The CyberWire Daily Podcast 5.28.21
Ep 1343 | 5.28.21

A phishing campaign poses as USAID. APTs exploit unpatched Pulse Secure and Fortinet instances. Healthcare organizations continue recovery from ransomware. A look at Criminal2Criminal markets.


Rick Howard: Hey, guys. Rick here with a special announcement. You all know about CyberWire Pro, our subscription service that unlocks access to our premium and original programming, where we bring in leading industry experts to create informative and actionable cybersecurity content that you just can't get anywhere else. I wanted to let you all know about a special promotion we're currently running for Memorial Day. Just this week, you'll get one month free on top of the already discounted price of $99 when you purchase a CyberWire Pro annual subscription. Sign up and get your free month at

Dave Bittner: A phishing campaign this week appears to be the work of Russia's SVR. Chinese government threat actors continue to exploit unpatched Pulse Secure instances. The FBI renews warnings about unpatched Fortinet appliances. Health care organizations still work to recover from ransomware. Rick Howard speaks with author Andy Greenberg on his book "Sandworm." Ben Yelin weighs in on questions Senator Wyden has for the Pentagon. And a look at the criminal ransomware market, including the consultants who serve the extortionists. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, May 28, 2021. 

Dave Bittner: The week ends with more stories of cyber-espionage. Microsoft yesterday announced its discovery of a new campaign by the Russian threat actor Redmond calls Nobelium, which is the group others know as Cozy Bear. By general consensus, it is associated with both Russia's SVR and the SolarWinds compromise. Nobelium this week succeeded in compromising a Constant Contact email marketing service account belonging to the U.S. State Department's internal assistance agency, USAID. The threat actor then used that account to send convincing phishing emails to more than 3,000 accounts at over 150 organizations. The phish hook was a link that installed the NativeZone backdoor. And Microsoft has provided technical details about the attack. U.S. organizations were most heavily targeted, but at least 23 other countries were also affected. 

Dave Bittner: Volexity, which has also been tracking Cozy Bear's new campaign, points out that the phishbait in the emails was frequently election-themed. Here's one representative screamer - USAID Special Alert. Donald Trump has published new documents on election fraud. Another is, foreign threats to the 2020 U.S. federal elections, which seems like a cheeky bit of phishbait for Cozy Bear to use as chum. Volexity doesn't claim to have any certainty about who's behind the campaign, but it does think the attack looks like the work of a known threat actor it has dealt with on several previous occasions. It does cite four attributes that point toward APT29 - that is, the SVR. The attackers use an archive file format with an LNK to deliver the initial payload. This technique was observed in 2018. They also used an election-themed lure that appears to come from a US government source. This has been seen since 2016. Cobalt Strike, with a custom, malleable profile, was used as an initial payload, as has been done since 2018. And finally, the scope and timing of the campaign looks like the familiar paw prints of a Huggy Bear. Many targets got the same phishing content at about the same time. 

Dave Bittner: Chinese intelligence services have also been busy. FireEye's Mandiant unit has followed up earlier research into PulseVPN exploitation and concluded that the Beijing-linked threat actors UNC2630 and UNC2717 have introduced four new families of malware and deployed these against economic verticals given priority in China's 14th Five-Year Plan. The cyber-espionage is characterized as sophisticated and evasive and as exhibiting an intimate familiarity with the victims' networks. The four new strains of malware are BLOODMINE, a utility that parses Pulse Secure connect log files and extracts information related to logins, message IDs and Web requests. It then copies the data it obtains to another file. BLOODBANK, a credential theft utility that parses two files containing password hashes or plaintext passwords and expects an output file to be given at the command prompt. CLEANPULSE, a memory patching utility that may be used to prevent certain log events from occurring. Researchers found CLEANPULSE in close proximity to an ATRIUM webshell. And finally, RAPIDPULSE, a webshell that's capable of arbitrary file read. As other webshells so often do, RAPIDPULSE exists as a modification to a legitimate Pulse Secure file. The attacker can use RAPIDPULSE as an encrypted file downloader. While some European organizations have been targeted, the great majority of those affected have been in the United States. 

Dave Bittner: The U.S. FBI yesterday warned that foreign actors were exploiting unpatched Fortinet VPN to compromise U.S. municipal governments, quote, "as of at least May 2020, an APT actor group almost certainly exploited a FortiGate appliance to access a web server hosting the domain for a U.S. municipal government. The APT actors likely created an account with the username elie to further enable malicious activity on that network," end quote. Once they're in, the attackers can accomplish a number of unwelcome things - data exfiltration, further malware installation, data encryption and so on. Organizations that think they may have been affected should look for FTP transfers over port 443 and unrecognized scheduled tasks, especially SynchronizeTimeZone. 

Dave Bittner: This isn't the first warning the FBI or CISA have issued about the risk of leaving Fortinet appliances unpatched. And we emphasize that Fortinet has had a patch available for some time. Their first warning arrived on October 12 of last year. The second was issued almost two months ago on April 2. There's almost a touch of weariness in yesterday's warning. It's like, come on, people. How much more can we spell it out for you? Tell his honor to have people patch the city's stuff, OK? It's worth noting that local governments shouldn't presume they enjoy immunity from the attentions of unfriendly foreign states. 

Dave Bittner: BlackBerry puts the worldwide Conti ransomware victim count north of 400. A lot of these have been health care or first responder targets, prominently Ireland's HSE, New Zealand's Waikato DHB and California's Scripps Health, all three of which continue to work toward recovery. 

Dave Bittner: BlackBerry took a look at the free decryptor Conti operators offered in a fit of either remorse or, more probably, fear of the attention from law enforcement that widespread public odium would spur. BlackBerry concluded that the decryptor was indeed legitimate and not a further scam. But lest one be inclined to credit Conti operators with a functioning conscience, consider the comment they provided Newshub about their infestation in Waikato. Quote, "for last three days (ph) we tried to contact them, and we offered help with restoring the network. With our help, they could restore it for one day. Without our help, they will have to rebuild their network from the beginning. They decided to ignore us and torture their employees and patients. It is only their fault that DHB is still offline. They can't use their backups. We deleted most of it," end quote. 

Dave Bittner: Newshub also reported that the Cancer Society's medical director called the ransomware attack worse than COVID, which seems perhaps overheated. But there's little doubt that disrupting networks in Waikato has also disrupted the delivery of care. In Ireland, officials now estimate that the total costs of the Conti attack on HSE will probably exceed 100 million euros. 

Dave Bittner: The DarkSide is another crew that's claimed to have gone dark, but U.S. law enforcement authorities aren't counting on them keeping their word, Infosecurity Magazine reports. If you take the gangs at their word, then, hey, we've got a non-fungible token of a perpetual motion machine you may be interested in as an investment opportunity. 

Dave Bittner: And finally, the underground criminal economy is a complex one that mirrors many aspects of legitimate markets. Crooks have their consultants just as legitimate businesses do, Gemini Advisory reports. They squabble sometimes. A dark web fight between REvil and a criminal middleman, a ransomware consultant, has revealed some of the features of that market. The consultant scouts victims to come up with recommendations for a ransom the victims are likely to pay and also handles negotiations between the extortionists and the victims. Sleazy, but still complex. 

Dave Bittner: Rick Howard winds up his week-long series of interviews with highly respected authors of cybersecurity books, each one an inductee into the Cybersecurity Canon. Here's Rick with the latest. 

Rick Howard: We are at the end of Cybersecurity Canon Hall of Fame week here at the CyberWire. I've been interviewing all the winning authors for this year. And our final interview is with Andy Greenberg, the author of "Sandworm: A New Era of Cyberwar." I asked Andy, what exactly is Sandworm? 

Andy Greenberg: Sandworm is a group of Russian hackers that since late 2015 or so have carried out what I think is the first full-blown cyberwar. Starting in Ukraine, they attacked pretty much every part of Ukrainian society with these data-destructive attacks that hit media and the private sector and government agencies and then ultimately, the electric utilities, causing the first ever blackouts triggered by cyberattacks. Sandworm hit Ukraine's power grid not once, but twice in late 2015, and then again in late 2016. And then finally, this Ukrainian cyber war that Sandworm was waging essentially in the middle of 2017 exploded out to the rest of the world with this cyberattack called NotPetya - a worm, a self-propagating piece of fake ransomware that was actually just a destructive attack that spread from Ukraine to the rest of the world and took down a whole bunch of multinational companies, medical record systems and hospitals across the United States and ultimately cost $10 billion in global damages - the worst cyberattack in history by a good measure. 

Andy Greenberg: So the story of "Sandworm" is a detective story about the security researchers across the private sector trying to track this group and figure out who they are and try to warn the world that this Ukrainian cyber war was soon going to spill out and hit us, too. And then that is exactly what happened. And when that happens, the book kind of switches from a detective story to a disaster story. And I track the effects of NotPetya across the world as it causes this wave of devastation. 

Rick Howard: I've been including "Sandworm" in a triad of recent must-read Cybersecurity Canon Hall of Fame books that not only tells the history of the relatively new development of continuous low-level cyber conflict between nation states from about 2010 until present, but also attempts to explain the current thinking of some of the key cyber power players, like Russia, China, the United States, Iran and North Korea. David Sanger's Hall of Fame book, "Perfect Weapon," covers the history and key thinking of all the power players. Richard Clarke and Robert Knake's Hall of Fame book, "Fifth Domain," covers similar material but leans towards the policy side of the discussion. And finally, Andy Greenberg's Hall of Fame book, specifically on Russia. The book is called "Sandworm: A New Era Of Cyberwar" by Andy Greenberg. And you can hear a much more in-depth, longer interview in my CSO Perspectives podcast exclusively on the CyberWire Pro subscription services. And congratulations to Andy for his induction into the Cybersecurity Canon Hall of Fame. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security but also my co-host over on the Caveat podcast. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: Interesting story from Joseph Cox over on the VICE website. And it's titled "Pentagon Surveilling Americans Without a Warrant, Senator Reveals." What's going on here, Ben? 

Ben Yelin: So this is Senator Ron Wyden, who, if there is a story about government surveillance and it involves a lawmaker, you probably have a 90% chance that it's going to be Ron Wyden. 

Dave Bittner: Right. 

Ben Yelin: He has sent a letter to the Department of Defense asking them to declassify a program where they are conducting warrantless surveillance of Americans. So he's asking for detailed information from the Department of Defense, the Pentagon, the NSA and the director of national intelligence about this program where special forces in the U.S. military are buying location data from data brokers. So these are private data brokers, and without a warrant, the government is going in and obtaining some of this data. 

Ben Yelin: So Senator Wyden has a bunch of questions that he specifically wants answered. One I think that's particularly relevant both because it's what the majority of the American people care about and there's some legal significance, is how many of these communications were between American citizens or U.S. persons, where you have an American person on one end or the other? Those types of communications merit significant Fourth Amendment protection, even if they have some sort of national security implication. You know, other communications, when we're talking about somebody's phone conversations or internet traffic being incidentally scooped up because they've been coordinating with an overseas terrorism target, that might have a slightly higher justification under the law. But that's sort of what Senator Wyden is asking here, is what is the extent of this data collection program? 

Ben Yelin: So the ask here - and this is a letter to the defense secretary, Lloyd Austin - is please release this information publicly so members of Congress, including those that aren't on the relevant intelligence committees, could have a reasoned debate on what the issues are here. And this can inform the decision of lawmakers as to whether to pass some sort of remedial legislation like the Fourth Amendment is Not For Sale Act, which we discussed on our Caveat podcast. 

Dave Bittner: Yeah. Now, one of the things that caught my eye here is Wyden is making the point that a lot of this information they can't publish, like, some of the responses from the DOD, they can't publish because some of their answers are classified. And Senator Wyden is pushing them to declassify these answers, as you say, so they can have more public review. 

Ben Yelin: Yeah, I mean, that's one of the problems about any sort of public debate about these programs is oftentimes we're all flying blind. You know, some of the only public debates we've had about counterterrorism intelligence programs have been after high-profile leaks - looking at you, Mr. Edward Snowden. 

Dave Bittner: (Laughter). 

Ben Yelin: Other than that, it's really hard to have reasoned debate on this because even if information is declassified, it's usually declassified long enough in advance that, you know, the particular information might not be timely or relevant, you know, the way it had been six or eight months ago. You know, so we see that with the release of FISA court opinions, where it reflects information that might have been useful, you know, a year ago, but the intelligence community has already moved on. They have different targets. They already have new methods under consideration. And that's what's happening here. 

Ben Yelin: You know, there are some members of Congress, particularly the eight members of the leadership in the House and the Senate and then the chair and ranking members of the Intelligence Committee, who are able to see this, but they can't really spark a public debate if so many other members of Congress and the general public are completely in the dark as to how this program works. And it's one thing that's very frustrating about trying to seek reform on these types of issues as you are dealing with classified information. 

Dave Bittner: Right. 

Ben Yelin: I will say that there's a reason this information is classified. It really does reveal some of our intelligence methods. It could reveal confidential sources. And, you know, so it's not like they're just arbitrarily keeping things classified, although they have done that in the past. 

Dave Bittner: Yeah. I mean, Wyden kind of speaks to that, too. And in his letter to Secretary of Defense Austin, he said - he sort of points to, I guess, you know, that notion that the DOD has been accused of overclassifying things. And in Wyden's letter, he says information should only be classified if its unauthorized disclosure would cause damage to national security. The information provided by DOD in response to my questions does not meet that bar. Interesting. 

Ben Yelin: Yeah. So I'll tell you... 

Dave Bittner: Is that for him to say (laughter)? 

Ben Yelin: It is. I will tell you a quick story, though... 

Dave Bittner: Yeah. 

Ben Yelin: ...That is a staple of mine in some of my law classes. There is a very famous Supreme Court case, United States v. Reynolds, which came out in 1953, which was about the so-called state secrets privilege, where the government could assert that a case concerns a state secret, and that case could be dismissed from court where the plaintiffs wouldn't be able to seek relief. So this was a case where family members of people who are in the military sued the government because their family members died due to a plane crash. And they were alleging that, potentially, the government was negligent in the design or operation of these airplanes. 

Ben Yelin: And since these were military aircraft, the government at the time said this is highly secretive information. We can't litigate this. If we did, you know, we would be revealing state secrets, and that would do damage to our national security. We're trying to fight the USSR here. Let's get serious. Came out about 40 years later, well - some of the plaintiffs of this case were still alive - that that was basically BS, that there was no relevant national security information in the Reynolds case. And in fact, they really tried to conceal the information because they were scared of facing civil liability. So it became this kind of cautionary tale about overclassification. And maybe I sound paranoid, but it is a lesson to, you know, not just instinctively trust when the government says they're classifying something for national security purposes because they've been known to lie in the past. 

Dave Bittner: (Laughter) I mean, I guess that's exactly what Senator Wyden is doing here. He's the one who - he has a view into this, you know, having the ability to see the classified information and share his opinion that it doesn't meet that standard. 

Ben Yelin: Yeah. And Senator Wyden has done this before. I mean, he said things on the Senate floor, like, I know things I'm not allowed to say here, but if you don't release unclassified information, you know, I might find a way to make it public. It's just because he is very passionate about these surveillance issues. 

Dave Bittner: Yeah. All right. Well, the article is over on the VICE website. It's titled "Pentagon Surveilling Americans Without a Warrant, Senator Reveals," written by Joseph Cox. Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: If you are looking for something to do over the upcoming long holiday weekend, at least here in the U.S., be sure to check out my conversation with Brandon Hoffman from Intel 471 on "Research Saturday." We're discussing EtterSilent, the underground's new favorite maldoc builder. That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Velicky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.