CyberWire Daily - Espionage phishing in unfamiliar places. OT vulnerabilities. LemonDuck’s rising fortunes. Data exposure. Kubernetes advice from NSA and CISA. Meng Wanzhou’s extradition.
Episode Date: August 4, 2021
APT31 casts its net into some waters that aren’t yet phished out. Vulnerabilities in the NicheStack TCP/IP stack are reported. LemonDuck may be outgrowing its beginnings as a cryptojacking botnet. A large marketing database is found exposed. NSA and CISA offer advice on securing Kubernetes clusters. Adam Darrah from ZeroFox checks in from the floor at Black Hat. Our guests are Nic Fillingham and Natalia Godyla from Microsoft’s Security Unlocked podcast. David Dufour from Webroot on the hidden costs of ransomware. And Huawei’s CFO returns to court as her extradition hearings enter their endgame. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/149
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
APT31 casts its net into some waters that aren't yet phished out. Vulnerabilities in the NicheStack TCP/IP stack are reported. LemonDuck may be outgrowing its beginnings as a cryptojacking botnet. A large marketing database is found exposed. NSA and CISA offer advice on securing Kubernetes clusters. Adam Darrah from ZeroFox checks in from the floor at Black Hat. Our guests are Nic Fillingham and Natalia Godyla from Microsoft's Security Unlocked podcast. David Dufour from Webroot on the hidden costs of ransomware. And Huawei's CFO returns to court as her extradition hearings enter their endgame.

From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, August 4th, 2021.

Positive Technologies, the Moscow-based security company with operations in multiple countries, late yesterday reported widespread activity by APT31, also known as Zirconium, Judgment Panda, and Hurricane Panda,
a Chinese cyber-espionage group usually associated with collection against governments in pursuit of Beijing's strategic goals.
Between January and July of this year, the campaign used phishing emails
to prospect targets in Mongolia, Canada, Belarus, the United States, and, unusually, Russia.
Positive Technologies, which is close to the Russian government and participates in the GosSOPKA information-sharing system that Russia's CERT oversees, intends to keep Russian organizations, in particular, apprised of APT31's activities.
The company believes this marks Hurricane Panda's
first significant effort against Russian targets.
It also expects the activity to continue, at least over the near term.
Since Hurricane Panda's typical approach has been through phishing emails, the usual cautions about proper suspicion and skepticism with respect to the stuff that shows up in your inbox would apply.

Security firm Forescout and security research shop JFrog this morning disclosed their discovery of 14 vulnerabilities in the NicheStack TCP/IP stack, widely used in OT and industrial IoT environments. The vulnerabilities could be exploited for remote code execution, denial of service, information theft, TCP spoofing, or DNS cache poisoning. Recommended mitigations include prompt application of patches when they're available, network segmentation, and blocking unused protocols. Forescout sensibly acknowledges the difficulty of patching operational systems, with their mission criticality and multiple dependencies, and offers a range of things organizations can do until they're able to apply available fixes.
The LemonDuck botnet, once known as a small-potatoes cryptojacking operation, has outgrown its origins, The Record reports. It's become massive and is showing signs of expanding its capabilities to include hands-on-keyboard intrusions into hacked networks. This suggests a possible move into ransomware or destructive attacks in the near future.

Researchers at security firm Guardicore first described LemonDuck in 2019, and Microsoft, within the past two weeks, devoted a two-part series to LemonDuck and LemonCat. As is usually the case, the bad actors run by many names. It would be convenient to simply call them Legion. LemonDuck is now a cross-platform threat, infesting both Windows and Linux systems, and it also operates as a loader. We disclose again that Microsoft is a CyberWire partner.

Guardicore malware analyst Ophir Harpaz, who first noticed LemonDuck back in the day, told The Record that it began as a classic spray-and-pray cryptojacker. But even in its early stages, LemonDuck, while small,
seemed to be serious about its business and determined to build for the future.
They showed strong technical chops, for one thing, quote, their multi-stage PowerShell scripts were
more complex and obfuscated than others, and they already made extensive use of open-source tools
for code execution and infection, end quote. And some of the features
Microsoft called out were there from the get-go. Credential theft, removal of security controls,
and lateral movement, they were all there from the very start. So for now, while Lemonduck remains
a mining operation, we may be seeing an incipient entrant into the criminal-to-criminal ransomware-as-a-service sector.
The annual Black Hat conference is officially underway in Las Vegas, albeit with lighter
crowds, as many have chosen to sit this one out thanks to COVID. I checked in with ZeroFox's Adam Darrah from the Black Hat show floor to get his sense for how it's going.
We anticipated the same thing everybody else was anticipating. You know, we were watching the news closely on what Black Hat had in mind as far as, like, rules, regulations, best practices. And I will say that they're doing a great job so far. And, you know, people are being very courteous. People are being kind, respectful of, you know, maybe not wanting to be so close, hands and stuff. But, you know, in the run-up to it all, at the end of the day, we expected a lot less people to show up. I mean, some vendors, some pretty major vendors, we had heard pulled out, and judging by, you know, the floor right now, you can definitely tell that it's definitely been tamed a bit as far as vendor participation and even, like, user participation. But, you know, we just decided that it would
still be worth our time and our efforts to be safe, to be reasonable, and to give people an
opportunity to meet with us in person, you know, because those relationships matter. And I think
people are excited to, you know, meet with each other face-to-face in a reasonably
safe manner as is possible. So we just went for it, man. You know, I've heard folks say that when
you have a year like this where attendance is down, it might not actually be such a bad thing
because you get to spend more time with the folks who are interested in having a substantive
conversation. You can actually step aside and have the time you need to make those things happen.
Yeah. So I happen to agree with that. You know, you definitely don't want people to get the
impression that you're not caring, you're not attentive to what they're doing. So if you're
sitting, you know, if you're sitting at a booth or walking down the hallway, you see somebody that you know, you definitely want to give them the time they deserve.
So this year definitely will afford us that opportunity.
However, in the opening hours, we are still seeing quite a rush.
So we will see if that dies down as the days continue.
But I happen to agree with you. I really love and prefer taking the time one-on-one
to be thoughtful with my answers,
to be substantively accurate with my answers,
and make sure we're resolving the concerns
or seeing things through to the end.
So, yeah, that's definitely the vibe this year, I think,
is what I've seen so far.
What about beyond the show itself?
You know, a big part of events like this
are being able to
get together with friends and colleagues you don't get to see very often. Are those sorts of things
still happening? Absolutely. Wow, that's loud. Very effective. Yes. So those things are happening,
you know, based on just my personal preferences. I find it quite therapeutic to be back in person, talking to people, shaking hands, giving hugs, high fives, elbow high fives, whatever people are comfortable with.
An added layer of trust in the security business, I think trust is paramount.
Mutual trust and respect is paramount. And to be able to reestablish that in-person, face-to-face, touch, talking, just all those things are great.
And they are happening outside of the venue itself, which is really refreshing to see.
That's Adam Darrah from ZeroFox.
vpnMentor reports finding an unsecured database maintained by business-to-business marketing firm OneMoreLead. The database included personal data on between 63 million and 126 million people in the U.S. OneMoreLead secured the data when vpnMentor contacted them. How the data were collected in the first place remains unclear, and vpnMentor speculates about possible connections to earlier incidents involving other marketing outfits.

NSA and CISA issued joint guidance on Kubernetes configurations intended to help organizations build and maintain secure Kubernetes clusters. The two agencies explain, quote, Kubernetes is an open-source system that automates the deployment, scaling, and management of applications run in containers. Kubernetes clusters are often hosted in a cloud environment and provide increased flexibility from traditional software platforms. The report details recommendations to harden Kubernetes systems. Primary actions include the scanning of containers and pods for vulnerabilities or misconfigurations, running containers and pods with the least privileges possible, and using network separation, firewalls, strong authentication, and log auditing. End quote.

The advisory also details the reasons threat actors are interested in Kubernetes. Kubernetes is commonly targeted for three reasons: data theft, computational power theft, or denial of service. Data theft is traditionally the primary motivation. However, cyber actors may attempt to use Kubernetes to harness a network's underlying infrastructure for computational power for purposes such as cryptocurrency mining. End quote.

And finally, the extradition hearing for Huawei CFO Meng Wanzhou is entering its final stages out in Vancouver, where Canadian authorities are considering whether to honor the U.S. request that she be extradited to face charges related to alleged illegal Huawei trade with Iran.
She's been in Vancouver since she was detained on a U.S. request in December of 2018.
Bloomberg says that if you bet on form,
the odds of Canada sending her south to the U.S. are about 100 to 1 in favor of extradition.
The case involves some murky financing Huawei is said to have arranged with bankers at HSBC, involving a subsidiary or partner, Skycom, whose relationship to Huawei was obscure. Skycom is said to have tried to sell HP equipment to a service provider in Iran,
which would constitute a violation of U.S. sanctions on Tehran.
Meng is alleged to have lied about Skycom's true relationship to Huawei.
An essay in Light Reading, while not particularly friendly to Huawei or blind to the questionable aspects of the company's operations
that have brought it hostile U.S. security regulation,
thinks the prosecution of Meng looks at this point vindictive,
especially since she's been stuck in Vancouver, effectively under house arrest, for more than two years.
And given the reach and effectiveness of U.S. sanctions on Huawei,
if Meng's prosecution is intended as a further measure against the company, it seems to amount to making the rubble
jump. In any event, the case is nearing its conclusion and should be decided soon.
The latest round of hearings began today.
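The NSA and CISA recommendation read in the news segment above, running containers and pods with the least privileges possible, is concrete enough to check mechanically before a manifest reaches a cluster. What follows is an added example written for this page, not code from the CyberWire episode or from the NSA/CISA guidance: a small Python 3.9+ linter that walks a pod manifest (represented as a dict, the shape yaml.safe_load would give, so it needs no extra packages) and reports the settings that contradict the guidance. The two manifests at the bottom are constructed for illustration only, and the image name example.invalid/app:1.0 is a placeholder.

```python
# Added example, not part of the CyberWire transcript or the NSA/CISA
# guidance: a least-privilege linter for Kubernetes pod manifests.
# Manifests are plain dicts (what yaml.safe_load returns), so no PyYAML needed.
from typing import Any

Pod = dict[str, Any]


def pod_findings(pod: Pod) -> list[str]:
    """Return human-readable least-privilege violations for one pod manifest.

    An empty list means every check passed. The checks mirror what a hardened
    manifest should set explicitly: no host namespaces, no hostPath volumes,
    no auto-mounted service-account token, no privileged or root containers,
    no privilege escalation, all capabilities dropped, a read-only root
    filesystem and a seccomp profile.
    """
    findings: list[str] = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")

    for flag in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(flag):
            findings.append(f"{name}: spec.{flag} shares the node's namespace")

    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"{name}: volume {vol.get('name')} mounts a hostPath")

    # Kubernetes mounts the token unless the pod (or its service account) opts out.
    if spec.get("automountServiceAccountToken", True):
        findings.append(f"{name}: service-account token is auto-mounted")

    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = c.get("name", "<unnamed>")
        # Container-level values win over pod-level ones for the keys both
        # support (runAsUser, runAsNonRoot, seccompProfile); the rest are
        # container-only, so a plain dict merge gives the effective context.
        sc = {**pod_sc, **c.get("securityContext", {})}
        caps = sc.get("capabilities", {})
        dropped = {x.upper() for x in caps.get("drop", [])}
        seccomp = sc.get("seccompProfile", {}).get("type")

        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation is not false")
        if sc.get("runAsNonRoot") is not True or sc.get("runAsUser") == 0:
            findings.append(f"{name}/{cname}: may run as root")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}/{cname}: root filesystem is writable")
        if "ALL" not in dropped:
            findings.append(f"{name}/{cname}: capabilities not dropped (need drop: [ALL])")
        if caps.get("add"):
            findings.append(f"{name}/{cname}: adds capabilities {caps['add']}")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}/{cname}: no seccomp profile")
    return findings


# Constructed sample manifests for illustration; not taken from any real cluster.
WEAK_POD: Pod = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "weak"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "app", "image": "example.invalid/app:1.0",
            "securityContext": {"privileged": True},
        }],
    },
}

HARDENED_POD: Pod = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "hardened"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 10001,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "app", "image": "example.invalid/app:1.0",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        issues = pod_findings(pod)
        print(pod["metadata"]["name"], "->", issues or "no findings")
```

The checks are deliberately strict about omissions: a container that simply leaves out runAsNonRoot, readOnlyRootFilesystem or allowPrivilegeEscalation is reported, because the Kubernetes defaults for those fields are the permissive ones. The same function fits in a CI step over rendered manifests or in a validating admission webhook, with the findings list serving as the rejection message.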
We here at the Cyber Wire are very pleased to announce
that another Microsoft cybersecurity podcast
is joining the Cyber Wire podcast network.
The show is called Microsoft Security Unlocked,
and it's hosted by Natalia Godyla and Nic Fillingham,
who join me with a preview of what to expect.
We're very fortunate.
You know, there's literally thousands of people
at Microsoft working on security,
be it, you know, building AI,
be it building product,
and actually protecting customers.
And so we are in a very fortunate position
that we can send them an email and say,
hey, we've got this little podcast
and we think you're doing some cool stuff.
Can we talk to you about it
and try and bring to light some of the great new techniques
or research that's being uncovered on a daily basis?
It's a very fun job.
Natalia and I are very fortunate
and we're very much enjoying the podcast.
Other than just having the massive Rolodex,
we also are fortunate to have so many eager new guests.
The Microsoft security folks are so excited to share
the work that they're doing. So you can feel that energy on the show
and it's also just awesome to continuously have new guests
who want to come on and share the work that they're doing. It really speaks back to that
mission-driven approach to security.
As the co-hosts and sort of the producers of this podcast,
we really do want to make sure that we aren't just talking about Microsoft and Microsoft products.
We actually try not to say the word Microsoft in the podcast or the names of the products,
because that's not what this is about. This is about bringing to light the work that really,
really talented and experienced people, dedicated folks at
Microsoft really across the globe are doing to protect obviously ourselves and our customers,
but also really trying to make the cyberspace sort of a safer place.
Some of the more recent episodes we did, a very recent episode was about how do you have
cybersecurity conversations with business partners that have no idea what cybersecurity is.
So that wasn't a technical discussion at all.
It was really about how do you talk to people
that don't really understand your domain.
And then we've also dived into the nuts and bolts
of sort of the Rust programming language.
And we've looked at how do you secure firmware.
And we've really gone up and down the stack.
We cover a very, very wide range of topics. You know, Natalia, I'm curious, you all are a few dozen episodes in now. What is the value proposition that you think the two of you bring to
the table? Do each of you as co-hosts bring a different perspective to the program?
I don't know about perspective, but I do think that we tend to ask different questions, which
is great. We complement each other in that way. I'm going to speak for both of us, Nick,
but you can correct me. I think we're just both really interested in the cybersecurity domain.
So we have that inherent passion
and we're both very curious.
And so we come to these episodes
and speak to our guests with that perspective
and mine's just eager to find out what they're doing
and eager to unlock that for,
oh, I used unlock to look at that.
Unlock that for our audience.
Well, one thing I'll add is I'm not a security professional.
That's not my background.
And, you know, I've been at Microsoft a long time.
I've sort of been in the technical space for a long time,
but I don't come from a professional cybersecurity background.
And so I actually use that, I hope,
to the benefit of the audience.
I hopefully get to ask some questions
that maybe sometimes don't get asked because they're thought of as, you know, sort of table stakes. So, we do
revisit a lot of those sort of fundamentals. And I hope that the audience sort of appreciates that
because we will from time to time come back and say, you know what, that's a sort of a buzzy word
that we've used a lot there. Let's just sort of pause and sort of revisit what that means
and wrap our head around that concept. So, you know, I think, you know, Natalia and I have 40-odd episodes in on this one.
So, we're starting to understand the space, but we're also sort of bringing to it that sort of
fresh perspective of people that, you know, want to make sure that we're not glossing over a concept
or an idea or a technique that may not be familiar to everybody. Now, Nick, just for a point of
clarification here, I mean, previously joining our CyberWire network was Microsoft Security Unlocked CISO series. This
is Microsoft Security Unlocked in a bit of a challenging branding differentiation there.
Can you help us understand the difference between the two shows so that people aren't confused and know why they should tune into this one.
Yeah, Dave, thanks.
We'll get Ron trying to create some clarity there.
We might need to revisit those brands.
But yeah, there are two podcasts.
The first one is Security Unlocked
that Natalia and I co-host.
That's a weekly podcast.
We've been going for about 40 episodes now.
And that's where we have conversations
with really anyone and everyone at Microsoft working on security.
And we'll cover a really wide range of topics
based on what's going on.
Security Unlocked CISO series with Brett Arsenault,
that actually came to the CyberWire earlier,
a couple of months back.
And that is with Microsoft's
Chief Information Security Officer,
our CISO, Brett Arsenault.
We have been pestering Brett for years to allow us
to create a podcast with him. He has the ultimate Rolodex. And so his podcast comes out every two
weeks. And that's him having conversations with his security leader colleagues at Microsoft,
but also some of the CISOs of the biggest and most interesting companies out there.
TikTok CISO, Lululemon, Telco, you name it.
He knows them all.
And that's what's happening on his podcast.
I would say to CyberWire listeners,
you should really subscribe to both and listen to both.
But they are different podcasts.
One is weekly, that's Natalia and myself.
And then Brett comes out every two weeks where he chats to other CISOs.
I have to say for our listeners who may not have yet checked out Security Unlocked,
there is a tremendous amount of energy and a real sense of curiosity there that I think is contagious.
And one of the things I like about it is that there's something for everyone.
You can be someone who's just starting out on their journey or someone who's a seasoned pro who's been at this for a while.
And the spectrum of things that you all cover, as you say, is so wide.
Everybody can get something out of it.
It's time well spent.
That's Natalia Godyla and Nic Fillingham.
They are co-hosts of the Microsoft Security Unlocked podcast.
You can find it on our website, thecyberwire.com,
or wherever the fine podcasts are listed.
And I'm pleased to be joined once again by David Dufour. He's the Vice President of Engineering and Cybersecurity at Webroot.
David, it's always great to have you back.
You know, we've been seeing a lot in the news, obviously, about ransomware, certainly a hot topic. I wanted to touch base with you today about some of the things that are kind of running below the surface, some of those hidden costs that folks don't always think of when it comes to ransomware. What can you share with us today? Yeah, David. So, yes, it is in the news everywhere. First of all, great to be back.
Love being on the show. But yeah, you know, we think about the paying the ransom. We think about the folks
who maybe you're not able to deliver your solutions or do business when you've been
affected by ransomware. But there are a lot of other costs behind the scenes, some of them
tangible, some of them intangible, that I think a lot of people need to think about.
Well, let's go through some of them together.
Well, operationally, one of the first things you have to think of,
how much is it going to cost you to get back up and running?
And that's not just, I have to restore some computers.
There could be systems that went down hard that may be affected directly by,
how are you going to bring them back online?
These large industrial systems,
you don't just flip a power switch and turn them back on. You don't reboot them like a PC or
something. There's a lot of effort operationally in bringing large industrial systems online,
and that's something people aren't thinking about. What other things are you thinking of here?
Well, there's the brand reputation. I mean, you and I, you can't really
hurt our brand because our reputations are terrible. No, no, it's the bottom of the,
can't go lower than zero. That's exactly right. So we don't worry about that, but
there's a lot of really good companies out there that this brand reputation is a big deal.
And one of the things we say tongue in cheek is it's always nice to be the security guy of the competitor of the company that got hacked because all of a sudden you're going to get a lot of money because you didn't get hacked, but your company doesn't want your brand to go bad.
So if it happens in your industry and it's one hop over, that's when people start paying attention and saying, this really does
affect our brand and we've got to keep our reputation strong. Right, right. What do I have
to do, security person, to keep that from happening to us? That's exactly right. And again, you might
see it happen in healthcare, but recently here, if you're in oil and gas, you're like, well,
we're not healthcare. We don't care about that. But I promise you, everyone who was a competitor of JBS, their security people got a
bump in their annual budget. Yeah. Yeah. That's interesting. Any other ones that come to mind for
you? You know, it's just a general shutdown of business. A lot of times people stop and they say,
you know, here's the
cost if we want to, you know, recover from ransomware, but they don't look at the bigger
picture. And if you can somehow factor in that larger picture across your organization, it
becomes a lot less cost efficient to be prepared for a ransomware attack. And that's easier to
take to your senior management and your board and justify the cost. What about the emotional impact to a company to have, I don't know, this sense of violation?
It seems like it's hard to put a dollar sign on that.
You know, that's something I haven't thought a lot about because usually we're in the middle
of it trying to recover from it, but you're absolutely right. And not only that, you're
wondering, will this happen again? Did I get everything? And so you're spending a lot of energy and a lot of cycles
trying to make sure that you've done everything you can to prevent it. And then your folks are
wondering, could it happen again? Well, what sort of advice do you have for folks to make sure that
they've got these things covered? Well, back in the Stone Ages, David,
back in the 80s and 90s when I first started in this industry,
we spent so much time protecting against environmental disasters.
We'd have multiple setups.
There was no cloud.
And we would spend a lot of time testing failovers, testing recoveries.
And people just have lost sight of that. They don't spend the
time that we used to. I guess when you spend, you know, $20 million on a computer in the 80s,
you're going to take the time to verify that it'll roll over. But now things have gotten so,
you know, grand, but less expensive that they just, we assume failover. So you need to take
that time to ensure you can recover from things.
Yeah, it's interesting because it strikes me that so many people, they cut these corners
because they think it may give them some sort of competitive advantage. And maybe they're just
playing the odds that, you know, whistling past the graveyard that is not going to happen to us.
But then when it does, boy, it can sure seem to be short-sighted.
You've nailed it because it is short-sighted. And if you get away with it, then I guess it's okay.
But I think somehow as an industry, we talk about this a lot, but how do we get folks to consider,
you know what, their posture, their defensive mechanisms that are in place really protect this company. And it's a cost of being a good company with a good reputation.
So you want to do it rather than the stockholders always wanting, you know, if it's a public
company, always wanting, you know, your low EBITDA and you're hitting your margins and
all that.
Like, how do you add that value in and convince people how critical it is?
Yeah, yeah.
And I did not answer your question.
I put it out there as, I don't know.
I mean, but it's something we got to do.
No, I mean, it's not an easy question, but it's certainly,
if you're the person standing in front of the board of directors and saying,
boy, I really thought we'd, you know,
we were just crossing our fingers and hoping we'd be lucky.
That's a hard conversation to face.
That's exactly right.
And then you don't want to be the board that the security guy has a bunch of I told you so emails that said I tried to bring this up, but you wouldn't listen.
Right.
Do you know what I mean? that people value. So it actually adds value to an organization's bottom line
and not a monetary value
as much as this is a reassurance type thing.
All right.
Well, David Dufour, thanks for joining us.
Great being here, David. Thank you. We'll see you back here tomorrow.