CyberWire Daily - Bad Woodcutter is still bad, but not invincible. CactusPete is in Eastern European networks. Exploiting COVID-19. Celebrity endorsements (not).
Episode Date: August 14, 2020

An update on Fancy Bear and its Drovorub rootkit. Karma Panda, a.k.a. CactusPete, is scouting Eastern European financial and military targets with the latest version of a venerable backdoor. How criminals and terrorists exploit COVID-19, and how law enforcement tracks them down. Caleb Barlow from Cynergistek covers security assessments and HIPAA data. Our guest is Ryan Olson from Palo Alto Networks on the 10th Anniversary of Stuxnet. And those celebrity endorsed investment scams aren't actually endorsed by celebrities, and they're not actually good investments. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/158
Transcript
An update on Fancy Bear and its Drovorub rootkit. Karma Panda, also known as Cactus Pete, is scouting Eastern European financial and military targets with the latest version of a venerable backdoor, how criminals and terrorists exploit COVID-19, and how law enforcement tracks them down. Caleb Barlow from Cynergistek covers security assessments and HIPAA data. Our guest is Ryan Olson from Palo Alto Networks on the 10th anniversary of Stuxnet. And those celebrity-endorsed investment scams aren't actually endorsed by celebrities, and they're not actually good investments.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday,
August 14th, 2020. We spoke yesterday about the joint alert NSA and the FBI issued concerning a new malware toolset operated by Russia's Military Intelligence Service, GRU.
To recap briefly, the advisory described Drovorub, in English "woodcutter," which is malware deployed by APT28. And APT28 is, of course, Fancy Bear. Drovorub is a multifunctional Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a command and control server. So far, it seems that Fancy Bear is Drovorub's only user.
Both NSA and the Bureau offer advice on how to detect the malware and protect against it. The warning is being taken seriously. As The Register puts it, four words you don't want to see together are "Fancy Bear Linux rootkit."
Researchers at security firm Kaspersky have published an update on the activities of Cactus Pete,
also known as Karma Panda, which we prefer because we like animal names,
a Chinese APT that's using a new form of the Bisonal backdoor against defense and banking targets in Eastern Europe.
Bisonal isn't new.
As ZDNet reports, it's been under active development for a decade.
But it continues to evolve, and it's the latest evolution that's drawn the attention of researchers.
Its ability to handle Cyrillic script suggests that its activities extend east through Ukraine, Belarus, and Russia.
The effort Kaspersky describes is a cyber espionage campaign,
but it might also represent reconnaissance and battle space preparation for
more damaging attacks. Karma Panda has earlier been active against Japan, South Korea, and the
United States. Researchers at Cisco Talos say the group is run by the Chinese government.
Fortinet's semi-annual global threat report notes that while it should at this point be obvious to everyone that the dramatic increase in remote work brought about by COVID-19
has created opportunities for cybercrime and espionage,
nonetheless, they can't talk about threats in 2020 without discussing how the pandemic has shaped them.
As they say, quote, "Predictably, cybercriminals of all shades, from opportunistic phishers to scheming nation-state actors, found some way to exploit the pandemic for their benefit. Organizations around the world were suddenly confronted with a situation where they had to support a majority of employees working from home. [...] an unprecedented opportunity to break into enterprise networks by targeting weakly protected home networks, consumer devices, VPN connections, and video communication and collaboration tools."
And it's not just the expanded attack surface, it's also the anxiety over the virus that's
rendered people susceptible to social engineering tailored to that anxiety. Two such cases are worth a look. In the first case,
a cooperative enforcement action conducted with Vietnam's Ministry of Public Security,
the U.S. Justice Department has moved against online COVID-19 scammers based in Vietnam.
The Justice Department obtained a temporary restraining order against three residents of
Vietnam, whom prosecutors allege
to have engaged in a wire fraud scheme seeking to profit from the COVID-19 pandemic. Prosecutors
say the three ran more than 300 websites that fraudulently offered products for sale when
pandemic-driven demand rendered them scarce to the point of practically unavailable. You know,
those sorts of things. Hand sanitizer,
disinfecting wipes, products like that. Thousands ordered the goods but never received them.
A U.S. district judge has ordered an emergency temporary restraining order whose effect has
been to disable the websites. Further action against the alleged fraudsters can be expected.
That's a traditionally criminal motive for COVID-19 fraud.
The other COVID-19 fraud is still criminal, but less traditional.
U.S. authorities have also taken action against online COVID-19-themed fraud committed to the benefit of Islamist terror groups, seizing millions in Bitcoin. The groups that benefited from the fraud include ISIS, the al-Qassam Brigades, and al-Qaeda. The Department of Justice says it's issued three forfeiture complaints and one criminal complaint.
ISIS was the group that allegedly ran the COVID-19-themed scam, selling cheap knockoffs
of personal protective gear through facemaskcenter.com.
Unlike the straight-up crooks in Vietnam, ISIS apparently delivered at least some of the goods.
But as the Justice Department notes, they weren't the FDA-approved N95 respirator masks the dealers said they were.
Both the Al-Qassam Brigades and Al-Qaeda were simply making direct appeals for Bitcoin donations.
They assured their donors that altcoin donations were untraceable and therefore safe,
and there's a good chance they themselves believe this.
Al-Qaeda included a telegram-based Bitcoin laundering service in their offering.
Cryptocurrency isn't, of course, necessarily untraceable,
but it's acquired a kind of totemistic status in the charities established to support terrorists.
The Justice Department used tools from the blockchain company Chainalysis to trace the funds.
As Chainalysis says with understandable pride,
their tool enabled the Feds to uncover who sends funds, who helps launder funds,
the goods and services they buy with the funds,
and more. And finally, InfoSecurity magazine reports that Britain's National Cyber Security
Centre, a GCHQ unit, has seen so many bogus endorsements for investment scams fraudulently imputed to celebrities that it felt it necessary to warn people that no, neither Ed Sheeran nor Sir Richard Branson is actually offering you a foolproof way of doubling or tripling your money.
Or more.
NCSC has taken down more than 300,000 URLs used to run the scams.
Of course, someone's making money.
The funds the marks click through
in order to place their investments.
Scammers have made out quite well from them.
Time flies, as they say, and it's hard to believe it's been just about 10 years since the world learned about Stuxnet, the malicious computer worm believed to be responsible for causing substantial damage to Iran's nuclear program. Ryan Olson is vice president of Palo Alto Network's Unit 42,
and he joins us with thoughts on Stuxnet, as well as the 2020 Unit 42 IoT threat report.
So late last year, Palo Alto Networks acquired a company called Zingbox. And Zingbox was an IoT-focused company. They collected a lot of data in the past around the types of IoT devices
that they had seen inside of networks,
as well as the vulnerabilities that those devices had.
And based off that data, we collected it together and did some analysis.
And that's really what led to the report.
So it was the sudden influx of a whole bunch of data specifically related to IoT as well as a lot
more expertise in the world of IoT. And we saw an opportunity to start talking more about the fact
that there are a lot of threats related to all of these tiny computers spread out around the world.
Yeah. Well, let's go through some of the key findings together. What sort of things came to the surface here?
So there were a few things that were especially interesting to us.
And one thing to keep in mind is a lot of the data that Zingbox had acquired that we were working with was related to medical IoT.
So lots of devices in hospitals and other sort of medical environments, although it was more broad than that.
Enterprise IoT was also encompassed in the report.
There were a couple of really interesting findings. And the one that was most interesting to me was the number of medical IoT devices that were running outdated software, software that was no longer supported, and specifically operating systems. So what we saw was Windows 7 went out of support earlier this year. That meant 83% of the devices, medical IoT devices that we were looking for, and specifically imaging devices, things like x-rays and other systems that do medical imaging, were running one of these out-of-date, unsupported operating systems. Which means Windows 7, Windows XP, those are the big ones. 83% is a pretty significant proportion of them. And that means they're not getting updates anymore.
But also, those devices are all pretty old.
Like if you imagine a computer, a Windows computer that's still running Windows XP,
it's got to be relatively old getting deployed out into the world.
And it comes with a lot of vulnerabilities.
And because of that, we tend to see lots of old malware
just sort of bouncing around inside of these networks.
Conficker is one that we still see inside of hospitals, spreading from device to device, even though the vulnerability that it exploited was from 2008.
Right. Well, take us through some of the threats that you were tracking here.
When the bad guys are coming after IoT devices, what sort of things are they doing?
The main thing that we've been tracking is the exposures that are happening for these devices.
So how are they configured? What kind of vulnerabilities exist inside them? We
categorize these all as security issues. So in a lot of cases, the issues that we found were
related to passwords, default passwords that are left on the devices, as well as network
exploitable vulnerabilities where someone could execute some sort of code on the device. But most of the actual attacks that
we saw that we identified were commodity malware that was spreading around infecting Windows
systems, as well as devices that were simply being taken over and being used for things like
cryptocurrency mining, cryptojacking, oftentimes we might refer to it that way. So not super significant impact against the devices themselves,
but that I think has more to do with the fact that the people who launched those attacks,
whenever they did so, they did so indiscriminately, where a worm is spreading around,
just sort of trying to hit every single device that might contain a vulnerability.
Or worm like the kinds of router worms that we've seen in the past, like Mirai, where they spread to as many Wi-Fi routers as possible, take advantage of them through either vulnerabilities in the
routers or network-connected devices or default passwords, credentials that are left on the
devices and are unchanged. But I think that tide is going to shift as more attackers realize the resource that could
be potentially available to them through these IoT devices as they continue to proliferate
inside of networks.
Well, my pal Joe Kerrigan, who works at Johns Hopkins, he says, you know, says that over
on the hospital side of things that, you know, when a doctor or a surgeon is faced
with a choice between medical care and security, medical care wins every time. And there's no
discussion, you know. So, I mean, that's the reality of it. And so that's the, I guess that's
the framework within which the security folks need to operate. Yep. And that's what we should expect.
And that is different. If you've been working in information security and your entire focus is just on the information and the systems themselves, once those systems are more interacting with the real world, it changes everybody's concept of what happens. And this is one of the reasons that Stuxnet, which we're coming up sort of on the 10-year anniversary
of that huge attack,
was so significant in changing the way
that people thought about what was possible
from an attack perspective.
The fact that someone or a group could write malware,
which would spin up centrifuges and then spin them down
and surreptitiously destroy
them over time to degrade the Iranian nuclear capability, this was science fiction until 10 years ago. But it became very possible. And I'll say Stuxnet is one of those few pieces of malware that, if you were to ask, and I might be a little skewed on this, but not a random person on the street, but certainly more people know about Stuxnet from a malware perspective than any other piece of malware I've ever mentioned.
Because it was, and a lot of that was because it crossed that cyber physical barrier. It wasn't
about destroying information. It wasn't about stealing your data. It wasn't about corrupting
your data. It was about breaking things. And I think that makes attacks a lot more real for people.
And that's entirely the world of IoT. It breaks things. Things break when IoT systems don't work anymore. That's Ryan Olson
from Palo Alto Networks. There's an extended version of our interview available on CyberWire
Pro. Check it out on our website, thecyberwire.com.
And I'm pleased to be joined once again by Caleb Barlow.
He is the CEO at Cynergistek.
Caleb, it's great to have you back.
I wanted to touch today on security assessments,
particularly as they apply to things like planning and budgeting,
some of the stuff that you deal with from time to time. What can you share with us?
Well, you know, I think the first thing we have to think of, Dave, in all of this is
how do we think about security assessments differently in this world of COVID, right?
And so my answer to your question would totally change from the last six months. And, you know, I always like to start thinking about this by realizing that the adversary is human.
And they, too, have been impacted by this.
You know, they're trying to find a quiet place in the house to work away from the family.
And remember, their budget has probably also been impacted.
It's not like targeting travel sites is probably going to do
you any good in the middle of this. Well, here we sit, you know, we're a couple months in now.
And is it fair to say the transition is done, that we're kind of, we're settled in for the
longer haul now, that it's time to calibrate and set the standards for this new normal?
I think that's exactly it. And I think we have to stop thinking about,
oh, what happens when we all get back to the office?
And I think we have to accept this as the new normal.
And I'll do one of the things security guys should never do
and use a medieval castle analogy, right?
So, you know, it's like we had the medieval castle,
we spent extra money on the alligators and the moat
and the archers on the wall,
and COVID started and we just told everybody, run, get the hell out of the castle as fast as you can and social distance. So we're all now running around. The princess has got the jewels around
her neck and she's running around the forest. So what this ultimately means, though, is that
attack surface has totally changed. You know, the workstation your employee's using
wasn't sanctioned by the company.
It was set up in a hurry.
It's a shared workstation that their kids play games on in the evening.
The VPN was poorly configured,
and no one really knows how it terminates.
The home router's full of vulnerabilities,
and there's probably Bitcoin mining on the side
and hasn't been updated since it was purchased.
So, you know, the point is there's a
whole new slew of vulnerabilities that are going to make it much easier for the adversary. And here's
the really hard thing for security professionals. Your security assessment now actually needs to
look at the home network. Well, where do you begin? Because everyone, I assume everyone's home network
is a little bit different. So rather
than, you know, being able to standardize on one thing at the office, it's a whole series of one
offs. Well, okay. So there's a couple of things actually you can do. First of all, consider paying
for the router. And better yet, like a lot of, you know, a lot of companies got out of paying for your home network connection.
And most, you know, ISPs, you can rent the home router.
And I would actually think that maybe that's a good idea, right?
You know, go rent the router from Comcast because all you got to do to update it is go take it into the office and they'll give you a new one, right, if you're renting it.
Mandate that employee workstations you control. So it doesn't
mean you can't do BYOD, but you have to have your security platform on top of that workstation that
your employees are using. And lots and lots and lots of education. You know, it is not appropriate
to be at home using the same workstation that Junior plays Fortnite on
to also go access medical records. That's just a bad idea.
You mentioned your medical data. What about HIPAA considerations? How does that come into play?
Well, I'll tell you now, my companies had to deal with this as an example, right? We
generally speaking don't access patient records, but we do a lot
of privacy monitoring. So when we're chasing down a case, you know, we potentially run across
inadvertent use of medical records, which ultimately means our people are seeing medical
records, right? So, you know, we used to mandate that this work was done 100% in the office. Well,
guess what? It can't be done in the office anymore. So we worked with clients
and let them know what we were doing.
We put in place new levels of VPN protection,
end-to-end encryption.
We ensure that that workstation that is being used on
is one that we control.
And we actually took precautions
to make sure we understood
what was the environment you're working in at home.
You know, are you in a place
where you can actually close the door?
And, you know, even in some cases,
you know, take a picture of it,
send it to us and make sure we can check it out, right?
And, you know, it sounds like a bit of a patchwork,
but just by asking those questions,
you start to instill the right culture.
So yes, I mean,
you also have to understand, particularly with HIPAA, is regulators have largely put a lot of
the restrictions around telemedicine aside, and that was the right thing to do. And now we need
to figure out how to get it back under control. But guess what? The genie's out of the bottle
and it's never going back in. This remote work thing
is here to stay. Telemedicine is here to stay. In fact, telemedicine probably accelerated by 10
years, which is great. Now we need to secure it. Yeah. People are demanding it. They like it.
Absolutely. Yeah. Yeah. All right. Well, interesting insights as always. Caleb Barlow,
thanks so much for joining us. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for
listening. We'll see you back here tomorrow.