The CyberWire Daily Podcast 4.7.21
Ep 1306 | 4.7.21

A Chinese cyberespionage campaign is active against Vietnamese targets. The European Commission acknowledges cyberattacks are under investigation. Data scraping. Bogus apps. Molerats are dudes.

Dave Bittner: Goblin Panda's upped its game in recent attacks on Vietnamese government targets. The EU is investigating cyberattacks against a number of its organizations. Scraped LinkedIn data is being sold in a hackers' forum. Facebook talks about the causes of its recent data incident. A new Android malware poses as a Netflix app. Joe Carrigan shares comments from the new head of the NCSC. Our guest is Fang Yu from DataVisor with highlights from their "Digital Fraud Trends Report." And the Molerats are using voice changers to phish for IDF personnel.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 7, 2021. 

Dave Bittner: Kaspersky researchers describe a new and, in their view, sophisticated remote access Trojan being used in a Chinese cyber-espionage campaign against the Vietnamese military and other government targets. Threatpost reports that the malware used, called FoundCore, is unusually evasive and that it's associated with the Cycldek threat actor, also known as APT27 or Goblin Panda. 

Dave Bittner: That specific attribution is tentative, but the RAT itself, Kaspersky says, constitutes a significant step up in terms of sophistication for this sort of activity, adding that the toolchain presented here was willfully split into a series of interdependent components that function together as a whole. 

Dave Bittner: The researchers also caution against assuming that the group's focus on Vietnamese targets means that no one else needs to be concerned with it. As the report concludes, quote, "experience shows that regional threat actors sometimes widen their area of activity as their operational capabilities increase and that tactics or tools are vastly shared across distinct actors or intrusion sets that target different regions. Today, we see a group focused on Southeast Asia taking a major leap forward. Tomorrow, they may decide they're ready to take on the whole world." 

Dave Bittner: According to Bloomberg, several European Union bodies came under cyberattack last week. Who precisely was affected is unclear, as is the threat actor responsible, but a European Commission representative said that, thus far, no major information breach was detected. The incident remains under investigation. 

Dave Bittner: Onapsis and SAP have warned of a campaign actively taking advantage of vulnerabilities in SAP mission-critical software. SAP has issued patches for all of these, and users are advised to take prompt action. 

Dave Bittner: Data allegedly scraped from some 500,000 LinkedIn profiles is being offered for sale in a hacking forum with 2 million records displayed as confirmation that the sellers have the goods they say they do, CyberNews reports. It's unclear whether the data is newly obtained or simply represents an aggregation of material from past breaches. 

Dave Bittner: In other data scraping news, Facebook has published a commentary on the recent dump of its users' data. Menlo Park wants to make it clear that its systems weren't compromised, but rather that the data now offered for free were obtained through scraping. 

Dave Bittner: Their explanation reads in part, quote, "we believe the data in question was scraped from people's Facebook profiles by malicious actors using our contact importer prior to September 2019. This feature was designed to help people easily find their friends to connect with on our services using their contact lists. When we became aware of how malicious actors were using this feature in 2019, we made changes to the contact importer. In this case, we updated it to prevent malicious actors from using software to imitate our app and upload a large set of phone numbers to see which ones matched Facebook users. Through the previous functionality, they were able to query a set of user profiles and obtain a limited set of information about those users included in their public profiles. The information did not include financial information, health information or passwords," end quote. 

Dave Bittner: Check Point describes Android malware that misrepresents itself as a Netflix content enabler, FlixOnline. It's distributed via malicious autoreplies to incoming WhatsApp messages and, once installed, enables the attacker to distribute phishing attacks, spread false information or steal credentials and data from users' WhatsApp accounts. 

Dave Bittner: Why would you install FlixOnline? To watch TV, obviously. But the hoods sweeten the deal with a social engineering come-on - quote, "two months of Netflix Premium free at no cost for reason of quarantine coronavirus. Get two months of Netflix Premium free anywhere in the world for 60 days. Get it now here" - with a link provided, naturally. 

Dave Bittner: Once installed, the malware asks for three permissions - overlay, which allows it to create new windows on top of other applications - Check Point explains that this is usually requested by malware to create fake login screens for other apps, with the aim of stealing victims' credentials - ignore battery optimizations, which keeps the malware running when it would otherwise be shut down as idle by the device's battery saving routine. And finally, it asks for notification access, specifically the notification listener service. This is valuable because it enables actors to automatically perform actions, including dismissing and replying to messages. 

Dave Bittner: Check Point explains, quote, "if these permissions are granted, the malware then has everything it needs to start distributing its malicious payloads and responding to incoming WhatsApp messages with auto-generated replies. Theoretically, through these auto-generated replies, a hacker can steal data, cause business interruptions on work-related chat groups and even extortion by sending sensitive data to all the user's contacts," end quote. 

Dave Bittner: And finally, the Molerats are back and seem to have upped their game a bit as they continue to catfish for Israeli military personnel. The Molerats are also known as the Gaza Hackers Team, Gaza Cybergang, DustySky, Extreme Jackal or Moonlight. 

Dave Bittner: Researchers at Cado Security say that the Palestinian-associated group, which they accord a middling grade for sophistication, is using voice-changing software in social engineering calls during which they pose as women seeking to approach Israeli Defense Forces personnel. As Cado points out, the known members of the Molerats are all actually men. So IDF, a pro tip - the women you think you are talking to are probably really dudes, not that there's anything wrong with that. Some of us around here are dudes, too. But you should probably kick the tires on that virtual relationship before things get out of hand. 

Dave Bittner: The team at anti-fraud security firm DataVisor recently published their "Digital Fraud Trends Report." Fang Yu is CTO and co-founder of DataVisor. 

Fang Yu: Yeah. So at DataVisor, we globally protect 4 billion user accounts, and we protect a lot of, like, large institutions for virus fraud attack. And we produce a fraud report every year. So this fraud report is especially interesting because it covers the period of a pandemic, which is actually new to us. So we actually provide quite some interesting insights from the behavior change of both fraudster (ph) and now more user during the pandemic period. 

Dave Bittner: What sort of advice do you have for folks to best protect themselves against this? 

Fang Yu: So there - if you look at the fraud trend - right? - the providers in financial institutions, I think the fraudsters are coming back in high attack waves. So I think the message is that it is true that the fraud went down quite a bit during the pandemic period, but now it's actually coming back. For the e-commerce, et cetera, and the social platforms, we see a spike last year, and we expect continue to see that. 

Fang Yu: And then the one other things we are seeing from the fraud trend is that the fraud is actually going more and more sophisticated. And then - especially in terms of two areas. One is account takeover. So many will see 79% to 90% of the financial fraud attacks are originated or are associated with account takeovers. So account takeover is especially hard for, like, remote, right? Everybody now is actually remote, not actually going to the branch, going online, et cetera. So everyone needs to be very, very careful with their customers' accounts not being taken over. 

Fang Yu: The second, actually, advice I want to give is actually pay very much attention to the attacks from mobile. Although the mobile fraud rate is still much, much lower than the fraud rate from desktop, for example - the fraud rate from the mobile platform is only 0.5%, versus the fraud rate for on desktop is 7.4%. But that's a percentage that's actually going up. 

Fang Yu: And I also want to emphasize that the fraud rate from the mobile platforms are usually those very, very sophisticated ones because they - to conduct a desktop attack, it's actually much more easier. Then you can actually have it programmed. But for attack coming from mobile, you need to look at the device. You can jailbreak. You can hook - you put something there. But it's actually very, very important. 

Fang Yu: Many people are asking if the mobile device is very low fraud. Actually, that is true with less screening. But once attacker actually finds a way to - how to attack on mobile, they can quickly, like, stamp many, many different devices. They can put emulators. They can put things - so the attack wave can be much bigger because nobody is actually very prepared for that. 

Dave Bittner: That's Fang Yu from DataVisor. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host on the "Hacking Humans" podcast. Joe, great to have you back. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: A couple of articles over on ZDNet. These are written by Danny Palmer. And he's been tracking the fact that over in the U.K., the NCSC has a new sheriff in town, to mix national metaphors, I suppose. 

Joe Carrigan: Yes.

Dave Bittner: Who do we have here, Joe? 

Joe Carrigan: Dave, her name is Lindy Cameron, and she is the new CEO of the National Cyber Security Centre. And the article that caught my eye here was Hacked Companies - this is the headline - "Hacked Companies Had Backup Plans, But They Didn't Print Them Out Before the Attack." 

Dave Bittner: Yeah (laughter). Oops. 

Joe Carrigan: Yep. This is something I've said multiple times, I believe, on this show and possibly over on "Hacking Humans." But, you know, when you go through the trouble of making a business continuity plan and a recovery plan and, you know, let's think about what's going to happen if we get hit by ransomware, well, we've got the plan. It's all right here. But if you don't have that printed out, it's going to be encrypted when you get hit with a ransomware attack. So... 

Dave Bittner: (Laughter) Right, right, right. Have it on a binder on a shelf, right? 

Joe Carrigan: Right. Have it on a binder on a shelf. There - the paperless office is a myth (laughter). It's never going to happen. We're going to need to keep paper because it's really hard to hack paper. One of the things that people say is you can't Google paper, which is true; you really can't run a search engine on paper without first, you know, turning it back into a digital media, which is really an unnecessary step. But it is a critical step if your data is destroyed or damaged. 

Dave Bittner: Yeah. 

Joe Carrigan: And that needs to be addressed. One of the things - she has a quote in here. "I've talked to organizations which have walked in on Monday morning to find they can't turn their computers on. The backup plan was not printed out, so they couldn't find a phone number." 

Dave Bittner: Right. 

Joe Carrigan: If you're doing business continuity planning, you should have a telephone tree for your business continuity plan printed out and put on a shelf somewhere. This is actually something I've taken part in years ago. 

Joe Carrigan: Actually, before I was involved in - you know, made a career shift to cybersecurity organizations, I was involved in working on business continuity plans with a company. And one of the things that we did was develop a phone tree list and print that list out. And the reason we were thinking about that wasn't so much for ransomware because this was back in the early 2000s, but it was for a natural disaster, right? 

Joe Carrigan: It's still the same problem. You have - you've lost access to your systems because they're gone; they don't physically exist anymore. So you need to have a way to access that information. And the only way that we could come up with and the most cost-effective way is just print it out, print it out and keep a copy of it. 

Dave Bittner: Yeah. I would add, too, that - don't count on your corporate phone system to be working, right? 

Joe Carrigan: That's right. Yeah. 

Dave Bittner: I mean... 

Joe Carrigan: Yeah. 

Dave Bittner: ...That could be part of the ransomware grab. Or in case of a natural disaster or something like that, you know, have people's personal mobile phone numbers as part of that tree as well. 

Joe Carrigan: Yeah, that's an absolutely excellent suggestion, Dave. You're 100% correct because these - your corporate phone system is probably computer-system-based now. And it is just as easy to bring that down as it is to take your network of servers down. 

Joe Carrigan: One of the things that's interesting - a good quote from Ms. Cameron here is "there is no doubt that organizations that have experienced" - and she - by that she means a ransomware attack - "have a much more visceral sense of what it feels like to experience (ph) a ransomware attack or a cyberattack, and therefore (ph), they're better prepared." 

Joe Carrigan: I'm reminded of a child that touches a hot pan, right? You know, when your kids were young, you'd say, don't touch the hot pan, don't touch the hot pan, but they had to touch the hot pan at some point in time, right? 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: I distinctly remember this as a kid when I did this. I could tell you exactly where it happened. It was at a Roy Rogers in Olney, and there was a sign that said hot. And I was like, well, let's see what happens. 

Dave Bittner: (Laughter). 

Joe Carrigan: And, you know, I was very young and, sure enough, burned my finger, right? 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: I tell a great story about my daughter with this. But you know what? I don't go around touching hot things anymore. Neither does my daughter. 

Dave Bittner: Yeah. 

Joe Carrigan: Neither does any kid that's ever touched something hot. 

Dave Bittner: (Laughter). 

Joe Carrigan: They learn that lesson. And this is exactly... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Exactly the same thing - that people who have been through these cybersecurity attacks, they have an absolutely clear understanding of how bad it is, so they... 

Dave Bittner: Right. 

Joe Carrigan: ...Prepare for it to protect themselves. And boardrooms that haven't been through this are probably less prepared. I think this is a great observation on her part. 

Dave Bittner: Yeah. They also point out that the NCSC has some tools that they offer up. One of them's called Exercise in a Box. 

Joe Carrigan: That's right. That's a great idea. 

Dave Bittner: Yeah. And, you know, I think we've covered this as well, that, you know, you need to practice like you play to use that old sports metaphor - that these tabletop exercises, these simulations, you know, that is going to put you in a much better place than just reading through the plan. 

Joe Carrigan: Right. Absolutely. 

Dave Bittner: You know, to actually go through it and say - to have someone there and say, OK, none of the phones work. Now what are you going to do? 

Joe Carrigan: Right. 

Dave Bittner: You know? 

Joe Carrigan: Yup. 

Dave Bittner: OK, you know, you can't access these files. Now what are you going to do? OK, the press is calling. What's your response going to be? How quickly you're going to - you know, so to feel that heat, right? 

Joe Carrigan: Yes. 

Dave Bittner: That's going to put you in a much better place. 

Joe Carrigan: Those kind of exercises are absolutely invaluable. It's... 

Dave Bittner: Yeah. 

Joe Carrigan: And not only that, but you can actually do - you know, you can hold these exercises, like, annually or semiannually or maybe even quarterly if you like... 

Dave Bittner: Yeah. 

Joe Carrigan: ...To make sure that your team that has to handle this is prepared. The exercises take less than a day. Everybody can come together. I think it pays dividends in the future. But you can also just do on a weekly basis. We've talked about this before. Grab a newspaper, look at one of the cybersecurity headlines and go, what do we do if this happens to us? And just have people think about it weekly, you know? Make sure that people are aware and in that mindset so that when things happen, they at least have the neural pathways already in place to understand what's going on. 

Dave Bittner: Yeah. Yeah. All right. Well, a couple articles over on ZDNet written by Danny Palmer, so do check those out if you're interested. Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Put a little distance between yourself and the crowd. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.