The CyberWire Daily Podcast 7.19.22
Ep 1622 | 7.19.22

Espionage and cyberespionage. Albania's national IT networks work toward recovery. Malicious apps ejected from Google Play. White House summit addresses the cyber workforce. Notes on cybercrime.

Dave Bittner: A Cozy Bear sighting. Shaking up Ukraine's intelligence services. Albania's national IT networks continue to work toward recovery. The U.S. Justice Department seizes $500,000 from DPRK threat actors. The FBI warns of apps designed to defraud cryptocurrency speculators. A White House meeting today addresses the cyber workforce. Ben Yelin looks at our right to record police. Our guest is Tim Knudsen, director of product management for Zero Trust at Google Cloud, speaking with Rick Howard. And another trend we'd like to be included out of.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 19, 2022. 

SVR cyberespionage exploits penetration-testing tools.

Dave Bittner: Palo Alto Networks' Unit 42 reported this morning that the Russian threat actor Cozy Bear is leveraging trusted, legitimate cloud services in its campaigns - the better to avoid detection. It's worth noting that Cozy Bear is associated with the SVR Foreign Intelligence Service and also known as Cloaked Ursa, APT29 and NOBELIUM. Their two most recent campaigns have used Google Drive cloud storage services, and when this is combined with encryption, malicious activity is more difficult to detect. The most recent campaigns have had diplomatic themes, feigning an agenda of an ambassadorial meeting, and are believed to have targeted Western diplomats between May and June of 2022. The documents suggest the target to be either foreign embassies in Portugal or foreign embassies in Brazil. The payload is carried in a link to a malicious HTML file that drops Cobalt Strike. 

Dave Bittner: Cobalt Strike is, of course, a legitimate penetration testing tool that's often abused by threat actors. It's not the only such tool that's being misused this way. See Unit 42's earlier post describing the SVR's use of the less-well-known Brute Ratel tools in similar campaigns. 

Shaking up Ukraine's intelligence services. 

Dave Bittner: The replacement of both the head of Ukraine's SBU intelligence service and the country's chief prosecutor indicates the extent to which Kyiv is troubled by the problems of disloyalty in the security and intelligence services. The SBU - like its Russian counterparts, the FSB and SVR - is a successor organization to the old Soviet KGB, with all the liabilities that come with that heritage - corruption, cronyism and, perhaps most significantly, susceptibility to compromise by its Russian counterparts. The Telegraph describes some of the specific incidents that prompted the suspensions. And its account points out the difficulties involved in reforming a service with deep institutional roots and a questionable cultural heritage. Contentious Ukrainian domestic politics further complicates efforts at reform. 

Albania's national IT networks continue to work toward recovery. 

Dave Bittner: The Register follows developments in the large-scale disruption of Albanian networks that began over the weekend. The e-Albania portal has been particularly disrupted by the attacks. And that disruption has been especially painful given Albania's closure of many in-person services back in May, judging the new online service platform to have rendered the older services redundant and unnecessary. The disruption offers an object lesson in the importance of redundancy and the availability of manual backups to provide continuity of service during emergencies. There's no attribution of the attack so far, but the Register, on the basis of a little circumstantial evidence and a lot of a priori possibility, suggests that there may be a Russian hand behind them. 

Malicious apps ejected from Google Play. 

Dave Bittner: Zscaler describes its identification of three familiar strands of malware that have made a reappearance in Google's Play Store. The security firm's researchers found numerous apps hosting Joker, FaceStealer and Coper. Google has ejected the infested apps from the Play Store, and Zscaler advises that users take the usual precautions when they consider installing an app. 

US Justice Department seizes $500k from DPRK threat actors.

Dave Bittner: The U.S. Justice Department has announced the recovery of some $500,000 from North Korean state-sponsored cybercriminals who targeted health care organizations with Maui ransomware. U.S. Deputy Attorney General Lisa Monaco cited the operation as an instance of a renewed focus on clawback operations and as a positive example of close private sector cooperation with law enforcement. While the recovery is welcome, CNN points out that the amount is small relative to the hundreds of millions Pyongyang's hackers are believed to have stolen in recent years. 

FBI warns of apps designed to defraud cryptocurrency speculators.

Dave Bittner: The U.S. FBI late yesterday warned that cybercriminals again have altcoin speculators in their sights. The bureau says it's observed cybercriminals contacting U.S. investors, fraudulently claiming to offer legitimate cryptocurrency investment services and convincing investors to download fraudulent mobile apps, which the cybercriminals have used, with increasing success over time, to defraud the investors of their cryptocurrency. Losses have, in some cases, run into the millions. The approach trades upon the victim's greed and their desire for convenience. Who wouldn't want an app to help navigate the go-go world of crypto investing? Some of the apps represent themselves as being connected to legitimate - or at least formerly legitimate - exchanges. The FBI warns users to exercise due skepticism about offers of trading apps and urges financial institutions not only to caution their customers about the risks of large financial transfers, but also to be alert for criminal impersonation of their brand. 

White House meeting today addresses the cyber workforce. 

Dave Bittner: As you may have heard, there are about 700,000 unfilled jobs in cybersecurity across the United States. In an effort to address that shortfall, the U.S. national cyber director, Chris Inglis, has convened what the White House describes as a National Cyber Workforce and Education Summit today. The summit has three goals. First, address the need to create and prioritize new skills-based pathways to cybersecurity jobs. Second, take advantage of the opportunity to build pipelines for historically untapped talent, including underserved and diverse communities. And finally, to discuss how investing in cyber training and education will enable Americans who comprise the lifeblood of our economy, including those building the next generation of our nation's infrastructure, to be successful in our digital economy, and to empower society to harness cyber capabilities to achieve our individual and collective aspirations. It includes a number of senior government leaders, as well as leaders from the private sector, especially - but not exclusively - the cybersecurity industry and university leaders. One of the companies who's participating, Fortinet, has taken the opportunity to announce an offer of free training it's making available to schools. 

Another trend we'd like to be included out of.

Dave Bittner: And finally, hey, everybody, here's a story we don't fully understand or know how to classify. But since it goes on online with only financial ramifications IRL - as the kids say - here you go. Make of it what you will. But apparently, there's a pay pig thing going on in cyberspace. It seems, if Business Insider is to be believed - and why shouldn't they be believed? - a kind of transactional relationship in which men with money give that money to women who insult them online. That is, the men are paying for the thrill of being verbally disrespected and denigrated. That's the extent of the exchange. The findomina, as they're known, insults the pay pig, who then sends in money for the privilege of the experience. 

Dave Bittner: Yes. We get it. The jokes practically write themselves, as do the stern deconstructive lectures about relative empowerment. But we'll leave it as an exercise for you, gentle listener, to think up your own punch lines or seminar topics or keynote speeches. The whole phenomenon seems entirely consensual, and it's hard to say what law might be broken here. Our guess is that no law is being broken. But perhaps we've been unduly influenced by the legal opinion Slippin' Jimmy McGill offers in the Hoboken Squat Cobbler episode of "Better Call Saul." We'll close by quoting the wisdom of Samuel Goldwyn. Include us out. 

Dave Bittner: Tim Knudsen is director of product management for Zero Trust at Google Cloud. Back at the RSA Conference, my CyberWire colleague Rick Howard met up with Tim Knudsen. Here's their conversation. 

Rick Howard: Hey, everybody. This is Rick Howard. I've - we're running around RSA, and I happened to bump into Tim Knudsen. He is the Google Cloud director of product management for Zero Trust, and it is my pet peeve of things to talk about. So I thought I would drag him in here and see what he has to say. And from our preliminary conversations, Tim, you said you were trying to address some of the pre-misconceptions or some misconceptions about Zero Trust. So what is the very biggest one that you're trying to talk about here at the conference? 

Tim Knudsen: Yeah, well, there's actually three. But let's start with the first one, which is one that I call that - it's around to do good Zero Trust does not mean you have to do everything Zero Trust to start. OK? Because the idea about Zero Trust is - I mean, I think of it as a movement. It's a set of principles. It's an architecture. It's not necessarily one product, nor is it one solution. 

Rick Howard: Yeah, I call it a strategy. It's a... 

Tim Knudsen: There you go. 

Rick Howard: Right? 

Tim Knudsen: So my point is, you know, there's this misconception that you have to do all - a full lift and shift - to get to good Zero Trust. And my argument is, anything that you can move to Zero Trust - be it contractors, a portion of your workforce, a set of devices - is an incremental step in the right direction. 

Rick Howard: Yeah, so don't take the - don't try to boil the whole ocean. This is common, right? This... 

Tim Knudsen: Bingo. 

Rick Howard: Yeah. Do little small steps, and every little bit you do makes it better, right? 

Tim Knudsen: Exactly. 

Rick Howard: So what's the biggest thing people are trying to get over? What's the big hurdle that people trying to implement Zero Trust are doing? What's the thing that they stumble on? 

Tim Knudsen: Well, one thing that's commonly an issue is yet another agent. 

Rick Howard: Yeah (laughter). 

Tim Knudsen: All right? It's a practical problem. It's a real problem. It's fully legit. Now, of course, the way to, you know, to work around that is to really to think about, well, what are the actual apps that are best suited or have the highest need or urgency for Zero Trust? Oftentimes, those are browser-based applications for which, you know, browser-based Zero Trust access is a fine solution if you can find the technology that will give you that, that'll also combine browser-based proxied access with all of the fine-grained controls you need based on the context, be it identity, whatever you know about the device, other risk scores or signals you're collecting. So that's the thing that I have many, many conversations about. 

Tim Knudsen: Now, the thing is, again, that's a great way to get started easily. But oftentimes, we're working with people, and there's many enterprises that have - I call them multi-generational IT landscapes - right? - which is really a nicer way of just talking about, you know, there's apps of all ilk. Right? And some of them are still the fat client, you know, client server, legacy style. So browser-based will not solve all. But, going back to my first point, starting is getting on the path of good Zero Trust. 

Rick Howard: Can I rephrase that a little bit and just say that what we're looking is for material apps, apps that connect to your material data that we should - that's the ones you should be working on again. The other stuff might come later, but we don't have to hit those right away, right? 

Tim Knudsen: Exactly. 

Rick Howard: Right? So you said there were three misconceptions. We talked about one. What's the second one? 

Tim Knudsen: Second one is - and this is a little bit contrary to my first point, but roll with me on this one. 

Rick Howard: OK. I'm with you. 

Tim Knudsen: And that is, it's, you know, just worry about - we'll call it the north-south of the front end, and you can deal with the back end later. 

Rick Howard: Sure. 

Tim Knudsen: The reality is, I think everyone is probably in some form of a digital transformation conversation - right? - which means you're modernizing some or many apps, which means, you know, you're not building a monolithic app. You're building a composite, distributed - whatever you want to describe a type of app that's probably using some hyperscaler services in there, you know, from someone like, you know, Google or others. And you know what? You need to also think about every leg of that communication, much like you're thinking about just the device-to-app communication to begin with as well. So my point there is, over time - and that's going to be a sooner rather than later - you need to think about how you secure with Zero Trust or apply Zero Trust policies and principles across all legs of the communication. 

Tim Knudsen: That's why, you know - Gartner got it right. Right? They first talked about SASE. Then, they're like, hey, hold on, there's just the security portion called SSE, or security services edge, which is great. Then, they've now talked about this thing called CASB, or the bride of SASE, right? The whole point is talking about the other side of the equation, which is the back end. 

Rick Howard: So is that part of the take the smaller bites first because we had the big SASE thing, but now we're going to break it into little pieces, then get it all right? Is that what we're doing here? 

Tim Knudsen: Yeah. I mean, it's a progression. 

Rick Howard: Yeah. 

Tim Knudsen: All right. 

Rick Howard: So what's the big - where's it going to go? Where is the future of Zero Trust? What are we looking at here? 

Tim Knudsen: So I think there's two - like, if you want to ask where I - when I look at my crystal ball, what do I see? Right? So I... 

Rick Howard: All right, Mr. Wizard, put your... 

Tim Knudsen: Yeah... 

Rick Howard: ...Hat on. 

Tim Knudsen: ...So I see two things. Right? 

Rick Howard: OK. 

Tim Knudsen: OK. So number one's a short-term thing, and number two is a longer term thing. Short-term thing, number one, and that is, I think that many organizations are now looking at combining, you know, these two transformations, right? One is the need to move to Zero Trust, and it's going to be more centered around device-to-app along with how they can look at other modernization transformation efforts. And the reason being goes all the way back to our first point, which is the app workloads that matter and how they, you know, are typically web-based, and looking at those as well as an increase, of course, of utilizing SaaS to modernize how - you know, the productivity of the enterprise, right? And they're looking at that and saying, OK, if I go with it down that route, what does that mean now to how I can simplify my devices, my - you know, my fleet there and how I can bring this all together into an integrated view of both modernizing how I work, and also with that, taking advantage of technologies to bring that up to a zero trust standard along the way? That's short term. And I call it out because, you know, I think a lot of this initial move towards zero trust was more, like, lift and shift from, you know, VPN... 

Rick Howard: Right. 

Tim Knudsen: ...Your remote VPN access to more granular context-aware access. Now it's, how do I combine them together to do a better outcome overall? Second one is a little longer term, and it goes back to my point about, you know, combining north, south, east, west, front and back and whatever you want to describe it as. That is going to be the convergence of being able to combine the two together. There will no longer be, I expect, in 3 to 5 years, a distinction. I think you're going be thinking about it across all legs - north, south, east, west. You'll be looking for one way to have a singular policy that works across everything, context that you can apply across everything. That in - the teams will be all working, you know, in a unified fashion to make this happen. 

Rick Howard: We started our zero-trust journey around 2010 or so, right? It's kind of when we all started talking about it. When do you see it as being just a normal thing that everybody does? Is that two years away, five years away? 

Tim Knudsen: Well, if you measure it as it's a conversation why - for which you no longer have to explain why, and it's all about just what and how, we're there now. 

Rick Howard: Yeah. So everybody's got it, and now we're just moving towards it. 

Tim Knudsen: Well, everybody knows what it is and why they should do it. 

Rick Howard: (Laughter). 

Tim Knudsen: Now, where they are on that transformation path or that journey or whatever word you want to apply to it, that's a different, you know, topic. But there's no longer any - the why conversations. 

Rick Howard: Yeah. 

Tim Knudsen: It's mainstream. 

Rick Howard: Thanks for coming out and explaining what zero trust is to you. Thanks. I appreciate it. 

Tim Knudsen: No worries. 

Rick Howard: All right, man. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: Interesting, I guess you'd call it a press release from the EFF, the Electronic Frontier Foundation. The article is titled "Victory: Another Court Protects The Right To Record Police." What's going on here, Ben? 

Ben Yelin: So there have been a bunch of challenges in most of the judicial circuits across the country. The one in this article refers to the 10th circuit. But we've had decisions at the appellate level in the first, third, fifth, seventh, ninth and 11th circuit. Isn't that kind of weird that it's all the odd circuits... 

Dave Bittner: (Laughter) It's not... 

Ben Yelin: ...Until this current article? 

Dave Bittner: ...As weird as the fact that you have them all memorized. But go on (laughter). 

Ben Yelin: Yes, memorized. Of course, that's it. So there's this question of whether states can pass laws forbidding people from recording police interactions. 

Dave Bittner: Right. 

Ben Yelin: The fact that people do record interactions with police on their smartphones has been a boon to people who want to foster police accountability. 

Dave Bittner: Yeah. 

Ben Yelin: We would've - not have had George Floyd protests if we had just relied on the word of law enforcement. It was the video that caused those protests... 

Dave Bittner: Right. 

Ben Yelin: ...The fact that it was something people could see with their own eyes. Law enforcement understands that they're going to get pushback if every type of episode like that is recorded. And in their defense, some of the video footage is and could be misrepresented to make them look bad, even if, you know, perhaps the viewer of the video didn't understand the full context. 

Dave Bittner: Right. It might not tell the whole story. 

Ben Yelin: Right. So that's certainly a consideration. 

Dave Bittner: Yeah. 

Ben Yelin: I think what the courts are saying in all of these appellate jurisdictions is recognizing law enforcement's interest and protecting its own safety, that certainly does not supersede the First Amendment rights of speech and expression, which manifests itself in somebody taking out their camera and recording. These efforts, at least at the state level, are not going to stop. I know there's a proposed law in Arizona - and there's been a major debate about it - that would criminalize people filming law enforcement interactions. 

Dave Bittner: Right. It was like an eight-foot distance or something like that. 

Ben Yelin: Yeah. Which might not seem large - but if they're around the corner, and the eight foot is the difference between you being able to record and not record, that's certainly going to be an item of difficulty. That's going to inhibit your ability to record the interaction. The appellate courts are recognizing that videotaping law enforcement is a form of expression. It's a form of getting your voice heard, publishing something that you've seen with your own eyes. You know, it's not somebody - it's not like somebody is trespassing on somebody else's physical property. 

Dave Bittner: Right. 

Ben Yelin: It's generally something that's in public view. The Electronic Frontier Foundation and the ACLU and other groups have rightfully made the case that it has improved police transparency and accountability. And once we see sort of this uniform application among circuit courts across the country, it makes it more likely that the Supreme Court isn't going to mess with this. They're not going to supersede the near-unanimous holdings of all of these federal circuit courts. 

Dave Bittner: Is that only for the folks who are within these appellate court districts? 

Ben Yelin: For now, it is, yes. But that covers a large portion of the country. 

Dave Bittner: Right. 

Ben Yelin: I noticed the fourth district was not on there, and that's where we live, here in Maryland. It was not on that list. 

Dave Bittner: (Laughter) Come on, Ben. 

Ben Yelin: I know, but I'm sure some case is going to come up. One of the states that's in the Fourth Circuit is going to try and pass a law. There's going to be a challenge to that law. Somebody is going to get arrested... 

Dave Bittner: Yeah. 

Ben Yelin: ...Prosecuted, and they'll come up with a constitutional claim. And the Fourth Circuit might go a different way than the other circuits, but I think the trend is pretty clearly in one direction here - protecting the right of people to record the police. 

Dave Bittner: Yeah. All right. Well, I mean, I'm - personally, I'd categorize this as good news. 

Ben Yelin: Yeah. I mean, I think it's good news for transparency and accountability and in not restricting people's constitutional rights. So it's something where it's affirming to see that so many courts agree with our civil liberties instincts here. 

Dave Bittner: Yeah. You know, I agree with the notion that there should be a reasonable amount of distance that you keep between, you know, law enforcement, who are busy doing their work... 

Ben Yelin: Right, and that could be a public safety issue. 

Dave Bittner: Right. But I guess what I wonder about, particularly in the case that you mentioned where - or the one we talked about earlier, with the 8-foot distance - what if I'm standing 20 feet away, and a police officer closes that distance to make it smaller than 8 feet? 

Ben Yelin: Right. 

Dave Bittner: Right? I didn't move (laughter). 

Ben Yelin: Right, but they were the ones who lessened it. 

Dave Bittner: Right. Right. Yeah. 

Ben Yelin: I mean, yeah, that could be a complication with that. 

Dave Bittner: Yeah. 

Ben Yelin: There are a couple of other interesting complications here. One is the police department in the case they reference here tried to use qualified immunity, which protects law enforcement unless they did something particularly egregious. 

Dave Bittner: Right. 

Ben Yelin: And it's really important that this court has said that qualified immunity doesn't apply to a situation where somebody is taking out a video and recording. Another thing they mentioned in this article that we talked about a long time ago is on-duty officers playing loud, popular music to try and get copyright claims filed against the video by the producers of this music. So, you know, police will do anything to try to shield themselves if they think a video could potentially be damaging. So it's good to see courts try to take a stand on this. 

Dave Bittner: Yeah. All right. Well, Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.