CyberWire Daily - Advice on Supernova and encouragement to patch Sudo. NetWalker taken down. Influencers tighten a big short squeeze. And charges are brought in a 2016 case of alleged US voter suppression.

Episode Date: January 28, 2021

Updates from CISA on Supernova. US Cyber Command recommends patching Sudo quickly. US and Bulgarian authorities take down the NetWalker ransomware-as-a-service operation. Influencers drive a big short squeeze in the stock market. Thomas Etheridge from CrowdStrike on recovering from a ransomware event. Our guest Zack Schuler from Ninjio examines the security challenges of Work From Anywhere. And another influencer is charged with conspiracy to deprive people of their right to vote. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/18

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Updates from CISA on Supernova. U.S. Cyber Command recommends patching sudo quickly. U.S. and Bulgarian authorities take down the NetWalker ransomware as a service operation. Influencers drive a big short squeeze in the stock market.
Starting point is 00:02:15 Thomas Etheridge from CrowdStrike on recovering from a ransomware event. Our guest Zack Schuler from Ninjio examines the security challenges of work from anywhere. And another influencer is charged with conspiracy to deprive people of their right to vote. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 28th, 2021. The U.S. Cybersecurity and Infrastructure Security Agency has published updated information on several malicious artifacts affecting the SolarWinds Orion product, which have been identified by the security company FireEye as Supernova. Supernova,
Starting point is 00:03:13 remember, isn't the malicious backdoor inserted into and propagated through the supply chain of the SolarWinds Orion platform. Rather, as CISA points out, Supernova is not embedded within the Orion platform as a supply chain attack. Rather, it is placed by an attacker directly on a system that hosts SolarWinds Orion and is designed to appear as part of the SolarWinds product. CISA's assessment is that Supernova is not part of the SolarWinds supply chain attack described in Alert AA20-352A. Their malware analysis report includes descriptions and indicators of compromise that security teams should find useful, and as usual, CISA concludes its report with a long list of best practices,
Starting point is 00:04:01 briefly stated and easily understood. U.S. Cyber Command strongly recommends that organizations patch the Baron Samedit bug in sudo, disclosed this week by Qualys researchers. Sudo, to recap, is a widely used, nearly ubiquitous, as Qualys puts it, utility found in Unix and Linux systems. Fixes for Baron Samedit are available, and Cyber Command thinks you should apply them. A joint U.S.-Bulgarian operation has taken down dark websites used by the NetWalker ransomware-as-a-service operation.
Starting point is 00:04:38 Bleeping Computer reports that it's not yet clear whether the FBI or the Bulgarian National Investigation Service recovered decryption keys in the course of their operation. NetWalker's choice of targets was opportunistically reprehensible, even by criminal standards. The ransomware's affiliates hit a lot of health care facilities. The dark website taken over in the operation had been used by NetWalker ransomware affiliates, the Department of Justice says, to provide payment instructions and communicate with victims. All that's now gone. Visitors currently find a splash page telling them this hidden site
Starting point is 00:05:16 has been seized. Bravo, FBI and the National Investigation Service. This will put a crimp in NetWalker for a while, but it's notoriously difficult to drive a stake through the heart of a criminal network. NetWalker may be back, but one hopes it stays down for a good long time. The rest of today's stories are tales of trolls, influencers, and the direction of online crowds. Individual retail investors loosely organized around the Reddit forum WallStreetBets drove shares of brick-and-mortar retailer GameStop very high, CNBC reports, forcing short sellers to cover their bets at a very dear price. GameStop shares traded at $42.59 last Friday, and that already represented a considerable gain, and they'd reached $469.42
Starting point is 00:06:08 by 10 o'clock this morning and have since fallen off a bit. Some of the coverage manages to make the Wall Street hedge funds caught in the short squeeze sound almost like the Bailey Brothers Building and Loan in Bedford Falls. It's an interesting and unprecedented case in which a large swarm of individual investors, mobilized by influencers and motivated at least as much by lulz and resentment as by the usual fear and greed, show themselves able to move markets. In the case of GameStop, the Wall Street Journal thinks the episode indicates a power shift in the investment world away from Wall Street and toward Main Street. As the Journal puts it, quote, war has broken out between professionals losing billions and the individual investors jeering at them on social media, end quote. Social media have
Starting point is 00:06:57 now joined passive and quantitative trading among the forces disrupting traditional markets. So is all this stuff illegal? Probably not, although a lot of big players think it ought to be. A great deal apparently hinges on whether the influencers urging investors on constitute a group under Securities and Exchange Commission guidelines. If they do, then they may have a problem. If they don't, that is, if they're a bunch of people woofing
Starting point is 00:07:25 public information at each other, then it's hard to see what the legal problem is. But expect a fair amount of lobbying of the new U.S. administration, urging that there ought to be a law. We should say that in this precise form, this episode is largely unprecedented. From the historical perspective of, oh, the last two and a half weeks or so, other stocks have been spontaneously pumped in social media. The most recent such odd online stampedes happened earlier this month. We've seen one case in which a similar name drove an unrelated stock share's price up. When concerns of the privacy of WhatsApp surfaced,
Starting point is 00:08:03 Elon Musk tweeted, Use Signal. That is, use the other messaging app that's not encumbered by Facebook. This tweet apparently caused the stock of a very surprised Signal Advance to pop into triple unicorn territory. Signal itself is not a publicly traded company, but that didn't deter enthusiasts from reading Use Signal, not as privacy advice, but as a stock pick, and apparently Signal Advance was close enough. Oh, and just one more thing. A man has been arrested in Florida on charges related to fraudulent attempts at voter suppression. One Douglas Mackey, sometimes going by the nom d'influence Ricky Vaughn, an apparent homage to the Charlie Sheen "Wild Thing" character in the movie Major League,
Starting point is 00:08:50 has been charged with conspiring to deny people the right to vote. The alleged offenses actually occurred during the 2016 elections. In that year, Mr. Mackey had established a Twitter following of some 58,000, which is pretty good. The Department of Justice, in its announcement, helpfully benchmarked Mr. Mackey's audience against other influencers and says he did better than NBC News, Stephen Colbert, and Newt Gingrich. The prosecutors say that between September and November of 2016, Mr. Mackey, quote,
Starting point is 00:09:22 conspired with others to use social media platforms, including Twitter, to disseminate fraudulent messages designed to encourage supporters of one of the presidential candidates, simply called the candidate in the release, to text their votes in. You can't vote by text. The tweets identified themselves as associated with the candidate's campaign, but obviously, since they were designed to convince likely candidate voters to think they'd voted when in fact they hadn't, they were not in the candidate's interest. NBC News identifies Mr. Mackey as a pro-Trump internet troll, and if they're right, it would seem that candidate would have been the other candidate, the one who wasn't Donald Trump. If he's convicted of conspiracy, Mr. Mackey could see a sentence of 10 years.
Starting point is 00:10:11 And remember, the alleged offense took place in 2016, not 2020. The mills of justice grind slowly. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Starting point is 00:10:46 Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist, Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
Starting point is 00:11:33 They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform
Starting point is 00:12:18 secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. The global pandemic forced countless organizations to hastily adopt a work-from-home strategy, the better to protect the health and safety of their employees. It's quite likely the largest shift to work from home that we've ever seen. And as workers settle into this new reality, it's becoming
Starting point is 00:13:05 clear that for many, returning to the office every day no longer holds the appeal it once did. But now that we're at the onset of widespread vaccine distribution and the real possibility of relief, some are predicting that work from home could shift to work from anywhere. Zack Schuler is founder and CEO of cyber awareness and education firm Ninjio, who recently published a special report on work from anywhere cybersecurity. Zack, welcome to the Cyber Wire. Thanks so much for having me. So let's start with some basic stuff here on this report.
Starting point is 00:13:39 First of all, what prompted the creation of the report? Well, I think it's the fact that, you know, we were looking into the future and, you know, everybody's working from home now. And we were thinking about, you know, what's life going to look like after the vaccine is widespread and everything else. And we started doing some research and the research showed that post-COVID, according to a PwC survey, that almost 90% of executives say they expect many or most of their employees to work remotely at least once per week and 72 said at least two days per week and that overall three quarters of companies plan to shift some basic employees to a remote work on
Starting point is 00:14:19 a permanent basis after the pandemic and so you, we start really thinking about that and what that looks like. And now that people, you know, it's post-COVID, you can go to Starbucks, you can go to the library. There are a whole host of new security threats that now pop up. And so we want to get ahead of the game, kind of cancel the word working from home and erupt the word working from anywhere because that's where we see the future. Is your sense that the security folks are ready for this or is this shift something that's on their radar, this shift to work from anywhere? I don't think it is. And the reason that I don't think it is, is that, you know, every IT individual that I speak with, they're scrambling. They're trying to do more with less. Departments have been downsized due to COVID and they've had to scramble just to get the working from home
Starting point is 00:15:18 stuff straightened out. And so, you know, they're concerned about employees' home networks and what those look like. I honestly don't think the vast majority have had the time to strategically think about what it's going to look like when people start taking their devices all over the place. You know, people that would normally be in the office could now potentially be sitting in a hotel lobby doing their work. I'm just not sure that they've thought about that. So in your report here, what are some of the recommendations that you presented here for folks? You know, if you are forced to use public Wi-Fi, I would always go to an authority figure at the place that is delivering the Wi-Fi, ask them very specifically, what is the SSID that I'm supposed to connect to? And what is the password? And so you don't accidentally connect to,
Starting point is 00:16:11 you know, the wrong Wi-Fi. Then, you know, I think imperative is to use a VPN software, you know, whatever is going across the public wire there is encrypted. You know, next would be, you know, make sure you really look after your physical security and that your devices are kept close to you. Maybe put on protection screens on your laptop that don't allow people to view the screen. Be very careful when, you know, connecting to other foreign devices for printing or scanning or anything of that nature. Zack Schuler is founder and CEO of cyber awareness and education firm Ninjio. Zack, thanks so much for taking the time for us. Hey, thanks so much for having me. I really enjoyed it. Thank you. with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker
Starting point is 00:17:26 is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And joining me once again is Thomas Etheridge. He's Senior Vice President for Services at CrowdStrike. Thomas, great to have you back. I wanted to touch base today on what happens when an organization gets hit by ransomware, what the recovery process is like. When you're working with folks, what happens?
Starting point is 00:18:21 Can you walk us through what that's like? Sure, absolutely. One of the things that we've been reporting on, and we published a blog on this recently, is the whole recovery process in general needs a little bit of an uplift. Tearing down and rebuilding extensive infrastructure in order to recover from an incident, including a ransomware incident, is a very costly and time-consuming effort. In many cases, organizations do not have a procedure or policy pre-planned for recovering from a ransomware incident. So one of the things we've been talking to organizations about currently is how do you embed intelligence into the recovery process, understanding threat actor tactics and techniques, the type of malware they may be deploying to carry
Starting point is 00:19:18 out their financially motivated crimes, and how to recover from those incidents, organizations can be building playbooks in order to respond to that without having to re-image hundreds, let alone thousands of endpoints. So I suspect, I mean, if you can use that type of approach, you're going to be saving both time and money. Absolutely. The cost associated with re-imaging and building from the ground up hundreds or thousands of systems and the impact and disruption that has on business and operations is very, very impactful. One of the things that we've seen from a cost perspective is that the time to re-image and rebuild hundreds, maybe thousands of machines could take months, and the disruption to business and operations is very impactful. We're still, as we reported before, in 68% of the cases we responded to in this year's Frontlines report,
Starting point is 00:20:27 the threat actor has made a second attempt at trying to regain access, infiltrate, and or ransom that organization. So recovery is critical to making sure the right controls are in place and the systems are clean and that the threat actor has been removed from the environment. And when we talk about intelligence-led recovery, we're talking about taking a tactical approach, using real-time response capabilities to reverse malicious operations, kill bad processes, delete infected files, restoring registry keys to their original settings, and removing any and all persistence mechanisms with speed and surgical precision allows for a reduced time to recover from an incident. Now, do you find that folks are taking
Starting point is 00:21:21 the threat of ransomware seriously to the degree that it deserves? Are folks still kind of, you know, whistling past the graveyard or is this getting the attention it deserves out there? I think it's getting a lot of attention and I think it's getting a lot of attention because it's been such a successful tactic deployed by e-crime threat actors over the past year. We are seeing and talking to a lot of organizations about how they can improve being able to prevent ransomware. We focus in on ensuring they build a bulletproof backup strategy, making sure that organizations have multi-factor authentication implemented for their backup systems, keeping a copy of backups
Starting point is 00:22:07 offline or in air gap networks, and then closely monitoring your backup solution for evidence of data exfiltration. Certainly something we've seen attackers do over the past year is not just look for that critical information within the core infrastructure, but also looking to delete backups before deploying ransomware. So really focusing in on having a solid, bulletproof backup strategy is critical. Multi-factor authentication for internet-facing protocols, such as RDP and Server Message Block, implementing next-gen endpoint protection solutions that take advantage of machine learning and artificial intelligence, and looking at your privileged account management
Starting point is 00:22:52 solution and making sure that you're rotating credentials and that you have good visibility into expired accounts and managing your privileged accounts much more effectively. These are things we see customers really focusing on to try to improve their capabilities to defend against a ransomware attack. All right. Well, Thomas Etheridge, thanks for joining us. Thank you, Dave. And that's the Cyber Wire. And by the way, happy Privacy Day. Do you know where your information is? For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
Starting point is 00:23:51 It'll save you time and keep you informed. Feel like a million. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe,
Starting point is 00:24:18 Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Thank you. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
