The CyberWire Daily Podcast 9.13.21
Ep 1416 | 9.13.21

The continuing problem of Meris and its bot-driven DDoS. Mustang Panda visits Indonesia. DPRK’s social media battlespace prep. Al Qaeda marks 9/11’s anniversary. And REvil seems to be back.


Elliott Peltzman: The Meris botnet continues to disrupt New Zealand banks and has turned up elsewhere, too. Mustang Panda compromised Indonesian government networks. North Korean operators are using social media to soften up their prospective targets. Al-Qaida sympathizers marked the 20th anniversary of 9/11 by calling for - what else? - more 9/11s. Malek Ben Salem from Accenture on deep unlearning. Our own Rick Howard is in, talking about the latest episode of "CSO Perspectives" on adversary playbooks. And REvil seems to be back in business after taking what some of its hoods call a break.

Elliott Peltzman: From the CyberWire studios at DataTribe, I'm Elliott Peltzman, filling in for Dave Bittner, with your CyberWire Summary for Monday, September 13, 2021. 

Elliott Peltzman: The Meris botnet-driven distributed denial-of-service attacks organizations sustained over a week ago have proven surprisingly difficult to remediate. After a week full of fitful apparent recovery, banks in New Zealand continued to experience service disruptions through the weekend, The New Zealand Herald reports. KrebsOnSecurity, which was also affected for four days by the botnet, has an account of how Meris exploited vulnerable MikroTik devices to jam networks in several countries. The bad news is that inexpensive gear continues to ship with default insecure states. The good news, Krebs argues, is that for all of the inconvenience this botnet has just caused, in general, this form of DDoS has grown less dangerous as security firms have learned to cope with it. 

Elliott Peltzman: Recorded Future reports that the Chinese cyber-espionage unit Mustang Panda has compromised, quote, "the internal networks of at least 10 Indonesian government ministries and agencies, including computers from Indonesia's primary intelligence service, the BIN," end quote. PlugX malware hosted inside Indonesian government networks were still communicating with their command-and-control servers at least as recently as this July. Recorded Future notified Indonesian authorities in June of their discovery, but the authorities have been, perhaps understandably, tight-lipped in their response. The campaign is believed to have been in progress since March of this year.

Elliott Peltzman: North Korean cyber operators associated with Kumsong 121 threat group are using a social media campaign as preparation for spear phishing and smishing attacks against South Korean targets, the Daily NK reports

Elliott Peltzman: Social media are used to establish rapport with the targets, who are eventually asked to review a column on DPRK affairs the attackers claim to have written. That document carries the malicious payload. The campaign seems noteworthy in the amount of effort being expended in cultivating a degree of trust in the prospective victims. In this respect at least, Kumsong 121 seems to be taking a page of the kind of careful cultivation of agents long practiced by espionage services - gain their trust. Habituate them to doing you small good offices and accepting small good offices in return. In this case, however, the good offices remain small. No one's asking you for the secret war plans. They're just wondering if you'd be so kind as to look over an op ed they wrote and tell them what you think. Once they've opened the document or followed the link, they're pwned. 

Elliott Peltzman: Over the weekend, SITE Intelligence Director Rita Katz followed by al-Qaida sympathizers writing in the online publication Wolves of Manhattan. They call for more attacks like those of 9/11 and are emboldened by the U.S. withdrawal from Afghanistan, which they see as a validation of al-Qaida's original strategy. Quote, "as soon as the U.S. announced withdrawal from Afghanistan, al-Qaida began transforming its media structure, emulating ISIS, creating dozens of media groups, each with a different mission, all serving the overarching goal of strengthening al-Qaida," end quote, Katz tweeted. How effective such online influence and inspiration will prove to be remains, of course, to be seen. The Taliban are generally regarded as allies of al-Qaida. ISIS is thought to be a rival. The Taliban is expected to present as moderate a face online as is consistent with its program. Neither al-Qaida nor ISIS are likely to be so nuanced, relatively speaking. 

Elliott Peltzman: According to BleepingComputer, the REvil ransomware gang is back in operation, emerging from its brief occultation without even a gesture in the direction of rebranding. The gang's Tor payment and negotiation site and its data leak sites came back online and became accessible last week on September 7. A day later, it was again possible to negotiate your ransom with them in the old, familiar way. And on Saturday, the gang had posted a fresh set of stolen data on the dump site in its now familiar double extortion move. There had been a great deal of speculation concerning what was going on with REvil when they dropped off the cyber map. Were they feeling the hot breath of the law down their neck? Unlikely, given their Russian base of operations and the Russian organs' tradition of indulging criminals who concentrated on targets in Russia's adversaries, but certainly within the realm of possibility. 

Elliott Peltzman: Was it one of the periodic exercises in rebranding that criminal gangs undergo for various reasons? Was it a split with remnants of the gang going off on their own? The former persona that represented REvil to the world was known simply as Unknown, a nom-de-hack and not a declaration of ignorance. Anywho, Unknown disappeared when REvil evil went into occultation and is not somewhere in the wind in parts unknown. A successor representative popped up when the gang's servers came back online. He or she simply goes by REvil. REvil posted some information that indicated that Unknown had vanished, perhaps arrested. But others who appear to be in a position to know are chatting to the effect that there was nothing so exotic going on. Everyone was just chilling for a while. 

Elliott Peltzman: An apparent spokesman for the gang was observed by BleepingComputer, chatting that they were simply on a break. In full, the operator said, quote, "nothing happened. Took a break and continued to work, adding. "I advise you to take breaks, too." So come on. It's not like the hoods have to make rate at a pick-and-stow station in an Amazon warehouse or something. You need a break - you take a break, apparently. And the heck of high traditions of crime with a capital C. Did Mr. Capone chill whenever he felt like it? Not really, although we admit our knowledge of Big Al is based mostly on watching "The Untouchables." What performance metrics are they using in the underworld these days, anyways? Kids nowadays. 

Dave Bittner: And I am pleased to be joined once again by Rick Howard, the CyberWire's chief security officer and chief analyst. Rick, I noticed that there is a lot of activity over on the "CSO Perspectives" podcast this week. What is going on? 

Rick Howard: Indeed, that's true, my friend. We have lots of plates spinning on tall, skinny sticks this week, all right? 

Dave Bittner: (Laughter). 

Rick Howard: And so far, none of them have crashed to the floor. The first is that we're publishing our last episode of the season, season six for the "CSO Perspectives" podcast. And if you recall, we published our last episode the week before the Labor Day break, talking about a concept called adversary playbooks. And while they're essential to our first principle intrusion kill chain strategy, for this last episode, I invited Ryan Olson, the VP of threat intelligence Unit 42 at Palo Alto Networks to the CyberWire Hash Table because he and I were partners in developing that idea. So we talked about how it started, how it morphed over time and the current direction that Palo Alto Networks is taking it. 

Dave Bittner: All right. Well, that is over on the Pro side of things. But on the public side, the ad-supported side, there is an episode from season two that's coming out. What's that one about? 

Rick Howard: Yeah, this is a good one. We invited three CISOs and one CIO to discuss how they run their internal security operations centers. We have Don Welch, the Penn State University CIO, Helen Patton when she was still the CISO for Ohio State University, Bob Turner when he was still the CISO for the University of Wisconsin at Madison, and finally, Kevin Ford, the current CISO for the state of North Dakota. 

Dave Bittner: One more thing. You know, this past weekend was the 20th anniversary of 9/11. You were at the Pentagon on that day. And you have prepared something special for our listeners. What can you share about that? 

Rick Howard: Yeah. Two years before that horrible, horrible day - OK? - the army stationed me at the Pentagon to be what was essentially the network manager for the Army Operations Center. It's a place that coordinated global operations for the United States Army. So you might say I had a bird's-eye view of when the entire war on terror began. 

Dave Bittner: Wow. 

Rick Howard: So as a bonus episode for both the "CSO Perspectives" shows, the subscription-based pro side and the ad-supported side listeners will be able to download that special edition where I talk about my personal story on that day and some of the implications to the Army and to the country 20 years later. 

Dave Bittner: Yeah. I have to say, I've had the opportunity to listen to it. And it is absolutely riveting. I can't recommend it enough. So please, listeners, do check that out. It's really worth your time. Yeah. 

Rick Howard: That was very nice of you to say. 

Dave Bittner: Well, Rick Howard, always a pleasure speaking with you. Take care, my friend. 

Rick Howard: Thank you, sir. 

Dave Bittner: And joining me once again is Malek Ben Salem. She is the technology research director at Accenture. Malek, it's always great to have you back. I want to touch today on a topic that I know is of interest to you. You know, we talk about deep learning. But today, you wanted to bring us up to speed on deep unlearning. What's going on with that? 

Malek Ben Salem: Yeah. Thanks, Dave. And I'm always glad to be back. So as you know, deep learning is a branch of machine learning, which is completely based on artificial neural networks. Deep unlearning is a new research area. And the reason for its emergence is because it turned out that these deep learning models that we create or these deep neural networks have the capacity to leak some information about the data that they learned from or even to bias the outcomes that - or the decisions that they make based on the data that they learn from. So in order to make them - to improve their accuracy and to make them more generalizable to data that they have not seen before, and more importantly, to reduce the risk of them leaking private data, sensitive data, we need this process of unlearning (laughter), having them forget what they - you know, what they learned or what - the data that was used for training them. 

Dave Bittner: Now, I have to admit, as a longtime "Star Wars" fan, this reminds me of what Yoda said to Luke Skywalker, which is, you know, you must unlearn what you have learned. So I can't get that out of my mind. So is this a matter of once these systems have used that data to develop the processes that they will then use - that that data is no longer of use to them, the original data that they trained on? Is that what we're talking about here? 

Malek Ben Salem: To a certain extent, yes. I don't even want them to be... 

Dave Bittner: (Laughter). 

Malek Ben Salem: ...To be generalizable, so that they're not... 

Dave Bittner: Yeah. 

Malek Ben Salem: ...Dependent on that data that was used to teach them or to train them because that has the effect of making them just, you know, perform well on data that is very similar to what they've seen before, but not perform as well on data that they have not been exposed to. And also, you know, as I mentioned, there are some privacy attacks against these deep learning models, one of them being what is known as the membership inference attack, where the adversary does not even have to have any knowledge about the inner parameters of the machine learning model or the deep learning model. But they can extract some information about the data that was used to train that model. And if that data is sensitive or contains some private information, some PII data, then, you know, there's that risk of PII leakage. 

Malek Ben Salem: So it's important to have this in mind and build these models, you know, with that understanding. If there are, you know, generally two techniques to deal with this that fall under this deep unlearning umbrella, one of them is looking at methods or a method called SISA. This was developed by researchers from the University of Toronto and Wisconsin-Madison where different versions of a model are trained on non-overlapping subsets of the same data set. And then during inference, they can become, you know, they can combine the predictions from each model via majority vote. And this makes it possible to remove selected training examples and retrain only the model associated with their subset. 

Malek Ben Salem: Another approach for dealing with this is removing the impact of a training model on a model's weights after it's been trained if its lost function meets certain mathematical conditions. So, you know, this is still in early research phase, but I think knowing the - in light of the new privacy regulations - right? - such as GDPR, which requires or which has this right-to-be-forgotten clause, there may be requirements for or there may be cases where companies are forced to retroactively remove the influence of specific data from trained models. And these techniques will be one way of achieving that outcome. 

Dave Bittner: It's interesting. Now, I mean, do you envision this becoming sort of a standard operating procedure that, when you go through the process of training a system, this will be part of it? 

Malek Ben Salem: I think this will be after the fact, after training the model. There's one technique that prepares the data set beforehand. There's this other technique that is basically after the fact, once the model is trained, it removes the impact. But I definitely think that one or the other would be part of the standard procedure if we want to ensure that these models are privacy preserved. 

Dave Bittner: All right. Well, fascinating stuff. Malek Ben Salem, thanks for joining us. 

Malek Ben Salem: Thank you, Dave. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Elliott Peltzman: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Elliott Peltzman: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Tre Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Dave Bittner. And I'm Elliott Peltzman. Thanks for listening.