The CyberWire Daily Podcast 9.7.21
Ep 1412 | 9.7.21

A threat from Ragnar Locker. GhostWriter in the Bundestag. BKA bought Pegasus. Taliban sifts data for potential opponents. France-Visas hacked. Modified apps. Privacy notes. A TrickBot arrest.


Dave Bittner: There's no spectacular flurry of Labor Day ransomware, but Ragnar Locker threatens its victims. Berlin complains to Moscow about GhostWriter. Another Pegasus customer is disclosed. The Taliban is searching for data on potential domestic opponents. France-Visas is hacked. Modified apps are in circulation. Joe Carrigan unpacks a COVID-based phishing scam. Carole Theriault weighs in on the ransomware pay-or-do-not-pay discussion. ProtonMail answers a warrant, Apple delays CSAM screening and an alleged TrickBot coder is arrested.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, September 7, 2021. 

Dave Bittner: U.S. authorities warned that ransomware attacks could be expected to spike over the just-concluded Labor Day holiday. While cybercriminals have remained active, there seem to have been no spectacular new capers over a weekend largely devoid of unusual ransomware drama. Don't get us wrong; that's not a bad thing at all. 

Dave Bittner: But, of course, there have been some attacks that had an effect, and at least one high-profile incident has caused some disruption. Howard University in Washington, D.C., has canceled classes for today after detecting what appears to be a ransomware attack Friday. 

Dave Bittner: BleepingComputer does report one interesting development. The operators of Ragnar Locker ransomware have warned their victims, whom the hoods cynically refer to as clients, that they'll promptly dump stolen data, should they get a whiff of the victims going to law enforcement or indeed any third party for help. 

Dave Bittner: Quote, "so from this moment, we warn all our clients, if you will hire any recovery company for negotiations or if you will send requests to the police, FBI, investigators, we will consider this as a hostile intent, and we will initiate a publication of whole compromised data immediately. Don't think, please, that any negotiators will be able to deceive us. We have enough experience and many ways to recognize such a lie. Dear clients, if you want to resolve all issues smoothly, don't ask the police to do this for you. We will find out and punish with all our efforts," end quote. 

Dave Bittner: Should you be a victim of Ragnar Locker, or indeed of any other gang, don't be deceived. You're not in any meaningful sense their client. 

Dave Bittner: The German Foreign Ministry yesterday lodged a complaint with Russia over ongoing attempts to stage cyber-espionage and influence operations against the Bundestag during the runup to national elections, Deutsche Welle reports. The activity, which is reported to have successfully compromised some federal networks, is part of the long-running and often described GhostWriter campaign against Central and Eastern European targets. 

Dave Bittner: Deutsche Welle summarizes the ministry's conclusions and the reactions of Bundestag members, unhappy at what they regard as the government's failure to keep them apprised of the situation. 


Unidentified Reporter: The German government's communication network has been breached by hackers. The Parliament's secret supervisory body has been informed by the chancellery and security services, and they say it's not over. 

Armin Schuster: (Through interpreter) This is an actual cyberattack on the government's information network, and it's ongoing. 

Unidentified Reporter: The government has known about this since December. It spent weeks observing the cyberattack to learn more about the hackers' activities. Not even the agency responsible for intelligence services was informed. Delegates are angry about being left out of the loop. 

Burkhard Lischka: (Through interpreter) We would all understand if the chancellor's office said it needs to observe a critical issue a little longer. But the fact that no one said anything at all - on the contrary - means we are once again in a position to learn about such incidents from the media, which I think is absurd. 

Dave Bittner: That's Deutsche Welle. You can listen to the whole thing there. As the sound clip suggests, this isn't a fresh discovery, but the complaint to Russia is new, as is the acknowledgment of the possible extent of the compromise. 

Dave Bittner: The information GhostWriter obtained does not, by initial reports, seem to be highly sensitive, but its potential for disinformation and influence operations is regarded as significant. 

Dave Bittner: In an unrelated development, Germany's federal police, the BKA, are reported to have been among the customers of NSO Group, quietly purchasing its controversial Pegasus intercept tool. Tagesschau says that authorities will report on the purchase to a watchdog Bundestag committee today. There are no specific allegations of the BKA having abused the tool, but Pegasus has been in such bad odor due to its abuse by repressive regimes that suspicion inevitably accompanies its adoption by any law enforcement agency. 

Dave Bittner: Die Zeit reports that the capabilities of Pegasus outrun the kinds of surveillance permissible under German law. When the tool was purchased, German authorities are said to have insisted that only such functions as were compatible with the law would be activated, but Die Zeit says it's unclear not only how but even if such selective enablement would have been possible. 

Dave Bittner: Reuters reports that the Taliban is actively seeking access to the emails of former government officials and that Google has, temporarily at least, locked down access to such accounts. Google didn't directly confirm their move to deny the Taliban access to the accounts, saying only it was monitoring events and was taking temporary actions to secure relevant accounts. The concern over email accounts and other data belonging to the fallen government coming into the possession of the Taliban is that the information gained would be used to track and arrest former government officials or indeed anyone else of suspect loyalty. 

Dave Bittner: The Taliban's control over the country is now generally regarded as complete. Less than a week after the U.S. departure, the last stronghold of resistance, the Panjshir Valley, has been secured by the Taliban. According to The Washington Post, the National Resistance Front of Afghanistan, the anti-Taliban resistance organization that had held the valley against both Soviet and Taliban attempts to conquer it, confirmed that the Taliban was now in control of the region. 

Dave Bittner: France's Interior Ministry disclosed Friday that its visa platform, France-Visas, has sustained a cyberattack that exposed personal information of visa applicants. The ministry said it quickly contained the attack, and the information compromised was neither sensitive, as defined under GDPR, nor financial and that it would have been insufficient for the attackers to fraudulently obtain government services. 

Dave Bittner: Modified apps - legitimate applications criminals have copied and modified to deliver adware, spyware and other malicious payloads - are, according to security firm Pradeo, continuing to circulate. The problem isn't entirely new, but it's growing in prominence as some large trusted apps are copied and modified. 

Dave Bittner: Pradeo draws particular attention to bogus Netflix apps that are afflicting the unwary. Users should apply the usual skeptical cautions before installing an app. If the offer arrived by smishing, it's no good. If the offer looks too good to be true, you can bet it is, and so on. 

Dave Bittner: But they have some advice for app developers. Obfuscate and encrypt your code to discourage hackers. Enhance your app with tamper-detection features that will react appropriately at runtime to a code integrity violation. Your users will thank you. 

Dave Bittner: Privacy-friendly end-to-end encrypted email service ProtonMail has acceded to a legally binding order from the Swiss Federal Department of Justice, originating with Europol, that required it to turn over the IP address and certain device information used by a group called Youth for Climate, characterized as anti-gentrification activists, to access their ProtonMail account. The information surrendered led to the arrest of some members of the group in France, according to Hacker News. 

Dave Bittner: Various observers aren't happy about the company's action, which they regard as betrayal of the service's brand essence. ProtonMail, based in Switzerland, isn't happy about it either but explains that they had no choice. Founder and CEO Andy Yen tweeted, quote, "Proton must comply with Swiss law. As soon as a crime is committed, privacy protections can be suspended, and we're required by Swiss law to answer requests from Swiss authorities." 

Dave Bittner: He added, "some thoughts on the French climate activist incident. It's deplorable that legal tools for serious crimes are being used in this way, but by law, ProtonMail must comply with Swiss criminal investigations. This is obviously not done by default, but only if legally enforced," end quote. 

Dave Bittner: It's unfortunate that Youth for Climate technically broke Swiss law, he said, noting that ProtonMail's people are also activists at heart and that the company routinely fights such requests. But this time, he says, their hands were tied. 

Dave Bittner: Influenced by adverse reaction from privacy hawks, Apple has decided to suspend its plans to incorporate screens for child sexual abuse material, CSAM, in iCloud. The company told TechCrunch on Friday, quote, "last month, we announced plans for features intended to help protect children from predators who use communication tools to recruit and exploit them and limit the spread of child sexual abuse material. Based on feedback from customers, advocacy groups, researchers and others, we have decided to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features," end quote. 

Dave Bittner: So Cupertino will take another run at the problem later, after discussion with those who have objected to the approach they announced in August. Apple has regarded the criticism as arising from a failure to communicate and that it could have been clearer about what it regarded as an important safety feature that posed no real threat to privacy. But critics have seen, at the very least, a slippery slope of best practices riding the toboggan toward full-fledged intrusive surveillance. 

Dave Bittner: A man suspected of writing code for the criminal enterprise that runs TrickBot has been arrested by authorities in Seoul on a U.S. warrant, the Record reports. The alleged criminal coder, referred to so far only as Mr. A, had been unable to leave the Republic of Korea for the past year and a half, stranded by COVID-19 travel restrictions.

Dave Bittner: Mr. A is expected to contest extradition on the grounds that American justice would impose a disproportionate penalty on him should he be convicted. This is the second alleged TrickBot coder to be taken into custody, the first being Alla Witte, a Latvian national arraigned in a U.S. Federal District Court on June 4. 

Dave Bittner: For quite a while now, the accepted best practice on ransomware was to not pay the ransom unless there was no other option available - payment as a last resort, if you will. Lately, it seems, all parties advise a more practical approach. Our U.K. correspondent Carole Theriault addresses the ongoing dilemma of ransomware payment. 

Carole Theriault: So when you think about ransomware, if you put yourself in the situation where your data is locked or stolen and being threatened to be revealed or sold, what do you do? Do you pay the bad guys, or do you not pay the bad guys? And, you know, it seems very easy to answer, but actually, it's not. 

Carole Theriault: On the one side, the moral approach seems to be, of course, do not pay the ransom, guys. To my mind, every single action film that involved a kidnapping was a success if the hero got away without rewarding the bad guys for their bad behavior. Good guys don't give bad guys stuff. 

Carole Theriault: But what if you're responsible for the welfare of people? Perhaps you're a health center, government services, authorities. What if you get hit by ransomware and you can't actually get ambulances out to people, or people that are on benefits can't actually claim their checks? What happens then? 

Carole Theriault: According to Techtarget, of the 10 biggest ransomwares of 2021 so far, two of them were on public services. One was Buffalo Public Schools, where the private info of 34,000 students was at risk. And the entire school system was shut down for more than a week, which meant no in-class or remote learning for the kids. 

Carole Theriault: The other biggie was Ireland's Health Service Executive, HSE, which in May got hit by a massive ransomware attack. Getting operations back to normal has been no easy task. It wasn't until two months later that online registration for medical cards was restored. And additionally, health care centers were asking patients to bring in paper documents since computer records were inaccessible. 

Carole Theriault: And it seems like the market's kind of in flux because on one side you have insurance, cybersecurity insurance, which would have policies to cover you in case of a ransomware attack. On the other hand, you have governments considering banning companies from legally paying ransoms. 

Carole Theriault: Even at the highest levels, we don't agree. And this obviously benefits the hackers. According to a BBC article published earlier this year, hackers responsible for the Colonial Pipeline hack, DarkSide, made at least $90 million in ransom payments based on their bitcoin records. And that's a lot of Wonga. I mean, in short, right now, it is super messy. And the best thing to do is not get hit by ransomware - I know, easier said than done. But by putting in place all the things that you need to lower your risk to a ransomware attack, I say, the better. 

Carole Theriault: This was Carole Theriault for the CyberWire. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Interesting publication here from the folks over at INKY. And it's titled "Fresh Phish: Fake Mandatory COVID-19 Vaccine Form." 

Joe Carrigan: Right. 

Dave Bittner: Kind of stuff we cover over on "Hacking Humans," and I thought it's an interesting story to share here with our CyberWire listeners. What's going on here, Joe? 

Joe Carrigan: So I don't know about here at the CyberWire. You're a small business. But at Hopkins, I had to provide information that demonstrated that I had been vaccinated, right? A large employer - and a lot of employers are going to require this information from their employees as well. 

Dave Bittner: Right. 

Joe Carrigan: Well, these bad guys know that. So they are using that as a lure for a phishing email. And this email comes in - these emails are coming in from compromised external accounts. They're not coming from internal accounts. But because they're coming from the external accounts, they are getting through standard email authentication, like DMARC, right? They go right through. 

Joe Carrigan: And here's a sample of the email. 

Joe Carrigan: (Reading) Good morning, all. We are learning of a new strict requirement from the county with regards to COVID vaccinations. All employees are required to complete the COVID vaccination form and return it to HR as soon as possible. This is a mandatory requirement. 

Joe Carrigan: Then it goes on and on and on. But here's the hook. It says, (reading) it is mandatory that you complete this form by the end of today. 

Joe Carrigan: And one of the things we always say over on "Hacking Humans" and social engineering circles is that one of the biggest red flags you should look for is an artificial timeline... 

Dave Bittner: Right. 

Joe Carrigan: ...Time constraint. And this... 

Dave Bittner: Right, a call to action. Yeah. 

Joe Carrigan: Call to action. This is a call to action and a very short artificial time constraint. 

Dave Bittner: Yeah. 

Joe Carrigan: All right, so once you click on the link, you go to a credential-harvesting site that tries to harvest your Microsoft 365 credentials through an Outlook page that's really convincing, a very good site... 

Dave Bittner: Yeah. 

Joe Carrigan: ...In terms of how well it's done. It's an absolutely evil site. But... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...It looks really authentic. 

Dave Bittner: Right. 

Joe Carrigan: Once you do that, to add insult to injury, it asks the victim to enter some more personal information, like your birthday and your mailing address, right? So not only is it credential-harvesting, but they're also getting some personally identifiable information. 

Dave Bittner: Right. 

Joe Carrigan: So maybe they can start building records they can sell to other people on the web for identity theft. 

Dave Bittner: Yeah. 

Joe Carrigan: Once you complete that portion, you're actually sent to a Santa Clara County government website that has a PDF about submitting a form that demonstrates you've been vaccinated. 

Dave Bittner: So a legit form... 

Joe Carrigan: A legit form, yeah. That's... 

Dave Bittner: ...Is the final step. 

Joe Carrigan: That's the final step. And that is to confuse the person and hopefully distract them from what they just did not realize that they entered their information improperly. 

Dave Bittner: Wow. Are there any tells here, anything giving this away that folks can look out for? 

Joe Carrigan: No. 1, it's coming from an email that's not internal. So it's not coming from your HR department. No. 2, when you click on the link, you're taken to a login site, which really shouldn't happen, right? You shouldn't be asked to log in. You're looking at your email already, even if you're looking at a web interface of your email, like the Outlook web client. 

Dave Bittner: Yeah. 

Joe Carrigan: You're already logged into that. So when you click on a link and you're asked to log in again, that should be a red flag. 

Dave Bittner: Right. 

Joe Carrigan: But it isn't. A lot of times, it's somebody going, oh, the system just glitched. I'll just enter my credentials again. 

Dave Bittner: Sure. Yeah. 

Joe Carrigan: A couple of things you can do as an enterprise to protect this - multifactor authentication, multifactor authentication and multifactor authentication. 

Dave Bittner: (Laughter). 

Joe Carrigan: Right? 

Dave Bittner: Right. Right. 

Joe Carrigan: And you, as a person, if you have a personal account, multifactor authentication. Always enable that. 

Dave Bittner: Yeah. 

Joe Carrigan: It makes this exponentially more difficult for these bad guys. If you don't have that enabled, then it makes it very easy for them. 

Dave Bittner: Also strikes me that if you have a password manager... 

Joe Carrigan: Right. 

Dave Bittner: ...It's going to point out that, hey, this isn't actually Office... 

Joe Carrigan: Right. 

Dave Bittner: ...That you're asking me to fill these credentials into. 

Joe Carrigan: Yeah, it won't even do it. 

Dave Bittner: Yeah. 

Joe Carrigan: If it's a browser-integrated password manager, it won't even enter the credentials. 

Dave Bittner: Right. 

Joe Carrigan: That's right. 

Dave Bittner: Right. All right. Well, interesting example of this, certainly playing off some of the topical stuff in the news here. 

Joe Carrigan: Yeah, they're always reading the paper, Dave. 

Dave Bittner: (Laughter) It's worth checking out. Again, this is from the folks over at INKY. And, Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.