CyberWire Daily - DDoS interrupts Belgium’s parliament. New malware in the wild. Spies and crooks work around MFA, OAuth. COVID-19 scam site takedown. Online election fraud (in a homecoming queen election).
Episode Date: May 5, 2021
Belgium sustains a DDoS attack that knocks parliamentary sessions offline. New malware strains identified in phishing campaign. Threat actors look for ways of working around multi-factor authentication and open authentication. COVID-19 scams continue online, and attract law enforcement attention. Joe Carrigan describes a compromised password manager. Our guests are Linda Gray Martin & Britta Glade from RSA with a preview of this year's RSAC conference. And how secure was your high school's election for homecoming court? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/86
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Belgium sustains a DDoS attack that knocks parliamentary sessions offline.
New malware strains are identified in phishing campaigns.
Threat actors look for ways of working around multi-factor authentication and open authentication.
COVID-19 scams continue online and attract law enforcement attention.
Joe Carrigan describes a compromised password manager.
Our guests are Linda Gray-Martin and Britta Glade from RSA with a preview of this year's RSAC conference.
And how secure was your high school's election for homecoming court?
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 5th, 2021.
A large distributed denial-of-service attack yesterday hit Belnet, the ISP that serves much of Belgium's public sector.
Belnet has since restored service.
Computing notes that the attack caused the cancellation of several parliamentary meetings.
The denial-of-service prevented streaming the meetings to external participants.
Among the sessions disrupted was a hearing before the Foreign Affairs Committee that would have heard testimony on human rights in China's Xinjiang Uyghur Autonomous Region. Attribution would be premature, but this context has prompted speculation about the possibility of Chinese cyber operations.
FireEye's Mandiant unit has identified three new malware varieties in a phishing campaign operated by a group it tracks as UNC2529, probably a criminal gang working for a direct financial take. The researchers call the group capable, professional, and well-resourced, and say that it researched its targets closely and tailored its phishbait to the intended catch. FireEye named the new malware families DoubleDrag, a downloader, DoubleDrop, a dropper, and DoubleBack, a backdoor.
If you can't beat it, go around it, like the Blitzkrieg flanking the Maginot Line through
the Ardennes, and it's worth noting that the Maginot Line was a pretty good fixed fortification,
as fortifications go, and it forced the opposition to rethink the way it would attack.
The point isn't that defenses are futile because they aren't,
it's that conflict is dynamic.
The big point is that all conflict is between antagonists
who perceive and think and react to each other's moves.
No single solution is sufficient, still less permanent.
That's as true in crime as it is in warfare.
Two reports today show ways in which threat actors have reacted
to the widespread adoption of sensible security measures.
First, researchers at security firm Symantec describe the ways in which threat actors respond to improved security, in this case the widespread adoption of two-factor authentication. The researchers point out that one thing the recent SolarWinds compromise, the Microsoft Exchange Server ProxyLogon attacks, and the exploitation of vulnerabilities have in common is that they obviate the need to defeat multi-factor authentication. Bypassing such protection has become a principal tactical goal of advanced persistent threats and sophisticated cyber criminals. The silver lining, as Symantec sees it, is that this tactical shift shows that multi-factor authentication is working. If it weren't, the threat actors wouldn't take such pains to find a way around it. So don't give up on multi-factor authentication. Symantec recommends that organizations supplement it with some additional precautions. Specifically, auditing login and Active Directory events, reviewing and reducing services and accounts that do not require MFA, keeping up to date on patches for any discovered vulnerabilities, considering a threat model where MFA may be bypassed or on-site secrets may be compromised, and expanding their zero-trust architecture beyond simple two-factor authentication.
In the second case of threat actor adaptation,
security firm Proofpoint takes a look at how malicious apps abuse open authentication.
OAuth app abuse had a successful run in 2020.
As Proofpoint says,
We have observed many forms of OAuth token phishing and OAuth app abuse,
which is ideal for attackers to conduct reconnaissance,
launch employee-to-employee attacks, and steal files and emails from cloud platforms.
Malicious app attacks often target the accounts of vice presidents, account managers, human resources representatives,
and chief financial officers, the kinds of users with access to highly sensitive data.
If successful, attackers gain persistent and independent access to emails,
including read, write, send, and setting mailbox rules,
files, contacts, notes, Microsoft Team chats, and more.
In some cases, they redirect users to a phishing site after the user consents to the application.
End quote.
In response to this problem, companies like Microsoft have begun to require that app publishers be verified. Microsoft's procedures, instituted in late 2020, have been sufficiently onerous to induce threat actors to look for new approaches. Microsoft's verification process requires that the app publisher be a member of its partner network, that the publisher's account be part of a verified tenant, and that the publisher agree to the terms of use developers must abide by to participate in the Microsoft Identity Platform. Redmond also checks tenant bills and activity.
Proofpoint notes with evident approval that
the whole process of verification is a complicated and unrewarding procedure
from the attacker's standpoint,
but of course it hasn't put the crooks and spies out of business.
As was seen with the threat actor's response
to widespread adoption of multi-factor authentication,
they're simply finding an alternative approach.
They now compromise accounts in credible tenants and then create, host, and distribute cloud malware from within those tenants.
Proofpoint says that cloud account compromise is now widespread,
with perhaps more than 50% of all tenants compromised.
COVID-19 scams, whether counterfeited vaccination records or bogus nostrums,
continue to be hawked online, but they're also attracting more attention from law enforcement.
The Wall Street Journal reports that demand for such things is particularly high in Europe,
which has seen more delays and stoppages in vaccination than have the UK, Israel, and the U.S.
But of course, the problem isn't exclusively an old-world one.
The U.S. Food and Drug Administration this week announced that the U.S. Attorney for
the District of Maryland had taken down a fraudulent website misrepresenting itself
as a biotechnology company working on COVID vaccines.
It's the ninth such bogus site the feds have taken down during
the pandemic. And finally, there's a case of election fraud being prosecuted in Florida.
No, it's not a U.S. federal or state election being finagled through inauthentic online ballots.
Instead, this one is a case in which a mother and her teenage daughter tried to rig a
homecoming queen election at Tate High School in Pensacola. The accused, the AP reports,
allegedly used the mother's access to school district networks to cast fraudulent votes for
the daughter. The mother has district-level access by virtue of her job as assistant principal at a local elementary school.
117 votes were cast from the same IP address within a short period of time.
That tipped investigators, who found a total of 246 votes cast for the homecoming court
from devices found in the accused home.
The mother-daughter duo are charged with offenses against users of computers, computer systems,
computer networks, and electronic devices,
unlawful use of two-way communications device,
criminal use of personally identifiable information,
and conspiracy to commit those offenses.
Both are currently free on bond,
but both face the possibility of 16 years in prison if convicted.
They are, of course, entitled to the presumption of innocence.
The RSA conference has, unsurprisingly, gone virtual this year,
and the Cyber Wire is once again a proud media partner for the conference.
Going virtual is a mixed bag of challenges and opportunities,
and for a better understanding of that, I spoke with Linda Gray-Martin,
Vice President of RSA Conference, and Britta Glade,
Senior Director of Content and Curation at RSA Conference.
We hear from Linda Gray-Martin first.
I have to say it's been a really interesting learning curve over the last year.
You know, virtual events are a new industry really in themselves,
and there's been so much innovation in this space.
It's been really interesting to watch it evolve.
So, you know, I think our community will see lots of the same elements of the conference, albeit reformatted for a virtual world.
But, you know, there are, of course, new things, particularly the format,
the structure, the way the agenda is planned.
But, you know, looking at the familiar elements, and Britta will do a deeper
dive into the kind of content side of things, but we have a very comprehensive track session agenda.
We have a very robust keynote program.
We have interactive sessions, and we've got quite a lot of new going on in this space, which I know Britta's keen to share with the listeners. But we also have our innovation programming, like Innovation Sandbox and our Sandbox and Capture the Flag events and networking opportunities.
And of course, the Digital Expo, which is the digital version of the Expo Hall that people are familiar with in San Francisco.
But just looking at the new, like I said at the beginning, kind of the format, the structure, the way the agenda is planned in particular, those are definitely new.
You know, we all know a year into virtual events that virtual experiences are very different from physical ones. We're hoping actually that people will be able to attend our virtual event who would
never normally get the opportunity to come to San Francisco. So I think that's a real opportunity
there for us to really reach all corners of the world.
Because of that, we've been working hard to time zone optimize the agenda as much as we can.
Britta and team have worked really hard to kind of clump groups of like sessions together, and they're coming on later in our day, you know, all the sessions they attend
or if they've got an interest in a particular topic,
they can attend like sessions at the same time
just to make it easier on them.
The agenda is going to kick off at 8 o'clock PT every morning,
which is 4 p.m. in the UK.
So that's always my reference point for the UK.
You know, we've tried to make it as global as we can.
It's early for APJ, but we've planned it so that their sessions are running later in the day for the APJ audience. So, you know, we've done a fair amount of research, talked to a lot of peers in the industry at other large event organizations to try and get to this point, and I'm sure it's not perfect, but it does give our attendees worldwide an opportunity to participate. So just to kind of summarize, lots of familiar, but also lots of new as well.
Yeah, I think, you know, here at the Cyber Wire, we're excited to continue our media partnership with the RSA Conference.
And indeed, we'll be taking part in the virtual version of Broadcast Alley, which we had a great time being a part of last year.
What are some of the programs that you're particularly excited about as we approach this year's conference?
You bet. And as Linda mentioned, we are trying to take and make the best of a digital environment, which actually does lend itself to some different things. One of the programs that I'm super excited about is what we're calling our
networking lounges. And the lounges, as Linda indicated, we've organized our content. We've
kind of thought about everything in clumps of three hours, thinking if we have a really nice
package, tight body of content for someone with a particular domain interest, anti-fraud, for example. You've got a
tight set of programming against that topically, and then corresponding, you have a networking
lounge. And in the networking lounge, which is hosted by a member of our program committee,
so someone with tremendous domain knowledge in that area, which then is visited by various speakers for live engaged Q&A, host to speaker presented,
but also the opportunity for anyone in that networking lounge to take and engage in the
conversation, to meet one another. So that's one element that we're doing. We have traditional
sessions. We have ability to have Q&A associated with all of those sessions.
We have some fabulous keynote programming put together.
Again, taking and embracing what couldn't you do in a physical environment while bringing together these experts from across the globe in a real-time basis.
So there's some really interesting, fun programming. And we have tried to embrace and continue to be pure
to our reputation of connecting people, of having moments of fun, moments of surprise,
but certainly that depth of focus on education and applicability of the education being shared.
I'm sure you're aware that each year we have a particular theme.
Last year's theme was the human element, and that resonated so well with our community at the time,
but this year the theme is resilience. And of course, it's taken on a whole new meaning for
everybody, kind of professionally and personally. You know, it's a word we've all become very
familiar with, but it also means something very specific to our
industry in that resilience is the ability to prepare for and adapt to changing conditions
and withstand and recover rapidly from disruptions. So, as we've gone through this process,
we're so happy to have the theme resilience as our umbrella this year. And I think it will hopefully really resonate with everybody as we go through life.
Our thanks to Linda Gray-Martin and Britta Glade from RSA Conference for joining us.
Thank you.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host on the Hacking Humans podcast. Joe, great to have you back.
Hi, Dave.
You know, something you and I talk about a lot over on Hacking Humans
is the importance of password managers.
Indeed.
And here we've got a story from Bleeping Computer,
and it's titled Password State Password Manager Hacked in Supply Chain Attack.
What's going on here, Joe?
All right.
So what has happened here is there's a company called Click Software
that makes a password manager called Password State. And Password State includes
a copy of an open source library called moserware.secretsplitter.dll. Okay. All right.
Somebody managed to compromise the copy of the DLL that Password State included in itself. And that compromise
included a loader that would load a malicious version of the software that would then upload
all of the information to a malicious actor controlled website. So the malicious software was active for about 28 hours, so it wasn't a very
long-lived thing. This is a case of somebody using an open-source library and not verifying when
things have changed. Open-source libraries are extremely helpful in the development of software.
There is a lot of stuff out there so that you don't have to reinvent the wheel every
time you want to use some functionality that probably already exists and is available for you
to use under a free and open source license. This is actually available. It's developed by a guy
named Jeff Moser, who put it out under the MIT license, which is a very open license. It's very
similar to the BSD license. It's not like the GNU licenses that require that if you,
there's one GNU license that if you include any of the software under that license,
your software also has to be free.
But this software says you can do whatever you want with this,
or this license says you can do whatever you want with this.
You can even charge people for it if you want.
You shouldn't, but if you make any changes, you're free to do whatever you want. It's actually a very open license. People can do whatever they
want with it. And it's a near certainty these days that if you're developing something with
any degree of sophistication, it's going to have some open source libraries in it.
Some open source libraries in it, exactly. And I don't know where Click was getting their version of Moserware from, because the original version that's on GitHub hasn't been updated in 10 years. And, "the Moserware.SecretSplitter.dll in a malware that has been dubbed MoserPass by CSIS underscore cyber," that's a Twitter handle, "it's unfortunate that my last name and DLL are associated with this malware. I have no connection to it other than my prototype code that was open source and apparently has been used by a commercial product." And he didn't even know about that until earlier today. So here's a product that a
developer put on GitHub 10 years ago. You look at his GitHub repository, it hasn't been updated in
10 years. And this company has been using another version of that. I don't think they've been using
his copy of it because somehow they got somebody's updated version. I don't know exactly how that supply chain attack
happened, but these malicious actors were able to put something in there that essentially exposed
the secrets of users of this software if they downloaded an update between, I think, April 20th
and April 21st. There's a couple of advisories from Click Software
and one from CrowdStrike as well.
To Click Software's credit,
Click Studio's credits,
they have been remarkably forthcoming about this
and they're very good at stopping this.
I think 28 hours is a remarkably short time horizon
for them to fix this.
That was good work mitigating this issue.
I would have liked to have seen a little bit better configuration management and quality
control on the front end of this to stop that from happening. But these mistakes are going to happen.
These kind of things are just going to happen. It's not anything that you can truly avoid.
Somebody's going to fall victim to this.
It just so happens that it was Click Studios this time. I wonder too, I mean, is it plausible that it could be as simple as, you know, some bad actor out there posting up, hey, here's the latest
version of Moser. You know, the original hasn't been updated in a decade, but we've got one with
all these improvements. And so, you know, and that's the one that has the malicious stuff in it. You know, someone who's using it, looks, sees that,
you know, is doing a Google search and says, oh, okay, here's an updated version. Doesn't do their
due diligence. And Bob's your uncle.
Oh, I think that they were using a version that was good for a period of time, because these attackers may have actually created a version that was good and may have had better functionality, right?
But then when it was time,
once they knew that Click Studios
was putting it in password state,
they went ahead and attacked
Click Studios specifically.
It was a very specific attack.
Gotcha.
Interesting.
It is.
One thing I want to say before we go, this does not mean you should not use a password manager. The information, you can go and update your passwords now and be just as safe as you were before.
All right. Well, the article is over on Bleeping Computer.
It's titled Password State Password Manager Hacked in Supply Chain Attack.
Joe Carrigan, thanks for joining us.
It's my pleasure.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan,
Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.