CyberWire Daily - Cyberespionage and influence operations. Big botnet assembled in less than a day. Monetizing stolen paycards through online games. Amazon nudges developers. Report on Huawei. Phishing notes.
Episode Date: July 20, 2018

In today's podcast we hear that the US Intelligence Community remains convinced the Bears are up to no good. Finland experienced elevated rates of cyberattack during the Helsinki summit, mostly Chinese espionage. The hacker "Anarchy" assembled an 18,000-member botnet in less than a day, using known vulnerabilities. Crooks monetize stolen credit cards through online games. Amazon works to induce better AWS configurations. Annual UK report on Huawei is out. Phishing campaign notes. Zulfikar Ramzan from RSA on cyber risk quantification. Guest is Mark Peters II, author of the book Cashing in on Cyber Power. For links to all of today's stories, check out our CyberWire daily news brief. https://thecyberwire.com/issues/issues2018/July/CyberWire_2018_07_20.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The U.S. intelligence community remains convinced the bears are up to no good.
Finland experienced elevated rates of cyber attack
during the Helsinki summit, mostly Chinese espionage.
The hacker Anarchy assembled an 18,000-member botnet
in less than a day using known vulnerabilities.
Crooks monetize stolen credit cards through online games.
Amazon works to induce better AWS configurations.
The UK's annual report on Huawei is out.
And we've got some phishing
campaign notes.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Friday, July 20th, 2018.
The U.S. intelligence community remains convinced that the threat of Russian cyberattacks is real and imminent.
Director of National Intelligence Coats reiterated this conclusion at the Aspen Security Forum this week.
Speaking of influence operations, he said, "It's undeniable that the Russians are taking the lead on this. Basically, they are the ones that are trying to undermine our basic values, divide us with our allies. They are the ones that are trying to wreak havoc over our election process. We need to call them out on that. It's critical that we do so and then take steps to make sure that they're not able to do this with an election coming up."
The U.S. Department of Justice has also announced its intention of alerting the public when foreign attempts to influence or interfere with elections are detected.
As often happens during high-profile events,
Finland experienced heightened cyber attack rates during the Russo-American summit.
This is the conclusion security firm F5 reached this week.
As with earlier U.S.-North Korean meetings in Singapore,
IoT devices were particularly targeted. There's an apparent shift in which parties were interested,
however. This time, the espionage attempts seem to have come largely from China.
The Kim-Trump meetings attracted more Russian attention, with the bears snuffling around
Singapore. A large 18,000-strong botnet was swiftly assembled by a malware author
who goes by the nom-de-hack Anarchy,
probably the same individual also known as Wicked.
He or she exploited routers using the well-known vulnerability CVE-2017-17215.
What's disturbing is not the negligible damage, but the ease and speed
with which Anarchy pulled the botnet together. What Botmaster Anarchy, or if you prefer Wicked,
was up to with the escapade isn't entirely clear. He was certainly counting coup and doing some
chest thumping, according to a report in Bleeping Computer. But again, the swift growth of his bot herd is disconcerting.
You ever play Clash of Clans?
Well, sure you do.
You might as well admit it.
There's no shame, and we're not here to judge.
Have you ever bought gems or spellbooks?
Sure you have.
You've got a credit card, haven't you?
Or maybe you've got your parents' credit card.
You're still staying at home.
Alas, real bad guys are infesting Clash of Clans and not only the village and the builder base,
but other games as well, with Clash Royale and Marvel Contest of Champions
also being mentioned in dispatches. Security firm Kromtech, well known for their exposure
of misconfigured AWS S3 buckets, rains on our gaming parade with this bit of news.
Criminals are using popular online games to launder money.
They purchase in-game stuff with dirty money and then resell their stuff,
often in the form of player profiles, for legitimate money in various third-party gamer markets.
So, here's some gamer social responsibility for you. If you're
wheeling and dealing in-game currency, potions, and even dark elixir, you may be serving as an
unwitting money mule for the cyber mob. By the way, our Clash of Clans desk tells us that you'll
get the most bang for your buck if you level up giants, stealth archers, and barbarians first.
But we suspect their analysis will be controversial,
if only because of the bias it displays in favor of ground units and against dragons.
Talk amongst yourselves.
To return to Kromtech's investigations,
they continue to note that people still don't configure their Amazon Web Service S3 data buckets in a way that
would render them inaccessible from the bigger internet. We mentioned earlier this week their
disclosure they'd found exposed U.S. voter information in a bucket left out by the robo-calling
firm RoboSent. They also found an unsecured MongoDB database left open by the criminals
who compiled it, presumably inadvertently.
The criminal exposure of personal information is regrettable, but their self-exposure is not,
so good hunting, police. But one does hope that legitimate users of cloud services get some help
working more securely. To that end, Amazon is experimenting with two tools, which they're calling Tiros and Zelkova, that may help developers avoid AWS misconfiguration.
Tiros maps network connections and thus can display unexpected and unintended access from the Internet.
Zelkova benchmarks S3 buckets against other elements of an enterprise's infrastructure and helps reveal how permissive
an AWS configuration is in comparison to the rest of the infrastructure.
Both tools are intended to show you misconfigurations before they bite you.
The UK government's Huawei Cybersecurity Evaluation Center reports that Huawei products
had underlying engineering issues that affected national security,
but that these seem to have been mitigated.
Huawei is spinning the report as good news.
That the British government has an organization
whose job it is to keep an eye on whether Huawei
might prove a security problem is instructive,
indicating both awareness of risk
and the degree to which British infrastructure
is entangled with the Chinese company.
Finally, you may have received scam emails with dubious attachments that appear to come from
British universities. An ongoing criminal campaign spoofs emails from their domains.
We've been noticing them. Our gunnery desk keeps getting emails from the University of Wales St. David Trinity inviting them to open the attached invoice.
They thought at first it was a really aggressive fundraising campaign,
but no, it's a scam.
Tell every member of your clan.
And joining me once again is Zulfikar Ramzan. He is the chief technology officer at RSA, a Dell Technologies business. Zulli, welcome back. We wanted to talk today about cyber risk and quantifying that risk. What do you have to share with us today?
Yes, you know, that's a huge problem,
and I talked to a lot of our customers they're interested in the idea of trying to mitigate or manage their risks fundamentally. But at the same time, very few
of them have a consistent and rigorous view of what that means. And so I'll give you one example.
I was talking to the CISO of a major hospital, and they were telling me that their biggest risk
was ransomware. And to a certain degree, ransomware is an issue they have to deal with, but
ransomware itself is not actually a risk.
Ransomware is a class of threat.
If that threat were applied to a particular asset and took advantage of a vulnerability on that asset and resulted in a loss for the organization, it's the amalgamation of all those elements.
The likelihood that the event happens and the overall likelihood of the loss that occurs as a result of that happening, that together really constitutes risk.
And until you think about risk more holistically,
it's hard to actually do anything that's going to be meaningful in terms of mitigating it.
So in that situation, ransomware is the problem that could cause, for example,
the hospital to not be able to treat patients.
That's the true risk.
Exactly. You have to look at both together
because what happens is if you don't ask yourself, you have to ask yourself two fundamental questions.
Number one, how likely is an event to happen? The second question is, what is the actual loss
that could occur if that event were to happen? That loss might be the initial loss. For example,
there may be a patient loss. There could be the loss in terms of the actual ransom you have to
pay out. But there are also secondary losses as well. Like, for example, the cost of re-imaging systems or
doing forensics works or hiring incident response teams, or in some cases, bringing in outside legal
counsel. And we actually had one customer a while ago who spent about $30,000 in ransom payments.
But if you looked at the overall loss of ransomware for that organization,
it was almost $4 million when you counted all the
things I just mentioned earlier. So what are your recommendations? I mean, how do we do a better job
communicating that this is the way it needs to be approached? That's a great question. I think
fundamentally, the first recommendation is ultimately, when you think about businesses
and what they're trying to achieve, it's very different than what a security practitioner
tends to talk about. Security practitioners tend to talk about threats a lot. The reality is that
businesses care about risks fundamentally. And so the first thing you have to do is, number one,
draw a distinction between what's possible versus what's probable. Many threats are possible in the
environment. A small number are actually going to be probable threats you have to worry about.
And then consider the loss associated with those threats. The second piece of advice I have is to avoid trying to aim for perfection.
Look, there's nobody who can quantify cyber risk perfectly.
That's just not going to happen.
But what we can actually hope to do is have a consistent and rigorous framework that accounts
for many of the elements that talks about risk in the same way across different parts
of the organization.
It's as if somebody were to tell you, would you get on a plane if you found out that the
engineers who designed that plane didn't have a common definition
of terms like mass or acceleration or velocity? The answer is probably no. The same thing should
apply to cyber risk. We have to have a constant and consistent definition of what it means.
And then finally, the third element that I talk about is the idea of focusing on VIA,
which is visibility inside an action. If you're trying to mitigate risk,
you have to be able to measure and assess your risk. And that requires having visibility into
your environment because you can't measure or assess what you can't see. But visibility on its
own, while necessary, is not sufficient. Visibility can lead to this data landfill problem very
quickly. What you then need to do is be able to glean insights from that visibility through
analytics, be able to identify what it is that matters most. And then finally, you have to be able to take a set of actions
against those insights. And it's those actions that ultimately will end up mitigating your risk
and you come back full circle through that loop. The goal for organizations should be to go through
that loop as frequently as they can and try to tackle a little bit along the way each time
as part of their overall journey and being able to manage their digital risk.
All right. Zulfiqar Ramzan, thanks for joining us.
My pleasure.
My guest today is Mark Peters. He's the author of the recently published book
Cashing In on Cyber Power. He
currently works in the United States Air Force as a career intelligence officer with over 21 years
of experience there. His book, Cashing In on Cyber Power, analyzes over 10 years of cyber attacks,
seeking to understand where state and non-state actors use those tools to generate economic
effects through today's cyber-connected world.
When I started out doing my research, I was actually looking for how people would do
an identity-based attack in cyber, how they'd look at, you know, kind of a character assassination
through cyber. And that really wasn't working, and it really wasn't supported very well.
So I started looking at the traditional military analysis of strategy for the DIME aspect, the diplomatic, information, military and economic look, and to see where the different characteristics
were. And I thought, you know what, it might be easier to do an economic based attack than it
would be to do a military or information or some other type of attack in cyberspace. So I looked
to see if I could find enough data to actually compare those numbers in a useful fashion. So take us through, what did your research uncover? So actually most of the attacks,
and this was looking at, I used the Center for Strategic and International Studies, the CSIS
guys, they did a look at cyber attacks or significant cyber attacks since 2006. So I
started out using their characterization to identify attacks.
And it really uncovered that most of the attacks for this period from about 2006 to 2015, or at
least once I was able to uncover and get useful data on, secondary sources of data, were mostly
still in the information sector. And then after the information sector came economic as a secondary source, information economic, and then diplomatic was the third.
Now, when you compare what's going on today in the cyber domain to what has happened historically throughout time, how have things changed and how much are they just new versions of old tactics?
The numbers have gone up significantly because I was trying to look more at the functions and the actual delve into which techniques they were using. I didn't really
get into a lot of those numbers. What I found in going through is I picked up a couple of
interesting items to also do case studies on. The ones I wound up doing case studies on
was the Codan company in Australia, which lost some IP to China on gold detectors.
I looked at some TTP data losses for Japan that actually slowed their engagement with that process.
And then I did get a look at the initial Ukrainian cyber attack in 2015.
When it comes to this notion of disproportionality,
I think many people would agree that the cyber realm is an area where, certainly compared to having a
military, you can get a strong outcome through less investment than, you know, in terms of
influence on a global nature, you can get a lot done without spending a lot of money.
I think that all depends on how much influence you want to have and what impact you want to have.
The criminal actors actually did have more economic attacks than the state-based actors overall. And I think, you know, if a state
wanted to go out and steal all the money from the ATMs, they could do it with significantly
lower investment than the criminals are. But I don't think that's in their best interest or shows
the best reactions to them in the long run, right? You don't want to be known as the state that
stole everybody's ATMs. What do you suppose we're headed when it comes to international norms in
terms of both diplomacy and economics and how that would bleed over into the military?
I think like a lot of things, it'll probably stay fuzzy for a while. A lot of the work I did was
with the interdependence work by Joseph Nye, who's been a big, and Keohane had been the big proponents of that, or the
big initial movers in that area. And that means that the more channels and the more dependent we
get on somebody else, the more these little movements, even in that cyberspace, have effects
on everyone else in that space. So as more people depend on it, and we talk about just basic
internet connections, we talk about an internet of things and possibly even a concept of a global cyber commons, the more difficult it will get to
establish those red lines because everybody will be depending on it. Or the easier that you take
everything down, your entire economy is going to collapse or everybody's going to be upset.
You look at getting snow in Maryland and how easily a couple inches of snow shuts down the whole city. If you kind of expand that analogy to cyber, a couple little things done by a state in cyber, if they shut down major portions of that economy, people are going to complain fairly quickly.
And what would your advice be to policymakers, having done the research you did in writing the book? What would you share with them?
I would say they just need to continue
looking at the area they need to continue looking at a bunch of different aspects of the area.
We tend to over-focus on like the CVE and the OWASP and to look at what the actual technique
is and how to stop an initial malware attack without taking that expanded view to broaden
out, look at kind of the strategy and the trends for where things are going. If you look at more
of a strategy-based aspect, we get a better look at maybe how we need to prepare
and how we need to plan,
where we can set those red lines
based on the fact that we know what our strategy,
we know what our desired goals are, the objectives,
and then we can move out from there.
It seems to me like it's been a real interesting shift
over the past couple of decades
about how much of the world economy
depends on the cyber domain.
And, of course, with that, part of that evolution has been the cropping up of these bad actors,
you know, criminals working there, but also the ability of nation states to leverage that space as well.
I think that's a true factor, and I think we don't actually look at all the aspects of cyber we can get.
I had written an article in the development of this book talking about how we could use cyber tools to generate better sanction effects.
When we talk about doing economic and financial sanctions, we're still doing a lot of those through the paper aspect and identifying things.
When we look at that, if we had the ability or we had the cyber tool, we could go out and maybe block a bank and then use that money to support the people we said we were going to support along the way.
You know, there are other aspects to it.
There are other things that we can do with those cyber tools, but we're focused on using them in the military, not that whole government kind of approach.
That's Mark Peters.
The title of the book is Cashing In on Cyber Power.
And that's the Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.