CyberWire Daily - EMA emails altered before release in apparent disinformation effort. Vishing rising. Another backdoor found in SolarWinds supply chain campaign. An arrest and a stolen laptop.
Episode Date: January 19, 2021
The European Medicines Agency says stolen emails about vaccine development were altered before being dumped online. Another backdoor is found associated with the SolarWinds supply chain campaign. DNS cache poisoning vulnerabilities are described. FBI renews warnings about vishing. Iran's "Enemies of the People" disinformation campaign. Vishing is up. Rick Howard previews his hashtable discussion on Solorigate. Verizon's Chris Novak looks at cyber espionage. And the FBI makes an arrest in connection with a laptop taken during the Capitol Hill riot. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/11
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The European Medicines Agency says stolen emails about vaccine development were altered before being dumped online.
Another backdoor is found associated with the SolarWinds supply chain campaign.
DNS cache poisoning vulnerabilities are described.
The FBI renews warnings about vishing.
Iran's enemies of the people disinformation campaign.
Rick Howard previews his hash table discussion on Solorigate.
Verizon's Chris Novak looks at cyber espionage.
And the FBI makes an arrest in connection with a laptop taken during the Capitol Hill riot.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, January 19th, 2021.
The threat actors who stole COVID-19 vaccine documents appear to have altered them before releasing them online, the European Medicines Agency says.
The material stolen, EMA says, included internal confidential email correspondence dating from November relating to evaluation processes for COVID-19 vaccines.
Some of the correspondence has been manipulated by the perpetrators prior to publication in a way which could undermine trust in vaccines.
Emails about the vaccine development process were altered to give the appearance that this process was less credible than it might otherwise have been believed to be, and EMA stands by the effectiveness and credibility of its reviews.
The corrupted, altered data thus appear
to have been emails about vaccine development and not data collected in the course of that
development or during evaluation of vaccines.
Symantec reports another discovery in the threat actors' armamentarium: Raindrop, a backdoor used to drop Cobalt Strike.
Raindrop bears some similarities to Teardrop, malware earlier identified as having been delivered by the Sunburst backdoor.
Both load Cobalt Strike beacon, but Raindrop uses a custom packer for Cobalt Strike.
Raindrop also appears to be used to propagate across networks,
and may have been used selectively against high
interest targets.
Various sources are warning about seven vulnerabilities in the widely used DNS forwarding client for Unix-based operating systems, dnsmasq. Vulnerable systems could be susceptible to DNS cache poisoning. The seven vulnerabilities are being collectively tracked as DNSpooq.
JSOF has a page up devoted to DNSpooq,
and users of affected systems are advised to apply patches as they become available.
On Friday, the U.S. FBI renewed and updated a December warning
about an Iranian campaign, Enemies of the People, intended to exacerbate U.S. domestic mistrust and division by, quote, threatening the lives of U.S. federal, state, and private sector officials using direct email and text messaging, end quote.
The operation also involves menacing doxing.
The Bureau's warning says, quote, the Iranian cyber actors have sought to intimidate some of the officials with direct threats, including an image of an apparent text communication between
the EOTP actors and an unidentified individual in the United States purportedly supporting the
operation. Individuals in the United States intent on disrupting the peaceful transition of power
potentially may be inspired by and act upon these influence efforts to harass, harm, threaten, or attack individuals specifically identified.
End quote.
Enemies of the People represents an extreme form of this tendency in influence operations.
CyberScoop reports seeing a U.S. intelligence assessment that claims Russian
and Chinese services are using the Capitol Hill riot as an occasion for propaganda and
disinformation. Those two nations' styles have been consistent with that on display in past
campaigns. Russian disinformation has been negative and disruptive, concentrating on
producing red-meat conspiracy theories about the Capitol Hill
riot. Chinese disinformation has been characteristically positive, that is, not positive
in the sense of happy or optimistic, but positive in the sense of persuading its international
audience of a particular position. More accurately, two positions. First, the United States is a power
in decline. And second, this is what happens when
you tolerate democratic demonstrations. You get anarchy, which is why in Beijing's line,
it's a good thing they crack down on Hong Kong. At the end of last week, the FBI also issued a
private industry notification warning of increased rates of vishing aimed at theft of corporate
remote access credentials with a view to furthering privilege escalation. A common gambit is an
invitation to log into a bogus VPN page. Bleeping Computer observes that this is the second such
alert the FBI has issued since the onset of the pandemic. The FBI sees this particular warning
as calling out a new style of criminal
activity. Quote, cyber criminals are trying to obtain all employees' credentials, not just
individuals who would likely have more access based on their corporate position, the alert says.
Once they have some initial access, even relatively lowly access, it's then the criminals' task to
work their way into other, more sensitive precincts
of the organization's network. And finally, the FBI is investigating whether a Pennsylvania woman
identified as Riley June Williams stole a laptop or a hard drive from U.S. Speaker Nancy Pelosi's
office during the Capitol Hill riots with the intent of selling it to Russian intelligence
services. The Washington Post says the suspect has now turned herself in and been arrested.
Politico, which broke the story over the weekend, calls the charges bizarre,
by which they mean startling and not inherently implausible. The FBI says it was tipped off by
a source identified only as a former romantic partner of the suspect.
The ex-boyfriend, as the New York Times describes the tipster,
said that Ms. Williams intended to sell the computer device to a friend in Russia,
who then planned to sell the device to SVR, Russia's foreign intelligence service.
The transfer of the device to the Russian middleman seems to have fallen through for unclear reasons, if indeed there was any actual plan to do so. The investigation is continuing.
The laptop is said to have been used only for presentations,
but it's unclear what, if anything,
Ms. Williams may have taken and what, if anything, she hoped to turn over to the SVR.
Calling all sellers.
Salesforce is hiring account executives
to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies, like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation
to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize
key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home.
Black Cloak's award-winning digital executive protection platform secures their personal
devices, home networks, and connected lives. Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is the CyberWire's Chief Analyst and Chief Security Officer, Rick Howard.
Rick, welcome back.
Hey, Dave.
So last week, you analyzed the SolarStorm campaign, and you did it through a first principle lens.
And you concluded that the best strategy that could have helped there was a robust zero-trust deployment.
Now, I know you've invited some of our subject matter experts to the Cyber Wire hash table this week to discuss that idea.
Did they come up with any practical advice?
Indeed, they did.
I talked to both Gary McAlum, the USAA chief security officer, and Don Welch, the Penn State University CIO.
They said that the two most practical things InfoSec teams could do to defend against this kind of supply chain
attack is one, a human process of two-person control, and two, a combination of human process
and security automation called privileged access management. And for the two-person control, I want you to think about our old hacker movie, Dave, our favorite one, War Games. I know we both love it.
Yes, yes, indeed.
So do you remember the opening scene where the two Air Force officers go down into the nuclear
missile silo, and because of, you know, reasons, they are told to launch the missiles? Well,
as audience members, we learned that you can't do that destructive act unless two people,
in this case, U.S. Air Force officers, turn the launch keys at the same time.
And that is what Gary and Don are recommending.
For critical operations, let's say, I don't know,
issuing new authentication tokens to your cloud environment,
just to name one, maybe it shouldn't be possible
to make changes like that unless two people
authorize the change.
And then for privileged access management,
we did two entire episodes of identity management
back in season two of the CSO Perspectives podcast.
But it's basically policy and automation to control actions
for critical or privileged systems.
In fact, Don prefers that solution
over the two-person control because it's less costly in terms of people resources.
Here's Don.
Again, things like privileged access management with monitoring of everything that is done in those system administrations so that you can go back and find out that something has gone wrong and hopefully catch it before too much damage is done.
Not as good, but once again, it's a lot less expensive to implement a solution like that than it is that two-person control.
Wow, interesting stuff for sure.
So if folks want to check out the hash table discussion, it is CSO Perspectives.
That is part of CyberWire Pro.
You can find out all about it on our website, thecyberwire.com.
Rick Howard, thanks for joining us.
Thank you, sir.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Chris Novak.
He is the Global Director of Verizon's Threat Research Advisory Center.
Chris, always great to have you back.
We want to talk today about the report that you all recently published. This is Verizon's Cyber Espionage Report. Take us through first, what prompted the creation of the report?
Yeah, thanks. Thanks, Dave. Always a pleasure to be here. And it's our first time ever putting together a report specifically on cyber espionage. For,
I mean, over 10 years now, we've put together our data breach
investigations report, which really kind of focused on the entire threat landscape. And
lately we've been seeing an incredible amount of interest in diving more deeply into what does the
cyber espionage world look like. And honestly, I think it's probably even more kind of profoundly
topical these days with what seems to be going on in the news.
And so we really just decided, hey, let's take that plunge and dive specifically into that topic.
So we kind of created this separate report just to look at that avenue.
Well, take us through, what are some of the highlights,
the key things that you all bring into focus here?
Sure. I mean, I'd say that probably the biggest things, and maybe for most
people, not a surprise, but when we carve out the data and look at cyber espionage breaches,
they typically take much longer to discover, which again, I don't think is a surprise,
typically on the order of months to years. Containment, typically, if you're lucky,
maybe days, but typically that's also ranging out to, you know, months. And, you know, that's,
you know, when you look at the entire macro landscape, that's substantially longer than what you'd see in other kinds of breaches. The other thing I'd also say is that a lot of them
would be something that I would classify as being kind of underreported. You know, typically
these threat actors are after a different kind of data.
So most of what we see in the broader landscape is typically financially motivated.
They're going after PII, PCI, stuff like that that they can easily sell.
But the cyber espionage landscape is quite different in that it's typically looking for trade secrets,
intellectual property, more of what you would think of in a traditional espionage
kind of sense.
And it's not necessarily data that someone's going to steal and sell, but typically it's
something that someone is going to steal and use for their own gain.
And in many cases, since it's not something like PCI or PII or something like that, there's
typically also not the same kind of regulatory duties to notify. So we actually believe a lot
of that is highly underreported. Yeah. How does an organization judge or calibrate the amount of
relevance that this report has to them? Yeah. And I think, honestly, you have to look at your
threat model, right? You have to look and see what is it that you are most concerned about?
What kind of business are you in?
And I think everybody kind of has a little bit of everything going on.
But typically, you know, if you're looking at certain kinds of industries like education, financial services, information management, manufacturing, mining and utilities, professional services, and public sector. Those are the
industries that we see most heavily hit by cyber espionage kinds of attacks. So if you're in one
of those areas, then it's definitely something you've got to be figuring into your threat model.
And I think, honestly, a lot of organizations in those industries have probably not put as much
effort into it, partially because it is probably one of the hardest things, right?
You're trying to defend against an adversary that is extraordinarily persistent, and they typically
want into a specific target because of something only that target has, right? If you compare and
contrast that with what we typically see in financially motivated breaches,
the threat actor, they don't care who they're stealing the funds or the data from,
as long as it is something that they can monetize.
If they can't get into victim A,
they're happy to try victim B, C, D, and so on.
But when you look at espionage,
that's generally very different
because I want into target A or target B
because of the very specific data
that maybe they
and only they actually have. How important is it for organizations to share information,
to collaborate here, to help spread the word about these sorts of efforts?
I think it's critically important. It's interesting that you mentioned that because one of the things
that people are always asking me is, you know, what is it that they can be doing? And, you know,
one of the things that I always say as it relates
to espionage is because they're typically lower and slower kinds of attacks, they're typically
more sophisticated or almost artistic or creative in some ways, and that the way that they actually
go about their attacks are maybe a bit more nuanced than kind of your plain Jane vanilla
kind of cyber attacks,
sharing the information is even more critical, right?
And so typically I'm talking to more and more organizations to understand
what is it that they're doing from a threat intelligence perspective?
How is it that they are either getting information from others that may be relevant to them?
And when they see something, how are they sharing it with others in the community?
Because, you know, I can't stress enough how important it is. It's almost like your neighborhood watch in where you
live, right? It's important that if the neighbors see something suspicious, you're sharing it with
the other neighbors, right? You all kind of go out there and you try to protect the entire
neighborhood. If you're just in it for yourself, then maybe you'll be safe. But at the same time,
you also don't know then what others may be aware of that they're not sharing with you, right?
So how do we protect everybody in an industry or a community at large against these kind of threat actors?
Yeah. All right. Well, it's the Cyber Espionage Report from Verizon.
Chris Novak, thanks for joining us.
Always a pleasure, Dave. Thanks.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving
field, sign up for Cyber Wire
Pro. It'll save you time and keep you
informed. Bring out your best.
Listen for us on your Alexa smart
speaker, too. Don't forget to
check out the Grumpy Old Geeks podcast,
where I contribute to a regular segment called Security Ha!
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks
where all the fine podcasts are listed
and check out the Recorded Future podcast,
which I also host.
The subject there is threat intelligence,
and every week we talk to interesting people
about timely cybersecurity topics.
That's at recordedfuture.com
slash podcast. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios
of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Kerrigan,
Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby,
and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI
and data products platform comes in. With Domo, you can channel AI and data into innovative uses
that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.