CyberWire Daily - Disinformation, foreign and domestic. Content moderation, always harder than it seems. US Cyber Command’s defend forward doctrine.
Episode Date: October 15, 2020
Tehran says this week’s cyberattacks are under investigation. Silent Librarian returns to campus for academic year 2020-2021. Crooks are posing as nation-state hackers. Domestic disinformation reported in Guinea and Ghana. Disinformation, content moderation, and the difficulties presented by both. US Cyber Command’s forward engagement campaign. Mike Benjamin from Lumen on how bad actors reuse infrastructure. Our guest is Ralph Sita from Cybrary with a look at their "Skills Gap" research report. And an extended meditation on the Scunthorpe Problem. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/200 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose,
and showing the world what AI was meant to be. Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected. Now at a special discount for our listeners. Today, get 20% off your Delete Me plan
when you go to joindeleteme.com slash N2K
and use promo code N2K at checkout.
The only way to get 20% off
is to go to joindeleteme.com slash N2K
and enter code N2K at checkout.
That's joindeleteme.com slash n2k, code n2k.
Tehran says this week's cyberattacks are under investigation. Silent Librarian returns to campus for academic year 2020-2021.
Crooks are posing as nation-state hackers. Domestic disinformation reported in Guinea and Ghana.
Disinformation, content moderation, and the difficulties presented by both.
U.S. Cyber Command's Forward Engagement Campaign. Mike Benjamin from Lumen on how bad actors reuse
infrastructure. Our guest is Ralph Sita from Cybrary with a look at their skills gap research report.
And an extended meditation on the Scunthorpe problem.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, October 15th, 2020.
We begin with a follow-up to an earlier story.
It seems that Tehran has acknowledged sustaining cyberattacks this week.
The AP, citing Iranian state-operated media,
says that Tehran has confirmed
that it sustained cyberattacks
Tuesday and Wednesday of this week.
The disclosure was brief,
said that the incidents were serious,
and stated that they were under investigation.
No attribution was offered.
The story continues to develop.
We'll continue to follow it.
Malwarebytes researchers report that the Iranian-linked cyber espionage group Silent Librarian
has made its annual return to campus.
The threat actor is active mostly against universities
where it seeks to collect sensitive research and intellectual property.
Malwarebytes writes, Considering that Iran is dealing with constant sanctions,
it strives to keep up with world developments in various fields, including that of technology.
As such, these attacks represent a national interest and are well-funded, end quote.
Silent Librarian has shown up in the late summer and early autumn, back to school time, in both 2018 and 2019.
You needn't be an actual APT to pose as one.
Radware notes that criminal organizations posing as flashy, well-known state actors like Fancy Bear, the Armada Collective, the Lazarus Group, and so on,
have been sending extortion letters to victims.
They typically threaten distributed denial-of-service attacks if they go unpaid,
but the threats are more scareware than malware.
The demand letters have followed new reports of high-profile attacks,
and Radware says the quality of their language has improved, and why not?
If they can call you and say they're the social security police,
why can't they email you and say they're Cozy Bear?
Bloomberg reports that African governments are actively using social media
to spread what it characterizes as disinformation
during the run-up to this year's elections
in order to dominate the narrative around campaigns.
In these cases, Bloomberg cites Guinea and Ghana.
The influence operations are domestic, not foreign.
Government-aligned operators are said to have been particularly active on Facebook.
Reports by the New York Post that alleged smoking gun emails involving U.S.-Ukrainian relations have been found on a computer
belonging to Hunter Biden, son of former U.S. Vice President and present Democratic presidential
candidate Joseph Biden, raise questions of influence operations, potentially foreign
and demonstrably commercial. At issue is the long-running and much-investigated nature of
the relationship between the Bidens and various foreign business
interests, notably Ukrainian energy firm Burisma, and whether such relationships amounted to
influence peddling, or at least the invidious appearance of influence peddling. The elder
Biden has denied detailed knowledge of his son's business relationships, and the younger Biden has
periodically regretted any appearance of impropriety. The provenance of the emails the Post reported is disputed, coming as they did
from a laptop of uncertain origin, but with some appearance of connection to the younger Biden.
Johns Hopkins University's Thomas Rid points out the ways in which the emails could amount
to a disinformation operation, and that cannot be ruled out. The story's details have been difficult so far to corroborate, and some of the emails give
the appearance of having been either reconstructed or fabricated. But the treatment of the Post's
reporting has also raised questions about content moderation. Ars Technica has a summary of the
issues the case raises for social media content moderation.
Twitter and Facebook were quick to inhibit sharing of the post's coverage,
and that's aroused more questions about the ways in which they attempt to control
alleged disinformation or misinformation.
Twitter simply blocked it and blocked some accounts that had shared the story.
Twitter CEO Jack Dorsey tweeted some regrets about his company's handling of the material.
Quote, our communication around our actions on the New York Post article was not great,
and blocking URL sharing via tweet or DM with zero context as to why we're blocking,
unacceptable. Unquote. So what we have, Mr. Dorsey says, is a failure to communicate,
or specifically a failure to communicate context. Facebook didn't block sharing or discussion of the content. Instead,
it deprecated sharing, which is to say that it reduced the likelihood that the platform's
algorithm would amplify the story. In any case, the two platforms seem to have enmeshed themselves
in a lose-lose approach to the story,
with Republicans incensed by what they characterize as censorship and Democrats upset by what they see
as an instance of the Streisand effect, where an attempt to downplay information has the unwelcome
and paradoxical effect of drawing attention to it. It's almost pleasant to turn from this to the more refreshing atmosphere surrounding
TrickBot. The criminal botnet that was affected by separate operations by Microsoft and its partners
on the one hand and U.S. Cyber Command on the other hasn't been destroyed, CyberScoop reports,
but it's been forced to trim its sails and its targets have been given a reprieve during which
they can shore up their defenses. Microsoft was able to make effective use of trademark law to hit the criminal operation,
and Cyber Command was able to degrade its command and control by pushing bogus updates into the
gang's network. Cyber Command's action represents an unusually public instance of the organization's
defend-forward doctrine, in which persistent engagement with
hostile networks complements direct defense of friendly systems. Wired describes the operation
as showing how Fort Meade has increased both its reach into adversary networks and its willingness
to use that reach to act against them. Some have noted that TrickBot is principally a criminal
operation and that it seems unusual for a military organization,
which Cyber Command, of course, is,
to take action in what might be read as a law enforcement matter.
But it shouldn't be overlooked that Russian criminal organizations
survive at the sufferance of Russian intelligence and security services
and that their resources have been co-opted by those services in the past. And finally, to return to the question of content moderation,
the process is difficult and labor-intensive,
and the quest for automated tools that could reduce the workload goes on.
It doesn't, however, always proceed happily.
Witness the meetings of the Society of Vertebrate Paleontology,
a society devoted to the study of the fossilized remnants of prehistoric beasts,
many of them skeletal, you know, mastodons, giant ground sloths, stegosaurians, guys like that.
Anywho, they are holding their meetings virtually, like the rest of us,
and the conference software came equipped with filters that screened out certain words.
Vice reports that prominent among the words it excluded is bone.
Ha ha ha, right?
But as is usually the case, the bowdlerizing software is inconsistent.
For example, if your name should be Wang, you're out of luck.
Call yourself something like Ace or Lefty instead.
But if you're a Johnson, well, that's okay.
Weird, right?
It's an old problem, sometimes seen in non-digital forms
where different dialects of the same language collide.
Our NATO desk, for example, told us a story at greater length
than we really wanted to hear about,
planning meetings in which the transition from the coverage force engagement to the main battle were discussed.
The Americans, thinking as usual of American football,
called the process of the covering force turning the fight over the main force the battle handoff,
you know, like play action between a quarterback and a running back. The Royal Army asked with pursed lips if the U.S. Army might change its terminology to battle handover since
handoff had unfortunate connotations in British English. After getting it, the U.S. Army obliged.
Sometimes it went the other way. A Royal Army staff officer once promised in the presence of our NATO desk
to deliver some useful resources no matter what.
Even, quote, if I have to knock up the Prime Minister, unquote,
a technique the Americans received with surprise, sniggering, and some admiration.
The Bundeswehr representatives were completely baffled,
and they probably spoke more correct English than anyone else in the room.
Anywho, we suggest that once in-person meetings are possible again,
the Society of Vertebrate Paleontology holds its conference in Scunthorpe.
We hear it's nice there.
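The filter behaviour this segment describes is easy to reproduce. The following is an added example, not code from the episode or from the conference platform: a naive substring filter beside a whole-token filter that takes a per-venue allowlist, run over a few messages of the kind a paleontology conference chat would carry. The blocklist, the allowlist and the sample messages are all constructed for the example.

```python
import re

# Constructed blocklist for illustration; the conference platform's real list is not public.
BLOCKLIST = ("bone", "wang")

# Constructed sample messages of the kind a paleontology conference chat would carry.
SAMPLES = [
    "Histology of the femoral bone in juvenile stegosaurs",
    "Trombone section seats twelve",
    "Session chair: Dr. Wang",
    "Session chair: Dr. Johnson",
]

# Constructed per-venue allowlist: a domain term plus a registered attendee surname.
PALEO_ALLOWLIST = frozenset({"bone", "wang"})


def naive_hits(text):
    """Substring matching: flags a blocked word wherever it occurs, even inside
    another word ("trombone"). This is the behaviour behind Scunthorpe-style
    false positives."""
    lower = text.lower()
    return [w for w in BLOCKLIST if w in lower]


def contextual_hits(text, allowlist=frozenset()):
    """Whole-token matching plus an allowlist of terms that are benign for this
    audience (domain vocabulary, attendee names). Still a blocklist filter, so
    anything not allowlisted is flagged exactly as before."""
    hits = []
    for w in BLOCKLIST:
        if w in allowlist:
            continue
        if re.search(r"\b" + re.escape(w) + r"\b", text, re.IGNORECASE):
            hits.append(w)
    return hits


def review_queue(samples, allowlist=frozenset()):
    """Run both filters over a batch; returns (text, naive hits, contextual hits)."""
    return [(s, naive_hits(s), contextual_hits(s, allowlist)) for s in samples]


if __name__ == "__main__":
    for text, naive, ctx in review_queue(SAMPLES, PALEO_ALLOWLIST):
        print(f"{text!r}: naive={naive} contextual={ctx}")
```

The point of the comparison is that token boundaries fix "trombone" but do nothing for "bone" used legitimately by this audience or for an attendee named Wang; those need a list of what is acceptable for the venue, which is moderation work rather than a regex.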
Transat presents a couple trying to beat the winter blues.
We could try hot yoga.
Too sweaty.
We could go skating.
Too icy.
We could book a vacation.
Like somewhere hot.
Yeah, with pools.
And a spa.
And endless snacks.
Yes!
Yes!
Yes!
With savings of up to 40% on Transat South packages,
it's easy to say, so long to winter.
Visit Transat.com or contact your Marlin travel professional for details.
Conditions apply.
Air Transat. Travel moves us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this.
More than 8,000 companies
like Atlassian and Quora
have continuous visibility
into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
There is ongoing debate about the degree to which the so-called cyber skills gap exists,
or if it really exists at all. Some say it's an industry-wide obstacle, while others maintain it only affects certain skill levels or that it may be self-inflicted due to organizations' unwillingness to invest in training up the next generation.
Ralph Sita is CEO at Cybrary, and he joins us with insights from their Skills Gap Research Report.
saying all along, and the industry has been crying out for help, you know, that there's a talent gap,
meaning there's not enough people out there to fill these roles in cyber that, you know, exist and are going, you know, vacant too long. But then we also just, you know, came to the realization
that not only is there a talent gap, but there's an actual skills gap within the employed ranks,
within these companies. So we've heard this anecdotally. We've seen it from our user base,
and we decided that, hey, now's a great time. We have this vast array of folks that could add value
with their feedback and let the know, let the other industry
people, their contemporaries, their competition even, you know, understand what they're going
through because it's a commonality that they all have. Well, let's go through some of the
key findings together. What were some of the things that drew your attention? Well, I mean,
it's most importantly that all these organizations from
generally the employee upward feel like they are inadequately prepared to do their jobs.
And so in terms of this gap, I mean, is it a matter that companies need to be investing in
more training? That's just the beginning of it. Training is fine, but unless you
have a critical path for employees to see the light at the end of the tunnel and the light's
not an oncoming locomotive, training is just part of the equation. You have to have a structured
curriculum, a structured career path set for them so they know that they're working towards a goal that is going to improve their skills,
improve their job preparedness, and make them better to do what they have to do.
How about coming at it from the other direction, for that person out there who's on the hunt for a new job or a better position?
Did you get any insights on how that person can best prepare themselves to make
them, to set themselves apart from the crowd? I believe that certifications are still important,
so I don't want that to, you know, think that that's the tenor of my comments here.
What I'm trying to say is that assessments that prove skills are more important.
The best thing for people to do and new people to get in this profession
is grab a couple of the certifications
that get the minimum boxes checked,
but make sure you are continually learning.
You know, our study shows that 78% of employees right now
are finding time on the job to learn.
Some of the bigger worldwide brands are encouraging their employees to learn on company time because they realize that, you know, if they don't,
then it's only hurting the company because these folks are struggling to get this type of training
done. So again, constant learning.
Prove that you know what you know.
You'll find a job in this industry really fast.
That's Ralph Sita from Cybrary.
Cyber threats are evolving every second. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company
safe and compliant. And I'm pleased to be joined once again by Mike Benjamin. He's the head of Black
Lotus Labs, which is part of Lumen Technologies. I want to touch today on the reuse of infrastructure
and some of the pros and cons
of that. What can you share with us today? Yeah, so what I really wanted to touch on was how
actors reuse infrastructure. And it's pretty common that we will see an actor set up a campaign.
They'll put their malware downloader on a web server or so, they have to
install a web server or break into, as it depends. And realistically, as long as they can deliver
malware from that, they're going to leave it up. And so a lot of times we think about a malware
infection as something that can be, you know, quote unquote, cleaned up. But how often do we
as an industry clean up endpoints and don't take the time to
go back and make sure that the originating delivery host has been removed from the internet?
Unfortunately, I can tell you it's very common. And so just because we've eradicated a component
of a campaign doesn't mean it's all gone. And so if I'm an actor, I've taken the time to
take a stolen credit card, put some Bitcoin, whatever, into the purchase of a VPS host.
I've installed Nginx or Apache, and I've set up a new environment.
Realistically, I'm just going to keep using it.
And maybe I don't even use it for the same campaign.
Maybe that campaign really is burned.
It was a phishing website, and the domain got taken away, and the data I was trying to exfil, that host is gone.
But heck, I can move it to a malware delivery host the next week.
So as a criminal actor, they are very common in reusing components of the infrastructure they have in a campaign.
And so why we think it's important to call out and talk about why everything I just said may be intuitive.
Too often, we don't maintain, as an industry, those blocks in our firewalls, those alerts in our SIEMs.
When we know something's bad, keeping it there for a while really can be a benefit to the defense of an environment because the actors are, in many cases, going to reuse that at some point in the future.
Well, can you give us some specific examples, some things that you all have seen?
Yeah, so recently we were looking at a report that the team over at FireEye had produced
on the Maze ransomware. It's a pervasive threat right now. A lot of people are looking into it.
And upon diving into it, we actually saw components of a Maze campaign that we now saw delivering
Cobalt Strike beacons. And so the Cobalt Strike payload
was sitting in a directory on the server, and it was completely unrelated to the previous Maze
campaign. And so anyone who had come along and maybe read that FireEye report or someone else
looking at that particular campaign and had blocked those IP addresses in their perimeter
firewalls, alerted on them in their SIEM, done anything on that piece of the infrastructure, would
have been precluded and never impacted by the subsequent Cobalt Strike campaign that
we saw.
And so just a simple reuse of an IP address that was delivering a payload from one campaign
to the next could have completely removed any threat from the secondary campaign. Another example we see is on the victim side where we've many times seen IoT hosts reused
across very different campaigns, maybe even by different actors, just because they were a
vulnerable pool that remains unpatched over time. So we may see a DDoS attack come from a thousand IPs.
And six weeks later, a hundred of those IPs pop up in a credential stuffing campaign.
So one actor group installed the DDoS payload.
The home users rebooted their DVR or whatever it was.
And a few weeks later, somebody came along and installed proxy servers. So again, knowing that those vulnerable pool of devices could attack you over time,
could have alerted to or prevented
those credential stuffing attacks
that happened a few weeks later.
So being cognizant of how IP addresses, domains,
and other components infrastructure
can be used over time
is really a useful way to prevent future attacks.
I see.
Now, is this something where the attackers
could catch on
and stop doing this?
Well, of course, right?
Anybody who reuses a tool could take the time and stop
and just set up a new tool,
install the host somewhere else, new software.
Heck, in some cases, just grab a different IP
if it's as easy as that.
But let's face it, it's easy for them not to, and human beings are lazy.
And so as long as, let's say, the criminal market, they can make money, they're not going to take
the extra few minutes to set up a new host or roll an IP or grab a new domain. As long as they can
still make their money, still carry out their objective, they're going to continue down that path. And so as defenders, it's all of our job to raise the cost of being bad and carrying out
those campaigns. And so if we can make it harder, they're going to go a little slower. They're
going to spend a little more money and make a little less profit, hopefully be less motivated
a little bit over time to do this kind of work. I see. All right. Well, Mike Benjamin,
thanks for joining us.
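Mike Benjamin's point about keeping indicators around can be shown in a few lines. The following is an added example, not code from the episode or from Black Lotus Labs: it holds a dated blocklist from an earlier campaign, checks later firewall log lines against it under two retention windows, and refreshes an indicator's date whenever it is sighted again. The indicator addresses (RFC 5737 documentation ranges), the first-seen dates and the log lines are all constructed.

```python
from datetime import datetime

# Constructed indicators from a hypothetical earlier campaign; addresses are from the
# RFC 5737 documentation ranges and the first-seen dates are made up for the example.
CAMPAIGN_A_INDICATORS = {
    "192.0.2.10": "2020-06-01",
    "198.51.100.7": "2020-06-03",
}

# Constructed firewall log lines from several weeks later; as in the story, the same
# delivery hosts come back serving a different payload.
LATER_LOGS = [
    "2020-07-20T10:15:02Z src=10.0.0.5 dst=192.0.2.10 dport=443 action=allow",
    "2020-07-20T10:16:40Z src=10.0.0.9 dst=203.0.113.44 dport=443 action=allow",
    "2020-07-21T08:02:11Z src=10.0.0.5 dst=198.51.100.7 dport=80 action=allow",
]


def parse_log(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime under 'ts'."""
    parts = line.split()
    rec = dict(kv.split("=", 1) for kv in parts[1:])
    rec["ts"] = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def active_indicators(indicators, at, retention_days):
    """Indicators still considered live at time `at`, given how long we keep them."""
    live = set()
    for ip, first_seen in indicators.items():
        age = (at - datetime.strptime(first_seen, "%Y-%m-%d")).days
        if age <= retention_days:
            live.add(ip)
    return live


def match_logs(lines, indicators, retention_days):
    """Return [(timestamp, ip)] for log lines whose destination is a live indicator."""
    hits = []
    for line in lines:
        rec = parse_log(line)
        if rec["dst"] in active_indicators(indicators, rec["ts"], retention_days):
            hits.append((rec["ts"].isoformat(), rec["dst"]))
    return hits


def refresh_on_sighting(indicators, hits):
    """Middle ground between 'expire quickly' and 'keep forever': each sighting resets
    the clock, so reused infrastructure stays blocked while indicators that never
    reappear age out. Returns a new dict; the original is left untouched."""
    updated = dict(indicators)
    for ts, ip in hits:
        updated[ip] = ts[:10]
    return updated


if __name__ == "__main__":
    for days in (30, 180):
        print(f"retention {days}d:", match_logs(LATER_LOGS, CAMPAIGN_A_INDICATORS, days))
```

With a 30-day window both indicators have aged out by the time the hosts are reused and nothing fires; with 180 days both later connections match. The refresh step is the usual answer to the objection that indicators kept forever eventually block reassigned addresses: keep them long, but let sightings, not the original report date, drive expiry.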
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed, and it smells April fresh.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team
is Elliot Peltzman, Puru Prakash,
Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan,
Carol Terrio, Ben Yellen, Nick
Valecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow. comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable
impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain
insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.