CyberWire Daily - Cyberwar, cybercrime, and hacktivism: updates on all three. Contact tracing and its discontents. Cybersecurity economic trends during the pandemic.
Episode Date: May 21, 2020
Website defacements in Israel may be hacktivist work. Iranian cyberespionage against Saudi Arabia and Kuwait. The latest evolution of ZeuS. The Winnti Group is still hacking, and it still likes stealing in-game commodities. Contact tracing during the pandemic proves harder than many thought it would be. Economic trends for the security sector as it prepares to emerge from the general state of emergency. Caleb Barlow wonders if GDPR may have unintended consequences for stopping COVID-19 scammers. Gabriel Bassett from Verizon on the 2020 DBIR. And if you're looking for qualified workers, follow the layoff news. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/98 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
Website defacements in Israel may be hacktivist work. Iranian cyber espionage against Saudi Arabia and Kuwait. The latest evolution of ZeuS. The Winnti Group is still hacking, and it still likes stealing in-game commodities. Contact tracing during the pandemic proves harder than many thought it would be. Economic trends for the security sector as it prepares to emerge from the general state of emergency. Caleb Barlow wonders if GDPR may have unintended consequences for stopping COVID-19 scammers.
Gabriel Bassett is here from Verizon to discuss the 2020 DBIR.
And if you're looking for qualified workers, follow the layoff news.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 21, 2020.
Thousands of Israeli websites hosted on Upress were defaced early this morning with messages calling for the destruction of Israel.
Israel and Iran have been swapping cyber attacks recently, but Haaretz says there's no evidence of a direct Iranian connection to the campaign.
The group claiming responsibility calls itself the Hackers of Savior.
Iranian hackers have been active against government agencies and transportation targets,
especially airports, in Saudi Arabia and Kuwait.
It seems a fairly straightforward espionage effort.
Bitdefender reports that the Chafer APT, generally regarded as run from Tehran, appears to have been engaged in reconnaissance and data exfiltration. The operators relied on social engineering for initial deployment of their payloads.
Malwarebytes today released a report on the recent evolution of the Zeus banking trojan,
which the researchers call, with some justification, the most famous banking trojan ever released.
They've observed a new family built on the old Zeus framework.
It emerged in November of last year, and it's currently being hawked in Russian-speaking criminal-to-criminal markets as Silent Night.
The seller and developer, who goes by the name Axe,
says it took him much time and many pains to pull together,
and he's charging a premium.
A general build goes for $2,000 a month,
a unique build for $4,000.
The researchers regard this version as clean and well-made,
but not particularly innovative.
They expect it to become a product catering to high-end criminals.
Researchers at ESET have an update on the Winnti Group, which continues its practice of using backdoors to attack online gaming companies. The goal is usually theft and monetization of in-game commodities. Those loot boxes have uses beyond arming your avatar or giving it cool-looking armor.
In the MITRE taxonomy, the Winnti Group is described as being of Chinese origin and as having associations with APT17, Axiom, and Ke3chang. Many of these associations are code-sharing, especially of the Winnti malware. Note that Winnti isn't the only strain or type of malware that Winnti Group uses. As ESET explains, they refer to the actor as Winnti Group because of its early use of the malware, but its horizons have expanded over the years.
Prime Minister Boris Johnson says the UK will have an effective contact tracing system in place by the 1st of June. He was, the Telegraph reports, responding to Labour concerns about staff safety should schools reopen. But in some respects, the early favorable reviews Britain's NHS received from its contact tracing pilot on the Isle of Wight now seem to have represented a false dawn. At the very least, more work needs to be done on the security of the app.
People have been asked to let the National Cyber Security Centre know about any problems they've found with the NHSX-sponsored contact tracing app, and they've reported, Computer Weekly reports, three classes of significant issues: those involving the registration process for app users, the application of the Bluetooth communication standard, and how the data are encrypted. Some of the issues involve developer missteps, inevitable with such compressed development cycles, but many of them involve design choices or even simple failures to communicate.
Not all areas of the UK will adopt the national contact tracing app, whatever its final form may be. Northern Ireland won't, for one.
According to the BBC, they intend to follow the Republic of Ireland's lead.
Northern Ireland has some issues with the NHSX app's privacy protections, but more importantly,
it values facilitating travel across the Irish border more than it does travel to England,
Scotland, or Wales. North-South movement is more important than East-West travel.
The Apple-Google decentralized exposure notification system now being rolled out
has attracted interest from governments who are proving willing to sacrifice
the advantages of centralized data management and analysis
in favor of an approach that users may find more congenial.
Reuters reports that some 23 governments have shown an interest in the Apple-Google solution.
1Password has published a survey of people whose jobs have been affected by remote work
and other measures taken to deal with the emergency,
and they've concluded that IT departments are actually getting a good bit of love from their colleagues.
89% of respondents had no criticism of their company's IT team.
Given the scale of the upheaval,
that's a remarkable testament to the incredible work IT teams are doing.
There may also be a growing preference for working from home,
with 68% of respondents saying they like it,
or that at least they've grown happier with telecommuting.
It is fair to say the annual release of the Verizon Data Breach Investigations Report
may be the most anticipated cybersecurity publication of the year,
and this year's DBIR is no exception.
Gabriel Bassett is one of the authors of the Verizon report.
So one of the things that we notice in the report pretty regularly is that we don't see a lot of exploitation of vulnerabilities. And what that means to us is that exploiting a vulnerability is not the attacker's easiest path to a breach. And so we dug down into that this year and looked at a bunch of things around vulnerabilities and around asset management. We also looked at patching, and, you know, the patching wasn't great. There's no single figure to really point to in the report, but if you look in the industry section there are some figures about patching, and we see that overall most organizations are patching 57% of their breaches in the first quarter, the first 90 days, which isn't great. And so, but if that's not causing exploits to be commonly used for breaches, what's going on there?
And so when we look, what we found is that, you know, the majority of an organization's assets, particularly their Internet-facing ones, don't have any significant vulnerabilities. For half of organizations, one or zero percent of their assets had a significant vulnerability, and for 90 percent of them, it was 10 or less of their internet-facing assets that had any significant vulnerability.
But there's the rest of their assets, right? The ones that maybe they don't know about, because organizations had 43% of their assets on their first network, their first autonomous system number, their first ASN. But half of all organizations had another six ASNs that their assets were spread across. And so the question is, do you know what those assets are as an organization? And what's the patch level, right?
We see anytime a new vulnerability comes out that there's tens of thousands of assets on the Internet that are vulnerable to it.
And, you know, that makes us wonder, well, is that me?
Like, you know, is one of my assets in there?
I think I'm patching, right?
And so we looked at what those assets were.
More specifically, we looked at what they were vulnerable to.
You know, and so say if a computer on the internet is vulnerable to EternalBlue,
what other vulnerabilities is it vulnerable to?
And more specifically, what's the first major vulnerability that's vulnerable to?
And the goal here is to say, to try to figure out if these are machines
that are being patched regularly and just haven't been patched for this vulnerability
or just aren't being patched at all.
And what we found is the machines that had, like, EternalBlue (we also checked the excellent vulnerability from last year), they hadn't been patched in 10 years. And the majority of these machines were things that, it's not that they are getting patched slowly, it's that they're getting patched never. And the reality is, if someone wanted to take any of these systems over, a large portion there were ones that were patched, but the majority of them, if someone wanted to take them over, they'd use any one of the attacks from the last decade. They don't have to use the newest vulnerability.
What is your outlook? Do you have a sense that, are we gaining ground or are we losing ground? Are we treading water, as it were, to mix metaphors?
You know, from a data perspective, it is hard to say whether we are improving or getting better or getting worse.
But ultimately, my outlook is positive.
I think more than anything, I think that the things we are doing are working.
We are stopping a lot of the attacks. We know where the attackers
are going and they're going for kind of these very quick and narrow attacks, things like credentials,
phishing. We know how to respond to those. We know how to use two-factor authentication to secure
credentials. We know how to deal with phishing. You know, it's just a matter of us continuing to mitigate these things
and push the attackers into ever narrower and narrower attacks
to the point where our security operations can deal with all the attacks that they see.
That's Gabriel Bassett from Verizon.
There's much more to our conversation than we have time for in the daily podcast, and you can listen to the full interview on our website when you sign up for CyberWire Pro.
While security isn't something organizations can easily cut during periods of stress, neither the larger tech sector nor its security subsector has proven immune from the economic effects of the pandemic. While IT and security businesses haven't been as hard hit as those in other industries (the COVID-19 downturn has been particularly hard on media shops), they too have had to endure lower revenue and in some cases lay off employees.
Checkmarx, for one, on Monday said it was laying off dozens of staff. The company's CEO, Emmanuel Benzaquen, suggested that restructuring had been in the plans for some time, saying, quote, We didn't do it earlier because of the exit and the coronavirus crisis, but now it is time to make some changes, end quote.
It's part of building for the long term, and while the pandemic has affected the company like everyone else, he expects to emerge stronger from the other side of the emergency.
The private equity firm Hellman & Friedman LLC finalized its purchase of Checkmarx in April, paying $1.15 billion for the company. The lesson CTech observes is that even unicorns aren't immune to COVID-19.
And finally, remember that there are security companies who are still hiring, even during the pandemic.
May we suggest they take a look at people who've recently been laid off.
They represent an attractive talent pool as close to pre-screened as any talent pool ever is.
And if you're in between jobs, hang in there.
Tough times do pass.
I'm so worried about my sister. You're engaged. You cannot marry a murderer. I was sick, but I am healed.
Returning to W Network and Stack TV. The West Side Ripper is back. If you're not killing these people, then who is? That's what I want to know.
Starring Kaley Cuoco and Chris Messina. The only investigating I'm doing these days is who shit their pants. Killer messaged you yesterday?
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs
invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network,
continuously verifying every request based on identity and context,
simplifying security management with AI-powered automation,
and detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security.
Hey everybody, Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected. Now at a special discount for our listeners. Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com slash N2K and enter code N2K at checkout. That's joindeleteme.com slash N2K, code N2K at checkout.
And I'm pleased to be joined once again by Caleb Barlow. He is the CEO at CynergisTek.
Caleb, it's always great to have you back. You've been tracking some interesting patterns when it
comes to phishing attempts.
You've got some interesting insights of the phishing we've seen related to COVID-19.
What can you share with us today?
Well, Dave, any time we see a major event,
could be a sporting event like the Super Bowl or World Cup,
could be a weather event like a hurricane or a typhoon,
but any time that there's an opportunity where people want new information, they want to
get access to maybe a better view on things, they're much more likely to click on a link.
And it's not surprising that we've seen a dramatic increase in phishing attempts. Depending on
which news outlet you look at, you can see Google's talking about an increase of about 350% amid COVID-19.
IBM X-Force is out saying that they've seen an increase of almost 14,000%, which I don't
even know how you calculate that number.
But anyway, the point is, and I don't think it's any surprise to anybody, all of the phishers are now leveraging COVID-19 type phish bait.
We've even seen, you know, lots of fake sites getting set up, you know, variants, for example, of Zoom conferencing because, you know, Zoom is obviously one of the more popular solutions that people are using to communicate through this crisis.
And you're not seeing, you know, three or four examples.
You're seeing hundreds and hundreds of examples of these fake sites.
Right.
But here's what nobody's talking about.
Why is it so much larger than things we've seen in the past?
And there's a big reason why.
Any guesses, Dave?
Well, I mean, my initial response would be that this event is bigger than things we've seen in the past.
How often does something happen that affects the entire globe? All right. I'll have to give you partial credit for that because I don't think
you're wrong. Fair enough. But there is one other factor that hasn't existed before, and that is
actually GDPR. The very law and regulation that was designed to protect everybody's privacy,
particularly Europeans, is actually working
against us in this case. Because one of the things that never got figured out with GDPR is the state of the WHOIS data. So since the start of the internet, ICANN, which is the
independent governing body set up to basically govern the internet and how we all use it,
you know, they basically said, look, if you're going to operate on the internet, your IP address needs to be registered. And, you know, we'll maintain this free database
that anybody can search to figure out who is behind a particular IP address or domain.
And of course, you had the ability to kind of like hide your home address and things like that. But
there was a way that law enforcement or security professionals working in investigation
could figure out, you know, who is this? And it isn't any different than kind of having a license
plate on the back of your car. Well, the challenge is that GDPR views an IP address as PII. Therefore,
you got into this kind of rift that never got resolved between the regulators of GDPR. They're saying,
hey, look, this is our rule. There's going to be unforeseen consequences. We're not changing it.
And ICANN basically standing up, you know, effectively saying, hey, you're about to break
the internet and how we've looked at it historically. Well, GDPR comes with gigantic
penalties. So the registrars, the people that go in, you know, register your domain, you know, hey, I want a new domain, you know, davesplanland.com.
You go out to like GoDaddy or something like that and register this domain.
Well, those registrars had to step back saying, hey, we can't deal with these GDPR fines.
Even though we're supposed to publish this, we're just going to stop. And that's what happened. But that is the critical resource that security professionals use
to root out these phishing domains. And so basically, the folks who are out there
fighting this, they've got one hand tied behind their back now. They really do. And it is the
metaphorical equivalent of everyone taking the license plate off their car
and still driving around.
Now, Dave, you're an upstanding guy.
You're probably still going to drive safely
and stop at the intersections and use your blinker.
Right.
But is everybody still going to do that
if you don't have your license plate on your car?
Yeah.
Hmm.
Interesting.
How do you suppose this shakes out? Is this just
the future we're stuck with, or are folks trying to come up with solutions to this?
Well, look, there has been just mounting pressure to get this resolved. Unfortunately,
I think everybody's dug into their camps. And, you know, look, and I think this is a bit of a
bold statement, but I actually think we're running the risk that the very law designed to protect our privacy may cause some of the largest privacy breaches in history.
And I think as more people realize this problem, all we need to do is tweak a few things here and have a few exceptions for security professionals.
And there's probably a way to get there in the long term.
But I don't necessarily know if the motivations are quite there yet.
All right. Well, Caleb Barlow, thanks for joining us.
Thanks, Dave.
Do you know the status of your compliance controls right now? Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you
informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly
produced in Maryland out of the startup studios of DataTribe, where they're co-building the next
generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin. Thanks for listening. We'll see you back here tomorrow.
ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.