in connection with the incident," end quote. 

Dave Bittner: SecurityWeek notes that Ubiquiti shareholders have taken a bit of a bath after the incident came to light, with its share price falling from $350 on March 31 to $290 yesterday. Markets are always jumpy on bad news, however murky or disputed that news may be. 

Dave Bittner: The Accellion compromise continues to affect users of the company’s File Transfer Accessory, with a wave of universities reporting data breaches. The Clop ransomware gang, also tracked as the possibly distinct but associated threat actor UNC2582, is leaking information stolen during its operations. Student, faculty and staff data at Stanford, the Harvard Business School, the University of Maryland Baltimore, and the University of California have been posted. Some individuals have begun receiving ransom notes. 

Dave Bittner: The Accellion incident is an instance of the kind of software supply chain risk the U.S. Department of Homeland Security and the intelligence community are currently interested in addressing, in part through a program designed to raise awareness of the problem. April has been declared by CISA and the National Counterintelligence and Security Center as the "Fourth Annual National Supply Chain Integrity Month" with a call to action for organizations across the country to strengthen their supply chains against foreign adversaries and other potential risks. It’s April, people. Do you know where your supply chain is? 

Dave Bittner: Be on the lookout for Alexander Yuryevich Korshunov, an SVR officer wanted by the FBI for conspiracy to commit theft and attempted theft of trade secrets. The wanted poster is helpfully available in Russian as well. The indictment itself was unsealed in 2019. The wanted poster is worth a look for two reasons at least. First, the crime alleged involves theft of corporate trade secrets, and it’s a useful reminder that there are laws against doing that, too. Stealing classified information isn’t the only thing that will get you into hot water. Second, it’s worth noting that, once the FBI has its teeth into someone, it’s loath to let go, whether that someone can be readily extradited or not. 

Dave Bittner: And finally, a couple of notes about down-market phishing attempts. The first is the more sophisticated of the two. Security firm Avanan describes the curious case of a legitimate business using phishing techniques to attract business - a business, we should say, that is in other respects legitimate; that is, it delivers a legal and real service. It’s not the usual straight-up scam we're accustomed to seeing with phishing attempts - the widow of the Nigerian prince, the email from country X's minister of the gosh-darn oil and so on. 

Dave Bittner: In this case, Avanan says that one PERA LLC, a firm based in the Silver State of Nevada, is using, quote, “all the methods you would expect from a well-organized phishing spam campaign - spoofing the sender in the email header to impersonate an email from the organization, rotating domains and links, rotating the sending IP addresses and changing the subjects and bodies of the emails themselves,” end quote. The point is to lend legitimacy to the appeal for business by presenting an appearance similar to that of a state employee pension fund. 

Dave Bittner: Even the firm's name nudges in that direction, since PERA is a commonly used acronym for public employee retirement account. That similarity and the various solicitations coming from the Nevada-based business have prompted at least one lawsuit. Legal Newsline reported in October that a Colorado Public Employee Retirement Association, which also goes by PERA, filed a complaint in a Denver court in an attempt to get PERA LLC to quit it. The plaintiff alleges that PERA LLC has solicited Colorado's public employees under false pretenses and has misrepresented that the third-party investment representatives are approved by PERA or the PERA employee, when they are not. It adds, “PERA LLC has contacted thousands of Colorado public employees in an effort to take advantage of and benefit from PERA's goodwill and reputation with its membership,” end quote. The case has been moved to federal court at the defendant's request, where it's on a pandemic-related hold. 

Dave Bittner: This isn't unsophisticated, so why do we suggest it's down-market? Well, we do so because it reminds us of a family of physical junk mail that clogs our physical mailboxes. A company sends a prospectus in a plain, vaguely official-looking envelope, without the gaudy colors and other meretricious trappings of junk mail. It may even be festooned with some vaguely heraldic-looking device. Eagles are nice in the U.S. We assume Canadian junk mail gets maple leaves, with other national styles imitated elsewhere. You open it, maybe expecting something from, oh, Medicare or the tax people or the local water department, but a close reading leads you to say phooey and be done with it. So perhaps this is a natural evolution of junk mail into the virtual realm. 

Dave Bittner: The other phishing attempts we'll mention - and we promise this is the last of it today - come to us from security firm GreatHorn, which is throwing up its hands at the lame stuff that's in circulation. Here's one example. A couple of bogus messages misrepresent themselves as originating from Microsoft Teams. The phishbait is a communication about bonuses, and the first message tells the recipient, "just send it over now, you have wasted time alot." There are two problems with this. First of all, there's an improper comma splice joining the two independent clauses, and "a lot" is misspelled as one word. Second, the tone is angry and impatient, which isn't, in most people's experience, the way businesses tend to communicate by text. 

Dave Bittner: There's a follow-on message, also reaching for a sense of urgency: "If I don't respond within a timely manner, you would loose the bonuses." What do you mean, I? And are we going to loose the bonuses the way the Titans in that movie would loose the Kraken? Even the Titans got it wrong. Our ancient mythology desk wonders what a Germanic Kraken is doing over there in Greek mythology anyway. 

Dave Bittner: Distributed denial-of-service attacks tend to make news whenever a new record is set for the number of bots in a botnet or the traffic being unleashed on a victim. The tools available to DDoS perpetrators continue to evolve in their sophistication. The team at A10 Networks recently published their State of DDoS Weapons report. Paul Nicholson is senior director of product marketing at A10 Networks. 

Paul Nicholson: So this report is a little bit unique compared to others because we're tracking DDoS weapons, and these are potential weapons which could be used to attack networks. So we think this is very useful for the community out there to look at what types of attacks could hit their network and what they need to defend against. So I think it actually helps a lot of organizations shore up their defenses. 

Dave Bittner: Well, before we dig into some of the details here, can you give us a little idea of where we stand? What's the state of things? 

Paul Nicholson: Yeah, so it's interesting because this data is some of the first data which we've had which reflects the impact of COVID-19 and what might have happened out there. So what we've seen from our honeypots and other sources is the number of weapons has increased in the second half of 2020. So it went up from 10 million to 12.5 million. And this is kind of in line with what we've seen over all our reporting periods from 2018 through now, which is roughly a 12% increase over time. So this problem is getting larger. And even with the pandemic, that hasn't changed. 

Dave Bittner: As we look forward, what's your outlook here? I mean, in terms of this arms race between the folks coming at us and the defenders, what do you think we're in for in the next year or so? 

Paul Nicholson: Well, one thing - I think we've seen the trend, like I said, I think it was - I said it was, like, 12% increase over the reporting period from 2018. So we don't necessarily see a change in, you know, the landscape in terms of will it escalate. It probably will because you look at the new technologies out there like 5G and some of these other things. It's basically the ability to transmit more data more frequently from more different devices and IoT devices, of course, right? So, you know, there's a lot of potential vectors out there for exploiting, so we think it will increase. 

Paul Nicholson: The good news, however, is I'm heartened to see there's a lot more data going out there, whether it's the AWS threat report, which also sometimes mentions DDoS attacks, or there's some very good information I was just reading recently where Microsoft has given a lot of statistics around what attacks they're seeing on the Azure network - public, by the way. So having this data, I think - and also this threat report, obviously - it allows someone who's maybe doing corporate defenses or service provider defenses a window into what the community is seeing out there and allows them to think, hey, you know, I see A10 mentioned SSDP is the top amplification weapon out there in this report. Maybe I should see, A, if I should have it enabled or where I should lock it down, et cetera, just so that they can't participate in a potential attack out there as a system which is being used in an amplification attack, as an example. 

Dave Bittner: That's Paul Nicholson from A10 Networks. There is a lot more to our interview. Don't forget to go listen to extended versions of this and many other interviews at CyberWire Pro. It's on our website, thecyberwire.com. 

Dave Bittner: And I'm pleased to be joined once again by Andrea Little Limbago. She's the vice president of research and analysis at Interos. Andrea, it's always great to have you back. You are going to be doing a presentation at this year's RSA, which is, of course, virtual and online. And you're going to be talking about supply chain resilience, a lot of geopolitical stuff going on in the world these days. What can you share with us about your presentation? 

Andrea Little Limbago: Yeah, thanks so much for having me. You know, there's a lot going on as far as transformations and the way that the world's even just being structured and - with tech wars going on, trade wars, obviously the pandemic continues to disrupt. And really, it's been something that has upended supply chains across the globe. And, you know, looking at that but overlaying it with some of the discussions that you and I have had in the past about digital authoritarianism and digital democracies and that divide that's going on as far as the splintering of the internet and really bringing all these multiple layers together to highlight a way ahead during such a time of disruption. 

Andrea Little Limbago: And it really - you know, it's amazing just how much has shifted over the last year and how much things are really continuing to shift. And when you think about supply chain resiliency, we've heard a lot, you know, almost a year ago, about the shortage in various kinds of personal protective equipment. But we've also seen very much so manufacturing shifts. We've seen the impact of geographic concentration risks. And then you have got issues of product risk that we have seen very much so highlighted really over the last year as well. And so a lot of these trends that were underlying prior to COVID have been accelerated. And we'll be looking at how - viewed through the lens of the techno-dictators and what the democracies are doing in return - really looking at it through that lens as far as, you know, what is the way ahead and with a focal point being that we can either allow the techno-dictator model to continue to disrupt, or we need to really have a solid and strong democratic alternative. 

Andrea Little Limbago: And so we'll talk about what some of those alternatives might be. We'll address some of the steps that democracy is already taking, which are - you know, actually over the last year, again, there have been a lot of changes in that area. And, you know, even on top of all that is how industrial policy and cyber policy are really starting to integrate quite a bit as far as the - even on the tech stacks that are becoming a means of dividing between trusted and untrusted networks. So it's a lot that we're packing in, but there's a lot going on in the world right now. So hopefully I'll be pulling it together into a coherent story with some recommended paths ahead. 

Dave Bittner: You know, you use the term techno-dictator. Can you spell that out for us? What does that mean? 

Andrea Little Limbago: Sure. Absolutely. And so what we've seen over the last few years - you know, and really - and it started in the world of cyber norms, which are basically the rules of the road for how you behave in cyberspace. And the techno-dictators are those that - the governments that are really using a whole range of digital information technology to surveil, repress, manipulate information. It's really for complete information control. And what we saw a lot was they started off using a lot of these mechanisms domestically, but then they apply them internationally - and so from the whole range of disinformation to cyberattacks, but also, you know, thinking about it on the tech side, leveraging technology for implementing back doors for access, and then even to think about the surveillance and repression that's going on across the globe and Internet blackouts. 

Andrea Little Limbago: So it's really full information control is what - is the strategy for the techno-dictators. And it has been able to spread for quite some time. And it's been over a decade now where we've seen Internet freedoms decline. We've seen democracy decline for over a decade. So it's really having a global impact. And it hasn't been until very recently where we've started seeing democracies really realize that they need to get into the game of figuring out what an alternative counterweight might be. And it has taken a lot for both the - on the purely cybersecurity side, looking at the various norms and how those are trying to be shaped through the international governmental organizations, but it's also seeing how the supply chains are being used, as well, as a mode for disruption and also as a motive for compromise. And so a lot of this discussion will be bringing together trade policy and cyber policy and how they overlap, especially when it comes to the various kinds of technologies that are out there. 

Dave Bittner: You know, I've seen word coming out of the Biden administration, for example, that this is something that they may be focusing on, that we don't - to try to ease up some of that dependence on some of the foreign nations that we might have adversarial relationships with, that, you know, there needs to be more than one source for some of these things. 

Andrea Little Limbago: Yeah, and that's exactly right. We're seeing it a whole lot more being discussed. There was an executive order that just went out that addressed, as one component of it, the need for working with alliances and for creating a means to have alternative suppliers so you don't have all your eggs in one basket like we've had for quite some time. And so - and it's not just the U.S. And this is, I think - for me, one of the most important parts of this is while the U.S. has elevated this role of, you know, what a digital democracy could do it, especially - they've been - you know, the U.S. has mainly been working on it through, you know, sticks versus carrots as far as implementing a range of prohibited companies that - from any kind of partnership. 

Andrea Little Limbago: But across the globe, we're seeing both other democracies are doing that as well, as far as prohibiting certain companies, but also, there's this really big push towards alliances. And that's what - where I see a lot of transformations starting to emerge, is having the democracies come together as an alliance, and so one that helps overcome issues of protectionism because no country can be completely self-sufficient. We still have a global economy. And so looking at how the various democracies and likeminded nations can come together, create various kinds of alliances to create greater security - and there's a lot of tech and research components that go under that. It gets into trusted software and hardware. And so it really gets into the entire tech stack and brings in as well these digital norms of what's appropriate behavior as well. 

Andrea Little Limbago: So it really brings together all different components of cybersecurity together into an alliance system, which I think is - you know, it's a bit overdue, but it's one of those things that - we've been living in the post-World War system for quite some time. And we really need to evolve it into the digital era. And this is one way that we're seeing that. And, you know, one good example of it is the Quad, which is India, Australia, the U.S. and Japan looking at building trusted supply chains together. And so it's something to keep an eye on over the next year. But definitely, you know, it's something that was in the most recent executive order, and it's something that we keep seeing other democracies as well saying it's increasingly a priority for them, too. 

Dave Bittner: All right. Well, Andrea Little Limbago, thanks for joining us. 

Andrea Little Limbago: Great. Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Quality never goes out of style. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening, and special thanks to Elliott Peltzman for filling in yesterday. We'll see you all back here next week.