CyberWire Daily - Advice on secure telework. Magecart infestations. DNS hijacking with a COVID-19 twist and an info-stealer hook. Patch notes. The US 5G security strategy.
Episode Date: March 26, 2020
NIST offers advice on telework, as does Microsoft. Things to do for your professional growth while you're in your bunker. Magecart hits Tupperware, and they won't be the last as e-commerce targeting spikes. DNS hijacking contributes to an info-stealing campaign. Apple and Adobe both patch. The US publishes its 5G security strategy. And some thoughts on the value of work, as brought into relief by a pandemic. Thomas Etheridge from CrowdStrike on their 2020 Cyber Front Lines Report; guest is Michelle Koblas from AppDynamics on third-party risk management. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_26.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Things to do for your professional growth while you're in your bunker.
Magecart hits Tupperware, and they won't be the last as e-commerce targeting spikes.
DNS hijacking contributes to an info-stealing campaign.
Apple and Adobe both patch.
The U.S. publishes its 5G security strategy.
And some thoughts on the value of work.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, March 26, 2020.
Remote work, for those of us who are happily able to phone it in on the job, is very much the thing under the current state of pandemic emergency.
NIST has used its March ITL bulletin to offer some timely advice about secure teleworking.
The advice is pitched to enterprise IT organizations, not individual users,
but enterprises of many sizes will find it useful.
If you're not a big organization, you might take a look at Microsoft's Roger Halbheer, who blogs a useful compendium of advice for smaller organizations and individuals.
One of the resources he links to is a Microsoft page designed for the end user,
the employee who's working from the home bunker.
The advice is organized under three headings.
Pick a good workspace, that is, find somewhere comfortable and private
and a place that doesn't lend itself
to shoulder surfing by, we had the example, your neighborhood busybody or voyeur with binoculars
and time on their hands. So don't sit with your back to a window, for example. For conference
calls or video meetings, be similarly aware of eavesdroppers or accoutreurs, if we may coin a
word for the audio counterparts of voyeurs.
Keep your family or other housemates away from your work devices.
Maybe they're well-intentioned, sure, but lead them not into temptation of viewing PewDiePie
or the site that blows the lid off the WHO cover-up.
Use only encrypted Wi-Fi for business.
The second heading is keep your data secure.
Use strong authentication to control access to your work device
and access the cloud by multi-factor authentication.
Maybe consider reviewing your passwords to make them a bit stronger.
Encrypt your local drives.
Ensure your device's software is up-to-date and properly patched.
This especially goes for the browser you use.
Store files in a secure cloud location and, wherever possible,
use the web version of your productivity software.
The final heading is Keep in Touch.
Stay connected to your organization's IT and security teams
and don't give in to the temptation to install and use shadow IT.
If you're a security professional with some enforced time at home on your hands,
here's something to consider.
The SANS Institute has a large number of online no-travel courses available for professional development and certification.
They're not alone either, although they certainly are well-known.
A number of companies and institutions are offering online training in cybersecurity.
Tupperware is the latest high-profile victim of the Magecart
online card skimmer. Malwarebytes found the malicious activity last Friday and notified
the company. As Computing censoriously observes, Tupperware didn't do much about the issue until
Malwarebytes took their discovery public yesterday, but the houseware company now appears to have
cleaned its site of the skimmer.
Tupperware isn't the first and won't be the last victim of Magecart.
Criminals can be expected to target e-commerce sites at an increased rate,
a rate that's commensurate with the number of consumers driven from the malls to online shopping as they shop from home. You didn't think everything going on from home was work from home,
did you?
Bitdefender yesterday reported discovering an attack campaign that's changing DNS settings on home routers to redirect traffic to a site that purports to be an alert from the World Health Organization.
The bogus WHO note urges those redirected there to download an app that will give them
the latest information and instructions about coronavirus. Doing so, in fact, installs the Oski infostealer. The attack begins by brute-forcing
vulnerable routers, mostly Linksys and D-Link devices, to get management credentials. The next
step is altering the router's DNS IP address and redirecting a specific set of pages or domains to the phony WHO site.
The malware is stored in Bitbucket, and TinyURL is used to conceal the Bitbucket link.
And the final stage is delivery of the malicious payload.
ZDNet lists some specific IP addresses to be on alert for.
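The router-DNS hijack described above leaves two defender-visible traces: the router starts handing out a resolver the organization never approved, and a small set of domains resolves differently through that resolver than through a trusted one. The following is an added example, not code from the CyberWire episode or from Bitdefender's write-up; it checks both traces. The approved-resolver list, the watchlist and every IP address are constructed placeholders drawn from the RFC 5737 documentation ranges, not real indicators, and the function names are this example's own.

```python
"""Added example: two defender-side checks for a router DNS hijack.

1. rogue_resolvers(): flag DNS servers advertised by a home router (e.g. from its
   DHCP options) that are not on an approved list.
2. divergent_answers(): for a watchlist of domains, compare A records obtained via
   the router-assigned resolver with those from a trusted resolver, so a redirect
   of "a specific set of pages or domains" shows up as a mismatch.

All addresses below are constructed placeholders (RFC 5737 ranges), not IoCs.
"""
import ipaddress
from typing import Dict, Iterable, List, Mapping

# Assumed: resolvers the organization considers legitimate for its home-office fleet.
APPROVED_RESOLVERS = frozenset({"192.0.2.53", "192.0.2.54"})

# Assumed watchlist: domains a lure campaign would plausibly impersonate.
WATCHLIST = ("who.int", "example-bank.test")


def rogue_resolvers(router_dns: Iterable[str],
                    approved: Iterable[str] = APPROVED_RESOLVERS) -> List[str]:
    """Return router-advertised DNS servers that are not on the approved list.

    Unparseable entries are reported too: a DHCP DNS option that is not a valid
    IP address is itself worth a look.
    """
    approved_set = set(approved)
    flagged = []
    for entry in router_dns:
        try:
            addr = ipaddress.ip_address(entry.strip())
        except ValueError:
            flagged.append(f"{entry!r} (unparseable)")
            continue
        if str(addr) not in approved_set:
            flagged.append(str(addr))
    return flagged


def divergent_answers(router_answers: Mapping[str, Iterable[str]],
                      trusted_answers: Mapping[str, Iterable[str]],
                      watchlist: Iterable[str] = WATCHLIST) -> Dict[str, dict]:
    """Report watched domains whose answer via the router-assigned resolver differs
    from the trusted resolver's answer.

    A router answer absent from the trusted set is flagged as "mismatch"; a missing
    answer on either side is flagged as "no-answer". Only flagged domains appear in
    the result, so an empty dict means nothing diverged.
    """
    report: Dict[str, dict] = {}
    for name in watchlist:
        via_router = set(router_answers.get(name, ()))
        via_trusted = set(trusted_answers.get(name, ()))
        if not via_router or not via_trusted:
            report[name] = {"status": "no-answer",
                            "router": sorted(via_router),
                            "trusted": sorted(via_trusted)}
        elif not via_router <= via_trusted:
            report[name] = {"status": "mismatch",
                            "router": sorted(via_router),
                            "trusted": sorted(via_trusted),
                            "unexpected": sorted(via_router - via_trusted)}
    return report


# Constructed sample data standing in for what a probe of a hijacked router returns.
SAMPLE_ROUTER_DNS = ["192.0.2.53", "198.51.100.23"]          # second entry is rogue
SAMPLE_TRUSTED = {"who.int": ["203.0.113.10"],
                  "example-bank.test": ["203.0.113.20"]}
SAMPLE_ROUTER = {"who.int": ["198.51.100.99"],               # redirected
                 "example-bank.test": ["203.0.113.20"]}     # untouched


def run_checks():
    """Run both checks over the constructed sample and return their findings."""
    return rogue_resolvers(SAMPLE_ROUTER_DNS), divergent_answers(SAMPLE_ROUTER, SAMPLE_TRUSTED)


if __name__ == "__main__":
    rogue, diverged = run_checks()
    print("Unapproved resolvers:", rogue)
    for domain, finding in diverged.items():
        print(f"{domain}: {finding['status']} {finding}")
```

A mismatch is a lead, not proof: CDN-fronted domains legitimately answer differently to different resolvers, which is why the check compares against a trusted resolver queried from the same vantage point and reports the unexpected addresses rather than deciding on its own. The resolver-allowlist check is the cheaper signal and is the one that fires first when a router's DNS setting has been rewritten.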
In these times of increased uncertainty, it's important to check in on your third-party
suppliers to see how they're doing and what plans they've put in place to weather the storm.
Michelle Koblas is Director of Customer Trust at AppDynamics, a Cisco subsidiary.
I think that companies are doing a better approach to third-party risk management now
than they used to. Organizations have gotten smarter about how they're doing management of their third parties.
It used to be that when we first started this exercise, people would kind of just check
the boxes on, oh, vendor has X, Y, Z.
And now I find that companies are diving in a little bit more and going, what do I really
need to know about my vendors? What of my risk am I handing to them? And what do I need to pay
attention to, to what they're doing with my information? And what's happening from the
vendor side? Are they prepping themselves so that it's easier for them to demonstrate compliance,
to prove that they're doing what needs to be done? I think that vendors are doing a good job. I think that between the two, there's a lot of
give and take still that goes on. And it's a really hard exercise for a company to manage
their vendors and as a vendor to be managed. And companies have a lot of diverse vendors,
so they've got a whole bunch of vendors
out there that they need to manage. And they rely on questionnaires, somebody who's in their
environment looking at what's going on. The vendors on the other side are being slammed with
hundreds of different kinds of questionnaires and information, and they're
making a lot of information available and trying to put it all together. But it's a challenge on
both sides, I think. I think that we need to work towards a better exchange of information
and a more consistent methodology so that it's easier for all of us to work this out.
In the real world, people still have to get business done. And so it seems to me like because of that, there has to be a little bit of messiness with this. There has to be
some give and take. How much of a reality is that?
That's the reality all the time, right? Using any third party is about risk,
and it's about risk management, and every organization has to factor in what their risk
tolerance is. So, you know, it's a trust relationship between an organization and
their vendors, right? You have to, first and foremost, make a decision. Do I trust somebody
with the data that I need to give them,
with the access that I need to provide them? What happens if it all goes wrong in some way?
And so the whole exercise is about understanding how much you can and then how much you can trust,
right? And that's about, you know, picking quality vendors, understanding who you're using. Your customers are hundreds of times more worried about the data that you're getting than your customers are because they've got their data.
They're worrying about their data. You're worrying about everybody's data, right? It really behooves
vendors to remember that that burden is on their shoulders. That's Michelle Koblas from AppDynamics.
Adobe has patched a vulnerability in its Creative Cloud desktop application for Windows.
Exploitation of the flaw, rated critical, could result in file deletion.
And Apple has issued what Naked Security calls a Something-for-Everyone update
that fixes issues in iOS, iPadOS, macOS, watchOS, and tvOS.
The White House yesterday released the U.S. national strategy to secure 5G.
Apparently, the strategy was ready to go Monday when the Secure 5G and Beyond Act,
which included provisions requiring the president to develop such a strategy, was signed into law.
The strategy defines four lines of effort. First, facilitate domestic 5G
rollout. Second, assess risks to and identify core security principles of 5G infrastructure.
Third, address risks to the United States economic and national security during development and
deployment of 5G infrastructure worldwide. And fourth, we've had a lot to say today and over the past two weeks about remote work.
Those of us who can do our jobs remotely are the lucky ones,
and we should spare a thought for those who aren't able to work at all.
These are hard times for the people whose jobs are being called non-essential,
and remember that the non-essential makes up the greater part of what we might otherwise call
civilization. Non-essential shouldn't and doesn't mean trivial, inconsequential, or unimportant.
There is dignity in all honest work. And spare a thought for those essential workers whose jobs
can't be phoned in.
We always think, and rightly, about police, firefighters, and first responders,
of the people providing health care, and of soldiers, sailors, airmen, and marines.
We think less often about those who keep utilities up and running,
and of sanitation workers and their jobs.
And here's another category of usually overlooked heroes,
the people whose essential work is supplying and operating grocery stores.
Let's not forget the work they're doing either,
from the farm to the checkout line.
Thanks to all of you.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their
controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30
frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to
bypass your company's
defenses is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
And I'm pleased to be joined once again by Tom Etheridge.
He's the VP of Services at CrowdStrike.
Tom, it's always great to have you back.
You and your team at CrowdStrike recently published a report. It's titled the 2020 CrowdStrike Services Cyber Front Lines Report.
Take us through, first of all, let's start off, what prompted the creation of this report?
Thanks, Dave.
We produce this report annually. It's a summation of
some of the key findings and trends that we've seen throughout the course of the prior year.
In this year's report, we made an attempt at bringing in not just some of the themes and
findings, but we also tried to piggyback that with a number of prescriptive recommendations
and things that we would recommend to clients in order to improve their overall security posture
and be able to better detect and prevent these types of things from happening.
Well, let's go through it together. Can you share some of the highlights from the report?
Absolutely. First big theme was that about 36% of the
incidents that we investigated last year, we categorized into a business disruption category.
Most of those cases were ransomware, although we did see some destructive malware, malware
propagation, and denial of service attacks that really impacted organizations and their
ability to service clients. The second piece from the report was around the ability for organizations
to self-detect. We saw that almost 80, actually 79 percent of organizations and their IR teams
that we've engaged with were able to detect and respond to a breach without being notified by external parties, say law enforcement or the attacker themselves.
That was a good metric.
However, the bad metric that we reported on is that the dwell time for attackers in organizations increased from about 85 days to 95 days.
And that's due in part to the advanced tactics and techniques that many of these adversaries are employing and the countermeasures that they deploy in order to remain hidden for
extended period of times in organizations' environments.
But was there anything coming out of the report that was unexpected?
Anything that surprised you?
One of the things that I'm certainly passionate about and something that we reported on in the report this year was
the increase in third-party service providers, managed service providers being a target for
many of the e-crime adversaries that operate in the ransomware space. And the advantage that the attackers were following this past year
was to really, rather than focus in on targeting a specific single organization, they would focus
in on a larger service provider or maybe managed service provider that serviced multiple customers
in a particular industry or vertical. And that actually provides the threat actor with
more of an attack surface in which to operate. It seems to me that this report is showing that
there's an increase in maturity here, that folks' ability to defend against these things is growing more sophisticated.
We're getting better. Dave, one of the things we reported on this year is, again, self-detection,
organizations being able to self-detect. Almost 80% of the organizations that we were engaged with
were able to understand quickly that they were having a problem. Some of that could be due in
large part to the fact that when you have a ransomware screen
splashed up in front of your computer, you pretty much know that there's a problem.
So self-detection is certainly a metric that we want to go up.
But more importantly, we want organizations to be able to understand faster that there is a problem during the staging of certain malware and ransomware
in an organization's environment before the ransomware is launched
and they get that screen splashed up on their system.
All right. Well, Tom Etheridge, thanks for joining us.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast
of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash,
Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio,
Ben Yellen, Nick Volecki,
Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben,
Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo,
you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents
connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.