The CyberWire Daily Podcast 4.9.21
Ep 1308 | 4.9.21

A new Lazarus backdoor. Malvertising for a bogus Clubhouse app. Cryptojacking the academy. When is a cartel not a cartel? Strategic competition between the US and China. Choking Twitter.


Dave Bittner: Lazarus Group has a new backdoor. Bogus Clubhouse apps are advertised on Facebook. Cryptojacking goes to school. A ransomware cartel is forming, but so far apparently without much profit-sharing. The U.S. Senate is preparing to make strategic competition with China the law of the land. Dinah Davis from Arctic Wolf looks at phony COVID sites. Our guest is Jaclyn Miller from NTT on the importance of mentoring the next generation. And Russia remains displeased with a lot of Twitter's content.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, April 9, 2021. 

Dave Bittner: Researchers at ESET have discovered a hitherto unremarked backdoor North Korea's Lazarus Group deployed against a South African freight company. The backdoor, Vyvera, has been in use since December of 2018. Its initial compromise vector is still unknown. 

Dave Bittner: Code similarities and the reuse of familiar techniques lead ESET to attribute Vyvera to Lazarus with high confidence. As they put it, quote, "Vyvera shares multiple code similarities with older Lazarus samples that are detected by ESET products as the NukeSped malware family. However, the similarities do not end there. The use of fake TLS in network communication, command line execution chains and the way of using encryption and Tor services all point towards Lazarus," end quote. 

Dave Bittner: TechCrunch reports that criminals have taken out a number of ads in Facebook to hawk what they misrepresent as a Clubhouse app for PCs. Facebook has removed the ads, several of which stopped attempting to communicate with their command-and-control servers in Russia after they were sandboxed. At least some of the malicious ads appear to have been intended to deliver ransomware. 

Dave Bittner: As much commentary has noted, educational institutions are increasingly attractive targets for cyberattack. Avast points to a large and vulnerable attack surface poorly defended by under-resourced security programs. While ransomware attacks have drawn considerable attention, Palo Alto Networks' Unit 42 has found that other forms of crime, notably cryptojacking, are also causing problems. Recent cryptojacking incidents in Washington State seem to have been incentivized by rising alt-coin prices. Their conclusion is a glum one. Quote, "cryptojacking is always going to be around, and so are the network attacks that make cryptojacking possible," end quote. 

Dave Bittner: The word cartel is one that raises the antennae, sometimes hackles. It sounds menacing, evoking either fat-cat profiteers under Mussolini or lethal drug lords, the kind of people who made you sort of almost root for Gus Fring and Los Pollos Hermanos when you watched “Breaking Bad.” 

Dave Bittner: So when there was talk of the Maze gang establishing a ransomware cartel, that sounded pretty no bueno. How'd it all work out for them? 

Dave Bittner: Well, ransomware-as-a-service and other similar features of the criminal-to-criminal market are well-established and well-known. But a cartel in the narrower sense, the kind that might gather around Don Eladio's pool to arrange cooperation and divvy up turf - did that work? 

Dave Bittner: Analyst1 this week published its study of the aspiring cartel lords, and they found that they fell somewhat short of their aspirations and others' fears. Analyst1 not unreasonably took profit-sharing as one of the essential features of cartelization, and it's precisely such sharing that seems to be missing. 

Dave Bittner: The cartel Maze apparently aspired to organize would have brought in operators of not only Maze, but also RagnarLocker, SunCrypt, LockBit, and Conti/Ryuk as well. The formation of such a cartel was announced in a communique by the Ukrainian gang Twisted Spider. Analyst1 notes, if this is true, this collaborative partnership, sharing resources and revenue, would pose a far greater threat to the community than attacks from smaller individual gangs by themselves. 

Dave Bittner: The gangs involved in the cartel, as distinct from the ransomware strains they deploy, are Twisted Spider, Viking Spider, Wizard Spider and the LockBit Gang. SunCrypt, now defunct, also claimed to be part of the cartel. But in any case, they're now out of business. These gangs are Russophone, and they operate out of Eastern Europe. They also avoid hitting Russian targets, taking steps to ensure that their payloads don't execute against Russian victims. There's some division of labor and some sharing of tips and infrastructure. They're looking into automation, and several of the gangs do offer ransomware-as-a-service to less-skilled hoods. 

Dave Bittner: But profit-sharing? Not so much, at least not so far. The report concludes, Analyst1 assesses that the cartel is not an authentic entity, but instead a collective of criminal gangs who at times work together in ransom operations. There needs to be more than cooperation, resource and tactic sharing between gangs for their partnership to qualify as a true cartel. Profit-sharing is the primary element missing in the coalition of ransomware attackers discussed. Cartels are dangerous due to the large financial resources that profit-sharing provides. 

Dave Bittner: Bloomberg reports that the US Senate Foreign Relations Committee has prepared a comprehensive bill - 283 pages long - that would establish a policy of strategic competition with China. The measure, which the Senate majority leader hopes to bring to a vote with bipartisan support this spring, would increase U.S. investment in technologies deemed strategically important, seek to foster a joint approach to China with U.S. allies and would extend the jurisdiction of the Committee on Foreign Investment in the United States to colleges and universities that receive more than $1 million in gifts from a foreign source. That last measure is designed to close off the relatively unfettered access Senators see China having enjoyed to the relatively freewheeling U.S. academic research system. That access has been regarded as a threat to intellectual property by FBI Director Wray and others. 

Dave Bittner: And finally, the Russian government is still displeased with Twitter, which isn't knuckling under fast enough to suit Moscow in the social platform's compliant removal of content that Russian law and policy regard as illegal. Techdirt has an account of how Russian authorities have extended the slowdown they've imposed by way of reprisal. They're using middleboxes to run Twitter traffic through for deep packet inspection. 

Dave Bittner: Because there are workarounds available to avoid this, Russian authorities are responding to those workarounds with what Techdirt calls the more collateral damage-prone IP-level blocklists. The writer suggests that being forced to use blocklists, quote, "might act as a deterrent for censorship-obsessed governments that don't want a whole lot of attention focused on the fact they are massive cowards afraid of the free exchange of information that might challenge their hegemony." 

Dave Bittner: But, you know, probably not. A government whose predecessor classified road maps and severely restricted access to photocopiers is unlikely to worry too much about that form of reputational damage. Now, depicting them as a cute bear spilling his Halloween candy, that will make them crazy. 

Dave Bittner: Jaclyn Miller is chief information security officer for global managed services and platforms divisions for NTT Ltd. Her day to day includes overseeing security and compliance programs, but in addition to that, she spends time mentoring young women, making sure they know there's a place for them in the industry. Here's my conversation with Jaclyn Miller. 

Jaclyn Miller: Any woman who has grown her career in technology and in cybersecurity has had to overcome some very common challenges, which is, you know, on the way up, there are very few, if no, mentors that looked and sounded like me, right? I've had fantastic mentors over the years and do today, but a lot of them are men and, just to be frank, white men. And they have incredible skill, strengths and experience that I draw from when I have questions or I'm working through something that I need a mentor for, but the challenging part is it's lonely. That rise to the top is lonely, and it doesn't have to be that way. 

Jaclyn Miller: So I think, you know, one of the most important things for me, looking back over how I grew, is helping others that are looking to make that journey into leadership in technology and cybersecurity - make sure that they have forums where they can find like-minded women who are going through the same process as themselves and also women that have been through it. And finding those resources can be challenging, although I will say it is getting considerably easier. And there's just more out there in the world right now, which is fantastic. 

Dave Bittner: When you're out and about, you know, mentoring younger women who are considering coming up into the industry, what's your message? What sorts of inspiration do you share with them? 

Jaclyn Miller: So I pull from, you know, my background as much as possible, which is, it's more important to get started than it is to know all the things that there is to know about cybersecurity. Certainly, if young women have the opportunity to go through an associate's or a bachelor's program before they enter the workforce, that's fantastic. But only about 50% of women that are in the workforce - and even lower with men - actually have a degree before getting into cybersecurity. 

Jaclyn Miller: And I think that's really interesting. And it's - identifies the fact that there are multiple paths into the industry. So when I'm talking with women that are thinking about that, it is to recognize that there are multiple channels in and not to keep your blinders on and think that there's only one path forward or one way to succeed in terms of developing a career in cybersecurity. There's a lot of really great certification programs that can help women if college is not something that is affordable or just from a timing perspective is not something that's achievable. 

Jaclyn Miller: And I think cybersecurity benefits from a really diverse background. So having people that come in from very different experiences is incredibly important to making sure that we have full line of sight of the types of threats and scenarios we need to be aware of going into the future. 

Dave Bittner: And how do you spread that message from the top down - you know, getting that word out to the folks who are doing the hiring? 

Jaclyn Miller: Yeah. One thing I can't stress enough, whether it's cybersecurity or any other type of technical field, is making sure that you have a diverse hiring panel. So one of the key indicators in studies or key success factors in studies that have been done over the last 15 years is making sure that there's women and other diverse hiring managers, or even just advisors, on that hiring panel. It'll help identify resources that don't look so male and don't look so white. 

Jaclyn Miller: You know, we as humans have a natural tendency to be drawn to people that look and sound like us. That's a natural thing that - a natural trend that happens. And by diversifying our hiring panel, we're opening ourselves up to having a different conversation and seeing candidates through different lights, which is really hard to do when you're just trying to do all of that - you know, have all of those world experiences yourself. I don't think that any one manager is that well-rounded. It takes a team to make those types of decisions, especially for leadership or middle management, team lead or senior architecture roles. I highly recommend having more of a panel-style interview. 

Dave Bittner: Our thanks to Jaclyn Miller from NTT Ltd. for joining us. 

Dave Bittner: There is a lot more to our interview. Don't forget to go listen to extended versions of this and many other interviews at CyberWire Pro. It's on our website, 

Dave Bittner: And I am pleased to be joined once again by Dinah Davis. She is the VP of R&D at Arctic Wolf. Dinah, great to have you back. You know, we are being bombarded with information about COVID vaccines as they're being rolled out. And along with that comes folks who are trying to lure us to illegitimate sites. I wanted to check in with you for some tips on, how do you know if a vaccine site is the real deal? 

Dinah Davis: Yeah, I think this is really important, right? You don't want to be giving out your personal information, maybe your insurance information - or in Canada, like, your health card information or things like that - to sites that are not real. So you can actually follow a very similar path that you would for checking out if a website is good to shop on or not. 

Dinah Davis: So the first thing you want to do is check for spelling mistakes in the domain name. If it is a statewide vaccine program, you know, you can probably find it off of the state website instead of, you know, clicking a link that you may have gotten in an email, right? I know in Canada, every single province has a link to its vaccine program on their main provincial websites, right? So clicking things that come in an email, probably not a good idea. Obviously, we always say that, but in this case, you know, these types of sites should be easily found on the internet through sites you trust. 

Dinah Davis: But what if you can't check that, and you're not really sure? OK, let's take a look. Is the website secure? Is it using HTTPS instead of HTTP? If it's not, I would not trust that at all. 

Dave Bittner: Yeah. 

Dinah Davis: And then, you can use a website. My personal favorite is That is the actual thing - And so I ran through one of - I live in Ontario, so I ran through our COVID site for the Ontario provincial government, and I had it run the report for me. And so the report summary was potentially legitimate. So they're never going to say 100% yes, it's legitimate... 

Dave Bittner: (Laughter). 

Dinah Davis: ...Because the one time that they were wrong, they don't want to get sued. So... 

Dave Bittner: Right. Yeah. 

Dinah Davis: ...Usually you'll see potentially legitimate or you will see potentially not legitimate, and you go from there. So then it checks about five things for you that, you know, you could go and check on yourself, but it's easier to do it this way. So it checks the Web of Trust rating or the WOT rating. And that WOT rating is a crowdsourced and collected website ratings and reviews from over 6 million users. It's like a non-profit site that runs. And so the rating of that particular website was 93 out of 100, which is obviously quite good, right? But if it has a low WOT rating or it doesn't even have a WOT rating? Bad. Very bad. Bad, bad, bad. 

Dave Bittner: Yeah (laughter). 

Dinah Davis: It then checks a number of website blacklist sites. So there's a whole bunch of sites that will collect known bad sites. So this service will check against that to make sure it's not on one of those lists. Cool, good, it's not. Domain creation date - so if it's off of a state site or, you know, a local health site, that thing should have been created quite a while ago. So for example, was created 18 years ago. If it was created in the last four months, it doesn't necessarily mean it's completely bad because it's possible that a vaccine site could have been created then, but it's not a good indicator because usually it'll be just a page off of a more stable site, right? 

Dinah Davis: Obviously, the HTTPS it checks. And then it also checks the website popularity. So how much traffic does the site get? So if it's legitimate, it should be a lot of traffic. And they use the Alexa Traffic Ranking. So for, it's ranked like 5,000th among the world's most busy websites. Any rank below 500K, that's lots, so it's probably a pretty legit site. And then it goes into even, like, ten more things you can go check out on your own. But in my experience, if the five things above checked out, you're probably good to go. If any of those are bad, you're going to want to really take a second look or try and get to the site from a formal, like, state site or hospital site or something like that. 

Dave Bittner: Yeah. So 

Dinah Davis: Yeah. 

Dave Bittner: That's a good one. I'll have to check that out. It's a - you know, as you say, it's a convenience to have all of these different tests run. Any one you could do on your own, but to have them all in one place saves everybody a bit of time. 

Dinah Davis: Yup. And I run it all the time on all kinds of sites - shopping sites and anything where I'm like, not really sure if that's legit. 

Dave Bittner: Yeah. All right. Well, good information. Dinah Davis, thanks for joining us. 

Dinah Davis: You're welcome. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. It keeps working even after 30 minutes. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Paru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.