The CyberWire Daily Podcast 1.18.22
Ep 1496 | 1.18.22

A new member of the Winnti Cluster is described. Cobalt Strike used against unpatched VMware Horizon servers. Ukraine blames Russia for what seems to be a destructive supply chain attack.


Dave Bittner: A new Chinese cyberespionage group is described. Cobalt Strike implants are observed hitting unpatched VMware Horizon servers. Ukraine attributes last week's cyberattacks to Russia. Microsoft doesn't offer attribution, but it suggests that incidents were more destructive than ransomware or simple defacements. The U.S. warns of possible provocations. Ben Yelin looks at a bipartisan TLDR bill. Our guest is Lisa Plaggemier from the National Cybersecurity Alliance on the ongoing threat of phishing. And the REvil arrests in Russia may have been for leverage.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, January 18, 2022. 

Dave Bittner: Trend Micro yesterday reported on an elusive threat actor it calls Earth Lusca and that it's been tracking since the middle of last year. Earth Lusca is assessed as a Chinese group - part of the Winnti Cluster, although it represents a distinct operation. Its interests include government and educational institutions, religious movements, pro-democracy and human rights organizations in Hong Kong, COVID-19 research organizations and the media - all predictable espionage targets. 

Dave Bittner: But Earth Lusca's activities are mixed. They also extend to some apparently financially motivated operations against gambling and cryptocurrency outfits. Whether that's a central purpose of the group or whether it represents an APT side hustle is unknown. Trend Micro's technical analysis of the group's activity describes its infrastructure, a distinctive strain of malware, and its extensive social engineering. 

Dave Bittner: Researchers at Team Huntress, following up on warnings from the U.K.'s NIH, have confirmed that unpatched VMware Horizon servers are now being actively attacked with Cobalt Strike implants. This activity amounts to exploitation of Horizon itself and not the abuse of web shells that were observed earlier. 

Dave Bittner: Ukraine has now attributed last week's cyberattacks to Russian operators, and Kiev has found some support for its conclusion among other governments. Microsoft on Saturday released a report on the malware used in the attacks. It was a wiper that represented itself as ransomware. NATO considers its options for defense, deterrence and response. 

Dave Bittner: Kiev has accused Russian services of carrying out last week's cyberattacks with some possible assistance from Belarus. Ukraine's Ministry of Digital Transformation said this weekend, quote, "Moscow continues to wage a hybrid war and is actively building forces in the information and cyberspace," end quote. Kiev's view is that the operation is a continuation of a hybrid war Russia has waged against Ukraine since its 2014 invasion of Crimea. 

Dave Bittner: Ukraine's State Service for Special Communications described the attacks as hitting 70 government sites or resources, 10 of which were subjected to unauthorized interference. But the service claimed that no personal data was leaked and that most affected sites were quickly restored to normal. The state service added some details about how the attackers obtained access to the sites. It was a supply chain attack. Quote, "the attackers hacked the infrastructure of a commercial company that had administrative access to the web resources affected by the attack," end quote. Which commercial vendor was hit remains unspecified. 

Dave Bittner: It's worth noting that a supply chain attack through M.E.Doc tax preparation software was used in 2017's NotPetya attack, which has been generally attributed to Russian intelligence services. The cyber operations, coming as they do as Russian troops are reported to have marshaled in assembly areas near the Ukrainian border, have been received by NATO as battlespace preparation. The U.S. has said that the cyberattacks have the hallmarks of a disinformation operation intended to afford Russia a pretext for military action. 

Dave Bittner: White House press secretary Jen Psaki went on the record concerning the possibility of false flags during Friday's daily media brief. Here are her remarks, as recorded by C-SPAN. 


Jen Psaki: As part of its plans, Russia's laying the groundwork to have the option of fabricating a pretext for invasion. And we've seen this before. We saw this before leading up to 2014, just to note, including through sabotage activities and information operations by accusing Ukraine of preparing an imminent attack against Russian forces in eastern Ukraine. 

Jen Psaki: And the Russian military plans to begin these activities several weeks before a military invasion, which could begin between mid-January and mid-February. Again, we saw this playbook before, including the widespread effort to push out misinformation, not just in Eastern Europe but around the global community. 

Dave Bittner: Ukraine's Ministry of Digital Transformation agrees that the cyberattacks represented, at one level, disinformation in the service of influence operations. Quote, "its goal is not just to intimidate society but to destabilize the situation in Ukraine by stopping the public sector's work and undermining Ukrainians' confidence in their government," end quote. 

Dave Bittner: False flags and disinformation are a longer game. But Friday's cyber incidents may have had some more immediate effects. The cyberattacks may have been intended to provide cover for other, more destructive operations. Microsoft said on Saturday that it hadn't been able to draw connections between Friday's cyberattacks against Ukraine and any of the threat actors it tracks. It is, however, confident that the attack involved the use of a wiper - that is, malware whose intent was the destruction of data - not their temporary denial, as in a conventional ransomware attack, or their theft. 

Dave Bittner: The operation is being called WhisperGate, and Microsoft has given the threat actor behind it the temporary tracking identifier DEV-0586. The attack is, Microsoft says, a two-stage operation. Stage one overwrites the master boot record to display a faked ransom note. Stage two of the attack installs a file-corrupter malware. That malware is still undergoing analysis. 

Dave Bittner: Microsoft has provided a set of indicators of compromise organizations can use to assess their risk. To return again to NotPetya, that earlier incident also involved the use of a wiper dressed up as ransomware. So this, too, would be out of a familiar playbook. 

Dave Bittner: Website Ukrinform reports that NATO, having condemned last week's cyberattacks, is working with closer cooperation on cyberdefense with Ukraine. According to Reuters, the U.S. has offered Ukraine whatever it needs to recover from those attacks. And Interfax-Ukraine says that Franco-American talks have addressed common preparations to render such aid to Kyiv. 

Dave Bittner: Russia denies any involvement in the cyberattacks and disclaims any intention to invade Ukraine. Kremlin spokesman Dmitry Peskov said in a CNN interview, quote, "we have nothing to do with it. Russia has nothing to do with these cyberattacks. Ukrainians are blaming everything on Russia, even their bad weather in their country," end quote. 

Dave Bittner: That said, Russian President Vladimir Putin has given the U.S. and, by implication, NATO, a soft deadline for meeting Russia's demands. It's set to expire roughly on January 20. He's outlined three demands, Russia Matters reports. Demand No. 1 - no more NATO expansion eastward, especially to Ukraine and Georgia. Demand No. 2 - NATO withdraws military infrastructure placed in Eastern European states after 1997. And demand No. 3 - U.S. and NATO deploy no strike systems in Europe, such as intermediate and short-range missiles that would be capable of striking targets in Russia. 

Dave Bittner: Should the U.S. refuse - and it would be expected to formally accede to or reject the demands - Russia Matters describes the Kremlin's probable next move. Quote, "this written refusal to honor Russia's demands could then be used in a rhetorical battle on the international stage over which side is to be blamed when Russia subsequently claims it has been compelled to act vis-a-vis Ukraine and the West, be this via the deployment of nuclear attack systems along Russia's western frontiers - including Kaliningrad, as well as Belarus - the deployment of systems in Cuba and Venezuela and/or another intervention in Ukraine," end quote. 

Dave Bittner: The CyberWire's continuing coverage of the crisis in Ukraine can be found on our website. 

Dave Bittner: In response to an increase of governments requiring people to obtain and, under some circumstances, present evidence of vaccination against COVID-19, criminals are selling fraudulent PCR and test certificates. Check Point says the bogus certificates are, for the most part, being distributed by the Telegram messaging app and that some regions have seen an increase in such fraud of up to 600%. 

Dave Bittner: And finally, U.S. officials have said, according to The Record, that one of the members of REvil arrested last week by Russian authorities may have been responsible for the ransomware attack on Colonial Pipeline last spring. Trustwave back in November reported that Eastern European cybercriminal circles were beginning to wonder whether the safe haven they'd so long enjoyed was about to be closed to them. 

Dave Bittner: Those worries are probably as premature as hopes for a new age in Russo-American cooperation, a false sunset to go with a false dawn. The Kremlin's withdrawal of what amounts to a letter of marque is likely, Cybereason told IT Pro, to be purely tactical, designed to darken counsel while Russia pursued its interests in Ukraine. Impunity can be restored as easily as it's withdrawn. And besides, there's no real risk of extradition to the U.S., so a sabbatical in Club Fed seems unlikely in the extreme. 

Dave Bittner: The National Cyber Security Alliance is a nonprofit public-private partnership promoting cybersecurity and privacy education and awareness. The organization dates back to 2001 and focuses on bridging the gaps between private industry, government and the public at large. Lisa Plaggemier is interim executive director of the National Cyber Security Alliance, and I caught up with her recently for insights on the state of phishing. 

Lisa Plaggemier: I think there's definitely greater awareness. We did a lot of speaking events. We - you know, we get invited by corporations and organizations of all sizes, so to speak, during Cybersecurity Awareness Month in October. And just anecdotally, from the companies that I was speaking to, we also surveyed a lot of their employees during one of the talks that I gave. There was a chance for audience participation in a couple of poll questions. And I see a big difference between people - I'll say people of working age - and their awareness of phishing. And, you know, most of these people, especially if you're at a large American company or even a small- or medium-sized company these days, you're being sent simulated phish by your employer. And so that does a lot to raise awareness. 

Lisa Plaggemier: I have a 20-something who's in her first job out of college, and she is so pumped when she recognizes all of those simulated phish that her employer sends her. And they have a contest. They have a leaderboard. You get a gift card to their company stores so you can get yourself some swag. She tracks that. I mean, she's excited by that, and she also likes the way, I think, that it makes her feel. It makes her feel smarter than a bad guy because she can spot these things. And I would hazard a guess that a couple years ago, when she was in college, she could have cared less, and it just wasn't top of mind for her. 

Lisa Plaggemier: So I think the more companies that run simulated phishing programs that do it in a way that encourages your employees, that makes them feel good about what they've learned, that makes them feel smarter than a bad guy - I think that's all really positive, you know, as opposed to running a program that's more punitive. So if you treat it like training, not like human penetration testing, I think it can do a lot to raise awareness. 

Lisa Plaggemier: I've also noticed that people seem less inconvenienced by security than they have in the past. I think with this increasing awareness of things like phishing has also come an increased awareness that, hey, you know, sometimes, security is a little bit inconvenient or it might take me a few extra seconds to check an email or use multifactor authentication, but I'm OK with that because it's all about being more secure. 

Lisa Plaggemier: I think a couple of years ago, I just - you know, because I work in security, I'll have, you know, friends that will always like to gripe to me about, you know, oh, my company turned on MFA or this e-commerce site turned on MFA, and I have to use it - or a financial institution - and they like to complain about it. I don't hear that so much anymore. And I know that's completely anecdotal. But that's just the general feeling that I get. 

Dave Bittner: Yeah. You know, it strikes me - like, I sometimes use the analogy that, you know, you can do all the right things. You can wash your hands. You can, you know, wipe down surfaces with antibacterial things. But every now and then, you're still going to get a cold, and that's just sort of the way it is. But you can't be fatalistic about this. You still have to do those basics, and you're going to be better off for it. 

Lisa Plaggemier: You don't stop doing those things because what you're doing is mitigating your risk. You're reducing your risk. If you did none of those things, then your risk would be much higher of getting sick. So it's really about risk management. 

Dave Bittner: That's Lisa Plaggemier from the National Cyber Security Alliance. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security but also my co-host over on the "Caveat" podcast. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: Interesting story from the folks over at The Washington Post. This is written by Cristiano Lima. And it's titled "No One Reads the Terms of Service. Lawmakers Want to Fix That with a New TLDR Bill." Ben, what's going on here? 

Ben Yelin: So we've talked many times on this podcast and on "Caveat" about how nobody reads the EULAs. They're too long. They're 300 pages. 

Dave Bittner: Yeah. 

Ben Yelin: It's written in legalese. Nobody understands them. Members of Congress want to do something about that, and this is a bipartisan effort. So there was a bill introduced in the House called the TLDR Act. You and I were very curious as to how they would make this TLDR - which, of course, is too long; didn't read - into a legislative acronym. And they did not disappoint. 

Dave Bittner: (Laughter). 

Ben Yelin: The act may be cited as the Terms of Service Labeling, Design and Readability Act, which... 

Dave Bittner: Nice. 

Ben Yelin: ...Frankly is brilliant. I would like to give a Nobel Prize and Pulitzer Prize to the legislative staffer who came up with that because that is... 

Dave Bittner: Well-done. 

Ben Yelin: ...Absolutely fantastic. So the purpose of the bill would be to require companies to have terms of service that are readable and easy to understand for the average user. And then another part of the bill would require these companies to disclose whether they had been hit by recent data breaches and make very clear what sensitive personal data they are allowed to collect. 

Ben Yelin: So this is the House bill. The Senate counterpart - this is a Senate bill proposed by Democrat Ben Ray Lujan of New Mexico and Republican Bill Cassidy of Louisiana. It's largely identical, but they didn't come up with a brilliant acronym for their piece of legislation. So if I'm a member of Congress, I'm advocating that we adapt the House version because how much better could it be than having a TLDR Act? 

Dave Bittner: Let me ask you this. So as a lawyer yourself, isn't the whole notion of legal jargon in direct tension with the idea of having a version of that that is easy to read and understand? 

Ben Yelin: Yes. I think there's parts of EULA's terms of service that need to be written out in 300 pages because at some point, the lawyers are going to be poring over them. The problem is it's not the lawyers - you know, we don't call our attorney and have them read the terms of service before we press the I agree button. At least most people don't do that. 

Ben Yelin: And I think the purpose of this legislation is to decouple the actual legalese, the very complicated terms, you know, that dictate whether the company is liable, when they're liable, you know, what liability they're disclaiming - decouple that with something that's just very easy for the average consumer to understand. 

Ben Yelin: You know, I certainly think it is in the interests of consumers and therefore in the interests of members of Congress to make these more readable for people so they know exactly what they are agreeing to. That doesn't mean you completely displace the 300 pages of legal jargon. It just means the company has to summarize that in a way that's readable, understandable for the average consumer. 

Dave Bittner: Do you think that is ultimately achievable? 

Ben Yelin: I do. I do. You know, this might be a part of a larger piece of legislation. If there is ever data privacy legislation, you know, some sort of breach notification law, maybe they would tuck this in as a rider to that bill. But I could certainly see this as something that Congress would have the fortitude to do, you know, given that it has bipartisan support. They've held a lot of hearings, you know, over the past couple of years about some of the abusive practices of these tech companies. So it's certainly an area ripe for regulation. 

Ben Yelin: So I would not be surprised at all to see a version of this get enacted. And, you know, I think it would make life a little bit easier for most of us who don't take the time to actually read through those terms and conditions and give us some sort of meaningful consent when we agree to the EULA when we download that new application. So, yeah, I think the chances are decent that this could actually turn into a law. And, you know, fingers crossed because I think it's a really good idea. 

Dave Bittner: All right. Well, time will tell. Ben Yelin, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.