CyberWire Daily - COVID-19 as both incentive for remote work and phishbait. Offshored trolling. A list of “digital predators.” US Senate doesn’t extend domestic surveillance authority.
Episode Date: March 13, 2020
COVID-19 significantly increased remote working, and the pandemic is now a favorite lure in the phishing tackle of both intelligence services and criminal gangs. Russian trolling has been offshored, setting up shop in Ghana and Nigeria for running influence operations against the US. Microsoft issues an out-of-band patch. Reporters Without Borders publishes its list of “digital predators.” And the Senate doesn’t renew US domestic surveillance authorities. Thomas Etheridge from CrowdStrike on the impact of ransomware; our guest is Josiah Dykstra from NSA on cloud vulnerabilities from an NSA viewpoint. For links to all of today's stories, check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_13.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
COVID-19 significantly increased remote working,
and the pandemic is now a favorite lure in the phishing tackle
of both intelligence services and criminal gangs.
Russian trolling has been offshored, setting up shop in Ghana and Nigeria for running influence operations against the U.S.
Microsoft issues an out-of-band patch.
Reporters Without Borders publishes its list of digital predators.
And the Senate doesn't renew U.S. domestic surveillance authorities.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary
for Friday, March 13, 2020.
The COVID-19 pandemic is generating two immediate security effects.
First, it's dramatically increased the incidence of telework, and this, as The Washington Post and others point out,
brings with it an expanded opportunity for cyber attack and a relatively unfamiliar set of security challenges.
Some service providers who provide the infrastructure necessary for remote work, Verizon among them,
are reassuring their customers that they're prepared to help them accommodate the surge in demand
that's accompanied the pandemic.
Other outfits are offering free remote access and security services
to organizations whose IT and security resources
are being stressed by coronavirus remote work pressure.
Second, both criminals and nation-state intelligence services are exploiting
public concern about the pandemic to send phishing emails. ZDNet offers a summary of Russian, Chinese,
and North Korean organizations using coronavirus-themed vectors to install malware in their targets.
Fortinet, Sophos, Proofpoint, KnowBe4, and Recorded Future are among the security firms who have been tracking criminal activity related to the coronavirus.
Recorded Future reports that many criminal attacks arrive as convincing spoofs of trusted sources, like the World Health Organization and the U.S. Centers for Disease Control.
Researchers have also seen a surge in the registration of domain names that suggest a connection to the disease.
And these, of course, lend themselves to use in phishing and watering-hole campaigns.
BloombergQuint offers some examples of the phishbait.
Here's one sample which researchers at BAE provided.
Please kindly download the updated attachment for your knowledge. Please go through the cases to avoid potential hazards.
Those of you who are accomplished textual critics of spam will recognize that the sample bears the familiar textual stigmata of the genre.
The repetition of an ingratiating please,
the appearance of the adjective kindly,
the high-minded admonition for your knowledge,
the urgency hinted at by the adjective updated,
and of course the eccentric capitalization of potential in potential hazard.
You can't hear the capital P, of course, but I can see it, and take it straight from me, it is there in all its typographic glory.
And ransomware gangs are hitting public health agencies at a time when the
availability of their services and information is in high demand.
Mother Jones describes one such attack in Illinois.
The Champaign-Urbana Public Health District,
which serves more than 200,000 people in the central part of the state,
was hit Thursday morning with NetWalker ransomware,
which the News Gazette says is a relatively little-known strain.
The site is expected to be down for at least two weeks, and this is obviously
an inconvenient time for it to be out of service. The criminal activity is by no means confined to
American targets or the English language. It's showing the usual global opportunism and has been
found in many countries around the world. It would be nice if we could always rely on clumsy prose to betray phishing,
but unfortunately even criminals can become better writers,
perhaps by investing in some online tools like Grammarly.
And government trolls are even better than hoods at slinging the lingo.
The St. Petersburg troll farms, for example, have long shown a slick facility with American English
that does their language teachers credit.
They've also apparently expanded overseas.
Russian trolling has been offshored, in part at least, to operators in Ghana and Nigeria, CNN reports.
Researchers at Clemson University informed CNN's investigation.
They say it's election season influence and it's very much in the Russian style,
disruptive and racially themed.
And CNN says some of the operators, many of them Ghanaian or Nigerian, tell them that,
sure, they're working for Russia. A number of the trolls are organized by a front organization,
Eliminating Barriers for the Liberation of Africa, or EBLA for short. Russian oligarch
Yevgeny Prigozhin, sometimes referred to as Putin's chef
and regarded as the organizing spirit behind St. Petersburg's Internet Research Agency,
is believed to be behind EBLA too, but he didn't respond to CNN's request for comment.
This week, according to The Hill, several members of the U.S. Congress called on the European Union to sanction Mr. Prigozhin for his activities.
Microsoft yesterday issued an out-of-band patch for a vulnerability hinted at but not
addressed on Patch Tuesday.
It fixes a server remote code execution issue in the way Microsoft's Server Message Block
3.1.1 protocol handles certain requests.
Reporters Without Borders has published its selection of bad cyber actors, digital predators it calls them. These range from companies to gangs
to government agencies to intelligence services to semi-official political units. InfoSecurity
magazine notes the announcement was made in conjunction with yesterday's World Day Against
Cyber Censorship.
Reporters Without Borders divides the bad action into four categories.
Harassment, state censorship, disinformation, and spying or surveillance.
Some of the actors are state intelligence services and their contractors.
These are Russian, Iranian, Algerian, Venezuelan, Saudi, Egyptian, and Chinese agencies.
Others are political groups, often affiliated with current incumbents,
and some represent organized criminal groups, like the Mexican drug cartels.
The companies mentioned in dispatches tend to be either lawful-intercept vendors or exploit brokers whose wares, Reporters Without Borders says,
have found their way into the hands of repressive regimes.
The offenses alleged against them fall into the fourth category, spying or surveillance.
The U.S. Senate did not pass the revisions to domestic surveillance authorities and the Foreign
Intelligence Surveillance Act the House sent it earlier this week. The measure did have bipartisan
support in both houses, but it faced significant opposition as well.
The opponents, in general, thought the measure did not go far enough in reforming FISA and domestic surveillance.
The domestic surveillance program, effectively dormant since NSA shelved its implementation early last year
and generally regarded by observers as having seen relatively indifferent success, will thus sunset over the weekend.
Congress will have an opportunity to revisit the issues when it returns from its recess.
My guest today is Josiah Dykstra.
He's a technical fellow in cybersecurity at the National Security Agency.
His work at NSA has included penetration testing, malware analysis, as well as network operations
and digital forensics for cloud computing environments. He's a popular speaker at events
like RSA and Black Hat and author of the book Essential Cybersecurity Science. Josiah Dykstra
joined us in our studios.
In October, NSA launched this new organization called the Cybersecurity Directorate. And the goal of this organization is to prevent and eradicate cyber threats to national security
systems, including the Department of Defense networks and the defense industrial base who
supports everything that we do in national security. One of the goals for this organization is to collaborate with industry
and to put out public guidance outside of our secure facilities
that can help both DOD and the general public be more secure online.
Cloud computing is something that, as you might expect,
is a big part of the Department of Defense.
NSA uses a lot of cloud computing.
And as people consider and adopt
more of these cloud services, we wanted to make sure they were doing so considering the appropriate
risks. And so we undertook this document that we put out about a month ago to help people
understand that, yes, cloud is a very powerful, useful capability, and we encourage people to use
it. And at the same time, we want to make sure they
consider the risks and mitigate those appropriately when they go to implement.
Well, let's walk through some of the things that the document covers here.
Take us through, what are you trying to get across to people?
So there's four main areas of vulnerabilities that we want people to consider as they move to
the cloud. And these are vendor agnostic. It doesn't matter which cloud service you're using.
And they're not in response to any particular threat, but it is threat informed.
So all the things that we see in our world helped us put together this document.
I'll also say that we collaborated with industry in making sure that we were talking about
the right things in the appropriate ways to help people be the most effective that they could be.
So the four areas that we highlight that we want people to consider
are misconfigurations in their cloud services,
the implementation of good access controls,
the situation of shared tenancy in cloud services,
and supply chain vulnerabilities.
Now, the first two are definitely the most common.
Misconfigurations and access controls gets a lot of people into trouble,
and it has led to lots of data breaches.
And we hear lots of stories of open S3 buckets, misconfiguration errors.
Yes, they show up in the press all the time.
It's very unfortunate because it's an easy, comparatively easy thing to fix.
So that we wanted to highlight first and foremost.
The other thing that I'll
say is I think that's not only a technical problem, but a human problem. As many things are
in technology, having the appropriate training for your technical people is a very important way to
mitigate those misconfigurations. One of the things that you touch on here is that notion of
defense in depth, of having multiple layers to protect against these sorts of things.
Defense in depth is a long-time concept in the Department of Defense.
We've talked about this for decades.
Cloud computing is just a new technology that applies the same or needs the same concepts. And so whether it's different layers of technological control or different
sort of trade-offs between the cloud provider and the cloud consumer, all of those same principles
apply in cloud computing. So of the things that you listed at the outset here, I think the one
that I probably feel like I know the least amount about is the shared tenancy vulnerabilities.
Can you describe to us what's going on with that
one? Yes. I will start by saying that this is a very sophisticated kind of attack and not as
prevalent as things like misconfigurations. That being said, it is a very real vulnerability that
people adopting cloud need to think about. What shared tenancy means is in many cloud services,
the data that you have and the processes that you run
sometimes execute on the same physical machine
or on the same infrastructure of the cloud provider.
And that is a risk area
because other people on those shared resources
have at least the potential of accessing your data in a malicious kind of way.
Generally, the way clouds are implemented, this is very secure. The cloud vendors are very
motivated to try and make sure that tenants can't interact with each other. But the risk
is a possibility, and so we want to make sure people understand that.
What are the take-homes here in terms of the message that NSA wants to get out to people for best practices for securing their cloud infrastructures?
What are the messages that you really think are important here?
So first, I think cloud is a very useful and powerful capability.
There's no reason that we think you should avoid it, but we just want to make sure that it is risk-informed decision-making.
Whether you're at the top making sort of corporate strategic choices or at the bottom doing technical implementation,
we want to make sure you don't forget about some of the very prevalent and common mistakes that
can be made and the vulnerabilities that can rise that are different in cloud than if you just have
servers in your basement. And so as you go about thinking about, should I pick vendor A or B?
Should we put this sensitive data in the cloud or not? How should we do encryption? These are
the things we want to make sure every consumer is thinking about in their adoption. It's interesting
to me as NSA has started this initiative with more communications with the public, with being more outreach with documents and publications like this.
I think a document like this coming from the agency has a certain amount of gravitas, if you will,
demands a certain amount of attention that perhaps coming from other organizations it might not have.
There are definitely many people doing cloud security guidance. Vendors, other parts of the government. We did think it was important for us to lend our
weight behind this because it is a very important problem. And it's the first of many. In fact,
NSA has been doing collaborations a little bit more behind the scenes for quite a while.
The fact that we've now begun to do them very publicly is an acknowledgement that the threats
are worse, that other people have important insights that we need to collaborate with them on.
And so this is the first, I hope, of very many that NSA will release.
And I would say watch our website and our social media for the next upcoming ones.
Our thanks to Josiah Dykstra from the National Security Agency for joining us.
And joining me once again is Tom Etheridge.
He's the VP of Services at CrowdStrike.
Tom, it's always great to have you back.
I wanted to get some insights from you with the things that you and your team at CrowdStrike are seeing when it comes to ransomware and how that is impacting your clients around the world.
Excellent. Thank you, Dave. Great to be back. The number of ransomware cases that we saw
last year increased substantially. About 36% of our overall responses last year were what we call
business disruption type events. Certainly looking at metrics for this type of event, most people focus
on the actual ransomware payment and the cost that that has on the organization. And one of the
things I think is important to talk about is the unknown costs or looking at the cost of ransomware
in aggregate across the market. That's something that's really important to be discussing.
Well, let's dig into that.
How do you measure those things?
One thing that we will try to look at is what are the costs to businesses from downtime?
What are the costs in terms of communities, municipal government organizations, and school districts that are unable to function for a period of time?
What downstream impact does being out of business for a period of time create for the community,
for citizens of a particular community or students at a particular school district?
And those are really hard costs to aggregate and think about.
But overall, these things need to be factored in to ransomware in particular.
And when you do that, you start to increasingly think that this is more of a national security issue than something localized to a particular school district or small business.
Yeah, it's an interesting insight.
I mean, it makes me wonder if you can do that calculation. Let's say even though we're doing regular backups and so we know that we're covered
in terms of that, but at some point somebody has to do the math to figure out how long is that
restoration going to take us. Absolutely. Some companies we know for sure have gone out of business due to impact from a ransomware event.
There's certainly public reporting around probably the largest and more well-known ransomware outbreak with the city of Baltimore.
particular ransomware case, certain real estate deals were put on hold because the city could not process title transfers or didn't have the insight into know whether or not liens on properties had
been paid off. Those types of impacts really are, although they're difficult to manage, certainly
something that organizations should take into account when they're looking at the overall
impact of ransomware. And the one
thing that's intriguing as well is what is this going to do to the municipal bond market? Still
to be determined, but as trust might be eroding in many state and local organizations where they
just are unable to prevent these types of attacks, there may be some downstream impacts over time to
the municipal bond market and the confidence that the stakeholders have in that space.
You mentioned the possibility that this could be considered a national security issue.
In your mind, how would a national response play out? What would it look like?
One, I think, again, getting better reporting
on the effects of ransomware in the aggregate, not just looking at it from a ransomware payment
perspective, but maybe thinking about some of these downstream impacts or tangential impacts
of cost by organizations being hit by ransomware, whether organizations going out of business,
records being lost, services unable to be provided or delivered, looking at what kind of public
policy that can be discussed or implemented to draw attention to the issue, and then again,
providing better tools and expertise at the state and municipal
level so that many of these organizations that do not have the funding in place or lack the
critical expertise and resources to respond to these events have backups off-site that can be
leveraged to have the kind of technology input to work on better networking infrastructure,
better tooling to be able to detect and prevent these types of attacks from happening.
Those are the things that organizations need to be paying attention to.
All right. Well, Tom Etheridge, thanks for joining us.
Thank you. Sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Thanks for listening. We'll see you back here tomorrow.