The CyberWire Daily Podcast 11.20.18
Ep 729 | 11.20.18

Nation-state cyber campaigns: North Korean, Iranian, Russian, and unknown. Social media outages.


Dave Bittner: [0:00:03] Nations are behaving badly. But from the point of view of cyberespionage, they're doing well. The Lazarus Group is back robbing banks in Asia and Latin America. Russia's Hades Group, known for Olympic Destroyer, is back too. Gamaredon and Cozy Bear have returned - respectively pestering Ukraine and the U.S. Iran's OilRig is upping its game with just-in-time malicious phishbait. And it's not you - Facebook has been down.

Dave Bittner: [0:00:38] It's time to tell you about our sponsor Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the internet yourself - no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to to subscribe for free threat intelligence updates from Recorded Future. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [0:01:43] Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [0:01:47] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, November 20, 2018. This week, it seems as if it's nation-states gone wild. Several state-directed threat actors have returned to action this week in prominent ways. They're back in familiar but upgraded forms, as the offense-defense seesaw swings up on the offensive side.

Dave Bittner: [0:02:12] North Korea's Lazarus Group is back, for example, hitting financial institutions in Asia and Latin America. They're making improved use of backdoors. TrendLabs thinks, on the basis of the loader component's service creation time, that the backdoor for Pyongyang was installed on the victims' machines on September 19. The code's been improved. But the attack technique, TrendLabs says, is a lot like the one BAE Systems took apart and analyzed back in 2017. As usual with the Lazarus Group, the motive is financial. And this latest campaign follows on the heels of the wave of attacks on ATMs we saw develop over the last two weeks.

Dave Bittner: [0:02:54] Another Russian threat group, the Hades APT, is also back. Hades was responsible for the Olympic Destroyer wiper campaign that targeted the South Korean-hosted Winter Olympic Games. Researchers at Check Point say that Hades has added anti-analysis and delayed execution as well as a single-stage dropper to its repertoire, which suggests that the group is learning from and reacting to the measures used against it earlier in 2018.

Dave Bittner: [0:03:23] Three things are worth noting about Olympic Destroyer. First, it was a wiper - intended apparently for disruption, probably as a form of retaliation for the exclusion of Russian athletes who were caught doping. Second, it was used in such a fashion as to make it practically inevitable that the Olympic Committee, the South Korean government and South Korea's allies would immediately suspect a North Korean cyberattack. But this turned out not to be the case. Third, contrary to what its name might suggest, Olympic Destroyer has surfaced sporadically since the games - prospecting targets not necessarily involved with the Olympics or indeed with athletics at all.

Dave Bittner: [0:04:04] The Pterodo backdoor campaign, reported by Ukraine's CERT, was initially characterized as a nation-state attack that seemed to be targeting what Russia calls the near abroad - that is the formerly Soviet, now independent republics. Preliminary and circumstantial but nonetheless persuasive evidence has led observers to conclude that Pterodo is indeed a Russian operation. Pterodo is associated with the Gamaredon threat group, widely believed to be a unit of Russia's FSB. It seems so far to have been used principally for battlespace preparation, at least in the attempt seen in Ukraine.

Dave Bittner: [0:04:41] Coincidentally or not, the newly reawakened Cozy Bear, also generally regarded as an FSB or possibly SVR unit, has deployed improved phishing techniques against U.S. targets. Both the FSB and SVR are descended from the old Soviet KGB. If you're looking for rough American equivalents, they would be the FBI and CIA since the KGB had both domestic security and foreign intelligence functions. In this case, they've refined their techniques. As WIRED observes, Cozy Bear has the reputation for upgrading older, in many respects forgotten, attack code in the hope that the newly effective malware will pass unnoticed. In this case, that code is a Trojan called Cannon, which uses email to communicate with its command-and-control infrastructure. That's old school, and it's working for them in part because it's unexpected. This latest Cozy Bear phishing expedition has spoofed U.S. State Department emails.

Dave Bittner: [0:05:43] A hearty congratulations to Ronnie Tokazowski from Flashpoint. He accepted the prestigious JD Falk award from the Messaging, Malware And Mobile Anti-Abuse Working Group, on behalf of the Business Email Compromise Working Group. Tokazowski helped create the group back in 2015. Since then, they've helped stop millions of dollars in wire transfers, taken down thousands of romance accounts and contributed to well over 100 arrests. Ronnie Tokazowski joins us today.

Ronnie Tokazowski: [0:06:12] Initially when we started, our approach was just to take a look at the phishing emails and try and attack it from that perspective. So we wanted to go ahead and give law enforcement a good spot to where we could give them the intelligence that they needed in order to pivot off for their investigations - as well as try and figure a good way to help stop this. And as we started operating and kind of looking at the different types of fraud, it started to bleed out really quickly. And that's where it started including other things - such as like romance scams, real estate scams, lottery scams. So in working together on this - both good or bad if you want to have it that way - that was where we started to understand that there was a lot more to this type of fraud than just an email and a mule account.

Dave Bittner: [0:06:51] Can you describe to me - I mean, what was the back-and-forth, the cross-specialty education that went on between the tech folks and the law enforcement folks? I suspect you all had specific skills to bring to the fore.

Ronnie Tokazowski: [0:07:04] Yeah. And that's very much how we wanted to model it. So take me for example. I'm a malware analyst. I'm done reversing, and I've worked in threat intelligence. Likewise, we have some people with different walks of life who wanted to go ahead and wanted to take out romance scams. And you have law enforcement who are the ones who can arrest the people.

Ronnie Tokazowski: [0:07:21] So some of that collaboration was working directly with law enforcement to say, hey, we identified this actor. You may want to go ahead and go forth and just kick off your investigation on that. And the way - and one of the ways we like to look on the list is that it's something where I can't go arrest somebody, and law enforcement doesn't have the intelligence. So we need to be able to work and collaborate together on that to make it better and start making a difference in the industry.

Dave Bittner: [0:07:47] Take us through the process. I mean, how does a scam come to your attention? And then how does it work its way through the group?

Ronnie Tokazowski: [0:07:54] Yeah, so the way it usually works is we would go ahead and have different individuals who may receive a phishing email to their organization. So with the list and everything, once we get those emails, everybody works together to try to fight it from a different way. So for example, someone may be able to do something with the headers. Someone may be able to do something with email sender. Or someone may be able to do something with a certain piece of the malware that's associated with that.

Ronnie Tokazowski: [0:08:18] So that's kind of been the approach - is to just try and attack the phishing emails from several different angles as opposed to just one different angle. And that's very much how we've operated - not just with the emails but also with the other aspects of the list as well.

Dave Bittner: [0:08:32] It sounds to me like - in addition to all of the good that you all are doing, that it sounds like you're having a good time doing it.

Ronnie Tokazowski: [0:08:40] Oh, yeah, very much so. Some of the successes that we've had on here, we've actually been able to watch what the actors do based on our list and some of the actions that we've taken. And one good example of that is that a lot - it's also caused confusion within a lot of the actors. So in one case of that, it was where one of the romance accounts got closed.

Ronnie Tokazowski: [0:09:00] And the response - they ended up reaching back out to the victim. And they said that they didn't know if it was like another hacker who got access to their account - or they didn't know if ISIS was involved. And that's a story that they were trying to say - that's how they're trying to tell one of the victims that their accounts were closed.

Dave Bittner: [0:09:16] Now, do you have any general advice for folks who are out there, in business and personal, to help protect themselves against this? With the unique insights that you gained from working with this group, are there any basic tips you have for folks?

Ronnie Tokazowski: [0:09:29] Yeah. So I would say basic tips is just be aware. With romance scams, usually people will try and approach you through social media - try to build a relationship like that. So just being aware of that type of scam is one to help protect yourself. Additionally for your larger organizations who may be dealing with wire transfers, have different protections in place. So if you have to wire out $50,000, for example, then have that be signed off by one person. If you have to wire out $100,000, have two layers of protection where it says sign at. There's also cases where the actors will try to apply under those amounts.

Ronnie Tokazowski: [0:10:05] So by being able to know that, hey, this person shouldn't be wiring money out - or maybe something as simple as picking up the phone call - or picking up a phone and calling and saying, hey, did you actually send me this email? That goes really far. And very much to what I know law enforcement has said over the years, if you see something, say something. And that's another good way to help identify a lot of these types of fraud.

Dave Bittner: [0:10:25] That's Ronnie Tokazowski from Flashpoint, describing his work with the Business Email Compromise Working Group.

Dave Bittner: [0:10:34] Palo Alto Networks has been evaluating the Iranian threat group known as OilRig, also tracked as APT34 and sometimes as Helix Kitten. OilRig is seen principally as a cyberespionage outfit. And it's been active largely against regional rivals in the Middle East. Researchers are struck by the way in which OilRig has been testing the malicious documents it uses as vectors for the BONDUPDATER downloader. Once they're satisfied, they deploy the documents in the wild. The testing is quick. SecurityWeek calls it just-in-time creation of malicious Word and Excel files. The final test document was created less than eight hours before the delivery document was put into final form. That delivery document was used to hit targets within twenty minutes of its creation.

Dave Bittner: [0:11:22] The goal of preliminary testing seems to be the evaluation of likely antivirus detection rates. BONDUPDATER itself has some interesting domain generation algorithm functionality. Other organizations have been tracking OilRig - FireEye and Booz Allen Hamilton among them. Booz Allen's Dark Labs has looked at BONDUPDATER and the associated POWRUNER backdoor. And they've discovered three additional malware variants, as well as network infrastructure, that makes OilRig a potential threat to organizations anywhere.

Dave Bittner: [0:11:56] If you've been having trouble getting on Facebook or Instagram, it's not you. It's them. The services have been suffering widespread outages beginning about 7:40 am Eastern Standard Time - that's Baltimore time for those of you living on other continents. Service seems to be back for now - at least intermittently in our neck of the woods - but the problems are persisting elsewhere. This is the second significant service disruption in as many days. Yesterday, it was Messenger. They're working on it. At this point, the outages seem to be accidents. If you're interested in venting, everybody seems to have taken to Twitter to do so. And various adult sites report a spike in traffic as frustrated Facebookers seek elsewhere for diversion. Come on, everybody. Go out and take a walk or something.

Dave Bittner: [0:12:44] And finally, two quick notes for our listeners - we'll be observing Thanksgiving this week, so there will be no daily news briefing or daily podcast on Thursday or Friday and no Week That Was this Saturday. The "Hacking Humans" podcast is taking a break this week as well. Everything will return to normal Monday.

Dave Bittner: [0:13:02] After the Thanksgiving holiday, we'll be rolling out a new format for our email. We've redesigned it, the better to avoid falling into spam traps or becoming inadvertently enmeshed in the array of anti-phishing measures increasingly deployed. You've seen some of these changes already with our addition of inline links to our summary. When the redesign is complete, you'll see fewer links to suggested reading in the email itself. That selected reading will remain present in its entirety on our website, posted, as always, with the appropriate daily news briefing.

Dave Bittner: [0:13:33] We hope you find the new format more user-friendly. We'll announce the date of the rollout as it approaches. As always, thanks for subscribing and reading. And if you don't subscribe to the daily news briefing, why not? I mean, the price is right. It's free, so line up and sign up today.

Dave Bittner: [0:13:55] And now a few words about our sponsor, our friends in the technology news world, Techmeme. You probably know Techmeme from their curated, online, comprehensive view of all the day's tech news. And now they also produce the Techmeme "Ride Home" podcast. If you like the CyberWire and you're looking for even more technology news, Techmeme "Ride Home" is the podcast for you. We're fans, and we think you'll like it, too. It's 15 to 20 minutes long and hosted by veteran podcaster Brian McCullough. You may know Brian from the "Internet History" podcast. The "Ride Home" distills Techmeme's content into, well, the kind of things you'd like to listen to on the ride home - headlines, context and conversation about the world of tech. It posts every weekday afternoon around 5 p.m. - great for afternoon drive time in the U.S. Be sure to search your favorite podcast app for "Ride Home" and subscribe today. That's the Techmeme "Ride Home" podcast. And we thank the Techmeme "Ride Home" podcast for sponsoring our show.

Dave Bittner: [0:15:03] And joining me once again is Malek Ben Salem. She's a senior R&D manager for security at Accenture Labs. Malek, it's great to have you back. Interesting topic you bring up today, and that is skill squatting with Amazon Alexa. What are we talking about here?

Malek Ben Salem: [0:15:18] Yeah. Hi, Dave, great to be back. So skills, as most people know, are apps that are developed specifically for Alexa. Now, skill squatting is an attack that - whereby an adversary can misdirect Alexa to apply or use the wrong skill. So think about cases where, you know, the user would like to launch, let's say, the AmEx skill, the AmEx app, that they use to access their AmEx account. There may be another skill deployed by the attacker that sounds very similar but is spelled differently. So if the user calls that skill, Alexa may misdirect them to the wrong app. And therefore, you know, the adversary can use that app to harvest certain credentials for those users.

Malek Ben Salem: [0:16:14] So it's similar to the type of attack where you type the wrong website and the adversary directs you to another website that looks very similar to what you're accustomed to seeing. And they harvest your password or, you know, online credentials. This is a very similar way of doing the same thing, just through that voice interface.

Dave Bittner: [0:16:36] Yeah, that's interesting. I can imagine also what - if you're dealing with - as Amazon Alexa has to, dealing with folks with all sorts of different regional accents.

Malek Ben Salem: [0:16:47] Absolutely. Yeah. And that's what makes this attack very interesting is because now the adversary can predict what types of errors Alexa could make based on people's accents. And therefore, they can take this attack to the next level by ensuring that an entire region - let's say, an entire region in the U.S. with a certain accent - you can predict how certain words would be pronounced and how Alexa might misinterpret them. And you can develop skills that take advantage of that misinterpretation and direct an entire group of people in a certain region to a certain skill that they didn't want to use at all. You can also do it based on gender.

Malek Ben Salem: [0:17:41] You know, there are things that - words that Alexa misinterprets based on whether the user is female or male. You know, those studies have been done. So the researchers from the University of Illinois have done those studies on how Alexa misinterprets certain words based on the user's accent or based on their gender. So that creates, basically, an entire - it takes the attack to the next level - right? - where it can be scalable for the adversary.

Dave Bittner: [0:18:13] Now, what sorts of things can Amazon do to protect against this? Can they verify or, I guess, repeat back to you the site that they think you want to go to?

Malek Ben Salem: [0:18:23] Well, one thing they can do is make sure that any skills go through a certification process before they get published to prevent that skill squatting. They can do a phoneme-based analysis for that skill to understand how it gets invoked and whether there are any similar apps that would sound similar to that skill that are available.

Dave Bittner: [0:18:48] Well, it's interesting information. Malek Ben Salem, thanks for joining us.

Malek Ben Salem: [0:18:51] Thank you, Dave.

Dave Bittner: [0:18:57] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire.

Dave Bittner: [0:19:16] And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [0:19:25] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.