News Wrap: Emotet’s Return, U.S. Vs. Snowden, Physical Pen Testers Arrested

Threatpost editors discuss the return of Emotet, a new lawsuit against Edward Snowden and more.

From the re-emergence of an infamous malware, to a new lawsuit against Edward Snowden, Threatpost editors Lindsey O’Donnell and Tara Seals break down this week’s top news. Top stories include:

  • Emotet, the notorious banking trojan, is back after a summer hiatus.
  • The U.S. sued Edward Snowden over his new memoir, alleging he published the book in violation of non-disclosure agreements signed with both the CIA and NSA.
  • Two pen testers arrested and jailed for breaking into Iowa courthouse during a physical pen testing exercise.
  • Next week, Tara Seals will host a Threatpost webinar, “AI and Cybersecurity: Tools, Strategy and Advice” with a panel of experts from Pradeo, Embedded Knowledge and ZeroFOX.

Listen to the full podcast below, or download directly here.

Below find a lightly-edited transcript of the podcast.

Lindsey O’Donnell: Hi, everyone. Welcome back to the Threatpost news wrap for the week ended September 20. You’ve got Lindsey O’Donnell here with Tara Seals with Threatpost today to talk about the biggest news of the week. Tara, how’s your week been so far?

Tara Seals: Oh, it’s been pretty good Lindsey. You know, busy as always, security never sleeps apparently.

LO: Well, I know I’m sure you’ve been very busy preparing for – you actually have a webinar next Wednesday, is that right?

TS: Yes it’s coming up. And it’s on artificial intelligence and where it fits into cyber security.

LO: Yeah, that looks like it will be pretty good. I feel like AI has been at the center of cyber security in terms of tools for protecting against threats. But now, as we start to see, you know, black hats starting to leverage it as well that’s worrisome, and there’s a lot to unpack there.

TS: Yeah, for sure. Well, so I have three really great panelists and, I’m excited to hear what they have to say on the on the topic and they’re all taking a different tack. So we’re definitely going to cover the adversarial aspect of it. So you know how black hats are also using AI and how that’s contributing to this cat-and-mouse game, which is the age old security story of course, vendors trying to keep up with attackers as a byproduct of that, it’s forcing artificial intelligence to develop more quickly, maybe then it might have otherwise. And then we’re also going to have a lot in terms of where we’re seeing AI being utilized now, what’s hype and what isn’t, and also where we can expect it to evolve to in the future, what sorts of solutions and different types of products, as well as how it will interface with human resources as well.

LO: Right. Well, I’m sure that whole topic around AI and the workforce to is going to be a big topic of discussion as well. I think there’s just a lot there and sounds really exciting.

TS: So yeah, I know it should be really, really good. I’m looking forward to it. So it’s 2pm ET on Wednesday, next week, September 25.

LO: Great. Well, to all our listeners, make sure to mark your calendars and I’ll be sure to include a registration link in our article for this podcast as well. But yeah, I’m definitely excited to listen to that. So going back to this week, big news this week, Emotet is apparently back and that malware has been on hiatus since I think it was earlier in June. So a while but it’s now back and being spotted in campaigns. I feel like a bunch of researchers were kind of expecting that to happen though.

TS: Yeah, I think didn’t you do a video interview actually kind of covering Emotet and its various vacillations and how it had disappeared from the radar screen. But very much expected to return right?

LO: Yeah. So I was actually talking to Sharon DeGrippo with Proofpoint back at Black Hat. And I recently published the video interview of that. But she was mentioning we were talking kind of about the ebb and flow of malware variants and families and how summer going away summer coming onto the scene and summer just disappearing. But she was saying that they’re almost dropping off as the threat actors behind the malware variants, so on vacation, funny enough, so she was saying that the Emotet group probably was on summer vacation, but she was predicting back in August that they were probably going to come back and sure enough, that sounds like this week. that is exactly what people started seeing happen.

TS: So yeah, I love it. They did and so I wrote a story by basically on the return of humans had talking about how you know they took a summer vacation. A four months long summer vacation, and then you know came back kind of with a vengeance, and with some evolutions, and it’s been the most had tactics as well, which are kind of interesting.

One of which, for example, they’re starting to take over existing email threads basically. So if you have correspondence that you’ve been having with someone that you know that’s legitimate correspondence, Emotet can actually go in, find one of those messages and reply to it. So you think that it’s just one more part of an ongoing conversation thread, and your suspicions might not be raised when the person on the other end asks you to take a look at an attached document. So that’s a pretty savvy technique that was only found in something like 8 percent of Emotet campaigns before the summer hiatus and now it accounts for almost 25% or a quarter.

LO: That’s definitely a newer track and it sounds like it’s very sneaky too so, they have also been, I feel like they’ve been evolving to a bunch over the past year or so. So, you know, it sounds like they’re constantly kind of picking up these new tricks and tactics. Did they have any indication of kind of the targeting there and who specifically was being targeted?

TS: Well, you know, it’s kind of a spray and pray type of thing, because with the way that they propagate, the malware is basically via email, right? So they infect somebody, and then they gather the person’s contact list, and then they spam everybody on the contact list. So that’s kind of the propagation angle. So it’s very much just sort of opportunistic and can be targeted at anybody really, you know, the most recent one – you see it globally – but the most recent one started out I think they said, in Sweden, I believe I don’t have it in front of me. No, I’m sorry, in Germany, Poland and also and Italy. And then shortly after that it popped up in the US as well all using the same types of wars. So all parts of the campaign but different areas of the globe and certainly not discriminatory in terms of who the targets are.

LO: Well, that will definitely be something to keep our eyes on in the coming few months, especially today. We’re kind of on this break and sounds like they are coming back on full force.

TS: So yeah, I think it’s kind of funny that you, you know, people forget that this is a full time job for these guys, right? The guys and gals, they they go to work every day and they take vacations too. And they probably have, you know, over time, allotment and everything else. Now a four months summer hiatus. Now, that’s something that I would like to implement here in the US, but I don’t think we’re going to get that anytime soon.

You have some interesting stories this week too Lindsey like you wrote about, for example, Edward Snowden is back in the headlines. Which I thought was interesting.

LO: Yeah, he is, essentially what happened was that the US filed a lawsuit against him. And you know, when I first saw that I was kind of when I read the headlines, I was like, what, what is this, like what has happened, but it’s actually for his new memoir, which is not what I thought it would be about, I guess the lawsuit revolves around his book, which is called “Permanent Record.” And that was published on Tuesday. So it outlines kind of his life and his story behind the 2013 incident. What the US said in their lawsuit was that he published the book in violation of non disclosure agreements that were signed with the CIA and with the NSA. And what it sounds like just reading between the lines is that they’re just trying to kind of seize any proceeds going from his memoir. And, they named the publishers of the book as defendants and ordered them to freeze any assets that were related to the book. So sounds like they’re dinging him for his memoir. The lawsuit also alleged that Snowden gave public speeches on different matters that were also in violation with his non disclosure agreements, just makes you wonder kind of what he had in place for non disclosure agreements with the US government. I feel like they can’t really do too much about him right now. So they’re really kind of aiming for those publishing companies and trying to freeze those assets in the only way they can really.

TS: Yeah, there are a few different things that stick out to me here, first of all, is, you know, I think you mentioned in the article, somebody from the ACLU pointed out that there’s nothing in the book that hasn’t already been published in newspaper accounts and the like. So, first of all, the cat’s already out of the bag. It’s not exactly, you know, government secrets anymore, right. There’s that part and I don’t know the veracity of that claim. You know, maybe he did put new information into the book that wasn’t known about that that incident before. But the other thing is, you know, the government’s doing him a favor, right? Basically saying, you know, I think he tweeted out this is the book government doesn’t want you to read, which obviously is gonna be like, Well, I have to go read it right now.

LO: It’s so funny you say that because and you mentioned his attorney Ben Wizner was the one with the director of the ACLU speech privacy and technology project and he actually said in his statement, it was almost like a little like snarky a little bit. He was like, Mr. Snowden hopes that today’s lawsuit by the US government will bring the book to the attention of more readers throughout the world not really hiding it between the lines there but anything that’s going to it’s some needed publicity, I guess, but.

TS: Well, and even if the judge decides that the publishing companies have to have to abide by this, this freezing order. You know, there will be enough books out there in circulation I’m sure copies will go up on, you know, the black market, like the internet and people will be photocopying it and everything else. I’m not sure that the government’s efforts are going to results that they’re hoping. Right?

LO: Yeah, for sure. Well, I am interested in reading the book kind of learning more about it.  And then another interesting article I wrote about actually, just yesterday on Thursday was – this was less kind of hard news – But it was more about physical pen testers because I don’t know if you have been following that news. But there was a case on September 11, where two hackers were arrested and jailed for breaking into the Iowa courthouse during what turned out to be a pen tester exercise. And they were two physical pen testers who were hired by the Iowa judicial branch to make sure that the courts’ data was secure. And that they weren’t able to bypass like physical protections put in place by the bank. But what happened was that there was miscommunication and different interpretations around the scope of the agreement. So the two contractors who worked with a security firm called Coalfire ended up getting arrested and it was a whole mess. And but now it sounds like both of the entities involved, so Coalfire and the Iowa judicial branch, have come out and said, this was all a big misunderstanding, they were part of a physical pen test. And, we apologize about this, and we’re working together to try to figure this out. But it just goes to show first of all, it made me curious about physical pen testing. And second of all, it was really interesting to learn more about kind of there are kind of different interpretations in terms of scope, when it comes to physical pen test agreements, much like there are kind of bug bounty in-scope vulnerabilities and responsible disclosure agreements. So I thought that was kind of an interesting piece of it too. And I actually went and talked to Chris Pritchard with Pen Test Partners, who works as a physical pen tester. And he had a lot of really interesting kind of information about his own day to day work, performing recon, kind of scoping out entry options and looking at how he can physically breach organizations.

TS: Yeah, I was reading that story. And one of the things that I left out to me was, you know, when he talks about how you know, so a company will hire him basically to see if they can break in right and get past, social engineer the security staff or whoever’s in charge of preventing access to people that are unknown, correct? So when he was talking about how he gets nerves, you know what ahead of an assignment and having to be that person that’s going up there trying to get by with a fake ID badge or trying to, talk somebody into believing some trumped up story about how he has to gain access to the vending machine because he’s there to, repair it or whatever. It is fascinating, fascinating theme I thought.

LO: Yeah, no, and it is interesting. I mean, even though this is a simulation, the fact that he was saying that physical pen testers do get nervous, and they do really want to try to think in the mindset of someone who would be trying to get into an organization because at the end of the day, you’re really trying to help them understand what their weak points are. And a couple of other things that kind of stuck out to me when I was talking to Chris was that he was mentioning that there are different things that he notices even when he’s preparing for entering a building. For example, he will  take note of what people are wearing in an office because if you’re a very dressed down office space and the dress is casual and someone walks in and they’re wearing  fancy clothes, then you’re going to obviously take note of that. So that was one thing he noticed. Another thing he took note of was obviously the surveillance devices or any locks. And he also said that I asked him kind of what the hardest kinds of organizations to perform a physical pen test engagement were and he actually said airports which was kind of interesting, because I guess just that the knowledge, there’s such a stigma around having high security there, makes kind of that level of nerves go up for a physical pen tester in order to perform that engagement.

TS: I think anybody that you know, appreciates Homeland Security and stay on the right side of the law. Doesn’t want to tangle with TSA, for example, you know, and I mean, I would be, you know, I’m kind of a rules and regs girl, and I would feel very nervous trying to, it’s just that’s a different order of magnitude. Right?

LO: Absolutely. I would be very nervous as well, just with the security teams. They’re on the next level. Yeah. And tend to be armed and those types of things. Yeah.

TS: Well, one of the questions that I had was do they actually use any cyber security aspects when they do this? Like, for example, I don’t know plant malware on the network or try to physically surveil by hacking the security cameras or anything like that.

LO: It really depends on the assignment and Chris was telling me that the final task is kind of the first thing that’s agreed upfront. And that could be getting a red folder from the finance office or it could be actually like plugging into the network, plugging in a USB or something looking for vulnerabilities that could compromise the company and trying to see just how far you can get in actually attempting that simulation of a breach. So there definitely is some type of technology aspect and cyber security aspect to it. But I think that is probably after you have gotten through the surveillance camera or like any sort of locks on the door, or getting past different security systems or security guards. So I think it’s kind of a combination of both of them.

TS: Really interesting stuff.

LO: Yeah, yeah. And I guess my final point would be that he said that he was always on the lookout for a challenge which is when an organization employee would challenge him as someone who shouldn’t be in the office after noticing that he is an intruder. And he said that challenges are really difficult for employees and just kind of regular, you know, organization employees, because it’s essentially going up to a stranger and confronting them, which makes a lot of people uncomfortable. So Chris’s recommendation for challenges is that if you’re an employee and you see someone who’s kind of sticking out or who is new in your office, to confront them in a kind of a non aggressive way. And ask them a question that not like, Who are you? But it might be like, oh, like, you know, What are you here for, and then go and verify that information. And he was saying that the more questions you ask like, the more likely it is that the intruder would trip up or like make a mistake. So and once they do slip up, he was saying that you can go and notify the right people in your organization. So yeah, it was a really interesting article array, lots to learn there, and really enjoyed talking to Chris.

LO: Well, Tara, I think we should probably wrap up. But thank you so much for coming on. It was great talking to you and kind of touching base at the end of the week.

TS: Yes. Thanks so much for having me, Lindsay and have a great weekend.

LO: Thanks, you too.



Suggested articles