CyberWire Daily - Cyber support for a kinetic conflict. Cyberespionage. Spyware in Chrome extensions. Criminal phishing bypasses defenses. Proposed revisions to Section 230. Zoom and encryption.
Episode Date: June 18, 2020. Sino-Indian conflict extends to cyberspace. InvisiMole connected to Gamaredon. Spyware found in Chrome extensions. Phishing around technical defenses (and some criminal use of CAPTCHAs). The US Justice Department releases its study of Section 230 of the Communications Decency Act. Zulfikar Ramzan from RSA on privacy and security in a post-COVID world. Our guest is Michael Powell from the UK's Department for International Trade on the UK cybersecurity sector. And Zoom decides to make end-to-end encryption generally available. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/118
Transcript
You're listening to the CyberWire Network, powered by N2K.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
Sino-Indian conflict extends to cyberspace, InvisiMole connected to Gamaredon, spyware found in Chrome extensions, phishing around technical defenses and some criminal use of CAPTCHAs. The U.S. Justice Department releases its study of Section 230 of the Communications Decency Act. Zulfikar Ramzan from RSA on privacy and security in a post-COVID world, our guest is Michael Powell from the UK's Department for International Trade, and Zoom changes their tune and makes end-to-end encryption available for everyone.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, June 18, 2020.
As expected, there are signs that the Sino-Indian border skirmishing, already a bloody series of small unit engagements with casualties on both sides, may be accompanied by cyber operations. There are reports of Chinese distributed denial-of-service attacks against Indian targets. Times Now says the attacks are thought to emanate from Chengdu, headquarters of PLA Unit 61398.
InvisiMole, a cyber espionage group discovered in 2018 but active at least since 2013, is known to have operated against Eastern European military and diplomatic targets, including targets in Russia and Ukraine. The group appears to collaborate with Gamaredon. ESET researchers report finding that InvisiMole has used Gamaredon's .NET downloader, MSIL/Pterodo. Only a small set of Gamaredon's victims were prospected by InvisiMole, which suggests that the stealthier, more sophisticated InvisiMole makes highly selective use of the noisier Gamaredon's target list. It also uses EternalBlue and BlueKeep exploits for lateral movement once it's in the targeted enterprises. Gamaredon has been linked to Russia. InvisiMole has hitherto been more elusive, but the connection to Gamaredon is suggestive, at least.
Reuters reports that Awake Security has found a massive spyware infestation among Chrome extensions. Google removed 70 of the extensions from its store after it was notified of the problem last month. The extensions, which were for the most part offered free of charge, represented themselves as able to warn users of questionable websites, or to convert files to different formats. What in fact they did was capture browsing histories and data that ultimately provided the extensions' operators with credentials for accessing various business tools. Why Google itself didn't detect and remove the malicious extensions is unclear. It's also unclear who was behind the malicious extensions. As the Reuters piece points out, the operation could equally well be the work of criminals or nation-state espionage services.
Check Point describes a phishing campaign directed toward acquiring Microsoft Office 365 credentials. It made heavy use of redirection. The phishing emails weren't particularly polished (they told recipients they had some voicemail waiting for them), but the use of hijacked servers and domains was. The criminals used an Oxford University email server to send their messages. The recipients were directed to malicious sites in a hijacked Samsung domain hosted on an Adobe server. The goal was to steal targeted network access credentials, and the hijacked servers and domains facilitated the passage of the phishing emails through enterprise security systems.
Remember the high-minded chatter in the underworld early in the pandemic about how criminals should restrain themselves for the sake of the common good? Right. We didn't believe it either. But anyone still persuaded that cybercriminals have trimmed their attacks out of public-spirited responsibility during the COVID-19 pandemic will be disillusioned by a Digital Shadows study of criminal forums. There's more criminal-to-criminal business than the underworld can handle, and the gangs are scrambling to find moderators who can keep up with demand. One example of their findings comes from the English-language forum Nulled, which is looking for two new trial moderators to keep pace with the forum's growth. The Nulled community is growing especially rapidly during COVID-19, and so it needs additional assistance.
So what does a moderator do for a cyber mob? Digital Shadows explains that the typical criminal forum, whether it speaks English, Russian, or any other language, is organized as a pyramid. An administrator sits at the top, exercising general direction. Beneath the administrator are moderators who handle day-to-day operations. As Digital Shadows puts it, taskings vary, but moderators enforce forum rules, answer questions, organize content, and watch for crook-on-crook scams. Not just anyone has what it takes to be a moderator. They should, the want ads say, be friendly and approachable people who know how to use their initiative. Nulled explains that they should be able to maintain peace and order in the shout box as they find and expel spammers, leechers, and multis. They should be mature and handle situations professionally, be good at making unbiased decisions, and above all, treat each member equally. And people like that are hard to find. Ask any HR department.
The UK has a strong presence on the global cybersecurity stage with a healthy ecosystem of universities, government organizations, and private sector security companies. Michael Powell is cyber representative to North America for the UK's Department for International Trade, and he offers these insights.
We recently published a report in January, put together by the Department for Digital, Culture, Media and Sport. And at the moment, we've estimated the size of that market to be around 8.3 billion pounds. And that's a 46% increase since we last assessed the market in 2016. And that is just for pure cyber businesses. So it doesn't include defense or any of the other areas of security.
And so who are some of the leaders there in the UK in terms of some of the organizations that we would know about, you know, the household names when it comes to cybersecurity?
Yeah, absolutely. So Darktrace, obviously a very popular solution globally. And then the likes of Glasswall, you may have come across Garrison Technologies, Nominet. So some fairly global brands. But then you also have presences there from IBM, from Northrop Grumman, from Raytheon. So some of the large US defense contractors you'll be very used to seeing in the press here in the US.
And so what is your advice for organizations here in North America who want to establish a working relationship with companies in the UK?
That's exactly what we're here to do as UKDIT. So my advice to them is to reach out to us as UKDIT. That's exactly what we are here to do. And we can assist them with either the G2G connections or the commercial connections that they need if they're considering either setting up an office or working collaboratively with somebody in the UK sector.
Do organizations find that this could be a first step into a larger exploration of European markets in general?
We think so, yes. I mean, we have the ongoing topic of Brexit, which I'll avoid, but absolutely, yeah. Being in London, you know, you're still geographically very close to Europe and you're in the right time zone to do business there. So we have historically found, because of the similarities between the UK and the US market, the UK market is a really good landing pad for US companies that then want to consider expansion into the rest of Europe as well. And being English speaking, it helps a little bit with that first journey.
Are there any common misperceptions that you find organizations have when it comes to getting started with these things?
I think there's an expectation in both directions, so we support both trade and investment, that the two markets are so similar that they could be trivial. I would say whilst, yes, they share a language and we clearly share a lot of similarity, as I've just said, the markets are actually very different. The reasons that people buy, the motivations, can be different. So actually, it's understanding that whilst they're similar in a lot of ways, there are differences. And when it comes to marketing your solution, there'll have to be a slightly different way that you go about doing that.
What are some of the differences?
I knew you'd ask me that. So I would really just say it's, for me, what I've seen, it's around buying. In the US, people are very used to being sold to. So when I provide advice to UK businesses, I tell them, you know, be bold, be very clear what your solution does, ensure that you can differentiate it in 90 seconds from everybody else's solution, and get ready to actually have 100 conversations, and perhaps 10 through one of those will play out. I would say the sell in the UK is often far more relationship driven. So it will be ensure that you're attending the right forums, show that you're present, show that you are a thought leader, and demonstrate that you are there. And you're not just there to sell to the market, but you're also there somehow to contribute to the market itself. And having that presence over a period of time will then sort of engender a trust in your organization, which means you're far more likely to be successful in the UK market.
That's Michael Powell.
He's the cyber representative to North America for the UK's Department for International Trade.
It turns out that CAPTCHAs, those I'm-not-a-robot questions designed to keep bots out of sites, can be used for evil as well as good. The good guys use automated tools to detect malware, and Ars Technica reports, citing Microsoft discoveries, that some criminals are now using CAPTCHAs with their maliciously crafted Excel files in order to help them steer clear of automated defenses.
The U.S. Justice Department yesterday issued its review of Section 230 of the Communications Decency Act. Section 230 has generally served to shield Internet platforms from various forms of civil and criminal liability. The department recommends four categories of reform that it says would bring the balance of various interests into line with the ways the Internet has evolved since the law was passed in 1996. The revisions would incentivize online platforms to address illicit content by denying Section 230 protection to genuine bad actors, carving out exceptions for terrorism, child abuse, and cyber-stalking, and adding case-specific carve-outs that would remove protection from platforms that knew, in a specific case, that third-party content was illicit. The proposed revision would also clarify federal civil enforcement capabilities, promote competition, and would help in, quote, promoting open discourse and greater transparency by replacing vague terminology and defining good faith.
Zoom, hearing the customers speak, has decided to reverse itself. The company will henceforth offer end-to-end encryption to all users of its remote conferencing service.
And finally, we note with respect and condolences the passing of Dame Vera Lynn, who died this morning at the age of 103. Famous as the Forces' Sweetheart, her songs, especially We'll Meet Again, comforted British soldiers, sailors, and airmen during the Second World War. Dame Vera returned to the public eye two months ago when she offered similar encouragement to people struggling with COVID-19 and the measures being taken to control it. So we spare a thought for a life that was as well-lived as it was long.
And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me. Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com slash N2K and enter code N2K at checkout. That's joindeleteme.com slash N2K, code N2K.
And joining me once again is Zulfikar Ramzan. He's the Chief Technology Officer at RSA. Zuli, always great to have you back.
I want to touch today on your thoughts on what it's going to look like when we come out of this COVID situation.
How are we going to approach privacy and security when we're on the other side of this?
You know, first of all, Dave, I think that there's this interesting notion. If you think about COVID-19, it has been the single greatest accelerant of digital transformation in recent times. It's really forced people to embrace digital technologies. People have supplanted their physical presence at work with video conferencing and collaboration tools. Classrooms have been replaced by distance learning environments. Movies are now much more streaming to our homes at a greater level of frequency than we've had in the past. Checkout lines at the supermarket are being sidestepped by people who are using on-demand grocery services and so on and so forth. Even our social interactions have shifted. Under lockdown conditions, we're conducting lunches, happy hours, playdates. We're having birthday parties and even funerals through virtual means. And so I think even though we've already known we could do many of these things for a long time, people are now availing themselves of digital capabilities and their benefits given this broader context. And these changes in my mind are just the beginning. So I think it's going to set the stage for a world in which technology plays a much more prominent role. And that means areas like digital privacy and digital risk become more, I guess, involved in increased notion that we have to consider.
Well, what specifically do you think we're going to see going forward when it comes to privacy?
So first of all, I think there's a big question around the notion of individual privacy, especially in a health context, versus systemic risk. And so today, and I'm sure it's true for each of us, our interest in the health status of any individual and the impact it can have on an overall system has never been greater. Now, in the future, I think we're going to see more and more people will be required to prove or provide some form of attestation about the state of their physical health. That could happen in different settings. And already we're seeing in some countries and some places where you can't board an airplane without having a temperature check done. You won't be able to come to work without, again, doing something similar along those lines, or maybe even providing some type of attestation that you've been vaccinated, eventually, when a vaccine becomes available against COVID-19. Now, these scenarios, again, these are not dream scenarios. We already are seeing many of these scenarios come up. And what that means is that there's a question now about all this data that's being gathered about individuals and the implications that could have for data privacy. All of a sudden, organizations might have health data about me. And that data could be potentially very damaging. There's a question of, in my mind, not just privacy, but fairness. And these notions are often conflated. Privacy is about the data that's being collected, how it's safeguarded. Fairness is really about how that data is being used. And I think, in my mind, I truly worry that we could be in a situation where that data could be misused or abused if not cared for correctly.
Well, and how do we ensure that we don't inadvertently leave people behind, people who might not have access? If we're shifting to a scenario where more and more of our day-to-day lives are reliant on technology, I can envision that there are whole groups of people who would have trouble getting access.
Absolutely. I think that's going to create a set of concerns. I mean, there's even been a lot of work in the media recently around the idea of Bluetooth contact tracing. And the challenge of Bluetooth contact tracing, one of the challenges, is that not everybody has a Bluetooth phone or has a mobile phone that they're willing to allow in that process, even if they have the capabilities. And for these technologies to be successful in any way, shape, or form, you need a critical mass of data. And I think that you're absolutely right. These are fundamental issues that are going to come up over and over again. The good news is that there's been a lot of work in epidemiology and other fields around how we can implement these types of mechanisms without digital technology. And so the idea of contact tracing, for example, has been around for decades. It's not new at all in the context of immunology and epidemiology. What is new maybe is trying to use digital technology to accelerate or make it more widespread. And so I think at the very least, we will have fallback mechanisms in key areas. But it's not always a good replacement in either case. And I think we have to struggle with how we're going to manage society in this future world.
Yeah. All right. Well, Zulfikar Ramzan, thanks for joining us.
Absolutely. Thank you, Dave.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.