CyberWire Daily - Energetic Bear lands at SFO. Windpower utility hit with RagnarLocker ransomware. COVID-19-themed threats. Telework advice. Zooming.
Episode Date: April 15, 2020
Energetic Bear's pawprints seen at SFO. A leading windpower company is hit with ransomware. Advice for more secure telework. Why healthcare is an attractive target for cyberattack during a pandemic. ICANN pleads for action against scam domains. And the fortunes of Zoom. Joe Carrigan from JHU ISI on undocumented backdoors in Android apps; guest is Emily Mossburg from Deloitte on the geographical and cultural elements of privacy. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_15.html Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Energetic Bear's paw prints have been seen at SFO.
A leading wind power company is hit with ransomware.
The Nemty gang hangs up a going out of business sign.
Advice for more secure telework.
Why healthcare is an attractive target
for cyber attack during a pandemic.
ICANN pleads for action against scam domains
and the fortunes of Zoom.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, April 15, 2020.
Hey, everybody.
Guess who left their heart in San Francisco?
Yes, yes, Mr. Tony Bennett.
But no, not us.
We checked when we got back to Baltimore from RSA,
and our heart's pretty much where it's always been,
right there on the left-hand side of the breastbone.
It took a licking, but kept on ticking.
But somebody else hearts the city by the other bay.
You'll remember the two networks at San Francisco International Airport
that were hacked last month.
Researchers at security firm ESET have fingered a suspect.
On the basis of the tactics, techniques, and procedures the security company observed,
ESET attributes the attack to Energetic Bear, generally regarded as a threat group operating on behalf of Russia's GRU.
So it's Fancy Bear's aerobicizing sister who made her bones going after energy infrastructure in the Middle East.
You may know Energetic Bear by her Dragonfly alias.
What were they after?
Not so much the airport networks themselves as credentials of those who used them.
Specifically, as ESET puts it, the intent was to collect Windows credentials of visitors.
Do remember, as always, that attribution is usually necessarily circumstantial,
and that's the case here. Recharge News reports that Portugal-based international power producer
EDP has suffered a ransomware attack. According to Bleeping Computer, the strain involved in the
attack was Ragnar Locker, and the attackers have demanded 1,580 Bitcoin in ransom, the equivalent of $10.9 million
or 9.9 million euros, in order to restore EDP's files. As is now customary, the ransomware
operators say they've taken some 10 terabytes of company information, which they threaten to
release if the victim is slow to pay. EDP is a major player in Europe's gas and electric sector
and the world's fourth largest wind power producer.
Data privacy continues its ascension
as a critical component of cybersecurity.
Emily Mossberg is a principal
on Deloitte's Cyber Risk Services leadership team.
We chatted at the RSA conference
about the geographical and cultural elements of privacy.
We're seeing more and more that global companies want a level of consistency in terms of their cyber programs.
If we look around the globe, there's definitely a distinction and difference
in terms of the maturity of programs and where different countries and regions are
in terms of their maturity in understanding cyber and implementing their cyber programs.
So there's a big focus on what does that mean
in terms of the program itself.
And one of the big things is how do they educate globally
on the area of cyber,
particularly as the stakeholders shift and change?
How do you educate a global organization?
How do you get everybody on the same page in terms of the risks?
Because the CISO organization itself isn't going to be able to have the scale
to face off on the issue as a whole.
It's very big.
So how do you get a global organization on the same page
to understand what the risks look like
and to know basically who to call for help
when you start to see
something that's interesting or maybe needs a closer look.
I mean, that strikes me as a really fascinating problem, especially at a global scale where
not only are you dealing with technical issues, but you're dealing with different cultural
issues around the world as well.
Yeah, I think that's a huge part of it is cultural issues.
And if you even think about the legal and regulatory environment, there's elements
there as you think about what the expectations are around employee interaction and protection
of privacy and the overlap of security and privacy. So it really requires an organization to think
very comprehensively about what they need to include
in their program and what needs to be focused on being consistent, but maybe not exactly the same
based upon cultural norms, legal and regulatory environment, et cetera. Let's touch a bit more on
privacy because I think particularly from the regulatory point of view, it's a place we're seeing some movement and some momentum.
What sorts of messages are you providing your clients
in terms of preparation for regulatory regimes that may be to come?
Well, one of the things that we've looked at and talked about
around privacy for a long time is the fact that it's very complex.
Even when you start to see, you know, some of the consistencies in the EU around the GDPR,
you have to overlay that with other various regional privacy laws and security laws that
are focused not always on the same goals. So getting to a place where you understand
sort of what your foundational program needs to focus on, where are the areas of overlap
and similarity, that if you have a single focus for your program, you're going to meet
multiple legal and regulatory requirements. And then where do you need to flex your program and be specific within a specific
geography or country in order to meet the difference between where your foundation is
and what the expectations are for that particular country or region?
That's Emily Mossberg from Deloitte. With so many people working from the social isolation of home,
the better to avoid spreading the coronavirus,
there's no shortage of advice on making telework more secure, and doing so as quickly and easily as possible.
Security experts are advising in general that organizations and individuals take five steps to improve their security during remote work.
They come down for the most part to familiar cyber hygiene recommendations, and their familiarity
doesn't make them any less important.
First, keep systems patched and up to date.
And while we're on the subject, we note that both Microsoft and Adobe patched yesterday.
Microsoft fixed 113 bugs in its products, 19 of them critical and 94 of them important.
Four of them are being actively exploited in the wild.
Adobe addressed five issues in ColdFusion, After Effects, and Digital Editions.
None of Adobe's seem particularly urgent, but you never know, so please do your due diligence.
To return to the advice people are offering, the second common recommendation is to use
multi-factor authentication. Third, avoid reusing passwords.
That's how credential stuffing happens. Fourth, be alert to the possibility of phishing emails.
They won't always betray themselves with eccentric usage or grammar or with sloppily pasted logos.
But with a little attention, an alert user can become a reliable detector of most of the phishing
attempts, especially the low-grade ones. And fifth, consider
using a virtual private network. That last bit of advice should be followed with caution and
circumspection. Zscaler says it's found a number of phony VPN sites using spoofed brands to deliver
information stealers. Any organization will be concerned about the confidentiality, integrity,
and availability of its data,
but there are few sectors where these matter more than they do to health care, especially during a pandemic.
The Washington Post and others report that there's been no respite in attacks, particularly ransomware attacks,
against organizations engaged in developing or administering treatment for COVID-19.
This isn't because health care and research organizations are especially poorly prepared
to defend themselves.
Rather, it's because the data they hold is urgently needed, and therefore unusually
valuable.
Health IT Security sees smaller hospitals and care facilities as particularly attractive
targets.
The criminals perceive them as likely to pay the ransom rather than risk an
interruption of care. No one, we repeat, no one should expect any public-spirited restraint in
the underworld, not even during a global crisis. The U.S. Federal Trade Commission's update on
COVID-19-themed complaints it's received is evidence enough: the losses to fraud victims reported to the FTC since the beginning of January
totaled $13.44 million.
Some of that fraud has been facilitated by domains established to push bogus merchandise and other scams,
an Interisle Consulting Group study conducted for ICANN concluded at the end of March.
Naked Security describes how ICANN, the Internet Corporation
for Assigned Names and Numbers, has written to its accredited domain registrars and asked them
to take action against the registration of new domains whose names suggest a pandemic theme.
And of course, since the pandemic is peaking during tax season, there's a criminal convergence
between tax fraud and COVID-19-themed attacks.
The Hill reports that the U.S. Internal Revenue Service, the IRS,
is warning tax professionals that they should expect to be targeted.
Reuters reports that London-based Standard Chartered is the first major global bank to tell its employees to stop using Zoom because of concerns about the platform's security.
But according to Reuters, the memo also indicated that employees should shun Google Hangouts, too.
Standard Chartered says its employees have other, more secure means available to conduct business.
As concerns grew over the teleconferencing service's security,
Zoom has begun to issue weekly security updates.
iMore reports that the latest of these, out yesterday,
enhances the password options available to users and session organizers.
Some of last week's improvements included giving paying customers
the option of choosing how their traffic will be routed.
The news that Zoom traffic routinely transited Chinese servers aroused alarm in many.
The new routing options, one might add, are reassuring only insofar as one believes Zoom
either escaped or contained potential security problems in its code supply chain.
Several of its partners are Chinese firms, as Citizen Lab found when they looked into
the company's encryption issues.
One of the widely reported security problems that have troubled Zoom as the teleconferencing
platform's usage suddenly expanded has been the availability of login credentials on various
black markets.
The data exposure, as Fast Company points out, isn't due to a breach at Zoom itself.
Instead, it's the result of credential stuffing, in which attackers try credentials culled
from other incidents to see if their users have casually employed them for other sites or services.
All too often, the users have done exactly that.
Don't be like that.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time
checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows
like policies, access reviews, and reporting, and helps you get security questionnaires done
five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute.
Also my co-host over on the Hacking Humans podcast.
Joe, great to have you back.
Hi, Dave.
We've got an interesting article.
This is from the folks over on the Naked Security blog from Sophos, written by John E. Dunn.
And it's titled, Thousands of Android Apps Contain Undocumented Backdoors, Study Finds.
What's going on here, Joe? Well, these guys have studied the behavior of a bunch of apps,
including 150,000 apps from the Google Play Store and some apps from the Chinese market Baidu.
And they found that some of these apps have behaviors you might not expect. Now,
what's interesting is they also studied, now get this, Dave,
30,000 apps that are pre-installed on Samsung devices.
Hmm.
That boggles my mind,
that there are 30,000 apps that have come pre-installed on Samsung devices.
You know, Samsung makes a lot of stuff, but...
They do.
Even if they've made 100 different products that you would pre-install an app on, that's still 300 apps per object, per phone, per device.
It's got to be.
I'm imagining the new Samsung bloatware 5000 where you unbox it and you power it up and there's thousands of pages of pre-installed apps just there ready and waiting for you.
And it already runs slow, new and out of the box.
Right, exactly.
Yeah, this is why I don't recommend, first off, I don't really recommend Samsung products.
I've not been impressed with their security and this amount of bloatware that's installed, 30,000 apps, that's unconscionable.
But anyway, they analyzed all these apps looking for backdoors, as they call it. And that's kind
of, the article says it's an emotive term, and I agree with that. What they're looking for is
exhibited behaviors. And they found that somewhere between 5% and 6% of these apps, depending on
which marketplace you're looking at, exhibit
behaviors that include secret keys, master passwords, or secret commands. And some other
apps that seem to be checking user input against blacklisted words, such as political leaders'
names, incidents in the news, and possibly racial discrimination. Right? So they're using this broad term backdoors
to cover basically things that the app is doing
and information it's exchanging
that it's not being on the up and up about.
That's right.
It's not being open about it.
Yeah.
What's interesting is these bloatware apps
exhibited a rate that was more than twice
the rate of the apps from Google Play
or from the Baidu store.
Then 16% of the bloatware apps were conducting these behaviors.
Now, when you have purchased an Android device,
and if you've gotten a brand that comes with these pre-installed apps,
is the first thing you do pretty much go through and delete them?
I've tried to do that.
And in some cases, you actually can't remove them.
They've built the software such that you can't remove the pre-installed apps. I remember one of my original HTC devices that I
got from Sprint had a NASCAR app that I couldn't uninstall. I can't stand NASCAR. I have absolutely
no interest in it, but I couldn't get rid of the app. I absolutely couldn't get rid of the app.
There are other things that come on the Samsung phones. I've owned a couple of Samsung
phones, and I couldn't get rid of some of the Samsung apps like their fitness app that I didn't
want. I would prefer to use other apps, but I still had to keep their app installed. And because
their app is installed, if I don't go in and physically disable it and tell it not to run,
which I had to do with all the Samsung apps. And even then, how do I know that they're
actually disabling it? Because this is Samsung's version of Android, because Android's an open
source operating system. There's a way to protect yourself against this, and that is to buy an
Android One certified phone, which comes with just the stock Android, and bloatware is not allowed
to be included in the distributions in order to be listed as an Android One phone.
Of course, you will probably remind everybody that Apple absolutely forbids the installation of bloatware apps on their phones, regardless of who the carrier is, because they're the only manufacturer of the phone.
That's right.
That's right.
Well, and I don't have to remind them because you just did.
Right.
Thank you, Joe.
Must have pained you to have to do that, didn't it?
It does, Dave.
Well, I mean, I suppose that's one of the answers then is if you pay this, you know,
this tax for the more pure versions of either Android or what people refer to often as the
Apple tax.
Right.
That solves the issue of the bloatware.
But if these things are coming through the Play Store, and I suppose there's no reason to think that the same thing isn't happening on the Apple App Store, I'm not sure there's an easy way to protect yourself against this.
Yeah, I mean, just limit the apps you have installed.
The other day, I looked at how many apps I had installed on my phone.
It was over 100, and I was kind of dismayed by that.
I probably don't need 100 apps installed on my phone.
Yeah.
But I would like to see a similar study done on the apps available in the App Store from Apple, because I would imagine that
this is probably going on in the Apple Store as well, and apps from that store as well. But I'll
bet that Apple has a more severe response. Yeah, yeah, it could be. Maybe just a little more
stringent from the get-go in their testing. But, you know, stuff slips by.
Stuff does slip by.
Absolutely.
Yeah, yeah.
All right.
Well, it's an interesting story, again, from the Naked Security blog over at Sophos.
Thousands of Android apps contain undocumented backdoors.
Joe Carrigan, thanks for joining us.
It's my pleasure, Dave.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive
data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see
how a default-deny approach can keep your company safe and compliant.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash,
Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carol Terrio,
Ben Yellen, Nick Volecki,
Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben,
Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo,
you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.