The CyberWire Daily Podcast 3.7.19
Ep 795 | 3.7.19

Scope of APT33 attacks revealed. GandCrab criminals shift tactics. Slub malware uses Slack.
Dave Bittner: [00:00:04:08] The scope of Iran-linked APT33 cyber attacks has been revealed. GandCrab criminals are using more sophisticated tactics. A new type of malware is using Slack to communicate. Chrome gets an important update. Huawei sues the US, and Germany sets tougher security rules for telecom companies. And people who invest in cryptocurrency often don't know what they're getting into.

Dave Bittner: [00:00:35:04] Now I'd like to share some words about our sponsor, Akamai. You're familiar with cloud security, but what about security at the edge? With the world's only intelligent edge platform, Akamai stops attacks at the edge, before they reach your apps, infrastructure and people. Their visibility into 178 billion attacks per day means that Akamai stays ahead of the latest threats, including responding to zero day vulnerabilities. With 24/7, 365 security operation center support around the globe, and over 300 security experts in house, Akamai surrounds and protects your users wherever they are. At the core, in the cloud, or at the edge. If you're going to RSA this year, visit Akamai in the north hall, booth 6153 to take part in their crack the code challenge for an opportunity to win a new 3D printer. Akamai, intelligent security starts at the edge. Learn more at Akamai, that's A K A M A I, .com/security. And we thank Akamai for sponsoring our show.

Dave Bittner: [00:01:43:19] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, March 7th, 2019.

Dave Bittner: [00:01:51:15] Microsoft told the Wall Street Journal that an Iranian cyber attack campaign hit more than 200 companies over the past two years causing hundreds of millions of dollars in damages. The attacks targeted oil and gas companies and heavy machinery makers in a number of countries, including Saudi Arabia, Germany, the United Kingdom, India and the US. The group sent phishing emails to more than 2200 people at these companies. Microsoft attributes the attack to Holmium, also known as APT33. The group has been active since at least 2013, and has a history of going after organizations in the aviation and energy sectors.

Dave Bittner: [00:02:32:18] CrowdStrike says criminals using GandCrab ransomware have exhibited a recent shift in tactics. They're now using techniques more often associated with nation-state APT groups, such as manual lateral movement within networks. These observations are consistent with a recent advertising campaign by GandCrab's developer, PinchySpider, which was aimed at individuals with knowledge of Remote Desktop Protocol, Virtual Network Computing and corporate networking.

Dave Bittner: [00:03:01:17] The shift in tactics suggests that PinchySpider and its affiliates are hoping to maximize their revenue by launching the type of low volume, high return attacks used by sophisticated threat actors. This strategy, which the CrowdStrike researchers call "big game hunting," involves threat actors hacking into an organization's network and manually deploying the malware. This method is far more effective at getting victims to pay up than widespread, untargeted ransomware campaigns, but it requires a great deal of technical skill.

Dave Bittner: [00:03:33:13] Threat groups using SamSam, BitPaymer, and Ryuk ransomware have been observed using these tactics very effectively. GandCrab differs from the ransomware used in those attacks, however, because it requests a ransom payment for each individual infected machine, rather than asking for a lump sum in exchange for decrypting all of an organization's computers.

Dave Bittner: [00:03:56:08] Email account takeover is a tried and true method for bad actors to gain access to your data, and your network. Asaf Cidon is vice president of email security at Barracuda Networks, and he joins us with the details.

Asaf Cidon: [00:04:09:21] The most common way is to actually phish one of the employees, so to send an employee a phishing email with a link that looks like a sign in page to a real service, but in fact is just a website owned by the attacker. So a lot of folks would receive emails impersonating Microsoft Outlook or Gmail or perhaps Docusign or Dropbox. Another way is by basically buying their credentials from someone else. So once credentials are stolen, they then get sold often times in the black market, in the dark web, and so you have this multi-tiered economy of criminals where one set of criminals is just harvesting credentials, then they sell off the credentials to another set of criminals that then might pursue a much more targeted attack against a specific organization.

Dave Bittner: [00:05:05:14] Now if I fall victim to this, if someone takes over my account, would I necessarily know right away that something has happened?

Asaf Cidon: [00:05:12:04] No, not necessarily, and this is what makes these accounts so nefarious. Most employees don't actually notice that their account has been taken over, and, in fact, attackers take several steps to hide their activity. One common thing attackers do is they will set up a forwarding rule from that employee's mailbox to forward all the emails externally, so they don't even need to log in to that account any more and don't trigger any kind of suspicious IP logins. Then, even when they launch an actual email campaign from that employee's account, sometimes they will actually delete those emails from the sent items email folder, so that the employee won't notice them, and they might even delete any of the responses really quickly when they are received.

Asaf Cidon: [00:05:59:15] So we do hypothesize that some of these attackers actually run scripts on the accounts to immediately delete the emails from the sent items folder and immediately delete their replies to the attack. So that's the more sophisticated attackers.

Dave Bittner: [00:06:15:03] Is it a typical situation that an organization will have less stringent security when things are coming from inside the organization?

Asaf Cidon: [00:06:25:03] Absolutely. In fact, the vast majority of email security systems, including the ones available on the popular email providers like Office 365, don't even scan or even have the ability to scan internal emails. So the common architecture of email security is they sit between the outside world and the mail server, so they only observe traffic from the outside coming in, or from the inside going out, and they have no ability to peek into internal traffic. And so this is what makes these attacks highly successful: they're basically running unimpeded. There's nobody really inspecting emails coming from internal sources, so that's what makes these attacks really dangerous.

Dave Bittner: [00:07:14:08] What are your recommendations for people and organizations to protect themselves against these sorts of things?

Asaf Cidon: [00:07:19:20] From the most sophisticated side, there are actually now solutions that use artificial intelligence to detect anomalies in internal employee traffic, that basically learns over time what's a normal pattern of communication for an employee. How they normally communicate with colleagues, what IPs do they log into, what are the inbox forwarding rules they have on their account? And then we looked for any malicious activity or anomalous activity on any one of these signals.

Asaf Cidon: [00:07:52:24] Another good idea is to apply multifactor authentication. Unfortunately, multifactor authentication is not a full solution to this problem. We've actually seen attackers bypass multifactor authentication by harvesting the SMS code as well as the credential with a fake login page. But still, it makes the life of attackers harder and definitely a good idea to set it up on all the important email systems of an internal organization.

Asaf Cidon: [00:08:27:01] Finally, the last step is probably awareness. So you can run security awareness campaigns to actually simulate these types of attacks, and any time anybody is doing any type of financial transaction or dealing with HR information, I would recommend the old-fashioned way of person to person. You're about to send someone a file with a lot of W-2s, so it's probably not a bad idea just to verify the email actually came from them, or to get on the phone with them and verify that they actually need it, and to see if it's the correct email address, right? So that's more internal procedures, which is always really important as well, on top of all the security measures.

Dave Bittner: [00:09:11:08] That's Asaf Cidon from Barracuda Networks.

Dave Bittner: [00:09:15:23] Researchers at Trend Micro this morning described a new type of information gathering malware that communicates with an attacker via a Slack channel. The malware is spread through watering hole attacks, potentially targeting people who are interested in political activities. Once it finds itself on a system, it runs a downloader which downloads a backdoor. This backdoor embeds two authorization tokens allowing it to communicate with the Slack API. It then downloads a file from GitHub and parses it for commands. The output of each command is sent to a private Slack channel where the attacker can read it. The primary target of the malware appears to be the victim's personal communications, and it goes after platforms like Twitter and Skype.

Dave Bittner: [00:10:02:02] The researchers have named the malware "Slub" because it makes use of Slack and GitHub. They don't know who is behind Slub because the attackers were very good at covering their tracks. Notably, the researchers haven't seen any related attacks in the past and they've been unable to find any similar malware samples. They believe with strong confidence that it was part of a possible targeted attack campaign, noting that the attackers were very sophisticated, "clearly showing a strong interest in person-related information."

Dave Bittner: [00:10:34:15] Google's latest Chrome update contains a patch for a high-severity use-after-free vulnerability that's being actively exploited in the wild. The bug is in the browser's FileReader API, which allows Chrome to access local files. Details of the flaw are being kept under wraps until enough users have updated, but Chrome's Security and Desktop Engineering Lead said in a tweet, "Seriously, update your Chrome right this minute."

Dave Bittner: [00:11:02:08] TechCrunch notes that Huawei filed its lawsuit against the US Federal government last night, claiming the ban on its products from government use is unconstitutional. Huawei is arguing that Congress violated the Constitution's Bill of Attainder clause by specifically naming the company. The clause forbids legislation that targets a particular person or entity without trial. Most observers doubt Huawei will win the case.

Dave Bittner: [00:11:30:21] Earlier today, Germany's Federal News Agency set stricter security requirements for all telecom equipment vendors rather than singling out Chinese companies. Under the new rules, critical network equipment will only be used after examination and certification by Germany's BSI information security agency, which assisted in drafting the guidelines. A full version of the requirements will be published later this spring.

Dave Bittner: [00:11:58:15] Facebook has joined Google in rejecting an Australian regulator's proposal that the government oversee how major tech firms rank news articles and advertisements. The Australian Competition and Consumer Commission says that companies like Google and Facebook "increasingly perform similar functions as media businesses," so similar rules should apply. A spokeswoman for Facebook said, "the proposed level of regulatory intervention" was "unprecedented."

Dave Bittner: [00:12:28:22] The UK's Financial Conduct Authority published research today warning consumers to exercise prudence when it comes to cryptocurrency. The research consists of two surveys which found that "many consumers overestimate their knowledge of cryptoassets." They often perceive cryptocurrencies as a way to get rich quick, and feel like they're "investing in tangible assets." One of the surveys found that one in six consumers hadn't completed any research on the topic before buying cryptocurrencies.

Dave Bittner: [00:13:04:19] Now a moment to tell you about our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in, it's the people you trust. The ones who already have the keys. Your employees, contractors and privileged users. In fact a whopping 60% of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT you don't have to. See, most security tools only analyze computer network or system data, but, to stop insider threats you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT for free, no installation required, go to, that's And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:14:13:00] And joining me once again is David Dufour, he's vice president of engineering and cybersecurity at Webroot and he is coming to us live from RSA Conference. David, having a good time out there huh?

David Dufour: [00:14:25:16] Yes, well you know, it can be a little hectic, especially once you're on day four. But yes, things are going pretty good.

Dave Bittner: [00:14:32:17] What are you seeing out there? What's your take on the show this year?

David Dufour: [00:14:35:05] Well I've got to tell you, David, I've got some really good news for your listeners because it seems like everything has absolutely been automated, integrated, simplified, and they're using pervasive, predictive zero trust AI threat detection security analytics and so it sounds like they're making it so we can stay connected longer, innovate faster and then stay online safely while we digitally transform our organizations. So I feel like we fixed it. It's over, we can just check off cybersecurity, it's done.

Dave Bittner: [00:15:12:04] I was going to say, no need for a conference next year right? We've got this solved.

David Dufour: [00:15:16:05] I've been talking to some folks and we're thinking next year we'll just have a big party as a kind of going away because we've got it figured out.

Dave Bittner: [00:15:23:23] Yes, that's good. Alright, besides all of those marketing messages, what's the real scoop? What's your sense of where we stand this year?

David Dufour: [00:15:33:20] Well there's a couple of things really sticking out because they're not on here, and we're not seeing a lot of discussion on blockchain. The last few years there's been a ton of talk about blockchain and things like that, so I think the lack of noise on that is interesting, and maybe people are realizing that's more of a management audit tool and not something that's in the near term going to be huge in security.

Dave Bittner: [00:16:01:07] Has it lost its buzzword status?

David Dufour: [00:16:03:19] Yes it has. For sure. Everybody's got their AI and ML, which is going to save the day, but some really interesting things that we're seeing in discussion is a lot of talk about privacy versus security, and how a lot of the things that are protecting our privacy online are affecting our ability with a lot of the tools we have to actually do security. So, for example, if you have a secure connection from your PC to a server on the internet, your organization isn't able to look at that traffic, not in a way to see what you're doing, but in a way to see where you're going, and a lot of the tools need to be able to monitor that traffic to make sure the bad guys aren't injecting things in that network flow.

Dave Bittner: [00:16:59:13] So security giveth, security taketh away.

David Dufour: [00:17:02:15] That's exactly right and I don't know that there's really any answers, but it's nice to see a discussion around how do we find that balance of ensuring people have their privacy, because I'm a huge privacy advocate. But there's got to be some balance where we can ensure people have their privacy but we're also building the tools we need that'll protect us.

Dave Bittner: [00:17:22:21] Yes, it definitely seems like privacy is certainly getting a brighter light shone on it than it has in years past. I'm wondering, what do you see walking around in terms of diversity? People of color? Are we seeing a better representation there?

David Dufour: [00:17:37:19] You know, I've got to say we are. I've seen a couple of groups that are from different countries. African groups, and then folks from the Middle East, so we're seeing from different locations, some South American organizations as well. The countries have their booth. But in general, there's more diversity now. Am I going to say it's diverse, you know, this can be kind of a slanted show, but I've been going six years. They gave me a little thing for my badge that says Loyalty Plus, I guess I'm some RSA loyalty person now. And I've got to say, it's getting better. We have a long way to go though, but it's nice to see inroads being made and a lot of attention being paid to diversity.

Dave Bittner: [00:18:23:16] What is your sense in terms of overall tone? People's spirits? Do you sense that there's a feeling of optimism?

David Dufour: [00:18:33:08] Well I think there's more of a feeling of pragmatism, where I think a couple of years ago we were going to fix all the world's problems, but where we've landed now is, one of the things we can do, how do we do it better? How do we try to make things a little simpler for people? But I think there's an idea around how do we start simplifying stuff for folks? So pragmatism with the hope of simplifying.

Dave Bittner: [00:19:00:10] And what are you seeing in terms of folks coming up to the Webroot booth and asking questions? Are you getting good leads, smart questions from people?

David Dufour: [00:19:07:24] So what's ironic, we don't get a lot of leads in terms of new business here. We have a lot of partnerships. It's good for meeting those folks. But we do get a lot of questions and it allows us to really put our finger on the pulse of what people are wondering about. And endpoint has been a really big topic. We had some EDR for a while where companies were focused on the detection component, but people are really looking for holistic solutions that actually remove a threat that gets on the machine as well. So there's a lot of talk about good old tried and true endpoint technology, and then everybody wants to talk about threat intelligence. It used to be a big buzzword but it's kind of calmed down, but people are looking for quality threat data to do analysis again.

Dave Bittner: [00:19:56:00] Alright, well David, safe travels home, I hope you're able to kick your feet up and relax a little bit when you get there. But in the meantime, enjoy the rest of the show.

David Dufour: [00:20:06:06] Alright, thanks David, it's been great being on.

Dave Bittner: [00:20:12:22] And that's the CyberWire. Thanks to all of our sponsors for making this CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at

Dave Bittner: [00:20:25:11] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire Editor is John Petrik, Social Media Editor, Jennifer Eiben, Technical Editor, Chris Russell, Executive Editor, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.