The CyberWire Daily Podcast 7.30.21
Ep 1386 | 7.30.21

Multiple Cozy Bear sightings (at least the bear tracks). Spyware in a Chinese employee benefits app. Phishing campaigns. DoppelPaymer rebrands. And ignore that bot--it hasn’t been watching you surf.


Dave Bittner: Cozy Bear's active command-and-control servers are found, and people conclude that Moscow's not too worried about American retaliation after all. Spyware is found in an app for companies doing business in China. What to make and not make of the Iranian documents Sky News received. Phishing with Crimean bait. HTML smuggling may be enjoying a moderate surge. DoppelPaymer rebrands. Andrea Little Limbago from Interos on growing the next generation of cyber. Our guest is Jamil Jaffer from IronNet Cybersecurity on protecting the Black Hat Network Operations Center. And good news - that blackmailing bot really does not know what you did last summer.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, July 30, 2021. 

Dave Bittner: Security firm RiskIQ this morning reported having identified more than 30 active APT29 command-and-control servers delivering WellMess and WellMail malware, espionage tools CISA identified last year as particularly active against COVID-19 vaccine development efforts in the U.K., Canada and the U.S. APT29, also commonly known as Cozy Bear, is, of course, generally associated with Russia's SVR. 

Dave Bittner: Bloomberg sees the discovery as evidence that Russia isn't taking U.S. complaints of cyberactivity targeting critical sectors particularly seriously. Indeed, the Russian Embassy in Washington was positively blasé, simply referring enquirers to their earlier statement that people should avoid sweeping accusations and saying that further discussions with the U.S. would surely improve the security of the information infrastructure of our countries. 

Dave Bittner: Kevin Livelli, RiskIQ's director of threat intelligence, told Bloomberg, quote, "often when an APT group receives a lot of public attention, either in security research or politically, it goes to ground for a bit until the heat is off. Our findings show that APT29 is back to business as usual despite widespread exposure in the SolarWinds episode and a high-level summit where President Biden leaned on President Putin to be less aggressive in cyberspace. In fact, APT29 is using the same malware they used to steal COVID-19 research a year ago despite the fact that the U.S., U.K. and Canadian governments called them out on it. They haven't missed a beat," end quote. 

Dave Bittner: Indeed, they haven't. As RiskIQ's own report puts it, the activity uncovered was notable given the context in which it appeared, coming on the heels of a public reproach of Russian hacking by President Joe Biden in a recent summit with President Vladimir Putin. The White House had a tight-lipped no comment. Cozy Bear's activities appear to occupy the gray zone of espionage. There's, at present, no suggestion that sabotage was involved, although theft of IP, reconnaissance and battle space preparation are certainly possibilities. 

Dave Bittner: Recorded Future's Insikt Group has evaluated Beijing One Pass, an employee benefits application the Chinese government provides companies doing business in that country. The app appears to be spyware. Quote, "the installed application exhibits characteristics consistent with potentially unwanted applications and spyware. Some notable suspicious behaviors relate to several dropped files and subsequent processes initiated from the primary application. These behaviors include a persistence mechanism, the collection of user data such as screenshots and keystrokes, a backdoor functionality and other behaviors commonly associated with malicious tools such as disabling security and backup-related services," end quote. 

Dave Bittner: At the time of writing, it is unclear if the spyware features were added inside the Beijing One Pass software on purpose or if they were inserted after a compromise of the company's software development pipeline. In fairness to Beijing, attributing the undeniable spyware functionality to China's intelligence services isn't a matter of certainty since, as the Insikt Group points out, it's possible that unknown parties, criminals or others, inserted the spyware after having compromised the app's development. Recorded Future called BJCA, the state-owned enterprise that makes Beijing One Pass, but they were unwilling to comment. 

Dave Bittner: It's a problem for companies doing business in China. Quote, "while information about how the spyware functionality made it inside the app is still shrouded in mystery, its presence is undeniable. Furthermore, companies doing business in China may not have an option and may be forced to install the software," end quote. If that's you or your organization, isolate the app and keep it away from systems that handle sensitive information. 

Dave Bittner: Beijing One Pass isn't the first time an app that the Chinese authorities pressure foreign companies to install has exhibited troubling behavior. As Recorded Future gracefully points out, a little more than a year ago, Trustwave Labs found that a Chinese bank was requiring foreign companies operating in the country to install an app to file taxes with local governments. That app was backdoored. 

Dave Bittner: Haaretz looks at the documents Sky News obtained that appear to be Iranian studies of cyber sabotage operations and points out that the documents are based on readily available open sources. They aren't in themselves offensive planning documents and could be equally relevant to defensive measures. There's a term-paperish quality about them that falls well short of what an actual operations plan might look like. Still, the possibility of cyber sabotage is worth keeping an eye on. 

Dave Bittner: Security firm Malwarebytes describes a phishing campaign baited with a Crimean manifesto whose hook is a VBA RAT. The document, appearing in both Russian and English, represents itself as opposed to Russia's occupation of Crimea. But this isn't grounds for even circumstantial attribution. 

Dave Bittner: Researchers at Menlo Security are tracking an HTML smuggling attack they call ISOMorph. The attack bypasses network security solutions like legacy proxies and sandboxes to gain access to targeted devices. Subsequent stages install AsyncRAT or njRAT. njRAT has been used for some time by so many different threat actors that its presence has little to say about attribution. Those who have used it have tended to go after what Menlo Security characterizes as high-value targets in the Middle East. HTML smuggling is enjoying a resurgence in popularity among criminals and nation states. Menlo Security points out that the Nobelium threat group - also known as APT29 or, again, Cozy Bear, Russia's SVR - used it during the campaign that exploited SolarWinds vulnerabilities. 

Dave Bittner: There's another rebranding in progress down in the ransomware underworld. Security firm Zscaler says that DoppelPaymer, which had been quiet for a bit, seems to have reemerged as Grief. This kind of rebranding constitutes a low-order form of misdirection, the criminal equivalent of the magician's nothing-up-my-sleeve, and should by now be considered a regular phase of the criminal-to-criminal market's business cycle. 

Dave Bittner: And finally, remember scareware, the stuff that would pop up and tell you that you'd been caught visiting naughty content on what we've come to call adult websites - although perpetually adolescent websites would probably be better. The stuff said that the FBI was on to you and that you would be unmasked and disgraced before your friends, family, employer and whatever gods you prayed to. Yeah, remember that stuff? Well, it's back in the form of bot-driven spam. 

Dave Bittner: Security firm Bitdefender said today that they've been following a multilingual, multinational spray-and-pray campaign that's spamming people to tell them that their credentials have been compromised and that they, the criminals, know what you've been up to online, and that it's not a pretty sight. If you pay them off, they'll keep it all quiet. 

Dave Bittner: The extortion demand varies with the language of the message. In Italy, they want 950 euros. In Brazil, 600 reals, 1,350 euros from those who speak Dutch, $650 from francophones insultingly denominated in U.S. dollars. From Romanians, they want 1,250 Yankee greenbacks. And from the monoglot Americans, they ask 1,500 bucks. The price list suggests that consciences are about a hundred bucks guiltier in Amsterdam than they are in New York or even Los Angeles, which strikes us as unlikely, but who knows? All payments, naturally, should be remitted by bitcoin. 

Dave Bittner: The good news? It's all hooey. They've got nothing on you. Delete that message, and have a nice day. 

Dave Bittner: The Black Hat Conference is once again upon us, and this year, IronNet Security are among the organizations partnering with Black Hat organizers to secure the event's Network Operations Center. It's an interesting task, to say the least, given the high profile and history of Black Hat. Jamil Jaffer is senior vice president at IronNet Security. 

Jamil Jaffer: Sure. So, you know, IronNet Cybersecurity was founded by General Keith Alexander, the former director of the NSA and the founding commander of U.S. Cyber Command. And we brought together a great group of people, you know, offensive operators from NSA. The best and the brightest were going up against the Russians and the Chinese, getting into their systems - and the defensive side, defending the U.S. government from these types of attacks, the DOD and the defense industrial base - and so brought together some great folks. 

Jamil Jaffer: And when this company got started, you know, right, actually, before General Alexander left NSA, he was the first NSA director to actually go to Black Hat and engage the audience, to go to those organizations to talk about what NSA does. And it was a fundamental sea change in the way the government operated with respect to hackers and the like and the community that's there. He came in jeans. He talked candidly, you know, and we've seen that happening more. 

Jamil Jaffer: And so IronNet's always had in our culture to be part of these events and to be part of that community, whether it's Black Hat or DEF CON or the like. And so we've always engaged. We've always been there. I've spoken a couple of times at Black Hat, and I've sherpa'd members of Congress to DEF CON just two years ago before COVID hit. So, you know, we've been engaged the whole way. 

Jamil Jaffer: This year, we've had to up that engagement with Black Hat. This year, we decided we're going to be one of the organizations that's going to defend the NOC. So, you know, Black Hat has a Network Operations Center. As you know, everyone tries to come after Black Hat. To say you took out the Network Operations Center of Black Hat is a matter of pride both white hat and other hackers, gray hat and the like hackers. 

Jamil Jaffer: And so to be the organization defending the NOC is a big task. And so we're doing that this year. We're excited about it. And frankly, we're bringing this collective defense mentality, this collective defense capability to the NOC. So we're not just going to be defending the NOC itself, but we're going to be taking information for our existing clients in an anonymized way, bringing that together to defend the NOC not just against what we know about, but the unknown unknowns, right? Trying to find those new and novel threats that are coming up against the NOC, that'll help defend the NOC better at Black Hat, but it will also help defend our clients out in industry better all at the same time. So you know that collective defense we were talking about or what the Cyberspace Solarium Commission talked about? We're going to bring that to bear this next week at the Black Hat Network Operations Center. 

Dave Bittner: Yeah, I mean, it's a really good point, in that collaboration flows both ways, that you're able to provide your services, your expertise to help defend. But at the same time, all of that stuff that's going to be coming at you, that's a great learning opportunity, looking for, you know, novel approaches and things you can take back to your clients and share with the community. 

Jamil Jaffer: Well, exactly right. And at the end of the day, that's what this is all about. You know, the idea - you know, we've never thought about in no other sort of area of nation-state activities - right? - where we know nation-states of highly capable actors, criminal gangs that are sometimes funded by nation-states - we've never thought that was the job of individual companies to defend against. I mean, think about it, right? If the Russians were to fly a bomber over U.S. territory, we don't think Target or Walmart or JP Morgan should have surface-to-air missiles on the roof of their buildings or - we're asked to defend against the Russians? That's crazy. 

Jamil Jaffer: And yet in cyberspace, the theory is exactly the opposite. Every single company - large, small, mom and pop, big bank, big energy - they all have to defend against the Russians, the Chinese, the Iranians, the North Koreans, major criminal gangs emanating out of northeastern Europe, major criminal gangs operating out of China now, increasingly. That doesn't make sense. You can't expect a single company that's a profit-making entity whose job it is to build services for consumers or other businesses or products to also spend the kind of money it takes to go up against the nation-state or a nation-state-like attacker. 

Jamil Jaffer: And so the only way to get around that and to solve that problem is to bring companies together, industries together, and, frankly, industry and government together to really defend one another in this new domain that we're fighting in. 

Dave Bittner: That's Jamil Jaffer from IronNet Security. 

Dave Bittner: And I am pleased to be joined once again by Andrea Little Limbago. She's the vice president of research and analysis at Interos. Andrea, it's always great to have you back. You know, we always talk about how there aren't enough folks to fill all of the jobs that we have available in cyber. And I know you've got some stories to share of some of the next generation coming up, some kids who are interested in joining us in this good fight. 

Andrea Little Limbago: Yeah. You know, it's been one of those things where, you know, over the last year has certainly been hard for so many different reasons. One of the silver linings has been the ability to reach out to more - for me, it's been the ability to reach out to more students wherever they are across the country and, actually, across the globe, you know, due to the virtual format now. And so, you know, I've had the opportunity to either, you know, fill in as a professor at a university or just speak at various kinds of conferences at the universities. And, honestly, they are some of my best experiences over this last year. 

Andrea Little Limbago: And I've done it before, but, you know, it's always - it's increased, actually. For some reason, over this last year, I have been able to have the opportunity to do it a lot more. And, you know, the questions that the students are asking - you know, they're really insightful. The areas that they're studying, you know, for me, like, didn't exist when I was in college or even come close to it. They're really engaged. And then they really, I think, are taking just a really nice angle on it, where, you know, I - as a social scientist, you know, I, you know, basically was trained in, you know, my lane of, you know, international relations. And I think the same thing happens across, you know, across engineering, across math, the various sciences. You know, it's kind of stovepipe. 

Andrea Little Limbago: What I saw a lot from these students was really this multidisciplinary approach. And so looking at, you know, biology and technology now help them in the biotech area - those that are in political science are also, you know, taking computer science and really focusing on, you know, what digital democracy could look like and really rethinking a lot of those kind of - those frameworks and models. Like, they're just really coming at it with a lot of interesting and different ideas, different perspectives and enthusiasm. And so that - I think that was one of the things that - you know, it gave me - you know, it was sort of - it was like a jump-start for me to reignite my own enthusiasm that I've had, you know, 'cause it can - this industry can be hard... 

Dave Bittner: Yeah. 

Andrea Little Limbago: ...Day after day. And so there's so much excitement, enthusiasm and good ideas that we do - I mean, it's been really exciting. And I think one example - Atlantic Council does Cyber 9/12, where they have students come in, and they basically - the universities compete against each other to tackle - they make up a policy scenario, and they have to come in and they create what the policy responses should be. And they were just really bright, like, really looking at - they were able to pull a thread together across different areas just in ways that I think doesn't always happen. And so it's - it was really - you know, it was nice to see. And there's these really just bright, articulate, enthusiastic - you know, it gave me a lot of hope for where we're going as an industry. And I think it's really going to - not revitalize, but just help transform the industry as - in light of what - you know, all the various kinds of threats and opportunities that are going on in the world. 

Dave Bittner: Do you have any thoughts on what is driving that breadth of information that - I mean, is it the way that they are - the accessibility they have to information that perhaps, you know, you and I growing up didn't have? We had to go to the library. We had to pull out the encyclopedia. And this group of digital natives have everything at their fingertips. 

Andrea Little Limbago: They do. And I think that, for sure, is part of it, which I think also is how they think about things. You know, almost everything they look at has some technology component to it. So when they're thinking about health care, they still think about technology with it. Or when they think about doing some sort of biomedical research, there's - or even energy, they think about the technology driving it. I think that just is a natural component, whereas I think for us, you know, that was - it was a separate area of study. 

Dave Bittner: Right. 

Andrea Little Limbago: And even, like, when we think about cybersecurity, I mean, cybersecurity just - you know, it's pervasive throughout every industry possible. And when we try and, you know, look at it separately outside of some of those industries, you know, that's where we've gotten into some problems. They really are so interconnected. 

Andrea Little Limbago: And so I do think that because they are digital natives, they always had that technology in hand and so they always think about, you know, how technology can be used for good and for bad. I think that's also the difference is because they - you know, they've seen it. You know, as they grew up, they've seen how technology can be great for that access of information. They've also seen or experienced, you know, personally or amongst their peers, you know, the negative sides of the technology and information access. So I think they're just much more aware of the benefits and the harms and really trying to do what they can to optimize the benefits that we can have and the impact that we can have. 

Andrea Little Limbago: And so it's been interesting. It's - you know, going - at the conferences, you know, like, some of the BSides and so forth still had, you know, career mentoring and resume reviews. And, you know, there - more and more of the students were able to access those this year. And so I think that's been great, too. Like, that's how when - you know, greater interaction for those of us in the industry with the students, which has been good. 

Andrea Little Limbago: But for those students, you know, it made them - it made those conferences that they couldn't - I mean, I would never have been able to afford any of the conferences when I was in college - but just made them accessible to hear. And so I think that also - you know, I hope that's something that doesn't change going forward - is keeping some of the virtual, you know, ability to watch some of these for - especially for students. I think that that's - I think it really can help open a lot of minds and exposure to the whole breadth of what the industry can provide. 

Dave Bittner: All right. Well, Andrea Little Limbago, thanks for joining us. 

Andrea Little Limbago: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: Be sure to check out this weekend's "Research Saturday" program. I'm speaking with Charity Wright from Recorded Future's Insikt Group. We're going to be talking about China's digital colonization. That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Tre Hester, Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.