CyberWire Daily - Cyberespionage and international norms of conduct in cyberspace. DarkSide establishes storage options for its affiliates. TroubleGrabber in Discord. Unapplied patches.

Episode Date: November 16, 2020

Nation-states continue to probe COVID-19 vaccine researchers. The Global Commission on the Stability of Cyberspace proposes international norms for promoting stability in cyberspace. DarkSide ransomware-as-a-service operators sweeten their offer with storage options. TroubleGrabber is stealing credentials via Discord. SAD DNS code pulled from GitHub. Betsy Carmelite from Booz Allen with a forward-looking view of 5G. Rick Howard takes a look at SOAR. Many patches remain unapplied, and CMMC wants US Defense contractors to move toward positive security. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/221 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Nation states continue to probe COVID-19 vaccine researchers. The Global Commission on the Stability of Cyberspace proposes international norms for promoting stability in cyberspace. DarkSide ransomware-as-a-service operators sweetened their offer with storage options.
Starting point is 00:02:17 TroubleGrabber is stealing credentials via Discord. SAD DNS code pulled from GitHub. Betsy Carmelite from Booz Allen with a forward-looking view of 5G, Rick Howard takes a look at SOAR, many patches remain unapplied, and CMMC wants U.S. defense contractors to move toward positive security. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, November 16, 2020.
Starting point is 00:03:09 Late Friday, Microsoft said it had detected further activity by nation-state threat actors against companies involved in COVID-19 vaccine research. Strontium, Zinc, and Cerium were the groups named by Redmond. Microsoft favors elemental names for threat actors. Others call Strontium Fancy Bear, familiar as a unit of Russia's GRU, and Zinc is well known as the Lazarus Group, the premier North Korean cyber espionage outfit. Cerium is also attributed to North Korea. Redmond's statement is at least as much a denunciation as it is a report. Microsoft used last week's Paris Peace Forum to call for international restraint in cyberspace,
Starting point is 00:03:49 particularly with respect to activities that put biomedical research at risk. At that forum, the Global Commission on the Stability of Cyberspace also released its final report on advancing cyber stability, which Computing characterizes as a proposal for a Geneva Convention for cyberspace, and which the Register points out will require a lot of bilateral work before the eight principles the GCSC proposes approach reality. The report advances four principles.
Starting point is 00:04:19 First, responsibility: everyone is responsible for ensuring the stability of cyberspace. Next, restraint: no state or non-state actor should take actions that impair the stability of cyberspace. Next, requirement to act: state or non-state actors should take reasonable and appropriate steps to ensure the stability of cyberspace. And respect for human rights: efforts to ensure the stability of cyberspace must respect human rights and the rule of law. On the basis of those principles, the Commission proposes eight norms of conduct for cyberspace. They generally advance confidence-building among nations, including potential adversaries,
Starting point is 00:05:01 and they seek to implement versions of the norms of discrimination and proportionality that have traditionally shaped the laws of armed conflict. They would also enjoin responsibility for cyber hygiene and control of non-state actors that would be consistent with traditional principles of sovereignty. The Global Commission on the Stability of Cyberspace was organized by the Hague Center for Strategic Studies and the East-West Institute. It's a non-governmental organization funded by numerous governments, corporations, and organizations. Its partners who provide the largest contributions include the governments
Starting point is 00:05:36 of the Netherlands, Microsoft, Singapore's Cybersecurity Agency, the Ministry of Foreign Affairs of France, the Internet Society, and affiliates. DarkSide, a ransomware-as-a-service gang, has let it be known that it's established a distributed storage system to hold and leak data obtained from ransomware victims. Bleeping Computer says that researchers at darknet monitoring shop KELA found the discussion and associated offers on a Russophone hacking forum. BankInfoSecurity reported last week that DarkSide had established an affiliate program.
Starting point is 00:06:13 The gang sees distributed storage as a sweetener for its affiliates. The gang says it intends to host the service in Iran or other unrecognized republics to lend it even more resilience than its distributed architecture already provides. Netskope has described TroubleGrabber, a credential stealer that infests the Discord gaming community platform. The malware spreads through Discord attachments and reports stolen data back to its masters through Discord messaging.
Starting point is 00:06:43 Netskope sees this as another instance of an inevitable trend, criminals abusing cloud apps. There's a social engineering dimension to the phenomenon since users tend to put trust in such apps, and it's precisely such trust the attackers seek to exploit. We noted last week that researchers at the University of California, Riverside, and Tsinghua University in Beijing warned that a revival of DNS server cache poisoning could be in the offing, and that they had a proof of concept,
Starting point is 00:07:14 side-channel attack DNS, or SAD DNS, to prove it. Since then, the researchers have said they pulled the code for SAD DNS from GitHub, lest it fall into the wrong hands. We hope they got it locked down before the hoods noticed. The SANS Technology Institute's Internet Storm Center got thinking and asked, perhaps in a Bishop Berkeley mood, if no one talks about a vulnerability anymore, does it still exist? Their answer is the firmly realistic "heck yes." The blog post from SANS says vulnerabilities don't disappear just because we don't talk about them anymore.
Starting point is 00:08:04 They found about a hundred highly dangerous vulnerabilities, long ago patched, still gurgling around in the wild. They post a list of the top ten, and it's disturbing enough in its own right. Two of the bugs on the list are, as one would imagine, BlueKeep and Heartbleed, and their presence shows, quote, that even very well-known vulnerabilities are sometimes left unpatched for years on end, end quote. So again, do apply the patches your systems need. And finally, Cybersecurity Maturity Model Certification, CMMC,
Starting point is 00:08:37 which affects U.S. defense contractors and has been approaching for some time, will come into force at the beginning of December. Breaking Defense summarizes the new certification requirement as a move away from self-attestation of progress toward vulnerability reduction and toward positive verification that a company has met appropriate NIST standards. Homeland Security Today quotes NIST fellow Ron Ross as saying, quote, We literally are hemorrhaging critical information to our adversaries, explaining that CMMC is aimed at stopping the bleeding, end quote.
Starting point is 00:09:14 Those seeking Pentagon contracts in the future, and that will be about 1,500 vendors in fiscal year 2021, need to demonstrate compliance with NIST and Department of Defense standards, not just pay lip service to progress towards compliance. Katie Arrington, CISO for the Office of the Assistant Secretary of Defense for Acquisition, sees CMMC as representing progress toward establishing a level playing field for companies that bid on defense contracts. Contractors should pay heed.
Starting point is 00:09:44 As Arrington put it, quote, we mean it, end quote. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents,
Starting point is 00:10:10 winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security
Starting point is 00:11:06 questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Starting point is 00:12:02 Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is the CyberWire's Chief Analyst and Chief Security Officer, Rick Howard. Rick, always great to have you back. Thanks, Dave. You know, one of the things that gets harder for me, the older I get, is keeping up with all of the acronyms and abbreviations and names of things.
Starting point is 00:12:36 You and me both, my friend. I mean, I know it's the same in every industry, but boy, it sure does seem like cybersecurity is proud of all of these things. And then this week on CSO Perspectives, you were taking on the topic of SOAR. And I'm going to go out on a limb here and say that you haven't recently picked up the sport of paragliding. Although it is an aspiration for me, yes. All right. Very good. We'll just check your insurance before you go. Well, what's going on here with SOAR? All right.
Starting point is 00:13:05 So SOAR stands for Security Orchestration, Automation, and Response. And Gartner tends to coin these things, okay? And they did this back in 2017. But security leaders and pundits like Jon Oltsik over at CSO Magazine, they started talking about the concept as far back as, oh, 2015 or so. And the problem we're trying to solve here is how to automate the handling of all the messages, alerts, and intelligence products
Starting point is 00:13:34 we are receiving in the SOC from the technology within our security stack. What's happened over the last few years is the SOC analysts are overwhelmed with the volume of these things that have exploded exponentially in recent years. Well, what is the cause of that? I mean, why all of a sudden are the SOCs getting overwhelmed with all this information? Well, there seems to be some disagreement about that.
Starting point is 00:13:57 But my own personal theory is that at least a contributing factor was when the entire network defender community started to implement the intrusion kill chain prevention strategy. So before Lockheed Martin published their famous paper in 2010, most of us were using a strategy called defense in depth with mostly three prevention tools. We all had firewalls, intrusion detection systems, and antivirus systems. After the publication, vendors came out of the woodwork to provide prevention and alerting tools for each phase of the intrusion kill chain. So as a result, many small organizations today have at least 10 security tools in their security stack. Medium-sized companies have about 50, and large Fortune 500 companies or big governments have at least 100. So this is a far cry from the three that we all managed before the paper was published,
Starting point is 00:14:50 and all of them are spewing alerts and messages into the SOC. Well, help me understand here. So are the SOAR devices helping the SOC analysts process all this stuff, all the telemetry they're getting from all these devices? That's right. So most times SOC analysts are just manually deciding to either ignore the messages or delete them or save them for future reference
Starting point is 00:15:14 or pass them up the chain for further consideration. So SOAR tools help automate those decisions. But I will say that there isn't universal agreement from the CISO community that SOAR tools are necessary. Some say, why do you need a tool to do that? Why don't you just tune the security device to not send all those unneeded messages? So I was talking to Rick Doten about this. He is the CISO for Carolina Complete Health, and he's a regular visitor to the CyberWire's hash table. It lets you not effectively use the tools you have. It kind of covers up for the fact that, well, I put in this email gateway and I just, you
Starting point is 00:15:51 know, left the default settings on and it does, it blocks spam and it helps, you know, find, you know, bad links and malware and stuff, you know, but I get all these extra things to it. So I'll add a SOAR tool that'll kind of clean it up instead of looking at it and how can I use it to its potential. So you have a lot of tools you're using 20% of their potential because you don't want to dig into it
Starting point is 00:16:11 and having something kind of pick up all the slack to kind of like normalize it so a human doesn't get bombarded. I agree with Rick to a point. If you are just trying to reduce the noise volume in your SOC, there might be a cheaper way to do it.
Starting point is 00:16:24 But if you're using SOAR tools to help with infrastructure as code projects or your DevSecOps projects, SOAR tools might be a nice lever to pull to help you on your way. And we're going to talk about all of that in this episode of the CSO Perspectives. All right. Well, you can check that out and much more over on CyberWire Pro. That is on our website, thecyberwire.com. It's CSO Perspectives. Rick Howard, thanks for joining us. Thank you, sir.
Starting point is 00:17:01 Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly
Starting point is 00:17:26 and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your... And joining me once again is Betsy Carmelite. She's a senior associate at Booz Allen Hamilton. Betsy, it is always great to have you back. I wanted to touch base with you today about 5G and where we stand right now, the deployment in the United States and some of the things that you're tracking there. What do you have to share with us today? I wanted to start with some of the foundational points about 5G as we do see its popularity increase and enterprises and consumers anticipate the gains from 5G networks. There are really three main concepts for enterprises to understand as this 5G adoption takes hold. First, 5G is really the convergence of the physical device realm and the digital environment at scale. That's really important, both at the consumer level and at the critical infrastructure level.
Starting point is 00:18:39 Secondly, because of this convergence in scale, security really has to be part of the design of 5G. Because any breach or attack, and we'd be looking at high-impact, high-probability events across this ecosystem, would really affect multiple components of the 5G ecosystem. We'll touch on a couple of these threat scenarios in a moment. And lastly, 5G may be popular and gaining popularity, as we see from advertising, prevalence of discussion in the media. But 5G is really at its nascent stage right now. And we're looking at pervasive adoption in the coming three to five years.
Starting point is 00:19:24 Yeah, you know, I really wanted to touch with that specific point on you, because, you know, I'm on the verge of upgrading to my first 5G device. But, you know, the reviews that I'm seeing on the consumer side of things, the folks in the tech world are saying, you know, it's not quite there yet. We're not seeing those promised high speeds and, you know, maybe it's yet to come, but the excitement seems to be waning a little bit. Yeah, I would say that that's an opportunity. And what this means is that we have time to get the security application of 5G right, get it right now to get ready for what's on the horizon. So we've seen statements from the White House earlier this year that malicious actors are already seeking to exploit 5G technology. And that is a target-rich environment because of the scale of the devices 5G will connect
Starting point is 00:20:11 and the amount of data that will be transmitted. So this is an opportunity now to get this right and get it secure. So what are some of the specific technologies that are going to make this transition possible? And how is that going to affect organizations and their ability to use it? I wanted to touch on a couple of these technologies. And they also demonstrate where new components from 5G come into play,
Starting point is 00:20:38 as well as a couple of threat scenarios that could impact organizations' use of 5G. First, I'm going to touch on MEC, which is Multi-Access Edge Compute. And MEC distributes data and computation-intensive tasks to resources to the radio interfaces. The radio interfaces are the standard frameworks for communication between wireless devices and base stations through radio waves. So rather than relying on traditional remote centralized cloud computing environments, the MEC works closer with those radio access networks. The benefit there is that MEC increases streaming and processing efficiency,
Starting point is 00:21:19 decreases congestion on the broader mobile network, which is one of the things that many people are looking forward to, as you mentioned. And it brings higher performance capabilities to less powerful devices like virtual reality, video analytics, and connected vehicles. What are the threat scenarios we're looking at? It's possible to imagine, for instance, a disgruntled employee who might want to modify data that's being processed on an industrial manufacturing MEC deployment, maybe at an autonomous smart factory. If that data modification falsely indicates more resources are being consumed than they really are, this could cause additional perishable materials to be ordered, could result in waste, and increase operating expenses. And in this case, mitigations could be to conduct validation to ensure the data being processed is the same data that was reported from the smart sensors in the factory, or use a privately hosted MEC instance that's not shared to reduce the chance of unauthorized access to the MEC.
Starting point is 00:22:27 So really, I mean, it strikes me that what we're looking at is an enabling technology with a lot of potential. Perhaps a little patience is in order here, but there's good things to come. Yep, that's right. That's right. I think for the future, next steps in looking at resilience of 5G, to make all these components work together and ensure the security and effective policies for 5G deployment, all of this, again, is still a few years away. It's really going to take public and private industry cooperation. We've already seen CISA release its policies on 5G, and that cooperation should foster a collaborative partnership across industry. There are so many technologies, new and existing, to Department of Defense doing, pilot the technologies, get messy with them, and determine what does the practical application of 5G look like? Where will it work? Where is the environment right? Where did we get it wrong? Really
Starting point is 00:23:36 recommending moving into real-world testing and away from the five-year research study. At Booz Allen, we're doing the same thing, and it's really best practice for any company to do real-world testing around this technology. All right. Well, Betsy Carmelite, thanks for joining us. Thank you. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep
Starting point is 00:24:25 you informed. It's fresh and clean as a whistle. Listen for us on your Alexa smart speaker too. Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment called Security Hah. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed and check out the Recorded Future podcast, which I also host. The subject there is threat intelligence and every week we talk to interesting people
Starting point is 00:24:53 about timely cybersecurity topics. That's at recordedfuture.com slash podcast. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yellen, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Eiben, Rick Howard, Peter Kilby, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Starting point is 00:26:06 Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.