CyberWire Daily - Alleged Russian disinformation campaigns. Beijing’s cyberespionage hits the Vatican. Costly PII losses. VPNs and OT security. Big Tech’s day with Congress. Online bar exams. Snooping for the Saudis.
Episode Date: July 29, 2020. Alleged Russian influence operations described by US intelligence services. “Ghostwriter” targets the Baltic region with anti-NATO false narratives. Chinese intelligence is said to have compromised Vatican networks. Loss of customer PII seems the costliest kind of data breach. VPN bugs represent a risk to OT networks. Big Tech comes to Capitol Hill, virtually. Michigan’s online bar exam knocked offline, briefly, by a cyber attack. Joe Carrigan on password stealers targeting gaming. Our guests are Troy Smith and Mike Koontz from Raytheon on defending communications operations across cloud platforms. And a superseding indictment for two ex-Twitterati charged with snooping for Saudi Arabia. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/146 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Alleged Russian influence operations have been described by U.S. intelligence services.
Ghostwriter targets the Baltic region with anti-NATO false narratives.
Chinese intelligence is said to have compromised Vatican networks. Loss of customer PII seems the
costliest kind of data breach. VPN bugs represent a risk to OT networks. Big tech comes to Capitol
Hill virtually. Michigan's online bar exam's been knocked offline briefly by a cyber attack.
Joe Carrigan on password stealers targeting gaming.
Our guests are Troy Smith and Mike Koontz from Raytheon on defending communications operations across cloud platforms.
And a superseding indictment for two ex-Twitterati charged with snooping for Saudi Arabia. From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your Cyber Wire
summary for Wednesday, July 29th, 2020. Several interrelated Russian disinformation operations
are apparently in progress. Declassified U.S. intelligence describes the GRU's and SVR's
campaigns to spread disinformation about the
COVID-19 pandemic, the New York Times reports. The influence operations running from May through
this month have been staged for the most part through two news services, InfoRoss and One World
Press. 150 articles on the pandemic have been staged over that period.
According to the AP, two GRU veterans have been identified with the effort.
Apparently, the GRU's cousins in the SVR aren't on the sidelines either.
Its connections with the Strategic Culture Foundation are currently being looked at by the FBI.
InfoRoss and One World's content is aimed at Western and in particular U.S. audiences. The pieces are written in idiomatic English and are designed to be run
through and amplified by other sites and outlets. The themes of the pieces are familiar. Russia is
helping other countries, including the U.S., with medical aid during the pandemic. COVID-19 may have been a U.S. biowar operation that ran away from its masters.
This one originated with China's intelligence services.
American blue cities have descended into chaos.
People are worried about Hunter Biden's sweetheart deal with a Ukrainian energy company.
This one's a useful twofer, a bad look for America, and a bad look
for Ukraine, neither of which countries have exactly been flavor of the month in Moscow for
some time, and so on. As usual, the stories surround the lies with what in this case amounts
to a thin bodyguard of truth. Social media platforms, especially Facebook, have been labeling obvious state-run news outlets like RT, that is Russia Today, and Sputnik, as such.
But it's tougher to filter stories fed through third parties, which is what InfoRoss and OneWorld do.
The AP likens it to money laundering, only with information instead of cash.
Content is cycled through other news sources to conceal their origin
and enhance the legitimacy of the information.
The strategy takes advantage of the long-standing,
but surprisingly seldom remarked derivative nature of much news reporting.
One World takes exception to those who've characterized it as a Russian influence tool.
They are, they say on their website, a global think tank,
and their response to the stories in AP and the New York Times runs under the headline,
One World's Response to Media Defamation.
Sharing One's Opinion Doesn't Make Them a GRU Agent.
Adding emphasis to the headline with an exclamation point.
Separately, FireEye's Mandiant unit outlines what it calls
the Ghostwriter campaign, intended to influence audiences in Latvia, Lithuania, and Poland against
NATO. Ghostwriter is perhaps more obviously fraudulent than the efforts mounted through
OneWorld. Mandiant's report says it, quote, appears to have leveraged website compromises or spoofed email accounts to disseminate fabricated content, including falsified news articles, quotes, correspondence, and other documents designed to appear as coming from military officials and political figures in the target countries, end quote.
Mandiant believes it's identified at least 14 inauthentic personas through which Ghostwriter
distributes its content.
There is, Mandiant says, no modal Ghostwriter operation, by which they mean that it's opportunistic
and willing to run with whatever seems to work.
But a Ghostwriter campaign tends to follow a general outline.
It begins by formulating a false narrative supported by fabricated source
documentation like phony quotations, doctored images, and bogus official documents. The second
phase is dissemination, which places stories in compromised legitimate news sites, op-eds,
blog posts, and direct email campaigns. Chinese intelligence services are said to have penetrated the Vatican's networks
in advance of diplomatic talks with the Holy See.
Recorded Future provides details of Beijing's RedDelta threat group
and its operations against the Diocese of Hong Kong and the Vatican itself.
The campaign's goals are thought to be the extension of Communist Party influence
over the persecuted underground church
and collection against the Hong Kong diocese's potential connection with pro-democracy movements in the formerly autonomous city.
IBM looks at the cost of a data breach and finds that, on average, breaches wind up costing organizations $3.86 million.
Compromised employee accounts are the most common cause.
The study looked at the experience of some 500 organizations located around the world,
and it found that 80% of these incidents studied resulted in exposure of customers'
personally identifiable information. And of all types of information lost in incidents,
customer PII was hands down the most expensive to the organizations that suffered the breach.
Vulnerabilities in industrial virtual private networks are believed to be placing critical infrastructure at risk.
Claroty yesterday published an assessment in which it associated the pandemic-driven increase in remote work with a heightened risk of VPN exploitation.
Big Tech will testify before the U.S. House Judiciary Committee's antitrust subcommittee today.
Amazon's Jeff Bezos, Apple's Tim Cook, Facebook's Mark Zuckerberg, and Google's Sundar Pichai
appear today via socially distanced teleconference.
The hearings are focused on alleged anti-competitive practices,
but other matters are widely expected to come up,
and the Wall Street Journal has a summary of what to expect.
The hearings lack the usual drama of the rich and famous being grilled
in a small, hot, crowded, traditionally sanctimonious hearing room,
but that's the nature of congressional hearings during this time of the pandemic. Some of those who will appear, especially Zuckerberg and Cook, have been through the
experience before, but it represents a first appearance for Mr. Bezos, who nonetheless earned
a reputation for being able to stay on message when challenged. It's not just congressional
hearings that have moved online, so have some bar examinations.
Michigan is one of several states to have moved its bar exam online.
That exam was briefly disrupted yesterday, Bloomberg Law reports,
by a cyberattack on the ExamSoft portal used to administer it.
ExamSoft says it was a sophisticated attack on the login process and that no data
was lost, but the incident gave a lot of prospective Wolverine state lawyers a case of the yips.
With the continued migration to the cloud, many organizations find themselves operating
across multiple cloud services, often from a variety of vendors. Troy Smith and Mike Koontz are with the
cybersecurity team at Raytheon, and they join us with insights on the approach organizations should
take to manage and defend communication operations across various cloud platforms. Troy Smith gets us
started. You know, traditionally, the time it takes to deploy a physical network can be very long, sometimes weeks, sometimes months.
The manual deployment of cloud-based networks can take anywhere from a few hours to multiple days.
And in both of those, there's a potential for human error in the process. So that kind of
addresses time and resources. The process of building virtual clouds was very expensive,
and fixed facilities were easy to target by adversaries. So there is a cost piece in there
as you frame out this problem. As cloud infrastructure technology has matured over the
years, millions of virtual machines have been created, accessed, and destroyed worldwide.
And tens of thousands of virtual cloud networks are built and destroyed daily. And the reason
for that is most of them lack the critical security protocols. Can you give me some insights
on what happens in terms of interoperability between different cloud providers?
I mean, is that an area where people have specific security vulnerabilities when they're trying to sort of sling data back and forth in between different providers?
Naturally, yeah, you're right.
That's Mike Koontz.
If you're able to deploy within a certain cloud, a specific one, and stay within a local region, you do have more options within a lot of the clouds to do a lot of different private things within the cloud's actual backbone, the CSP's actual backbone.
So every time you egress out of one of the services and have to transit and then move into another one, of course, you've got to take care with that.
And that's one of the elements that we kind of handle pretty well with the tool.
It's got pre-designed different packages out there already integrated in.
Maybe you want to stand up VPNs.
Maybe you want to do different types of things.
We've already got a lot of that figured out.
So you are right there.
If you're able to stay within one set CSP and specifically within a region,
a lot of times you have options to have your traffic not even exit the infrastructure of that CSP.
Do you find there's sort of a false sense of security for people who are getting started with these sorts of things that because it is so much faster and in some ways
easier to set up that, you know, they don't often or they don't always realize the security
implications of what they're setting out to do. Oh, absolutely. Absolutely. And, you know, because
as you know, a lot of times and most of the time, a good adversary is going to do his bad deeds in a way that you're not able to readily recognize it right away.
Yeah, so a lot of times people get these things out there.
They get everything deployed.
It's up and running.
They can go out and use their services, their user base is using their services.
Everything seems happy and fine.
And then you find out way after the fact when it's already very late, yeah, you've got some problems.
So, yeah, that's a very common issue for sure.
Our thanks to Troy Smith and Mike Koontz from Raytheon for joining us.
And finally, you may have seen reports that two former Twitter employees under indictment won a legal victory over U.S. federal prosecutors by having charges dismissed.
Not so.
The Justice Department hasn't withdrawn charges against the former Twitter staffers Ahmad Abouammo and Ali Alzabarah.
Instead, Cyberscoop reports, it's issued a superseding indictment against them,
charging them with acting as an agent of a foreign government without notice to the Attorney General,
conspiracy to commit wire fraud and honest services fraud,
wire fraud and honest services fraud,
conspiracy is its own distinct crime, so that's not a typo,
money laundering, destruction, alteration, or falsification of documents relevant to a federal investigation,
and aiding and abetting.
The defendants are alleged to have done these things on behalf of the Kingdom of Saudi Arabia,
and they're alleged to have snooped on a former associate of murdered journalist Jamal Khashoggi.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash
careers to learn more. Do you know the status of your compliance controls right now? Like,
right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Clear your schedule for you time with a handcrafted espresso beverage from Starbucks.
Savor the new small and mighty Cortado.
Cozy up with the familiar flavors of pistachio.
Or shake up your mood with an iced brown sugar oat shaken espresso.
Whatever you choose, your espresso will be handcrafted with care at Starbucks.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Joe Carrigan.
He is from the Johns Hopkins University Information Security Institute,
also my co-host over on the Hacking Humans podcast.
Joe, great to have you back.
Hi, Dave.
We have been tracking this meow attack, as it's being called,
and I wanted to get your take on it.
First, can you start off? Just give us a brief description of what's going on here.
So what's happened is, as of this recording,
they have, researchers have identified over 1,800 databases, cloud databases.
These are databases like Elasticsearch and MongoDB,
and these are open and accessible on the internet.
And somebody is going around finding them
and wiping them out,
taking all the data and destroying it.
They're not leaving a ransom note.
They're not doing anything other than just
taking the database down.
Actually, they're not even taking it down.
They're just destroying the data that's in the database.
Mm-hmm, Mm-hmm.
Emptying it or, yeah.
Right.
No more database.
No more database, right?
No more data, I guess.
Everything you had is gone.
Yeah, no more data.
Yeah.
And it's permanent, apparently.
Hmm.
And so what's the speculation here?
What do we think's going on?
Well, my speculation, and this is only my speculation, is that this is somebody who
believes that they are doing something right and justified.
There are a couple of indicators of this.
One, this has been a problem for a long time with these data breaches happening because people are putting these databases out on the internet with no security on them, right, which is a bad thing to do.
You shouldn't do that.
There may be use cases, however,
where that's a good thing to do.
You may want to give access to a certain data set
without requiring authentication to it.
There are tons of research cases
where I can see that being beneficial.
And if this attack finds those,
it can destroy valuable data
that is supposed to be free and available, right?
Right.
But when you think about databases like Ars Technica talks about, a UFO VPN database that was destroyed that had all kinds of details.
There had been a disclosure about it that had account passwords in plain text, VPN sessions and secret tokens, all these things in that database that
were destroyed. It's probably too late, but it actually does those users some good in taking
their data and removing it from them, from UFO. I'm not saying this is the right thing to do.
I'm not saying this is the way you go about fixing this problem. But I think what we're
looking at here is someone who kind of views themselves as a caped crusader trying to help people out.
Vigilante justice.
Exactly.
Vigilante justice.
You have your data out on the internet?
Not anymore.
Not if I have anything to say about it.
So what do you suppose the endgame is on this?
Is this hopefully gets the word out to folks who are running these databases that
they need to secure them or they will have issues here? Yeah, that's kind of the upside. I mean,
I don't want to say that this is going to have an upside because this activity is malicious and
illegal, certainly. But if you don't have any risk of having your data destroyed when you put it out
there like this, then you're more likely to
do it. Now there's a risk that your data will be destroyed. So this does put an economic force into
play for better security. I'm not sure. In fact, I don't. I don't agree with the way this is being
done, but the economic force is a good thing. Interesting. Well, as we're recording this,
They've hit over 1,800 unsecured databases, and it'll be interesting to see if they continue along or if folks figure out ways to maybe tamp them down.
Oh, my money is on they'll continue.
That's where my money is.
Yeah, yeah. Always the optimist, Joe. Always the optimist.
Yeah, that's right.
All right. Well, Joe Carrigan, thanks for joining us.
My pleasure, Dave.
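The Meow wiping discussed above hits Elasticsearch and MongoDB instances that are bound to a public interface with authentication switched off. The following is an added illustration, not material from the episode or from the researchers it cites: a constructed weak configuration for each product beside a hardened one. The interface address 10.0.0.5 is a placeholder for an internal application-network address; the option names themselves (net.bindIp and security.authorization for mongod.conf, network.host and xpack.security.enabled for elasticsearch.yml) are the real settings.

```yaml
# mongod.conf: WEAK (constructed example, what an exposed instance typically looks like)
net:
  bindIp: 0.0.0.0          # listens on every interface, so it is reachable from the internet
  port: 27017
# no "security" section at all: authorization defaults to disabled, so any client that can
# reach port 27017 can list, dump, or drop every database without a username or password
---
# mongod.conf: HARDENED
net:
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the internal app-network address (placeholder) only
  port: 27017
security:
  authorization: enabled       # every client must authenticate and is limited to its granted roles
---
# elasticsearch.yml: WEAK (constructed example)
network.host: 0.0.0.0          # HTTP API on 9200 exposed on all interfaces
xpack.security.enabled: false  # no authentication; anyone can GET /_cat/indices or DELETE an index
---
# elasticsearch.yml: HARDENED
network.host: 10.0.0.5         # internal address only (placeholder)
xpack.security.enabled: true   # enforces users, roles, and (with TLS configured) encrypted transport
```

Two caveats a practitioner should know before applying the hardened side. For MongoDB, turning on security.authorization with no users defined locks out everyone except connections over the localhost exception, so create the admin user first (or immediately after, from the local shell). For Elasticsearch, versions before 8.0 shipped with xpack.security.enabled off on self-managed installs; enabling it requires bootstrapping the built-in user passwords and, if you want the transport layer encrypted, certificates. The interface binding is the more important line in both files: an authenticated service that is still reachable from the whole internet remains a credential-stuffing target, while a service that only answers on the internal network is not something a mass scanner can find.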
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. AI agents connect, prepare, and automate your data workflows, helping you gain insights,
receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo
is easy. Learn more at ai.domo.com. That's ai.domo.com.