CyberWire Daily - COVID-19’s effects on cyberspace: disinformation, espionage, data theft, fraud, and extortion. Also far greater remote working.
Episode Date: March 16, 2020
COVID-19’s effects on cyberspace: disinformation, espionage, data theft, fraud, and extortion. Also far greater remote working. David Dufour from Webroot on their 2020 Threat Report; guest is Simone Petrella from CyberVista on cybersecurity skills. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_16.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
COVID-19's effects on cyberspace, disinformation, espionage, data theft, fraud, and extortion.
Also, far greater remote working.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 16, 2020.
Today's news is largely about the opportunistic exploitation of coronavirus
fears by various threat actors. First, there's an ongoing Chinese disinformation effort to blame
the COVID-19 coronavirus strain on a U.S. biological warfare program. With insinuation
and implausible insistence, Foreign Ministry spokesman Zhao Lijian tweeted Friday
that the U.S. Centers for Disease Control's inability to unambiguously identify a U.S. patient zero
in some way suggested that the U.S. Army brought the disease to Wuhan,
the city where the outbreak was first noticed.
CNN reports that the U.S. State Department summoned the Chinese ambassador to
Washington for a dressing-down over the foreign ministry's remarks. In this case, the probable
goal is opportunistic, deflect blame and discredit an international rival. An epidemic traceable to
Wuhan is embarrassing to Beijing, calling into question public health and perhaps sanitation policies and practices.
But why the U.S. Army? Well, the last Military World Games,
an international athletic competition designed to foster goodwill among the world's military
services, was held in Wuhan during October of last year, and there was a U.S. team there.
And that's the bodyguard of truth this particular lie
is receiving. The conspiracy theory will have few takers among serious people,
but Russia today is enjoying the diplomatic dust-up.
In other respects, the COVID-19 pandemic continues to provide raw material for both state-directed
and criminal campaigns. The technique has generally
been to couple spoofing with coronavirus-themed phishbait, as BAE Systems noted this weekend in
an infographic display of recent activity. Some of the threat groups BAE calls out include
Transparent Tribe, Gamaredon, Mustang Panda, Operation Lagtime IT, and Sandworm (Olympic Destroyer).
Transparent Tribe is a Pakistani operation going after Indian targets,
using malicious XLS files to deliver the Crimson remote-access Trojan,
all the while posing as an Indian training company.
Malwarebytes has also seen a surge in coronavirus-themed phishing by Pakistan's APT36,
and they too report that it's pushing the Crimson RAT at Indian targets.
The Russian operators behind Gamaredon are impersonating the Ukrainian foreign ministry
with the Pterodo backdoor, delivered via malicious Microsoft Word files.
And the GRU's Sandworm is not to be left out.
It's spoofing Ukraine's Ministry of Health to distribute a .NET backdoor.
Mustang Panda, a Chinese operation, is using bogus news articles to push the Cobalt Strike stager.
Operation Lagtime IT, also a Chinese APT,
is spoofing the Mongolian Ministry of Health to distribute a Poison Ivy stager.
And parties unknown have been impersonating the U.S. Centers for Disease Control, pushing the Remcos RAT.
NBC News summarizes some of the operations FireEye and CrowdStrike are seeing:
Russian services working against Ukraine, North Korea against South Korea,
and Chinese services against targets in Southeast Asia, especially Vietnam.
Some of the phishing is unusually persuasive, researchers at Recorded Future told NBC.
Quote, "These lures have really authentic branding, like they pretend to be from the CDC or the WHO or other really credible groups, and then target
people based on, this seems like a really interesting thing offering me more information
in a time that has so much information," end quote.
Workforce development firm CyberVista has been
exploring innovative approaches to help close the cybersecurity employment gap, as well as keeping
current employees informed on the latest developments.
Simone Petrella is CEO and founder of CyberVista,
and we caught up at the RSA conference.
So the Choose Your Own Adventure was really to give people
an interactive way to think about training
and get a little bit of a taste of the experience
of what it's like to do an assessment first,
really get results in real time that then demonstrates where,
from a personal plan perspective, you need to train.
And the way that we would start is you would take about an hour-long test,
but you would get real-time results based on your performance on that
that would break down the
actual skills gaps that you have in your knowledge, which we then could use to compare to either the
role that you are currently in to establish if you are appropriately performing at that level,
or can actually compare that against aspirational roles to identify what training or upskilling is required to move someone to that next level.
And so really it allows a lot of personalized pathways based on the results.
And that's what we do with a lot of our customers and companies.
When you're hearing from folks across the industry and they're coming to you and expressing the things that they think are working and the things that they're frustrated with when it comes to training in general, what sort of stories are being told to you?
What's not working is the cost model of the way that we train today, for sure.
What we hear from employers is that not only is it costly,
but it's impossible to tie the training or the career development opportunities that they give to staff
back to what they're actually doing in their employment spaces.
So it's being utilized as a retention tool in many cases,
and there are things that are effective as retention measures,
but it's not actually meeting the organizational need to have qualified people
in those positions. So there's like kind of a gap in the return on investment in the expenditure
you make on employer programs, especially in, you know, security training, and what that means
when you bring them back into the workplace.
Yeah, I mean, it strikes me that everyone's trying to do more with less, of course, and maximize what their employees are achieving in the workplace.
But I don't suspect there are many employees who say to themselves, oh, goody, more training that doesn't have directly to do with the things that I do day to day.
And so often security is kind of one of those side things.
I'm curious from a culture point of view, do you have any advice for companies of how they can establish a culture
that places value on these things in a way that the employees are going to buy in?
Yeah. First and foremost, it needs to be a culture and an expectation of accountability
that's set at the top of the organization. Employers really have to take charge of solving this problem. This is not
going to come out of academia. It's not going to come out of companies, even like mine, that are
doing training and education development. They really have to take the lead in investing the
time, the prioritization, and the resources in defining what they need so that
companies can come up with solutions that actually meet that kind of new economy skill requirement
for us within the security space.
That's Simone Petrella from CyberVista.
Criminal gangs are also using COVID-19 as phishbait, "fearware," the Independent calls it, quoting Darktrace and other security firms.
And the criminals are doing so in predictable ways, with phishing, fraud, and ransomware, mostly.
The relative novelty of the topic lends itself to crafting emails that bypass some of the common spam filters many people have in place.
The coronavirus is a popular topic of discussion in the cyber underworld,
where criminals interested in exploiting current fear are buying commodity tools they can easily repurpose for their campaigns.
Little technical skill is involved in using such off-the-shelf malware.
Ransomware operators, a significant subset of the cyber underworld,
are also using the pandemic as an opportunity to hit health care organizations responding to the virus.
It's consistent with general criminal practice.
Find a victim that really depends on the availability of their data.
Last week, a public health authority in central Illinois was hit.
More recently, a major provider of coronavirus testing, University Hospital Brno in the Czech Republic,
was also a ransomware victim.
CyberScoop reports that the incident is still under investigation
and it's not yet clear how extensive or disruptive
the effects of the attack will prove to be.
But there's a clear lesson in such attacks
that should shape our expectations.
Data is valuable during crisis response,
and when data is valuable, it draws the attention of criminals.
What others see as crisis and misfortune,
the criminals simply see as opportunity.
There's much advice on offer about securing telework.
The U.S. Cybersecurity and Infrastructure Security Agency, CISA,
recommends virtual private networks, VPNs,
with advice on how to use them securely and effectively.
This is important because as VPNs rise in importance,
they become attractive targets for criminals.
CISA recommends updating VPNs and associated systems used for remote work
so they've got the latest patches and sound security configurations.
Employees should be warned to
expect more phishing attempts. Security teams should dust off their plans for log review,
attack detection, and incident response and recovery. Use multi-factor authentication
and strong passwords. And before it becomes a problem, test the limitations of your system
and plan for higher usage. You can find CISA's recommendations online.
On that last point, the increased traffic the Internet will have to carry during the
pandemic, the Washington Post offers some grounds for measured optimism.
In the U.S., at least, and much the same is no doubt happening elsewhere, major ISPs have
put measures in place to accommodate increased demand.
But prepare to avoid some higher bandwidth applications if you run into problems.
Be content, for example, with audio as opposed to audio and video when audio alone will do.
That hardly seems like too much of a sacrifice for most organizations.
Are people in fact using VPNs more?
According to an Atlas VPN report, they are.
There's been a global surge in VPN use.
Italy leads with a 112% increase in VPN usage last week.
The U.S. is second with a 53% spike.
And joining me once again is David Dufour.
He's the Vice President of Cybersecurity and Engineering at Webroot.
David, it's always great to have you back.
You and your team recently published your 2020 threat report.
Take us through what were some of the findings here.
Yes, great to be back, David.
As you say, we came out with our threat report.
A lot of findings I think people are not going to be surprised about.
Phishing remains to be a big deal, ransomware. But there are some things where we're seeing
really targeted attacks on certain Windows versions and things like that.
Well, let's go through some of the details. What did you find?
So, phishing sites, we saw actual phishing grow at about a 640% increase
over last year.
And what that equates to is we're now seeing almost 1%
of all websites on the internet have phishing URLs.
So somewhere embedded in those websites,
we're seeing phishing URLs.
And so it's continuing to become a prolific problem.
It's very common everywhere. And I think
we're all familiar with phishing, but it's something we got to stay vigilant with.
Is that prevalent because it works, I suppose?
Well, it really does work. And one of the big things we're seeing about a quarter,
about 27% of those phishing sites, they're implementing SSL or TLS so that if you have an HTTPS connection,
and I know you and I have talked about this before, but it's super important that people
don't trust that beautiful green lock in the browser. You want it, but if you, so if you don't
have it, you should be wary. But just because you see that green lock, that doesn't mean that
you're actually safe. The phishers are able to get out
there. There's really been a proliferation of the ability to get SSL certificates in the phishing
sites. Almost any good phisher is using those now.
What other things did you cover here in the report?
A couple of them super, super important around Windows 7. Microsoft's not supporting that, haven't been
for a while. We've seen 125% uptick in attacks directed specifically at Windows 7 machines.
So older machines, a lot of manufacturing, we're seeing a lot of manufacturing where they don't
necessarily upgrade the machines or even update them. So a lot of folks, if you're running older
versions of Windows, you have to be very, very cognizant of what's going on,
which kind of leads into our final point on consumers
remaining to be nearly twice as high in infection rates than businesses.
And we're seeing a lot of that simply because consumers are using machines longer.
This is really an interesting stat, actually, David.
Most machines that get infected,
more than a third of them are infected at least three times.
And 10% of the machines that we see that are infected
get infected six times or more.
Now, what does that mean?
That probably points to bad practices
by those folks using those machines,
clicking the links, the phishing links,
things like that when they come in.
So really, across the board,
if you've got older machines,
make sure you're updating them
and then really pay attention to what you're doing.
And somehow we have to start educating the consumers more.
Yeah, it seems to me like it's easy to have this philosophy
that if it ain't broke, don't fix it,
particularly when it comes to, I can see home users, a lot of my friends and family,
everything seems to be working fine.
But I suppose these days you've got to keep going with those updates.
You absolutely do.
And unfortunately, when an operating system is no longer supported,
you do need to think about getting a new machine,
even if it's doing what you need, if that machine is doing something important to you,
like you're banking on it or things of that nature. Yeah. So I suppose even, you know,
gifting your loved ones a new computer for a birthday or for the holidays or something like that, that could be a way that you can help keep them secure and up to date. That's absolutely
correct. Because as we
always say, David, there's three real things you want to do with any machine to stay, you know,
the minimum, which is, you know, have an antivirus, make sure you're backing up. But that third one
is make sure you're patching and getting someone a newer computer ensures they're getting the latest
patches for that operating system, which really does provide that number one protection from
exploits and things like that.
All right. Well, David Dufour, thanks for joining us.
Great being here, David.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next
generation of cybersecurity teams and
technologies. Our amazing Cyber Wire
team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri,
Kelsey Vaughn, Tim Nodar, Joe Kerrigan,
Carol Terrio, Ben Yellen,
Nick Vilecki, Gina Johnson, Bennett
Moe, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.