CyberWire Daily - Cyberespionage and influence operations against prospective members of the incoming US Administration. Cold chain attacks. TrickBoot. Vasya, what do you do for a living?
Episode Date: December 3, 2020
Chinese intelligence services are prospecting think tanks and prospective members of the next US Administration. Spearphishing the vaccine cold chain. Expect vaccine-themed phishing. After a temporary..., pre-US election suppression, TrickBot’s back. Holiday shopping season is bot-season. Consumers are thought likely to get upset about smart device privacy in 2021. Awais Rashid from Bristol University on privacy at scale. Our guest is JP Perez-Etchegoyen from Onapsis on the risk associated with interconnected cloud and SaaS apps. And suppose you’re a cybercriminal...we know, but suppose. What do you tell your sweetie you do for a living? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/232 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Chinese intelligence services are prospecting think tanks and prospective members of the next U.S. administration.
Spear phishing the vaccine cold chain.
Expect vaccine-themed phishing.
After a temporary pre-U.S. election suppression, TrickBot is back.
Holiday shopping season is bot season.
Consumers are thought likely to get upset about smart device privacy in 2021.
Awais Rashid from Bristol University
on privacy at scale.
Our guest is JP Perez-Etchegoyen
from Onapsis
on the risk associated
with interconnected cloud
and software as a service apps.
And suppose you're a cyber criminal.
We know, but suppose.
What do you tell your sweetie
you do for a living?
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Thursday, December 3rd, 2020.
William Evanina,
director of the U.S. National Counterintelligence
and Security Center,
has called attention to Chinese espionage
and influence operations
directed against prospective members
of President-elect Biden's incoming administration.
The BBC quotes Evanina as calling the efforts diplomatic influence plus or on steroids,
and Cyberscoop notes that those around the new administration are among the targets.
Evanina's remarks follow this week's joint warning from CISA and the FBI that unnamed
foreign services are
attempting cyber espionage against think tanks. Why think tanks? In the U.S. political system,
think tanks not only contribute advice to policymakers and legislatures, a quasi-academic
function, but they also play the role that a shadow cabinet plays in countries with parliamentary
systems. Senior executives,
presidential appointees at the assistant secretary level, are often drawn from think tanks. So an
interest in both influencing and collecting against think tanks is entirely foreseeable
as adversaries develop their espionage target lists. IBM has observed a spear phishing campaign against an important but easily overlooked
link in the COVID-19 vaccine development and distribution supply chain, the cold chain that
ensures the safe preservation of vaccines in temperature-controlled environments during their
storage and transportation. The actors behind the phishing, IBM says, impersonated a business executive from Haier Biomedical, a credible and legitimate member company of the COVID-19 vaccine supply chain.
Program, the European Commission's Directorate General for Taxation and Customs Union, as well as organizations within the energy, manufacturing, website creation, and software and internet security solution sectors.
These all figure in the cold chain supply chain, but they have much wider activities
than that.
It's unclear who's behind the campaign, but IBM observes that the focus and care on display in the phishing effort
and the absence of any obvious cash-out potential
suggests nation-state espionage as opposed to criminal activity.
The attacker's goal, the researchers think,
may well be credential harvesting and thus battle-space preparation for future campaigns.
As the report puts it,
quote,
Moving laterally through networks and remaining there in stealth would allow them to conduct cyber espionage
and collect additional confidential information
from the victim environments for future operations.
End quote.
Criminals can be just as opportunistic as intelligence services.
As COVID-19 vaccines approach approval and widespread administration, criminal social engineering can be expected to follow the news.
Security firm KnowBe4 warns that vaccine-themed phishing should be expected.
TrickBot has been up and down, driven down by U.S. Cyber Command and a Microsoft-led industry consortium prior to the U.S. elections.
It's now returning.
Researchers at the security company Eclypsium say that new capabilities,
wrapped up in the toolset they're calling TrickBoot,
represent a significant evolution that targets firmware and offers the capability of bricking affected devices.
Researchers have observed what they take to be preliminary reconnaissance.
The report is intended to be alarming, and indeed, it is.
The researchers note that TrickBot has been a favorite of criminals,
as well as some of the murkier state-connected operators from Russia and North Korea.
They think the reconnaissance means that adversaries leveraging TrickBot now
have an automated means to know which of their latest victim hosts are vulnerable
to UEFI vulnerabilities, much like they added capabilities in 2017 to exploit the EternalBlue
and EternalRomance vulnerabilities.
Bots are seeing widespread use in criminal
attempts to take advantage of online shoppers during the holiday season.
Barracuda reports detecting a staggering number of bots and bot-driven attacks.
The leading bad bot personas they're seeing are Headless Chrome, Yerba Software, and M12Bot.
E-commerce platforms can reduce the risk to themselves and their customers, Barracuda says,
by using web application firewalls and ensuring they're properly configured,
ensuring that those security solutions include anti-bot protection
and applying credential stuffing protection to help prevent account takeovers.
WatchGuard has joined those offering predictions for 2021, and one of their major predictions is that consumers will revolt over smart device privacy issues during the coming year.
After all, who wants to worry about what they're saying in front of the vacuum cleaner?
So maybe you've asked yourself a question like this.
If I turn to a life of crime, what would I say when people ask me what I did
for a living? Or maybe you're asking for a friend. Since our editorial staff is for the most part
stuck at home and binge-watching episodes of Law & Order in all three of its principal variants,
they would have guessed that professional criminals identify themselves as being in the import-export business,
or they'll call themselves investors or entrepreneurs, our staff's particular favorites.
But that's just an initial naive take.
Digital Shadows' Photon research team has poked around in Russian cybercriminal chat rooms,
so the rest of us don't have to,
and they offer an interesting window into a frequently overlooked challenge of the whole cybercriminal lifestyle.
What do you tell your
significant other you do for a living? And even worse, what do you tell your significant other's
parents you do for a living? Some forum participants advise their brothers in crime,
and it does appear to be overwhelmingly a bunch of bros,
to just stonewall, tell them nothing.
But that's probably not going to work for very long.
One of those offering advice said he usually told people he'd been unable to find work
since he was released from prison.
But that seems unlikely to satisfy Katerina's parents.
Some offered responses that Digital Shadows called facetious.
Maybe those don't work so well either.
Maybe significant other's mom asks you to fix that old car that belonged to significant other's great-grandmother,
and then where are you?
Out of luck is where.
So perhaps the best reply is something vague and preferably IT-related.
Bad guys and gals commiserating with their perplexed brethren
say they've had some success with telling people
they work in search engine optimization,
online advertising, information security,
website design, software development, IT journalism, programming, or server administration.
But even this has its downsides,
especially as the general population grows progressively more tech literate.
As one criminal shares, I used to answer that I'm a programmer, an IT specialist, but now every taxi
driver out there is interested in what field of IT you're in
or what type of programmer you are.
Well, you can always fall back on investor or entrepreneur.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know
that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
JP Perez-Etchegoyen is CTO at application security firm Onapsis.
He joins us with thoughts on the risk associated with interconnected cloud and software-as-a-service apps.
So today what we find, we are wrapping up 2020,
and we are finding an even more interconnected landscape
in terms of applications, right?
Companies that still operate on-premise,
still have their data centers, their cloud services,
private clouds, and all of that interconnected,
but also running with SaaS applications,
all of them sending data back and forth and being able to operate in this new context, right?
So ERP, CRM applications, BI, BW, supply chain, logistics, operations, all of these applications are ensuring
that organizations are able to fulfill their purposes
and really to deliver what they need to deliver to us as consumers.
It's all more and more interconnected than ever, right?
Well, and so in your mind,
what are the key considerations that people need to keep in mind as they're either moving to the cloud or continuing to operate in the cloud?
What are some of the things that they need to keep top of mind?
Yeah, I think the key part there is to understand that when we move to the cloud, it's not somebody else's problem. It's not that, hey, I offloaded a lot of my workloads
to a cloud vendor and now I don't need to take care of security.
I don't need to deal with risk here
because it's all my provider's responsibility.
Well, you know what?
It's still on your responsibility
because the responsibility for the data, for ensuring that the data is safe, is still on the customer, on the company.
So companies operate by managing a lot of different business processes and data, including personal data, including a lot of regulated data.
And in order to make sure that that's secure,
they need to be able to put the right controls in place.
So going to the cloud, going to a more interconnected world,
it's really about, sometimes it's hard to believe
that it's about the basics, or at least it starts with that.
Making sure that the settings and the configurations and the
patches and really the authorizations, the basic authorizations
to how to access those applications, especially in companies
that have thousands of employees now remote
being able to access those systems. So what we are seeing more and more
in organizations is really,
like, just start with covering the basics,
start covering the configurations, the integrations, the authorizations,
all of that, that helps significantly reducing risk.
That's JP Perez-Etchegoyen from Onapsis.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And joining me once again is Professor Awais Rashid. He is the Director of the National Research Centre on Privacy, Harm Reduction, and Adversarial Influence Online at the University of Bristol.
Professor Rashid, it's great to have you back again.
Today, we want to touch on this notion of privacy at scale.
What can you share with us today?
So, we rely on digital technologies for our daily lives on a regular basis.
And it has not been any more obvious than now in the pandemic where we have been able to, in many cases, engage in work, engage with others around the world, and utilize services through online infrastructure.
So digital technologies play a big, big part in our daily lives.
And certainly, for example, there has been a recent report from the UK that digital sector
is worth more than £400 million a day to the UK economy.
Of course, we benefit from all these services, but equally, as these services are very much data-driven,
there are increasing concerns about privacy violations or how that data that is actually
collected by these services is used. And this may be from, you don't have to go far, you can look at
sort of any major news outlet, and every couple of days, you know, there are questions about,
you know, are your smart homes spying on you or what kind of activity tracking can go on through
mobile apps or through smart speakers or smart devices and smart assistants.
So the question really we must ask is, how do we actually provide privacy on a large scale
in this kind of digital infrastructure on which we rely, but without also potentially impinging on privacy of individuals and the information that they would like to keep private about themselves.
Well, this is a fascinating topic for me personally.
What sort of proposals are out there for maintaining privacy at scale?
So one of the key things is that we need to rethink
what our data innovation model is.
And at the moment we think that, well, many people think that
to get value out of data, one must actually collect all data.
And there are some key advances in privacy enhancing technologies out there,
which are designed to actually get value from data without actually revealing all the information
about an individual or a particular setting that people may not want to reveal. So,
you know, a good example of this is differential privacy, where an algorithm will actually enable to get particular
value out of the data, but without revealing all the details in a way that you can't construct
an individual's data within that data set from the output that you have received from
the algorithm.
You know, again, personally, it's my perception that there's been a good bit of
hand-waving when it comes to privacy at scale. You'll hear people say, well, we simply can't do
that at scale. We can't provide that amount of privacy at scale. And, you know, it strikes me
that we shouldn't be satisfied with that. If someone were building a factory or a manufacturing
facility and they said, well, you know, this river next to our factory, we simply can't ensure that we don't pollute that river and still operate at scale.
That wouldn't be acceptable to us.
And yet we have these conversations that somehow operating at a certain scale and privacy might be mutually exclusive.
Yes, and I think that's exactly the kind of conversation that we need to
potentially challenge. And I'm reminded of this interesting piece on the Privacy Project website,
which had a heading which said, we read 150 privacy policies and they were an incomprehensible
disaster. And let's not forget that strides have been made. So, for example, we have a number of
privacy regulations. We have in Europe, for example, the GDPR, which requires organizations
to demonstrate how they are taking particular actions around privacy. But the question we have
to also ask is, how can we actually really ensure that the requirements that we are expecting as a society can be evidenced in the systems.
And it's also a big challenge for infrastructure providers.
You know, even if they want to challenge, the infrastructures are complex.
How do they actually evidence these kind of compliance with particular regulations and
actually really show that they actually give operationalization to particular requirements.
And I think there is also the flip side of it as to how the user feels empowered or disempowered with regards to privacy.
And a great example of this is under GDPR, we have now this sort of cookie law,
where when you go onto a website, you have to actually say what cookies people are accepting or rejecting.
And there is a really massive divergence into how different websites implement it.
So on some websites you go, they will go, well, we start with everything is rejected, you opt in.
Other websites will start with everything is accepted, you have to individually opt out.
But also the interfaces vary so much.
And, you know, I am a computer scientist, you know, I understand technology and even a lot of it at times can be quite incomprehensible to people who are actually technology experts.
And, you know, you think about, you know, this is meant for, you know, all citizens from all backgrounds.
And, you know, we all have to be able to understand what is going on and be able to make informed decisions.
But it also becomes a really complex task.
You know, every time you go to a new website, you go, oh no, I have to do this again. It is very disempowering. It almost leads to this
dejection by the users that not much can be done. That's why we come back to this thing that we have
to start by asking the question, what do we need to do to build privacy into the core of our
infrastructures, into the software systems and services that we are deploying,
what are the common building blocks that we need, so that they can then be leveraged to provide these services,
because it also makes the job of the infrastructure providers easier,
but it also actually takes the burden away from the users to constantly have to, you know,
deal with this, confronted with this issue of, you know, what do I do here?
All right. Well, Professor Awais Rashid, thanks for joining us.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio,
Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik.
Thanks for listening.
We'll see you back here tomorrow.
Thank you.
AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.