CyberWire Daily - Cozy Bear: quiet and patient. Counting the costs of cyberespionage. Iranian influence campaign sought to inspire post-US-election violence.
Episode Date: December 23, 2020Cozy Bear lived up to its reputation for quiet patience. Counting the cost of the SVR cyberespionage campaign. What do intelligence services do with all the data they collect? An Iranian influence cam...paign sought to foment US post-election violence. Joe Carrigan looks at social engineering aimed at domain registrars. Our guest is John Worrall from ZeroNorth on the importance of security champions. And a last look ahead at 2021. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Cozy Bear lived up to its reputation for quiet patience,
counting the cost of the SVR cyber espionage campaign.
What do intelligence services do with all that data they collect?
An Iranian influence campaign sought to foment U.S. post-election violence.
Joe Carrigan looks at social engineering aimed at domain registrars.
Our guest is John Worrall from ZeroNorth on the importance of security champions, and a last look ahead at 2021.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, December 23, 2020.

Security firm Check Point has published an interesting account of the SVR's Sunburst operation against SolarWinds Orion, with particular attention to the campaign's evasiveness, which they found effective. The researchers call it the art of tactical retreat and see similarities to the ways in which malware goes quiet to avoid being exposed in a sandbox. It's also more reason to regard Cozy Bear as the quietest and most patient of all Huggy Bear's big brood. Fancy Bear? Noisy and impatient. Cozy Bear is just right.
It will prove difficult to arrive at an accurate accounting
of the damage and exposure associated with the SVR's
successful cyber espionage campaign against U.S. targets.
Recall that among Cozy Bear's take were a number of FireEye red-teaming tools.
Security company Qualys says it's found more than 7.5 million vulnerabilities
associated with those tools among its customer base.
And remember, none of the stuff taken from FireEye was a zero-day.
Knowing one's own networks is a challenge, evidently, of Delphic proportions.
Those curious about what an intelligence service
might do with all the information they collect will find Foreign Policy's history of Chinese
exploitation of its take of U.S. data instructive. Beijing's big espionage success was its penetration
of the Office of Personnel Management and its use of the data it extracted to roll up the CIA's human agents collecting against China.
The damage to U.S. intelligence was severe, the human cost heartbreaking.
Whatever the SVR has obtained from its quiet, months-long shuffle through American networks, via SolarWinds' Orion platform and other points of entry, it's likely to amount to a great deal more than what Beijing got from OPM. With this in mind, a Council on Foreign Relations essay argues that U.S. defensive and, significantly, offensive cyber capabilities remain under-resourced.
The Washington Post has an unpleasant story about an information campaign Iran mounted earlier this month.
The FBI says Tehran was behind an online effort to incite violence against officials in the U.S.
who publicly attested to the integrity of the November elections.
The U.S. Cybersecurity and Infrastructure Security Agency has released a draft of the National Cybersecurity and Protection System Cloud Interface Reference Architecture.
It will be open for comment until January 29th.
We don't want to bury the lead, really,
but we'd like to wrap this last regular daily podcast of 2020
with a final look through the glass and darkly into 2021.
By consensus, in 2021, expect more pandemic stress,
expect remote work to become so deeply ingrained
that it will be hard for many to imagine returning to their old workplace,
and expect the bears to snuffle here, there, and everywhere.
When investors look at the coming year, what trends are they alert for in cybersecurity? We asked Yoav Leitersdorf of YL Ventures what he thought the coming year would bring and how that would affect what investors would be looking for. In large part, he sees investors looking to the most pressing needs enterprise will face. Quote, "We see hackers exploiting new work-from-home vulnerabilities with attacks focused on supply chains, hospitals, insider data exfiltration, cloud apps, and code. Investors will continue to look for technologies that address these specific markets or close remaining gaps in cybersecurity, like XDR, which brings AI to threat detection and response and works across endpoints, networks, and cloud. But what is emerging now is to use security as a business enabler by moving it downstream to the code with DevOps-ready tools for developers to build in security for authorization, data protection, and access. Also looking outward, software-as-a-service app security is more important than ever and still presents interesting opportunities, as well as cybersecurity management platforms to help address the operational complexity of cybersecurity programs. Enterprises across the board are allocating significant resources towards software development. This widening attack surface is driving demand for solutions that can help security shift left, implementing security measures directly into the software development lifecycle. Application security is increasingly being owned by developers." End quote.

So, customer demand will tend to flag investor interest. The massive and successful penetration of U.S. government networks by Russia's SVR has already had an effect on investment in the sector. Bloomberg notes that the incident has extended a moderate bull run in cybersecurity stocks, with analysts seeing an increase in security spending that augurs a powerful and long-term demand tailwind for the sector.

So finally, what do we wish for as we arrive at the last issue of our ninth year of publication? To all people of goodwill, we wish that all will be well and that all manner of things will be well. But since goodwill isn't universal, we have a few more specific wishes.

To CISA, we wish all success in mopping up the U.S. government's networks after the SVR hack.
To the FBI, we wish many good collars of bad actors.
And to NSA and U.S. Cyber Command,
we wish, above all, good hunting.
Bring home lots of virtual bear skins in 2021.
Oh, and while you're at it,
throw in some digital panda pelts
and maybe some kitten fur as well.
We know you've got it in you.
But in the meantime, may all manner of things be well, and we'll see you in the new year.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of
technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer
challenges faster with agents, winning with purpose, and showing the world what AI was
meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers
to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies like
Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber
for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Application security automation and orchestration platform provider ZeroNorth recently commissioned a survey exploring the notion of security champions within organizations and how they may serve as a bridge between security and DevOps teams. John Worrall is CEO at ZeroNorth.
We look at the AppSec market and how it's evolving with DevOps.
You dig in not too far
and you find these security champions
in a lot of organizations.
And to us, they're really the linchpin
of how well security and DevOps
can actually work together.
We did a survey about six or eight weeks ago.
Ponemon Institute conducted the survey for us
about this cultural divide between
security and between the DevOps teams.
And it's frightening in many ways.
No one really understands who owns what when it comes to cybersecurity and applications.
People don't actually like working with each other.
The DevOps team doesn't like working with security and vice versa.
Do you have any sense for what is at the root of that divide?
Where did it begin?
I think it began with just the historical cultures of each organization.
Quite honestly, the DevOps team, the whole development model,
has evolved to be so fast, so quick, so modern.
And the AppSec market is really stuck in the same model it was using 15 years ago,
which is if you're going to secure code, you have to run a tool and look at the results
and then go chase down the results and fix it.
The challenge with a tool-based model is that it is very slow,
and the benefit of DevOps is it's very fast.
So you have this major conflict between organizations that are just approaching this
from a different perspective from their historical basis.
So when we're talking about security champions, what are we talking about here?
How do you define that?
So in many organizations, there is someone who works for the chief information security officer.
And it's a centralized corporate function.
And they are basically embedded with DevOps teams. And their goal is to help the DevOps team do a better job
of shipping secure applications. It can start with simply understanding what applications are
in planning so that they can start participating in meetings about how to architect the code in
a secure way, how to make sure that developers are trained properly on security for that particular application,
and how to look at policy for the application. Does this application have PII? Does it have
healthcare data? And what's the level of security or governance standards that we want to put on
this application? They also play a critical role when vulnerabilities are found through tools
of really trying to understand which vulnerabilities matter.
And this is one of the challenges where we're kind of sending these champions into a gunfight with a knife, and they're really not armed well to take advantage of that because there are just so many vulnerabilities coming out of these tools.
But they try to interpret those results for the developers to say, you know what, this one looks like it's really important.
Fix this one first.
We'll let these others go for now. Very manual, very labor intensive. But they're there with the developers trying to help them figure out how to best
prioritize the vulnerabilities. And at some point, they're part of the team that says, yes,
we can ship this or no, we can't ship this. Well, give me some insights there. I mean,
what sort of tools are available in order to automate these processes
and what are the benefits that come from that?
So instead of having different people run tools,
having developers kick off scans
when they're checking in code,
that can happen automatically.
Developers don't have to worry about it.
Security teams don't have to worry about it.
In modern DevOps pipelines, you're going to see between four, five, six, even nine different tools being run from a security point of view on that pipeline. And instead of having all the results from these multiple tools manually correlated, that's automated through a platform, so again, saves a lot of time and a lot of labor. What's most valuable is that when you can start automating the scanning process, you can start finding vulnerabilities much sooner in the software development lifecycle than if you are relying on manual processes.
And, you know, we know this from the quality days of Toyota back in the 1970s with car manufacturing.
It's like a thousand times more expensive to fix the defect in the car after it's left the lot, as opposed to fixing it right then and there on the assembly line.
And the same cost model applies here.
I think some of the data we've seen is if it cost you $100 to fix it while the developer still has his hands on the code before it's even gone to the repository,
it's 15 times once it goes through QA, and it's 100 times more expensive
once it's actually out in the wild.
And when you think about those costs, there is a very, very significant productivity increase
in development that is here.
This is not security.
This is just productivity and development by having security automated and orchestrated
throughout the pipeline.
That's John Worrall from ZeroNorth.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're
thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the Hacking Humans podcast. Hey, Joe.
Hi, Dave.
Interesting story came by. This is over on ZDNet, and the title is "GoDaddy Staff Fall Prey to Social Engineering Scam in Cryptocurrency Exchange Attack Wave."
What's going on here, Joe?
So what has happened is these attackers have said to themselves, you know, we spend a lot of time impersonating domains.
What would be a better way to do this?
What if we actually got control of the actual domains for a cryptocurrency exchange?
But Joe, I have my domain locked.
Well, that's a good point, Dave. Maybe we can find a way to unlock it by calling up your registrar
and telling them that we need to unlock it for transfer or something and make some changes to it.
And that's what happened here. These guys effectively for a very short period of time, thankfully, lost control or had some changes made to their DNS records.
They think that people, their customers were phished.
They think they know in one case they had some internal email accounts compromised.
They were able to stop any, nobody lost any cryptocurrencies is the end of the story here, which is good, right?
These guys realize what's going on. These two exchanges, one of them is called Liquid and the
other one is called NiceHash. I'm not really familiar with either one of these exchanges,
but they were both able to prevent anybody from getting further access and then reaching out to
GoDaddy and saying, hey, why did you guys make these changes? And GoDaddy was like,
oh, we will undo those immediately. So the cryptocurrency exchanges had their own
systems in place to alert them to changes, I suppose, at the domain level. They knew about
it pretty quickly. And the attackers were not able to get in. And one of these guys
froze their wallet.
So they couldn't even access the wallets.
So the currency was safe.
Imagine being a customer of that exchange. And all of a sudden, they say, our wallets are frozen right now.
We can't do any transactions.
You're like, I have so much money here.
Is this a scam?
Yeah.
That was probably a very harrowing 24 hours for a lot of people.
But everything's back to normal now, so we can all breathe a sigh of relief,
especially if you hold cryptocurrency on one of these exchanges.
Yeah, and from the social engineering aspect of it,
this seems to me to be a tough one to contend with
because you can have multi-factor for your accounts, but there's always that human side where if you can get a human on the line and at a place like GoDaddy and somehow appeal to them, convince them that you are who you need to be for them to, you know, just do me a favor here. I'm
doing my best. Oh, that didn't work. You know, and these scammers, they know how to push those
buttons. Right. If they can get into GoDaddy and change the domain registration, then they can
convince you that you as the user of the exchange that you're logging into the legitimate site,
and then they can turn around and log into the other site, to the legitimate site somehow, and maybe the IP address,
then they can do whatever they want. I'm sure that was their vision here.
Right.
To move the cryptocurrency out of these exchanges into their own wallets.
Yeah.
Fortunately, that did not happen, but it is social engineering almost all the way down.
Yeah, it's interesting because, you know, you and I over on Hacking Humans, we talk all the time
about, you know, being extra careful about checking to make sure that that domain name is legit. Well,
what if it is legit? It's actually the domain, you know, somebody compromises the registrar.
Yeah, if someone compromises the registrar like they did here, everybody's got a problem. But fortunately, these guys immediately realized what was going on,
these two exchanges, and they rectified the situation and took the necessary actions
internally to make sure their customers weren't damaged, which is great. They did a good job.
I wonder if your GoDaddy or one of the other companies that's in this line of business,
how do you contend with this? How do you-
It's all about process.
Yeah?
Yeah, you have good processes in place.
You examine what the actual process is
and you don't let someone short circuit that process
and you make sure that they follow it.
Mm-hmm, mm-hmm.
Again, though, it's that human,
hey, can you do me a favor?
Right, exactly.
It's our desire to want to help people that gets us into so much trouble. Jeez, I'm going to lose my job if I don't get this worked out, you know, Joe.
Can you just, I know you're not supposed
to do this, but can you just make
an exception just for me? Yeah.
I'll bake you some cookies. Yeah.
Ooh, cookies, Dave.
Right?
Actually, I'm not
really susceptible to that because my wife makes really good cookies.
Okay.
All right.
Well, we'll come up with something else.
Yes.
All right.
Well, Joe Carrigan, thanks for joining us.
My pleasure, Dave. And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
There's no place like home for the holidays.
Listen for us on your Alexa smart speaker, too.
This is our last daily podcast briefing for the year.
We'll be taking a break over the holidays
and we'll return January 4th.
In the meantime, we'll be sharing highlights
from past shows in our main CyberWire podcast feed,
along with episodes of CSO Perspectives, our CyberWire Pro exclusive podcast hosted by Rick Howard.
2020 has been a heck of a year, and I'm sure I speak for many in saying I'll be glad to have it behind us.
Despite the challenges, there have been a number of good things about 2020,
among them, for me, the opportunity to work with our growing team here at the Cyber Wire.
Before we sign off for the year, a few words about them.
First, my fellow podcast hosts and on-air partners,
Joe Carrigan, Ben Yelin, and Carole Theriault,
bringing their personalities, insights, and expertise to our shows.
It's my pleasure to share the mic with all of you.
Rick Howard joined us this year as Chief Analyst and Chief Security Officer,
as well as host of our CSO Perspectives podcast and our quarterly analyst webinars.
And it's been great having access to the wealth of knowledge and experience he brings to our team.
Our sales and client services team are Bennett Moe, Gina Johnson, and Nick Veliky. They make sure our advertisers are happy and getting the value they expect from our shows, and they do it with integrity and professionalism.
Our development team are Chris Russell and Puru Prakash, who not only keep our in-house content management system up and running with our endless list of feature requests,
but this year also built our CyberWire Pro offerings.
No small feat.
Stefan Vaziri led the product development and management
of CyberWire Pro.
Jennifer Eiben and Kelsey Bond are producers
for our shows, keeping the pipeline of
guests and partners full while
wrangling our editorial calendar.
They also take care of our social media
and events. Elliot Peltzman
joined us this year as audio editor
and has made all of our shows sound better than ever.
He wrote us some kick-ass theme music, too.
Our editorial team are Tim Nodar and our CyberWire editor-in-chief,
John Petrick, who gather the day's news and distill it
into the newsletters and podcast scripts I have the distinct pleasure
of reading and sharing with you every day.
We're thankful
for the team at DataTribe who provide us with invaluable guidance and mentoring as our scrappy
little startup grows. And of course, all of our partners and sponsors, without which we could not
do what we do, and all of you for listening. We truly appreciate that you find the work we all do here valuable and continue to support us.
Last but not least, thanks to our CEO and executive editor, Peter Kilpe, whose steadfast leadership has kept us on the right track despite the significant headwinds that 2020 threw at us.
Being the boss is often a thankless job, and I know I speak for the entire team when I say how much we appreciate everything he does to support all of us every day. Have a safe, healthy, restful Christmas and holiday break,
and we'll look forward to seeing all of you back here next year.
On behalf of all of us here at the Cyber Wire, I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses
that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to Thank you.