The CyberWire Daily Podcast 10.12.21
Ep 1436 | 10.12.21

Espionage by password spraying, and espionage via peanut butter sandwich. Ransomware and DDoS warnings. Two journalists get the Nobel Peace Prize


Dave Bittner: Tehran is running password spraying attacks, especially on Thursdays and Sundays - more on the renewed popularity of DDoS attacks. NCSC warns British businesses against ransomware. Two journalists win the Nobel Peace Prize. Joe Carrigan shares his thoughts on GriftHorse. Our guest is Bindu Sundaresan from AT&T Cybersecurity on football season and cyber-risks. And watch out for small data cards in your peanut butter sandwiches, friends.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, October 12, 2021. 

Dave Bittner: The Microsoft Threat Intelligence Center yesterday released a report on DEV-0343, an activity cluster Redmond connects to Iran. DEV-0343 has been conducting password spraying attacks against more than 250 Office 365 tenants. Fewer than 20 of the attempts were successful. Targets include U.S. and Israeli defense technology companies, Persian Gulf ports of entry or global maritime transportation. The target selection is unsurprising as it's consistent with Iranian intelligence requirements. As Redmond puts it, quote, "this activity likely supports the national interests of the Islamic Republic of Iran based on pattern-of-life analysis, extensive crossover in geographic and sectoral targeting with Iranian actors, and alignment of techniques and targets with another actor originating in Iran. Microsoft assesses this targeting supports Iranian government tracking of adversary security services and maritime shipping in the Middle East to enhance their contingency plans. Gaining access to commercial satellite imagery and proprietary shipping plans and logs could help Iran compensate for its developing satellite program. Given Iran's past cyber and military attacks against shipping and maritime targets, Microsoft believes this activity increases the risk to companies in those sectors, and we encourage our customers in these industries and geographic regions to review the information shared in this blog to defend themselves from this threat," end quote. 

Dave Bittner: In the course of its campaign, DEV-0343 emulated a Firefox browser and used IPs hosted on Tor. It most often targeted Autodiscover and ActiveSync. Those of you interested in schedules and workplace customs in and around threat actors will take note that DEV-0343 was most active on Sundays and Thursdays between 7:30 a.m. Tehran time, when the factory whistle blew, and 8:30 p.m., which seems to have been quitting time. Microsoft uses the DEV prefix followed by a numeral to designate a threat actor that isn't yet fully classified. Once it's categorized and identified the actor, the company typically moves to one of its familiar elemental threat names. 

Dave Bittner: Microsoft also disclosed that in August, it successfully mitigated a distributed denial-of-service attack against an unnamed Azure customer. At 2.4 terabytes per second, the incident was, at the time, according to the Record, the biggest volumetric attack so far observed. The Meris botnet broke the record shortly after the attack against the Azure customer. Quote, "the attack traffic originated from approximately 70,000 sources and from multiple countries in the Asia-Pacific region, such as Malaysia, Vietnam, Taiwan, Japan and China, as well as from the United States," end quote. Microsoft continued their account of the incident, quote, "the attack vector was a UDP reflection spanning more than 10 minutes with very short-lived bursts, each ramping up in seconds to terabit volumes. In total, we monitored three main peaks - the first at 2.4 terabits per second, the second at 0.55 terabits per second, and the third at 1.7 terabits per second," end quote. 

Dave Bittner: Microsoft, who we note in a spirit of full disclosure, is a CyberWire sponsor, has in general seen a year-over-year rise in the number of DDoS attacks. While the attacks total throughput is down a bit, the number of attacks is up by about 20%. 

Dave Bittner: The BBC reports that the head of Britain's National Cyber Security Centre, speaking at Chatham House Cyber 2021, described Russian-tolerated criminal cybercrime, notably ransomware, as a threat to the security of British businesses. In this, as in other matters, the Five Eyes tend to see the threat landscape through similar lenses, with both Russia and China bulking large. The NCSC's director, Lindy Cameron, emphasized that ransomware, however, represented the most immediate danger. 

Dave Bittner: The Nobel Committee Friday announced that two journalists, Maria Ressa of the Rappler in the Philippines and Dmitri Muratov of Novaya Gazeta in Russia, would be awarded this year's Peace Prize. The Washington Post describes both journalists' critical engagement with their respective governments. Both, and especially Mr. Muratov, have worked at considerable personal risk. Congratulations to them. 

Dave Bittner: A Maryland couple have been charged with violations of the Atomic Energy Act. Jonathan and Diana Toebbe are said to have sold restricted data related to submarine nuclear propulsion systems to an FBI undercover operative they believed to be an agent of a foreign power. Jonathan Toebbe is an engineer employed by the U.S. Department of the Navy. The Toebbes are said to have asked for $100,000 in bitcoin - of course - in exchange for the restricted data they were offering. 

Dave Bittner: Restricted data is a term of art described in the U.S. Atomic Energy Act as, quote, "all data concerning design, manufacture or utilization of atomic weapons, the production of special nuclear material or the use of special nuclear material in the production of energy," end quote. Restricted data is not itself a classification, and data so marked may be controlled at any number of levels, running at least from the relatively low-level confidential classification up through top secret. The Baltimore Sun reports that the information was stored on SD cards, which were then hidden in a Band-Aid wrapper or a peanut butter sandwich - no word on whether jelly was included - before being deposited in what spies call a dead drop, which the FBI told them would be out in West Virginia. 

Dave Bittner: CBS News and others report that the FBI was tipped off by the unnamed foreign power. Who might that unnamed power be? There's reason to think from the internal evidence of the indictment that the unnamed power was itself an operator of nuclear submarines. There are six nations who operate nuclear subs - Russia, China, India, the UK, France and the US, with Australia to join the club as a seventh member in a few years under an agreement recently concluded with the US and the UK Assuming that a wannabe spy would be likeliest to approach a rival submarine power, that leaves Russia, China, India, the UK, and France. 

Dave Bittner: It's unlikely in the extreme that either Russia or China would tip off the FBI about anything. India might, but on the other hand, it might not. You'd have to be an extraordinarily stupid spy to offer American secrets to the British and think this would go unremarked. And so while stranger things have happened, we can probably rule out the UK, and, for that matter, Australia, since the Five Eyes generally see eye to eye. 

Dave Bittner: So France, maybe - it would still require a degree of cluelessness to approach a close US ally like France. But a newbie spy might well decide that was a good bet, especially given French irritation about the Australian agreement with the US and UK, which cut French builders off from a potential market. The timeline is not clear, but it's a nice theory. Dmitri Alperovitch, who's been tweeting about this a little, thinks on other evidence that it was France. Quote, "oh, and he told his fake handler that he wants to one day meet them in a cafe and have a bottle of wine. Case closed," Mr. Alperovitch tweeted. If it was the French, we hope the FBI said "merci" and sent over a nice bottle of bourbon. 

Dave Bittner: Are you ready for some football? That's American football for our international listeners, not the "Ted Lasso" football-is-life variety you all play in the majority of the world. I have been informed by loved ones who track such things that it is indeed football season. Bindu Sundaresan is director at AT&T Cybersecurity, and she reminds us that when it comes to the security of personal information, it's important to keep your eye on the ball. 

Bindu Sundaresan: When you have, you know, sports events, you know, the football season like we're talking about, it really does garner attention from the malicious actors. So you know, we all have to have our guards up and make sure that, you know, the information that we are sharing on social media, on, you know, ticketing platforms that we are using to buy these tickets are - you know, even at stadiums when we go to watch, you know, everything is automated today with every technology and innovation that we have. You know, think of it as yet another attack vector, an avenue for the malicious actor to use to go after. 

Bindu Sundaresan: How many of us, you know, truly use different user IDs and passwords for different things, right? Most of us don't. So you know, that's why we see an uptick in credential stuffing attacks. So what this really means is, you know, the credentials that you're using to watch, you know, the football games versus to shop online versus for your social media - if they're all the same, you know, anywhere where I could, you know, really get access to that, you know, credentials, I will now use it maliciously. And think about, you know, all of the, you know, websites that we, you know, go to as we are, you know, really looking forward to these games. And we're, you know, trying to get, let's say, tickets or, you know, posting on social media. You know, we fall prey to social engineering in the sense that really may not be thinking about it from a cybersecurity point of view. 

Bindu Sundaresan: But keep in mind that, you know, it is exactly that moment that the malicious actor wants to prey on, right? It is that - you know, you've let your guard down. You are not thinking about it as, like, cybercrime, you know, type of, you know, mode, right? All the security awareness and training that you've gotten, you know, at work and, you know, what you've read about, you know, sort of goes off - out the window when, you know, you are sort of being entertained and you're watching a game. 

Bindu Sundaresan: So you know, the key is, you know, even public Wi-Fi spot - hotspots, right? So, you know, we know that you're not supposed to connect to, you know, just public Wi-Fi hotspots and have all the, you know, transactions happen on guest Wi-Fi. But you know that. But then when you're at the stadium, how often are you thinking? You know, are you just going to be, you know, doing all types of transactions and, you know, on your mobile phone while you're watching a game at a stadium? Most likely... 

Dave Bittner: Right. 

Bindu Sundaresan: ...You are, right? So it is about being aware of how the malicious actor is looking to leverage any and all opportunity that they can. It happens. So it's key that, you know, with the new season and, you know, with all of us, you know, also coming off of the pandemic, you know, we are all ready, you know, for some entertainment and for, you know, sort of, you know, not being locked up, right? 

Bindu Sundaresan: So I think, you know, that's exactly the point where, you know, we become more vulnerable to data loss because all of that data that we are tracking, whether it is the performance of athletes, you know, using it for competitive advantage, you slowly, you know, sort of lose sight of the fact that it can be used for espionage and sabotage. And identity theft is becoming more and more prevalent because of all this information that is out there. 

Dave Bittner: You know, I think you bring up a really interesting point, which is that of trust. And I think many of us have kind of an inherent trust in our favorite teams. We feel an affinity for them. And so it's likely that if we get some sort of communication from them or maybe one of our favorite players, that could lead us to having our guard down just because of that affection we have for them. 

Bindu Sundaresan: Oh, yeah, definitely, right? And the thing is - you know, and you know, because I've been doing this for over 20 years, I have to say that, you know, security is people, process and technology, right? It is as much of, you know, psychology play as much as it is a technology play, right? So if I were to tell you, hey, you know, can you just share your date of birth, your phone number, you know, I'm not asking you for your credit card. And, you know, can you share enough of your personal information so that you can win a raffle where let's say, you know, you get to spend a day with your favorite player? How many of us will really refrain from doing that, right? 

Bindu Sundaresan: And, you know, you think about all these Facebook and, you know, social media games that we play, right? You know, funny pet names, favorite pet names, right? Where did you go to school, you know, which year were you born, right? All of this is a digital footprint of you, right? So when you're asked all of these pieces of information in the context of spending time with your favorite player, you know, you really don't even think again, right? It's key that we not only invest in secure payment system and, you know, we are really doing sort of two-factor authentication. You know, you're filtering emails, right? But in addition to that, the awareness of - would you even know how to spot a fake app? Would you know how to, you know, be able to really - you know, let's say you got a call that talks about, you know, you bought a ticket to your favorite game. And now - right? - we do have, you know, as a fan, we engage with these sports teams. And at the same time, the sports teams have to think about it in terms of cyber risk - you know, trust and resilience. 

Dave Bittner: That's Bindu Sundaresan from AT&T Cybersecurity. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We have been covering here on the CyberWire this campaign, this scam campaign called GriftHorse... 

Joe Carrigan: Right. Yes. 

Dave Bittner: ...Which the folks over at Zimperium have been tracking. Interesting story over on WIRED written by Lily Hay Newman that outlines it I recommend people check out. But I wanted to dig in with it with you as well. 

Joe Carrigan: Right. 

Dave Bittner: This is the kind of thing we cover over on "Hacking Humans" pretty regularly. What's going on behind the scenes here, Joe? 

Joe Carrigan: So what's happening is these guys, these bad actors - don't really know who they are - but they have used a development framework called Apache Cordova. And what Cordova does is it allows you to develop cross-platform applications. Why would you put a lot of energy into developing both Android and Apple iOS applications when you can just develop one application using standard web technologies like HTML5, cascading style sheets and JavaScript to essentially build a web-based experience for the user that translates across different platforms? 

Dave Bittner: OK. 

Joe Carrigan: OK? So that's the tool they're using... 

Dave Bittner: Right. 

Joe Carrigan: ...Is Apache Cordova, and it does just that. So it's a great tool for application developers. 

Dave Bittner: OK. 

Joe Carrigan: But because you're using a web-based technology, I can just put anything I want on the servers that the application accesses. Right? So the malicious code in this case does not actually exist in the app. From the perspective of the Google Play Store and from - and all the people that analyze the apps - and there's a bunch of them, and Zimperium is actually one of the people that looks at the apps before they get published - there's nothing malicious in the app, until the user activates the app, and the app goes out to a command-and-control server and downloads HTML and everything that it needs to show the user things. 

Dave Bittner: OK. 

Joe Carrigan: And that also enables new functionality. And behind the scenes, it has access to a lot of different pieces of information about you, like your Google advertising ID, the equipment ID number, the E-I - whatever that long string of numbers is that represents your phone uniquely. 

Dave Bittner: Right. Right. 

Joe Carrigan: It has access to that. It also has the capability of signing you up for premium services automatically, and it - well, not really automatically. It does ask you to claim your gift. 

Dave Bittner: Yeah. So let me just interject here... 

Joe Carrigan: Right. Yeah. 

Dave Bittner: ...Because it says, basically, you know, you go, and you download a - what you think is a benign app. 

Joe Carrigan: Right. 

Dave Bittner: You know - a translator app, heart rate monitor, that sort of thing. 

Joe Carrigan: Yeah. All the - and they have a chart of these apps on the Zimperium report. And it's... 

Dave Bittner: Yeah. 

Joe Carrigan: It's amazing. They have 200 apps that were equipped this way. 

Dave Bittner: Now, it says after downloading one of the malicious apps, a victim would receive a flood of notifications - five an hour... 

Joe Carrigan: Right. 

Dave Bittner: ...That prompted them to confirm their phone number to claim a prize. 

Joe Carrigan: Right. 

Dave Bittner: Joe, if my phone were pestering me five times an hour to claim a prize, I would take it out in the parking lot and run over it with my car. 


Joe Carrigan: I don't know which - this happened a long time ago. I got some app that started doing this to me. 

Dave Bittner: Yeah. 

Joe Carrigan: And first off, it was a nightmare to figure out which app it - was sending it to me because it was an older version of Android. Now it says, hey, this notification is from this app. 

Dave Bittner: OK. OK. 

Joe Carrigan: Right? And they have pictures of that. 

Dave Bittner: Yeah. 

Joe Carrigan: But back in the Android 2 days, that wasn't the case. I just got notifications on my phone - drove me batty. Hated it. 

Dave Bittner: Yeah. Yeah. So in this case, they get you to verify your number. But what you're really doing is you're signing up for a premium SMS service for $42 bucks a month... 

Joe Carrigan: Right. 

Dave Bittner: ...Or something or other. 

Joe Carrigan: Now, I think that's a little high and greedy, don't you? I mean... 

Dave Bittner: Who knows? Maybe they're fans of "The Hitchhiker's Guide." 

Joe Carrigan: Right. Right. 

Dave Bittner: (Laughter). 

Joe Carrigan: But if you - these guys infected - or distributed 10 million copies of these things. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, if you can just go, like, a dollar a month, maybe that slips under the radar. 

Dave Bittner: Well, yes, but I think what they're counting on here is that most people - by the time someone gets their bill and reviews it... 

Joe Carrigan: Right. 

Dave Bittner: ...And then, you know, cancels or whatever, they've got their $42 bucks or whatever... 

Joe Carrigan: Right. And they just keep it. 

Dave Bittner: Yeah, exactly. So - but it's interesting to me, though, you know - Zimperium points out that this has been active since November of 2020. That's a long time for something to be... 

Joe Carrigan: Right. 

Dave Bittner: ...Hanging around in the Play Store at this scale. 

Joe Carrigan: Yeah. They were in there since November of last year, 2020. They were completely undetected by any of the antivirus companies out there. They had developed more than 200 of these apps, and they had that sophisticated architecture where they download the malicious code from a website. 

Dave Bittner: Mmm hmm, mmm hmm. 

Joe Carrigan: Right? And they had a no reuse policy to avoid the blacklisting of these servers or these strings. 

Dave Bittner: Right. They didn't reuse URLs. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. 

Joe Carrigan: So they say that that level of sophistication - and when I say they, I mean, Zimperium says that that level of sophistication, the use of these novel techniques and the determination displayed by these guys allowed them to stay undetected for several months, for almost a year. 

Dave Bittner: Yeah, almost a year. 

Joe Carrigan: I mean, this was - this is a long-term campaign. They've got close to 10 million installs, and I don't know if they're counting that from the Google Play Store or from also third-party apps. Now, all of these apps have been removed from the Google Play Store. 

Dave Bittner: Right. 

Joe Carrigan: That doesn't mean there aren't more apps out there that they haven't found yet. There may be. But they can't make the same claim about third-party app stores, which is one of the things that I frequently tell people is don't use third-party app stores, and this is exactly why. 

Dave Bittner: Yeah. But - so let's talk about potential protection here because these were on the Google Play Store. So that's your... 

Joe Carrigan: These were on the Google Play Store, right. 

Dave Bittner: There's your walled garden. And you... 

Joe Carrigan: Yep. 

Dave Bittner: So you, you know, I think, rightfully have a sense that things are more secure there, that they've been through some sort of check before you can download them. So what do you do here? 

Joe Carrigan: First off, the risk is really kind of minimal from the American perspective, right? Forty-two bucks - maybe I lose it and just cancel the service, and I'm done. 

Dave Bittner: Yeah. 

Joe Carrigan: So it's not, you know, devastating or world-ending for us. But that may not be the case elsewhere in the world. 

Dave Bittner: Mmm hmm. 

Joe Carrigan: I mean, what do you do? I would say pay attention to your bill and fight every charge that you don't expect. 

Dave Bittner: Yeah. 

Joe Carrigan: Google's usually pretty good about refunding premium service charges. Apple's also very good about that. But this didn't affect any of the Apple store products, I don't... 

Dave Bittner: Yeah. 

Joe Carrigan: ...At least they don't say it did. 

Dave Bittner: I guess security awareness, too - I mean, these - and whenever you see one of these prize-winning things, it's - they're generally a scam. 

Joe Carrigan: Yeah, prize-winning - yeah. You won a prize. I mean, if you got an app that's sending you prize notifications all the time, uninstall the app. 

Dave Bittner: Yeah. 

Joe Carrigan: If it sends you one prize-winning notification, uninstall the app. That's my policy. 

Dave Bittner: (Laughter) Yeah. 

Joe Carrigan: I don't want you to try to give me a prize. I just want you to deliver me functionality. I like apps that you pay for that you - you know, that you pay a one-time fee for to not have ads on it. 

Dave Bittner: Right. 

Joe Carrigan: I do that with a couple of apps I really enjoy. And I don't generally like the subscription model for phone apps. 

Dave Bittner: Yeah. All right. Well, again, the campaign is called Grift Horse, and the folks over at Zimperium have been leading the way on describing it. This article is from Lily Hay Newman over in WIRED. Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Hah. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence, and every week we talk to interesting people about timely cybersecurity topics. That's at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.