CyberWire Daily - Espionage and cyberespionage. Albania's national IT networks work toward recovery. Malicious apps ejected from Google Play. White House summit addresses the cyber workforce. Notes on cybercrime.
Episode Date: July 19, 2022
A Cozy Bear sighting. Shaking up Ukraine's intelligence services. Albania's national IT networks continue to work toward recovery. US Justice Department seizes $500k from DPRK threat actors. The FBI warns of apps designed to defraud cryptocurrency speculators. A White House meeting today addresses the cyber workforce. Ben Yelin looks at our right to record police. Our guest is Tim Knudsen, Director of Product Management for Zero Trust at Google Cloud, speaking with Rick Howard. And another trend we’d like to be included out of.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/137
Selected reading.
Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive (Unit 42)
Russian hacking unit Cozy Bear adds Google Drive to its arsenal, researchers say (CyberScoop)
Russian SVR hackers use Google Drive, Dropbox to evade detection (BleepingComputer)
Ukraine’s spy problem runs deeper than Volodymyr Zelensky’s childhood friend (The Telegraph)
Albanian government websites go dark after cyberattack (Register)
On Google Play, Joker, Facestealer, & Coper Banking Malware (Zscaler)
Justice Department seizes $500K from North Korean hackers who targeted US medical organizations (CNN)
Cyber Criminals Create Fraudulent Cryptocurrency Investment Applications to Defraud US Investors (US Federal Bureau of Investigation)
Announcement of White House National Cyber Workforce and Education Summit | The White House (The White House)
Fortinet Announces Free Training Offering for Schools at White House Cyber Workforce and Education Summit (Fortinet)
Not your average side hustle: the women making thousands from 'pay pigs' who enjoy being financially dominated (Business Insider)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
A cozy bear sighting, shaking up Ukraine's intelligence services.
Albania's national IT networks continue to work toward recovery.
The U.S. Justice Department seizes $500,000 from DPRK threat actors.
The FBI warns of apps designed to defraud cryptocurrency speculators.
A White House meeting today addresses the cyber workforce.
Ben Yelin looks at our right to record police.
Our guest is Tim Knudsen,
Director of Product Management for Zero Trust at Google Cloud, speaking with Rick Howard.
And another trend we'd like to be included out of.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 19th, 2022.
Palo Alto Networks' Unit 42 reported this morning that the Russian threat actor Cozy Bear
is leveraging trusted legitimate cloud services in its campaigns, the better to avoid detection.
It's worth noting that Cozy Bear is associated with the SVR, Russia's Foreign Intelligence Service,
and is also known as Cloaked Ursa, APT29, and NOBELIUM.
Their two most recent campaigns have used Google Drive cloud storage services,
and when this is combined with encryption, malicious activity is more difficult to detect.
The most recent campaigns have had diplomatic themes, feigning an agenda of an ambassadorial
meeting, and are believed to
have targeted Western diplomats between May and June of 2022. The documents suggest the target
to be either foreign embassies in Portugal or foreign embassies in Brazil. The payload is
carried in a link to a malicious HTML file that drops Cobalt Strike. Cobalt Strike is, of course, a legitimate penetration
testing tool that's often abused by threat actors. It's not the only such tool that's
being misused this way. See Unit 42's earlier post describing the SVR's use of the less well-known
Brute Ratel tool in similar campaigns.
The replacement of both the head of Ukraine's SBU intelligence service
and the country's chief prosecutor indicates the extent to which Kyiv is troubled
by the problems of disloyalty in the security and intelligence services.
The SBU, like its Russian counterparts, the FSB and SVR,
is a successor organization to the old Soviet KGB,
with all the liabilities that come with that heritage, corruption, cronyism, and perhaps
most significantly, susceptibility to compromise by its Russian counterparts. The Telegraph describes
some of the specific incidents that prompted the suspensions, and its account points out the
difficulties involved in reforming a service with deep institutional roots and a questionable cultural
heritage. Contentious Ukrainian domestic politics further complicates efforts at reform.
The Register follows developments in the large-scale disruption of Albanian networks
that began over the weekend. The eAlbania portal has been particularly disrupted by the attacks,
and that disruption has been especially painful given Albania's closure of many in-person services back in May,
judging the new online service platform to have rendered the older services redundant and unnecessary.
The disruption offers an object lesson in the importance of
redundancy and the availability of manual backups to provide continuity of service during emergencies.
There's no attribution of the attack so far, but the Register, on the basis of a little
circumstantial evidence and a lot of a priori possibility, suggests that there may be a Russian hand behind it.
Zscaler describes its identification of three familiar strands of malware
that have made a reappearance in Google's Play Store.
The security firm's researchers found numerous apps hosting Joker, Face Stealer, and Coper.
Google has ejected the infested apps from the Play Store,
and Zscaler advises that users take the usual precautions when they consider installing an app.
The U.S. Justice Department has announced the recovery of some $500,000 from North Korean
state-sponsored cybercriminals who targeted healthcare organizations with Maui ransomware.
U.S. Deputy Attorney General Lisa Monaco cited the operation as an instance of a renewed focus on clawback operations
and as a positive example of close private sector cooperation with law enforcement.
While the recovery is welcome,
CNN points out that the amount is small relative to the hundreds of millions
Pyongyang's hackers are believed to have stolen in recent years.
The U.S. FBI has warned of cybercriminals fraudulently claiming to offer legitimate cryptocurrency investment
services and convincing investors to download fraudulent mobile apps, which the cybercriminals
have used with increasing success over time to defraud the investors of their cryptocurrency.
Losses have in some cases run into the millions. The approach trades upon the victim's greed and their desire for convenience.
Who wouldn't want an app to help navigate the go-go world of crypto investing? Some of the
apps represent themselves as being connected to legitimate or at least formerly legitimate
exchanges. The FBI warns users to exercise due skepticism about offers of trading apps.
As you may have heard, there are about 700,000 unfilled jobs in cybersecurity across the United States.
In an effort to address that shortfall,
the U.S. National Cyber Director Chris Inglis has convened what the White House describes as a National Cyber Workforce and Education Summit today.
The summit has three goals.
First, address the need to create and prioritize new skills-based pathways to cybersecurity jobs.
Second, take advantage of the opportunity to build pipelines for historically untapped talent,
including underserved and diverse communities.
And finally, to discuss how investing in cyber training and education
will enable Americans who comprise the lifeblood of our economy,
including those building the next generation of our nation's infrastructure,
to be successful in our digital economy
and to empower society to harness cyber capabilities
to achieve our individual and collective aspirations.
It includes a number of senior government leaders,
as well as leaders from the private sector,
especially but not exclusively the cybersecurity industry, and university leaders. One of the companies that's
participating, Fortinet, has taken the opportunity to announce an offer of free training it's making
available to schools.
And finally, hey everybody, here's a story we don't fully understand or know how to classify,
but since it goes on online with only financial ramifications IRL, as the kids say, here you go,
make of it what you will, but apparently there's a pay pig thing going on in cyberspace.
It seems, if Business Insider is to be believed, and why shouldn't they be believed,
a kind of transactional relationship in which men with money give that money to women who insult
them online. That is, the men are paying for the thrill of being verbally disrespected and
denigrated. That's the extent of the exchange. The fin-domina, as they're known,
insults the pay pig, who then sends in money for the privilege of the experience.
Yes, we get it. The jokes practically write themselves, as do the stern deconstructive
lectures about relative empowerment, but we'll leave it as an exercise for you,
gentle listener, to think up your own punchlines or seminar topics or keynote speeches.
The whole phenomenon seems entirely consensual
and it's hard to say what law might be broken here.
Our guess is that no law is being broken,
but perhaps we've been unduly influenced
by the legal opinion Slippin' Jimmy
McGill offers in the Hoboken squat cobbler episode of Better Call Saul. We'll close by
quoting the wisdom of Samuel Goldwyn: include us out.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365
with Black Cloak. Learn more at blackcloak.io.
Tim Knudsen is Director of Product Management for Zero Trust at Google Cloud.
Back at the RSA conference, my CyberWire colleague, Rick Howard,
met up with Tim Knudsen.
Here's their conversation.
Hey, everybody. This is Rick Howard.
We're running around RSA, and I happened to bump into Tim Knudsen.
He is the Google Cloud Director of Product Management for Zero Trust,
and it is my pet peeve of things to talk about,
so I thought I would drag him in here and see what he has to say.
And from our preliminary conversations, Tim,
you said you were trying to address some of the pre-misconceptions
or some misconceptions about zero trust.
So what is the very biggest one that you're trying to talk about here at the conference?
Yeah, well, there's actually three.
But let's start with the first one, which is one that I call that is around
to do good zero trust does not mean you have to do everything zero trust to start.
Okay.
Because the idea about zero trust is, I mean, I think of it as a movement.
It's a set of principles.
It's an architecture.
It's not necessarily one product, nor is it one solution.
Yeah, I call it a strategy.
There you go.
Right.
So my point is, you know, there's this misconception that you have to do all, a full lift and shift, to get to good zero trust.
And my argument is, you know, anything that you can move to zero trust, be it contractors, a portion of your workforce, a set of devices, is an incremental step in the right direction.
Yeah, so don't try to boil the whole ocean.
This is common, right?
Bingo.
Yeah, do little small steps.
And every little bit you do makes it better, right?
Exactly.
So what's the biggest thing people are trying to get over?
What's the big hurdle that people trying to implement zero trust are doing?
What's the thing that they stumble on?
Well, one thing that's commonly an issue is yet another agent.
Yeah.
All right.
It's a practical problem.
It's a real problem.
It's fully legit. Now, of course, the way to work around that is to really think about what are the actual apps that are best suited or have the highest need or urgency for Zero Trust.
Browser-based zero-trust access is a fine solution if you can find that technology that will give you that.
It'll also combine browser-based proxied access
with all of the fine-grained controls you need
based on the context, be it identity,
whatever you know about the device,
other risk scores or signals you're collecting.
So that's the thing that I have many, many conversations about.
Now, the thing is, again,
that's a great way to get started easily,
but oftentimes we're working with people
and there's many enterprises that have,
I call them multi-generational IT landscapes, right?
Which is really a nicer way of just talking about,
you know, there's apps of all ilk, right?
And some of them are still the fat client,
you know, client server legacy style.
So browser-based will not solve all.
But going back to my first point,
starting is getting on the path to good zero trust.
Can I rephrase that a little bit
and just say that what we're looking at
is for material apps,
apps that connect to your material data.
That's the ones you should be working on.
And the other stuff might come later,
but we don't have to hit those right away.
Exactly.
So you said there were three misconceptions. We talked about one. What's the second one?
Second one is, and this is a little bit conscious of my first point, but roll with me on this one.
Okay, I'm with you.
And that is, it's, you know, just worry about, call it the north-south or the front end, and you can deal with the back end later.
Sure.
The reality is, I think everyone is probably in some form of a
digital transformation conversation,
which means you're modernizing some or many apps, which means you're not building a monolithic app,
you're building a composite distributed, whatever you want to describe a type of app.
It's probably using some hyperscaler services in there from someone like Google or others.
And you need to also think about every leg of that communication,
much like you're thinking about
just the device-to-app communication
to begin with as well.
So my point there is,
over time,
and that's going to be
sooner rather than later,
you need to think about
how you secure with zero trust
or apply zero trust policies
and principles across
all legs of the communication.
That's why, you know,
Gartner got it right.
They first talked about SASE,
then they're like, hey, hold on,
there's just this security portion called SSE
or Security Services Edge, which is great.
Then they've now talked about this thing called CASI
or the bride of SASE, right?
The whole point is talking about
the other side of the equation, which is the backend.
So is that part of the, take the smaller bites first?
Because we had the big SASE thing,
but now we're going to break into little pieces
and get it all right.
Is that what we're doing here?
Yeah, I mean, it's a progression.
Yeah.
All right.
So what's the big idea?
Where's it going to go?
Where is the future of Zero Trust?
What are we looking at here?
So I think there's two,
like if you want to ask where I look,
when I look at my crystal ball,
what do I see, right?
So I-
All right, Mr. Wizard, put your hat on.
Yeah, so I see two things, right?
Okay.
Okay, so number one's a short-term thing.
Number two is a longer-term thing.
Short-term thing, number one.
And that is, I think that many organizations
are now looking at combining, you know,
this two transformations, right?
One is the need to move to zero trust,
and it's going to be more centered around device to app,
along with how they can look at other
modernization transformation efforts.
And the reason being goes all the way
back to our first point, which is
the app workloads that matter
and how they are typically
web-based, and
looking at those as well as
an increase, of course, of
utilizing SaaS to modernize the productivity of the enterprise.
And they're looking at that and saying, okay,
if I go down that route, what does that mean now to how I can simplify
my devices, my fleet there, and how I can bring this all together
into an integrated view of both modernizing how I work, and also
with that, taking advantage of
technologies to bring that up to a zero trust standard along the way. That's short term. And
I call that out because I think a lot of those initial move towards zero trust was more like
lift and shift from VPN, remote VPN access, to more granular context-aware access. Now it's
how do I combine them together to do a better outcome overall?
Second one is a little longer term,
and it goes back to my point about combining
north, south, east, west, front, and back,
and whatever you want to describe it as.
That is going to be the convergence
of being able to combine the two together.
There will no longer be, I expect,
in three to five years, a distinction.
I think you're going to be thinking about it
across all legs,
north, south, east, west.
You'll be looking for one way to have a singular policy
that works across everything,
a context that you can apply
across everything,
and the teams will be all working
in a unified fashion
to make this happen.
We started our Zero Trust journey
around 2010 or so, right?
It's kind of when we all started talking about it.
When do you see it as being just the normal thing that everybody does?
Is that two years away, five years away?
Well, if you measure it as it's a conversation for which you no longer have to explain why,
and it's all about just what and how, we're there now.
Yeah.
So everybody's got it and we're just moving towards it now.
Everybody knows what it is
and why they should do it.
Now where they are on that transformation path or that journey or whatever word you want to apply to it,
that's a different, that's a different, you know, topic,
but there's no longer any of the why conversations.
It's mainstream.
Thanks for coming out
and explaining
what Zero Trust is to you.
Thanks.
I appreciate it.
No worries.
All right, man.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing
sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security
and also my co-host over on the Caveat podcast.
Hello, Ben.
Hello, Dave.
Interesting, I guess you'd call it a press release from the EFF,
the Electronic Frontier Foundation.
The article is titled,
Victory! Another Court Protects the Right to Record Police.
What's going on here, Ben?
So there have been a bunch of challenges in most of the judicial circuits across the country.
The one in this article refers to the 10th Circuit.
But we've had decisions at the appellate level in the 1st, 3rd, 5th, 7th, 9th, and 11th Circuit.
Isn't it kind of weird that it's all the odd circuits until this current article?
Not as weird as the fact that you have them all memorized, but go on.
Yes, memorized.
Of course, that's it.
So there's this question of whether states can pass laws forbidding people from recording police interactions.
Right.
The fact that people do record interactions with police on their smartphones has been a boon to people who want to
foster police accountability.
We would not have had George Floyd protests if we had just relied on the word of law enforcement.
It was the video that caused those protests.
Right.
The fact that it was something people could see with their own eyes.
Law enforcement understands that they're going to get pushback if every type of
episode like that is recorded. And in their defense, some of the video footage is and could
be misrepresented to make them look bad, even if, you know, perhaps the viewer of the video didn't
understand the full context. Right. It might not tell the whole story. Right. So that's certainly
a consideration. I
think what the courts are saying in all of these appellate jurisdictions is recognizing law
enforcement's interest in protecting its own safety. That certainly does not supersede the
First Amendment right of speech and expression, which manifests itself in somebody taking out
their camera and recording.
These efforts, at least at the state level, are not going to stop.
I know there's a proposed law in Arizona,
and there's been a major debate about it that would criminalize people filming law enforcement interactions.
Right, it was like an eight-foot distance or something like that?
Yeah, which might not seem large, but if they're around the corner,
and the eight foot is the
difference between you being able to record and not record, that's certainly going to be
an item of difficulty.
That's going to inhibit your ability to record the interaction.
The appellate courts are recognizing that videotaping law enforcement is a form of
expression. It's a form of getting your voice heard, publishing something that you've seen with your own eyes.
It's not like somebody is trespassing on somebody else's physical property.
It's generally something that's in public view.
The Electronic Frontier Foundation and the ACLU and other groups have rightfully made the case that it has improved
police transparency and accountability. And once we see sort of this uniform application among
circuit courts across the country, it makes it more likely that the Supreme Court isn't going
to mess with this. They're not going to supersede the near unanimous holdings of all of these
federal circuit courts.
Is that only for the folks who are within these appellate court districts?
For now, it is, yes.
But that covers a large portion of the country.
Right.
I noticed the 4th District was not on there,
and that's where we live here in Maryland.
It was not on that list.
Come on, Ben.
I know, but I'm sure some cases are going to come up. One of the states
that's in the Fourth Circuit is going to try and pass a law. There's going to be a challenge to
that law. Somebody's going to get arrested, prosecuted, and they'll come up with a constitutional
claim. And the Fourth Circuit might go a different way than the other circuits, but I think the trend
is pretty clearly in one direction here, protecting the right of people to record the police.
Yeah. All right. Well, I mean, personally, I'd categorize this as good news.
Yeah. I mean, I think it's good news for transparency and accountability and in not
restricting people's constitutional rights. So it's something where it's affirming to see that so many courts agree with our civil liberties instincts here.
You know, I agree with the notion that there should be a reasonable amount of distance that you keep between law enforcement who are busy doing their work.
Right.
And that could be a public safety issue.
Right. But I guess what I wonder about, particularly the case that you mentioned where or the one we talked about earlier with the eight foot distance.
What if I'm standing 20 feet away and a police officer closes that distance to make it smaller than eight feet?
Right. Right. I didn't move.
Right. But they were the ones who lessened it. I mean, yeah, that could be a complication with that.
There are a couple of other interesting complications here. One is the police department in the case they
reference here tried to use qualified immunity, which protects law enforcement unless they did
something particularly egregious. Right. And it's really important that this court has said that
qualified immunity doesn't apply to a situation where somebody is taking out a
video and recording.
Another thing they mentioned in this article that we
talked about a long time ago is
on-duty officers playing loud
popular music to try and get
copyright claims
filed against the video
by the producers of this music.
So, you know, police
will do anything
to try to shield themselves
if they think a video could potentially be damaging.
So it's good to see courts try to take a stand on this.
Yeah.
All right.
Well, Ben Yelin, thanks for joining us.
Thank you.
Clear your schedule for you time with a handcrafted espresso beverage from Starbucks.
Savor the new small and mighty Cortado.
Cozy up with the familiar flavors of pistachio.
Or shake up your mood with an iced brown sugar oat shaken espresso.
Whatever you choose, your espresso will be handcrafted with care at Starbucks.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson,
Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
That's where Domo's AI and data products platform comes in. With Domo,
you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.