CyberWire Daily - Another look at North Korean cyberespionage. Phishing with Google Docs. How Iran obtained US voter information. Election security enters its endgame.

Episode Date: November 2, 2020

Another look at Pyongyang’s Kimsuky campaign. Phishing with bogus Google Docs. How Tehran got its hands on voter information. Rick Howard looks at containers and serverless functions. Malek Ben Salem shares the results of Accenture’s 2020 Cyber Threatscape report. And looking ahead to the election influence endgame. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/212

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Another look at Pyongyang's Kimsuky campaign, phishing with bogus Google Docs, how Tehran got its hands on voter information, Rick Howard looks at containers and serverless functions,
Starting point is 00:02:11 Malek Ben Salem shares the results of Accenture's 2020 Cyber Threatscape report, and looking ahead to the election influence endgame. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, November 2nd, 2020. Their research follows up information developed and shared by CISA last week. Cybereason offers several new pieces of analysis, including descriptions of the KGH_SPY modular spyware toolset and the CSPY downloader, both of which lend additional stealth to the group's operations. The Kimsuky operators began working against South Korean targets, but their interests have expanded impressively. Among the targets Cybereason identifies are pharmaceutical and biomedical research companies working on COVID-19 vaccines and therapies, the UN Security Council, South Korea's Ministry of Unification, which works on inter-Korean relations,
Starting point is 00:03:42 various human rights groups, which usually take a jaundiced view of Pyongyang's dismal record, the South Korean Institute for Defense Analysis, various educational and academic organizations, selected think tanks, government research organizations, journalists who cover foreign relations and defense issues affecting the Korean peninsula, and of course, the Republic of Korea's military. Kimsuky has reached American targets as well.
Starting point is 00:04:09 While Cybereason thinks the evidence is short of dispositive, they conclude that there are clues that can suggest that the Kimsuky infrastructure targeted organizations dealing with human rights violations. Wired describes a new scam, evidently the work of Russian organized crime, that phishes victims with bogus invitations to cooperate on Google Drive documents. Essentially, it's Google Drive spam,
Starting point is 00:04:36 convincing in the same way earlier campaigns that traded on fake Google Calendar invitations. People are disposed to trust an invitation to collaborate on a document. While Google says it's doing what it can to suppress this campaign, it does note the difficulty of providing foolproof protection from spam. So again, a cautious and skeptical user is the best defense. If the document is unexpected, and if it looks nonsensical, decline the invitation.
Starting point is 00:05:08 There have been follow-ups to earlier reports of hostile activity. The U.S. Cybersecurity and Infrastructure Security Agency and the FBI have published a description of how Iranian threat actors used the Acunetix vulnerability scanner to search websites for voter registration information. Tehran subsequently used the information they obtained from the scans to mount the bogus and implausible Proud Boys campaign of threatening emails, which was quickly exposed and debunked. We say conventionally that the U.S. elections are tomorrow. Strictly speaking, with widespread early voting, they've been in progress for some time, but election day proper is tomorrow, and that's the day voting will be complete.
Starting point is 00:05:49 Most observers think it unlikely that the vote itself will be successfully manipulated by foreign actors. And much of the disinformation surrounding the election, like the rather bumbling Iranian attempt to discredit a campaign with forged threats we just discussed, has probably already taken place. So, the security of the vote itself seems unlikely to be compromised, but there remain 11th-hour threats to the election. It appears that the most probable cybersecurity incidents likely to arise in connection with the voting are disinformation efforts intended to exacerbate fissures in civil society
Starting point is 00:06:26 and retrospectively call the legitimacy of the results into question. It's also possible, as Politico notes, that various accidents, malfunctions, or misunderstandings could be misread as cyberattacks. For example, false rumors about the unreliability of new and less familiar voting machines could gain currency. Among those less familiar voting systems are ballot marking devices. These have for some time been used to help people with disabilities vote,
Starting point is 00:06:55 people who, for example, have difficulty reading small print or have a hard time holding a pen. These have been widely adopted in the state of Georgia, for example, and by a number of counties in Pennsylvania. Could such devices be hacked? Well, in principle, sure, but likelier than hacking is the possibility of malfunction or, even likelier, people simply finding them sufficiently unfamiliar to slow down the action of casting a ballot, which voters could misinterpret as a failure or as evidence of tampering. Election officials in most or all states are urging patience and skepticism. People shouldn't expect official results immediately. These things take time. Calling all sellers.
Starting point is 00:07:45 Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know
Starting point is 00:08:20 that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:08:57 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact,
Starting point is 00:09:46 over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And it is my pleasure to welcome back to the show Rick Howard, the CyberWire's Chief Analyst and Chief Security Officer. Rick, great to talk to you again. Hey, Dave. On this week's CSO Perspectives, you are tackling a couple of things,
Starting point is 00:10:20 secure containers and serverless functions. Let's start off with some definitions here. I'm going to go out on a limb here and say that when we're talking about containers, we are not talking about those big crates that get shipped around the world on giant seagoing vessels. We'll get to serverless in a minute, but let's tackle containers first. Well, I think you're right about that. I would say that's a general consensus for most people in the network defender world, including me, before I started working on this story. I had this big idea what these things are, but I wasn't really sure how they fit into the security
Starting point is 00:10:55 world. And it turns out that these two concepts are the current state of client-server architecture. I thought they were just some programming technique, but no, it's kind of the evolution of this idea that we've had in the computing world since the late 1960s. And about every 10 years or so, the community levels up the model to something completely different in terms of how we do it. It's basically the same idea though, client-server, but much more efficient. I was thinking about this with my wife this morning. I was remembering my first real big job in the Pentagon in the late 90s. It was the first time I got a network management job, right? And I walked into the data center on my first day, and to my shock, we had all the important applications running on one computer. It was email, databases, web server,
Starting point is 00:11:41 DNS, everything. So if the Windows server would have crashed, we would have lost everything. And I know that would never happen on a Windows server back in those days. But that's- I was saying to myself, please let it be Linux. Please let it be Linux.
Starting point is 00:11:53 Please let it be Linux. Right, okay. So we changed all that. And so basically, instead of one big iron server, one operating system, we changed it to the same thing, but one app per operating system on different machines.
Starting point is 00:12:06 So instead of running one server running everything, we went to one server running a bunch. I mean, a bunch of servers running a bunch of things. And that was the standard model for most of us back in those days. Yeah. Right? And then in the 2000s, virtual machines started to become stable. So that was the big change. CIOs could eliminate some of the cost
Starting point is 00:12:25 to all that big iron. They only needed one beefy big iron server with lots of RAM, CPU, and hard drive space. But they would have multiple virtual operating systems running partitioned away from each other. So if one crashed, the others would still function. So that was a little bit better. In the later part of the decade, as cloud services started to come online, CIOs could eliminate the big iron servers altogether. They would put multiple virtual operating systems in the cloud environment, still running one app per operating system, though. But they didn't have to manage all that big iron anymore.
Starting point is 00:12:59 So that was better in terms of cost and efficiency. Well, I can see where we're going in terms of the overall evolution and the efficiency, but I'm still scratching my head when it comes to the use of resources. I mean, what you're describing here, we're deploying a standalone operating system for every app that we're running. That seems like a bit of overkill to me, especially when you consider things like having to keep all of those independently operating systems updated with bug fixes and patches and all that sort of stuff. Don't you end up sort of on the upgrade and patching hamster wheel, if that's your approach? It's exactly right.
Starting point is 00:13:38 And, you know, it's the reason you still see some infamous Windows XP blue screens of death as you walk around airport terminals, right? Because for those that don't know, Windows or Microsoft ended the life of Windows XP back in 2014. There have been five, count them, five completely different operating systems since then, right? But the application developers for the airport terminal apps found it easier just to keep running the extremely old operating system rather than try to keep their applications up to date, right? And so that was kind of the current state, but this is where containers and
Starting point is 00:14:15 serverless functions come in. This is the big innovation, right? So with containers, you build a virtual standalone box of software that only contains the application, plus the software libraries you use to build it and some other knickknack binaries it requires, plus a couple of operating system pieces it depends on, and a couple of configuration files, and run it on a bare-bones kernel of an operating system, and that's it. The box is hermetically sealed against any future operating system upgrades or patches. And then every container you build this way shares the base operating system, this kernel, but none of the other flotsam and jetsam features that always come along with the operating system package. So this protects the container from, say, the most recent NVIDIA graphics driver patch designed to improve the gaming experience of seven-year-olds playing Fortnite. Okay. Right.
Starting point is 00:15:10 But that may cause your app to crash because you share some of the same software library. Right. Suddenly nobody knows when their flight's going to arrive at LAX. That's right, because I'm killing the monsters inside of Fortnite, right? Right, right. So that was the giant leap in the client-server architecture idea. Now you have one virtual operating system running in the cloud or your data center and multiple lightweight software containers, each running the apps you want to deploy.
Starting point is 00:15:39 Okay, well, all right, that makes a lot of sense to me. So let's swing back around and tell me what's going on when we're talking about serverless functionality then. How can this stuff running on servers be serverless? I know. I've thought about that for many, many years, right? So the serverless function name represents a bit of confusion here, right? So, of course, there are servers in this evolution of client-server architecture. They don't disappear.
Starting point is 00:16:09 They have to be running somewhere. The point is they are serverless for the customer. The customer doesn't have to manage the server and operating system at all. The cloud provider does it. Serverless functions take the idea of containers to the extreme. Instead of maintaining an operating system and building your own containers, developers write the code, the functions in other words, and deploy them in the cloud provider system for future execution.
Starting point is 00:16:34 Hmm. All right. I guess I'm still trying to get past this not being semantics and smoke and mirrors. I mean, it sounds to me like these are programming techniques. And I see the value in sort of developers being able to kind of isolate potentially buggy code. But what about the security implications here? How does it affect that? Well, I mean, you're spot on here, right?
Starting point is 00:17:01 Because the difference in this new kind of client-server architecture today, compared to how we wrote code before, is that these things take up internet real estate. They essentially add more attack surface for a potential adversary to leverage and require the same first-principle cybersecurity protections that we would apply to any other digital asset within our organization. They're exposed, or they're more exposed than they were in previous lifetimes. All right. Well, it sounds like you've got a great episode going. This is a don't-miss episode of CSO Perspectives. I know I'm going to be tuning in because it sounds to me like I've got a lot to learn that I didn't know I had to learn, so I'm going to let you teach me.
Starting point is 00:17:45 It's CSO Perspectives as part of Cyber Wire Pro. Rick Howard, thanks for joining us. Thank you, sir. Cyber threats are evolving every second and staying ahead is more than just a challenge. ...to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And joining me once again is Malek Ben Salem. She is the Americas Security R&D Lead at Accenture Labs. Malek, it's always great to have you back.
Starting point is 00:19:00 You all recently released the most recent version of your Cyber Threatscape report. Let's go over that together. What sort of things did you focus on in this round of the report? Thank you, David. Yeah, we just released our Threatscape report. This is a report that focuses on the latest threat trends that our CTI analysts have observed. And we've highlighted three major trends that we've seen over the year of 2020. The first one is that sophisticated adversaries are masking their identities
Starting point is 00:19:37 with off-the-shelf tools. This is a trend that we've seen with a number of suspected state-sponsored and organized criminal groups. They are using a combination of off-the-shelf tooling as well as open-source penetration testing tools at unprecedented scale. And you may ask, why would they do that? And they're probably doing that, well, first because the tools are available and easy to use, but also the main reason is to hide their identities. So they look like folks of perhaps lower capabilities than they actually are. Exactly. And our analysts have seen that with a group that Accenture refers to as SOURFACE. It's also known as Chafer or Remix Kitten. They've been around since at least 2014, and they're known for their cyber attacks against the oil and gas, communications, and transportation industries in the U.S., Europe, or Saudi Arabia.
Starting point is 00:20:46 And our analysts have observed that they are using legitimate Windows functions and freely available tools such as Mimikatz, which is very well known for credential dumping. What else have you been tracking? A second trend that we've observed is that new sophisticated tactics are being used to target business continuity. ...in Outlook Web Access, and then uses these compromised systems as beachheads within a victim's environment to hide traffic and to relay commands and compromise email and steal data. In particular, the group that we've observed, which is operating from Russia and is known as Turla or Snake. It has been active within the last 10 years and is associated with many cyber attacks.
Starting point is 00:21:53 Its target is really business continuity, so bringing systems down and compromising email and stealing data. And what's the third category that you've focused on here? So the third main trend that we've observed is that ransomware seems to be growing. It's feeding a new profitable and scalable business model. As a matter of fact, there has been a 60% increase in the average ransom payment, and that's across the first quarter of 2020. So this obviously encourages these groups to expand their activities. Our analysts have observed that
Starting point is 00:22:41 one group was performing a recruitment campaign on a popular dark web forum. This is a group known as Sodinokibi. It's also known as REvil. And so this basically demonstrates that this business is profitable, it's scalable, and it will continue to be so over the next year. Yeah, isn't it funny how a couple years ago we were speculating that perhaps crypto mining was going to take the place of ransomware. That did not play out, did it?
Starting point is 00:23:15 I know. No, it didn't. It didn't. And there is no need to, right? Right, right. If people continue to make the payments, then attackers will know, attackers will continue to take the easy way. Yeah. Yeah, absolutely. All right. Anything else in the report that you wanted to highlight?
Starting point is 00:23:33 Well, I think all of these trends basically emphasize the need for agile security, right? Agile security, right? Businesses need to be ready, need to be able to adapt quickly and to change their game quickly in response to the attacks that they're receiving. And the fact that COVID-19 has radically shifted the way we work also, you know, drives a need for that security agility that is of utmost importance. All right. Well, Malek Ben Salem, thanks for joining us. Thank you, Dave. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:24:32 And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Oh, what a relief it is. Listen for us on your Alexa smart speaker too. Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment called Security, huh? I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed and check out the Recorded Future podcast, which I also host. The subject there is threat intelligence.
Starting point is 00:25:07 And every week we talk to interesting people about timely cybersecurity topics. That's at RecordedFuture.com slash podcast. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond,
Starting point is 00:25:30 Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell,
Starting point is 00:25:36 John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. ...measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to
Starting point is 00:26:32 your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
