The CyberWire Daily Podcast 8.9.22
Ep 1637 | 8.9.22

Cyberespionage against belligerents' industry. Tornado Cash sanctions. Data breaches at Twilio and Klayvio. Intercept tools and policies in Canada.


Dave Bittner: Tracking apparent Chinese industrial cyberespionage. Tornado Cash sanctions. Twilio discloses a breach. Social engineering exposes data at Klaviyo. Microsoft's Ann Johnson previews the latest season of Afternoon Cyber Tea. Joe Carrigan tracks the growth in cryptojacking. And what might the Mounties be monitoring?

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, August 9, 2022. 

Cyberattacks against Russian (and Ukrainian, and Belarusian) targets.

Dave Bittner: Malwarebytes reported last week that an unknown threat actor was deploying an attack tool the researchers called Woody RAT against Russian targets. Woody RAT has a range of capabilities, including writing arbitrary files, staging and executing other malware strains, collecting information from infected devices and deleting files. The researchers conclude, this very capable RAT falls into the category of unknown threat actors we track. Historically, Chinese APTs such as the Tonto Team, as well as North Korea with Konni, have targeted Russia. However, based on what we were able to collect, there weren't any solid indicators to attribute this campaign to a specific threat actor. Other activity against industrial targets in Russia, Ukraine and Belarus is being tracked by Kaspersky and others. Circumstantial evidence points to TA428, a Chinese threat actor also known as Colourful Panda and Bronze Dudley. Kaspersky concludes, a Chinese-speaking group is highly likely to be behind the attacks. We can see significant overlaps in tactics, techniques and procedures with TA428 activity. The attack analyzed used the same weaponizer, which embeds code of a CVE-2017-11882 exploit in documents, as in earlier TA428 attacks that targeted enterprises in Russia's military industrial complex. Some indirect evidence also suggests a Chinese-speaking group very likely being behind the attack. This includes the use of hacking utilities that are popular in China, such as Ladon, the fact that the second stage CnC server is located in China and the fact that the CnC server registration information includes an email address in the Chinese domain specified in the administrator's contact data. And the timing of the activity shows the characteristic 8-to-5 workday, Shanghai time, that's marked the clock-punching diligence of Chinese cyber operators in the past. These incidents suggest that, however closely aligned Russia and China might be, espionage services will collect against belligerents wherever their announced sympathies may lie. 

Treasury elaborates on sanctioning of Tornado Cash.

Dave Bittner: The U.S. Department of the Treasury has elaborated on the sanctions it imposed yesterday on Tornado Cash, a cryptocurrency mixer Treasury connects to money laundering. Treasury says that Tornado Cash has been used to launder more than $7 billion worth of virtual currency since its creation in 2019. This includes over $455 million stolen by the Lazarus Group. The Lazarus Group, of course, is the North Korean cyber operations group that has for years engaged in cybercrime designed to fund Pyongyang's weapons programs and to mitigate the crippling effects of sanctions on the North Korean economy. Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson said in the statement, despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks. Treasury will continue to aggressively pursue actions against mixers that launder virtual currency for criminals and those who assist them. Tornado Cash's assets are blocked, and U.S. persons are prohibited from doing business with the mixer. 

Twilio discloses data breach.

Dave Bittner: Twilio, which TechCrunch describes as a communications giant whose platform enables developers to build voice and SMS features into their apps, has disclosed a data breach. They say, on August 4, 2022, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials. This broad-based attack against our employee base succeeded in fooling some employees into providing their credentials. The attackers then used the stolen credentials to gain access to some of our internal systems where they were able to access certain customer data. The company is working directly with affected customers, and it still has the incident under investigation. CyberScoop reports that Twilio is heavily used by political campaigns. 

Klaviyo discloses data breach.

Dave Bittner: In another incident traceable to credential theft, BleepingComputer reports that the email marketing firm Klaviyo has disclosed a data breach. The firm wrote on its blog, on August 3, we identified a Klaviyo employee's login credentials had been compromised as a result of suspicious activity from our internal logging and a user report. This allowed a threat actor to gain access to the employee's Klaviyo account, and as a result, some of our internal support tools. Klaviyo, much of whose business is focused on cryptocurrency, explained that the attacker seemed interested in two classes of information. They said the threat actor used the internal customer support tools to search for primary crypto-related accounts and viewed list and segment information for 44 Klaviyo accounts. For 38 of these accounts, the threat actor downloaded list or segment information. The information downloaded contained names, email addresses, phone numbers and some account-specific custom profile properties for profiles in those lists or segments. All of these accounts have been notified with the details of which profiles and profile fields were accessed or downloaded. 

Dave Bittner: The threat actor also viewed and downloaded two of Klaviyo's internal lists used for product and marketing updates. These exports included information such as name, address, email address and phone number. The download did not include any passwords, password hashes or credit card numbers. The download also did not include any account data for subscribers who have a Klaviyo account. All impacted individuals have been notified. 

Dave Bittner: BleepingComputer says that it's aware of evidence that threat actors are actively looking for the data stolen in the breach. For now, it's likely that the data will be used either by those who stole them or sold to other criminals in the C2C market. Eventually, the information will probably simply be dumped online, but this incident is too young for that to have happened yet. 

RCMP says it used spyware, but not Pegasus.

Dave Bittner: Sometimes spyware really is lawful intercept technology, at least when it's not being abused, so parliamentary testimony by Canadian security officials would maintain. Global News reports that Mark Flynn, Royal Canadian Mounted Police Assistant Commissioner responsible for national security and protective policing, told members of House of Commons Ethics Committee yesterday that between 2002 and 2015, the RCMP used Canadian-made technology to covertly access electronic information. He told the committee as encryption started to be used by targets that we had judicial authorization to intercept, we were unable to hear the audio, hear the phone calls or see the messages they were sending. That is when we developed the tool and technique to make it possible to intercept those communications. We have evolved in the use of the tools as individuals evolved in the ways they communicate. The House of Commons Ethics Committee was conducting an inquiry into the use of surveillance tools against cellphones. Mr. Flynn also stressed to the members that hostile foreign states were certainly using tools at least as powerful, and that members of Parliament should understand that they themselves are the targets of foreign surveillance efforts. 

Dave Bittner: Specifying Canadian-made rules out, of course, NSO Group's Pegasus, which is made by an Israeli company. POLITICO reports that Public Safety Minister Marco Mendocino said that intercept tools were not tools of either first resort or convenience, rather were tools of investigative necessity. He said the widespread use of encrypted communication poses a challenge for law enforcement, and spyware is used to frustrate the efforts of sophisticated criminal organizations. 

Dave Bittner: And it is my pleasure to welcome back to the show Ann Johnson. She is corporate vice president of security, compliance and identity at Microsoft. But in addition to all that, as if that weren't enough, she is host of the podcast "Afternoon Cyber Tea." Ann Johnson, welcome back. 

Ann Johnson: Thank you, Dave. It's always great to be on. 

Dave Bittner: You know, you are just about to kick off season six of your "Afternoon Cyber Tea" podcast. Before we dig into what's to come with this season, can you give folks who might not be familiar with the show a brief little overview of what the show is all about? 

Ann Johnson: Absolutely. "Afternoon Cyber Tea," which is, as Dave mentioned, going into season six, is a podcast that we started to try to bring cybersecurity to, as I say, the masses. So we invite industry leaders. We invite up-and-coming professionals. We invite folks that have even an academic view of the cybersecurity industry. And we talk about what's relevant today, what's top of mind for executives at companies related to cyber. And we always leave the episodes with practical advice for our audience - things that you can do today to improve the security posture of your organization. 

Dave Bittner: You know, one of the things that I really appreciate about the show is that this is a podcast that folks who are in cybersecurity on the technical side - they can share with their friends, their family, their colleagues who may be interested in cyber but not necessarily steeped in it day by day. 

Ann Johnson: Yeah, that was our goal. We really - it is not a show that if you're a deep cyber practitioner and you want deep cyber expertise, we have some episodes that get a bit more technical. But it really is more on the business and industry trends and the up-and-coming and attacks and things that are happening side so that you can share it with your parents, you can share it with your partner, you can share it with your kids, whoever. And they can learn a lot just about the industry as a whole. 

Dave Bittner: Well, you are just kicking off Season 6 of "Afternoon Cyber Tea." Can you give us a little bit of a preview? Who do you have lined up this season? 

Ann Johnson: So we are launching with the extraordinary M.K. Palmore, who is now at Google. But he has had just this amazing career in the FBI. And he was in the military and with Palo Alto and is just this incredible, really well-respected industry expert. We're talking about cyber. We're also talking about Cyversity, which is a diversity initiative that he has been involved with for many years. We have up and coming the incomparable Ira Winkler, who's going to be on the show. He is going to be talking about securing the metaverse. I'm really excited about that conversation. We have - Sounil Yu is going to be on the show. He is going to be talking about the paradigm shift that he sees in cybersecurity and how we need to start thinking about cyber in a very different way. And we have our own Michal Braverman-Blumenstyk, who leads the Microsoft Israeli Development Center all up. But she is also the CTO for the cybersecurity business at Microsoft, and she is this incredible expert. 

Ann Johnson: So those are just a few of the guests. We have a few more that we're rounding up, and I am absolutely thrilled about the guests that we have up and coming. One that I didn't mention, by the way, or a pair of them is we have Dave DeWalt and Jay Leek, who are going to come in and talk about the trends, right? The industry has changed a lot just in the past two months. So they're going to talk about the change in the industry from an investment standpoint. 

Dave Bittner: You know, as you head into your sixth season here, have - has anything changed since you started? Has your approach - have you refined anything along the way? 

Ann Johnson: You know, this is a really friendly podcast. It's not a gotcha podcast. So we've maintained that ethos with the podcast. But I will tell you that one of the things that we have refined is that making sure that we always have an industry up-and-comer on the show, making sure that we're talking about a wide variety of topics so we appeal to a lot of folks. You can find a little bit of everything with regards to the podcast. And just for me - right? - this was the first podcast I hosted. I had been a guest on many, but I hadn't been a host. So I've refined my own style and how I interact with my guests. It's really been a fun experience, Dave. And we've seen just a significant increase in listenership and people who subscribe. So we believe we're hitting the mark, but we're always looking for feedback. And we take that feedback very seriously and incorporate it in the show as we go. 

Dave Bittner: Well, the podcast is titled "Afternoon Cyber Tea" and definitely worth your time. Please do check it out. Ann Johnson from Microsoft, thanks so much for joining us. 

Ann Johnson: Thank you, Dave. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: You know, a couple years back, I remember when cryptojacking was really - seemed like it was on its way up. And there were a lot of folks saying that cryptojacking was going to be the thing because it was kind of nonconfrontational, right? 

Joe Carrigan: Yes, right. 

Dave Bittner: Like, they thought - compare cryptojacking and ransomware, which were both kind of in parallel ascendancy at the time, but it didn't really work out that way. It seems like the ransomware folks, you know, upped their game, started going after bigger targets. I came across this article. This is from, and it's titled "Cryptojacking Cases are Rising Globally, Why So And Should This Worry You?" What's going on here, Joe? 

Joe Carrigan: So cryptojacking - if I can go down to the base level and do the explanation of what it is. Basically it's, without permission, you are mining cryptocurrency - proof of work cryptocurrency on somebody else's computer. You know, the idea of mining cryptocurrency with proof of work is that this is a hard math problem, and it requires a lot of processing power. To do that, it can be expensive, so why not offload that to some unsuspecting person and have them pay for the electricity and I just get to keep the cryptocurrency? That would be 100% profit, right? 

Dave Bittner: Mmm hmm. 

Joe Carrigan: SonicWall researchers have observed that cryptojacking incidents rose by 30% last year - or in the first - I'm sorry - in the first half of this year, over the same period last year, to 66.7 million attacks, which is a lot. An interesting statistic in this article is that the financial sector has suffered the greatest increase here of 269% year to date, and they suffer about five times as many ransom - I'm sorry - cyberattacks or these cryptojacking attacks as the retail industry, which is second. So it's interesting to me that these guys are hitting finance companies more than they're hitting retail because I would think finance companies would be harder to get into than a retail company. 

Dave Bittner: I would agree. I wonder, do finance companies have more available computational power sitting around? 

Joe Carrigan: They might. That's a good point. They might have that. They might have the - they might actually have some kind of computer sitting around with a bunch of graphics cards sitting in them. And graphics cards are very good at mining particular cryptocurrencies. I mean, the best thing to mine a cryptocurrency is an ASIC. If you have a cryptocurrency like bitcoin, it can be mined with what's called an application-specific integrated circuit - nothing faster than that. But most cryptocurrencies, including bitcoin, can be mined on graphics cards. It is generally not cost-effective, but again, if you're not paying for the electricity, it's 100% profit. 

Joe Carrigan: So there are some theories in the article as to why this is happening and why these cryptojacking attacks are on the rise. The researchers attributed the rise to a crackdown on ransomware attacks, which we've seen here recently. There are governments that have stepped up their ransomware awareness and enforcement efforts. The attack against the Colonial Pipeline resulted in a recovery of 70% of the net proceeds of that because the affiliate program - not the actual ransomware gang but the gang that brokered the access - left their keys out on a server that the feds got access to. And the feds just transferred all the bitcoin to themselves, which was a way to recover it. So they're also going around arresting these people, which is happening. And, you know, criminals don't want to get arrested, so they're opting for the quieter life. Also, in a ransomware attack, the article notes that you have to make it clear to somebody that they've suffered a ransomware attack and then demand the ransom and then begin the communicating. But in cryptojacking, you just - you're very quiet, and the victim may never be aware of it. The researchers are saying that they don't want the heat. You know, they don't want the law enforcement coming after them. So they say the lower risk is worth sacrificing the higher payoff. 

Joe Carrigan: Now, I have my own theories as to why this is on the rise recently. And my theory centers around cryptocurrency prices. People like mining cryptocurrencies. And if the cryptocurrency price drops like it has with bitcoin - and just about everything out there, really - it's gone down about two-thirds. Bitcoin was trading at like $60,000, and as of this recording, it's somewhere in the $20,000 range, I think anyway. I haven't looked at it recently, but it's gone down a lot. That's the point. You still want to mine your cryptocurrency and get the rewards and hope that it goes back, or maybe you're liquidating everything as you get it; I don't know. But now you cannot pay for the electricity with the cryptocurrency that you're mining. So it has become not profitable to actually run a mining rig. So I think people are actually out there looking for other ways to mine cryptocurrency. And, like I described earlier, this 100%-profit model is very attractive. If I can get somebody else to pay for the electricity, it's all profit. Also, it's far less destructive and thus far less attention-gathering, which is what the article mentioned. I think that has a lot to do with it as well. If... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Somebody finds out they're the victim of a cryptojacking attack, they're probably just going to uninstall the software and move on, right? 

Dave Bittner: Right. 

Joe Carrigan: It's kind of a nuisance-level attack. It's not going to - you know, there's no government in the world that's going to go, all right, well, let's see if we can get that money back for you because first off, the amount of money that you're getting from any individual victim is going to be very, very small. Recovery is not going to be worthwhile. Compare that to a ransomware attack where you're talking about millions or tens of millions of dollars. That can be - that might be something that a law enforcement organization might be like, OK, we're going after that one, if for no other reason to demonstrate to people that they can't just get away with this. 

Dave Bittner: Right. Right. I would suspect also - because so much of this can be automated, you know - if they're out there looking for vulnerable systems and they have bots that are running around, you know, searching and poking and prodding and trying to install things and then, as you say, you know, in the middle of the night, the machine sitting on your desk at the office when you're at home asleep... 

Joe Carrigan: Right. 

Dave Bittner: ...Comes to life and starts mining cryptocurrency and then is done by the time you come in in the morning, there's a good chance you may not even know. 

Joe Carrigan: Right. And if these guys are smart enough to lay that low, they may be able to mine cryptocurrency on the machine for years. 

Dave Bittner: Right. Right. All right. Well, interesting development - again, kind of different from, I guess, my own expectation or my... 

Joe Carrigan: Right. 

Dave Bittner: It's different than how things were going. I guess I'm a little surprised that cryptojacking is on the rise again. But as this article explains, there's some good reasons for it, kind of makes sense. 

Joe Carrigan: Yep. 

Dave Bittner: Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.