The CyberWire Daily Podcast 9.27.21
Ep 1426 | 9.27.21

The EU asks Russia to knock it off, and specifically to stop with the GhostWriter. Zoombombing in Cambodia. Conti is back; Colossus is a new entrant in the ransomware field. Meng returns to China.


Dave Bittner: The EU publicly blames Russia for Ghostwriter and counsels Moscow to amend its ways. Finland's security services warn of foreign cyber-espionage and influence threats. Zoombombing at the highest levels in Cambodia. Colossus is the latest ransomware kid on the block. Conti is back, as predicted, and has hit a major European call center. Dinah Davis from Arctic Wolf on cybersecurity learning standards. Our guest is Otavio Freire from SafeGuard Cyber with insights on how to defend against nation-state actors and zero-day exploits. And Huawei's CFO is back in China.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, September 27, 2021. 

Dave Bittner: The European Union on Friday publicly attributed the Ghostwriter cyber-espionage and disinformation operation to Russia. The statement said, quote, "some EU member states have observed malicious cyberactivities collectively designated as Ghostwriter and associated these with the Russian state. Such activities are unacceptable as they seek to threaten our integrity and security, democratic values and principles and the core functioning of our democracies." 

Dave Bittner: "These malicious cyberactivities are targeting numerous members of parliaments, government officials, politicians and members of the press and civil society in the EU by accessing computer systems and personal accounts and stealing data. These activities are contrary to the norms of responsible state behavior in cyberspace as endorsed by all U.N. member states and attempt to undermine our democratic institutions and processes, including by enabling disinformation and information manipulation." 

Dave Bittner: "The European Union and its member states strongly denounce these malicious cyberactivities, which all involved must put to an end immediately. We urge the Russian Federation to adhere to the norms of responsible state behavior in cyberspace," end quote. 

Dave Bittner: No immediate action was announced, but as the statement's final sentence warned, the European Union will revert to this issue in upcoming meetings and consider taking further steps. 

Dave Bittner: The attribution and warning didn't say which nations had received the attention of Ghostwriter, but as The Washington Post notes, the timing of the communique suggests concern for Germany, which held elections over the weekend. The outcome of that election seems to be that a center-left coalition led by Social Democrats with the smaller Green and Free Democrat parties will form the government that will succeed retiring Chancellor Angela Merkel's. 

Dave Bittner: Independently, Finland's security and intelligence service called out both Russian and Chinese cyber-espionage and influence operations as major continuing threats, Bloomberg reports. Cyber-espionage and ransomware are seen as especially acute threats, but the assessment also assigns a particularly high risk to Finnish information infrastructure from potential legitimate investments by authoritarian states. 

Dave Bittner: According to online tech publication Rest of World, Cambodian Prime Minister Hun Sen Zoombombed an online conference held by the country's banned opposition party to tell participants that their communications were being monitored. 

Dave Bittner: The leader said, quote, "I have been listening and have entered to listen many times already," end quote, taking an unusually hands-on approach to warning the opposition. He is said to have wagged his finger and cautioned the opposition to behave themselves and stop insulting him, should they expect to be permitted back into public life. 

Dave Bittner: Premier Hun Sen, a Khmer Rouge alumnus with all predispositions for social control and political repression that affiliation suggests, is believed to be working toward tighter control of Cambodia's internet. The prime minister said on his preferred Facebook platform that he'd previously attended 20 of the opposition's online meetings, explaining, quote, "this entry was just to give a warning message to the rebel group to be aware that Hun Sen's people are everywhere. Please be careful, and don't do any activities against the national interest," end quote. 

Dave Bittner: Cambodia's control over its domestic internet is regarded as likely to increase this coming February, when the country's national internet gateway comes online. The gateway will route all internet traffic through a single point, where a state operator will exert national policy by blocking undesirable websites and collecting user metadata. 

Dave Bittner: On Friday, ZeroFox discovered and described a new ransomware strain they're calling Colossus. Its one known victim is a U.S.-based automotive dealership group, and the attack is the now-familiar double extortion that both encrypts data and then threatens the public release. 

Dave Bittner: Colossus hasn't shown much disposition to chatter on the dark web, but its operation suggests familiarity with the ransomware-as-a-service criminal market. In particular, their communications with their victims have a familiar look, resembling as they do similar messages issued by Epsilon Red - also known as BlackCocaine - and REvil - also, of course, known as Sodinokibi. This suggests, ZeroFox suspects, that Colossus may be using a similar builder. 

Dave Bittner: A dump page for doxxing uncooperative victims has yet to appear, but ZeroFox expects one to surface shortly. 

Dave Bittner: The Record reports that the major European call center operator GSS has sustained an attack with Conti ransomware. The attack hit on September 18. GSS has taken down affected systems and is working toward a full restoration of normal services. 

Dave Bittner: Russophone security researcher Habr, disappointed with his treatment by Apple's bug bounty program and Apple's failure to respond, has published, according to Forbes, three zero-day vulnerabilities affecting iOS 14 and iOS 15. Habr says he disclosed the bugs to Apple's bounty program back in March. 

Dave Bittner: And, finally, the BBC reports that Huawei CFO Meng Wanzhou is back in China after reaching a deferred prosecution agreement with the U.S. Department of Justice. Justice agreed to defer prosecution in exchange for Ms. Meng's admission of having misled its partner, financial services firm HSBC, about Huawei's extensive and sanctions-violating involvement with Iran. 

Dave Bittner: The New York Times reports that Canadian citizens whom China had detained shortly after Ms. Meng's arrest were also released and had returned to Canada. Recall that Ms. Meng had been detained in Vancouver pursuant to a U.S. warrant and had been fighting her extradition to the States. Their arrests were widely regarded as intended simply to give China leverage in the Meng case. The Guardian quotes critics as calling China's actions "hostage diplomacy," which probably isn't a bad characterization. 

Dave Bittner: Zero-days are notoriously difficult to defend against since these types of exploits are developed to target vulnerabilities that are unknown to software developers. One of the ways to mitigate these types of attacks is to continuously look for potential vulnerabilities within the software that's being used. Otavio Freire is president, CTO and co-founder of SafeGuard Cyber, and he offers these insights. 

Otavio Freire: You've built a great piece of software or technology or infrastructure. And the bad guys - either it's organized hackers or up to nation-states - have figured out a way, a hole in that infrastructure that you did not know about and use it to exploit for espionage, for financial gain, for, you know, take a pick of malicious means. 

Dave Bittner: Is it fair to say that not all zero-days are created equal? 

Otavio Freire: Oh, absolutely. Absolutely. I mean, you know, take SolarWinds, right? I would almost put that in one extreme - very sophisticated operation, carried out, we now know, by a nation-state that, you know, took advantage of supply chain, figure out massive scale, you know, created a zero-day, if you will. 

Otavio Freire: The other extreme, you have some web kid (ph) in a browser that you go to a website, and it's exploiting some vulnerability - JavaScript or a browser - that does something to a targeted group of users. 

Otavio Freire: So absolutely. I think there's a continuum both of complexity, investment and outcome from zero-days. The fact there's a market for it - there was a working financial market that buys these zero-days. Governments buy these zero-days. You know, and the prices vary - right? - depending on their sophistication and complexity and operating system. The price that they can be purchased at is a proxy, almost, for the level of sophistication or the spectrum of sophistication out there. 

Dave Bittner: And how does an organization prepare against this? I mean, how do you dial in appropriate resources for this particular type of threat? 

Otavio Freire: Yeah. Well, it's important to point out the disparity between the sophistication of attack within any organization - right? - no matter how sophisticated. So it always is a - no matter the situation, it's a David and Goliath, I think, situation. I think we all need to understand that. That being said, organizations, you know, can always do better in terms of preparing for these attackers. 

Otavio Freire: I think the very first step is understand what your risk is, right? It is a hard thing to accomplish, actually, is a (ph) thing to say, but it's an important step because there are just basics that need to be done - you know, a good backup process, a good threat intelligence process built around your organization, like QMS system that takes into account the best practices of a cybersecurity program. You know, there are things that you can just do to make sure in case of a cyberattack that you're well prepared. And, you know, this all leads to some risk assessment that you can do to prepare for the case of a nation-state attack. 

Otavio Freire: I mean, of course, after the attack, a breach has occurred, well, it's just too late. So, you know, the hard work is creating that resilience, understand your risk level and then addressing it. 

Otavio Freire: So how do you prevent malware and ransomware from propagating their business? How do you - in case you are attacked through ransomware, now you're thinking - they have a chessboard - well, how to avoid data loss attached to a ransomware. 

Otavio Freire: And then how do I also protect the human attack vector from these nation-states attack? And if you watch the DBIR reports over the years, it's just social engineering and the human factor just kept arising as more of the means that you deliver things such as ransomware. So looking at your organization, understanding that the human is a potential attack vector. Humans are using communication channels, everything from email to something like we're on today here or, you know, a video-based collaboration tool. These are all means that these incredibly destructive tools of these nation-states, such as ransomware, can be delivered. 

Otavio Freire: So, you know, it's important to have an automated software that allows you to detect when these attacks are taking place and respond. But even more importantly, you got to think up the value chain and start with the risk - right? - to avoid you get to that point. But it is a complicated matter to defend against nation-states, for sure.

Dave Bittner: That's Otavio Freire from SafeGuard Cyber. 

Dave Bittner: And I'm pleased to be joined once again by Dinah Davis. She is the VP of R&D operations at Arctic Wolf. Dinah, it's always great to have you back. I wanted to touch today on something that I know you've been following, and this is learning standards when it comes to cybersecurity. What do you have to share with us today? 

Dinah Davis: Yeah, I was really excited that recently came out with an entire curriculum for teaching cybersecurity to kids from K all the way to 12. Really impressed with it. It splits up how they teach it into three main categories, which is, like, computing systems, where they talk about, like, networking and, you know, software updates and that kind of stuff; digital citizenship - and for that one, it's all about, like, cyberbullying, digital footprints, like, getting - you know, making sure they know and are aware of what it is to be online. 

Dinah Davis: And then information security is the last column. I was very excited about this. I've maybe posted a couple times to the Canadian government that they should get on this. 

Dave Bittner: (Laughter). 

Dinah Davis: I've also been a big believer in kids learning tech and computing really early. I feel like we teach our kids about physics, about biology and math so that they know when the doctors are talking or they go see a specialist or something it's not magic. It's science. It's based in reality. And with their worlds being so digital, I really think they should know it's not magic. 

Dave Bittner: That's interesting. So it's, in a way, demystifying some of the things that are going on behind the scenes. 

Dinah Davis: Exactly. They should understand that it's just algorithms that are working on their iPad, that it's not - you know, it can't do everything because a human had to program it to do that. 

Dave Bittner: It strikes me, along with what you're saying there, that, you know, we teach kids things like basic health and hygiene. And I wonder with computers and certainly their online networks and these being a primary way in which they interact with their friends, does this go along with that? Is this a basic skill that needs to be just a, you know, part of growing up that all kids really should have? 

Dinah Davis: I think so. And it's not just the technology. It is the security part. And I was really excited to see that they put the digital citizenship with it as well because that's also your privacy. And what you do online matters, and it will be recorded. And also just that you can have all of your stuff stolen, right? 

Dinah Davis: So, you know, we don't go out in the world and tell our kids to just walk across the street without looking both ways - right? - because they could get hit by a bus. Well, (laughter) the internet's not that different, right? There's some pretty crappy things that can happen to them online if we don't teach them what's safe. 

Dave Bittner: Do you think there's a component to this as well of, you know, bringing the parents up to speed and having them understand what part they play? 

Dinah Davis: Yeah, 100%. And, I mean, I don't know what the has in their settings, but I know that as part of their curriculum, it's teaching teachers how to teach this. So at the very least, it's pulling teachers in to get engaged and educated about it because if they're not educated about it, like, I mean, they're going to do things in front of the students that potentially are risky behaviors - like, not bad, but, like, you know, they could be using the same password and giving that password out to everyone, and then that's an OK thing to do. But it's not, right? 

Dave Bittner: Right, right. Wash your hands, right? Brush your teeth. 

Dinah Davis: Exactly. 

Dave Bittner: Don't reuse your passwords (laughter). 

Dinah Davis: Yes. 

Dave Bittner: Yeah. 

Dinah Davis: In my household, those are some hardcore things. 

Dave Bittner: Yeah. Boy, I'll bet all the kids love to visit the Davis family, right? 


Dave Bittner: Now, kids, before we eat dinner, I'm going to need you to show me your YubiKeys. 


Dinah Davis: I think my teenage daughter would kill me if I did that.

Dave Bittner: I'll bet she would. All right. Well, Dinah Davis, thanks for joining us. 

Dinah Davis: You're welcome. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.