CyberWire Daily - Cryptojacking cyberspies sighted. Crooks mix banking Trojans and ransomware. Conti ransomware hits industrial IoT company. SCOTUS reviews CFAA. And predictions.
Episode Date: December 1, 2020
Cryptojacking from Hanoi. Dormant networks rise again, for no easily discernible reason (but it doesn’t look good). A gang is hitting German victims with the Gootkit banking Trojan, and sometimes mixing it up with a REvil ransomware payload. Conti ransomware hits IoT chipmaker. SCOTUS reviews the Computer Fraud and Abuse Act. A few predictions for 2021. Ben Yelin on Congress passing an IoT security bill. Our guest is Stephen Harvey from BitSight, who’s tracking the correlation between companies with strong cybersecurity and financial success. And it may be back to school tomorrow in Baltimore County. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/230
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Cryptojacking from Hanoi.
Dormant networks rise again for no easily discernible reason, but it doesn't look good.
A gang is hitting German victims with the Gootkit banking trojan and sometimes mixing it up with a REvil ransomware payload.
Conti ransomware hits an IoT chipmaker.
SCOTUS reviews the Computer Fraud and Abuse Act.
A few predictions for 2021.
Ben Yelin on Congress passing an IoT security bill.
Our guest is Stephen Harvey from BitSight,
who's tracking the correlation between companies with strong cybersecurity and financial success.
And it may be back to school tomorrow in Baltimore County.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, December 1st, 2020.
Vietnamese threat actors have returned to the news. Over the long weekend, Trend Micro researchers described a recently discovered macOS backdoor
they believe is associated with Hanoi's Ocean Lotus group.
And the Microsoft 365 Defender Threat Intelligence team
has found the group they track with Redmond's customary metallic name as Bismuth,
and which they associate with Ocean Lotus, APT32, actively deploying a Monero miner against its victims.
The development is interesting.
North Korea's Lazarus Group has long been an outlier among state-directed threat actors in that financial gain was a major
objective. It appears that Vietnam's services may be headed down the same path.
Spamhaus has found a suspicious awakening. 52 dormant networks based in North America
suddenly became active over the period of only a few days. All are physically hosted in Greater New York.
While inactive networks do come back to life from time to time,
the researchers find it suspicious that so many should re-emerge essentially simultaneously
without having any obvious mutual connections.
Each of the revenant networks was announced by a different autonomous system number, a different ASN, and those ASNs are themselves revenants, silent for some time. Spamhaus isn't certain what's going on, but it doesn't look good, and it advises all to be wary of these no longer quiescent networks.
A significant criminal campaign is underway against German Internet users. Malwarebytes finds the campaign unusual in that the criminals are serving either the Gootkit banking trojan or REvil, also known as Sodinokibi ransomware. As is typical, in this case, an infection begins with phishing. The payload is usually Gootkit, but they've observed a smaller number of REvil infections. Malwarebytes explains, quote, the threat actors behind this campaign are using a very clever loader that performs a number of steps to evade detection. Given that the payload is stored within the registry under a randomly named key, many security products will not be able to detect and remove it. However, the biggest surprise here is to see this loader serve REvil ransomware in some instances. We were able to reproduce this flow in our lab once, but most of the time we saw Gootkit. End quote.
Industrial Internet of Things chipmaker Advantech has confirmed reports by Bleeping Computer and others that it has been the victim of ransomware. The strain is Conti, and the criminals stole data that Advantech describes as confidential but low value. The attackers appear to have delivered their ransom demand on November 21st. They began leaking data on November 26th. The criminals are making a big ask. They want Advantech to pay them 750 Bitcoin, or about 12,600,000 US dollars. If they're paid, they say they'll decrypt all affected data and remove any data they've stolen from their servers. Says they. The hoods aren't necessarily promise keepers. Advantech says it's largely restored its operations, but we've not heard what their plans are with respect to the ransom demand.
The U.S. Supreme Court yesterday heard arguments in a case challenging broad interpretation of the Computer Fraud and Abuse Act. At issue in the case, Van Buren v. United States, is, as SCOTUSblog puts it, quote, whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act if he accesses the same information for an improper purpose, end quote. These deliberations take time, but the Wall Street Journal says a decision is likely to come in June.
Netwrix has offered some predictions for 2021, most of which represent reasonable extrapolations of trends that have developed over 2020: an increase in ransomware, a shift in criminals' interests toward service providers, cloud misconfigurations accounting for a significant fraction of data breaches, regulatory compliance and insurance combining to drive organizations toward best practices, and pandemic-induced changes in the workplace having a delayed effect on security.
Two of their predictions strike us as being at least as normative as they are predictive.
Organizations will be driven by calculations of risk and value
in managing their cybersecurity posture and investment.
Digital Shadows also foresees more aggressive extortion by criminals,
but they add a prediction that distributed denial-of-service attacks
will be used more often to hold organizations for ransom.
Blind spots that accompany the shift toward remote work
will be exploited in social engineering,
and the social engineers' lures will continue to dangle fish bait
cut from current events to lure the unwary.
Criminal markets will continue to thrive and to behave like markets,
even as law enforcement seeks to crack down on them.
Both the cops and the criminals will enjoy some success,
that is, and if you bet on form, that seems about right.
And finally, sorry kids, it's back to Zoom for you, at least if you're up there in Baltimore
County. The Baltimore Sun reports that Baltimore County Public Schools expect to be sufficiently
recovered from the ransomware attack they sustained last week
to be able to resume instruction tomorrow. The school district has been tight-lipped about
details, but they indicate that they have a process in place for bringing the students
and teachers back online. The ransom demand is unknown, but it's believed likely to be high.
I suppose that if I make the claim that companies with good cybersecurity practices
are generally more successful overall, with correlated financial success,
you'd likely respond with, yeah,
that makes sense.
Stephen Harvey is CEO at security ratings firm BitSight, and his team has been exploring
that very issue to see how much of a correlation, if any, there is between well-performing companies
with strong cybersecurity and financial success.
The step we've taken, and we announced this about two weeks ago, was to actually work with an index provider, a company called Solactive, which is one of the leading index providers that's based out of Germany, to create a series of indices in which they took out the low BitSight-rated companies and focused the index on high-performing BitSight-rated companies.
And what they came back with was really exciting.
It was a demonstration, an empirical demonstration
that when you look back over time, the value of highly rated companies from a cybersecurity perspective outperforms the market from a valuation standpoint.
So the indices that they created outperform the benchmarks by anywhere from 1.5% to 7%.
And 7% in finance is a huge outperformance.
You know, there's that old saying that correlation is not causation.
So how do you weigh in, you know, the various factors that may be responsible for these companies outperforming their peers?
Yeah, that's an interesting question.
I think it's a combination of things, Dave.
One is obviously a company with a high cybersecurity rating is going to have fewer breaches.
There's a huge multiplier effect when you look at low-rated companies in terms of the number of breaches that they are likely to have,
and that does correlate directly to potential value.
Another area that is getting the attention of directors
is the notion that cybersecurity
is another component of governance.
And as you look at the governance standards of a company,
that cybersecurity is one of the key pillars
that should be assessed as part of that review.
And what we're seeing actually
is a very high demand at the moment
from boards to hire CISOs directly to the board or to start creating a subcommittee focused on cybersecurity because of the meaningful impact of cybersecurity to the company, but also because of this trend towards governance.
What are your recommendations for folks who want to explore this, who want to find out how this might apply to how they're approaching cybersecurity?
I would suggest people take a look at the indices that were rolled out.
This was made public,
and Solactive are actually now marketing these indices
to investment managers
with the idea that they're going to start investing in an index
that's tilted towards companies that perform well
from a cybersecurity background
with a proven outperformance in the backtesting that Solactive have done.
And I think that can be found on our website or Solactive's.
So, you know, this is really groundbreaking.
And I, again, I use the word empirical.
It's empirical evidence that there is a correlation here.
That's Stephen Harvey from BitSight.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security,
also my co-host on the Caveat podcast, which if you have not yet checked out,
what are you waiting for?
It's a good show.
It's a great show.
Ben, great to have you back.
An interesting article from CyberScoop. This is written by Tim Starks, and it's titled, "After Years of Work, Congress Passes Internet of Things Cybersecurity Bill, and It's Kind of a Big Deal." What's going on here, Ben?
It's kind of a big deal. I mean, first of all, it's a big deal when Congress passes anything. So, you know, let's raise our glass to that.
Yeah, that's not what we sent them to Washington to do, is it?
No, they should be, you know, puffing their chest at a high-profile congressional hearing about something insignificant, not actually doing things to address problems.
So, yeah, you know, I think we should be happy that they passed something in the first place,
regardless of what it is. The substance of the law is really interesting. It is a bill that sets a baseline for the internet
of things. So these internet connected devices that you have to have a baseline level of security
in order to contract with the federal government. And the federal government kind of does this
in a lot of different contexts to try and set minimal standards for federal contracting in hopes that companies, you know, in trying to obtain these federal contracts will adopt these practices more broadly.
And they're also, as part of this law, going to encourage vulnerability disclosure policies so that organizations can work with experts, security researchers,
to fix any software flaws that might arise.
So the story of how this bill came into being enacted,
it was a three-year effort started in 2017,
ran into some opposition from the United States Chamber of Commerce
because they thought this might be too much of a burden on particularly small businesses.
And I don't know if you've heard, but the U.S. Chamber of Commerce has some sway in
the United States Congress.
Sure.
But there were some enterprising lawmakers in both the House and the Senate.
This was a bipartisan effort.
They were able to neutralize the U.S. Chamber of Commerce to get them to not oppose the
bill, even if they were directly supporting it.
And a couple of legislators were able to get it across the finish line. The House passed its version in September, and the Senate
just agreed to it by unanimous consent. And to talk about how bipartisan this was, this is a bill
that was drafted in part by Representative Robin Kelly, who is a very progressive Chicago Democrat, and was
co-sponsored, at least in the last year or so, by Mark Meadows, who is now President Trump's
chief of staff. And she was able, the two of them were able to work with one another to get this
done. So this is sort of the rare cybersecurity policy victory that's certainly worthy of
celebration.
So I mean, it's the general notion here that if we require this in government contracting, that it'll be in the company's best interest to have that sort of sprinkled out throughout all of their products, that it'll make its way into the consumer and B2B space as well?
Yeah, absolutely.
So the federal government has done this with things like Energy Star ratings.
You want to encourage companies to produce things that are energy efficient. So you require, you know, in all government contracting,
that companies that want to work with the federal government institute those types of policies.
And yeah, the idea is, you know, you give them some incentive to adopt safer cybersecurity
practices for IoT,
then these are going to become more widely adopted.
And it's going to have downstream effects for organizations that aren't interested in federal government contracts.
So in some ways, you could see this as a small step because it only applies in the relatively limited world of, you know, federal procurement. But I think it sort of trickles down into the industry the way it's done in other contexts.
How interesting that, you know, cybersecurity seems to consistently be one of the few areas that can get bipartisan support and actually move things through the process. You know, these gears that are all full of sand right now in Congress, somehow these seem to make it through.
Yeah, you know, I'm very cynical about these things.
I think I always hope that lawmakers can make progress
before things get polarized.
You know, if you have a really polarizing figure
who comes out in support of something,
that might lead the other side to be against it.
So for the purpose of cybersecurity, it's kind of better for these things to happen under the radar, where it's not like there's a major push by President Trump to get this enacted into law, because that might engender some opposition among congressional Democrats.
Right, just because it's him.
Exactly, exactly.
We all have those tendencies.
I mean, if it's a person that we don't like proposing something,
we're naturally going to want to oppose it.
So I think what's been good about cybersecurity policymaking
is it has kind of gone under the radar,
and it's avoided some of these higher-profile political battles
that have ground Congress to a halt.
Interesting, yeah.
All right, well, Ben Yelin, again, thanks for joining us.
Thank you.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
We'll leave the light on for you. Listen for us on your Alexa smart speaker, too.
Thanks for listening. We'll see you back here tomorrow.