CyberWire Daily - Cyberattacks in Norway under investigation. Developments in the criminal marketplace. Scammers do TikTok. Disrupting school, from Florida to Northumberland.
Episode Date: September 3, 2020
Updates on cyberattacks against Norway’s parliament and the Hedmark region. A popular TikTok page is infested with scammers. Magecart’s Inter scanner gains criminal market share. Thomas Etheridge ...from CrowdStrike on the many potential benefits of outsourced threat hunting. Our guest is Lauren Bean Buitta from Girl Security on closing the gender gap in national security. Heading back to school in Miami? Not so fast, kids. And in Northumberland? Same goes there. (That’s Northumberland, England, by the way, not Northumberland, Pennsylvania.) For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/172 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Updates on cyber attacks against Norway's parliament in the Hedmark region.
A popular TikTok page is infested with scammers.
Magecart's Inter skimmer gains criminal market share.
Thomas Etheridge from CrowdStrike on the many potential benefits of outsourced threat hunting.
Our guest is Lauren Bean Buitta from Girl Security on closing the gender gap in national security.
And are you heading back to school in Miami?
Not so fast, kids.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Thursday, September 3rd, 2020.
The cyber attack Norway's parliament sustained last week has been followed by a second series of attacks directed against public employees in the Hedmark region. The attacks on the parliament involved unauthorized access to email accounts of members and employees, according to the New York Times.
The campaign was well distributed across party lines, with members of Labour, the Conservatives and the Centre Party affected.
Norway's PST Police Intelligence Agency is investigating.
So far, the origin and motive of the attacks on parliamentary email are unknown, but a hostile intelligence operation hasn't been ruled out.
The Hedmark attacks, on the other hand, are being attributed to foreign swindlers, News in English reports.
While scrutiny of TikTok has concentrated on the platform's potential national security threat, Tenable finds that TikTok's loose moderation practices may have made it an actual haven for criminal activity.
Tenable researchers say that TikTok's popular For You page is infested with fake mobile applications, diet pills, dropshipped goods, fake gift cards, and other scams.
Researchers at RiskIQ say they found Magecart's Inter skimmer active in more than 1,500 sites.
The Inter skimmer kit is now a popular criminal-to-criminal product.
The Miami-Dade School District attempted to open online learning Monday, but with decidedly mixed results, WPLG reports. The district seems to have
faced a cascading series of problems, some glitches, some attacks, and has responded with a mix of
remediation and delegation of improvisation to individual teachers. Miami-Dade County Public
Schools Superintendent Alberto Carvalho said the problems Monday arose from what he called the catastrophic failure of a Cisco software connectivity switch, which required an upgrade.
They worked with Cisco overnight and had the switch issue resolved Tuesday.
When school opened Tuesday, however, students and parents were effectively blocked from accessing distance learning resources by a distributed denial-of-service incident,
which Superintendent Carvalho characterized as an attack.
The district has been working with its internet service provider, Comcast,
to resolve the attack.
The district has been paraphrased in local media as saying that its cyber wall held,
which is probably true enough, but also beside the point,
since a DDoS attack is generally used to keep people out
and not, unless it's being used as misdirection, to break into an enterprise.
The Miami-Dade school police are investigating
and doing so in conjunction with both the FBI and the Secret Service.
Miami-Dade had contracted with the company K12 for its distance learning services,
and the board is now looking into the $15.3 million contract and asking what would seem to be obvious questions, like who actually signed that contract.
The Miami Herald says it was a no-bid contract
and that the superintendent's signature isn't on the actual contract itself,
so who actually bought the services?
And of course, people are upset about the service's lack of resilience.
The district will be busy looking into these matters for some time to come.
These observations are not intended to pile on to Miami-Dade,
which is surely having more than its fair share of trouble this week,
but rather to take note of how difficult it is to improvise a comprehensive system of delivering kindergarten through high school education when you're under
pressure of time and working under inevitably unfamiliar circumstances. Improvisation is going
on, however, and much of it seems to be the work of individual teachers who've set up Zoom and other
remote collaboration tools for their students.
And yesterday, the district delegated authority to improvise.
Teachers in grades 6 through 12 will now have the ability to create their own classroom by way of Microsoft Teams.
This is surely to be applauded, but it's also surely destined to come up short for a lot of kids,
and not only for those who are reluctant to be in school in the first place. If there's a general lesson to be learned here, it's the importance of testing and exercising
contingency plans. Again, this isn't to pile on to Miami-Dade, but risk managers might take note.
The challenges of distance learning aren't confined to primary and secondary education,
nor are they confined to North America. In the UK,
Northumbria University has shuttered its Newcastle-upon-Tyne campus because of a major
cyber attack it sustained. Computer Weekly reports that the university said that an unspecified
cyber incident had caused significant operational disruption. More than that, Computer Weekly
couldn't say. They tried calling the
university, but the phones were all down. Infosecurity Magazine said this morning that
while the university hasn't said what hit it, the incident looks like ransomware to them and to
others. The story is still developing. And to return to Miami-Dade, Superintendent Carvalho
said earlier this week that the cyber attack his
school sustained appeared to come from both foreign and domestic sources. That's to be expected in a
DDoS attack. The bots, after all, really don't pay too much attention to their nationality or home
of record. But a root cause may be very close to home. This morning, WPLG reports police arrested
a 16-year-old high school junior who admitted to
setting up the DDoS attack that took the district offline. WPLG gives the kid's name. We won't,
because as bad as the behavior is, he's only 16, and they say he has no prior criminal record.
The student at South Miami Senior High School, go Cobras, by the way,
confessed to orchestrating eight distributed denial-of-service cyberattacks
designed to overwhelm district networks,
including web-based systems needed for MySchoolOnline.
He's been charged with computer use in an attempt to defraud,
that's a felony,
and with misdemeanor interference with an educational institution.
The district thinks there might be other people involved, and it wants any other perpetrators
to know that they're going to be tracked down and apprehended, and that this time,
it won't be detention.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Girl Security is a nonprofit organization whose mission is to close the gender gap in national security through learning, training, and mentoring support for girls.
Lauren Bean Buitta is founder and CEO of Girl Security, which she founded in 2016.
We have three kind of pieces to our model.
We call it our SEA model, which is securing with information, empowering with training, and advancing with mentoring. All of our content
is developed by women national security practitioners. So we develop learning modules
on the different national security topics, like national security decision-making,
national security ethics, and then topical themes like
cybersecurity, terrorism, immigration. And we typically deliver those in the classroom
with teachers and schools across the U.S. And then for those girls and young women who are
interested in careers, we onboard them into our mentor network. And so they commit to six months
of really wonderful and supportive mentoring with
women mentors who represent many diverse pathways in national security. And then they kind of
continue through their career. So we pair them with a woman one step ahead of them in their
career. So as they move through, if they move through college, if not career, they're connected
with women who are one step ahead of them, who can kind of set the roadway for them so they know what to expect and how to position themselves better. Well, and you've
been at this for a few years now. How do you measure the success along the way? Have you had
a long enough view of that pipeline to see how it's working out? I think we have. I mean, I always
kind of joke it's like asparagus takes seven years to grow. And it's also a really bad funding pitch because, you know, we're working on the long term, right?
But this is similar to STEM. So we, you know, measure retention or measure success by retention
of partners, whether it's schools or girl youth organizations, and then the retention of those
relationships year over year. We have 100% retention. We measure it kind of by geographic metrics, right?
So we're working with girls in communities across 20 states.
So there is this kind of vast interest generally in national security and what's happening
in the news.
And then, of course, following those mentees who are now in college, some of whom have
started careers, as they move through
those pathways to, of course, measure points of attrition or other types of impediments that they
confront as women in still a very male-dominated field. You know, I would imagine a number of our
listeners would be interested in your organization from a couple different directions. I mean, we've
got young women who are coming up
who are students.
Certainly we have professionals who have daughters
who are interested in it as well,
but also a lot of folks who have experience
in national security.
In terms of outreach for those folks,
what's the best way for them to get in touch?
The best way is our website, which is girlsecurity.org.
There, girls and young women can register to be mentees.
Practitioners can register to mentor. We also have more public events. Of course, in the pandemic,
everything's virtual. So we'll have more events that are available to others outside of our kind
of traditional network. All of that's on our website as well. That's Lauren Bean Buitta from Girl Security.
You can find out more about them at girlsecurity.org.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Thomas Etheridge.
He is the Senior Vice President of Services at CrowdStrike.
Thomas, it's always great to have you back.
I wanted to touch today on threat hunting
and your take on how teams can make the most of threat hunting.
You've got a few tips you want to share. Certainly. So CrowdStrike's a huge proponent of
engaging in proactive threat hunting across client environments. Endpoint detection technologies
are advancing to the point where we're able to see and prevent a lot of known,
and in some cases unknown, but suspect threat actor activity. But doing active threat hunting
is something we strongly recommend and encourage most organizations to invest in. And if you can't
afford it internally, then there are certainly outsourcing options that are available,
some of them exceptional in terms of providing really rich threat hunting capability
that integrates threat intelligence and large data sets to make sure that you're getting that rich visibility
across your environment and can take advantage of the speed of alerting to try to stem the tide of threat actor activity.
So for an organization who's not yet doing threat hunting, how do you make the case for
the value proposition there? How do you convince them that this is money well spent?
Our philosophy on threat hunting is that it's critical to ensuring that you have a comprehensive approach to securing
your environment. We always talk about threat detection and endpoint security as being a team
activity. It's not just about a technology solution. It requires people and processes as well.
Threat hunting is very, you know, consider proactive targeting, targeted searches
across your environment to make sure you understand the difference between what is normal
and what should be expected in your environment and things that are not normal or unsuspected
in your environment. One of the advantages of threat hunting is that if you're doing it properly and at scale,
the ability to actually catch an attack scenario early in the stages of the attack goes up
significantly.
And CrowdStrike always talks about the speed at which we're able to detect and respond
and remediate events, the 1-10-60 rule.
Threat hunting provides that early stage detection, in many cases,
at the early stages of an attack so that organizations can better and more efficiently
respond to threats before they become a big problem. A good example of the benefit is
what our Overwatch team has done. In the first half of last year, we were doing about four advanced ransomware
campaigns per month. That's what we were seeing in our threat hunting platform. So far this year,
we're looking at a little more than double that, so about nine per month. So the increase in that
type of activity, the objective of threat hunting will be to identify that activity before ransomware
gets deployed. And if you can do that, the likelihood of mitigating the impact to your
organization goes up substantially. When an organization is looking to get started at this
and they're shopping around with other companies who can provide threat hunting, what are some of
the things they should be looking for?
What are the things they should be asking
in order to make sure that it's a good match?
What we talk to clients about, Dave,
is kind of what's the overall methodology for threat hunting.
Our methodology, we define it as SEARCH:
sensing, enablement, analyzing, reconstructing, communication, and then honing. Searching and
sensing really is about what's the data set that you're looking at for your threat hunt.
CrowdStrike threat hunting looks at over 3 trillion events a week. We're looking at millions and
millions of endpoints, and we're categorizing activity
across 100 different event types.
So having a broad sense of data that you're looking at is really critical.
Enabling and kind of enriching that content through additional intel is also critical.
So understanding and providing context as to what you're looking at through
integrated intelligence and looking at data in context, I think, is really important.
In terms of analyzing that, threats happen every day, 24-7, 365. Your threat hunting team,
if it's not in-house and can't be operating around the clock, 365, 24 by 7, you should look at outsource providers that can provide that threat hunting capability.
In terms of being able to provide very prescriptive advice, that's also critical.
So taking an alert and being able to provide actionable data as part of that so that the response team can quickly respond is very, very essential.
And then lastly, being able to communicate that event to those folks that can respond
and then take the lessons learned and embed that back into the overall threat hunting process.
So at CrowdStrike, we are doing about 650 unique learning opportunities every single week from threats that we're seeing in our threat hunting activity.
And it drives about 30 percent new threat hunting techniques that we deploy every single year.
All right. Well, Thomas Etheridge, thanks for joining us.
Thank you, Dave.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time, keep you informed, it tastes great, and it's less filling.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Carrigan, Carole Theriault,
Ben Yelin, Nick Veliky, Gina Johnson,
Bennett Moe, Chris Russell, John Petrik,
Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening.
I'll be off tomorrow, back here next Tuesday. Thank you.