CyberWire Daily - Curveball proofs-of-concept. CISA warns chemical industry. Military families harassed online. Phishing the UN. Fleeceware in the Play Store. Moscow says there was no Burisma hack.
Episode Date: January 16, 2020

Proof-of-concept exploits for the CryptoAPI vulnerability Microsoft patched this week have been released. CISA warns the chemical industry to look to its security during this period of what the agency calls “heightened geopolitical tension.” Families of deployed US soldiers receive threats via social media. Someone’s been phishing in Turtle Bay. More fleeceware turns up in the Play Store. And Moscow heaps scorn on anyone who thinks they hacked Burisma. Craig Williams from Cisco Talos on how adversaries take advantage of politics. Guest is Ron Hayman from AVANT on how companies might leverage Trusted Advisors to proactively prepare their security response. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/January/CyberWire_2020_01_16.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Proof-of-concept exploits for the CryptoAPI vulnerability Microsoft patched this week have been released.
CISA warns the chemical industry to look to its security during this period of what the
agency calls heightened geopolitical tension.
Families of deployed U.S. soldiers receive threats via social media.
Someone's been phishing in Turtle Bay.
More fleeceware turns up in the Play Store.
And Moscow heaps scorn on anyone who thinks they hacked Burisma.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 16th, 2020.
CRN offers a rundown of opinion to the effect that reaction to CVE-2020-0601 has been overblown, and to be sure, the NSA-disclosed Windows crypto flaw is not apocalyptic,
but it's nonetheless one that should be patched without delay.
Some of those reactions seem to come down to,
well, if this bug is as serious as NSA says it is,
then why did NSA tell everyone about it instead of quietly putting it to use?
So, okay, persist in Fort Meade's skepticism if you must, but don't disregard the common-sense
precaution of patching the flaw. Microsoft classed the vulnerability as important,
even though Redmond had seen no sign of its exploitation in the wild.
Such exploitation has grown likelier. ZDNet reports that two
proof-of-concept exploits of the crypto API bug have already appeared, and they add that the
vulnerability is now being called Curveball. Others, following researcher Ken White, refer
to the vulnerability as Chain of Fools. We'll stick with Curveball, provisionally.
The first Curveball exploit was posted to GitHub by researchers from Kudelski Security.
It's a spoofing exploit that takes advantage of the way elliptic curve cryptography was implemented in Crypt32.dll.
As Kudelski explains it in their blog,
"We have been able to sign a certificate with arbitrary domain name and subject alternative names, and it will be recognized by Windows CryptoAPI as being a trusted certificate."
The second proof of concept was placed on GitHub by Danish security researcher Ollypwn.
It too presents a method of spoofing certificates.
The upshot of this is twofold.
First, the proofs of concept virtually ensure, as ZDNet puts it,
that the vulnerability will be exploited in the wild.
And second, this should be obvious, do apply the patch.
As the U.S. and presumably Iran continue to glare at one another with mutual suspicion in cyberspace,
no significant attacks from either side have come to public attention.
But the U.S. Cybersecurity and Infrastructure Security Agency, CISA, has cautioned the chemical industry that it could be subject to cyberattack and has offered advice on hardening itself
against the threat.
The warning is a follow-on to recent alerts during what CISA calls this period of heightened
geopolitical tension.
CISA doesn't cite specific indicators and warnings,
and it hasn't mandated any steps by industry,
but the advice the agency is offering the chemical industry would be sound at any time.
CISA recommends increased vigilance.
It also suggests that industry dust off its reporting procedures
and practice its incident response plans.
With respect to cyber threats, CISA recommends that critical information be backed up and
stored offline and that industry test its ability to revert to backups in the event
of a cyber incident.
It suggests that industry review its cybersecurity risk analysis and offers help to organizations
that want it.
Now is also a good time for cyber awareness training
and a particularly good time to look for and change any default passwords
that may have been left in the enterprise.
Patches should be brought up to date,
and both IT networks and industrial control systems
should be scanned for signs of vulnerabilities and malicious activity.
It would be good to update application whitelists and review accounts
to ensure that they are given the least privilege necessary. And finally, both incident response and business
continuity plans should be reviewed and updated where necessary. There are countless options out
there these days when it comes to cybersecurity tools, and everyone says their tool is, of course,
the best. It can be impractical and daunting to wade through all of the available offerings.
The folks at Avant rely on a network of what they call trusted advisors
to help organizations navigate the field.
Ron Hayman is chief cloud officer and COO at Avant.
So a trusted advisor, when they come and work with you, they represent about 300 providers.
Now, obviously, not all of them will be security, but they have a portfolio of providers.
And what we like about this process is they can help you ethically pit the industry against itself and find the very best provider for you.
And the trusted advisor has access to, in the case of Avant, Avant's engineers, which we have 12 of.
And then they also have access to the engineering staff of the different service providers.
And so they're able to essentially do an RFP, get all the requirements, and then leverage our engineering team to figure out what the best two or three providers are that are laser focused in that particular area.
And then we bring them hand in hand with the trusted advisor to the customer, and we let them pick out who they think is the best fit for them culturally, or maybe based on price,
or whatever it is that's making them make that buying decision.
I'm imagining that this could be particularly helpful to small and medium-sized businesses.
Is that an accurate assessment?
Yes, it is.
It's an underserved market, small and medium, especially when it comes to cyber and just IT in general.
And so we've seen a pretty big MSP movement.
But more important than the MSP movement is the managed security service provider movement, because that is something that these small and medium businesses can no longer afford to ignore.
Companies go out of business when they're without mail for a matter of days.
And we're seeing intellectual property and other things that are really important to the company and the brand image be at risk more consistently.
You've seen what's happened with ransomware.
It's been in the news a lot,
especially in local municipalities
and state and federal government.
But that's also happening quite a bit
in companies as well.
And when they lose access to their data,
to their intellectual property,
to all the things that give them
what they need to go out and do business,
you can imagine, you know,
that you're really putting that company at risk. So definitely small and medium businesses will
benefit from having access to these service providers. It sounds like an interesting value
proposition for sure. As someone who would engage with one of these trusted advisors, how am I guaranteed that they're looking out for my best interest and not the folks on the other side of the equation,
the folks who are providing the services? Yeah. So that's a good question. And I think
you always have to make sure that whoever you're working with is a true partner,
a true trusted advisor. And trusted advisors, a lot of times,
the reason why they're there is because they have a really good relationship with the buyer and they
want to have a long-term, you know, they want to have a long-term relationship with them. So
they're there for the right reason, at least the ones that we work with. And they're incentivized
to try and help make the best possible decision for that customer, because if the
customer wins, then they win, and ultimately they get more business. That's Ron Hayman from Avant.
According to Threatpost and Bleeping Computer, Cofense researchers determined that the United
Nations sustained a phishing campaign designed to deliver Emotet and the TrickBot Trojan.
The campaign, which apparently was less than fully successful,
used emails spoofing the Norwegian mission to deliver a malicious Word document.
Sophos finds more fleeceware apps in Google's Play Store.
Fleeceware automatically charges subscription fees
if the user neglects to cancel when a trial period expires,
and users often find that breaking up is hard to do.
As the noted American philosopher Mr. Tom Waits put it in another context,
the large print giveth and the small print taketh away.
And finally, Moscow has delivered the usual informational counter-battery fire
in the Burisma hacking case.
Sputnik, a reliable Kremlin mouthpiece, poo-poos the whole episode as a self-serving conspiracy theory
launched by Hillary Clinton.
Or so says Sputnik.
The style of their debunking is worth noting.
It's tabloidesque, quoting tweets from people
represented as being ordinary patriotic Americans
who have wised up to Ms. Clinton.
The tweets are a fair representation of the kind of one-line zingers Twitter is structured to favor,
but they don't really amount to what you'd call an argument.
Ukraine's Interior Ministry isn't so dismissive.
They've asked the FBI for assistance in their own investigation of the Burisma incident.
And I'm pleased to be joined once again by Craig Williams.
He's the director of Talos Outreach at Cisco.
Craig, always great to have you back.
You all recently published a report here.
It's titled, How Adversaries Use Politics for Compromise.
Take us through what's going on here.
What's one thing that's in common for most attacks that target the user?
Right.
I think if we sit back and let's look at this objectively and then we'll dive into why politics are being used.
But if you look at how users are targeted, particularly around the holidays, there tend to be certain things. Right.
If we look at the specific vectors, we'll see things like lottery type activity.
We'll see deals. We'll see things around coupons.
We'll potentially see things around like urgent, right?
Like urgent, click here.
You may have won a million dollars.
Or urgent, click here to download your free copy of Star Wars episode, whatever.
Yeah.
I'm a huge fan.
That would work on me.
Yeah. You know, and so what they all have in common is they want people to respond emotionally.
Right.
Right.
And they want people to respond in a way that they're just going to click without thinking
about it.
You know, it's a lot like gambling, right?
If you look at the way gambling works in successful machines, they don't just say you want to
lose.
They want to imply you
may have lost, but you just lost, right? Like look at the spinner dial. It's right next to the win
sign. That's how close you came. And, you know, give you that feeling of, oh, well, if I just,
if I just try one more time, I'm going to get it, right? And so that's the kind of response
these scammers want. They want someone to not think about it, to not think logically, to take all these lessons that we've learned. If it's too good to be true, it probably is. Check the URL before you click on it. They don't want you to think about that. They want you to think, oh, whoa, that's somebody wrong on the Internet or that's something I need to win.
Right. Wind me up. Yeah. Right. And so if
we look at things that wind people up, say, you know, hypothetically this last quarter, there
might be, I don't know, one or two political things. Um, no, I mean, maybe, you know what?
I think I saw something on the news. We'll go with a hypothetical. Proceed. Yes. And so the natural evolution to this was to basically target politics.
And so we started looking around at different malware campaigns that had political drivers.
And what we found was just a truly astonishing number in both variety and amount. And the variety we saw was absolutely stunning and absolutely hilarious. I don't know if you've had a chance to look at the post,
but we had a dancing Hillary. We had a winking Putin. We, of course, had a truly astounding amount with negative commentary and implications around the U.S. president.
Right.
It's very strange why they would do that.
But there's something for everyone here, right?
Absolutely.
No matter your political persuasion.
If you're a Russian agent, if you're.
Yeah.
Something to get your motor running.
Right. And so that's exactly the goal, right? The goal is not to actually exchange political discourse,
which is what every, you know, non-technical American might want to do, right? They see
their political opponent and they immediately want to explain to you, hey, something's wrong
on the internet, right? We all know the famous XKCD comic.
Well, that feeling is a thing. We all have felt that, right? I mean, how many times have you been
sitting there in public and someone says something silly like, I don't run antivirus for my computer.
I don't believe in vaccines. And like your eye just starts to twitch involuntarily.
Right. For you, that's a trigger warning, right?
Yeah.
Your wife says, just step away, Craig, just step away.
Yeah, well, she'll change the subject and be like,
so do you want to take me to the gun range later?
I guess.
But so it's things like that that they want to respond.
They want to have people respond emotionally so that they don't follow best practices. And the reality is that type of thought process is involved as often, I think, as the deal process, you know, right? Like the gambling process, basically. I think they're very similar and they're probably connected at some psychological level that I don't know about because I didn't pursue that level of education.
So if anybody out there has any, I'd love to debate it on Twitter.
Of course, because that's where the best debates happen.
You know, it's Twitter or Reddit.
That's where you go for fun debates.
Right, right.
Where everyone's right and, you know, only downvote everybody you disagree with.
Now, what are you all recommending to protect yourself against this sort of thing when we're dealing with human emotional components? Well, so that's a really great question. And I think it
comes down to, you know, one of the things that we probably say a lot. And so I'll explain the
different levels to it. But the first one is, right, you've got to have a layer of defense,
right? Like anything else, there's not going to be one magic bullet. So I would say the easiest
layers are, you know, have something like a content blocker in place. And so if you don't want to pay for one through an antivirus,
you know, you can use our free open DNS service. You could use Google's safe browsing service,
something to take off that like highest layer of long-term lazy attacker, right? So let's knock
out like the 75% and then have something a little bit more advanced,
maybe something like an anti-spam solution,
an email security appliance, web security,
that knocks out that second level
of more dynamic content, right?
Those type of ads or pop-ups,
looks at file attachments, right?
Some sort of advanced malware protection system
like an antivirus engine,
be it ours or somebody else's,
just something out there to knock down those known binaries. And that'll cover you a pretty
reasonable amount just between those three. And I think the last one is really going to be,
I hate to say this, but it's user education. You've got to have people learn self-control.
And I know on the internet, that's much easier said than done. But the thing
is, people are constantly targeting the user. They're going to find a way to spin you up.
Absolutely. It's going to happen. If it's not politics, maybe it's religion, maybe it's gun
control, maybe it's healthcare, but they will find a way to spin you up and you've got to sit
back and realize I'm being manipulated. Right.
I think most adults would realize that that was happening in person and they would realize,
look, I don't need to engage with this person.
I don't know them.
They don't matter in my life.
It's not, I'm not voting here.
Right.
Yeah.
Right. I should just go on my way and get to work or whatever they're doing.
And people have got to take that life lesson that they've learned in person and apply it
to the online world.
Yeah. Keep that top of mind.
And it's especially true on social media.
I mean, people forget, but that's really what social media is,
is you're basically in public looking at other people's discussions
and conversations, and you can chime in or not.
And a lot of the time, or not, is probably the wisest decision.
Yeah.
The post is titled, How Adversaries Use Politics
for Compromise.
Craig Williams,
thanks for joining us.
Thank you.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.