The CyberWire Daily Podcast 8.4.21
Ep 1389 | 8.4.21

Espionage phishing in unfamiliar places. OT vulnerabilities. LemonDuck’s rising fortunes. Data exposure. Kubernetes advice from NSA and CISA. Meng Wanzhou’s extradition.

Transcript

Dave Bittner: APT31 casts its net into some waters that aren't yet phished out. Vulnerabilities in the NicheStack TCP/IP stack are reported. LemonDuck may be outgrowing its beginnings as a cryptojacking botnet. A large marketing database is found exposed. NSA and CISA offer advice on securing Kubernetes clusters. Adam Darrah from ZeroFox checks in from the floor at Black Hat. Our guests are Nic Fillingham and Natalia Godyla from Microsoft's "Security Unlocked" podcast, David Dufour from Webroot on the hidden costs of ransomware. And Huawei's CFO returns to court as her extradition hearings enter their endgame.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, August 4, 2021. 

Dave Bittner: Positive Technologies, the Moscow-based security company with operations in multiple countries, late yesterday reported widespread activity by APT31, also known as Zirconium, Judgment Panda and Hurricane Panda, a Chinese cyber-espionage group usually associated with collection against governments in pursuit of Beijing's strategic goals. 

Dave Bittner: Between January and July of this year, the campaign used phishing emails to prospect targets in Mongolia, Canada, Belarus, the United States and, unusually, Russia. Positive Technologies, close to the Russian government and a participant in the GosSOPKA information-sharing system that Russia's CERT oversees, intends to keep Russian organizations in particular apprised of APT31's activities. The company believes this marks Hurricane Panda's first significant effort against Russian targets. 

Dave Bittner: It also expects the activity to continue, at least over the near term. Since Hurricane Panda's typical approach has been through phishing emails, the usual cautions about proper suspicion and skepticism with respect to the stuff that shows up in your inbox would apply. 

Dave Bittner: Security firm Forescout and security research shop JFrog this morning disclosed their discovery of 14 vulnerabilities in the NicheStack TCP/IP stack widely used in OT and industrial IoT environments. The vulnerabilities could be exploited for remote code execution, denial of service, information theft, TCP spoofing or DNS cache poisoning. Recommended mitigations include prompt application of patches when they're available, network segmentation and blocking unused protocols. Forescout sensibly acknowledges the difficulty of patching operational systems, with their mission criticality and multiple dependencies, and offers a range of things organizations can do until they're able to apply available fixes. 

Dave Bittner: The LemonDuck botnet, once known as a small potatoes cryptojacking operation, has outgrown its origins, the Record reports. It's become massive and is showing signs of expanding its capabilities to include hands-on keyboard intrusions into hacked networks. This suggests a possible move into ransomware or destructive attacks in the near future. 

Dave Bittner: Researchers at security firm Guardicore first described LemonDuck in 2019. And Microsoft, within the past two weeks, devoted a two-part series to LemonDuck and LemonCat. As is usually the case, the bad actors run by many names. It would be convenient to simply call them Legion. LemonDuck is now a cross-platform threat, infesting both Windows and Linux systems. And it also operates as a loader. We disclose, again, that Microsoft is a CyberWire partner. 

Dave Bittner: The Guardicore malware analyst, Ophir Harpaz, who first noticed LemonDuck back in the day, told the Record that it began as a classic spray-and-pray cryptojacker. But even in its early stages, LemonDuck, while small, seemed to be serious about its business and determined to build for the future. They showed strong technical chops, for one thing. Quote, "their multistage PowerShell scripts were more complex and obfuscated than others', and they already made extensive use of open-source tools for code execution and infection," end quote. 

Dave Bittner: And some of the features Microsoft called out were there from the get-go - credential theft, removal of security controls and lateral movement. They were all there from the very start. So for now, while LemonDuck remains a mining operation, we may be seeing an incipient entrant into the criminal-to-criminal ransomware-as-a-service sector. 

Dave Bittner: The annual Black Hat Conference is officially underway in Las Vegas, albeit with lighter crowds, as many have chosen to sit this one out, thanks to COVID. I checked in with ZeroFox's Adam Darrah from the Black Hat show floor to get his sense for how it's going. 

Adam Darrah: We anticipated the same thing everybody else was anticipating. You know, we were watching the news closely on what Black Hat had in mind as far as, like, rules, regulations, best practices. And I will say that they're doing a great job so far. And, you know, people are being very courteous. People are being kind, respectful of, you know, maybe not wanting to be so close, shake hands and stuff. 

Adam Darrah: But, you know, in the runup to it all, at the end of the day, it was - we expected a lot less people to show up. I mean, some vendors, some pretty major vendors, we had heard pulled out. And judging by the, you know, the floor right now, you can definitely tell that there's - it's definitely been tamed a bit as far as vendor participation and even, like, user participation. 

Adam Darrah: But, you know, we just decided that it would still be worth our time and our efforts to be safe, to be reasonable and to give people an opportunity to both - to meet with us in person, you know, 'cause those relationships matter. And I think people are excited to, you know, meet with each other face to face and in as reasonably safe manner as is possible. So we just went for it, man. 

Dave Bittner: You know, I've heard folks say that when you have a year like this where attendance is down, it might not actually be such a bad thing because you get to spend more time with the folks who are interested in having a substantive conversation. You can actually step aside and have the time you need to make those things happen. 

Adam Darrah: Yeah. So I happen to agree with that. You know, you definitely don't want people to get the impression that you're not caring, you're not attentive to what they're doing. So you're sitting - you know, you're sitting at a booth or walking down the hallway, you see somebody that you know, you definitely want to give them the time they deserve. So this year definitely will afford us that opportunity. However, in the opening hours, we are still seeing quite a rush. So we will see if that dies down as the day - as the days continue. 

Adam Darrah: But I happen to agree with you. I really love and prefer taking the time one-on-one to be thoughtful with my answers, to be substantively accurate with my answers and make sure we're resolving the concerns or seeing things through to the end. So, yeah, that's definitely the vibe this year, I think, is what I'm seeing so far. 

Dave Bittner: What about beyond the show itself? You know, a big part of events like this are being able to get together with friends and colleagues you don't get to see very often. Is - are those sorts of things still happening? 

Adam Darrah: Absolutely. Wow, that's loud. 

Dave Bittner: (Laughter). 

Adam Darrah: That's - very festive. Yes. So those things are happening. You know, based on just my personal preferences, I find it quite therapeutic to be back in person talking to people, you know, shaking hands, giving hugs, high-fives, elbow high-fives, whatever people are comfortable with. 

Adam Darrah: It definitely provides an added layer of trust. In the security business, I think trust is paramount. Mutual trust and respect is paramount. And to be able to reestablish that in person, face to face, touch, talking - just all those things are great. And they are happening outside of the venue itself, which is really refreshing to see. 

Dave Bittner: That's Adam Darrah from ZeroFox. 

Dave Bittner: VpnMentor reports finding an unsecured database maintained by business-to-business marketing firm OneMoreLead. The database included personal data on between 63 million and 126 million people in the U.S. OneMoreLead secured the data when vpnMentor contacted them. How the data were collected in the first place remains unclear, and vpnMentor speculates about possible connections to earlier incidents involving other marketing outfits. 

Dave Bittner: NSA and CISA issued joint guidance on Kubernetes configurations intended to help organizations build and maintain secure Kubernetes clusters. The two agencies explain, quote, "Kubernetes is an open-source system that automates the deployment, scaling and management of applications run in containers. Kubernetes clusters are often hosted in a cloud environment and provide increased flexibility from traditional software platforms. The report details recommendations to harden Kubernetes systems. Primary actions include the scanning of containers and pods for vulnerabilities or misconfigurations, running containers and pods with the least privileges possible and using network separation, firewalls, strong authentication and log auditing," end quote. 

Dave Bittner: The advisory also details the reasons threat actors are interested in Kubernetes. Quote, "Kubernetes is commonly targeted for three reasons - data theft, computational power theft or denial of service. Data theft is traditionally the primary motivation. However, cyber actors may attempt to use Kubernetes to harness a network's underlying infrastructure for computational power for purposes such as cryptocurrency mining," end quote. 

Dave Bittner: And finally, the extradition hearing for Huawei CFO Meng Wanzhou is entering its final stages out in Vancouver, where Canadian authorities are considering whether to honor the U.S. request that she be extradited to face charges related to alleged illegal Huawei trade with Iran. She's been in Vancouver since she was detained on a U.S. request in December of 2018. Bloomberg says that if you bet on form, the odds of Canada sending her south to the U.S. are about a hundred to one in favor of extradition. 

Dave Bittner: The case involves some murky financing Huawei is said to have arranged with bankers at HSBC involving a subsidiary or partner - their relationship was obscure - Skycom. Skycom is said to have tried to sell HP equipment to a service provider in Iran, which would constitute a violation of U.S. sanctions on Tehran. Meng is alleged to have lied about Skycom's true relationship to Huawei. 

Dave Bittner: An essay in Light Reading, while not particularly friendly to Huawei or blind to the questionable aspects of the company's operations that have brought it hostile U.S. security regulation, thinks the prosecution of Meng looks, at this point, vindictive, especially since she's been stuck in Vancouver effectively under house arrest for more than two years. And given the reach and effectiveness of U.S. sanctions on Huawei, if Meng's prosecution is intended as a further measure against the company, it seems to amount to making the rubble jump. 

Dave Bittner: In any event, the case is nearing its conclusion and should be decided soon. The latest round of hearings began today. 

Dave Bittner: We here at the CyberWire are very pleased to announce that another Microsoft cybersecurity podcast is joining the CyberWire podcast network. The show is called Microsoft "Security Unlocked," and it's hosted by Natalia Godyla and Nic Fillingham, who join me with a preview of what to expect. 

Nic Fillingham: We're very fortunate. You know, there's, I mean, literally thousands of people at Microsoft working on security, be it, you know, building AI, be it building product and actually protecting customers. And so we are in a very fortunate position that we can send them an email and say, hey, we've got this little podcast, and we think you're doing some cool stuff. Can we talk to you about it and try and bring to light some of the, you know, the great, you know, new techniques or research that's being uncovered on a daily basis? It's a very fun job. Natalia and I are very fortunate, and we're very much enjoying the podcast. 

Natalia Godyla: Other than just having the massive Rolodex, we also are fortunate to have so many eager new guests. The Microsoft security folks are so excited to share the work that they're doing. So you can feel that energy on the show. And it's also just awesome to continuously have new guests who want to come on and share the work that they're doing. It really speaks back to that mission-driven approach to security. 

Nic Fillingham: As a - as the co-host and some of the producers of this podcast, we really do want to make sure that we aren't, you know, just talking about Microsoft and Microsoft products. We actually try not to say the word Microsoft in the podcast... 

Natalia Godyla: (Laughter). 

Nic Fillingham: ...Or the names of the products because that's not what this is about. This is about bringing to light the work that really, really talented and experienced people, dedicated folks, you know, at Microsoft, really, across the globe, are doing to protect obviously ourselves and our customers, but also really trying to make the cyberspace sort of a safer place. 

Nic Fillingham: Some of the more recent episodes we did - you know, a very recent episode was about how do you have cybersecurity conversations with business partners that have no idea what cybersecurity is. So that wasn't a technical discussion at all. It was really about how do you talk to people that don't really understand your domain. And then we've also dived into, you know, the nuts and bolts of sort of the Rust programming language. And we've looked at how do you secure firmware. And we've really gone up and down the stack. We cover a very, very wide range of topics. 

Dave Bittner: You know, Natalia, I'm curious. You all are a few dozen episodes in now. What is the value proposition that you think the two of you bring to the table? What's the - do each of you as co-host bring a different perspective to the program? 

Natalia Godyla: I don't know about perspective, but I do think that we tend to ask different questions, which is great. We complement each other in that way. I'm going to speak for both of us, Nic, but you can correct me. I think we're just both really interested in the cybersecurity domain. So you - we have that inherent passion, and we're both very curious, and so we come to these episodes and speak to our guests with that perspective and minds just eager to find out what they're doing and eager to unlock that for - ooh, I used unlocked. Look at that. 

(LAUGHTER) 

Nic Fillingham: (Unintelligible). 

Natalia Godyla: Unlock that for our audience. 

Nic Fillingham: Well, one thing I'll add is I'm not a security professional. That's not my background. And, you know, I've been at Microsoft a long time. I've sort of been in the technical space for a long time, but I don't come from a professional cybersecurity background. And so I actually use that, I hope, to the benefit of the audience. I hopefully get to ask some questions that maybe sometimes don't get asked because they're thought of as, you know, sort of table stakes. 

Nic Fillingham: So we do revisit a lot of those sort of fundamentals. And I hope that the audience sort of appreciates that because we will from time to time come back and say - you know what? - that's a sort of a buzzy word that we've used a lot there. Let's just sort of pause and sort of revisit what that means and wrap our head around that concept. 

Nic Fillingham: So, you know, I think, you know, Natalia and I have 40-odd episodes in on this one. So we - we're starting to understand the space, but we're also sort of bringing to it that sort of fresh perspective of people that, you know, want to make sure that we're not glossing over a concept or an idea or a technique that may not be familiar to everybody. 

Dave Bittner: Now, Nic, just for a point of clarification here, I mean, previously joining our CyberWire network was Microsoft's "Security Unlocked: CISO Series." This is Microsoft's "Security Unlocked" in a bit of a challenging branding differentiation there (laughter). Can you help us understand the difference between the two shows and - so that people aren't confused and know why they should tune into this one? 

Nic Fillingham: Yeah, Dave. Thanks. We'll get on trying to create some clarity there. We might need to revisit both brands. 

Dave Bittner: (Laughter). 

Nic Fillingham: But, yeah, there are two podcasts. The first one is "Security Unlocked" that Natalia and I co-host. That's a weekly podcast. We've been going for about 40 episodes now. And that's where we have conversations with, you know, really anyone and everyone at Microsoft working on security. And we'll cover a really wide range of topics based on what's going on. 

Nic Fillingham: "Security Unlocked: CISO Series with Bret Arsenault" - that actually came to the CyberWire earlier, a couple months back. And that is with Microsoft's chief information security officer, our CISO, Bret Arsenault. We have been pestering Bret for years to allow us to create a podcast with him. He has the ultimate Rolodex. And so his podcast comes out every two weeks. And that's him having conversations with his security leader colleagues at Microsoft, but also some of the CISOs of, you know, the biggest and most interesting companies out there - TikTok's CISO, Lululemon, you know, telcos (ph), you name it. He knows them all, and that's what's happening on his podcast. 

Nic Fillingham: I would say to CyberWire listeners, you should really subscribe to both and listen to both. But they are different podcasts. One is weekly. That's Natalia and myself. And then Bret comes out every two weeks, where he chats to other CISOs. 

Dave Bittner: I have to say, for our listeners who may not have yet checked out "Security Unlocked," there is a tremendous amount of energy and a real sense of curiosity there that I think is contagious. And one of the things I like about it is that there's something for everyone. You can be someone who's just starting out on their journey or someone who's a seasoned pro who's been at this for a while. And the spectrum of things that you all cover, as you say, is so wide, everybody can get something out of it. It's time well-spent. 

Dave Bittner: That's Natalia Godyla and Nic Fillingham. They are co-hosts of the Microsoft "Security Unlocked" podcast. You can find it on our website, thecyberwire.com, or wherever the fine podcasts are listed. 

Dave Bittner: And I'm pleased to be joined once again by David Dufour. He's the vice president of engineering and cybersecurity at Webroot. David, it's always great to have you back. You know, we've been seeing a lot in the news, obviously, about ransomware - certainly a hot topic. I wanted to touch base with you today about some of the things that are kind of running below the surface, some of those hidden costs that folks don't always think of when it comes to ransomware. What can you share with us today? 

David Dufour: Yeah, David. So, yes, it is in the news everywhere. First of all, great to be back. Love being on the show. But, yeah, you know, we think about paying the ransom. We think about the folks who maybe you're not able to deliver your solutions or do business when you've been affected by ransomware. But there are a lot of other costs behind the scenes - some of them tangible, some of them intangible - that I think a lot of people need to think about. 

Dave Bittner: Well, let's go through some of them together. 

David Dufour: Well, operationally, one of the first things you have to think of - how much is it going to cost you to get back up and running? And that's not just, I have to restore some computers. You know, there could be systems that went down hard that may be affected directly by how are you going to bring them back online - these large industrial systems. You don't just flip a power switch and turn them back on. You know, you don't reboot them like a PC or something. There's a lot of effort operationally in bringing large industrial systems online, and that's something people aren't thinking about. 

Dave Bittner: What other things are you thinking of here? 

David Dufour: Well, there's the brand reputation. I mean, you and I are - you can't really hurt our brand because our reputations are terrible. 

Dave Bittner: No, no, it's the bottom of the - can't go lower than zero. Yeah. 

David Dufour: That's exactly right. So we don't worry about that. But... 

Dave Bittner: (Laughter) No. 

David Dufour: ...You know, there's a lot of really good companies out there that this brand reputation is a big deal. And one of the things we say tongue-in-cheek is, it's always nice to be the security guy of the competitor of the company that got hacked because all of a sudden, you're going to get a lot of money because the - you didn't get hacked, but your company doesn't want your brand to go bad. So if it happens in your industry and it's one hop over, you know, that's when people start paying attention and saying, you know, this really does affect our brand, and we've got to keep our reputation strong. 

Dave Bittner: Right. Right. What do I have to do, security person, to keep that from happening to us? 

David Dufour: That's exactly right. And again, you might see it happen in health care. But recently here, if you're in oil and gas, you're like, well, we're not health care. We don't care about that. But I promise you, everyone who was a competitor of JBS, their security people got a bump in their annual budget. 

Dave Bittner: Yeah. Yeah, that's interesting. Any other ones that come to mind for you? 

David Dufour: You know, it's just a general shutdown of business. A lot of times, people stop, and they say, you know, here's the cost if we want to, you know, recover from ransomware, but they don't look at the bigger picture. And if you can somehow factor in that larger picture across your organization, it becomes a lot less cost-efficient to be prepared for a ransomware attack. And that's easier to take to your senior management and your board and justify the cost. 

Dave Bittner: What about the emotional impact to a company, to have - I don't know - this sense of violation? It seems like it's hard to put a dollar sign on that. 

David Dufour: You know, that's something I haven't thought a lot about because usually we're in the middle of it trying to recover from it. But you're absolutely right. And not only that. You're wondering, will this happen again? Did I get everything? And so you're spending a lot of energy and a lot of cycles trying to make sure that you've done everything you can to prevent it. And then your folks are wondering, could it happen again? 

Dave Bittner: Well, what sort of advice do you have for folks to make sure that they've got these things covered? 

David Dufour: Well, you know, back in the Stone Ages, David, back in the '80s and '90s when I first started in this industry, we spent so much time protecting against environmental disasters. We'd have multiple setups. There was no cloud. And we would spend a lot of time testing failovers, testing recoveries. And people just have lost sight of that. They don't spend the time that we used to. I guess when you spend, you know, $20 million on a computer in the '80s, you're going to take the time to verify that it'll roll over. But now things have gotten so, you know, grand but less expensive that they just - we assume failover. So you need to take that time to ensure you can recover from things. 

Dave Bittner: Yeah. It's interesting 'cause I - it strikes me that so many people, they cut these corners because they think it may give them some sort of competitive advantage. And maybe they're just playing the odds, the - you know, whistling past the graveyard that it's not going to happen to us. But then when it does, boy, it can sure seem to be shortsighted. 

David Dufour: You've nailed it 'cause it is shortsighted. And if you get away with it, then I guess it's OK. But I think somehow as an industry - we talk about this a lot, but how do we get folks to consider - you know what? - their posture, their defensive mechanisms that are in place really protect this company? And it's a cost of being a good company with a good reputation, so you want to do it, rather than the stockholders always wanting - you know, if it's a public company - always wanting, you know, your low EBITDA and you're hitting your margins and all that. Like, how do you add that value in and convince people how critical it is? 

Dave Bittner: Yeah. Yeah. 

David Dufour: And I did not answer your question. I put it out there as I don't know. 

Dave Bittner: (Laughter). 

David Dufour: I mean, but it's something we got to do. 

Dave Bittner: No. I mean, I - it's not an easy question, but certainly, if you're the person standing in front of the board of directors and saying, boy, I really thought we'd - you know, we were just crossing our fingers and hoping we'd be lucky, that's a hard conversation to face. 

David Dufour: That's exactly right. And then you don't want to be the board that the security guy has a bunch of I-told-you-so emails that said, I tried to bring this up, but you wouldn't listen. 

Dave Bittner: Right. 

David Dufour: Like, there - do you know what I mean? So it's - we got to figure out some way to make this an equitable thing that people value so it actually adds value to an organization's bottom line... 

Dave Bittner: Yeah. 

David Dufour: ...And not a monetary value as much as this is a reassurance-type thing. 

Dave Bittner: All right. Well, David Dufour, thanks for joining us. 

David Dufour: Great being here, David. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Tre Hester, Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.