The CyberWire Daily Podcast 4.28.21
Ep 1321 | 4.28.21

More intelligence on Ghostwriter, and a convergence of hacking and influence operations. Naikon APT has a new backdoor. FluBot returns. MAPP reconsidered. Defense counsel on Cellebrite.


Dave Bittner: Ghostwriter is back and has moved its chaos troops against fresh targets in Poland and Germany. The Naikon APT has a new secondary backdoor. FluBot, temporarily inhibited by police raids, is back and expanding its infection of Android devices across Europe. Microsoft is rethinking how much and with whom it wants to share vulnerability information. Joe Carrigan examines a phone scam targeting Amazon Prime customers. Our guest is Tzury Bar Yochay of Reblaze on open-source software and scalability. And Signal's discovery of Cellebrite issues is finding its way into court.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 28, 2021. 

Dave Bittner: Several security companies have released news about revived threats. We'll run through a few of the more prominent discussions. 

Dave Bittner: FireEye's Mandiant unit this morning updated its research into Ghostwriter, an influence-operator that came to attention last year as it sought to affect public opinion in Latvia, Lithuania and Poland. Its messaging then was anti-NATO. The campaigns of 2020 relied upon artlessly crude forgeries and implausible rumormongering. But, of course, disinformation doesn't need to be art as long as it can get the right amplification, which Ghostwriter worked to accomplish. 

Dave Bittner: It was easy for officials to quickly debunk such hogwash as the claim that Canadian soldiers were spreading COVID-19 or that an internal memo circulating in the Polish Ministry of Defense called for resistance against an American army of occupation. A forged memo helpfully provided hijacked social media accounts used to lend plausibility to a very implausible narrative. CyberScoop offered a useful account of these efforts at the end of last July. But, of course, lies can have a bit of a run if they're provided with a head start. 

Dave Bittner: In any case, Ghostwriter has now expanded its thematic content to include disruption of domestic Polish politics and also, according to Tagesschau, credential theft attacks on German political figures. FireEye believes the threat actor it tracks as UNC1151 operates some portions of Ghostwriter. The firm characterizes UNC1151 as a suspected state-sponsored cyber-espionage actor that engages in credential harvesting and malware campaigns. 

Dave Bittner: "Tagesschau" calls the attackers chaos troops, which is apt enough for an operation that aims at disruption. At least seven members of Germany's Bundestag have received phishing emails, as have some 30 members of the Länder assemblies - that is, the state-level legislators. German authorities are taking the activity seriously. 

Dave Bittner: FireEye, as is its practice, doesn't attribute Ghostwriter explicitly to any government, but the firm does note that its activities are aligned with Russian security interests. This isn't, it appears, just prim policy on the company's part, but rather a recognition of the inherent challenges of attribution. 

Dave Bittner: FireEye writes in their full report, quote, "at this time, we do not attribute the Ghostwriter campaign to a specific actor or group of actors. Instead, we refer to Ghostwriter as an activity set, with various incidents tied together by overlapping behavioral characteristics and personas, rather than as an actor or group in itself," end quote. 

Dave Bittner: The report goes on to say, quote, "it appears, based on the limited public information available regarding the website compromises we've tied to Ghostwriter, that the actors behind the campaign are relatively well-resourced, either directly possessing traditional cyberthreat capabilities themselves or having ready access to operational support from others who do. It is plausible that Ghostwriter operations are conducted by overlapping actors or groups that are also behind other influence campaigns or incidents of cyberthreat activity," end quote. 

Dave Bittner: FireEye doesn't say as much, but the Ghostwriter actors do prowl and growl like bears. But their study is interesting as a case study in careful study of espionage and influence campaigns. Attribution is inherently difficult. Operational style rarely amounts to dispositive evidence. In American targeting jargon, this sort of evidence amounts to a set of possibly related target indicators, not clearly discerned targets. 

Dave Bittner: Bitdefender reports a new approach by the Naikon APT, a group it associates with the Chinese government. Active for more than 10 years, Naikon focuses on government and military targets in South Asia. It's now deploying a secondary backdoor, Nebulae, which Bitdefender believes plays an important role in the APT's persistence in victim networks. 

Dave Bittner: FluBot, temporarily bopped when Spanish police arrested several of the hoods associated with the Android malware earlier last month, is back and expanding its geographical reach, Proofpoint reports. New infestations have been observed in the United Kingdom, Germany, Hungary, Italy, Poland and Spain. Proofpoint expects FluBot to reach North America soon. 

Dave Bittner: FluBot infections begin with an SMS message baited with a bogus notification from a spoofed delivery service. Should the victim swallow the hook, FluBot installs a payload on their device that includes spyware, an SMS spammer and credit card and banking credentials stealers. 

Dave Bittner: According to Bloomberg, Microsoft is rethinking how it shares information with the 81 corporate members of the Microsoft Active Protection Program. Redmond suspects that some participants may have tipped off hackers when Microsoft gave MAPP members early warning of the vulnerabilities Hafnium rapidly exploited and that were swiftly taken up by cybercriminals. Microsoft and most others regard Hafnium as a Chinese government threat actor. 

Dave Bittner: While Microsoft continues to see many advantages in MAPP, it's reconsidering how much and with whom it ought to share in the future. At present, suspicion centers on two Chinese firms that participate in MAPP. Bloomberg asked the Chinese government about the incident and received the pious bromide one might expect. Quote, "China resolutely opposes any form of online attacks or infiltration. This is our clear and consistent stance. Relevant Chinese laws on data collection and handling clearly safeguards data security and strongly oppose cyberattacks and other criminal activity," end quote. 

Dave Bittner: Beijing also offered some instruction for the media. Quote, "we hope the media adopts a professional and responsible attitude, relying on comprehensive evidence when determining the nature of cyberspace events, but not groundless speculation," end quote. So OK then. 

Dave Bittner: And finally, inevitably, the vulnerabilities in Cellebrite's forensic tool that Signal recently exposed have found their way into the courtroom. Vice reports that defense attorneys for a convicted robber whose collar was enabled by data obtained using Cellebrite have entered a motion for a new trial. 

Dave Bittner: The lawyers argue, quote, "in essence, internal security on Cellebrite devices is so poor that any device that is examined may in turn corrupt the Cellebrite device and affect all past and future reports." They also argue that, quote, "a new trial should be ordered so that the defense can examine the report produced by the Cellebrite device in light of this new evidence and examine the Cellebrite device itself," end quote. 

Dave Bittner: This is, as Gizmodo suggests, unlikely to be the last motion of this kind. 

Dave Bittner: There's a popular philosophy that making use of open-source software not only has the potential to save time in your development process but can lead to more secure outcomes as well. Tzury Bar Yochay is co-founder and CTO of security company Reblaze. And he believes that for security, open-source software is the way to go. 

Tzury Bar Yochay: When it comes to cybersecurity, you should aim using as much as possible open-source frameworks, open-source platforms and open-source software. The reason is when you use open source, your security is a factor removed from the equation. And if there is a bug, say bug vulnerability within the framework of the platform, the tool you're using, most likely will the popular open source to be fixed and corrected, even discovered quicker than within any other proprietary alternative. 

Tzury Bar Yochay: Open source, today, security is actually used, I would say, almost everywhere, anywhere. If you're looking at TLS, SSL, HTTPS - secure web applications, secure websites, secure API - most likely, the underlying software used is either OpenSSL or LibreSSL or any other implementation, all of them which are open-source. Encryption - common encryption methodologies and techniques and algorithms are all open-source, so it's everywhere. 

Tzury Bar Yochay: And most of the cases so far that we have been looking at, vulnerabilities were taken advantage by hackers by - I would say by malicious activities. Those actually were made exploiting and taking advantage of a time window of which the used software was known to have vulnerability, such as a CVE disclosure, and yet it took time for the organization to patch, to fix, to correct their platform, to update their platform and to prevent against that, what was, up until that point, a zero-day attack. So again, with open source, things are done usually quicker and faster. 

Dave Bittner: And when you hear that folks are resisting the use of open source, what is typically the argument there? 

Tzury Bar Yochay: I barely hear those voices, to be honest. I can imagine people still thinking that security by obscurity is still a thing, which obviously it isn't. So for them, proprietary - it's like a smoke screen that makes things harder for hackers to break in, which is not the case. 

Dave Bittner: That's Tzury Bar Yochay from Reblaze. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: You know, over on "Hacking Humans," you and I cover a lot of stories about scammers and scams and people being victimized by these folks. And... 

Joe Carrigan: Yes. 

Dave Bittner: ...I want to highlight one of those stories. This is from the Chicago Tribune, article written by Kimberly Fornek. And it's titled "Indian Head Park Woman Loses $48,000 in Amazon Prime Phone Scam That Took a Month to Unfold, Son Says." 

Joe Carrigan: Right. 

Dave Bittner: What's going on here, Joe? 

Joe Carrigan: So what happened was, actually, this woman was brought to police attention in early March, on March 4, when she went to a grocery store and purchased two $500 gift cards. She's an older woman. She is 87 years old. And the clerk, who is actually, you know, kind of an unsung hero in this story - the first thing this clerk does is call the cops and go, look; I think this lady is getting scammed out of some money 'cause, generally, 87-year-old women don't come in here and buy two $500 gift cards. 

Dave Bittner: Right. 

Joe Carrigan: And the police managed to find the - find this woman. They went to her house. And the woman was adamant - absolutely adamant - that she had purchased these gift cards for family members. 

Joe Carrigan: But come to find out what had happened was she was a victim of an Amazon scam. And we're seeing these more and more in the news. People say the scammers call you up or notify you and say, hey, there was a big purchase made on your account, and we need to work this out, right? And I don't even know if this woman has an Amazon account. Maybe she does. Maybe she doesn't. But the scammer said it was a $600 purchase, and then it became a $6,000 purchase. And somehow, he managed to get her to start sending gift cards to him. And he was saying, look; if you don't help me out here, I'm going to get fired, right? So he was playing on this woman's sympathies, her desire to help people... 

Dave Bittner: Right. 

Joe Carrigan: ...Along with her fear of having to owe money for something she didn't do. But in the end, this guy had managed to get her to send him $48,000 worth of gift cards by constantly telling her, these gift cards - I can't access the money because you purchased them with cash. 

Joe Carrigan: This is things that absolutely don't make sense to me, right? These are non-sequitur statements. But to somebody who's not familiar with how gift cards work, it may make sense. It may be some kind of thing that you can wrap your head around or some kind of model that you can fit in there to complete the thing. 

Dave Bittner: Right. 

Joe Carrigan: But it's important to remember that we have to educate these people. 

Joe Carrigan: Oh, one thing I want to say about this story is that this scammer did a remarkably good job at isolating this woman. She did not talk to people about it. She - when the cops showed up and asked her about it, she was prepared by the scammer. She was groomed by this scammer to say, no, no, I'm buying these for a family member. Even though this - because the scammer knows that's what's going to happen, is somebody is going to say, who are you buying this for? And the scammer says, you tell them that you're buying it for a family member regardless... 

Dave Bittner: Right. 

Joe Carrigan: ...Whatever they ask you. 

Dave Bittner: You don't want me to get in trouble. You don't want me... 

Joe Carrigan: Right. 

Dave Bittner: ...To lose my job. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. 

Joe Carrigan: This is a gift card scam with a new angle. And I think maybe that's why they're going after it, is because Amazon does accept gift cards, but they have to be Amazon gift cards. 

Dave Bittner: Yeah. 

Joe Carrigan: So maybe they're instructing this woman, go out and buy some Amazon gift cards because you can walk into any store and buy Amazon gift cards. 

Dave Bittner: Right. 

Joe Carrigan: And if I'm pretending to be from Amazon, that might be a plausible scam. 

Dave Bittner: Yeah. And I guess part of what we're after here is trying to get the word out to your loved ones. You know, most of us are probably in a situation where we're providing tech support for many of our family members who may not be as, you know, sophisticated when it comes to devices as we are. 

Joe Carrigan: Yeah. 

Dave Bittner: And so part of that is educating them that if anybody asks you for anything having to do with a gift card, that is a big red flag. 

Joe Carrigan: Right, absolutely. And the problem here is that this woman was isolated. So you have to get out there now and tell people about this because once the scammer gets their talons into the victim, they're not letting go, you know? And that victim is probably never going to tell you about it, which is... 

Dave Bittner: Right. 

Joe Carrigan: ...The way these guys want it. They want this to be an under-the-rug kind of event, you know? 

Dave Bittner: Yeah. In this case, the woman's son found out what had happened, and he was the one who went back to the police. 

Joe Carrigan: Right. 

Dave Bittner: And as you mentioned earlier, she'd been conned out of $48,000. 

Joe Carrigan: Forty-eight thousand dollars, and there's probably nothing she can do to get that money back. 

Dave Bittner: Nope. Nope. All right. Well, go out there, tell your friends and family. Remind them to be aware of these sorts of things. And, you know, gift cards are a red - you know, it's funny, Joe. I was at the local Home Depot just last week. I was buying some stuff to, you know, prep my gardens for spring. 

Joe Carrigan: Yup. 

Dave Bittner: And right there next to the checkout was a sign that talked about gift cards and... 

Joe Carrigan: Yeah, I actually - I had the exact same experience at Lowe's. Both Home Depot and Lowe's had these signs up, I guess. 

Dave Bittner: Yeah. 

Joe Carrigan: It's a big sign that says that this is a scam. And... 

Dave Bittner: Right. 

Joe Carrigan: ...Good on Home Depot and Lowe's. 

Dave Bittner: If someone has asked you to buy gift cards, it's likely a scam. Yeah. 

Joe Carrigan: That's right. Thank you, Home Depot and Lowe's, for putting those signs up. That's fantastic. 

Dave Bittner: Yeah. Yeah. It's a shame it's gotten to that point where it's necessary, but here we are, right? 

Joe Carrigan: Yup, absolutely. 

Dave Bittner: (Laughter) All right. Well, Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.