The CyberWire Daily Podcast 2.22.22
Ep 1520 | 2.22.22

Escalation in Russia’s hybrid aggression. APT10’s espionage against Taiwan’s financial sector. Developments in the C2C market. Jamming your teen’s Internet access.


Dave Bittner: Russia escalates its hybrid war against Ukraine with cyber implications for the rest of the world. Xenomorph banking trojan hits European Android users. APT10's months-long espionage campaign against Taiwan's banks. Hive ransomware's flawed encryption is good news. TrickBot's place in the C2C market. Joe Carrigan shares the latest evolution of business email compromise. John Pescatore's Mr. Security Answer Person returns. And there's a right way and a wrong way to keep your teen offline.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, February 22, 2022. 

Dave Bittner: More Russian troops move into Ukraine in what Russia represents as a calming peacekeeping move but which most other governments are calling aggression. Here's a quick overview of the hybrid war and its broader implications for cybersecurity.

Not quite “shock and awe.”

Dave Bittner: It's not the shock and awe predicted in some quarters, and in fact, Russia's Foreign Ministry has continued to deny that it's not sure if it's really happened at all. But Russian President Vladimir Putin did announce in his major speech yesterday that he had authorized the dispatch of peacekeeping troops into the eastern Ukrainian regions of Luhansk and Donetsk. Kremlin spokesman Dmitry Peskov expressed the facially implausible hope that Moscow's recognition of the two regions Russia wishes to detach from Ukraine would help restore calm and that Russia remained open to diplomacy with the EU and the U.S. The relatively gradual and for all that violent escalation may be intended to divide Western counsel and mute some of the response the action will summon.

False flag provocations and disinformation.

Dave Bittner: Russia said early yesterday that it had killed five saboteurs who attempted to cross into Russia near Rostov, the Guardian reports. Interfax said Russian forces also destroyed two Ukrainian army vehicles that crossed the border in a failed attempt to come to the saboteurs' rescue. Ukraine denied the claims, which indeed seem preposterous. 

Dave Bittner: The principal line of disinformation Russia has pursued with respect to Ukraine is to accuse Kyiv of genocide against ethnic Russians. It's an absurd claim that's gained little traction abroad, as the Atlantic Council argues. But its principal audience may be a domestic Russian one. 

Dave Bittner: And who is really beating the war drums in eastern Ukraine? Why, the House of Windsor, of course, and Russian TV will hip you to this if you, like the Telegraph, have been watching. This particular explanation - and it's really worthy of the late Mr. Lyndon LaRouche, which the outlet Russia 1 offers - runs like this. Prince Charles and Prince Andrew need something to distract the public from recent royal scandals - hence, Ukrainian aggression against Russia because nothing says, hey, there's nothing to see on that Lolita Express than, you know, Ukrainian plans to attack Russia. We leave the assessment of this analysis as an exercise for you, dear listener. 

Sanctions and the prospects of continuing diplomacy.

Dave Bittner: Syria and presumably Belarus appear to be in Russia's corner. Syrian Foreign Minister Mekdad said his country's government supports Russia's move and will cooperate with the two breakaway regions. But most other governments have condemned Russia's recognition of Donetsk and Luhansk and the dispatch of Russian troops to the Ukrainian territories. TASS quotes an aggrieved Russian Foreign Minister Lavrov, who says the itch to punish Russia is familiar and enduring. Quote, "we understand that now our colleagues are seeking to put all the blame for the breakdown of the Minsk agreements on Russia. Our European, American and British colleagues will never stop and rest content until they use all the possibilities for the so-called punishment of Russia. They are already threatening with possible hellish sanctions or, as they say, mother of all sanctions," end quote. So they're used to this in Russia. We would like to suggest to Mr. Lavrov that, given what his stooges have been saying about the Prince of Wales, you ain't seen nothing yet, but he'd be used to that too. 

Dave Bittner: The U.N. Security Council held an emergency meeting last night to consider Russian actions. Separately, U.N. Secretary General Antonio Guterres called Russia's action a violation of the territorial integrity and sovereignty of Ukraine and inconsistent with the principles of the Charter of the United Nations. NATO's Secretary-General also condemned Moscow's recognition of the two regions as independent republics. Quote, "I condemn Russia’s decision to extend recognition to the self-proclaimed Donetsk People’s Republic and Luhansk People’s Republic. This further undermines Ukraine’s sovereignty and territorial integrity, erodes efforts towards a resolution of the conflict and violates the Minsk Agreements, to which Russia is a party," end quote.

Cyber operations during hybrid warfare, and the difficulty of containing them.

Dave Bittner: Reuters reports that the U.S. and the U.K. on Friday publicly attributed recent distributed denial-of-service attacks against Ukrainian banks and government websites to Russia. Australia joined in this attribution shortly thereafter and promised cyber support to Ukraine as it resisted further Russian activities. Western governments are on alert for Russian cyberattacks on their own assets, and the Independent says that British defense secretary Ben Wallace suggested to the House of Commons that the U.K. was prepared to undertake offensive cyber-operations against Russia should retaliation become necessary. 

Western organizations and their exposure to cyber threats from Russia's hybrid war.

Dave Bittner: The risk of Russian escalation in cyberspace during its hybrid war is generally regarded as high. The Harvard Business Review summarizes how businesses ought to prepare for this threat in the near future, and Moody's Investor Service has issued a new research report that emphasizes the difficulty of such conflict remaining confined either geographically or economically. Quote, "Given the digitization of and interconnectedness of global markets such attacks could have economic implications across geographies and sectors," end quote.

The Russian suppression of (some) ransomware gangs.

Dave Bittner: Friday’s Aspen Institute conference on Russian Aggression Toward Ukraine asked, among other things, what should be made of the recent Russian moves against its domestic ransomware gangs. The panelists who discussed the arrests and announcements were skeptical, seeing the moves as tactical, and not as representing some new-found respect for legality. The gangs are reversible, deniable assets, and the privateers can be expected to return once Moscow decides that their return is in Russia’s interest. 

Dave Bittner: There is, of course, no lack of ordinary criminals ready to take advantage of the fear and unrest that accompany a war. Accenture reports an uptick in Ukrainian-themed offerings, especially offers of purported personal information of Ukrainian citizens, and expects it to continue. Some of the cases it cites, like WhisperGate, have clear connections with Russian intelligence services. Others seem to be the usual opportunistic work of gangs. 

Dave Bittner: According to Accenture, quote, "As of February 11, 2022, ACTI assesses it is likely that as intelligence warnings and postings related to Russia and Ukraine increase, deep web actors will continue to increase their offerings for databases and network accesses relevant to the Russia-Ukraine conflict in hopes of gaining high profits. Global events occasionally serve as motivating factors for malicious actors to claim they are selling important and relevant data for profit, regardless of whether such data is genuine or even exists," end quote. 

Xenomorph banking Trojan hits Europe.

Dave Bittner: ThreatFabric researchers yesterday released a report on a new banking Trojan they're calling Xenomorph. It shares some features with the Alien Trojan, but ThreatFabric regards it as a distinct strain of malware. Xenomorph resembles its related Android banking malware functionally, too. It seeks to get over the fence into the Google Play Store by misrepresenting itself as a productivity app. In this, it has had some success, even as user reviews continue to warn that the apps carrying the Xenomorph payload are malicious. The Trojan has been most often found afflicting European users. 

APT10 has been engaged against Taiwan’s financial sector for months.

Dave Bittner: The Record shares the results of a CyCraft investigation that found a months-long campaign against Taiwan's financial sector. China's APT10 is being held responsible for the incident, which CyCraft characterizes as espionage. The campaign, Operation Cache Panda, was interesting in the misdirection it employed. It allowed itself to look like a conventional credential-stuffing effort, when in fact it exploited a vulnerability in the web interface of a security tool, planted a version of the ASPXCSharp web shell, and then used a tool called Impacket to scan a target company’s internal network. APT10 is also associated with the names Stone Panda, Potassium, and Cicada. 

Hive ransomware has a flaw in its encryption.

Dave Bittner: Bravo to researchers at South Korea’s Kookmin University, who have found a flaw in Hive ransomware's encryption algorithm that can be exploited to enable victims to recover their files.

Trickbot in the C2C market.

Dave Bittner: Trickbot, for all of its recent activity, may soon have run its course. Advanced Intelligence says that Trickbot's criminal affiliate users are migrating to Conti's services, and that Conti intends to replace Trickbot with a spinoff successor. 

Don’t try this at home, Dad.

Dave Bittner: And finally, are your kids spending too much time online, too many in-game purchases? Are they learning bad language and picking up ways that just aren't right? Are they, above all, staying up late at night gaming, chatting or looking at the unedifying content that - let's face it - represents the bulk of the internet? Don't be ashamed. We've all been there. Some of our colleagues have reverted to locking basements, unplugging modems and putting them under parental pillows, confiscating monitors and storing them in undisclosed locations. You know the drill. One gentleman in the French commune of Messanges down in Nouvelle-Aquitaine was driven to take matters even farther. A mobile phone carrier told authorities it had noticed odd signal drops affecting service in Messanges. The authorities of the ANFR found that it was a jammer and that it operated from midnight until 3 a.m. local time. 

Dave Bittner: Using some detection tools and a little shoe leather - and I'll admit to not knowing the French idiomatic equivalent of fox hunt - the authorities traced the jamming to a private home where the dad was jamming the internet to keep his teenaged son offline during bedtime. His son had become addicted to social media during COVID sequestration, and the father was at wit's end. Sure, it's a technical violation of French law. The father faces a 30,000 euro fine and maybe even a jail term of up to six months, ZDNet reports. But it's hard not to sympathize at least a little. After all, we're all in this together. 

Automated Voice #1: Mister. 

Automated Voice #2: Security. 

Automated Voice #3: Answer. 

Automated Voice #4: Person. 

Automated Voice #1: Mister. 

Automated Voice #2: Security. 

Automated Voice #3: Answer. 

Automated Voice #4: Person. 

John Pescatore: Hello, and welcome back to Mr. Security Answer Person. I'm John Pescatore. Let's get into our question for this week. Cybersecurity asks, (reading) I work for a medium-large retail company, and I've known our CEO since before he got the CEO job. We had lunch together recently, and he asked me an interesting question. A board member wanted to know why we called it cybersecurity since nothing else in the business or in the media ever mentioned anything cyber anymore. The board member jokingly suggested that maybe we should call it crypto security, since cryptocurrencies do seem to come up a lot. So my question - should we call cybersecurity something new so we can better capture management attention? 


John Pescatore: Hold on a second. I have to clean up some sprayed coffee that just got on my desk. The short answer is, no, we shouldn't change the term cybersecurity to something new. Though crypto security is kind of tempting, I have to admit. But we should change it back to something old. Before we drill down, in the interest of full disclosure, a while back, I did an Ask Mr. Security Answer Person segment where I weighed in against brand freshening in our profession. I was actually against changing information security to cybersecurity back when it happened. In fact, I've done entire hour-long webinars just on that topic. Let me give you the elevator pitch of why I feel that way. 

John Pescatore: Our profession started out as information security. There were no computers, but there was still lots of information, mostly in hard copy form. Security was mostly about physical access control - making sure only authorized people could read documents to provide confidentiality. But integrity was in there too, with notarization and watermarks, as well as availability via carbon copies and the like. Important to note - it was not called file cabinet security or paper security. The focus was on the valuable part - the information. When the mainframe came into more widespread use by businesses in the mid-'60s, you began to see the term computer information security used. But the focus was still on access control - digital safeguards to assure confidentiality by only allowing authorized computer users to access the information. The computers were locked down in the basement. There were no external networks, and there were no real external attacks. We weren't worried about the computers. So information security remained the dominant term. 

John Pescatore: Flash forward to 2001, as business use of the internet exploded. We're still calling what we did information security. But that year, the Code Red and Nimda worms took advantage of numerous critical vulnerabilities in Microsoft Windows, SQL Server and the IIS web server and gained mainstream press coverage by wreaking havoc on corporate networks and the internet overall. But those are really denial of service attacks, not breaches. No information was exposed. The computers and networks were brought down. Slammer and Blaster in 2003 continued this trend, and people began to say, why do we call this information security? 

John Pescatore: The issue is not the information. It is keeping all those computers and networks safe. Business use of the internet was still growing exponentially, and everything was being called cyber this or cyber that. And voila, everyone switched from calling it information security to cybersecurity for two reasons, really. The first is simply brand freshening, trying to make something old more exciting. More disclosure - I'm reading this in a building in a planned community called Maple Lawn that for hundreds of years was known as Scaggsville. The second reason is the one that will finally get us back to answering your question. 

John Pescatore: In the digital world, protecting information is really, really hard. Encryption and strong authentication are required to do so. But implementing those has a lot of impact on IT and users and many business flows. Protecting networks and computers may seem hard, but it is way less work overall than securing digital information while still allowing the business to do what it needs to do. It didn't take long for cybercriminals and nation-state attackers to start going after information. But the really badly needed controls and processes - persistent encryption and strong authentication - were nowhere to be found. That needs to change. 

John Pescatore: So that's my answer. Let's change cybersecurity back to information security to both freshen up our brand - heck, I bet your CEO doesn't even know we used to call it infosec - and to convince management to back the changes needed to protect critical business data from breaches, ransomware and all forms of attack. Multifactor authentication, persistent data encryption and privilege minimization are at the top of the list of the necessary changes we would like management to back. By the way, have you thought about what you'll say when they ask you, how can we secure the Metaverse? 

Automated Voice #1: Mister... 

Automated Voice #2: Security... 

Automated Voice #3: Answer... 

Automated Voice #4: Person. 

John Pescatore: Thanks for listening. I'm John Pescatore, "Mr. Security Answer Person." 

Automated Voice #1: Mister... 

Automated Voice #2: Security... 

Automated Voice #3: Answer... 

John Pescatore: Person. 

Dave Bittner: "Mr. Security Answer Person" with John Pescatore airs the last Tuesday of each month right here on the CyberWire. Send in your questions for "Mr. Security Answer Person" to 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: You know, we cover a lot of scams over on "Hacking Humans." And there was a public service announcement from the FBI that came across my desk recently. And this had to do with a particular kind of business email compromise that's making the rounds here. What's going on here, Joe? 

Joe Carrigan: So business email compromises - like, I call it the king of social engineering attacks, right? The reason I call it the king of that is because it is so wildly successful, and these guys make huge payouts. 

Dave Bittner: Yeah. 

Joe Carrigan: They get - they make bank. We've seen losses in the millions of dollars from business email compromise. 

Dave Bittner: Right. 

Joe Carrigan: And basically, how that works is somebody compromises the email account of somebody high up in an organization and then asks somebody lower in the organization to transfer a lot of money out to an account they control, all while telling the person they're talking to to keep it quiet because it's secret and intimate that they need this done quickly. There's always the artificial time horizon. The key part is don't tell anybody about it, right? 

Dave Bittner: Right. There's some secret business deal. 

Joe Carrigan: Yeah. 

Dave Bittner: And we don't want to screw it up. So let's just keep this between the two of us for now. 

Joe Carrigan: Right. That - first off, that should be a red flag. 

Dave Bittner: Yeah. 

Joe Carrigan: Whenever you hear that, that should be something you should be concerning yourself with. The new angle here is once they've compromised the email account, they really have a lot of access, right? And if they've compromised something with a single sign-on thing kind of account going on like a lot of organizations use, they may also have compromised the teleconferencing application that is used. So they may call a meeting or inject themselves into a meeting. 

Dave Bittner: So, like, a Zoom meeting. 

Joe Carrigan: Yeah. Like, think Zoom. 

Dave Bittner: Right. 

Joe Carrigan: And then when they get on the meeting, they're going to have a still picture of the person. Let's say it's a CFO of a company. They're just going to have a still picture of the CFO that they've probably copied directly from the company's website. 

Dave Bittner: Right. 

Joe Carrigan: And they've put it up as the image. 

Dave Bittner: Right. 

Joe Carrigan: And the thing about this in Zoom is when I go into Zoom, I can change my name to say just about anything. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? So that's what they do, and the picture - and this can - it's really easy to impersonate somebody. Then they say, I'm having trouble with my audio and visual. I can hear you guys just fine, but I can't say or you can't hear me, and my camera doesn't work. There's some technical difficulty... 

Dave Bittner: Sure. Sure. 

Joe Carrigan: ...Which is a ruse. Or they'll say, my camera isn't working, but I do have audio. And they're saying in this article that they'll use deepfake audio, which could be a number of things. I know that you're dubious of that claim. 

Dave Bittner: I'm glad you brought that up because I am skeptical of deepfake audio and anything that requires real-time interaction. 

Joe Carrigan: Right. 

Dave Bittner: So I don't see deepfake audio as being a thing for some - any sort of real-time conversation. But what this story made me think about and I think is plausible is I could have deepfake audio that said something like, hang on, hold on, I'm having trouble with my audio here. Hold on. This isn't - you know, something like that that doesn't require any interaction is just enough so that the person on the other end hears the voice they're expecting to hear... 

Joe Carrigan: Right. 

Dave Bittner: ...And then the audio drops off, and they type, sorry about that. Let's just do this over text. I don't have time for this crap, you know. And Bob's your uncle. 

Joe Carrigan: Right. And that's what they're doing is they're using this kind of like as a second vector for convincing people that they are who they say they are when, in fact, they're not. 

Dave Bittner: Right. 

Joe Carrigan: And they're seeing an increase in effectiveness. You and I talk about this all the time on "Hacking Humans." If you get an email from your CFO that says transfer the money, that merits a phone call. Right? But if you've heard from the CFO first, someone you think is the CFO in what you think is a legitimate meeting and that person tells you I'm going to send you an email with some banking information, I need you to transfer this much money to that account, and I'll repeat that in the email. And then you get an email from the CFO's email address that says this. I think you're a lot more likely to believe that this is legit. 

Dave Bittner: Yeah. 

Joe Carrigan: I talk about adversarial thinking and how - I like to think that I'm pretty good at it, and that makes a lot of people look at me and go, you're just a horrible person, Joe. 

Dave Bittner: Puts a bit of a target on your back, Joe (laughter). 

Joe Carrigan: Right. Why would you think like that? Because this is the way bad guys think, right? You've got to think, if I was a bad guy, how would I scam me out of a million dollars? I would pose as this guy. And you've got to think as a person in an organization that I'm concerned this might be fraudulent, I want to actually go talk to the CFO or make a phone call to the CFO's office or do something. You have to have that kind - that channel of communication open as a matter of corporate policy. And people have to be able to ask these questions to validate it. And management has to be receptive to these kind of questions. 

Dave Bittner: Right. Right. 

Joe Carrigan: Because management that isn't receptive to these kind of questions is a risk, a business risk. 

Dave Bittner: Right. Yeah. Why not? You know, there's no downside to that extra call... 

Joe Carrigan: Right. Absolutely. 

Dave Bittner: ...When there's big dollar signs on the line. 

Joe Carrigan: Yep. 

Dave Bittner: Yeah. All right. Well, again, this is a note from the FBI over from their IC3, the Internet Crimes Complaint Center. Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.