CyberWire Daily - Coronavirus fraud booms; prosecutors are taking note. Stolen data on the dark net. Software updates affected by pandemic. A new Mirai variant is out. A DDoS that wasn’t.
Episode Date: March 23, 2020
US prosecutors begin to follow through on their announced determination to pay close attention to coronavirus fraud. Data stolen from Chinese social network Weibo is now for sale on the black market, at a discount. The pandemic affects scheduled software updates and sunsets at Google and Microsoft. A new Mirai variant is out in the wild. And a DDoS attack in Australia turns out to be just a lot of Australians in need of government services. Mike Benjamin from CenturyLink on threat actors using 3rd party file hosting; guest is Andrew Peterson from Signal Sciences on top application security attacks. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_23.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
U.S. prosecutors begin to follow through on their announced determination
to pay close attention to coronavirus fraud.
Data stolen from Chinese social network Weibo
is now for sale on the black market at a discount.
The pandemic affects scheduled software updates
and sunsets at Google and Microsoft.
A new Mirai variant is out in the wild.
And a DDoS attack in Australia turns out to be
just a lot of Australians in need of government services.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 23, 2020.
U.S. federal prosecutors are taking the Attorney General's advice on getting serious about
investigating COVID-19 fraud seriously.
The U.S. Department of Justice announced yesterday that it had undertaken its first enforcement action against online coronavirus scams. The site, coronavirusmedicalkit.com, was offering World Health Organization COVID-19 vaccine kits
for just $4.85 shipping and handling. And that would be a bargain, except that there is no
vaccine, still less a vaccine kit, and the World Health Organization isn't distributing anything
of the kind. Connoisseurs of phishing expeditions will note that the website, which the Department of
Justice is queuing up for a wire fraud indictment, asks people to enter their credit card information
on the site. It's simple and easy, but it's also phishing, and you don't have to be Sir Izaak Walton
to figure out what comes next. A federal criminal investigation into alleged wire fraud continues.
The injunction is intended to prevent harm to potential victims.
The announcement quoted the U.S. attorney for the Western District of Texas as noting the action's consistency with Attorney General Barr's memorandum urging that priority be given to prosecution of coronavirus-related online crime.
There are also some cooperative state and federal law enforcement
efforts in progress. State Scoop reports that the U.S. Justice Department and the Commonwealth of
Virginia have formed a task force to investigate coronavirus fraud. It's particularly important
at times like this to verify that appeals from businesses, charities, and government agencies
are in fact legitimate, that the appeals are in fact coming from the real organizations,
and that those organizations aren't selling snake oil.
There's always a bull market in snake oil at times like this,
and phishing is going like gangbusters.
And there's always a bull market on stolen PII.
It's a criminal evergreen.
Information from 538 million users of the Chinese social
network Weibo is now for sale online. ZDNet, which has seen the black market advertising for the data,
says the information offered includes real names, site usernames, gender, and location. About a
third of the affected users' phone numbers are also for sale. Still, the data are less valuable than they might have been.
Passwords aren't included, which accounts for the data's low, low price of roughly $250 American.
The coronavirus pandemic is having an impact on software updates.
According to Forbes, Microsoft has decided to extend security support for Windows 10 by six months,
out through October 13th of this year.
Redmond's intention is to ease the burden on customers who have other things to deal with these days,
beyond upgrading to a newer OS.
Google's planned upgrades to Chrome are also being affected, in this case put on hiatus.
Mountain View says its priority is to ensure Chrome continues to be stable, secure,
and work reliably for anyone who depends on it.
If any fixes are necessary,
Google says the ones affecting security will get first call on their resources.
They're also making changes to their planned upgrades.
Chrome 81, released last week, will remain in beta, BleepingComputer reports.
Google will skip Chrome 82 altogether and move on to Chrome 83.
By some accounts, nearly 40% of successful breaches occur at the application layer,
but investments in securing that layer continue to lag.
Andrew Peterson is founder and CEO at Signal Sciences,
a company that's looking to close that
gap. We caught up at the RSA conference.
So it's interesting with the rise of this
conversation around zero trust networks. So many people have focused on the authentication side of
what that story is. And to us, zero trust at its core is whether or not it's an internal application
or an external one from a web perspective, Because a lot of people are still, look, when you're building internal applications
within a company, a lot of times you're building it as a web-based application, right? So you're
accessing that internal application with your web browser. And historically, you've never used a
WAF on that. That's always been behind a network, you got a VPN, you're inside. But to us, it's like,
look, if you have somebody that's an authenticated internal user
sending OWASP Top 10 attack types,
SQL injection or cross-site scripting or whatever
on those internal apps,
you got to be more worried about that
than even your external apps.
Because those internal ones,
especially if you get access to it,
you're going to have user credentials and user control
to be able to access all sorts of things that in many ways are actually way more harmful or potentially more valuable
to that attacker than something that they could access via a customer-facing website.
That's a big area that we've been talking to a lot of the analyst community and a lot
of our customers about.
If something hasn't been in the budget for protection in the past, it's got to be something
new that people are thinking about. So we're saying, look, whether or not it's an internal application
or an internal one, that philosophy around zero trust,
it's use the same approach that you're using on external things
for internal applications.
It needs to apply in this web protection space as well.
How do you help your customers when they come to you
and they say, listen, I've got,
here's my budget and I've got to figure out how I'm going to allocate, you know, what gets what
percentage of what, you know, and how do I help me understand how to throw the correct amounts of
money at the different tools, one of which could be yours. What's that conversation like?
It depends on the customer, first of all, right?
And they tend to fall into two buckets.
One where it's a company that's probably
just starting to make investments in security tools.
And then the other would be an enterprise
that's been doing it for a long time.
So the new customer group where they're trying to say,
hey, look, I'm making a budget from scratch
or I know that I need to make more of an investment
on the security side, that's great.
And we're seeing that more and more. There's more companies earlier on that are making
earlier investments in security. And the question then with them is, well, what are the most
important assets you have? And those companies, they tend to be cloud native. They fall into that
bucket of modern software or modern technology companies where the whole value of their
technology is actually the software, right?
Right, right. Looking at the big picture, as you look towards the future, not just within your own
products, but within the whole vertical of cybersecurity itself, what sort of things
are you looking toward? How do you see things playing out?
I've been lucky to have some conversations with a bunch of folks
that are really forward thinking, right, in this area. And so we certainly have our own views,
but I like to validate that with other people on the market. And I think one of the consistent
things that I've heard from CISOs about what they think that the, especially the defensive world,
needs to be able to move forward is kind of two different things. One is when one person gets attacked,
we need to make sure that everybody else
becomes more protected instead of more vulnerable, right?
And so the message there is essentially like,
if an attacker is able to find one CVE
and they're able to exploit that,
typically what happens is they use that same CVE
on everybody else and immediately everybody else
is less safe
rather than more safe after that attack has occurred.
Even after you do analysis on it
and we can give reporting and we can name the CVE
and we call it all that,
that's something that attackers are always going to have
the advantage on defenders
until we can get into a situation where,
hey, the moment that one person gets attacked
and we can identify that attack pattern,
that we can actually make everyone safer at the same time.
So surprise, surprise, this is kind of a core value
of what we do, at least, at Signal Sciences.
But I think you're starting to see this
at other types of security companies as well,
is that they're leveraging this cloud backend system
where you can have a bunch of technology
that's deployed within a bunch of different infrastructure
and once you identify an attack
that's happening in one place,
the whole network gets stronger
and the whole network gets smarter
and that's immediately, right?
That's not like, hey, we're going to do an FS-ISAC
and we're going to share information after the fact.
We're going to do it actually in an automated fashion.
And figure out a way where all these different systems
can talk to each other,
can exchange that information
in a Rosetta Stone for this sort
of stuff, right?
It's not a silver bullet, right, by any means.
But I think it is the way that
if we're seeing so much of what
the attackers are doing is using automation
as a means of being able to get the other upper hand,
we as defenders need to be able to use
automation to be able to counter that.
So it's essentially, to me, it's the only way that we can really sort of try to scale
our defensive efforts is, yeah, is that concept is, hey, if one person gets attacked, everybody
else should become stronger rather than become weaker in the process.
That's Andrew Peterson from Signal Sciences.
A new variant of the Mirai botnet has been exploiting LILIN DVRs
and Zyxel network-attached storage devices.
Both LILIN and Zyxel have issued fixes,
but unpatched devices remain vulnerable.
Palo Alto Networks' researchers first described the Zyxel issue last Thursday.
Researchers at Qihoo 360's Netlab found the similar LILIN vulnerabilities, which they disclosed Friday.
Palo Alto calls the botnet Mukashi.
ZDNet reports that the LILIN bugs may have been under exploitation since last August
and have figured in distributed denial-of-service attacks.
Australia's Minister for Government Services says the country's myGov website had suffered a successful distributed denial of service attack, but quickly recanted.
It was just thousands of Australians seeking COVID-19 relief, news.com.au reported.
A ZDNet op-ed complains that Canberra has again underestimated the requirements of offering government services online.
In this case, last week there were 95,000 people visiting myGov to seek information and services as the country prepares further measures to weather the coronavirus pandemic.
The site, the Minister for Government Services said, is only designed to handle 55,000.
So it's not malicious outsiders, but another case of meeting the enemy and finding
he is us. The stress on myGov drove people, many of them people whose employment has ended or is
at risk during the pandemic, to seek help in person at Centrelink offices. That didn't go
well either. Not only are the offices working with reduced staffing, but the waits would have
been long in any case with lines stretching around city blocks.
It's difficult to know how well people were keeping their distance,
but from the photos in the Sydney Morning Herald,
it looks as if they're generally standing a lot closer than the recommended two meters.
Stateside, people are saying stand six feet apart,
but that's just because six feet is easier to visualize than 6.56168 feet.
Not because North American viruses give you a half foot's worth of leeway.
And joining me once again is Mike Benjamin.
He's the head of Black Lotus Labs at CenturyLink.
Mike, it's always great to have you back.
One of the things you and your team have been tracking is how some of the threat actors have been using third-party file hosting
to do some of the things that they do.
Can you give us some information here?
What are we looking out for?
Yeah, and I'd say that this isn't the newest
behavior change, but we haven't talked about it en masse as an industry. So we thought it was
something interesting that would be topical to discuss. And realistically, what we're seeing
is that many of us have learned to trust these third-party central services. So for instance,
Dave, as you and I are talking here today, I had to include a third-party JavaScript library in my browser that's hosted on one of these well-known public cloud services.
My computer now trusts it.
And when we're looking at links in our browsers, we're looking at files we download, we've learned over time that some of those big names in the industry are trustworthy.
In fact, quite frankly, they have amazing security teams.
They do a really good job at removing things. But all the better for now the actors to put files there for a very short
time period, deliver it to a small number of people, and abuse that trust. And so the simple
act of looking in a browser URL bar to see that, hey, that's a major brand I know, and that really
is their domain, is something that we've taught people.
Now we've allowed actors to put their own malicious files
on those very domains.
And so it's not just an act of making sure the domain is trustworthy,
but even just making sure that the person who sent it
is really who it should be,
making sure it's something you actually expected.
Now, is time a factor here,
where the bad guys are putting their files up
knowing that they're going to be discovered and removed quickly
so they have a certain window of time to take advantage of?
Yeah, so for a long time, they were actually hosting the primary file
of their malware on some of these providers.
And over time, the providers have gotten very good at deleting them,
allowing them, or even blocking them on upload. And so that time-based aspect definitely is a component of it.
So now we see the actors shifting to putting only their first-tier downloaders on those things.
Now there's scripts they can obfuscate and modify more readily over time,
making it much more difficult for the hoster to detect in real time that it's malicious.
And so that lightweight maldoc, that lightweight PowerShell script,
whatever that may be, that can now be permitted for download
for a longer time period, allowing them a little bit more leeway
in their campaign time.
What sort of technology is available in terms of protecting users
from themselves when it comes to this sort of thing?
I mean, I can imagine, as you say,
some users will see a trusted name,
they'll click through.
Is there a second line of defense
that an organization could have in place?
Well, we go back to traditional security controls,
content filters, sandboxes, endpoint agents,
anything that's going to be able to detect and block
either in real time or relatively quickly after download, be able to remove the host from the environment or sandbox the file inside the file system.
All of those things can be effective, as they have for a number of years.
But realistically, what we're trying to convey is make sure that people know what that threat is, be aware of it, be cognizant of yet another thing they should be thinking about,
and realize that just because the domain name may be trusted, the entirety of the URL may not be something you expect to go to. I know I use some of those services for my personal email and other
things. That doesn't mean that everything at those domains should be something I should be clicking
on or interacting with. And even on top of that, we do see the actors making use of some of the mass
mailing software out there that's very popular with the most reputable brands for their customer
contact, their email marketing campaigns. What a great way to bypass mailing software that's
looking for things to block than using a very trusted service. So just keeping in mind that
this is an avenue actors are using, and then going back to making sure the efficacy of those normal controls that we've all been focused on for a number of years are there and
effective and installed and monitored.
All right. Well, Mike Benjamin, thanks so much for joining us.
And that's the CyberWire. Sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.